NetWitness Community

NielsVanEijck · ‎2019-07-12

Can I retrieve all metadata of a network session using the REST API? If so, can someone explain to me how this works?

I want to use the sessionid as unique identifier.

Cheers, Niels.

Anonymous · ‎2019-07-12

Hi Neils,

You could get it with the following REST Endpoint:

https://brokerip:50103/sdk?msg=query&query=select+*+where+sessionid%3D<sessionid>&size=8192‍

There are also a couple of scripts in some of my other posts that could help, namely REST API to CSV and https://community.rsa.com/community/products/netwitness/blog/2019/03/11/netwitness-packet-meta-in-elk depending on whether you prefer CSV or JSON output.

Hope this helps!

Cheers,

Rui

Anonymous · ‎2019-07-12

Hi Neils,

You could get it with the following REST Endpoint:

https://brokerip:50103/sdk?msg=query&query=select+*+where+sessionid%3D<sessionid>&size=8192‍

There are also a couple of scripts in some of my other posts that could help, namely REST API to CSV and https://community.rsa.com/community/products/netwitness/blog/2019/03/11/netwitness-packet-meta-in-elk depending on whether you prefer CSV or JSON output.

Hope this helps!

Cheers,

Rui

NielsVanEijck · ‎2019-07-19

Hi Rui,

Thanks! Your answer has put me on the right track!

Cheers, Niels.

Retrieve session metadata using REST API