Maintain Queries Using URL IntegrationMaintain Queries Using URL Integration
A URL integration provides a way to represent the bread crumbs, or query path, you take when actively investigating a service in the Navigate view. You do not need to display and edit these objects often.
A URL integration maps a unique ID that is automatically created each time you click on a navigation link in the Navigation view to drill into data. When the drill-down completes, the URL reflects the query IDs for the current drill point. The Display Name is displayed in the bread crumb in the Navigate view.
The URL Integration panel provides a list of queries and allows users who have the proper permissions to modify this underlying source of data and analyze the query patterns of other users of the NetWitness system. Within the panel, you can:
- Refresh the list.
- Edit a query.
- Delete a query.
- Clear all queries in the list.
Caution: After a query has been removed from the system, any Investigation URLs that included the ID of that query will no longer function.
Edit a QueryEdit a Query
- Go to (Admin) > System.
-
In the options panel, select URL Integration.
-
Select the row in the grid and either double-click the row or click .
The Edit Query Dialog is displayed.
- Edit the Display Name and the Query, but do not leave either field blank.
- To save the changes, click Save.
Delete a QueryDelete a Query
Caution: After a query has been removed from the system, any Investigation URLs that included the ID of that query will no longer function.
To remove a query from NetWitness entirely:
- Select the query.
-
Click
A dialog requests confirmation that you want to delete the query.
- Click Yes.
Clear All QueriesClear All Queries
To clear all queries from the list:
-
Click
The entire list is cleared.
Use a Query in a URIUse a Query in a URI
URL integration facilitates integrations with third-party products by allowing a search against the NetWitness architecture. By using a query in a URI, you can pivot directly from any product that allows custom links, into a specific drill point in the Investigation view in NetWitness.
The format for entering a URI using a URL-encoded query is:
http://<nw host:port>/investigation/<serviceId>/navigate/query/<encoded query>/date/<start date>/<enddate>
where
- <nw host: port> is the IP address or DNS, with or without a port, as appropriate (ssl or not). This designation is only needed if access is configured over a non-standard port through a proxy.
- <serviceId> is the internal Service ID in the NetWitness instance for the service to query against. The service ID can be represented only as an integer. You can see the relevant service ID from the url when accessing the investigation view within NetWitness. This value will change based on the service being connected to for analysis.
- <encoded query> is the URL-encoded NetWitness query. The length of query is limited by the HTML URL limitations.
- <start date> and <end date> define the date range for the query. The format is <yyyy-mm-dd>T<hh:mm>. The start and end dates are required. Relative ranges (for example, Last Hour) are not supported in this version. All times are run as UTC.
For example:
http://localhost:9191/investigation/12/navigate/query/alias%20exists/date/2018-09-01T00:00/2018-10-31T00:00
ExamplesExamples
These are query examples where the NetWitness Server is 192.168.1.10 and the serviceID is identified as 2.
All activity on 03/12/2018 between 5:00 and 6:00 AM with a hostname registered
- Custom Pivot: alias.host exists
- https://192.168.1.10/investigation/2...13-03-12T06:00
All activity on 3/12/2018 between 5:00 and 5:10 PM with http traffic to and from IP address 10.10.10.3
- Custom Pivot: service=80 && (ip.src=10.10.10.3 || ip.dst=10.0.3.3)
- Encoded Pivot Dissected:
- service=80 => service&3D80
- ip.src=10.10.10.3 => ip%2Esrc%3D10%2E10%2E10%2E3
- ip.dst=10.10.10.3 => ip%2Esrc%3D10%2E10%2E10%2E3
- https://192.168.1.10/investigation/2...13-03-12T17:10
Additional Notes
Some values may not need to be encoded as part of the query. For example, commonly the IP source (src) and destination (dst) is used for this integration point. If leveraging a third-party application for integration of this feature, it is possible to reference those without encoding applied.