How to use the FETCH method within NetWitness API to retrieve comprehensive Incident and Alert data
Issue
The method described in KB 000003239 is not comprehensive enough.
Resolution
Use one of the two attached scripts, which utilize the FETCH method, for a more comprehensive API pull that ensures all metakeys are represented in the results.
Script usage:
Scripted Method
- Download the attached script and copy it to a Linux host that has HTTPS/SSL/443 access to the Admin Server/NW-NODE-ZERO: nw_respond_inc-alert_call-comprehensive.sh
- Make the script executable by running:
- chmod +x /root/nw_respond_inc-alert_call-comprehensive.sh
- Execute the script with the following arguments (each argument is explained below):
- /root/nw_respond_inc-alert_call-comprehensive.sh 192.168.5.168 admin netwitness INC-273185 5
- Admin Server/Node Zero IP: 192.168.5.168
- Username: admin
- Password: netwitness
- Incident ID: INC-273185
- Number of Alerts to retrieve: 5
- Once executed, the script retrieves and prints:
- The variables passed
- The accessToken
- The Incident by itself
- The alerts related to that incident (capped at the number of alerts you specified; the incident may contain more alerts than that, so compare against the incident's alertCount)
Example usage and output (results have been truncated for length):
[root@NEW-NW11-NW-NODE-ZERO ~]# /root/nw_respond_inc-alert_call-comprehensive.sh 192.168.5.168 admin netwitness INC-273185 5
Variable Inputs :
Admin Server IP = 192.168.5.168
Username = admin
Password = netwitness
Incident ID = INC-273185
Number of Alerts to Return = 5
Transient Access Token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NjI5MDY5NTkzMzUsImlzcyI6InNlY3VyaXR5LXNlcnZlci05MzUwZWZjZi02MmE0LTQzZmQtYjlmOC1lNGVlMDkwODQ4NDkiLCJpYXQiOjE3NjI4NzA5NTkzMzUsImF1dGhvcml0aWVzIjpbIkFkbWluaXN0cmF0b3JzIl0sInVzZXJfbmFtZSI6ImFkbWluIn0.JbgutNog_I_9LfhkEmL9BoeO2iszjbxXue4sgBO4X9RV7Hz4I2SaQXVyZHVqCm_jla7gpqMC6aCgIvePUn61iGANGbaDQmfHphfp9Dq7dMIQkgZh5LJFhHZ3zFG1IChsAOHKp2URXDDkQp4bT4_2_YS3CJ2mb2XFjOQuJbfMoSIeQGXHbFeQ2bT10dcb5DZ30dgsd0N1XUFW15Qpfj5akEepWwRd4tFR7s6vnr25OSjm6a_KPiNCCMS0eqBD6BHHnxC0FDNQ4Ky2VzUYO_PucpgeytI9so0bqVg65HECLy07WG5AhkXxcpNM4DzLh8I1z5IRWrmiMnguELHlvKRvlA
Retrieving incident details for INC-273185 :
HTTP/1.1 200
Server: nginx
Date: Tue, 11 Nov 2025 14:22:39 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-NW-UI-PRIMARY: true
X-NW-CBA-ENABLED: false
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self' https://cms.netwitness.com; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data:; style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com; self' https://fonts.gstatic.com data:; connect-src 'self' wss:; img-src 'self' data:; frame-ancestors 'self' https://192.168.5.168/oauth/token
X-Frame-Options: SAMEORIGIN
[{"id":"INC-273185","name":"High Risk Alerts: ESA for 192.168.6.106","summary":"","priority":"HIGH","prioritySort":2,"riskScore":50,"status":"NEW","statusSort":1,"alertCount":10,"pinnedAlertCount":0,"containsPinnedAlerts":false,"averageAlertRiskScore":50,"sealed":true,"totalRemediationTaskCount":0,"openRemediationTaskCount":0,"hasRemediationTasks":false,"created":"2025-11-06T01:01:27.229+00:00","lastUpdated":"2025-11-06T01:02:03.126+00:00","lastUpdatedByUser":null,"assignee":null,"sources":["Event Stream Analysis"],"ruleId":"605a66162635426f55f07cab","firstAlertTime":"2025-11-06T01:01:24.099+00:00","timeWindowExpiration":"2025-11-06T02:01:24.099+00:00","groupByValues":["192.168.6.106"],"categories":[],"notes":null,"createdBy":"High Risk Alerts: ESA","dateIndicatorAggregationStart":"2025-10-27T01:01:24.099+00:00","breachExportStatus":"NONE","breachData":null,"breachTag":null,"hasDeletedAlerts":false,"deletedAlertCount":0,"groupByDomain":null,"enrichment":null,"eventCount":14,"groupBySourceIp":["192.168.6.106"],"groupByDestinationIp":["128.203.59.12","23.47.72.72","23.47.72.86"],"sentToArcher":false,"persisted":null,"errors":null,"history":[{"type":"CREATED","date":"2025-11-06T01:01:27.254+00:00","changedBy":"system","changedFrom":null,"changedTo":null}],"statusChangeTime":{"NEW":"2025-11-06T01:01:27.249+00:00"},"tta":null,"ttd":null,"ttr":null,"externalId":null,"tactics":[],"techniques":[],"createdFromRule":true}]
Retrieving 5 Alerts details for INC-273185 :
HTTP/1.1 200
Server: nginx
Date: Tue, 11 Nov 2025 14:22:39 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-NW-UI-PRIMARY: true
X-NW-CBA-ENABLED: false
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self' https://cms.netwitness.com; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' data:; style-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://fonts.googleapis.com; self' https://fonts.gstatic.com data:; connect-src 'self' wss:; img-src 'self' data:; frame-ancestors 'self' https://192.168.5.168/oauth/token
X-Frame-Options: SAMEORIGIN
[{"_id":"690bf3641eee261466e33369","receivedTime":1762390884104,"status":"GROUPED_IN_INCIDENT","originalHeaders":{"name":"HTTP GET Flood","description":null,"version":0,"severity":5,"timestamp":1762390884099,"signatureId":"615f330b4a5a8258d46ddcf9264192c79c433566e5cec665b8ae991380912e1b","deviceVendor":"RSA Netwitness","deviceProduct":"Event Stream Analysis","deviceVersion":"12.5","uebaSource":null,"whiteListAlertSources":[]},"originalAlert":{"severity":5,"eventSourceId":"ddc26106-dfce-4ba0-a057-999c7fa48c76:56005:1078445755","respondEnabled":true,"moduleType":"ESPER","engineUri":"ESARules-NOTEDR","moduleName":"HTTP GET Flood","suppressMessageBus":false,"transientAlert":false,"version":"0.3","notificationReasons":[],"actualEventsCount":1,"instanceId":"615f330b4a5a8258d46ddcf9264192c79c433566e5cec665b8ae991380912e1b","statement":"Module_esa000021_v0_3_Alert","contentUuid":"8d5fa4ce-f40e-4c30-b450-c47356e950f7","id":"59253b27-dad1-4244-be9d-51e91fc1f9d8","time":"Nov 6, 2025 01:01:24 AM UTC","moduleId":"esa000021_v0_3","events":[{"eth_dst_vendor":"Fortinet Inc.","lifetime":35,"entropy_req":5731,"ip_all":["128.203.59.12","128.203.59.12","128.203.59.12","128.203.59.12","128.203.59.12","128.203.59.12","128.203.59.12","128.203.59.12","192.168.6.106"],"sessionid":1078445755,"e. . . . . Truncated for example purposes}
Note: The output above is truncated for length; it is an example only.
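The script prints raw JSON, so an analyst still has to check whether the alert pull was capped and which metakeys actually came back. The following is an added post-processing example, not the KB's script or any NetWitness code; the incident and alert records it embeds are constructed, abbreviated copies of the sample output above (the second alert is invented to show the metakey union).

```python
"""Added example: summarize the incident/alert JSON printed by the KB script."""
import json

# Constructed, abbreviated copy of the incident record from the sample output.
INCIDENT_JSON = """[{"id":"INC-273185","alertCount":10,"eventCount":14,
 "groupBySourceIp":["192.168.6.106"],
 "groupByDestinationIp":["128.203.59.12","23.47.72.72","23.47.72.86"]}]"""

# Constructed, abbreviated alert list; the second alert is invented for illustration.
ALERTS_JSON = """[
 {"_id":"690bf3641eee261466e33369","status":"GROUPED_IN_INCIDENT",
  "originalHeaders":{"name":"HTTP GET Flood","severity":5},
  "originalAlert":{"events":[{"eth_dst_vendor":"Fortinet Inc.","lifetime":35,
    "ip_all":["128.203.59.12","192.168.6.106"],"sessionid":1078445755}]}},
 {"_id":"constructed-alert-2","status":"GROUPED_IN_INCIDENT",
  "originalHeaders":{"name":"HTTP GET Flood","severity":5},
  "originalAlert":{"events":[{"ip_all":["23.47.72.72"],"sessionid":1078445756,
    "entropy_req":5731}]}}
]"""


def summarize(incident_json: str, alerts_json: str, requested: int) -> dict:
    """Return the fields an analyst checks first, plus whether the pull was capped."""
    incident = json.loads(incident_json)[0]   # the API wraps the record in a list
    alerts = json.loads(alerts_json)
    metakeys = set()
    for alert in alerts:
        for event in alert.get("originalAlert", {}).get("events", []):
            metakeys.update(event.keys())     # union of every metakey seen
    return {
        "incident": incident["id"],
        "alert_count": incident["alertCount"],          # what Respond holds
        "retrieved": len(alerts),                       # what this pull returned
        "capped": incident["alertCount"] > requested,   # more exist than requested
        "missing": incident["alertCount"] - len(alerts),
        "metakeys": sorted(metakeys),
        "source_ips": incident["groupBySourceIp"],
        "destination_ips": incident["groupByDestinationIp"],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(INCIDENT_JSON, ALERTS_JSON, requested=5), indent=2))
```

When `capped` is true, re-run the script with a larger alert count (at least `alert_count`) before treating the pull as complete.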
Notes
Checksum for the script:
sha256sum nw_respond_inc-alert_call-comprehensive.sh
ac091a7969df632b44697b45cbb776167cdc325fe554554cbd4326212f741040 nw_respond_inc-alert_call-comprehensive.sh
Alternative KB for less verbose outputs:
Product Details
NetWitness Product Set: NetWitness Logs and Packets
NetWitness Product/Service Type: Admin Server, Respond, ESA Primary
NetWitness Version/Condition: 12.3+
Platform: CentOS, AlmaLinux
Attachments:
nw_respond_inc-alert_call-comprehensive.sh