
View and Modify Queries Using URL Integration

NetWitness Investigate includes an External URL Integration that facilitates integration with third-party products by allowing a search against the NetWitness architecture. By using a query in a URI, you can pivot directly from any product that allows custom links, into a specific drill point in the Investigate view. This integration provides an internal presentation of the user's query.

URL Integration allows the user to identify the service either by the host id or by the service and port, as defined in NetWitness. If NetWitness is unable to resolve the service, the analyst is redirected to the Navigate view, showing the Service selection dialog. Once the service is selected, the Navigate view is loaded with the drill point, defined by the query.

Service Id Known

When the ID of the service to use for an investigation is known, the format for entering a URI using a URL-encoded query is:

http:// /investigation/ /navigate/query/ /date/ /

where

  • is the IP address or DNS, with or without a port, as appropriate (ssl or not). This designation is needed only if access is configured over a non-standard port through a proxy.
  • is the internal Service ID in the NetWitness instance for the service to query against. The service ID can be represented only as an integer. You can see the relevant service ID from the URL when accessing the Investigate view within NetWitness. This value changes based on the service being connected to for analysis.
  • is the URL-encoded NetWitness query. The length of the query is limited by the HTML URL limitations.
  • and define the date range for the query. The format is T Z. The start and end dates are required. If no date is provided then the user defaults for that service are used. Relative ranges (for example, Last Hour) are not supported. All times are run as UTC.
    For example:
    http://localhost:9191/investigation/12/navigate/query/alias%20exists/date/2012-09-01T00:00:00Z/2012-10-31T00:00:00Z

Host and Port Known

When the host and port of the service to use for an investigation are known, the format for entering a URI using a URL-encoded query is:

http:// /investigation/ /navigate/query/ /date/ /

where

  • is the IP address or DNS, with or without a port, as appropriate (ssl or not). This designation is needed only if access is configured over a non-standard port through a proxy.
  • is the host and port of a service defined in the NetWitness instance for the service to query against. NetWitness attempts to resolve the host and port as a service ID defined in NetWitness.
  • is the URL-encoded NetWitness query. The length of the query is limited by the HTML URL limitations.
  • and define the date range for the query. The format is T Z . The start and end dates are required. If no date is provided then the user defaults for that service are used. Relative ranges (for example, Last Hour) are not supported in this version. All times are run as UTC.
    For example:
    http://localhost:9191/investigation/concentrator:50105/navigate/query/alias%20exists/date/2012-09-01T00:00:00Z/2012-10-31T00:00:00Z
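
The following is an added example, not part of the NetWitness documentation, that builds both URI forms described above (service ID and host:port) from fields supplied by another product. The names `pivot_url` and `to_utc`, the host:port pattern, and the choice to percent-encode `/` inside the query are assumptions; the path layout and timestamp format are taken from the two example URLs on this page.

```python
import re
from datetime import datetime, timezone
from urllib.parse import quote

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # layout seen in the page's example URLs
HOST_PORT = re.compile(r"[A-Za-z0-9.-]+:\d{1,5}")  # assumed shape of host:port


def to_utc(ts):
    """Render an aware datetime as UTC; naive values are rejected, not guessed."""
    if not isinstance(ts, datetime) or ts.tzinfo is None:
        raise ValueError("timestamp must be a timezone-aware datetime")
    return ts.astimezone(timezone.utc).strftime(TS_FORMAT)


def pivot_url(base, service, query, start, end):
    """Build a pivot link for an integer service ID or a 'host:port' string."""
    if isinstance(service, int) and not isinstance(service, bool) and service >= 0:
        svc = str(service)
    elif isinstance(service, str) and HOST_PORT.fullmatch(service):
        svc = service
    else:
        raise ValueError("service must be an integer ID or host:port")
    first, last = to_utc(start), to_utc(end)  # both dates are required
    if start >= end:
        raise ValueError("start date must precede end date")
    # quote() writes spaces as %20, as in the page's examples; safe="" also
    # encodes "/", so field values cannot add path segments to the link.
    encoded = quote(query, safe="")
    return (f"{base.rstrip('/')}/investigation/{svc}/navigate/query/"
            f"{encoded}/date/{first}/{last}")


if __name__ == "__main__":
    # Constructed input: base URL and dates reuse the page's example values.
    begin = datetime(2012, 9, 1, tzinfo=timezone.utc)
    finish = datetime(2012, 10, 31, tzinfo=timezone.utc)
    print(pivot_url("http://localhost:9191", 12, "alias exists", begin, finish))
    print(pivot_url("http://localhost:9191", "concentrator:50105",
                    "alias exists", begin, finish))
```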

Examples

These are query examples where the NetWitness Server is 192.168.1.10 and the deviceID is identified as 2.