search
    search
      13 Jun, 2024

      In this video, you'll learn how to interact with NetWitness core services and Respond via the API. Having programmatic access to your organization's raw data can enable automation of common or complex tasks to save time and address security challenges. 

      Links

      1:15 NetWitness Training https://community.netwitness.com/s/training-catalog
      1:15 Mozilla HTTP Training https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages 
      1:15 curl Manual https://github.com/curl/curl/blob/master/docs/MANUAL.md 
      5:02 Postman for NetWitness https://community.netwitness.com/t5/netwitness-community-blog/postman-for-netwitness/ba-p/519615 
      5:18 Additional API Videos https://www.youtube.com/@SecuredByRSA/videos 
      7:30 jq Utility https://jqlang.github.io/jq/tutorial/ 
      11:39 NetWitness Core Services API Guide https://community.netwitness.com/s/article/655327 
      13:32 CyberChef https://gchq.github.io/CyberChef/#recipe=URL_Decode() 
      17:04 NetWitness nwconsole User Guide https://community.netwitness.com/s/article/NwConsoleUserGuidefor12-4 
      29:16 Postman for NetWitness https://community.netwitness.com/t5/netwitness-community-blog/postman-for-netwitness/ba-p/519615

      Timestamps

      0:55 Introduction and Setup
      5:31 Core Services Call Formatting
      11:30 Core Services URL Encoding
      14:11 SDK Call Intro
      15:11 SDK-Packets
      15:53 SDK-Content
      17:40 SDK-Query
      24:00 SDK-Values
      26:41 SDK-Session
      28:43 NW API (Respond) - Setup
      32:26 NW API (Respond) - Workflow
      35:00 NW API (Respond) - Data Handling
      38:37 Summary

      Sample Calls

      SDK-Packets

      curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk/packets?msg=packets&render=application/json&where=medium=32%26%26direction="inbound"%26%26time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"' > out.json

      SDK-Content

      curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk/content?msg=content&force-content-type=application/json&session=19&render=session-meta-file-list-json'

      SDK-Query

      No Aggregation:

      curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=query&force-content-type=text/plain&size=12&query=select+org.dst,ip.dst+where+time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"%26%26org.dst+exists%26%26direction="outbound"'

      With Aggregation:

      curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=query&force-content-type=text/plain&size=10000&query=select+count(medium)+where+time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"%26%26org.dst+exists%26%26direction="outbound"%26%26org.dst="Google","Microsoft+Azure"+group+by+org.dst,ip.dst+order+by+count(medium)+DESC'

      SDK-Values

      curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=values&force-content-type=text/plain&fieldName=org.dst&flags=sessions,sort-total,descending&size=10&where=medium=1%26%26time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"'

      SDK-Session

      curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=session&force-content-type=text/plain&id1=617505&id2=617505'
      Topic:
      0 Comment
        CATEGORIES
        RECENT POST
        Amazon Cloudwatch Event Source Log Configuration Guide
        3 Dec, 2025
        F5 Source Code Breach: Hunting UNC5221's BRICKSTORM with NetWitness
        31 Oct, 2025
        MSAzureGraph Universal Plugin for Microsoft Graph API
        17 Oct, 2025