In this video, you'll learn how to interact with NetWitness core services and Respond via the API. Having programmatic access to your organization's raw data can enable automation of common or complex tasks to save time and address security challenges.
| 1:15 | NetWitness Training | https://community.netwitness.com/s/training-catalog |
| 1:15 | Mozilla HTTP Training | https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages |
| 1:15 | curl Manual | https://github.com/curl/curl/blob/master/docs/MANUAL.md |
| 5:02 | Postman for NetWitness | https://community.netwitness.com/t5/netwitness-community-blog/postman-for-netwitness/ba-p/519615 |
| 5:18 | Additional API Videos | https://www.youtube.com/@SecuredByRSA/videos |
| 7:30 | jq Utility | https://jqlang.github.io/jq/tutorial/ |
| 11:39 | NetWitness Core Services API Guide | https://community.netwitness.com/s/article/655327 |
| 13:32 | CyberChef | https://gchq.github.io/CyberChef/#recipe=URL_Decode() |
| 17:04 | NetWitness nwconsole User Guide | https://community.netwitness.com/s/article/NwConsoleUserGuidefor12-4 |
| 29:16 | Postman for NetWitness | https://community.netwitness.com/t5/netwitness-community-blog/postman-for-netwitness/ba-p/519615 |
| 0:55 | Introduction and Setup |
| 5:31 | Core Services Call Formatting |
| 11:30 | Core Services URL Encoding |
| 14:11 | SDK Call Intro |
| 15:11 | SDK-Packets |
| 15:53 | SDK-Content |
| 17:40 | SDK-Query |
| 24:00 | SDK-Values |
| 26:41 | SDK-Session |
| 28:43 | NW API (Respond) - Setup |
| 32:26 | NW API (Respond) - Workflow |
| 35:00 | NW API (Respond) - Data Handling |
| 38:37 | Summary |
curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk/packets?msg=packets&render=application/json&where=medium=32%26%26direction="inbound"%26%26time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"' > out.json
curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk/content?msg=content&force-content-type=application/json&session=19&render=session-meta-file-list-json'
No Aggregation:
curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=query&force-content-type=text/plain&size=12&query=select+org.dst,ip.dst+where+time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"%26%26org.dst+exists%26%26direction="outbound"'
With Aggregation:
curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=query&force-content-type=text/plain&size=10000&query=select+count(medium)+where+time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"%26%26org.dst+exists%26%26direction="outbound"%26%26org.dst="Google","Microsoft+Azure"+group+by+org.dst,ip.dst+order+by+count(medium)+DESC'
curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=values&force-content-type=text/plain&fieldName=org.dst&flags=sessions,sort-total,descending&size=10&where=medium=1%26%26time="2024-05-21+23:00:00"-"2024-05-22+00:00:00"'
curl -k --user 'api:netwitness' 'https://192.168.54.10:50103/sdk?msg=session&force-content-type=text/plain&id1=617505&id2=617505'