000037325 - RSA NetWitness Logs & Network: Extract SessionIDs for a specific time period via REST and NwConsole

Document created by RSA Customer Support Employee on May 7, 2019

Article Content

Article Number: 000037325
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Version/Condition: 10.6.x & 11.x
Issue: You can use the REST API and NwConsole to extract many useful pieces of information from NetWitness. One such piece of information is a list of session IDs matching a specific query. The issue is that a query that works in NwConsole may not produce the same output when sent through the REST API, because the query is not correctly URL encoded.
Resolution: The following example is from a lab environment. The query below extracts the session IDs for the device type 'windows' from 1 April 2019 to 3 April 2019.

Within the NwConsole:

> login localhost:50005 admin <password>
> /sdk query query="select sessionid where (device.type='windows' && time='2019-04-01 00:01:00'-'2019-04-03 00:01:01')"

(Screenshot: output of the NwConsole on the Concentrator)

If you attempt to use the same query with the REST API (web browser), the session IDs that are returned do not adhere to the query's time range. The browser leaves the `&&` operator unencoded, so the server treats each `&` as a parameter separator and the `query` parameter ends right after the `device.type` clause; the time range is never applied.

The following is the REST query used in a browser after the browser automatically URL encodes it:

http://<IP_of_the Conc>:50105/sdk/?msg=query&size=100&force-content-type=text/plain&query=select%20sessionid%20where%20device.type=%27windows%27%20&&%20time=%272019-Apr-01%2000:01:00%27-%272019-Apr-03%2000:01:01%27

Below are the results of the query in the browser:
(Screenshot: the browser shows many SessionIDs)

To get consistent results between NwConsole and the REST API follow the below steps. This can work for any NwConsole/REST API query.

  1. Log in to the REST API of the Concentrator/Broker via the browser.
  2. Click on the asterisk (*) of the sdk node.

    (Screenshot: REST API via the browser)

  3. In the drop-down menu for Properties for /sdk, select "query".
  4. Enter the investigation query with quotes. For example:

    query="select sessionid where device.type='windows' && time='2019-04-01 00:01:00'-'2019-04-03 00:01:01'"

  5. Click Send to start the query.
  6. The output of the query appears in the Output section in the lower part of the Properties panel. Just above the output you will see the URL-encoded part-URL:
    (Screenshot: part-URL shown in REST)
  7. Append the encoded part-URL to the URL of the REST interface in the browser:

    http://<IP_of_the Conc>:50105/sdk/?msg=query&size=100&force-content-type=text/plain&query=select+sessionid+where+device.type%3D%27windows%27+%26%26+time%3D%272019-Apr-01+00%3A01%3A00%27-%272019-Apr-03+00%3A01%3A01%27

    (Screenshot: correct SessionIDs in the browser)
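As an added illustration (not part of the RSA article or the NetWitness product), the following Python snippet shows how a server splits the browser-typed URL from above, leaving the time range outside the `query` parameter, and builds the properly encoded URL from step 7; the Concentrator host name is a placeholder.

```python
"""Reproduce the NetWitness REST '&&' encoding problem and build a safe URL."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder Concentrator address (assumption; substitute the real host).
BASE = "http://concentrator.example.invalid:50105/sdk/"

# The investigation query from the article, exactly as typed into NwConsole.
QUERY = ("select sessionid where device.type='windows' && "
         "time='2019-04-01 00:01:00'-'2019-04-03 00:01:01'")

# The URL a browser produces when the query is pasted into the address bar:
# spaces and quotes are encoded, but '&&' and '=' are left bare.
BROWSER_URL = (BASE + "?msg=query&size=100&force-content-type=text/plain"
               "&query=select%20sessionid%20where%20device.type=%27windows%27%20"
               "&&%20time=%272019-Apr-01%2000:01:00%27-%272019-Apr-03%2000:01:01%27")


def build_sdk_query_url(query, size=100, base=BASE):
    """Build /sdk/?msg=query with every parameter value percent-encoded.

    urlencode() applies quote_plus(): ' ' -> '+', '&' -> %26, '=' -> %3D,
    "'" -> %27, ':' -> %3A, so nothing inside the query can be mistaken
    for a parameter separator. This matches the form NetWitness shows as
    the part-URL in the /sdk Properties panel (safe="/" keeps text/plain).
    """
    params = {"msg": "query", "size": size,
              "force-content-type": "text/plain", "query": query}
    return base + "?" + urlencode(params, safe="/")


def server_side_params(url):
    """Parse a URL the way a server splits its query string ('&' then '=').

    Returns {name: first_value}, so the caller can see exactly which text
    ends up in the 'query' parameter.
    """
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Bare '&&' cuts the query off right after the device.type clause and
    # turns the time range into an unrelated parameter named ' time'.
    broken = server_side_params(BROWSER_URL)
    print("browser-encoded  ->", repr(broken["query"]))
    print("stray parameter  ->", [k for k in broken if k.strip() == "time"])

    # Correct encoding survives the round trip unchanged.
    safe_url = build_sdk_query_url(QUERY)
    print("properly encoded ->", repr(server_side_params(safe_url)["query"]))
```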