A URL integration provides a way to represent the breadcrumbs, or query path, that you follow when actively investigating a service in the Navigate view. You do not need to display or edit these objects often.
A URL integration maps a unique ID, created automatically each time you click a navigation link in the Navigate view to drill into data, to the underlying query. When the drill-down completes, the URL reflects the query IDs for the current drill point. The Display Name is shown in the breadcrumb in the Navigate view.
The URL Integration panel provides a list of queries and allows users with the proper permissions to modify this underlying source of data and to analyze the query patterns of other users of the NetWitness Suite system. Within the panel, you can:
- Refresh the list.
- Edit a query.
- Delete a query.
- Clear all queries in the list.
Edit a Query
- Go to ADMIN > System.
- In the options panel, select URL Integration.
The Edit Query Dialog is displayed.
- Edit the Display Name and the Query; do not leave either field blank.
- To save the changes, click Save.
Delete a Query
To remove a query from NetWitness Suite entirely:
- Select the query.
A dialog requests confirmation that you want to delete the query.
- Click Yes.
Clear All Queries
To clear all queries from the list:
Use a Query in a URI
URL Integration facilitates integrations with third-party products by allowing a search against the NetWitness Suite architecture. By using a query in a URI, you can pivot directly from any product that allows custom links into a specific drill point in the Investigation view in NetWitness Suite.
The format for entering a URI using a URL-encoded query is:
http://<nw host:port>/investigation/<serviceId>/navigate/query/<encoded query>/date/<start date>/<end date>
- <nw host:port> is the IP address or DNS name, with or without a port, as appropriate (SSL or not). The port is only needed if access is configured over a non-standard port through a proxy.
- <serviceId> is the internal Service ID in the NetWitness Suite instance for the service to query against. The service ID can be represented only as an integer. You can see the relevant service ID in the URL when accessing the Investigation view within NetWitness Suite. This value changes depending on the service being connected to for analysis.
- <encoded query> is the URL-encoded NetWitness Suite query. The length of the query is limited by URL-length limitations.
- <start date> and <end date> define the date range for the query. The format is <yyyy-mm-dd>T<hh:mm>. Both the start and end dates are required. Relative ranges (for example, Last Hour) are not supported in this version. All times are interpreted as UTC.
These are query examples where the NetWitness Server is 192.168.1.10 and the service ID is 2.
All activity on 03/12/2013 between 5:00 and 6:00 AM with a hostname registered:
- Custom Pivot: alias.host exists
All activity on 03/12/2013 between 5:00 and 5:10 PM with HTTP traffic to and from IP address 10.10.10.3:
- Custom Pivot: service=80 && (ip.src=10.10.10.3 || ip.dst=10.10.10.3)
- Encoded Pivot Dissected:
- service=80 => service%3D80
- ip.src=10.10.10.3 => ip%2Esrc%3D10%2E10%2E10%2E3
- ip.dst=10.10.10.3 => ip%2Edst%3D10%2E10%2E10%2E3
Some values do not need to be encoded as part of the query. For example, the IP source and destination values are commonly used for this integration point. When a third-party application builds these links, it can reference those values without encoding applied.
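As an added example (not NetWitness product code), the following Python builds a URI in the format above with the same exhaustive percent-encoding as the dissected pivot, validates the required absolute date range, and parses a URI back into its parts, which is how you read the service ID out of the Investigation view's address bar. The host, port, scheme and all function names are assumptions of this example rather than values from the page.

```python
"""Added example (not NetWitness code): build and parse URL Integration URIs."""
import re
from datetime import datetime
from urllib.parse import unquote

DATE_FMT = "%Y-%m-%dT%H:%M"  # <yyyy-mm-dd>T<hh:mm>; all times are taken as UTC

# Shape of the URI described on the page; host and port are assumed to be literal.
_URI_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/]+)/investigation/(?P<sid>\d+)"
    r"/navigate/query/(?P<query>[^/]*)/date/(?P<start>[^/]+)/(?P<end>[^/]+)$"
)


def encode_query(query: str) -> str:
    """Percent-encode every byte except ASCII letters and digits.

    This reproduces the exhaustive style of the dissected pivot
    ('=' -> %3D, '.' -> %2E), which is stricter than urllib's quote().
    """
    out = []
    for ch in query:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.extend(f"%{b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def decode_query(encoded: str) -> str:
    """Reverse encode_query (standard percent-decoding)."""
    return unquote(encoded)


def build_uri(host, service_id, query, start, end, scheme="http"):
    """Assemble <scheme>://<host>/investigation/<serviceId>/navigate/query/<q>/date/<start>/<end>."""
    if isinstance(service_id, bool) or not isinstance(service_id, int) or service_id < 0:
        raise ValueError("serviceId must be a non-negative integer")
    if not query.strip():
        raise ValueError("query must not be blank")
    # Both bounds are required and must be absolute; relative ranges are not supported.
    t0, t1 = (datetime.strptime(v, DATE_FMT) for v in (start, end))
    if t0 > t1:
        raise ValueError("start date must not be after end date")
    return (f"{scheme}://{host}/investigation/{service_id}/navigate/query/"
            f"{encode_query(query)}/date/{start}/{end}")


def dissect_uri(uri: str) -> dict:
    """Pull host, service ID, decoded query and date range back out of a URI."""
    m = _URI_RE.match(uri)
    if m is None:
        raise ValueError("not a URL Integration URI")
    return {"host": m["host"], "service_id": int(m["sid"]),
            "query": decode_query(m["query"]), "start": m["start"], "end": m["end"]}
```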