Investigate: View and Modify Queries Using URL Integration

Document created by RSA Information Design and Development on Sep 18, 2017Last modified by Susan Ewald on Oct 24, 2017
Version 9

Investigation includes an External URL Integration that facilitates integration with third-party products by allowing a search against the NetWitness Suite architecture. By using a query in a URI, you can pivot directly from any product that allows custom links, into a specific drill point in the Investigation view in NetWitness Suite. This integration provides an internal presentation of the user's query.

URL Integration allows the user to identify the service either by its service ID or by its host and port, as defined in NetWitness Suite. If NetWitness Suite is unable to resolve the service, the analyst is redirected to the Navigation view, showing the Service selection dialog. Once the service is selected, the Navigation view is loaded with the drill point defined by the query.

Service ID Known

When the ID of the service to use for investigation is known, the format for entering a URI using a URL-encoded query is:

http://<sa host:port>/investigation/<deviceId>/navigate/query/<encoded query>/date/<start date>/<end date>

where

  • <sa host:port> is the IP address or DNS name of the NetWitness Suite server, with or without a port; use http or https as appropriate for how the server is configured. The port is needed only if access is configured over a non-standard port through a proxy.
  • <deviceId> is the internal service ID in the NetWitness Suite instance for the service to query against. The service ID is always an integer. You can read the relevant service ID from the URL when accessing the Investigation view within NetWitness Suite. This value changes based on the service being connected to for analysis.
  • <encoded query> is the URL-encoded NetWitness Suite query. The length of the query is limited by the URL length limits of the browser and web server.
  • <start date> and <end date> define the date range for the query. The format is <yyyy-mm-dd>T<hh:mm:ss>Z. Both dates should be supplied; if no date is provided, the user defaults for that service are used. Relative ranges (for example, Last Hour) are not supported. All times are run as UTC.
    For example:
    http://localhost:9191/investigation/12/navigate/query/alias%20exists/date/2012-09-01T00:00:00Z/2012-10-31T00:00:00Z

Host and Port Known

When the host and port of the service to use for investigation are known, the format for entering a URI using a URL-encoded query is:

http://<sa host:port>/investigation/<device host:port>/navigate/query/<encoded query>/date/<start date>/<end date>

where

  • <sa host:port> is the IP address or DNS name of the NetWitness Suite server, with or without a port; use http or https as appropriate for how the server is configured. The port is needed only if access is configured over a non-standard port through a proxy.
  • <device host:port> is the host and port of a service defined in the NetWitness Suite instance for the service to query against. NetWitness Suite attempts to resolve the host and port to a service ID defined in NetWitness Suite.
  • <encoded query> is the URL-encoded NetWitness Suite query. The length of the query is limited by the URL length limits of the browser and web server.
  • <start date> and <end date> define the date range for the query. The format is <yyyy-mm-dd>T<hh:mm:ss>Z. Both dates should be supplied; if no date is provided, the user defaults for that service are used. Relative ranges (for example, Last Hour) are not supported in this version. All times are run as UTC.
    For example:
    http://localhost:9191/investigation/concentrator:50105/navigate/query/alias%20exists/date/2012-09-01T00:00:00Z/2012-10-31T00:00:00Z

Examples

These are query examples where the SA Server is 192.168.1.10 and the service ID is 2. Because all times are run as UTC, the times below are UTC.

All activity on 03/12/2013 between 05:00 and 06:00 with a hostname registered

All activity on 03/12/2013 between 17:00 and 17:10 with HTTP traffic to and from IP address 10.10.10.3

Additional Notes

Some values do not need to be encoded as part of the query. For example, IP source and destination addresses, which are commonly used for this integration point, contain only characters that are legal in a URL path, so a third-party application integrating with this feature can reference them without encoding applied. Anything else in the query (spaces, quotes, =, &&, ||, and especially /, ? and #) must be encoded: an unencoded / splits the query into extra path segments and shifts the /date/ segments, and an unencoded ? or # truncates the path.
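The following is an added example, not code from the NetWitness documentation, that builds integration URLs in the two formats above and rebuilds the two queries described under Examples. It assumes only the path layout shown on this page; the meta key names it uses in the constructed queries (alias.host, service, ip.src, ip.dst), the value 80 for HTTP, the https scheme for the 192.168.1.10 server, and the key=value && (key=value || key=value) query syntax are assumptions. The query is always encoded as a single path segment, so the safe-to-leave-unencoded shortcut from the note above is never relied on.

```python
"""Build NetWitness Suite Investigation URLs for the External URL Integration.

Added example, not code from the NetWitness documentation. Assumes the path
layout documented on this page:
  /investigation/<service>/navigate/query/<encoded query>/date/<start>/<end>
The meta key names alias.host, service, ip.src and ip.dst, the value 80 for
HTTP, and the query syntax  key=value && (key=value || key=value)  are
assumptions used only in the constructed example queries.
"""
import re
from datetime import datetime, timezone
from urllib.parse import quote

# <device host:port>: a hostname or address followed by a numeric port.
_HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def service_segment(service) -> str:
    """Return the <deviceId> or <device host:port> path segment.

    A service ID must be an integer; a host:port reference must look like
    one. Anything else is rejected rather than placed in the path, where
    it would be read as extra path segments.
    """
    if isinstance(service, int) and not isinstance(service, bool) and service >= 0:
        return str(service)
    if isinstance(service, str) and _HOST_PORT.match(service):
        return service
    raise ValueError(f"not a service ID or host:port reference: {service!r}")


def _as_utc(when: datetime) -> datetime:
    """Naive datetimes are taken as UTC (the integration runs all times as
    UTC); aware ones are converted, so local time is never passed through."""
    if when.tzinfo is None:
        return when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def _stamp(when: datetime) -> str:
    """<yyyy-mm-dd>T<hh:mm:ss>Z, the only date format the integration accepts."""
    return _as_utc(when).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_investigation_url(sa_host, service, query, start, end, scheme="https"):
    """Return the Investigation URL for `query` against `service` between
    `start` and `end`. `service` is an int service ID or a "host:port" string."""
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if _as_utc(end) <= _as_utc(start):
        raise ValueError("end must be after start (relative ranges are not supported)")
    # Encode the query as ONE path segment. safe="" also escapes "/", "?"
    # and "#", which unencoded would split or truncate the path and shift the
    # /date/ segments; spaces, quotes, "=", "&&" and "||" are escaped as well.
    encoded = quote(query, safe="")
    return (
        f"{scheme}://{sa_host}/investigation/{service_segment(service)}"
        f"/navigate/query/{encoded}/date/{_stamp(start)}/{_stamp(end)}"
    )


def example_service_id() -> str:
    """The page's own 'Service ID Known' example, rebuilt."""
    return build_investigation_url(
        "localhost:9191", 12, "alias exists",
        datetime(2012, 9, 1), datetime(2012, 10, 31), scheme="http")


def example_hostname_registered() -> str:
    """All activity on 2013-03-12 05:00-06:00 UTC with a hostname registered
    (SA Server 192.168.1.10, service ID 2; alias.host is an assumed key)."""
    return build_investigation_url(
        "192.168.1.10", 2, "alias.host exists",
        datetime(2013, 3, 12, 5, 0, 0), datetime(2013, 3, 12, 6, 0, 0))


def example_http_to_and_from_host() -> str:
    """All activity on 2013-03-12 17:00-17:10 UTC with HTTP traffic to or from
    10.10.10.3 (service=80, ip.src and ip.dst are assumed keys)."""
    query = "service=80 && (ip.src=10.10.10.3 || ip.dst=10.10.10.3)"
    return build_investigation_url(
        "192.168.1.10", 2, query,
        datetime(2013, 3, 12, 17, 0, 0), datetime(2013, 3, 12, 17, 10, 0))


if __name__ == "__main__":
    for fn in (example_service_id, example_hostname_registered,
               example_http_to_and_from_host):
        print(fn())
```

Pass the service as an int when you have the service ID and as a "host:port" string when you do not; any other value is rejected before it reaches the path. Datetimes carrying a non-UTC zone are converted, which avoids the common mistake of passing local 5:00 PM and getting a different hour's drill point.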
