Get Network Statistics via netstat activity

The Security Common Orchestration - Get Network Statistics via netstat, workflow activity retrieves the network statistics for an affected resource on a Windows-based system. This activity can accelerate the investigation and remediation process.

The Get Network Statistics via netstat activity can be used with any workflow to retrieve network statistics from a Windows-based system. The machine is queried with the netstat command including the -a and -o parameters. To enhance the output data, get-process command is also invoked.


Possible results for this activity are:

Table 1. Results
Result Description
Success Network statistics were retrieved in JSON format.
Failure An error occurred while attempting to retrieve network statistics. More error information is available in the activity output error.
Table 2. Input variables
Variable Description
target [string] The fully qualified domain name (FQDN) or IP address of the target system.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 3. Output variables
Variable Description
response [string]

A JSON string representing the current running processes on the target machine.

JSON data includes:

Process identifier
local _port
Local port for the network transaction
Status of the TCP connection.
Note: This field is null for UDP connections.
Local fully qualified domain name (FQDN) or IP address
Remote fully qualified domain name (FQDN) or IP address
Remote port of the network transaction
The file path of the process executable
The hash value of the process executable. The hash is in SHA-256 for PowerShell V4 or higher. Otherwise, the hash is in MD5.


The MID Server must support PowerShell.

SHA-256 hash requires PowerShell V4.