The Security Common Orchestration - Get Network Statistics via netstat flow action retrieves the network statistics for an affected resource on a Windows-based system. This flow action can accelerate the investigation and remediation process.

The Get Network Statistics via netstat flow action can be used with any flow to retrieve network statistics from a Windows-based system. The target machine is queried with the netstat command using the -a parameter (all active connections and listening ports) and the -o parameter (the process ID that owns each connection). To enrich that output with the executable path and file hash of each owning process, the Get-Process cmdlet is also invoked, and the combined result is returned as JSON.
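The following PowerShell is an added illustration of the collection described above and is not the flow action's own script. It runs netstat -a -o, joins each connection to its owning process with Get-Process, hashes the executable (SHA-256 where Get-FileHash is available, which is PowerShell 4.0 and later, MD5 otherwise), and emits JSON using the field names documented for the response variable. The -n switch and the helper function names are assumptions of this example: -n keeps addresses numeric so the query is not delayed by reverse DNS lookups, whereas the documented command may return FQDNs. Run it in an elevated session so the paths of privileged processes resolve.

```powershell
# Added example, not the flow action's own code.

function Get-ExecutableHash {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    try {
        # Get-FileHash exists from PowerShell 4.0; older hosts fall back to MD5,
        # which is only usable as a lookup key, not as evidence of file integrity.
        if ($PSVersionTable.PSVersion.Major -ge 4) {
            return (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash
        }
        $md5 = [System.Security.Cryptography.MD5]::Create()
        $stream = [System.IO.File]::OpenRead($Path)
        try { $bytes = $md5.ComputeHash($stream) } finally { $stream.Dispose() }
        return ([System.BitConverter]::ToString($bytes)) -replace '-', ''
    } catch {
        return $null   # unreadable or protected binary
    }
}

function Split-Endpoint {
    param([string]$Endpoint)
    # netstat prints "address:port"; IPv6 addresses are bracketed, so split on the last colon.
    $i = $Endpoint.LastIndexOf(':')
    $addr = $Endpoint.Substring(0, $i).Trim('[', ']')
    $portText = $Endpoint.Substring($i + 1)
    $port = 0
    if (-not [int]::TryParse($portText, [ref]$port)) { $port = $null }   # "*:*" on UDP rows
    return @{ address = $addr; port = $port }
}

function Get-NetworkStatistics {
    # -a: all connections and listening ports; -o: owning PID; -n: numeric output (assumption).
    $lines = netstat -a -n -o

    # One Get-Process call, indexed by PID, instead of one call per netstat row.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }
    $hashCache = @{}

    # Proto, local endpoint, remote endpoint, optional TCP state, PID. Header lines do not match.
    $pattern = '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$'

    $rows = foreach ($line in $lines) {
        if ($line -match $pattern) {
            $proto  = $Matches[1]
            $local  = Split-Endpoint $Matches[2]
            $remote = Split-Endpoint $Matches[3]
            $state  = $Matches[4]          # absent for UDP rows, so this is $null as documented
            $procId = [int]$Matches[5]

            $path = $null
            $proc = $byPid[$procId]
            if ($proc) { try { $path = $proc.Path } catch { $path = $null } }
            if ($path -and -not $hashCache.ContainsKey($path)) {
                $hashCache[$path] = Get-ExecutableHash -Path $path
            }

            [pscustomobject]@{
                pid            = $procId
                protocol       = $proto
                local_address  = $local.address
                local_port     = $local.port
                remote_address = $remote.address
                remote_port    = $remote.port
                state          = $state
                path           = $path
                hash           = $(if ($path) { $hashCache[$path] } else { $null })
            }
        }
    }
    return ($rows | ConvertTo-Json -Depth 3)
}

# Usage: produce the JSON string, then query it the way a downstream flow step would.
$response = Get-NetworkStatistics
$response | ConvertFrom-Json | Where-Object { $_.state -eq 'LISTENING' -and -not $_.path } |
    Format-Table pid, protocol, local_address, local_port
```

Rows whose path is null despite a listening socket are worth a second look during triage: either the collector lacked privilege to read the process (run elevated) or the process is protected, and in both cases the hash is also null and cannot be used for correlation.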

Results

Possible results for this flow action are:

Table 1. Results
Result Description
Success Network statistics were retrieved in JSON format.
Failure An error occurred while attempting to retrieve network statistics. Details are available in the flow action's error output.
Input variables

Table 2. Input variables
Variable Description
target [string] The fully qualified domain name (FQDN) or IP address of the target system.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 3. Output variables
Variable Description
response [string]

A JSON string representing the active network connections and listening ports on the target machine, each entry annotated with its owning process.

Each JSON entry includes:

pid
Process identifier of the process that owns the connection
local_port
Local port of the network transaction
state
Status of the TCP connection (for example LISTENING or ESTABLISHED).
Note: This field is null for UDP connections, because UDP is connectionless and netstat reports no state for it.
local_address
Local fully qualified domain name (FQDN) or IP address
remote_address
Remote fully qualified domain name (FQDN) or IP address
protocol
TCP or UDP
remote_port
Remote port of the network transaction
path
The file path of the process executable
hash
The hash value of the process executable. The hash is SHA-256 on PowerShell V4 or higher. Otherwise, the hash is MD5.

Restrictions

The MID Server must support PowerShell.

SHA-256 hashing requires PowerShell V4 or higher. On older versions the MD5 value can still be used to look up or correlate a known executable, but MD5 is not collision resistant and should not be treated as proof of the file's integrity.