Get Network Statistics via netstat Flow Action

  • Release version: Australia
  • Updated March 12, 2026

    The Security Common Orchestration - Get Network Statistics via netstat flow action retrieves the network statistics for an affected resource on a Windows-based system. This flow action can accelerate the investigation and remediation process.

    The Get Network Statistics via netstat flow action can be used with any flow to retrieve network statistics from a Windows-based system. The machine is queried with the netstat command, using the -a and -o parameters. To enhance the output data, the Get-Process command is also invoked.

    Results

    Possible results for this flow action are:

    Table 1. Results
    Result   Description
    Success  Network statistics were retrieved in JSON format.
    Failure  An error occurred while attempting to retrieve network statistics. More error information is available in the flow action output error.

    Table 2. Input variables
    Variable         Description
    target [string]  The fully qualified domain name (FQDN) or IP address of the target system.

    Output variables

    The output variables contain data that can be used in subsequent activities.

    Table 3. Output variables
    Variable           Description
    response [string]  A JSON string representing the current running processes on the target machine.

    JSON data includes:

    pid
    Process identifier
    local_port
    Local port for the network transaction
    state
    Status of the TCP connection.
    Note:
    This field is null for UDP connections.
    local_address
    Local fully qualified domain name (FQDN) or IP address
    remote_address
    Remote fully qualified domain name (FQDN) or IP address
    protocol
    TCP or UDP
    remote_port
    Remote port of the network transaction
    path
    The file path of the process executable
    hash
    The hash value of the process executable. The hash is in SHA-256 for PowerShell V4 or higher. Otherwise, the hash is in MD5.
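
One way a subsequent activity could triage the response string, grouping sockets by process and handling the null UDP state and the two possible hash algorithms. This is an added example, not code from the product or its documentation; the array-of-objects shape, the state strings, the sample rows, and the function names hashAlgorithm and summarizeConnections are assumptions.

```javascript
// Constructed sample of the `response` output variable. Assumptions: the JSON
// string decodes to an array of objects with the documented keys, and `state`
// carries netstat's own strings (LISTENING, ESTABLISHED, ...).
const sampleResponse = JSON.stringify([
  { pid: 4, protocol: 'TCP', local_address: '0.0.0.0', local_port: 445,
    remote_address: '0.0.0.0', remote_port: 0, state: 'LISTENING',
    path: null, hash: null },
  { pid: 2912, protocol: 'TCP', local_address: '10.0.0.15', local_port: 49822,
    remote_address: '203.0.113.40', remote_port: 443, state: 'ESTABLISHED',
    path: 'C:\\Users\\Public\\updater.exe', hash: 'a'.repeat(64) },
  { pid: 1180, protocol: 'UDP', local_address: '0.0.0.0', local_port: 5353,
    remote_address: '*', remote_port: '*', state: null,
    path: 'C:\\Windows\\System32\\svchost.exe', hash: 'b'.repeat(32) },
]);

// Digest length tells the algorithm: 64 hex chars = SHA-256, 32 = MD5.
function hashAlgorithm(hash) {
  if (typeof hash !== 'string' || hash === '') return null;
  if (/^[0-9a-f]{64}$/i.test(hash)) return 'SHA-256';
  if (/^[0-9a-f]{32}$/i.test(hash)) return 'MD5';
  return 'unknown';
}

// Group socket rows by process so each executable is reviewed once.
function summarizeConnections(responseJson) {
  const rows = JSON.parse(responseJson); // throws on malformed JSON
  if (!Array.isArray(rows)) throw new TypeError('expected a JSON array');
  const byPid = new Map();
  for (const r of rows) {
    if (!byPid.has(r.pid)) {
      byPid.set(r.pid, { pid: r.pid, path: r.path || null,
        algorithm: hashAlgorithm(r.hash), listening: [], established: [], udp: [] });
    }
    const proc = byPid.get(r.pid);
    const local = `${r.local_address}:${r.local_port}`;
    if (String(r.protocol).toUpperCase() === 'UDP') {
      proc.udp.push(local); // state is null for UDP, so branch on protocol
    } else if (r.state === 'LISTENING') {
      proc.listening.push(local);
    } else if (r.state === 'ESTABLISHED') {
      proc.established.push(`${r.remote_address}:${r.remote_port}`);
    } // other TCP states (TIME_WAIT, CLOSE_WAIT, ...) are not summarized
  }
  return [...byPid.values()].map((p) => ({ ...p, notes: [
    p.path === null && 'no executable path returned',
    p.algorithm === 'MD5' && 'MD5 digest (PowerShell below V4): look up as MD5',
    p.algorithm === 'unknown' && 'hash is neither MD5 nor SHA-256',
  ].filter(Boolean) }));
}
```
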

    Restrictions

    The MID Server must support PowerShell.

    SHA-256 hash requires PowerShell V4.