RSA NetWitness® Suite Unified Data Model Meta Entities

Meta Entities

In the RSA NetWitness® Platform, data is parsed into the most accurate meta key available for the given context, which is extremely important for analysts. However, this presents a challenge when a use case does not need the most granular context: an analyst who needs only the high-level context does not want to query every possible key of relevance. For example, to check whether IP 1.1.1.1 showed up in the network, they would need to query 7 different keys, namely ip.src, ip.dst, alias.ip, stransaddr, dtransaddr, forward.ip, device.ip, etc.

Meta Entities provide a way to link similar meta keys together. Once defined, an entity can be used the same way as a key, so analysts can query it like a regular key to reach multiple, similar concepts. For example, all the keys referenced above can be linked as "ip.all".

Note:

  1. Meta Entities are only supported on RSA NetWitness 11.1 and above.
  2. All Meta Keys defined under a Meta Entity should have the same Data Type.
  3. All Meta Keys defined under a Meta Entity should have the same Indexing Level.
  4. Nesting of Meta Entities is not allowed: a Meta Entity can only reference Meta Keys, not another Meta Entity.
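
The structural rules in the note above (same data type, same indexing level, no nesting) can be checked mechanically before an entity is defined. The following Python is an added example, not RSA's code: the dict layout, the function names `validate_entity` and `expand`, and the `sample.key` entry with its `IndexKeys` level are assumptions made for illustration; the other key names, types and levels come from this page.

```python
# Added example. Key metadata is modelled as a plain dict (hypothetical
# structure, not a NetWitness configuration format).
# name -> (data type, index level); names and types are taken from the page,
# except "sample.key", which is constructed to show an index-level mismatch.
KEYS = {
    "alias.ip": ("IPv4", "IndexValue"),
    "ip.dst": ("IPv4", "IndexValue"),
    "ip.src": ("IPv4", "IndexValue"),
    "ip.trans.src": ("IPv4", "IndexValue"),
    "ip.trans.dst": ("IPv4", "IndexValue"),
    "forward.ip": ("IPv4", "IndexValue"),
    "device.ip": ("IPv4", "IndexValue"),
    "alias.host": ("Text", "IndexValue"),
    "sample.key": ("IPv4", "IndexKeys"),
}
ENTITIES = {"ip.all": ["alias.ip", "ip.dst", "ip.src", "ip.trans.src",
                       "ip.trans.dst", "forward.ip", "device.ip"]}


def validate_entity(name, members, keys=KEYS, entities=ENTITIES):
    """Return the rule violations for a proposed entity (empty list = valid)."""
    problems = []
    usable = []
    for m in members:
        if m in entities:
            problems.append(f"{name}: '{m}' is an entity; nesting is not allowed")
        elif m not in keys:
            problems.append(f"{name}: '{m}' is not a known meta key")
        else:
            usable.append(m)
    types = sorted({keys[m][0] for m in usable})
    levels = sorted({keys[m][1] for m in usable})
    if len(types) > 1:
        problems.append(f"{name}: mixed data types {types}")
    if len(levels) > 1:
        problems.append(f"{name}: mixed indexing levels {levels}")
    return problems


def expand(entity, value, entities=ENTITIES):
    """Per-key comparisons that a single query on the entity stands in for."""
    return [f"{key} = {value}" for key in entities[entity]]


if __name__ == "__main__":
    print(validate_entity("ip.all", ENTITIES["ip.all"], entities={}))
    print(validate_entity("bad.mixed", ["ip.src", "alias.host", "sample.key"]))
    print(validate_entity("bad.nested", ["ip.all", "ip.dst"]))
    print(expand("ip.all", "1.1.1.1"))
```
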
  • Entity Name: domain.all
  • Meta Keys in Entity:
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This Entity is linked with all relevant Domain Keys used in RSA NetWitness

  • Entity Name:
  • Meta Keys in Entity: domain
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only be used to capture a Domain when the directionality is not clear

  • Entity Name:
  • Meta Keys in Entity: domain.src
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Source Domain Only

  • Entity Name:
  • Meta Keys in Entity: domain.dst
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Destination Domain Only

  • Entity Name: ec.all
  • Meta Keys in Entity:
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This Entity is linked with all relevant Event Categorization Keys used in RSA NetWitness

  • Entity Name:
  • Meta Keys in Entity: ec.activity
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only contain a value from a predefined list of Event Category - Activities

  • Entity Name:
  • Meta Keys in Entity: ec.outcome
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only contain a value from a predefined list of Event Category - Outcome

  • Entity Name:
  • Meta Keys in Entity: ec.subject
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only contain a value from a predefined list of Event Category - Subject

  • Entity Name:
  • Meta Keys in Entity: ec.theme
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only contain a value from a predefined list of Event Category - Themes

  • Entity Name: email.all
  • Meta Keys in Entity:
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This Entity is linked with all relevant Email Keys used in RSA NetWitness

  • Entity Name:
  • Meta Keys in Entity: email
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only be used to capture an Email when the directionality is not clear

  • Entity Name:
  • Meta Keys in Entity: email.dst
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Destination Email Only

  • Entity Name:
  • Meta Keys in Entity: email.src
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Source Email Only

  • Entity Name: eth.all
  • Meta Keys in Entity:
  • Data Type: MAC
  • Indexing: IndexValue
  • Notes: This Entity is linked with all relevant Mac Address Keys used in RSA NetWitness

  • Entity Name:
  • Meta Keys in Entity: alias.mac
  • Data Type: MAC
  • Indexing: IndexValue
  • Notes: This key should only be used to capture a MAC Address when the directionality is not clear

  • Entity Name:
  • Meta Keys in Entity: eth.dst
  • Data Type: MAC
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Destination MAC Address Only.

  • Entity Name:
  • Meta Keys in Entity: eth.src
  • Data Type: MAC
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Source MAC Address Only.

  • Entity Name: host.all
  • Meta Keys in Entity:
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This Entity is linked with all relevant Hostname Keys used in RSA NetWitness

  • Entity Name:
  • Meta Keys in Entity: alias.host
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only be used to capture a hostname when the directionality is not clear

  • Entity Name:
  • Meta Keys in Entity: host.dst
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Destination Hostnames Only.

  • Entity Name:
  • Meta Keys in Entity: host.src
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Source Hostnames Only.

  • Entity Name:
  • Meta Keys in Entity: device.host
  • Data Type: Text
  • Indexing: IndexValue
  • Notes: This is a Reserved Field, used to capture the Hostname of the Event Source

  • Entity Name: ip.all
  • Meta Keys in Entity:
  • Data Type: IPv4
  • Indexing: IndexValue
  • Notes: This Entity is linked with all relevant IPv4 Keys used in RSA NetWitness

  • Entity Name:
  • Meta Keys in Entity: alias.ip
  • Data Type: IPv4
  • Indexing: IndexValue
  • Notes: This key should only be used to capture an IPv4 Address when the directionality is not clear

  • Entity Name:
  • Meta Keys in Entity: ip.dst
  • Data Type: IPv4
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Destination IPv4 Address Only.

  • Entity Name:
  • Meta Keys in Entity: ip.src
  • Data Type: IPv4
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Source IPv4 Address Only.

  • Entity Name:
  • Meta Keys in Entity: ip.trans.src
  • Data Type: IPv4
  • Indexing: IndexValue
  • Notes: This key should only be used to capture a translated Source IPv4 Address only

  • Entity Name:
  • Meta Keys in Entity: ip.trans.dst
  • Data Type: IPv4
  • Indexing: IndexValue
  • Notes: This key should only be used to capture a translated Destination IPv4 Address only

  • Entity Name:
  • Meta Keys in Entity: forward.ip
  • Data Type: IPv4
  • Indexing: IndexValue
  • Notes: This is used to capture the IPv4 Address of the Relay system in between the Event source and Destination

  • Entity Name:
  • Meta Keys in Entity: device.ip
  • Data Type: IPv4
  • Indexing: IndexValue
  • Notes: This is a Reserved Field, used to capture the IPv4 Address of the Event Source

  • Entity Name: ipv6.all
  • Meta Keys in Entity:
  • Data Type: IPv6
  • Indexing: IndexValue
  • Notes: This Entity is linked with all relevant IPv6 Keys used in RSA NetWitness

  • Entity Name:
  • Meta Keys in Entity: alias.ipv6
  • Data Type: IPv6
  • Indexing: IndexValue
  • Notes: This key should only be used to capture an IPv6 Address when the directionality is not clear

  • Entity Name:
  • Meta Keys in Entity: device.ipv6
  • Data Type: IPv6
  • Indexing: IndexValue
  • Notes: This is a Reserved Field, used to capture the IPv6 Address of the Event Source

  • Entity Name:
  • Meta Keys in Entity: forward.ipv6
  • Data Type: IPv6
  • Indexing: IndexValue
  • Notes: This is used to capture the IPv6 Address of the Relay system in between the Event source and Destination

  • Entity Name:
  • Meta Keys in Entity: ipv6.dst
  • Data Type: IPv6
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Destination IPv6 Address Only.

  • Entity Name:
  • Meta Keys in Entity: ipv6.src
  • Data Type: IPv6
  • Indexing: IndexValue
  • Notes: This key should only be used to capture Source IPv6 Address Only.

  • Entity Name: port.all
  • Meta Keys in Entity:
  • Data Type: UInt16
  • Indexing: IndexValue
  • Notes: This Entity is linked with all relevant Port Keys used in RSA NetWitness

  • Entity Name:
  • Meta Keys in Entity: port
  • Data Type: UInt16
  • Indexing: IndexValue
  • Notes: This key should only be used when the directionality context of Port is not clear

  • Entity Name:
  • Meta Keys in Entity: port.src
  • Data Type: UInt16
  • Indexing: IndexValue
  • Notes: This key should only be used when it’s a Source Port.

  • Entity Name:
  • Meta Keys in Entity: port.dst
  • Data Type: UInt16
  • Indexing: IndexValue
  • Notes: This key should only be used when it’s a Destination Port.

  • Entity Name:
  • Meta Keys in Entity: tcp.srcport
  • Data Type: UInt16
  • Indexing: IndexValue
  • Notes: This key should only be used when it’s a TCP based Source Port.

  • Entity Name:
  • Meta Keys in Entity: tcp.dstport
  • Data Type: UInt16
  • Indexing: IndexValue
  • Notes: This key should only be used when it’s a TCP based Destination Port.

  • Entity Name:
  • Meta Keys in Entity: udp.srcport
  • Data Type: UInt16
  • Indexing: IndexValue
  • Notes: This key should only be used when it’s a UDP based Source Port.

  • Entity Name:
  • Meta Keys in Entity: udp.dstport
  • Data Type: UInt16
  • Indexing: IndexValue
  • Notes: This key should only be used when it’s a UDP based Destination Port.

  • Entity Name:
  • Meta Keys in Entity: port.trans.src
  • Data Type: UInt16
  • Indexing: IndexValue
  • Notes: This key should only be used when it’s a Source Translated Port Number

  • Entity Name:
  • Meta Keys in Entity: port.trans.dst
  • Data Type: UInt16
  • Indexing: IndexValue
  • Notes: This key should only be used when it’s a Destination Translated Port Number

  • Entity Name: port.src.all
  • Meta Keys in Entity:
  • Data Type: UInt16
  • Indexing: IndexValue
  • Notes: