The policy.name meta key is returning multiple values for the same key in NetWitness
Issue
policy.name is populated with two different source values, so it is unclear which value a rule built on this key will actually match.
Cause
policy.name was carried over from RSA enVision, and index-table-map.xml maps both the policy name (policyname) and the signature name (signame) onto that one key:
<mapping envisionName="signame" nwName="policy.name" flags="None" envisionDisplayName="SignatureName"/>
<mapping envisionName="policyname" nwName="policy.name" flags="None" envisionDisplayName="PolicyName"/>
Workaround
To separate policy.name from the signature name, add a custom mapping to table-map-custom.xml on the Log Decoder and a matching index key to index-concentrator-custom.xml on the Concentrator.
On the Log Decoder, in table-map-custom.xml, add:
<mapping envisionName="signame" nwName="sig.name" flags="None" envisionDisplayName="SignatureName"/>
On the Concentrator, in index-concentrator-custom.xml, add:
<key description="Sig Name" level="IndexValues" name="sig.name" format="Text" valueMax="10000" />
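Before and after applying the workaround it is worth confirming that no NetWitness key is still fed by more than one enVision source, and that every key the decoder writes is actually indexed on the concentrator. The following script is an added example written for this article, not RSA/NetWitness code; it parses constructed XML fragments modelled on the excerpts above (the `<mappings>` and `<language>` root elements and the extra `user.dst` entries are assumptions) and assumes that a table-map-custom.xml entry with the same envisionName replaces the base entry, which is what the workaround relies on.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed samples modelled on the article's index-table-map.xml excerpt and on the
# two workaround lines. They are not copies of the shipped NetWitness files.
SAMPLE_TABLE_MAP = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="signame" nwName="policy.name" flags="None" envisionDisplayName="SignatureName"/>
  <mapping envisionName="policyname" nwName="policy.name" flags="None" envisionDisplayName="PolicyName"/>
  <mapping envisionName="username" nwName="user.dst" flags="None" envisionDisplayName="UserName"/>
</mappings>
"""

# table-map-custom.xml entry from the workaround: signame now lands in its own key.
SAMPLE_TABLE_MAP_CUSTOM = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="signame" nwName="sig.name" flags="None" envisionDisplayName="SignatureName"/>
</mappings>
"""

# Constructed stand-in for the concentrator's default index file (root element is an assumption).
SAMPLE_INDEX = """<?xml version="1.0" encoding="utf-8"?>
<language>
  <key description="Policy Name" level="IndexValues" name="policy.name" format="Text" valueMax="10000" />
  <key description="Destination User" level="IndexValues" name="user.dst" format="Text" valueMax="100000" />
</language>
"""

# index-concentrator-custom.xml entry from the workaround.
SAMPLE_INDEX_CUSTOM = """<?xml version="1.0" encoding="utf-8"?>
<language>
  <key description="Sig Name" level="IndexValues" name="sig.name" format="Text" valueMax="10000" />
</language>
"""


def load_mappings(xml_text):
    """Return (envisionName, nwName) pairs from a table-map style XML document."""
    root = ET.fromstring(xml_text)
    return [(m.get("envisionName"), m.get("nwName")) for m in root.iter("mapping")]


def effective_mappings(base_xml, custom_xml=None):
    """Return {envisionName: nwName} after applying the custom file.

    Assumption: an entry in the custom file with the same envisionName replaces
    the base entry, which is how the article's workaround redirects signame.
    """
    mapping = dict(load_mappings(base_xml))
    if custom_xml is not None:
        mapping.update(load_mappings(custom_xml))
    return mapping


def find_collisions(mapping):
    """Return {nwName: [envisionNames]} for every NetWitness key fed by more than one source."""
    by_nw = defaultdict(set)
    for env_name, nw_name in mapping.items():
        by_nw[nw_name].add(env_name)
    return {nw: sorted(envs) for nw, envs in by_nw.items() if len(envs) > 1}


def indexed_keys(*index_xmls):
    """Collect the key names declared in one or more index-concentrator style files."""
    names = set()
    for xml_text in index_xmls:
        root = ET.fromstring(xml_text)
        names.update(k.get("name") for k in root.iter("key"))
    return names


def unindexed_keys(mapping, *index_xmls):
    """nwNames that the decoder writes but the concentrator has no index entry for."""
    return sorted(set(mapping.values()) - indexed_keys(*index_xmls))


if __name__ == "__main__":
    before = effective_mappings(SAMPLE_TABLE_MAP)
    print("collisions before workaround:", find_collisions(before))
    after = effective_mappings(SAMPLE_TABLE_MAP, SAMPLE_TABLE_MAP_CUSTOM)
    print("collisions after workaround:", find_collisions(after))
    print("missing index keys (decoder change only):", unindexed_keys(after, SAMPLE_INDEX))
    print("missing index keys (both files applied):",
          unindexed_keys(after, SAMPLE_INDEX, SAMPLE_INDEX_CUSTOM))
```

Run against the real files by reading index-table-map.xml, table-map-custom.xml, index-concentrator.xml and index-concentrator-custom.xml into the four strings. The second check matters because applying only the Log Decoder half of the workaround leaves sig.name unindexed, so the values are written but cannot be queried or used in rules on the Concentrator.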
Notes
For more information on creating custom meta keys, refer to the RSA Security Analytics documentation.
Product Details
RSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: Log Decoder, Concentrator, Event Stream Analysis
RSA Version/Condition: 10.4, 10.5, 10.6, 11.x, 12.x