
What does the medium meta key indicate in RSA Security Analytics queries and rules?

Tasks

The purpose of this article is to help with interpreting strings such as "medium = 32" that are found in queries and rules within RSA Security Analytics.

Resolution

Sessions in Security Analytics can be created by various means, such as packets ingested by a Packet Decoder, logs ingested by a Log Decoder, sessions created due to correlation rule matches, etc.

The medium meta key of a session indicates the session type (packets, logs, correlation, and so on). For example, if a session is created by a Packet Decoder after ingesting an Ethernet packet, the medium meta key value is set to 1. If a session is created by a Log Decoder after ingesting a log, the medium meta key value is set to 32. If a session is created by the correlation engine because a session matched a correlation rule, the medium meta key value is set to 33. Note that the values 1 through 13 are all packet sessions, distinguished by link-layer type: a rule written as medium = 1 matches only Ethernet packet sessions and will not match, for instance, 802.11 packet sessions (medium = 6 through 12).

The meaning of each integer for this meta key is defined in the /etc/netwitness/ng/index-concentrator.xml file on Concentrator appliances. The values are also listed in the table below.

Notes

The table below shows the relation between the medium meta key integers and the session types.

Integer   Session Type
1         Ethernet
2         Tokenring
3         FDDI
4         HDLC
5         NetWitness
6         802.11
7         802.11 Radio
8         802.11 AVS
9         802.11 PPI
10        802.11 PRISM
11        802.11 Management
12        802.11 Control
13        DLT Raw
32        Logs
33        Correlation
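The helper below is an added example and is not part of this article or of the Security Analytics product. It scans the text of a query or rule for medium conditions, expands them using the table above, and reports any integer that has no session type in the table, which is a quick way to catch a typo such as medium = 31 before deploying a rule. The supported clause syntax (a single value, a comma-separated list, a low-high range, and the = and != operators) is an assumption made for the example, and the sample rule strings are constructed.

```python
import re

# Mapping of medium meta key integers to session types, as listed in this
# article (the same values are defined in index-concentrator.xml).
MEDIUM_TYPES = {
    1: "Ethernet", 2: "Tokenring", 3: "FDDI", 4: "HDLC", 5: "NetWitness",
    6: "802.11", 7: "802.11 Radio", 8: "802.11 AVS", 9: "802.11 PPI",
    10: "802.11 PRISM", 11: "802.11 Management", 12: "802.11 Control",
    13: "DLT Raw", 32: "Logs", 33: "Correlation",
}

# Assumed clause syntax: "medium = 32", "medium = 1,32" (list),
# "medium = 6-12" (range), with "=" or "!=" as the operator. The lookahead
# stops the value at the next "&&", "||", ")" or end of string.
_MEDIUM_CLAUSE = re.compile(
    r"\bmedium\s*(=|!=)\s*([0-9,\s-]+?)(?=\s*(?:&&|\|\||\)|$))"
)


def expand_values(value_text):
    """Expand a value expression such as '1,32' or '6-12' into sorted integers."""
    values = set()
    for part in value_text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            values.update(range(low, high + 1))
        else:
            values.add(int(part))
    return sorted(values)


def describe_rule(rule):
    """Return (operator, integer, session_type) for every medium value a rule references.

    session_type is None when the integer is not in MEDIUM_TYPES.
    """
    findings = []
    for operator, value_text in _MEDIUM_CLAUSE.findall(rule):
        for value in expand_values(value_text):
            findings.append((operator, value, MEDIUM_TYPES.get(value)))
    return findings


def unknown_mediums(rule):
    """Integers referenced in medium clauses that have no session type in the table."""
    return [value for _, value, name in describe_rule(rule) if name is None]


if __name__ == "__main__":
    # Constructed sample rules, not taken from any real deployment.
    samples = [
        "medium = 32 && device.type = 'apache'",
        "medium = 1,32 && ip.src = 10.0.0.1",
        "medium = 6-8",
        "medium = 31 && risk.warning exists",   # typo for 32: flagged as unknown
    ]
    for rule in samples:
        print(rule)
        for operator, value, name in describe_rule(rule):
            print(f"  medium {operator} {value} -> {name or 'UNKNOWN'}")
        if unknown_mediums(rule):
            print("  WARNING: unknown medium value(s):", unknown_mediums(rule))
```

Running the script prints each sample rule followed by the session type of every medium value it references, and warns on the rule that uses 31, which is not a defined value.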


Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Reporting Engine
Platform: CentOS

Summary

How to understand strings such as medium = 32 in Security Analytics queries and rules.

