Article Content
Article Number | 000029299
Applies To | RSA Product Set: Security Analytics; RSA Product/Service Type: Security Analytics UI, Reporting Engine; Platform: CentOS
Tasks | The purpose of this article is to help with interpreting strings such as "medium = 32" that are found in queries and rules within RSA Security Analytics.
Resolution | Sessions in Security Analytics can be created by various means, such as packets ingested by a Packet Decoder, logs ingested by a Log Decoder, or sessions created by correlation rule matches. The medium meta key of a session indicates the session type (i.e. packets, logs, correlation, etc.). For example, if a session is created by a Packet Decoder after ingesting an Ethernet packet, the medium meta key value is set to 1. If a session is created by a Log Decoder after ingesting a log, the medium meta key value is set to 32. If a session is created by the correlation engine because a session matched a correlation rule, the medium meta key value is set to 33. The interpretation of each integer for the meta key can be found in the /etc/netwitness/ng/index-concentrator.xml file on concentrator appliances. The values are also provided in the table below.
Notes | The table below shows the relation between the medium meta key integers and the session types.
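The following is an added example, not RSA's code and not part of the original article: it reads the medium aliases from an index file and explains each `medium = N` test found in a rule or query string. The XML layout (a `key` element named `medium` with `alias` children), the sample file contents, the label wording and the function names `load_medium_aliases` and `explain` are assumptions made for illustration; check the element names against the actual index-concentrator.xml before relying on it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not copied from an appliance. ASSUMED layout: a
# <key name="medium"> element with <alias value="N">label</alias> children.
# Only the three values the article names are listed; labels are paraphrased.
SAMPLE_INDEX = """<language>
  <key name="medium">
    <aliases>
      <alias value="1">Ethernet packet session (Packet Decoder)</alias>
      <alias value="32">Log session (Log Decoder)</alias>
      <alias value="33">Correlation rule match</alias>
    </aliases>
  </key>
  <key name="service">
    <aliases><alias value="32">alias of another key, must be ignored</alias></aliases>
  </key>
</language>"""

def load_medium_aliases(xml_text):
    """Return {integer value: label} for the medium key only."""
    aliases = {}
    for key in ET.fromstring(xml_text).iter("key"):
        if key.get("name") != "medium":
            continue
        for alias in key.iter("alias"):
            try:
                aliases[int(alias.get("value", ""))] = (alias.text or "").strip()
            except ValueError:
                continue  # skip entries whose value is not an integer
    return aliases

# Matches "medium = 32", "medium=32", "medium != 1"; the lookbehind rejects
# keys that merely end in "medium" (e.g. "x.medium").
MEDIUM_RE = re.compile(r"(?<![\w.])medium\s*(?:!=|=)\s*(\d+)\b")

def explain(rule, aliases):
    """Return (matched expression, session type) for each medium test in rule."""
    return [(m.group(0), aliases.get(int(m.group(1)), "not in alias table"))
            for m in MEDIUM_RE.finditer(rule)]

if __name__ == "__main__":
    table = load_medium_aliases(SAMPLE_INDEX)
    for rule in ("medium = 32 && ip.src = 10.0.0.5", "medium=1 || medium = 33", "medium = 7"):
        for expr, meaning in explain(rule, table):
            print(f"{rule!r}: {expr} -> {meaning}")
```

On an appliance, pass the contents of /etc/netwitness/ng/index-concentrator.xml to `load_medium_aliases` instead of the constructed sample.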