000029299 - What does the "medium" meta key indicate in RSA Security Analytics queries and rules?

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000029299
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Reporting Engine
Platform: CentOS
Tasks: The purpose of this article is to help with interpreting strings such as "medium = 32" that are found in queries and rules within RSA Security Analytics.
Resolution: Sessions in Security Analytics can be created by various means, such as packets ingested by a Packet Decoder, logs ingested by a Log Decoder, sessions created due to correlation rule matches, etc.
The medium meta key of a session indicates the session type (packets, logs, correlation, etc.). For example, if a session is created by a Packet Decoder after ingesting an Ethernet packet, the medium meta key value is set to 1. If a session is created by a Log Decoder after ingesting a log, the medium meta key value is set to 32. If a session is created by the correlation engine because a session matched a correlation rule, the medium meta key value is set to 33.
The interpretation of each integer for the meta key can be found in the /etc/netwitness/ng/index-concentrator.xml file on concentrator appliances. The values are also provided in the table below.
Notes: The table below shows the relation between the medium meta key integers and the session types.
 
Integer   Session Type
1         Ethernet
2         Tokenring
3         FDDI
4         HDLC
5         NetWitness
6         802.11
7         802.11 Radio
8         802.11 AVS
9         802.11 PPI
10        802.11 PRISM
11        802.11 Management
12        802.11 Control
13        DLT Raw
32        Logs
33        Correlation
