SA: Terminology

Document created by RSA Information Design and Development on Jul 21, 2016Last modified by RSA Information Design and Development on Jul 24, 2016
Version 2Show Document
  • View in full screen mode


Administration moduleThe Administration module is the user interface for administering and monitoring appliances, devices, and services. When configured, appliances, devices, and services are available to other Security Analytics modules.
AlertsThe Security Analytics Alerts module is the user interface for automated alerting functions.
Anonymised data"Data are anonymised if all identifying elements have been eliminated from a set of personal data. No element may be left in the information which could, by exercising reasonable effort, serve to re-identify the person(s) concerned. Where data have been successfully anonymised, they are no longer personal data." (Source - EU_DP_LAW_HANDBOOK) This term is defined as part of the Security Analytics data privacy solution.
anonymizationThe Privacy Technology Focus Group defines anonymization as a technology that converts clear text data into a nonhuman readable and irreversible form, including but not limited to one-way hashes and encryption techniques in which the decryption key has been discarded. This term is defined as part of the Security Analytics data privacy solution.
ArchiverThe RSA Archiver is an appliance that enables long-term log archiving by indexing and compressing log data and sending it to archiving storage. 


BrokerThe RSA Broker is an appliance and a service in the Security Analytics network. Brokers aggregate data captured by configured Concentrators, and Concentrators aggregate data from Decoders. Therefore, a Broker bridges the multiple real-time data stores held in the various Decoder/Concentrator pairs throughout the infrastructure.


capacitySecurity Analytics has a modular-capacity architecture enabled with direct-attached capacity (DACs) or storage area networks (SANs), that adapts to the organization's short-term investigation and longer-term analytic and data-retention needs.
collectionsCollections are log retention sets for storing log data. For each collection, you can specify how much of the total storage space to use and how many days to retain the logs in the collection. You configure collections in Archiver.
ConcentratorThe RSA Concentrator is an appliance and service in the Security Analytics network. Concentrators index metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while also facilitating reporting and alerting.
Core DatabaseThis refers to the combination of the Packet, Meta, Session, and Index data.
Core servicesIn Security Analytics, the Core services ingest and parse data, generate meta data, and aggregate generated meta data with the raw data. The Core services are Decoder, Log Decoder, Concentrator, and Broker.


dashboardThe Security Analytics dashboard is the user interface displayed in a browser when logged on to Security Analytics. It can also be referred to as the dashboard in the generic sense. For example: You can create custom dashboards in the Security Analytics dashboard. In the specific sense "Security Analytics dashboard" replaces "Unified Dashboard".
DecoderThe RSA Decoder is an appliance and service in the Security Analytics network. In the Security Analytics network, packet data is collected using an appliance called Decoder, while the Log Decoder collects log events. The Decoder captures, parses, and reconstructs all network traffic from Layers 2 - 7, or log and event data from hundreds of devices.
downstream system and componentsAs opposed to core components, downstream systems use data stored on Core services for analytics, therefore, the operations of downstream services are dependent on Security Analytics Core services. The downstream systems are Archiver, Warehouse, ESA, Malware Analysis, Investigation, and Reporting.
drill pointA set of data that an analyst has brought into focus using queries and filters in the Investigation view. In effect, the analyst drills into the captured data to find interesting data that may harbor harmful files or code.


Event Stream Analysis (ESA)The RSA Event Stream Analysis (ESA) appliance provides advanced stream analytics such as correlation and complex event processing at high throughputs and low latency. It is capable of processing large volumes of disparate event data from Concentrators. ESA uses an advanced Event Processing Language that allows analysts to express filtering, aggregation, joins, pattern recognition, and correlation across multiple disparate event streams. Event Stream Analysis helps to perform powerful incident detection and alerting.
EVPEvents per second is a measure of the processing capacity for an RSA host that is consuming data.


forensics implementationIn a forensics implementation, the base Security Analytics configuration requires these components: Decoder, Concentrator, Broker, ESA, and Malware Analysis. An optional component is the Incident Management service, which resides on the ESA system and is used to prioritize alerts.
FirstWatchRSA FirstWatch is a research and analysis organization focused on emerging, sophisticated threats around the globe. Tracking over 5 million IPs and domains and dozens of unique threat sources, RSA FirstWatch delivers situational awareness and threat intelligence from across RSA’s research and incident response community.


Global Audit Logging

Global Audit Logging provides Security Analytics auditors with consolidated visibility into user activities within Security Analytics in real-time from one centralized location. This visibility includes audit logs gathered from the Security Analytics system and the different services throughout the Security Analytics infrastructure.


hashingAn obfuscation method used to protect sensitive data.
hostPhysical equipment or virtual machine, designated by a Fully Qualified Domain Name (FQDN) or IP address, on which any Security Analytics service is installed [that is the Security Analytics server, appliance service, Archiver service, Broker service, Concentrator service, Broker service, Decoder service (Packets and Logs), Hybrid, Malware Analysis service, Event Stream Analysis service, Log Collector service, Security Analytics Warehouse service, Workbench service, Reporting Engine service, and IPDB Extractor service].


identifiability"An individual is identified in this information; or if an individual, while not identified, is described in this information in a way which makes it possible to find out who the data subject is by conducting further research." (Source - EU_DP_LAW_HANDBOOK) This term is used when discussing the Security Analytics data privacy solution.
Incident Management serviceThe Incident Management service resides on the ESA system and is used to prioritize alerts.
Incidents moduleThe Incidents module provides the Incident Management function in Security Analytics. The incident management function is an easy way to track the incident response process.
indexThe index is a collection of files that provides a way to look up Session IDs using meta values.
Investigation moduleThe Investigation module is the Security Analytics user interface that allows visualization and reconstruction of packets and logs captured by Security Analytics appliances.


job systemThe Security Analytics jobs system lets you begin a long-running task and continue using other parts of Security Analytics while the job is running. Not only can you monitor the progress of the task, but you can also receive notifications when the task has completed and whether the result was success or failure. While you are working in Security Analytics, you can open a quick view of your jobs from the toolbar.


Live moduleThe Live module is the Security Analytics user interface to access and manage resources available to customers through the Live Content Management System.
Log DecoderA Log Decoder is a type of Decoder that collects logs rather than packets. It can collect four different log types - Syslog, ODBC, Windows eventing, and flat files.


Malware AnalysisMalware Analysis is an appliance and a co-located service in Security Analytics. The service is used for automated malware analysis and is accessible through the Investigation module.
Message DigestUses a one-way hash function to turn an arbitrary number of bytes into a fixed-length byte sequence. This is used as part of a data privacy solution.
meta DBThe meta database contains items of information that are extracted by a Decoder or Log Decoder from the raw data stream. Parsers, rules, or feeds can generate meta items.
Meta IDA number used to uniquely identify a meta item in the meta database.
meta data or meta itemsA Decoder ingests and parses raw data, creating meta items (meta data) in the process.
meta keyA name used to classify the type of each meta item. Common meta keys include ip.src, time, or service.
meta valueEach meta item contains a value. The value is what each parser, feed, or rule generates.
metered licensingMetered licensing is a Security Analytics licensing method based on a throughput per day of logs (SIEM) or network packets (Network Monitoring and Network Malware), combined with the separate purchase of the hardware needed to deploy the system and meet customers' retention requirements.


NetWitness or NextGen deviceAn RSA Broker, Concentrator, Decoder, Log Decoder, or Log Collector. If you see the term NextGen device, or NetWitness device change it to Core device.


out-of-the-box trial licensingSecurity Analytics 10.5 ships with a default Trial out-of-the-box license that enables customers to use the product with full functionality for 90 days. The 90-day time period begins when the Security Analytics user interface is configured and used for the first time.
Out-of-Compliance bannersA red banner is displayed during log on if your license is expired or you have exceeded your allotted usage. You may also see a red banner if your license has internal errors. A red banner cannot be dismissed. A yellow banner is displayed during system log on if your license is approaching expiration or you are nearing your allotted usage. You can dismiss the yellow banner by clicking the Dismiss button.


Packet IDA number used to uniquely identify a packet or log in a packet database.
packet DBThe packet database contains the raw, captured data. On a Decoder, the packet database contains packets as captured from the network. Log Decoders use the packet database to store raw logs. The raw data stored in the packet database is accessible by a Packet ID, however, this ID is typically never visible to the end user.
personal data"Under EU law, personal data are defined as information relating to an identified or identifiable natural person, that is, information about a person whose identity is either manifestly clear or can at least be established by obtaining additional information." (Source - EU_DP_LAW_HANDBOOK)


RSA Analytics WarehouseA Hadoop-based distributed computing system, which collects, manages, and enables analytics and reporting on longer-term sets of security data, for example, months or years. The Warehouse can be made up of three or more nodes depending on the organization's analytic, archiving, and resiliency requirements. It requires a service called Warehouse Connector to collect meta and events from Decoder and Log Decoder and writes them in Avro format into a Hadoop-based distributed computing system.
Reports moduleThe Reports module is the Security Analytics user interface for automated reporting functions.
rolesIn Security Analytics, roles determine what users can do. A role has permissions assigned to it and you must assign a role to each user. The user then has permission to do what the role allows.


Security Analytics Core (formerly NextGen)The following products are part of the Security Analytics Core suite: Decoder, Log Decoder, Concentrator, Broker, Archiver, Workbench.
Security Analytics ServerThe web server for reporting, investigation, administration, and other aspects of the analysts interface. Also enables reporting on data held in the Warehouse.
sensitive dataRegulatory mandates in some locations, for example the European Union (EU), require that information systems provide a means of protecting data when operating on sensitive data. Any data that could directly or indirectly depict "Who did what when?" may be considered personally identifiable or sensitive data.
serviceA service runs on a host and performs a unique function, such as collecting logs or archiving data. Security Analytics services include Archiver, Broker, Concentrator, Decoder, Event Stream Analysis, Incident Management, IPDB Extractor, Log Collector, Log Decoder, Malware Analysis, Reporting Engine, Warehouse Connector, and Workbench.
service-based licensingThis is a per-service permanent Security Analytics license that has no expiration date. Support for service-based licensing is applicable for all appliances that require a license.
sessionOn a packet Decoder, a session represents a single, logical, network stream. For example, a TCP/IP connection is one session. On a Log Decoder, each log event is one session. Each session contains references to all the Packet IDs and Meta IDs that refer to the session.
Session IDA number used to uniquely identify a session in the Session DB.
Session DBThe session database contains information that ties the packet and meta items together into sessions.
SIEM implementationIn a security information and event management (SIEM) implementation, the base Security Analytics configuration requires these components: Log Decoder, Concentrator, Broker, Event Stream Analysis (ESA), and the Security Analytics server.
subscription licensingSubscription licenses for Security Analytics are offered for a specific time period that ranges from 12 to 36 months. Once licensed, subscription licenses are non-cancellable and non-downgradeable.


Transient dataIn Security Analytics, transient data is not stored on disk. When a meta key is marked as transient in the custom index file or the Services Config view where parsers for the service are configured, the Decoder, Log Decoder does not save the meta key to disk, but holds it in memory where it can be analyzed until overwritten.


virtual host(Formally virtual appliance) Virtual machine, designated by a Fully Qualified Domain Name (FQDN)) or IP address, on which any Security Analytics service runs (that is the appliance service, Archiver service, Broker service, Concentrator service, Broker service, Decoder service (Packets and Logs), Hybrid, Malware Analysis service, Event Stream Analysis service, Log Collector service, Security Analytics Warehouse service, Workbench service, Reporting Engine service, and IPDB Extractor service. A virtual instance of a Security Analytics appliance.


Warehouse ConnectorWarehouse Connector collects meta and events from Decoders and writes them in Avro format into a Hadoop-based distributed computing system. You can set up Warehouse Connector as a service on existing Log Decoders or Decoders or it can be run as a virtual appliance in your virtual environment.
Windows eventingWindows eventing pertains to Log Decoders, and refers to the Windows 2008 collection methodology and flat files can be obtained via SFTP.




You are here: Introduction to Security Analytics > Terminology