Investigation: Manage and Apply Default Meta Keys in an Investigation

Document created by RSA Information Design and Development on Jul 22, 2016
Version 1Show Document
  • View in full screen mode
 

When analysts are conducting an investigation of captured data in Investigation, a default set of meta keys is loaded and displayed in a default sequence in the Navigate view > Values panel. The default content and sequence is based on the meta keys for the service being investigated. Analysts can specify the meta keys to display during navigation by selecting the default meta keys or by selecting a user-defined group of meta keys, which provides great flexibility to define meta keys. This can help to drill down more directly to the desired data and to reduce the load time by preventing the loading of meta that is not of interest in the current investigation.

If no custom meta groups are in effect, the Navigate view is displayed with the meta key visibility specified in the Default Meta Keys dialog. To optimize loading of meta keys in the Navigate view > Values panel, Security Analytics does not open non-indexed meta keys by default. When you open a non-indexed meta key in the Values view, Security Analytics begins loading values for that meta key. If the load time is excessive, the load of the meta key times out with a message. Title, values, and counts for non-indexed meta keys are not drillable in the Values panel. Additional labeling in Investigation identifies the non-indexed meta keys, which were also present in prior releases.

To select the meta keys to apply to your investigation, you can.

  • Select the default meta keys.
  • Select a user-defined set of meta keys, called a meta group.

Note:  Security Analytics has no built-in meta groups besides the default group. Additional meta groups must be defined before they appear in the Use Meta Group menu. Once created, user-defined meta groups can be edited, deleted, exported for use on other services, and imported to the service you are investigation. All of these procedures are provided in a separate topic: Manage User-Defined Meta Groups.

The Default Meta Keys dialog allows you to specify the default view and display sequence for meta keys during navigation in the Investigation > Navigate view for a specific service. For each key or for all keys, you can set the default view to:

  • Hidden: Results for default meta key are hidden and are not available to load.
  • Open: Results for default meta key are open with all values and counts displayed.
  • Close: Results for default meta key are closed with only the meta name visible.
  • Auto: The loading of default meta keys is controlled by the index level, which must be Indexed By Value. 

When using the default meta keys, be aware that these can be modified for different services, and you may not be seeing the same set of default meta keys when navigating to a drill point on different services. If you do not see the expected data, you may need to change the initial view of the default meta keys.

When you change the initial state of default meta keys from within the Navigate view, the change persists for that service. When new keys are added to the custom index file for a Core service (for example, broker-custom-index.xml, decoder-custom-index.xml), the new keys are added to the default meta keys list. The changes made in the Navigate view apply only to the current service.

Use Default Meta Keys

To specify that the initial Navigate view opens using default meta keys:

  1. In the Security Analytics menu, select Investigation > Navigate.
  2. Select a service, and select Navigate.
  3. In the Meta menu, select Use Default Meta Keys.
    If an investigation is already in progress, the data is reloaded in the current view and an icon highlights the selected option. If no data is loaded yet, the default meta keys are used for the next load.

Configure Default Meta Keys

To configure the default view of default meta keys in the Investigation > Navigate view:

  1. In the Navigate View toolbar, select Meta > Manage Default Meta Keys.
    The Manage Default Meta Keys dialog is displayed with the list of available meta keys for the service.
    ManDefMetKeyDg.png
  2. (Optional) To change the order of the keys, select one or more keys, and drag the values up or down through the list of keys.
  3. Do one of the following:
    1. (Optional) To change the default view for all meta keys, make sure that no keys are selected and in the toolbar, select  ViewOption.png.
    2. (Optional) To change the default view for one or more keys, select the keys and in the toolbar, select  ViewOption.png.
      A drop-down of possible initial views for all default meta keys is displayed.
    3. (Optional) To revert to the default view for meta keys as specified in the service index file, make sure that no keys are selected and in the toolbar, select ViewOption.png > Auto.
      ManDefMetKeyMenu.png
      When you modify the default meta keys for a non-indexed meta key, you cannot set the key to OPEN. If you change the default view for a group of meta keys to OPEN and some of the meta keys are non-indexed, the non-indexed meta keys revert to AUTO. As a result, the meta key is automatically loaded only if it is indexed, and non-indexed meta keys are CLOSED until opened manually.
  4. Select one of the views.
  5. To save the changes, click Apply.
    The meta keys displayed in the Navigate view are set to your specifications. If the default meta keys are hidden, values for the meta keys are not shown in the investigation at all. If the default meta keys are closed, the values for the meta keys are not loaded by default, but you can load individual meta keys manually in the Navigate view.
You are here: Conduct an Investigation > Filter Information in the Navigate View > Manage and Apply Default Meta Keys in an Investigation

Attachments

    Outcomes