SA: Terminology

Document created by RSA Information Design and Development on Jul 27, 2016Last modified by RSA Information Design and Development on Aug 4, 2016
Version 2Show Document
  • View in full screen mode

This topic defines terminology used in Security Analytics documentation. Click a letter to navigate to a specific term.

The following tables list terminology alphabetically.


Administration moduleThe Administration module is the user interface for administering and monitoring appliances, devices, and services. When configured, appliances, devices, and services are available to other Security Analytics modules.
AlertsThe Security Analytics Alerts module is the user interface for automated ralerting functions.
Anonymised data"Data are anonymised if all identifying elements have been eliminated from a set of personal data. No element may be left in the information which could, by exercising reasonable effort, serve to re-identify the person(s) concerned. Where data have been successfully anonymised, they are no longer personal data." (Source - EU_DP_LAW_HANDBOOK) This term is defined as part of the Security Analytics data privacy solution.
anonymizationThe Privacy Technology Focus Group defines anonymization as a technology that converts clear text data into a nonhuman readable and irreversible form, including but not limited to one-way hashes and encryption techniques in which the decryption key has been discarded. This term is defined as part of the Security Analytics data privacy solution.
ArchiverThe RSA Archiver is an appliance that enables long-term log archiving by indexing and compressing log data and sending it to archiving storage. 


BrokerThe RSA Broker is an appliance and a service in the Security Analytics network. Brokers aggregate data captured by configured Concentrators, and Concentrators aggregate data from Decoders. Therefore, a Broker bridges the multiple real-time data stores held in the various Decoder/Concentrator pairs throughout the infrastructure.


capacitySecurity Analytics has a modular-capacity architecture enabled with direct-attached capacity (DACs) or storage area networks (SANs), that adapts to the organization's short-term investigation and longer-term analytic and data-retention needs.
ConcentratorThe RSA Concentrator is an appliance and service in the Security Analytics network. Concentrators index metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while also facilitating reporting and alerting.
Core DatabaseThis refers to the combination of the Packet, Meta, Session, and Index data.
Core servicesIn Security Analytics, the Core services ingest and parse data, generate meta data, and aggregate generated meta data with the raw data. The Core services are Decoder, Log Decoder, Concentrator, and Broker.


dashboardThe dashboard is the entry point for all Security Analytics modules in the web-based Security Analytics user interface, providing a portal into functions of other modules for user convenience.
DecoderThe RSA Decoder is an appliance and service in the Security Analytics network. In the Security Analytics network}}, packet data is collected using an appliance called Decoder, while the Log Decoder collects log events. The Decoder captures, parses, and reconstructs all network traffic from Layers 2 - 7, or log and event data from hundreds of devices.
downstream system and componentsAs opposed to core components, downstream systems use data stored on Core services for analytics, therefore, the operations of downstream services are dependent on Security Analytics Core services. The downstream systems are Archiver, Warehouse, ESA, Malware Analysis, Investigation, and Reporting.
drill pointA set of data that an analyst has brought into focus using queries and filters in the Investigation view.  In effect, the analyst drills into the captured data to find interesting data that may harbor harmful files or code.


Event Stream Analysis (ESA)The RSA Event Stream Analysis (ESA) appliance provides advanced stream analytics such as correlation and complex event processing at high throughputs and low latency.  It is capable of processing large volumes of disparate event data from Concentrators. ESA uses an advanced Event Processing Language that allows analysts to express filtering, aggregation, joins, pattern recognition and correlation across multiple disparate event streams.  Event Stream Analysis helps to perform powerful incident detection and alerting.
EVPEvents per second is a measure of the processing capacity for an RSA host that is consuming data.


forensics implementationIn a forensics implementation, the base Security Analytics configuration requires these components: Decoder, Concentrator, Broker, ESA, and Malware Analysis. An optional component is the Incident Management service, which resides on the ESA system and is used to prioritize alerts.


Global Audit LoggingGlobal Audit Logging provides Security Analytics auditors with consolidated visibility into user activities within Security Analytics in real-time from one centralized location. This visibility includes audit logs gathered from the Security Analytics system and the different services throughout the Security Analytics infrastructure.


hashingAn obfuscation method used to protect sensitive data.
hostA host is the machine on which a service runs. Also referred to as an appliance, a host can be a physical or virtual machine.


identifiability"An individual is identified in this information; or if an individual, while not identified, is described in this information in a way which makes it possible to find out who the data subject is by conducting further research." (Source - EU_DP_LAW_HANDBOOK) This term is used when discussing the Security Analytics data privacy solution.
Incident Management serviceThe Incident Management service resides on the ESA system and is used to prioritize alerts.
Incidents moduleThe Incidents module provides the Incident Management function in Security Analytics. The incident management function is an easy way to track the incident response process.
indexThe index is a collection of files that provides a way to look up Session IDs using meta values.
Investigation moduleThe Investigation module is the Security Analytics user interface that allows visualization and reconstruction of packets and logs captured by Security Analytics appliances.


jobs systemThe Security Analytics jobs system lets you begin a long-running task and continue using other parts of Security Analytics while the job is running. Not only can you monitor the progress of the task, but you can also receive notifications when the task has completed and whether the result was success or failure. While you are working in Security Analytics, you can open a quick view of your jobs from the toolbar.


kThere are no definitions in this section.


Live moduleThe Live module is the Security Analytics user interface to access and manage resources available to customers through the Live Content Management System.
Log DecoderA Log Decoder is a type of Decoder that collects logs rather than packets. It can collect four different log types - Syslog, ODBC, Windows eventing, and flat files.


Malware AnalysisMalware Analysis is an appliance and a colocated service in Security Analytics. The service is used for automated malware analysis and is accessible through the Investigation module.
Message DigestUses a one-way hash function to turn an arbitrary number of bytes into a fixed-length byte sequence. This is used as part of a data privacy solution.
metaMeta is shorthand for "meta items" or metadata. In Security Analytics it is used in various combinations.
meta DBThe meta database contains items of information that are extracted by a Decoder or Log Decoder from the raw data stream. Parsers, rules, or feeds can generate meta items.
Meta IDA number used to uniquely identify a meta item in the meta database.
meta itemsA Decoder ingests and parses raw data, creating meta items (metadata) in the process.
meta keyA name used to classify the type of each meta item. Common meta keys include ip.src, time, or service.
meta valueEach meta item contains a value. The value is what each parser, feed, or rule generates.
metered licensingMetered licensing is a Security Analytics licensing method based on a throughput per day of logs (SIEM) or network packets (Network Monitoring and Network Malware), combined with the separate purchase of the hardware needed to deploy the system and meet customers' retention requirements.


NextGenA term that was formerly used to describe the RSA Broker, Concentrator, Decoder, and Log Decoder. These are now known as Security Analytics Core appliances and services.


out-of-the-box trial licensingSecurity Analytics 10.5 ships with a default Trial out-of-the-box license that enables customers to use the product with full functionality for 90 days. The 90-day time period begins when the Security Analytics user interface is configured and used for the first time.
Out-of-Compliance bannersA red banner is displayed during log on if your license is expired or you have exceeded your allotted usage. You may also see a red banner if your license has internal errors. A red banner cannot be dismissed. A yellow banner is displayed during system log on if your license is approaching expiration or you are nearing your allotted usage. You can dismiss the yellow banner by clicking the Dismiss button.


Packet IDA number used to uniquely identify a packet or log in a packet database.
packet DBThe packet database contains the raw, captured data. On a Decoder, the packet database contains packets as captured from the network. Log Decoders use the packet database to store raw logs. The raw data stored in the packet database is accessible by a Packet ID, however, this ID is typically never visible to the end user.
personal data"Under EU law, personal data are defined as information relating to an identified or identifiable natural person, that is, information about a person whose identity is either manifestly clear or can at least be established by obtaining additional information."


RSA Analytics WarehouseA Hadoop-based distributed computing system, which collects, manages, and enables analytics and reporting on longer-term sets of security data, for example, months or years. The Warehouse can be made up of three or more nodes depending on the organization's analytic, archiving, and resiliency requirements. It requires a service called Warehouse Connector to collect meta and events from Decoder and Log Decoder and write them in Avro format into a Hadoop-based distributed computing system.
Reports moduleThe Reports module is the Security Analytics user interface for automated reporting functions.
rolesIn Security Analytics, roles determine what users can do. A role has permissions assigned to it and you must assign a role to each user. The user then has permission to do what the role allows.


Security Analytics Core (formerly NextGen)The following products are part of the Security Analytics Core suite: Decoder, Log Decoder, Concentrator, Broker, Archiver, Workbench.
Security Analytics ServerThe web server for reporting, investigation, administration, and other aspects of the analysts interface. Also enables reporting on data held in the Warehouse.
sensitive dataRegulatory mandates in some locations, for example the European Union (EU), require that information systems provide a means of protecting data when operating on sensitive data. Any data that could directly or indirectly depict "Who did what when?" may be considered personally identifiable or sensitive data.
serviceA service runs on a host and performs a unique function, such as collecting logs or archiving data. Security Analytics services include Archiver, Broker, Concentrator, Decoder, Event Stream Analysis, Incident Management, IPDB Extractor, Log Collector, Log Decoder, Malware Analysis, Reporting Engine, Warehouse Connector, and Workbench.
service-based licensingThis is a per-service permanent Security Analytics license that has no expiration date. Support for service-based licensing is applicable for all appliances that require a license.
sessionOn a packet Decoder, a session represents a single, logical, network stream. For example, a TCP/IP connection is one session. On a Log Decoder, each log event is one session. Each session contains references to all the Packet IDs and Meta IDs that refer to the session.
Session IDA number used to uniquely identify a session in the Session DB.
Session DBThe session database contains information that ties the packet and meta items together into sessions.
SIEM implementationIn a security information and event management (SIEM) implementation, the base Security Analytics configuration requires these components: Log Decoder, Concentrator, Broker, Event Stream Analysis (ESA), and the Security Analytics server.
subscription licensingSubscription licenses for Security Analytics are offered for a specific time period that ranges from 12 to 36 months. Once licensed, subscription licenses are non-cancellable and non-downgradeable.


Transient dataIn Security Analytics, transient data is not stored on disk. When a meta key is marked as transient in the custom index file or the Services Config view where parsers for the service are configured, the Decoder, Log Decoder does not save the meta key to disk, but holds it in memory where it can be analyzed until overwritten. 


uThere are no definitions in this section.


virtual applianceA virtual instance of a Security Analytics appliance. 


Warehouse ConnectorWarehouse Connector allows collects meta and events from Decoders and write them in Avro format into a Hadoop-based distributed computing system. You can set up Warehouse Connector as a service on existing Log Decoders or Decoders or  it can be run as a virtual appliance in your virtual environment.
Windows eventingWindows eventing pertains to Log Decoders, and refers to the Windows 2008 collection methodology and flat files can be obtained via SFTP.


zThere are no definitions in this section.
You are here: Introduction to Security Analytics > Terminology