Investigate: Manage Meta Groups

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Oct 24, 2017. Version 9.
A meta group combines selected meta keys into a group to show only data in which the meta keys were found. In the Investigate > Navigate view, you can use meta groups to filter data displayed in an investigation. A fresh installation of NetWitness Suite includes out-of-the-box (OOTB) meta groups that RSA content developers have developed to help you find interesting data sets in Investigate. The OOTB meta groups are prefixed with RSA for identification and can be duplicated but cannot be edited or deleted. You can create your own groups and you can duplicate and edit an OOTB group to create a custom group.

With a meta group in effect during an investigation, the information in the Values panel shows only the meta keys in the selected group. When you open a Parallel Coordinates visualization, the meta keys in a group appear as axes from left to right. It may be useful to create two versions of each custom meta group; one for analysis of meta values and one for creating a parallel coordinates chart focusing on a smaller subset of the same use case.

Custom meta groups are visible to all users of a service and may be exported for import to any service, limited by the available meta keys for that service.

Note: When an administrator adds custom meta groups manually by editing the custom index file for a service, the new groups become available to Investigation after the service is restarted.

This section describes how to add, edit, import, export, and delete custom meta groups to be used during navigation on a specific service.

Out-of-the-Box Meta Groups

The OOTB meta groups are built into RSA NetWitness Suite. The default meta groups are useful for focusing an investigation on common use cases and for supporting threat detection with the RSA Hunting Pack.

These are the OOTB meta groups:

  • RSA Email Analysis includes meta keys that outline email interactions.
  • RSA Endpoint Analysis contains meta keys that provide insight on processes, files, users, and connections from NetWitness Endpoint (NWE) hosts.
  • RSA Malware Analysis includes meta keys that mark indicators of compromise in files contained in events.
  • RSA Outbound HTTP includes meta keys that provide insight into outbound web traffic.
  • RSA Outbound SSL/TLS includes meta keys that focus on encrypted web traffic.
  • RSA Query Hosts includes meta keys that encompass all the meta keys to find hosts.
  • RSA Query IPs includes meta keys that encompass all the meta keys to find IP addresses.
  • RSA Query Mail includes meta keys that encompass all the meta keys to find email.
  • RSA Query Users includes meta keys that encompass all the meta keys to find users.
  • RSA Threat Analysis includes meta keys that mark potential threats in the data set.
  • RSA Web Analysis includes meta keys that mark anomalies in web traffic.

Create a Meta Group and Add Meta Keys

  1. While investigating a service in the Investigate > Navigate view, select Meta > Manage Meta Groups in the toolbar.
    The Manage Meta Groups dialog is displayed. Initially only OOTB groups are configured for a service and listed under Group Name. If other custom groups have been configured, they are also listed under Group Name.
    Manage Meta Groups Dialog
  2. In the grid toolbar, click the Add icon.
    A new row is inserted at the top of the Meta Groups grid.
  3. Type a name for the new meta group, and press Enter.
    The form to the right opens for editing.
    New Meta Group
  4. (Optional) If you want to change the name of the meta group, type a new value in the Name field.
  5. In the Meta Keys toolbar, click the Add icon.
    The Available Meta Keys dialog is displayed, with keys in alphabetical order.
    Available Meta Keys
  6. To filter the list of meta keys, type a word or phrase in the Filter field and press Enter.
    The list displays matching meta keys based on a case-insensitive search. Delete the filter text and press Enter to remove the filter.
  7. To select meta keys to include in the meta group, click the checkboxes. To select all meta keys, click the checkbox in the title bar and click Add.
    The selected meta keys are added to the meta keys list.
  8. (Optional) If you want to change the order in which the meta keys load and are listed in an investigation, click and drag one or more meta keys to a new position.
  9. To finish creating the meta group, do one of the following:
    1. To save the meta group, click Save.
      The group is created and available for use.
    2. To save and apply the meta group to the current Investigation view, click Save and Apply.
      The group is created and applied immediately to the current Investigation view.
  10. Click Close.

Duplicate and Edit an Out-of-the-Box Meta Group

If you want to customize an OOTB meta group, you need to duplicate the group and then edit the duplicate.

  1. Select an OOTB meta group from the Meta Groups grid and click .
    The form to the right opens for editing with all of the meta keys as they are in the OOTB group.
  2. Enter a name for the new group and continue editing as described in "Edit a Meta Group" below.

Edit a Meta Group

  1. Select a group from the Meta Groups grid.
    The form to the right opens for editing.
    Edit Meta Group
  2. (Optional) Edit the Name of the group.
  3. (Optional) Add new meta keys, as described above in Create a Meta Group and Add Meta Keys.
  4. (Optional) To set the order for the keys, drag and drop one or more keys.
  5. (Optional) To change the initial view of a meta key, click View Options and choose one of the possible views.
    When you modify the meta group, you cannot set the key to OPEN. If you change the default view for a group of meta keys to OPEN and some of the meta keys are non-indexed, the non-indexed meta keys revert to AUTO. As a result, the meta key is automatically loaded only if it is indexed, and non-indexed meta keys are CLOSED until opened manually.
    The value for the initial view is displayed in the View column.
  6. To save the changes, click Save.
  7. To apply the changes to the current Navigation view, click Save and Apply.

Delete a Meta Group

  1. In the Meta Groups grid, select the group to be removed.
  2. Click Delete.
    A confirmation dialog provides an opportunity to cancel or complete the request.
  3. Click OK.
    The meta group is deleted. When you close the window, if the deleted group was the currently applied meta group, it is removed and the default meta keys are used to build the view.

Export a Meta Group

User-defined meta groups are created on individual services. To make meta groups available to another service, you must export them to your local file system. To export one or more meta groups:

  1. In the Meta Groups grid, select one or more groups to be exported.
  2. Click Export.
    The selected groups are downloaded to your local file system as a MetaGroups.jsn file. Every download of meta groups has the same name with a numeral appended to avoid overwriting previous downloads.

Import a Meta Group

To make user-defined meta groups from another service available to the currently investigated service, you must import the MetaGroups.jsn file from the local file system. When you import meta groups into NetWitness Suite, NetWitness Suite displays an error message if any of the groups are already present. To import a group that is a duplicate, you must first delete the existing group. If you want to delete a meta group, it cannot be in use by a profile.

To import meta groups:

  1. In the Meta Groups grid, select a file to import and click Import.
    The selection dialog is displayed.
    Meta Group Import
  2. Click Browse and navigate to the directory on your local file system where the downloaded MetaGroups.jsn files are stored. Select a file and click Open.
    The filename is displayed in the Upload File field.
  3. Click Upload.
    The upload process begins, and a message indicates that the upload was successful. The meta groups are added to the Meta Groups grid. If the file contains a duplicate of an existing meta group, a dialog tells you that the meta group already exists.