
Investigate: Use Meta Groups to Focus on Relevant Meta Keys

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified on Sep 8, 2020. Version 20.

A meta group combines selected meta keys and meta entities into a group to show only data in which the meta keys and meta entities were found. In the Navigate view and the Version 11.5 and later Events view, you can use meta groups to filter data displayed in the Navigate view (Values panel) and the Events view (Filter Events panel). The same shared meta groups are available for use in both views. Private meta groups created in the Events view are not available for use in the Navigate view or in query profiles in the Legacy Events view.

Note: In the Navigate view and Legacy Events view, you can manually add non-indexed meta keys (or keys that are not in the index at all) to a meta group or column group. The non-indexed meta keys are fully available (manageable and displayable) in the Navigate view and Legacy Events view, but only partially (displayable in the Filter Events panel) in the Events view. The Events view (Filter Events panel) can display data for non-indexed meta keys that are already included in a meta group, but you cannot add non-indexed meta keys while you are editing a meta group. The non-indexed meta keys in a column group do not display data in a column and new non-indexed meta keys cannot be added to a column group in Events view.

With a meta group in effect during an investigation, the information in the Values panel or the Filter Events panel shows only the meta keys in the selected group. When you open a Parallel Coordinates visualization in the Navigate view, the meta keys and meta entities in a group appear as axes from left to right. It may be useful to create two versions of each custom meta group; one for analysis of meta values and one for creating a parallel coordinates chart focusing on a smaller subset of the same use case.

A fresh installation of NetWitness Platform includes built-in meta groups to help you find interesting data sets in Investigate. The built-in meta groups can be duplicated but cannot be edited or deleted. You can also create your own groups and edit a copy of a built-in group to create a custom group.

All groups in the Navigate view are shared and visible to all users of a service; you can export a group for import to any service, limited by the available meta keys for that service. In the Version 11.5 Events view Filter Events panel, you can create both shared and private custom meta groups; only the shared groups are visible and usable in the Navigate view. This section describes how to add, edit, import, export, and delete custom meta groups.

Built-In Meta Groups

RSA NetWitness Platform has built-in meta groups, prefixed with RSA, that are available immediately after installation. The built-in meta groups are useful to focus an investigation on common use cases and to support threat detection using the RSA Hunting Pack. You can copy these groups, give the copy a new name, then edit the copy. These are the built-in meta groups:

  • RSA Email Analysis includes meta keys that outline email interactions.
  • RSA Endpoint Analysis contains meta keys that provide insight on processes, files, users, and connections from NetWitness Endpoint (NWE) hosts.
  • RSA Malware Analysis includes meta keys that mark indicators of compromise in files contained in events.
  • RSA Outbound HTTP includes meta keys that provide insight into outbound web traffic.
  • RSA Outbound SSL/TLS includes meta keys that focus on encrypted web traffic.
  • RSA Query Hosts includes meta keys that encompass all the meta keys to find hosts.
  • RSA Query IPs includes meta keys that encompass all the meta keys to find IP addresses.
  • RSA Query Mail includes meta keys that encompass all the meta keys to find email.
  • RSA Query Users includes meta keys that encompass all the meta keys to find users.
  • RSA Threat Analysis includes meta keys that mark potential threats in the data set.
  • RSA User & Entity Behavior Analysis includes meta keys that encompass all the meta keys to analyze user and entity behavior.
  • RSA Web Analysis includes meta keys that mark anomalies in web traffic.

Default Meta Keys Group (Version 11.5 Events View)

The Default Meta Keys meta group is a special type of built-in meta group that consists of all the meta keys for the currently selected service, returned in alphabetical order. Unlike the other built-in meta groups, you cannot copy this group and you cannot see which keys are included when you view information in the Meta Group Details dialog; instead, a message in the Details dialog explains that the group includes all meta keys for the selected service. The Default Meta Keys group is always at the top of the list in the Meta Groups menu, as shown below.

the Meta Group menu with Default Meta Keys selected

The Default Meta Keys group is used to select meta keys shown in the Filter Events panel when no meta group has been selected and none exists in local storage. You can also select this group as you would any other group. When using the Default Meta Keys group in the Filter Events panel, only the first 30 meta keys with values are open and the remaining are closed.

Custom Meta Groups

You can create custom meta groups to support scenarios that you use frequently while working in Investigate. When an administrator adds custom meta keys manually by editing the custom index file for a service, the new meta keys become available for use in meta groups after the service is restarted. Custom meta groups can be shared or private. Shared meta groups are available globally within your organization in the Navigate view and in the Filter Events panel. If you edit a shared custom meta group, your changes are applied globally. If you delete a shared custom meta group, the group is deleted and is no longer available to any analyst. The Navigate view supports only shared groups. When you create a custom meta group in the Events view, you can choose to share it or keep it private (the default); you cannot change a shared group to private or a private group to shared.

Note: Private custom meta groups created in the Events view are not visible or usable in the Navigate view.

Icons identify the group type in the Meta Groups menu. These are examples of each type of custom meta group with the edit icon displayed at the end of the row.

a private meta group in the Meta Groups menu  example of a shared meta group in the Meta Groups menu

Dialogs for Managing Meta Groups

While the functionality of meta groups is similar in the Navigate view and the Events view, the user interface and some of the procedures are different. The following figures illustrate the (Events view) Create Meta Group dialog and the (Navigate view) Manage Meta Groups dialog.

the Create Meta Group dialog


the Manage Meta Groups dialog

Using options in the Events view Meta Groups menu (Version 11.5 and later), you can:

  • Select a meta group to apply.
  • See the details of a meta group.
  • Create, edit, and delete custom meta groups.
  • Copy and edit the copy of a built-in or custom meta group.

Using options in the Navigate view Manage Meta Groups dialog, you can do all of the above as well as import and export a meta group.

The rest of this topic provides instructions for working with meta groups in the 11.5 Events view and the Navigate view.

Work with Meta Groups in the Events View (Version 11.5 and Later)

After the upgrade to Version 11.5, all of the existing meta groups -- both built-in and custom -- are available for filtering events in the Filter Events panel. The meta group selection persists between logins unless browser cache is cleared.

View the Meta Keys in a Meta Group

To view details of a meta group:

  1. Go to Investigate > Events and click the submit query button (spyglass) to load events.
    The events for the default service and the default time range are loaded in the Events panel.
  2. To display the Filter Events panel, click the Filter button above the Events panel.
    The Filter Events panel opens to the left of the Events panel.
  3. To display the Meta Groups menu, click the Meta Groups menu title. The menu title is either Meta Group: Default Meta Keys or Meta Group: <currently selected meta group>. If this is your first visit after logging in, the Default Meta Keys group is selected; any subsequent visits use the meta group selected in the previous session unless browser cache is cleared. If the selected meta group from the previous session is deleted, the Default Meta Keys group is selected when you log in. When opened, the menu displays a list of built-in meta groups (RSA), shared custom meta groups, and your private custom meta groups. Above the list, visibility options and a filter make it easier to find a particular meta group.
    the initial view of the Meta Group menu
  4. (Optional) To control the types of meta groups that are visible in the list, use any combination of the visibility options: Private, Shared, or RSA (blue = selected, black = not selected). Initially none of the buttons are selected and all meta group types are visible. This is the same result as if all three buttons are selected. The visibility options work together with text in the Filter Meta Groups field. If the visibility option is hiding built-in groups (which include "RSA" in the group name) and you search for a name that contains "RSA," the list is empty. The figure below shows private and built-in meta groups selected and visible in the list.
    Private = display private groups that only you can manage
    Shared = display shared groups that anyone in your organization can manage
    RSA = display built-in groups that only RSA can manage
    the Private and RSA button selected
  5. (Optional) To filter the listed meta groups by name, type some text in the Filter Meta Groups field.
    The list is updated to show only the group names that contain the exact text.
  6. Hover over the meta group name and click the information icon (information icon) to see which meta keys are included in the group.
    The figure on the left shows the meta keys for the RSA Outbound HTTP meta group.
    example of the Meta Group Details dialog
  7. Do one of the following.
    1. To close the dialog, click Close.
    2. If you want to apply the meta group, click Select Meta Group.
      The dialog closes and the Filter Events panel is updated to reflect the meta keys in the selected meta group.

Select a Meta Group

  1. With the Filter Events panel open in the Version 11.5 Events view, click the Meta Groups menu title.
    The menu drops down to display a list of meta groups with a filtering option and a New Meta Group option. The list is sorted alphabetically and the name of the selected meta group is displayed in the menu label. This figure shows the menu after RSA Outbound HTTP was highlighted, but not selected.
    the initial view of the Meta Group menu
  2. Do one of the following:
    1. If the highlighted group is the one you want to apply, press ENTER.
    2. Begin typing text in the Filter Meta Groups field to search for a meta group name. As you type, the list is filtered to show only the meta group names that contain that string.
      When you see the group that you want to apply, click it or use the down or up arrow to highlight it, then press ENTER.
      The Filter Events panel is refreshed to include only meta keys in the selected meta group, and the menu title includes the selected group name. Your selection persists when you navigate away from the Events view.

    Note: If a meta key in a meta group is not part of the selected service, it does not appear in the Filter Events panel or in the Events panel.

Create a Custom Meta Group

Custom meta groups must have a unique name up to 80 characters in length, and must have at least one meta key. If any other meta group has the name you type, whether shared or private, a message informs you that you need to use a different name. The Save Meta Group button is enabled when these criteria have been met. You can adjust the order of meta keys in a group by dragging keys in the Displayed Meta Keys list.

You can also set the initial view of each meta key: Open, Closed, Hidden, or Auto (the default setting).

  • When set to Auto, the meta key is automatically loaded only if it is indexed, and non-indexed meta keys are Closed until opened manually. If you change the default view for a group of meta keys to Open and some of the meta keys are non-indexed, the non-indexed meta keys revert to Auto.
  • Open meta keys are listed in the Filter Events panel, and the values are loaded.
  • Closed meta keys are listed in the Filter Events panel, but the meta values are not loaded until you open the meta key.
  • Hidden meta keys are not listed in the Filter Events panel at all. This is useful if you are using a single meta group for multiple purposes instead of creating several meta groups; you can turn certain keys off without removing them from the meta group. You can also use the Hidden view when testing out some new keys, or to prepare a meta group with new meta keys that are not yet available on the service and would error out in the Auto, Open, or Closed state.
  1. With the Filter Events panel open in the 11.5 Events view, click the Meta Groups menu title.
    The menu drops down to display a list of meta groups with the Filter Meta Groups field at the top and the + New Meta Group option at the bottom.
    the Meta Group menu
  2. Select + New Meta Group.
    The Create Meta Group dialog is displayed.
    the Create Meta Group dialog
  3. In the Group Name field, type a unique name (maximum length of 80 characters) for the new meta group, for example, Custom Meta Group A.
  4. If you want to share the new meta group with your organization, set the Share with my organization option.
  5. To add a meta key to the meta group, select and add each meta key as follows:
    1. Type a text string in the Filter meta keys field and look for meta keys that contain that text in the Available Meta Keys list.
    2. When you see the meta key that you want to add, click the add icon circled plus icon that precedes the meta key name.
      The meta key is added to the end of the Displayed Meta Keys list. (This list is also filtered using the text you typed.) The maximum number of meta keys in a meta group is 500. If you attempt to add another meta key when 500 are already included in the Displayed Meta Keys list, a message advises you that the group has the maximum number of meta keys.
      meta key display options in the Create Meta Group dialog
  6. (Optional) Next to each meta key, choose the initial view for the meta key: Open, Closed, Hidden, or Auto.
  7. (Optional) To find and remove a meta key from the meta group, type a text string in the Filter meta keys field and look for meta keys that contain that text in the Displayed Meta Keys list. When you see the meta key that you want to remove, click the remove icon ( the Remove icon) that precedes the meta key name in the Displayed Meta Keys list.
    The meta key is moved back to the Available Meta Keys list.
  8. (Optional) To change the order of the displayed meta keys in the Displayed Meta Keys list, place the cursor over the list order icon (the list order icon). When the cursor changes to the drag and drop icon (drag and drop icon), drag the meta key up or down in the list.
  9. Do one of the following:
    1. To close the dialog without creating the custom meta group, click Cancel.
    2. To create the group, click Save Meta Group.
      The new meta group is saved. If the new group is shared, it becomes available for all analysts. If it is private, only you can use the meta group. The buttons change to Done and Select Meta Group.
  10. Do one of the following:
    1. To close the dialog, click Done.
    2. To close the dialog and select the new meta group, click Select Meta Group.
      The new group is added to the Meta Groups menu (in alphabetical order), and if you clicked Select Meta Group, the Filter Events panel is updated to show the meta keys and values in the new meta group.
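The rules in the procedure above (a unique name of at most 80 characters, 1 to 500 meta keys, an initial view of Open, Closed, Hidden, or Auto, and the fallback of Open to Auto for non-indexed keys) can be checked before you click Save Meta Group. The following Python model is an added example and is not NetWitness code; the set of indexed keys, the sample group, and the data shapes are constructed for illustration, and the Filter Events panel behaviour it reproduces is only what this page states.

```python
"""Events view 'Create Meta Group' rules, modelled in Python.

Added example (not NetWitness code). It encodes only the constraints stated
on this page: a unique name of at most 80 characters, 1 to 500 meta keys,
an initial view of Open, Closed, Hidden or Auto, and the rule that a
non-indexed key requested as Open falls back to Auto. The service's indexed
key set below is constructed for illustration.
"""
from dataclasses import dataclass

MAX_NAME_LEN = 80
MAX_KEYS = 500
VIEWS = ("Open", "Closed", "Hidden", "Auto")

# Constructed stand-in for the selected service's index: which keys are indexed.
INDEXED_KEYS = frozenset({"ip.src", "ip.dst", "alias.host", "service", "user.dst"})


@dataclass
class MetaKeyEntry:
    key: str
    view: str  # one of VIEWS, after the Open -> Auto fallback has been applied


@dataclass
class MetaGroup:
    name: str
    entries: list  # ordered: the Displayed Meta Keys order
    shared: bool = False  # private is the default in the Events view


def stored_view(key: str, requested: str, indexed) -> str:
    """Initial view actually saved for a key: Open on a non-indexed key reverts to Auto."""
    if requested not in VIEWS:
        raise ValueError(f"unknown view {requested!r}; expected one of {VIEWS}")
    if requested == "Open" and key not in indexed:
        return "Auto"
    return requested


def panel_state(entry: MetaKeyEntry, indexed) -> str:
    """How the Filter Events panel treats the key when the group is applied:
    Auto loads values only for indexed keys and leaves non-indexed keys closed."""
    if entry.view == "Auto":
        return "Open" if entry.key in indexed else "Closed"
    return entry.view


def validate(name: str, keys, existing_names) -> list:
    """Return the reasons the Save Meta Group button would stay disabled (empty if none)."""
    problems = []
    if not name.strip():
        problems.append("a group name is required")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name longer than {MAX_NAME_LEN} characters")
    if name in existing_names:  # shared and private names share one namespace
        problems.append(f"a meta group named {name!r} already exists")
    if not keys:
        problems.append("at least one meta key is required")
    if len(keys) > MAX_KEYS:
        problems.append(f"more than {MAX_KEYS} meta keys")
    if len(set(keys)) != len(keys):
        problems.append("a meta key is listed more than once")
    return problems


def create_group(name, requested, existing_names, indexed=INDEXED_KEYS, shared=False):
    """Build a group from [(key, requested_view), ...] in display order, or raise."""
    keys = [k for k, _ in requested]
    problems = validate(name, keys, existing_names)
    if problems:
        raise ValueError("; ".join(problems))
    entries = [MetaKeyEntry(k, stored_view(k, v, indexed)) for k, v in requested]
    return MetaGroup(name, entries, shared)


def filter_panel(group: MetaGroup, indexed=INDEXED_KEYS) -> list:
    """(key, state) rows the Filter Events panel would list; Hidden keys are omitted."""
    return [(e.key, panel_state(e, indexed)) for e in group.entries if e.view != "Hidden"]
```

The same checks apply when you edit a group in the Meta Group Details dialog; the model keeps the list order because that order is what the panel displays.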

Delete a Custom Meta Group

You can delete any custom meta group, shared or private, that is not currently applied in the Events list and not used in a query profile. When you click the Delete button, a confirmation message allows you to confirm or cancel the deletion. If a meta group is being used in a query profile, the Delete button is disabled and a message identifies the query profile in which the meta group is used. The built-in meta groups are read only, and cannot be deleted.

Caution: When you delete a shared meta group, the effect is global and the group is no longer available to any analyst.

To delete a custom meta group:

  1. With the Filter Events panel open in the 11.5 Events view, click the Meta Group menu title.
    The menu drops down to display a list of meta groups with the Filter Meta Groups field at the top and the + New Meta Group option at the bottom.
    the Meta Group menu
  2. Highlight the custom meta group that you want to delete and click the edit icon (the edit icon) to the right of the name.
    The Meta Group Details dialog opens with the details for the selected group displayed.
    the Meta Group Dialog with the cloned group open for editing
  3. Click the delete group icon (CGDeleteIcon).
    If the meta group is currently in effect, the following message is displayed: This meta group cannot be deleted because it is currently active.
    In Version 11.5, a confirmation message gives you the opportunity to confirm or cancel the deletion. Click Cancel or Delete Meta Group.
    The group is deleted and removed from the Meta Group menu. The meta group no longer appears anywhere for any analyst working in Investigate.

Edit a Custom Meta Group

You can edit a shared custom meta group, your own private meta group, or a copy of a built-in meta group.

  1. With the Filter Events panel open in the 11.5 Events view, click the Meta Group menu title and highlight the meta group that you want to edit. This figure shows the private meta group RSA Outbound HTTP-1 highlighted, with the edit icon displayed to the right.
    a meta key selected for editing
  2. Click the edit icon (the edit icon).
    The Meta Group Details dialog is displayed so that you can edit the Group Name and Displayed Meta Keys. You can add or delete meta keys and rearrange the order of the meta keys in the list.
    the Meta Group Dialog with the cloned group open for editing
  3. (Optional) In the Group Name field, edit the name of the meta group.
  4. (Optional) To add a meta key to the meta group, select and add each meta key as follows:

    1. Type a text string in the Filter meta keys field and look for meta keys that contain that text in the Available Meta Keys list. Or just scroll through the list to find the meta key. For example, type port in the Filter meta keys field.
      Filtering on port in the Meta Group Details dialog
    2. When you see the meta key that you want to add, click the add icon circled plus icon that precedes the meta key name.
  5. (Optional) To find and remove a meta key from the meta group, type a text string in the Filter meta keys field to look for meta keys that contain that text in the Displayed Meta Keys list, or simply scroll through the list. When you see the meta key that you want to remove, click the remove icon (the Remove icon) that precedes the meta key name in the Displayed Meta Keys list.
    The meta key is moved back to the Available Meta Keys list.
  6. (Optional) To change the order of the displayed meta keys in the Displayed Meta Keys list, place the cursor over the list order icon (the list order icon). When the cursor changes to the drag and drop icon (drag and drop icon), drag the meta key up or down in the list.
    The following figure has an added meta key (capture.port) that was moved to the first position.
    an edited meta group before saving changes
  7. Do one of the following:
    1. To close the dialog without saving the changes to the custom meta group, click Reset.
    2. To save the edits to the meta group, click Update Meta Group.
      The updated meta group is saved, and the dialog is closed.

Copy a Meta Group (Version 11.5 and Later)

You can copy any meta group, built-in or custom, shared or private, as long as it does not have unsaved edits in progress. This is useful when you want a customized version of a built-in group. Also since you cannot change a custom group from private to shared or from shared to private, creating a copy allows you to select a different Sharing setting. When you copy a meta group, the same name is used with a number appended. For example, if you copy RSA Outbound HTTP twice, the first copy is named RSA Outbound HTTP-1, and a second copy is named RSA Outbound HTTP-2. After you copy the group, you can edit the copy to give it a new name and manage meta keys in the group.

Note: Some meta groups created in the Legacy Events view may have more than 500 meta keys, which is above the limit for meta groups in the Events view. If you copy a group with more than 500 meta keys, you must remove the excess meta keys when you edit the copy.

To copy a meta group:

  1. With the Filter Events panel open in the 11.5 Events view, click the Meta Group menu title.
    The menu drops down to display a list of meta groups.
  2. Highlight the meta group that you want copy.
    If you highlighted a built-in meta group, the information icon (information icon) is displayed to the right. If you highlighted a custom meta group, the edit icon (the edit icon) is displayed to the right. This figure shows RSA Outbound HTTP highlighted.
    the Meta Group menu
  3. Do one of the following:
    1. Click the information icon (information icon).
    2. Click the edit icon (the edit icon).
      The Meta Group Details dialog is displayed. This figure shows the dialog for a built-in group.
      the Meta Group Details dialog
  4. Click the Copy icon (the Copy icon).
    The Copy Meta Group dialog is displayed with a -n appended to the original meta group name.
    the Copy Meta Group dialog
  5. (Optional) In the Group Name field, edit the name of the meta group.
  6. If you want to share the new meta group with your organization, set the Share with my organization option. By default the new group is private.
  7. Do one of the following:
    1. To close the dialog without copying the group, click Cancel.
    2. To save the copy of the meta group, click Save Meta Group.
      The copy of the meta group is saved, and the Meta Group Details dialog for the copied group is displayed.
      the Meta Group Dialog with the cloned group open for editing
  8. Do one of the following:
    1. To close the dialog without editing, click Close.
    2. To close the dialog and select the copy of the meta group, click Select Meta Group.
      The group is added to the Meta Group menu. The figure below has a private copy of the RSA Outbound HTTP meta group.
      the Meta Group menu with a private clone of RSA Outbound HTTP-1
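The naming and sharing rules from the copy procedure above, as an added Python example that is not NetWitness code. The page shows two successive copies of RSA Outbound HTTP named RSA Outbound HTTP-1 and RSA Outbound HTTP-2; choosing the smallest unused suffix is this example's assumption, as is the dictionary shape used for a group. Default Meta Keys is treated as the one group that cannot be copied, and a copy of a legacy group with more than 500 keys is flagged rather than silently truncated, because the page says you must remove the excess keys yourself.

```python
"""Copy rules for 'Copy a Meta Group', modelled in Python.

Added example, not NetWitness code. Picking the smallest unused '-n'
suffix is an assumption (the page only shows -1 then -2 for two
successive copies). The group dictionaries are a constructed shape.
"""
MAX_KEYS = 500
DEFAULT_GROUP = "Default Meta Keys"


def next_copy_name(base: str, existing_names) -> str:
    """'<base>-n' with the smallest n not already taken by another group."""
    n = 1
    while f"{base}-{n}" in existing_names:
        n += 1
    return f"{base}-{n}"


def copy_group(source: dict, existing_names, share: bool = False, editing: bool = False) -> dict:
    """Return the copy that the Copy Meta Group dialog would save.

    The copy is private unless share=True, is never marked built-in, keeps
    the key order, and carries an 'excess_keys' count so that a legacy group
    with more than 500 keys is flagged: it must be trimmed in the Meta Group
    Details dialog before it can be saved again.
    """
    if source["name"] == DEFAULT_GROUP:
        raise ValueError(f"{DEFAULT_GROUP!r} cannot be copied")
    if editing:
        raise ValueError("finish or discard the unsaved edits before copying")
    return {
        "name": next_copy_name(source["name"], existing_names),
        "builtin": False,
        "shared": share,
        "keys": list(source["keys"]),
        "excess_keys": max(0, len(source["keys"]) - MAX_KEYS),
    }
```

Because a shared group cannot later be made private (or the reverse), the share flag is decided at copy time; that is the one place in the procedure where the choice is made.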

Work with Meta Groups in the Navigate View

Create a Meta Group and Add Meta Keys

  1. While investigating a service in the Navigate view, select Meta > Manage Meta Groups in the toolbar.
    The Manage Meta Groups dialog is displayed. Initially only built-in groups are configured for a service and listed under Group Name. If other custom groups have been configured, they are also listed under Group Name.
    the Manage Meta Groups dialog
  2. In the toolbar at the top of the Meta Groups list, click Add Icon.
    The form to the right opens for editing.
    Manage Meta Groups dialog ready to create a New Meta Group
  3. Type a name for the new meta group in the Name field.
  4. In the Meta Keys toolbar, click Add Icon.
    The Available Meta Keys dialog is displayed, with keys in alphabetical order.
    the Available Meta Keys dialog
  5. To filter the list of meta keys, type a word or phrase in the Filter field and press Enter.
    The list displays matching meta keys based on a case-insensitive search. Delete the filter text and press Enter to remove the filter.
  6. Select the checkbox next to each meta key that you want to include in the meta group, or select the checkbox in the title bar to select all meta keys, and then click Add.
    The selected meta keys are added to the meta keys list.
  7. (Optional) If you want to change the order in which the meta keys load and are listed in an investigation, click and drag one or more meta keys to a new position.
  8. To finish creating the meta group do one of the following:
    1. To save the meta group, click Save.
      The group is created and available for use.
    2. To save and apply the meta group to the current Investigation view, click Save and Apply.
      The group is created and applied immediately to the current Investigation view.
  9. Click Close.

Copy and Edit a Meta Group

If you want to customize a built-in meta group, you need to duplicate the group and then edit the duplicate.

  1. Select a built-in meta group from the Manage Meta Groups list and click the Duplicate icon.
    The form to the right opens for editing with all of the meta keys as they are in the built-in group.
    Manage Meta Groups dialog with form open to select meta keys
  2. Enter a name for the new group and continue editing as described in "Edit a Custom Meta Group" below.

Edit a Custom Meta Group

  1. Select a custom group from the Meta Groups list.
    The form to the right opens for editing.
    a meta group open for editing in the Manage Meta Groups dialog
  2. (Optional) Edit the Name of the group.
  3. (Optional) Add new meta keys, as described above in "Create a Meta Group and Add Meta Keys."
  4. (Optional) To set the order for the keys, drag and drop one or more keys.
  5. (Optional) To change the initial view of a meta key, click View Options and choose one of the possible views.
    When you modify the meta group, you cannot set a non-indexed key to OPEN. If you change the default view for a group of meta keys to OPEN and some of the meta keys are non-indexed, the non-indexed meta keys revert to AUTO. As a result, a meta key is automatically loaded only if it is indexed, and non-indexed meta keys are CLOSED until opened manually.
    The value for the initial view is displayed in the View column.
  6. To save the changes, click Save.
  7. To apply the changes to the current Navigate view, click Save and Apply.

Delete a Meta Group

  1. In the Meta Groups list, select the group to be removed.
  2. Click Delete.
    A confirmation dialog provides an opportunity to cancel or complete the request.
  3. Click Yes.
    The meta group is deleted. When you close the window, if the deleted group was the currently applied meta group, it is removed and the default meta keys are used to build the view.

Export a Meta Group

User-defined meta groups are created on individual services. To make meta groups available to another service, you must export them to your local file system. To export one or more meta groups:

  1. In the Meta Groups list, select one or more groups to be exported.
  2. Click Export.
    The selected groups are downloaded to your local file system as a MetaGroups.jsn file. Every download of meta groups has the same name with a numeral appended to avoid overwriting previous downloads.

Import a Meta Group

To make user-defined meta groups from another service available to the currently investigated service, you must import the MetaGroups.jsn file from the local file system. When you import meta groups, an error message is displayed if any of the groups are already present. To import a group that is a duplicate, you must first delete the existing group. If you want to delete a meta group, it cannot be in use by a profile.

To import meta groups:

  1. In the toolbar above the Meta Groups list, click Import.
    The selection dialog is displayed.
    Meta Group Import
  2. Click Browse and navigate to the directory on your local file system where the downloaded MetaGroups.jsn files are stored. Select a file and click Open.
    The filename is displayed in the Upload File field.
  3. Click Upload.
    The upload process begins, and a message indicates that the upload was successful. The meta groups are added to Meta Group list. If the file is a duplicate of an existing meta group, a dialog tells you that the meta group already exists.
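The export and import rules described in the two procedures above, as an added Python example that is not NetWitness code. The layout of MetaGroups.jsn is not shown on this page, so the JSON shape used here (a list of objects with name and keys) is an assumption, as are the sample groups, the target service's key list, and the query-profile references. The model covers the three rules the page states: a group that already exists on the target service is rejected and must be deleted first, a group still used by a query profile cannot be deleted, and meta keys the target service lacks simply do not appear there.

```python
"""Navigate view meta group export/import, modelled in Python.

Added example, not NetWitness code. The JSON shape, sample groups, target
service key list and profile references are all constructed assumptions;
the real MetaGroups.jsn layout is not documented on this page.
"""
import json

# Constructed stand-in for a MetaGroups.jsn file exported from another service.
EXPORTED_FILE = json.dumps([
    {"name": "Outbound DNS Review", "keys": ["ip.src", "ip.dst", "alias.host", "dns.querytype"]},
    {"name": "Auth Review", "keys": ["user.dst", "ip.src", "event.cat.name"]},
])


def export_groups(groups: list, names) -> str:
    """Serialise the selected groups, preserving their key order."""
    chosen = [g for g in groups if g["name"] in names]
    missing = set(names) - {g["name"] for g in chosen}
    if missing:
        raise KeyError(f"no such meta group(s): {sorted(missing)}")
    return json.dumps(chosen)


def delete_group(groups: list, name: str, profiles: dict) -> list:
    """Delete a user-defined group unless a query profile still references it."""
    users = [p for p, grp in profiles.items() if grp == name]
    if users:
        raise ValueError(f"{name!r} is used by query profile(s) {users}; remove it there first")
    return [g for g in groups if g["name"] != name]


def import_groups(file_text: str, target_groups: list, target_keys) -> tuple:
    """Add the groups in an exported file to the target service.

    Returns (new_group_list, report). A group whose name already exists on
    the target is skipped and reported as a duplicate (delete the existing
    group first, then import again). Keys the target service does not have
    are reported but kept in the group, since the page says such keys just
    do not appear in the Navigate view on that service.
    """
    existing = {g["name"] for g in target_groups}
    target_keys = set(target_keys)
    merged = list(target_groups)
    report = {"imported": [], "duplicates": [], "unknown_keys": {}}
    for group in json.loads(file_text):
        if group["name"] in existing:
            report["duplicates"].append(group["name"])
            continue
        unknown = [k for k in group["keys"] if k not in target_keys]
        if unknown:
            report["unknown_keys"][group["name"]] = unknown
        merged.append({"name": group["name"], "keys": list(group["keys"])})
        existing.add(group["name"])
        report["imported"].append(group["name"])
    return merged, report
```

Run the report before you rely on an imported group: a group whose keys are mostly unknown to the target service will look empty in the Values panel even though the import succeeded.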
