
Investigate: Manage Meta Groups

Document created by RSA Information Design and Development Employee on Sep 18, 2017. Last modified by RSA Information Design and Development Employee on Jan 30, 2020.
Version 19

A meta group combines selected meta keys and meta entities into a group to show only data in which the meta keys and meta entities were found. In the Navigate view, you can use meta groups to filter data displayed in the Navigate view Values panel. A fresh installation of NetWitness Platform includes built-in meta groups to help you find interesting data sets in Investigate. The built-in meta group names are prefixed with RSA for identification and can be duplicated but cannot be edited or deleted. You can create your own groups, and you can duplicate and edit a built-in group to create a custom group.

With a meta group in effect during an investigation, the information in the Values panel shows only the meta keys in the selected group. When you open a Parallel Coordinates visualization, the meta keys and meta entities in a group appear as axes from left to right. It may be useful to create two versions of each custom meta group: one for analysis of meta values and one for creating a parallel coordinates chart focusing on a smaller subset of the same use case.

Custom meta groups are visible to all users of a service and may be exported for import to any service, limited by the available meta keys for that service.

Note: When an administrator adds custom meta groups manually by editing the custom index file for a service, the new groups become available to Investigate after the service is restarted.

This section describes how to add, edit, import, export, and delete custom meta groups to be used during navigation on a specific service.

Built-In Meta Groups

RSA NetWitness Platform has built-in meta groups that are available immediately after installation. The built-in meta groups are useful to focus an investigation on common use cases and to support threat detection using the RSA Hunting Pack. These are the built-in meta groups:

  • RSA Email Analysis includes meta keys that outline email interactions.
  • RSA Endpoint Analysis contains meta keys that provide insight on processes, files, users, and connections from NetWitness Endpoint (NWE) hosts.
  • RSA Malware Analysis includes meta keys that mark indicators of compromise in files contained in events.
  • RSA Outbound HTTP includes meta keys that provide insight into outbound web traffic.
  • RSA Outbound SSL/TLS includes meta keys that focus on encrypted web traffic.
  • RSA Query Hosts includes meta keys that encompass all the meta keys to find hosts.
  • RSA Query IPs includes meta keys that encompass all the meta keys to find IP addresses.
  • RSA Query Mail includes meta keys that encompass all the meta keys to find email.
  • RSA Query Users includes meta keys that encompass all the meta keys to find users.
  • RSA Threat Analysis includes meta keys that mark potential threats in the data set.
  • RSA User & Entity Behavior Analysis includes meta keys that encompass all the meta keys to analyze user and entity behavior.
  • RSA Web Analysis includes meta keys that mark anomalies in web traffic.

Create a Meta Group and Add Meta Keys

  1. While investigating a service in the Navigate view, select Meta > Manage Meta Groups in the toolbar.
    The Manage Meta Groups dialog is displayed. Initially only built-in groups are configured for a service and listed under Group Name. If other custom groups have been configured, they are also listed under Group Name.
  2. In the toolbar at the top of the Meta Groups list, click the Add icon.
    The form to the right opens for editing.
  3. Type a name for the new meta group in the Name field.
  4. In the Meta Keys toolbar, click the Add icon.
    The Available Meta Keys dialog is displayed, with keys in alphabetical order.
  5. To filter the list of meta keys, type a word or phrase in the Filter field and press Enter.
    The list displays matching meta keys based on a case-insensitive search. Delete the filter text and press Enter to remove the filter.
  6. To select individual meta keys to include in the meta group, select the checkboxes. To select all meta keys, select the checkbox in the title bar and click Add.
    The selected meta keys are added to the meta keys list.
  7. (Optional) If you want to change the order in which the meta keys load and are listed in an investigation, click and drag one or more meta keys to a new position.
  8. To finish creating the meta group, do one of the following:
    1. To save the meta group, click Save.
      The group is created and available for use.
    2. To save and apply the meta group to the current Investigation view, click Save and Apply.
      The group is created and applied immediately to the current Investigation view.
  9. Click Close.

Duplicate and Edit a Built-In Meta Group

If you want to customize a built-in meta group, you need to duplicate the group and then edit the duplicate.

  1. Select a built-in meta group from the Manage Meta Groups list and click the Duplicate icon.
    The form to the right opens for editing with all of the meta keys as they are in the built-in group.
  2. Enter a name for the new group and continue editing as described in "Edit a Meta Group" below.

Edit a Meta Group

  1. Select a group from the Meta Groups list.
    The form to the right opens for editing.
  2. (Optional) Edit the Name of the group.
  3. (Optional) Add new meta keys, as described above in "Create a Meta Group and Add Meta Keys."
  4. (Optional) To set the order for the keys, drag and drop one or more keys.
  5. (Optional) To change the initial view of a meta key, click View Options and choose one of the possible views.
    When you modify the meta group, you cannot set the key to OPEN. If you change the default view for a group of meta keys to OPEN and some of the meta keys are non-indexed, the non-indexed meta keys revert to AUTO. As a result, the meta key is automatically loaded only if it is indexed, and non-indexed meta keys are CLOSED until opened manually.
    The value for the initial view is displayed in the View column.
  6. To save the changes, click Save.
  7. To apply the changes to the current Navigate view, click Save and Apply.

Delete a Meta Group

  1. In the Meta Groups list, select the group to be removed.
  2. Click Delete.
    A confirmation dialog provides an opportunity to cancel or complete the request.
  3. Click Yes.
    The meta group is deleted. When you close the window, if the deleted group was the currently applied meta group, it is removed and the default meta keys are used to build the view.

Export a Meta Group

User-defined meta groups are created on individual services. To make meta groups available to another service, you must export them to your local file system. To export one or more meta groups:

  1. In the Meta Groups list, select one or more groups to be exported.
  2. Click Export.
    The selected groups are downloaded to your local file system as a MetaGroups.jsn file. Every download of meta groups has the same name with a numeral appended to avoid overwriting previous downloads.

Import a Meta Group

To make user-defined meta groups from another service available to the currently investigated service, you must import the MetaGroups.jsn file from the local file system. When you import meta groups, an error message is displayed if any of the groups are already present. To import a group that is a duplicate, you must first delete the existing group. If you want to delete a meta group, it cannot be in use by a profile.

To import meta groups:

  1. In the Meta Groups list, select a file to import and click Import.
    The selection dialog is displayed.
  2. Click Browse and navigate to the directory on your local file system where the downloaded MetaGroups.jsn files are stored. Select a file and click Open.
    The filename is displayed in the Upload File field.
  3. Click Upload.
    The upload process begins, and a message indicates that the upload was successful. The meta groups are added to the Meta Groups list. If the file is a duplicate of an existing meta group, a dialog tells you that the meta group already exists.
