Investigate: Set Quantification Method and Sort Sequence of Meta Key Results

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Oct 24, 2017.
Version 8

You can select the way results for each meta key are quantified and sequenced in the Investigate > Navigate view.

Each meta key section in the Investigate > Navigate view contains an ordered list of values showing each meta key value (Value) and its count (Total). You can specify whether:

  • The results in each meta key section are sorted based on Value or Total.
  • The results are sorted in ascending or descending order.
  • The values shown for each meta key are quantified by number of packets (Packet Count), number of sessions or logs (Quantify by Event Count) or by the size of events (Quantify by Event Size).

Note: If you are viewing metadata from both a log decoder and a packet decoder, what is actually counted depends on the type of key. If you select Quantify by Packet Count while looking at logs, the Navigate view output is the same as if you had selected Quantify by Event Count (see Navigate View for details).

This image shows the Event Type meta key presented in order by Total in Descending order. The value with the greatest count of matches is presented first. The value failure audit has 71 matches and is listed first. The value logon has only one match and is presented last. The quantification method is Event Count.

This image shows the Event Type meta key presented in order by Value in Descending order. The value names are presented in alphabetical order starting at the end of the alphabet. The value success audit is listed first. The value connect is presented last. The quantification method is Event Count.

Meta key in order descending alphabetically

To select how meta key counts are quantified and how meta key results are ordered in the Navigate view:

  1. In the toolbar, select Event Count, Event Size, or Packet Count and choose one of the quantification options in the drop-down menu. The label for the menu displays the selected option.
    Quantification Menu
    The current view is reloaded according to your selection.
  2. In the toolbar, select Total or Value and choose one of the ordering methods in the drop-down menu. The label for the menu displays the selected option.
    Order Menu
    The current view is reloaded according to your selection.
  3. In the toolbar, select Ascending or Descending and choose one of the sort order options in the drop-down menu. The label for the menu displays the selected option.
    The current view is reloaded according to your selection.
    Sort Menu
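
The three toolbar choices in the procedure above, modelled over a handful of constructed events to show how the same data ranks differently under each setting. This is an added example, not RSA code or the product's API: the sample events, the function names, the option strings, and the per-event treatment of logs under Packet Count (a simplification of the Note above) are assumptions.

```python
from collections import defaultdict

# Constructed sample events, not product output:
# (source, Event Type value, size in bytes, packet count). Logs carry no packets.
EVENTS = [
    ("log", "failure audit", 310, 0),
    ("log", "failure audit", 295, 0),
    ("log", "failure audit", 305, 0),
    ("log", "success audit", 280, 0),
    ("log", "logon", 4200, 0),
    ("packet", "connect", 1500, 12),
    ("packet", "connect", 900, 7),
]

def weight(event, method):
    """Contribution of one event to its value's Total under a quantification method."""
    source, _value, size, packets = event
    if method == "event_count":
        return 1
    if method == "event_size":
        return size
    if method == "packet_count":
        # Assumption modelling the Note: a log has no packets, so it is
        # counted as one event, exactly as under Event Count.
        return packets if source == "packet" else 1
    raise ValueError(f"unknown quantification method: {method}")

def navigate(events, method="event_count", sort_by="total", descending=True):
    """Return [(Value, Total), ...] for one meta key, ordered as selected."""
    if sort_by not in ("total", "value"):
        raise ValueError(f"unknown sort field: {sort_by}")
    totals = defaultdict(int)
    for event in events:
        totals[event[1]] += weight(event, method)
    index = 1 if sort_by == "total" else 0
    # Ties on Total are broken by Value so the ordering is deterministic.
    return sorted(totals.items(), key=lambda kv: (kv[index], kv[0]),
                  reverse=descending)

if __name__ == "__main__":
    for method in ("event_count", "event_size", "packet_count"):
        print(method, navigate(EVENTS, method))
    print("by value:", navigate(EVENTS, sort_by="value"))
```

Under Event Count the noisy failure audit value ranks first, while Event Size moves the single large logon event to the top, which is why switching quantification is worth doing before dismissing a low-count value.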