RSA NetWitness® Suite Unified Data Model

Document created by Saket Bajoria (Employee) on Jan 17, 2018. Last modified by Saket Bajoria (Employee) on Feb 15, 2018. Version 48.

The NetWitness® Suite Unified Data Model (UDM) is the final piece in realizing the promise of combined insight from logs, packets and endpoints. It organizes data that enters NetWitness from disparate sources, through various collection methods, into one standardized data model, so analysts can look for a data concept in one place, as defined by the UDM. The model is intuitive and gives both analysts and content authors immediate clarity on how to use the data when writing correlation rules, reports, feeds, alerts and so on.

 

 

The Unified Data Model lists all the meta concepts available in the out-of-the-box RSA NetWitness® Suite. These keys should be used uniformly across the RSA NetWitness® Suite to get consistent results. The following illustration gives a high-level view of how raw data enters NetWitness and is transformed into meta data defined by the concepts in the Unified Data Model. (Note: this does not represent the entire NetWitness architecture; it only shows how meta flows through some of the services and which configuration files are involved in the process.)

 

 

Figure: Simplified Meta Flow in NetWitness

 

 

 

Each row of the data model carries the following columns:

Meta Class: High-level classification of meta concepts, to make the data model easier to browse.

Meta Concept: Description of the meta key.

Log Parser Key: Name of the key used in log parsers, which is mapped to the corresponding meta key in the RSA NetWitness® Suite via the Table-Map.

Log Parser Key Flag: Flag set in the Table-Map that decides whether the meta data is written to disk.

    Transient: the meta data is not saved to disk, but it is still available to application/correlation rules and feeds.

    None: the meta data is saved to disk and is available to the NetWitness Concentrator or Archiver for further storage or processing.

Meta Key: Name of the key (maximum 16 characters).

Meta Type: Type of the value, one of: Int8, UInt8, Int16, UInt16, Int32, UInt32, Int64, UInt64, UInt128, Float32, Float64, TimeT, Binary, Text, IPv4, IPv6, MAC.

Indexing: Index level configured for the key on the Concentrator.

    IndexNone: default index level; provides no indexing.

    IndexKeys: indexes at the key level, i.e. records which sessions have a value for the key but does not track the values themselves. This gives highly efficient exists / !exists queries but slower queries for other operators, such as key = 'some value'.

    IndexValues: highest indexing level. Provides the best performance for all query operators, but takes the most time to index and requires the most storage space.

Notes: How a particular key should be used, to avoid discrepancies.
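The flag, type and indexing rules above are easy to break in a hand-edited table-map or concentrator index file, and nothing on this page checks them for you. The following script is an added example, not RSA's code: it parses two constructed fragments written in the shape those files use (a `<mapping envisionName= nwName= flags= format=/>` element per parser key and a `<key name= level= format=/>` element per indexed key, both assumed here) and reports entries that violate the rules on this page: a meta key longer than 16 characters, an unknown meta type, flag or index level, a type that differs between the two files, and a Transient key that is indexed even though it is never written to disk.

```python
"""Consistency checks for NetWitness table-map and concentrator-index fragments.

Added example, not RSA's code. The XML element shapes are assumptions modelled
on table-map.xml and index-concentrator-custom.xml; the two fragments below are
constructed for this demonstration and contain deliberate mistakes.
"""
import xml.etree.ElementTree as ET

# Rules taken from the column definitions on this page.
META_TYPES = {
    "Int8", "UInt8", "Int16", "UInt16", "Int32", "UInt32", "Int64", "UInt64",
    "UInt128", "Float32", "Float64", "TimeT", "Binary", "Text", "IPv4", "IPv6", "MAC",
}
FLAGS = {"None", "Transient"}
INDEX_LEVELS = {"IndexNone", "IndexKeys", "IndexValues"}
MAX_KEY_LEN = 16

# Constructed table-map fragment: parser key -> meta key, flag, type.
TABLE_MAP_XML = """<mappings>
  <mapping envisionName="saddr" nwName="ip.src" flags="None" format="IPv4"/>
  <mapping envisionName="dport" nwName="port.dst" flags="None" format="UInt16"/>
  <mapping envisionName="hostname" nwName="alias.host" flags="None" format="Text"/>
  <mapping envisionName="password" nwName="password" flags="Transient" format="Text"/>
  <mapping envisionName="ip_proto" nwName="ip.proto" flags="None" format="Integer"/>
  <mapping envisionName="dclass_counter1_string" nwName="dclass.counter1.str" flags="None" format="Text"/>
  <mapping envisionName="sid" nwName="user.sid.dst" flags="Persist" format="Text"/>
</mappings>"""

# Constructed concentrator index fragment: which meta keys are indexed, and how.
INDEX_XML = """<language>
  <key name="ip.src" level="IndexValues" format="IPv4"/>
  <key name="port.dst" level="IndexValues" format="UInt16"/>
  <key name="password" level="IndexValues" format="Text"/>
  <key name="alias.host" level="IndexKeys" format="Text"/>
</language>"""


def parse_table_map(xml_text):
    """Return one attribute dict per <mapping> element."""
    return [dict(m.attrib) for m in ET.fromstring(xml_text).iter("mapping")]


def parse_index(xml_text):
    """Return {meta key: attribute dict} for every <key> element."""
    return {k.get("name"): dict(k.attrib) for k in ET.fromstring(xml_text).iter("key")}


def check_mappings(table_map_xml, index_xml):
    """Return a sorted list of (meta_key, problem) tuples for rule violations."""
    findings = []
    index = parse_index(index_xml)
    for mapping in parse_table_map(table_map_xml):
        key = mapping["nwName"]
        fmt = mapping.get("format", "Text")
        flag = mapping.get("flags", "None")
        if len(key) > MAX_KEY_LEN:
            findings.append((key, "key longer than 16 characters"))
        if fmt not in META_TYPES:
            findings.append((key, f"unknown meta type {fmt}"))
        if flag not in FLAGS:
            findings.append((key, f"unknown flag {flag}"))
        entry = index.get(key)
        if entry is not None:
            if flag == "Transient":
                # Transient meta never reaches disk, so the Concentrator has nothing to index.
                findings.append((key, "Transient key is indexed but never written to disk"))
            if entry.get("format") and entry["format"] != fmt:
                findings.append((key, f"index format {entry['format']} differs from table-map format {fmt}"))
    for key, entry in index.items():
        if entry.get("level") not in INDEX_LEVELS:
            findings.append((key, f"unknown index level {entry.get('level')}"))
    return sorted(findings)


if __name__ == "__main__":
    for key, problem in check_mappings(TABLE_MAP_XML, INDEX_XML):
        print(f"{key}: {problem}")
```

Run against the constructed fragments it reports four problems: dclass.counter1.str exceeds the 16-character limit (the real key is dclass.c1.str), ip.proto uses a type that is not in the UDM list, user.sid.dst carries an unknown flag, and password is indexed although it is Transient. Pointing the two parse functions at real files instead of the inline strings needs only `ET.parse(path).getroot()` in place of `ET.fromstring`.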

 

 

 

 

NetWitness uses meta keys to retain the context of the raw data after it is parsed and stored on disk. It is therefore extremely important to parse data into the most accurate meta key, so that the context needed for threat detection, analytics and response is preserved. There are over 300 concepts in NetWitness; to make the necessary ones easier to find, all meta keys are grouped into the meta classes listed in the Meta Class column of the table below.

 

 

 

 

The Unified Data Model

| Meta Class | Meta Concept | Parser Key | Meta Key | Meta Type | Indexing | Notes |
|---|---|---|---|---|---|---|
| Network | IP address v4 Generic | hostip | alias.ip | IPv4 | IndexValues | Use when the source / destination / local / remote context of an IPv4 address is not clear. |
| Network | IP address v6 Generic | hostip_v6 | alias.ipv6 | IPv6 | IndexValues | Use when the source or destination context of an IPv6 address is not clear. |
| Network | IP Address v4 Destination | daddr | ip.dst | IPv4 | IndexValues | Use only for a destination IPv4 address. |
| Network | IP Address v4 Source | saddr | ip.src | IPv4 | IndexValues | Use only for a source IPv4 address. |
| Network | IP Address v6 Destination | daddr_v6 | ipv6.dst | IPv6 | IndexValues | Use only for a destination IPv6 address. |
| Network | IP Address v6 Source | saddr_v6 | ipv6.src | IPv6 | IndexValues | Use only for a source IPv6 address. |
| Network | IP Address v4 Translated Destination | dtransaddr | dtransaddr | Text | IndexValues | Use only for a translated destination IP address. |
| Network | IP Address v4 Translated Source | stransaddr | stransaddr | Text | IndexValues | Use only for a translated source IP address. |
| Network | Hostname | hostname, devicehostname, hostid, r_hostid, workstation, web_host, web_ref_host | alias.host | Text | | Use when the source or destination context of a hostname is not clear. Also captures the device hostname: any hostname that is not ad.computer. |
| Network | Hostname Destination | dhost | host.dst | Text | IndexValues | Use only for a destination hostname. |
| Network | Hostname Source | shost | host.src | Text | IndexValues | Use only for a source hostname. |
| Network | MAC Address Generic | | alias.mac | MAC | IndexValues | Use when the source or destination context of a MAC address is not clear. |
| Network | MAC Address Source | smacaddr | eth.src | MAC | IndexValues | Use only for a source MAC address. |
| Network | MAC Address Destination | dmacaddr | eth.dst | MAC | IndexValues | Use only for a destination MAC address. |
| Network | Ethernet Type | eth_type | eth.type | UInt16 | | Captures the Ethernet type; used for Layer 3 protocols only. |
| Network | Interface Generic | interface | interface | Text | IndexValues | Use when the source or destination context of an interface is not clear. |
| Network | Interface Destination | dinterface | dinterface | Text | IndexValues | Use only for a destination interface. |
| Network | Interface Source | sinterface | sinterface | Text | IndexValues | Use only for a source interface. |
| Network | Network mask Generic | mask | mask | Text | IndexValues | Captures the device network IP mask. |
| Network | Network mask Destination | dmask | dmask | Text | IndexValues | Destination device network mask. |
| Network | Network mask Source | smask | smask | Text | IndexValues | Source network mask. |
| Network | Port Translated Destination | dtransport | dtransport | Text | IndexValues | Use only for a translated destination port number. |
| Network | Port Translated Source | stransport | stransport | Text | IndexValues | Use only for a translated source port number. |
| Network | Port Destination | dport | port.dst | UInt16 | IndexValues | Use only for a destination port. |
| Network | Port Source | sport | port.src | UInt16 | IndexValues | Use only for a source port. |
| Network | TCP responder port number | | tcp.dstport | | | Destination port for the TCP protocol. |
| Network | TCP initiator port number | | tcp.srcport | | | Source port for the TCP protocol. |
| Network | UDP initiator port number | | udp.srcport | | | Source port for the UDP protocol. |
| Network | UDP responder port number | | udp.dstport | | | Destination port for the UDP protocol. |
| Network | Protocol | ip_proto | ip.proto | Text | IndexValues | Captures the protocol number; all protocol numbers are converted to strings in the UI. |
| Network | Direction | direction | direction | Text | IndexValues | Never use in a parser; this is a reserved key the product uses to calculate the direction. |
| Network | Gateway | gateway | gateway | Text | IndexNone | Captures the IP address of the gateway. |
| Network | Vlan Number | | vlan | | | Use only for the ID of the virtual LAN. |
| Network | Vlan Name | vlan | vlan.name | Text | IndexValues | Use only for the name of the virtual LAN. |
| Network | Zone Generic | zone | zone | Text | IndexValues | Use when the source or destination context of a zone is not clear. |
| Network | Zone Destination | dst_zone | zone.dst | Text | IndexValues | Use only for a destination zone. |
| Network | Zone Source | src_zone | zone.src | Text | IndexValues | Use only for a source zone. |
| Network | Payload bytes in retransmitted packets | | rpayload | Text | IndexNone | Total number of payload bytes seen in retransmitted packets. |
| Network | ICMP Code | icmpcode | icmp.code | UInt32 | IndexNone | Captures the ICMP code only. |
| Network | ICMP Type | icmptype | icmp.type | UInt32 | IndexNone | Captures the ICMP type only. |
| Network | Network Name | | netname | Text | | Network name associated with an IP range; configured by the end user. |
| Network | Bytes Total | bytes | bytes | UInt64 | | Total number of bytes sent and received in a session. Also used when the sent/received context is not clear. |
| Network | Bytes Sent | sbytes | bytes.src | UInt64 | | Use only for the number of bytes sent. |
| Network | Bytes Received | rbytes | rbytes | UInt64 | | Use only for the number of bytes received. |
| Time | Duration | duration_string | duration.str | Text | | Text string version of the duration. |
| Time | Duration in seconds | duration | duration.time | Float64 | | Normalized duration/lifetime in seconds. |
| Time | Event Effective time | effective_time | effective.time | TimeT | | Effective time referenced by an individual event, in standard timestamp format. |
| Time | Event End time | endtime | endtime | TimeT | | End time mentioned in a session, in standard form. |
| Time | Event Queuing Time | event_queue_time | event.queue.time | TimeT | | Time at which the event was queued. |
| Time | Actual Event time | event_time | event.time | TimeT | | Time mentioned in the raw session that represents when the event actually occurred, in standard normalized form. |
| Time | Event Time String | event_time_string | event.time.str | Text | | Incomplete time mentioned in a session, as a string. |
| Time | Expiration time | expiration_time | expire.time | TimeT | | Timestamp that explicitly refers to an expiration. |
| Time | Recorded time | recorded_time | recorded.time | TimeT | | Event time as recorded by the system the event is collected from. Usage scenario: a multi-tier application whose management layer records its own timestamp when collecting from its child nodes. Must be in timestamp format. |
| Time | Start Time | starttime | starttime | TimeT | | Start time mentioned in a session, in standard form. |
| Time | Timezone | timezone | timezone | Text | | Timezone of the event time. |
| Identity | Accesses | accesses | accesses | Text | | Actual privileges used in accessing an object. |
| Identity | Authentication Method | authmethod | auth.method | Text | IndexValues | Authentication methods used only. |
| Identity | Distinguished Name | dn | dn | Text | IndexNone | X.500 (LDAP) Distinguished Name. |
| Identity | Distinguished Name Destination | dst_dn | dn.dst | Text | IndexNone | X.500 (LDAP) Distinguished Name used in a context that indicates a destination DN. |
| Identity | Distinguished Name Source | src_dn | dn.src | Text | IndexNone | X.500 (LDAP) Distinguished Name used in a context that indicates a source DN. |
| Identity | Domain ID | domain_id | domain.id | Text | | Pre-Windows 2000 (NetBIOS) name of the domain only. |
| Identity | Federated Identity Provider | federated_idp | federated.idp | Text | IndexNone | Federated identity provider: the server providing the authentication. |
| Identity | Federated Service Provider | federated_sp | federated.sp | Text | IndexNone | Federated service provider: the application requesting authentication. |
| Identity | Service Account | service_account | service.account | Text | | Windows-specific key for the name of the account that a service referenced in the event runs under. Legacy usage. |
| Identity | User Unique ID/Logon ID | uid, logon_id | user.id | Text | | Unique identifier for an account. |
| Identity | First name of a Person | user_fname | firstname | Text | IndexNone | First names only; used predominantly in healthcare to capture patient information. |
| Identity | Full Name of a Person | patient_fullname, user_fullname | fullname | Text | IndexNone | Full names only; used predominantly in healthcare to capture patient information. |
| Identity | Last name of a Person | user_lname | lastname | Text | IndexNone | Last names only; used predominantly in healthcare to capture patient information. |
| Identity | Middle name of a Person | user_mname | middlename | Text | IndexNone | Middle names only; used predominantly in healthcare to capture patient information. |
| Identity | Ldap Generic | | ldap | Text | IndexNone | Uninterpreted LDAP values that have no clear query or response context. |
| Identity | Ldap Responses | | ldap.response | Text | IndexNone | Results from an LDAP search. |
| Identity | Ldap search criteria | | ldap.query | Text | IndexNone | Search criteria from an LDAP search. |
| Identity | Passwords | | password | Text | IndexNone | Passwords seen in any session, plaintext or encrypted. |
| Identity | Realm | realm | realm | Text | | RADIUS realm or similar grouping of accounts. |
| Identity | User Profile | profile | profile | Text | IndexValues | The user profile. |
| Identity | Owner name | owner | user.owner | Text | IndexValues | Identity name of the owner of an object. Legacy usage. |
| Identity | Type of Logon | logon_type | logon.type | Text | IndexValues | Type of logon method used only. |
| Identity | User Role | user_role | user.role | Text | IndexValues | Role of a user only. |
| Identity | User's Department | user_dept | user.dept | Text | IndexNone | User's department names only. |
| Identity | User Organization | user_org | org | Text | IndexValues | The user's organization. |
| Identity | Destination User Session ID | sid | user.sid.dst | Text | IndexValues | Destination user session ID. |
| Identity | Source User Session ID | c_sid | user.sid.src | Text | IndexValues | Source user session ID. |
| Counters | Device class Counter 1 | dclass_counter1 | dclass.c1 | Int32 | IndexNone | Generic counter; use only together with its label dclass.c1.str. |
| Counters | Device class Counter 1 Description | dclass_counter1_string | dclass.c1.str | Text | IndexNone | Generic counter label; use only together with dclass.c1. |
| Counters | Device class Counter 2 | dclass_counter2 | dclass.c2 | Int32 | IndexNone | Generic counter; use only together with its label dclass.c2.str. |
| Counters | Device class Counter 2 Description | dclass_counter2_string | dclass.c2.str | Text | IndexNone | Generic counter label; use only together with dclass.c2. |
| Counters | Device class Counter 3 | dclass_counter3 | dclass.c3 | Int32 | IndexNone | Generic counter; use only together with its label dclass.c3.str. |
| Counters | Device class Counter 3 Description | dclass_counter3_string | dclass.c3.str | Text | IndexNone | Generic counter label; use only together with dclass.c3. |
| Counters | Device class Ratio 1 | dclass_ratio1 | dclass.r1 | Text | IndexNone | Generic ratio; use only together with its label dclass.r1.str. |
| Counters | Device class Ratio 1 Description | dclass_ratio1_string | dclass.r1.str | Text | IndexNone | Generic ratio label; use only together with dclass.r1. |
| Counters | Device class Ratio 2 | dclass_ratio2 | dclass.r2 | Text | IndexNone | Generic ratio; use only together with its label dclass.r2.str. |
| Counters | Device class Ratio 2 Description | dclass_ratio2_string | dclass.r2.str | Text | IndexNone | Generic ratio label; use only together with dclass.r2. |
| Counters | Device class Ratio 3 | dclass_ratio3 | dclass.r3 | Text | IndexNone | Generic ratio; use only together with its label dclass.r3.str. |
| Counters | Device class Ratio 3 Description | dclass_ratio3_string | dclass.r3.str | Text | IndexNone | Generic ratio label; use only together with dclass.r3. |
| Counters | Event Counter | event_counter | event.counter | Int32 | IndexNone | Number of times an event repeated. |
| Cryptography | Certificate Error String | cert_error | cert.error | Text | IndexNone | Certificate error string. |
| Cryptography | Certificate host category | cert_hostname_cat | cert.host.cat | Text | IndexNone | Hostname category value of a certificate. |
| Cryptography | Certificate status | cert_status | cert.status | Text | IndexNone | Certificate validation status. |
| Cryptography | Destination (Server) Cipher | d_cipher | cipher.dst | Text | IndexNone | Destination (server) cipher. |
| Cryptography | Destination (Server) Cipher size | cipher.size.dst | cipher.size.dst | Int32 | IndexNone | Destination (server) cipher size. |
| Cryptography | Source (Client) Cipher size | cipher.size.src | cipher.size.src | Int32 | IndexNone | Source (client) cipher size. |
| Cryptography | Source (Client) Cipher | cipher.src | cipher.src | Text | IndexNone | Source (client) cipher. |
| Cryptography | Cryptographic Method and Version | encryption_type | crypto | Text | IndexNone | Encryption type or encryption key only. |
| Cryptography | IKE Negotiation Phase | ike | ike | Text | IndexNone | IKE negotiation phase. |
| Cryptography | IKE Cookie 1 | ike_cookie1 | ike.cookie1 | Text | IndexNone | ID of the negotiation, sent for ISAKMP Phase One. |
| Cryptography | IKE Cookie 2 | ike_cookie2 | ike.cookie2 | Text | IndexNone | ID of the negotiation, sent for ISAKMP Phase Two. |
| Cryptography | Encryption peer's IP Address | peer | peer | Text | IndexNone | Encryption peer's IP address. |
| Cryptography | Encryption peer's identity | peer_id | peer.id | Text | IndexNone | Encryption peer's identity. |
| Cryptography | Encryption scheme used | scheme | scheme | Text | IndexNone | Encryption scheme used. |
| Cryptography | Signature Type | sigtype | sig.type | Text | IndexNone | Signature type. |
| Cryptography | Certificate signing authority | | cert.ca | | IndexNone | Certificate signing authority only. |
| Cryptography | Certificate host | | cert.common | | IndexNone | Certificate host only. |
| Cryptography | Certificate serial number | | cert.serial | | IndexNone | Certificate serial number only. |
| Cryptography | Certificate organization | | cert.subject | | IndexNone | Certificate organization only. |
| GeoIP | GeoIP Based Latitude Destination | latdec.dst | latdec.dst | Text | IndexNone | Destination latitude from the GeoIP (MaxMind) database. Reserved key; never populate it from a log or packet parser. |
| GeoIP | GeoIP Based Latitude Source | latdec.src, latdec_src | latdec.src | Text | IndexNone | Source latitude from the GeoIP (MaxMind) database. Reserved key; never populate it from a log or packet parser. |
| GeoIP | GeoIP Based Longitude Source | longdec.src, longdec_src | longdec.src | Text | IndexNone | Source longitude from the GeoIP (MaxMind) database. Reserved key; never populate it from a log or packet parser. |
| GeoIP | GeoIP Based Longitude Destination | longdec.dst | longdec.dst | Text | IndexNone | Destination longitude from the GeoIP (MaxMind) database. Reserved key; never populate it from a log or packet parser. |
| GeoIP | GeoIP Based City Destination | city.dst | city.dst | Text | IndexNone | Destination city from the GeoIP (MaxMind) database. Reserved key; never populate it from a log or packet parser. |
| GeoIP | GeoIP Based City Source | city.src | city.src | Text | IndexNone | Source city from the GeoIP (MaxMind) database. Reserved key; never populate it from a log or packet parser. |
| GeoIP | GeoIP Based Organization Destination | org.dst | org.dst | Text | IndexNone | Destination organization from the GeoIP (MaxMind) database. Reserved key; never populate it from a log or packet parser. |
| GeoIP | GeoIP Based Organization Source | org.src | org.src | Text | IndexNone | Source organization from the GeoIP (MaxMind) database. Reserved key; never populate it from a log or packet parser. |
| Database | Database Name | db_name | database | Text | | Name of a database or instance as seen in a session. |
| Database | Database ID | db_id | db.id | Text | | Unique identifier for a database. |
| Database | Database server Process ID | db_pid | db.pid | Int32 | | Process ID of a connection with the database server. |
| Database | Database instance name | instance | instance | Text | | Database server instance name. |
| Database | Index ID | index | index | Text | | Index ID of the index. |
| Database | Logical Reads | lread | lread | Int32 | | Number of logical reads. |
| Database | Logical Writes | lwrite | lwrite | Int32 | | Number of logical writes. |
| Database | Physical Reads | pread | pread | Int32 | | Number of physical reads. |
| Database | Table Name | tbl_name | table.name | Text | | Table name. |
| Database | SQL Transaction ID | trans_id | transact.id | Text | | SQL transaction ID of the current session. |
| Database | Permissions | permissions, privilege | permissions | Text | | Permission or privilege level assigned to a resource. |
| Wireless | Access Point ID | access_point | access.point | Text | | Access point name. |
| Wireless | Wifi Channel Name | wifi_channel | wlan.channel | UInt16 | | Channel names. |
| Wireless | WLAN name/number | wlan | wlan.name | Text | | WLAN number or name. |
| Wireless | SSID of a Wireless Network | ssid, bssid | wlan.ssid | Text | | SSID of a wireless session. |
| Healthcare | Patient's First Name | patient_fname | patient.fname | Text | | First names only; used predominantly in healthcare to capture patient information. |
| Healthcare | Patient Identifier | patient_id | patient.id | Text | | Unique ID for a patient. |
| Healthcare | Patient's Last Name | patient_lname | patient.lname | Text | | Last names only; used predominantly in healthcare to capture patient information. |
| Healthcare | Patient's Middle Name | patient_mname | patient.mname | Text | | Middle names only; used predominantly in healthcare to capture patient information. |
| Physical | City name | location_city | loc.city | Text | IndexNone | City name as seen in a session when the source/destination context is not clear. There is a separate key for the GeoIP-based city. |
| Physical | Country name | location_country | loc.country | Text | IndexNone | Country name as seen in a session when the source/destination context is not clear. |
| Physical | Location | location_desc | loc.desc | Text | IndexNone | Complete address, or a description, of a location referenced in a session. |
| Physical | State or province name | location_state | loc.state | Text | IndexNone | State name as seen in a session. |
| Storage | Disk Volume | disk_volume | disk.volume | Text | IndexNone | Unique name assigned to logical units (volumes) within a physical disk. |
| Storage | Logical Unit Number | lun | lun | Text | IndexNone | Logical Unit Number; a very useful concept in storage. |
| Storage | Port World Wide Name | pwwn | pwwn | Text | IndexNone | Uniquely identifies a port on an HBA. |
| Web | Country Code Top level domain | | cctld | Text | | Country-code top-level domain extracted from a URL. |
| Web | Destination Domain | ddomain | ddomain | Text | | Destination domain. |
| Web | Source Domain | c_domain, sdomain | sdomain | Text | | Source/client domain. |
| Web | Web request Domain | web_domain | web.domain | Text | | Domain name in the web request. |
| Web | DNS Response Type | | dns.responsetype | | | DNS response type only. |
| Web | DNS Response Text | | dns.resptext | | | DNS response text only. |
| Web | Fully Qualified Domain Name | fqdn | fqdn | Text | | Fully qualified domain names. |
| Web | URL Query | web_query | query | Text | | Query portion of the URL. |
| Web | Referrer URL | web_referer, referer | referer | Text | | Web referrer URL address specifically. |
| Web | Reputation Number | reputation_num | reputation.num | Float64 | | Reputation number of an entity; typically used for web domains. |
| Web | Second Level Domain | | sld | | | Second-level domain extracted from a URL. |
| Web | Top Level Domain | tld | tld | | | Top-level domain extracted from a URL. |
| Web | URL | url | url | Text | | Complete URL. |
| Web | Raw URL | url_raw | url.raw | Text | | Raw URL only. |
| Web | Web referer's hostname | | web.ref.host | Text | | Web referrer's hostname. |
| Web | Web Cookie | web_cookie | web.cookie | Text | | Web cookies specifically. |
| Web | Web referer query | web_ref_query | web.ref.query | Text | | Query portion of the web referrer URL. |
| Web | Web page | webpage | web.page | Text | | Web page information. |
| Web | Root URL Path | web_root | web.root | Text | | Root URL path. |
| Web | Web Referrer page | web_ref_page | web.ref.page | Text | | Web referrer's page information. |
| Web | Web referer Root URL Path | web_ref_root | web.ref.root | Text | | Web referrer's root URL path. |
| Web | Web referer Domain | web_ref_domain | web.ref.domain | Text | | |
| Reserved | Concentrator ID | cid | cid | Text | | Unique identifier of a NetWitness Concentrator. Reserved key; never populate it from a log or packet parser. |
| Reserved | Event Source Class | device.class | device.class | Text | | Classification of the log event source under a predefined, fixed set of event source classifications. Reserved key; never populate it from a log or packet parser. |
| Reserved | ESM Device Group | device.group | device.group | Text | | Reserved key; never populate it from a log or packet parser. |
| Reserved | Event Source HostName | device.host | device.host | Text | | Hostname of the log event source sending the logs to NetWitness. Reserved key; never populate it from a log or packet parser. |
| Reserved | Event Source IPv4 Address | device.ip | device.ip | IPv4 | | IPv4 address of the log event source sending the logs to NetWitness. Reserved key; never populate it from a log or packet parser. |
| Reserved | Event Source IPv6 Address | device.ipv6 | device.ipv6 | IPv6 | | IPv6 address of the log event source sending the logs to NetWitness. Reserved key; never populate it from a log or packet parser. |
| Reserved | Event Source Parser Name | device.type | device.type | Text | | Name of the log parser that parsed a given session. Reserved key; never populate it from a log or packet parser. |
| Reserved | Decoder ID | did | did | Text | | Unique identifier of a NetWitness Decoder. Reserved key; never populate it from a log or packet parser. |
| Reserved | Feed Category | feed.category | feed.category | Text | | Category of the feed. Reserved key; never populate it from a log or packet parser. |
| Reserved | Feed Description | feed.desc, feed_desc | feed.desc | Text | | Description of the feed. Reserved key; never populate it from a log or packet parser. |
| Reserved | Feed Name | feed_name, feed.name | feed.name | Text | | Name of the feed. Reserved key; never populate it from a log or packet parser. |
| Reserved | IP Address v4 Relay | forward.ip | forward.ip | IPv4 | | IPv4 address of a relay system that forwarded the events from the original system to NetWitness. |
| Reserved | IP Address v6 Relay | forward.ipv6 | forward.ipv6 | IPv6 | | IPv6 address of a relay system that forwarded the events from the original system to NetWitness. Reserved key; never populate it from a log or packet parser. |
| Reserved | Header ID | header.id | header.id | Text | | Header ID value that identifies the exact log parser header definition that parses a particular log session. Reserved key; never populate it from a log or packet parser. |
| Reserved | Log Collector ID | lc.cid | lc.cid | Text | IndexValues | Unique identifier of a Log Collector. Reserved key; never populate it from a log or packet parser. |
| Reserved | Log Collector Time | lc.ctime | lc.ctime | TimeT | IndexValues | Time at which a log is collected by a NetWitness Log Collector. Reserved key; never populate it from a log or packet parser. |
| Reserved | Medium | medium | medium | Text | IndexNone | Identifies whether a session is a log or a packet session, or the Layer 2 encapsulation type. Reserved key; never populate it from a log or packet parser. |
| Reserved | Raw Message | msg | msg | Text | | Raw message as it arrives at the Log Decoder. |
| Reserved | Message ID2 | vid | msg.vid | Text | IndexValues | Message ID2 value that identifies the exact log parser definition that parses a particular log session. Reserved key; never populate it from a log or packet parser. |
| Reserved | Message ID1 | msg.id, msg_id | msg.id | Text | IndexValues | Message ID1 value that identifies the exact log parser definition that parses a particular log session. Reserved key; never populate it from a log or packet parser. |
| Reserved | Parser Error | parse.error | parse.error | Text | | Special key that stores any meta key validation error found while parsing a log session. Reserved key; never populate it from a log or packet parser. |
| Reserved | Payload Size | payload | payload | | | Size of the payload in a packet session. Reserved key; never populate it from a log or packet parser. |
| Reserved | Remote Session ID | rid | rid | | | Special ID of the remote session created by the NetWitness Decoder. Reserved key; never populate it from a log or packet parser. |
| Reserved | Session ID | sessionid | sessionid | | | Special ID of the session created by the NetWitness Decoder. Reserved key; never populate it from a log or packet parser. |
| Reserved | Session Size | size | size | | | Size of the session as seen by the NetWitness Decoder. Reserved key; never populate it from a log or packet parser. |
| Reserved | Source File | | sourcefile | | | Name of the log file or PCAP imported into NetWitness. Reserved key; never populate it from a log or packet parser. |
| Reserved | Session Time | time | time | | | Time at which a session hits a NetWitness Decoder. Reserved key; never populate it from a log or packet parser. |
| Reserved | Split Session | | session.split | Text | IndexValues | Reserved key; never populate it from a log or packet parser. |
| Email | Email Generic | user_address, cc, bcc | email | Text | IndexValues | Generic email address where the source or destination context is not clear. |
| Email | Email Destination | to | email.dst | Text | IndexValues | Destination email address only; when the destination context is not clear, use email. |
| Email | Email Source | from | email.src | Text | IndexValues | Source email address only; when the source context is not clear, use email. |
| Email | Subject | subject | subject | Text | | Subject string from an email only. |
| File | File Directory | directory | directory | Text | | File directory or path only. |
| File | File Extension | web_extension, extension | extension | Text | | Extension portion of a filename, or the extension of the page that was requested. |
| File | Filename | filename | filename | Text | IndexValues | Complete filename or web page, with extension, where the directionality is not clear. Must not include the directory/path. |
| File | Filesize | filename_size | filename.size | Text | IndexValues | Size of the file only. |
| File | File Type | filetype | filetype | Text | IndexValues | Type of file only. |
| File | Attachment File | attachment | attachment | Text | | Attachment file name. |
| Miscellaneous | Action Taken | action, web_method | action | Text | | Primary action in a session. |
| Miscellaneous | Category Given by Vendor | category | category | Text | | Category of an event as given by the vendor in the session. |
| Miscellaneous | Credit Card Number | | cc.number | | | Valid credit card numbers only. |
| Miscellaneous | Change Attribute | change_attribute | change.attrib | Text | | Name of the attribute that is changing in a session. |
| Miscellaneous | Change New | change_new | change.new | Text | | New value of the attribute that is changing in a session. |
| Miscellaneous | Change Old | change_old | change.old | Text | | Old value of the attribute that is changing in a session. |
MiscellaneousChecksum/HashchecksumchecksumTextThis is used to capture the checksum or a hash of an entity
MiscellaneousChildchild_pidchild.pidInt32This key captures the Child Process ID Number
MiscellaneousClient ApplicationagentclientTextThis key is used to capture the name of the client application only
MiscellaneousCommentscommentscommentsTextComment information provided in the log message
MiscellaneousSub component Versioncomponent_versioncomp.versionTextThis key captures the Version level of a sub-component of a product. 
MiscellaneousConnection IDconnectionidconnection.idTextThis key captures the Connection ID
MiscellaneousContentcontentTextThis key captures the content type from protocol headers
MiscellaneousContent Typecontent_typecontent.typeTextThis key is used to capture Content Type only.
MiscellaneousContent Versioncontent_versioncontent.versionTextThis key captures Version level of a signature or database content.  
MiscellaneousIndex IDinfoindexThis key captures Extra event information that could not be captured into a separate meta. 
MiscellaneousContext InfocontextcontextTextThis key captures Information which adds additional context to the event.
MiscellaneousContext Subjects_contextcontext.subjectTextThis key is to be used in an audit context where the subject is the object being identified
MiscellaneousContext Targett_contextcontext.targetTextThis key is to be used in an audit context where the Target is the object being identified
MiscellaneousCPU TimecpucpuUInt32This key is the CPU time used in the execution of the event being recorded.
MiscellaneousCVEcvecveTextThis key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
MiscellaneousDispositiondispotitiondispotitionTextThis key captures the The end state of an action.
MiscellaneousDNS Query Typedns_querytypedns.querytypeThis key is used to capture the DNS Query type only
MiscellaneousDocument/File numberdoc_numberdoc.numberInt32This key captures File Identification number
MiscellaneousEmployer identification numberein.numberEmployee Identification Numbers only
MiscellaneousEvent HostNameevent_computerevent.computerTextThis key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
MiscellaneousEvent Description

event_description

detail

event.descTextIndexValueThis key is used to capture a description of an event available directly or inferred
MiscellaneousEvent Log Nameevent_logevent.logTextThis key captures the Name of the event log
MiscellaneousEvent Sourceevent_sourceevent.sourceTextThis key captures Source of the event that’s not a hostname 
MiscellaneousEvent Stateevent_stateevent.stateTextThis key captures the current state of the object/item referenced within the event. Describing an on-going event. 
MiscellaneousEvent Typeevent_typeevent.typeTextThis key captures the event category type as specified by the event source.
MiscellaneousEvent Userevent_userevent.userTextThis key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
MiscellaneousExpected Valueexpected_valexpected.valTextThis key captures the Value expected (from the perspective of the device generating the log).  
MiscellaneousFilter NamefilterfilterTextIndexNoneThis key captures Filter used to reduce result set
MiscellaneousFilter Category NumberfcatnumfcatnumTextThis key captures Filter Category Number. Legacy Usage
MiscellaneousFilter ResultfresultfresultInt32This key captures the Filter Result
MiscellaneousRegex MatchfoundThis key is for regex match name from search.ini
MiscellaneousGroup NamegroupgroupTextThis key captures the Group Name value
MiscellaneousGroup IDgroupidgroup.idTextThis key captures Group ID Number (related to the group name)
MiscellaneousGroup Objectgroup_objectgroup.objectTextThis key captures a collection/grouping of entities. Specific usage
MiscellaneousHardware/Serial IDhardware_idhardware.idTextIndexNoneThis key is used to capture unique identifier for a device or system (NOT a Mac address)
MiscellaneousAdditional InfoinfoinfoThis key captures  Additional/Extra event information that could not be captured into a separate column. 
MiscellaneousJob Numberjobnumjob.numTextThis key captures the Job Number
MiscellaneousLifeTimelifetimeThis key is used to capture the  session lifetime in seconds.
MiscellaneousLink to another SessionlinkTextIndexValueThis key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
MiscellaneousEvent Session IDsessionidlog.session.idTextIndexValueThis key is used to capture a sessionid from the session directly
MiscellaneousMessagemessageThis key captures the contents of instant messages
MiscellaneousMessage Bodymessage_bodymessage.bodyTextThis key captures the The contents of the message body.
MiscellaneousNodenodenodeTextIndexNoneCommon use case is the node name within a cluster. The cluster name is reflected by the host name.
MiscellaneousObserved Valueobserved_valobserved.valTextThis key captures the Value observed (from the perspective of the device generating the log).  
MiscellaneousOperation Numberoperation_idoperation.idTextAn alert number or operation number.  The values should be unique and non-repeating.
MiscellaneousOS NameososTextThis key captures the Name of the Operating System
MiscellaneousPackets TotalpacketspacketsTextIndexNoneThis key is the total number of packets sent/received in a session. Also, in cases where the Sent or Received context is not clear, this can be used.
MiscellaneousParametersparamparamTextThis key is the parameters passed s part of a command or application, etc.
MiscellaneousParent Node Nameparent_nodeparent.nodeTextThis key captures the Parent Node Name.  Must be related to node variable.
MiscellaneousParent process IDparent_pidparent.pidInt32This key captures Parent Process ID.
Miscellaneousadditional Info

calling_from

calling_to

phone_number

phoneTextIndexNoneThis is used to capture the Phone Number or a Calling station ID
MiscellaneousPolicy IDpolicy_idpolicy.idTextIndexValueThis key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
MiscellaneousPolicy Namesigname,policynamepolicy.nameTextIndexValueThis key is used to capture the Policy Name only.
MiscellaneousPolicy Contentspolicy_valuepolicy.valueTextThis key captures the contents of the policy.  This contains details about the policy
MiscellaneousPool IDpool_idpool.idTextThis key captures the identifier (typically numeric field) of a resource pool
MiscellaneousPool Namepool_namepool.nameTextThis key  captures the name of a resource pool
MiscellaneousPort(Physical/Logical)portnameport.nameTextThis key is used for Physical or logical port connection but does NOT include a network port.  (Example: Printer port name).
MiscellaneousProcess Name 

process

child_process

processTextIndexValueThis key is used to capture the Process Name only
MiscellaneousProcess IDprocess_idprocess.idInt64IndexValueThis key is used to capture the Process ID value only
MiscellaneousProduct NameproductproductTextIndexValueThis key is used to capture the name of the product.
MiscellaneousEvent IDidreference.idTextIndexValueThis key is used to capture an event id from the session directly
Miscellaneousid1reference.id1TextIndexValueThis key is for Linked ID to be used as an addition to "reference.id"
Miscellaneousid2reference.id2TextIndexValueThis key is for the 2nd Linked ID.  Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
MiscellaneousResultresultresult TextIndexValueThis key is used to capture the outcome/result string value of an action in a session.
MiscellaneousResult Coderesultcoderesult.codeTextIndexValueThis key is used to capture the outcome/result numeric value of an action in a session
MiscellaneousError CodeserrorerrorTextThis key captures All non successful Error codes or responses
MiscellaneousRiskriskrisk TextThis key captures the non-numeric risk value
MiscellaneousRisk Numberrisk_numrisk.numFloat64This key captures a Numeric Risk value
MiscellaneousRisk Number Communityrisk_num_commrisk.num.commFloat32This key captures Risk Number Community
MiscellaneousRisk Number NextGenrisk_num_nextrisk.num.nextFloat33This key captures Risk Number NextGen
MiscellaneousRisk Number SandBoxrisk_num_sandrisk.num.sandFloat34This key captures Risk Number SandBox
MiscellaneousRisk Number Staticrisk_num_staticrisk.num.staticFloat35This key captures Risk Number Static
MiscellaneousRule NumberruleruleTextThis key captures the Rule number
MiscellaneousRule Grouprule_grouprule.groupTextThis key captures the Rule group name
MiscellaneousRule Namerulenamerule.nameTextThis key captures the Rule Name 
MiscellaneousRule Templaterule_templaterule.templateTextA default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
MiscellaneousRule Unique IDrule_uidrule.uidTextThis key is the Unique Identifier for a rule.  
MiscellaneousSearch Textsearch.textTextIndexNoneThis key captures the Search Text used
MiscellaneousSensor NamesensorsensorTextThis key captures Name of the sensor. Typically used in IDS/IPS based devices
MiscellaneousSerial Numberserial_numberserial.numberTextThis key is the Serial number associated with a physical asset.
MiscellaneousServer ApplicationserverTextThis key is used to capture the name of the server application only
MiscellaneousSeverityseverityseverityTextThis key is used to capture the severity given the session
MiscellaneousSignature IDsigidsig.idInt32This key captures IDS/IPS Int Signature ID
MiscellaneousSignature Stringsigid_stringsig.id.strTextThis key captures a string object of the sigid variable.
MiscellaneousLinked Signature IDsigid1sig.id1Int32This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
MiscellaneousSNMP OID snmp.oidTextIndexNoneSNMP Object Identifier
MiscellaneousSNMP Valuesnmp.valueTextIndexNoneSNMP set request value
MiscellaneousDestination SPI Indexdst_spispi.dstTextDestination SPI Index
MiscellaneousSource SPI Indexsrc_spispi.srcTextSource SPI Index
MiscellaneousStream InfostreamsThis key captures number of streams in session
MiscellaneousTCP Flagstcp_flagstcp.flagsThis key is captures the TCP flags set in any packet of session
MiscellaneousName of the TerminalterminalterminalTextIndexNoneThis key captures the Terminal Names only
MiscellaneousType Of ServicetostosInt32This key describes the type of service
MiscellaneousTrigger Descriptiontrigger_desctrigger.descTextThis key captures the Description of the trigger or threshold condition.
MiscellaneousTrigger Valuetrigger_valtrigger.valTextThis key captures the Value of the trigger or threshold condition.
MiscellaneousUser Agentuser_agentuser.agentTextThis key captures the User agent identifier or the  browser identification string 
MiscellaneousVersion OS/ApplicationversionversionTextThis key captures Version of the application or OS which is generating the event.
MiscellaneousVirus NamevirusnamevirusnameTextThis key captures the name of the virus
MiscellaneousVMWARE Targetvm_targetvm.targetTextVMWare Target **VMWARE** only varaible.
MiscellaneousVirtual system namevsysvsysTextThis key captures Virtual System Name
MiscellaneousVulnerability Referencevuln_refvuln.refTextThis key captures the Vulnerability Reference details
MiscellaneousWorkspace Descriptionworkspace_descworkspaceTextThis key captures Workspace Description
InvestigationsEvent Activityec_activityec.activityTextThis key captures the particular event activity(Ex:Logoff)
InvestigationsEvent Outcomeec_outcomeec.outcomeTextThis key captures the outcome of a particular Event(Ex:Success)
InvestigationsEvent Subjectec_subjectec.subjectText
InvestigationsEvent Themeec_themeec.themeText
InvestigationsEvent Categorization IDevent_cat,event.catevent.catUInt32This key captures the Event category number
InvestigationsEvent Category Name

event.cat.name

event_cat_name

event.cat.nameTextThis  key captures the event category name corresponding to the event cat code
InvestigationsVendor supplied Event Categoryvendor_event_catevent.vcatTextThis is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. 

 

 

List of Deprecated Concepts 

 

The following table lists all the keys/concepts that have been deprecated. For backward compatibility of existing analytical content, and for analysts used to these keys, we will continue to use these keys. We are also copying these keys into the replacement keys, so that end users can start leveraging the replacement keys over time. The deprecated keys will be removed from the default Content, Index-concentrator.xml and Table-map.xml files in future releases. We advise you to start using the new keys going forward.

 

 

Deprecated Meta Key | Replaced by Meta Key
ip.addr | alias.ip
ip.srcport | port.src
ip.dstport | port.dst
network.port | port
ipv6.proto | ip.proto
permissions | privilege
user.src | user or user.sec based on the context
user.dst | user or user.sec based on the context
username | user or user.sec based on the context
orig_ip | ip.orig or host.orig based on usage
sdomain | domain.src
ddomain | domain.dst
ad.computer.src | host.src
ad.computer.dst | host.dst
ad.domain.src | domain.src
ad.domain.dst | domain.dst
ad.username.src | user
ad.username.dst | user.sec
ssl.ca | cert.ca
ssl.checksum | checksum
ssl.common | cert.common
ssl.subject | cert.subject
ssl.ver.src | version
ssl.ver.dst | version
risk.warning | New Investigation Model (inv.context and inv.category)
risk.info | New Investigation Model (inv.context and inv.category)
risk.suspicious | New Investigation Model (inv.context and inv.category)
alert.id | New Investigation Model (inv.context and inv.category)
browser | user.agent
site.cat | category

 

 

Meta Entities

 

In the RSA NetWitness® Suite, data is parsed into the most accurate meta key available for the given context, which is extremely important for analysts. But that presents a challenge when an analyst has use cases where they don't need the most granular context and only need the high-level context, in which case they have to query every possible key of relevance. For example: to check if IP 1.1.1.1 showed up in the network, they would need to query 8 different keys, namely ip.src, ip.dst, alias.ip, stransaddr, dtransaddr, forward.ip, device.ip, etc.

 

Meta Entities provide a way to link similar meta keys together. Once defined, an entity can be used the same way as a key, so that analysts query it as a regular key to reach multiple similar concepts at once. For example: we can link all the keys referenced above as "ip.all".

 

Note:

  1. All Meta keys defined under a Meta Entity should have the same Data Type
  2. All Meta keys defined under a Meta Entity should have the same Indexing Levels
  3. Meta Entity nesting is not allowed; an entity can only reference Meta Keys, not another Meta Entity

 

 

Entity Name | Meta Keys in Entity | Data Type | Indexing | Notes
domain.all | | Text | IndexValue | This Entity is linked with all relevant Domain Keys used in NetWitness
 | domain | Text | IndexValue | This key should only be used to capture a Domain when the directionality is not clear
 | domain.src | Text | IndexValue | This key should only be used to capture the Source Domain only.
 | domain.dst | Text | IndexValue | This key should only be used to capture the Destination Domain only.
ec.all | | Text | IndexValue | This Entity is linked with all relevant Event Categorization Keys used in NetWitness
 | ec.activity | Text | IndexValue | This key should only contain a value from a predefined list of Event Category - Activities
 | ec.outcome | Text | IndexValue | This key should only contain a value from a predefined list of Event Category - Outcome
 | ec.subject | Text | IndexValue | This key should only contain a value from a predefined list of Event Category - Subject
 | ec.theme | Text | IndexValue | This key should only contain a value from a predefined list of Event Category - Themes
email.all | | Text | IndexValue | This Entity is linked with all relevant Email Keys used in NetWitness
 | email | Text | IndexValue | This key should only be used to capture an Email when the directionality is not clear
 | email.dst | Text | IndexValue | This key should only be used to capture the Destination Email only.
 | email.src | Text | IndexValue | This key should only be used to capture the Source Email only.
eth.all | | MAC | IndexValue | This Entity is linked with all relevant MAC Address Keys used in NetWitness
 | alias.mac | MAC | IndexValue | This key should only be used to capture a MAC address when the directionality is not clear
 | eth.dst | MAC | IndexValue | This key should only be used to capture the Destination MAC address only.
 | eth.src | MAC | IndexValue | This key should only be used to capture the Source MAC address only.
host.all | | Text | IndexValue | This Entity is linked with all relevant Hostname Keys used in NetWitness
 | alias.host | Text | IndexValue | This key should only be used to capture a hostname when the directionality is not clear
 | host.dst | Text | IndexValue | This key should only be used to capture Destination Hostnames only.
 | host.src | Text | IndexValue | This key should only be used to capture Source Hostnames only.
 | device.host | Text | IndexValue | This is a Reserved Field, used to capture the Hostname of the Event Source
ip.all | | IPv4 | IndexValue | This Entity is linked with all relevant IPv4 Keys used in NetWitness
 | alias.ip | IPv4 | IndexValue | This key should only be used to capture an IPv4 Address when the directionality is not clear
 | ip.dst | IPv4 | IndexValue | This key should only be used to capture the Destination IPv4 Address only.
 | ip.src | IPv4 | IndexValue | This key should only be used to capture the Source IPv4 Address only.
 | stransaddr | IPv4 | IndexValue | This key should only be used to capture a translated Source IPv4 Address only
 | dtransaddr | IPv4 | IndexValue | This key should only be used to capture a translated Destination IPv4 Address only
 | forward.ip | IPv4 | IndexValue | This is used to capture the IPv4 Address of the Relay system in between the Event source and Destination
 | device.ip | IPv4 | IndexValue | This is a Reserved Field, used to capture the IPv4 Address of the Event Source
ipv6.all | | IPv6 | IndexValue | This Entity is linked with all relevant IPv6 Keys used in NetWitness
 | alias.ipv6 | IPv6 | IndexValue | This key should only be used to capture an IPv6 Address when the directionality is not clear
 | device.ipv6 | IPv6 | IndexValue | This is a Reserved Field, used to capture the IPv6 Address of the Event Source
 | forward.ipv6 | IPv6 | IndexValue | This is used to capture the IPv6 Address of the Relay system in between the Event source and Destination
 | ipv6.dst | IPv6 | IndexValue | This key should only be used to capture the Destination IPv6 Address only.
 | ipv6.src | IPv6 | IndexValue | This key should only be used to capture the Source IPv6 Address only.
port.all | | UInt16 | IndexValue | This Entity is linked with all relevant Port Keys used in NetWitness
 | port.src | UInt16 | IndexValue | This key should only be used when it's a Source Port.
 | port.dst | UInt16 | IndexValue | This key should only be used when it's a Destination Port.
 | tcp.srcport | UInt16 | IndexValue | This key should only be used when it's a TCP based Source Port.
 | tcp.dstport | UInt16 | IndexValue | This key should only be used when it's a TCP based Destination Port.
 | udp.srcport | UInt16 | IndexValue | This key should only be used when it's a UDP based Source Port.
 | udp.dstport | UInt16 | IndexValue | This key should only be used when it's a UDP based Destination Port.
 | stransport | UInt16 | IndexValue | This key should only be used when it's a Source Translated Port Number
 | dtransport | UInt16 | IndexValue | This key should only be used when it's a Destination Translated Port Number
port.src.all | | UInt16 | IndexValue | This Entity is linked with all relevant Source Port Keys used in NetWitness
 | port.src | UInt16 | IndexValue | This key should only be used when it's a Source Port.
 | tcp.srcport | UInt16 | IndexValue | This key should only be used when it's a TCP based Source Port.
 | udp.srcport | UInt16 | IndexValue | This key should only be used when it's a UDP based Source Port.
 | stransport | UInt16 | IndexValue | This key should only be used when it's a Source Translated Port Number
port.dst.all | | UInt16 | IndexValue | This Entity is linked with all relevant Destination Port Keys used in NetWitness
 | port.dst | UInt16 | IndexValue | This key should only be used when it's a Destination Port.
 | tcp.dstport | UInt16 | IndexValue | This key should only be used when it's a TCP based Destination Port.
 | udp.dstport | UInt16 | IndexValue | This key should only be used when it's a UDP based Destination Port.
 | dtransport | UInt16 | IndexValue | This key should only be used when it's a Destination Translated Port Number
user.all | | Text | IndexValue | This Entity is linked with all relevant User Keys used in NetWitness
 | user | Text | IndexValue | This key should only be used to capture the Primary User or the main actor referenced in the event
 | user.sec | Text | IndexValue | This key should only be used to capture the Secondary User or the recipient referenced in the event
 | user.src | Text | IndexValue | This key has been deprecated and replaced by user or user.sec based on context. It is part of the entity for backward compatibility only
 | user.dst | Text | IndexValue | This key has been deprecated and replaced by user or user.sec based on context. It is part of the entity for backward compatibility only
analysis.all | | Text | IndexValue | This Entity is linked with all relevant Analysis Keys used in NetWitness
 | analysis.service | Text | IndexValue | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service
 | analysis.file | Text | IndexValue | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file
 | analysis.session | Text | IndexValue | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session
filename.all | | Text | IndexValue | This Entity is linked with all relevant Filename Keys used in NetWitness
 | filename | Text | IndexValue | This key is used to capture the complete filename/Webpage with extension where the directionality is not clear. This should not include the directory/path
 | filename.src | Text | IndexValue | This key is used to capture the complete Source or Child filename/Webpage. This should not include the directory/path
 | filename.dst | Text | IndexValue | This key is used to capture the complete Destination or Child filename/Webpage. This should not include the directory/path
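The following is an added example, not RSA's code, showing how the three Note rules above can be checked mechanically and how an entity query such as "ip.all = 1.1.1.1" expands into the seven per-key conditions an analyst would otherwise type. The key catalog is a constructed subset of the ip.all and port.src.all rows above; the class and function names and the "||" OR syntax in the expanded query are assumptions.

```python
"""Added example (not RSA's code): validate Meta Entity definitions against
the three Note rules (same Data Type, same Indexing, no nesting) and expand
an entity query into the OR of its member-key conditions.

The catalog is a constructed subset of this page's ip.all and port.src.all
rows; class/function names and the '||' query syntax are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MetaKey:
    name: str
    data_type: str  # IPv4, UInt16, Text, ...
    indexing: str   # IndexValue or IndexNone


# Constructed catalog: the member keys listed for ip.all and port.src.all,
# plus one IndexNone Text key (filter) to exercise the rule checks.
CATALOG = {k.name: k for k in (
    MetaKey("ip.src", "IPv4", "IndexValue"),
    MetaKey("ip.dst", "IPv4", "IndexValue"),
    MetaKey("alias.ip", "IPv4", "IndexValue"),
    MetaKey("stransaddr", "IPv4", "IndexValue"),
    MetaKey("dtransaddr", "IPv4", "IndexValue"),
    MetaKey("forward.ip", "IPv4", "IndexValue"),
    MetaKey("device.ip", "IPv4", "IndexValue"),
    MetaKey("port.src", "UInt16", "IndexValue"),
    MetaKey("tcp.srcport", "UInt16", "IndexValue"),
    MetaKey("udp.srcport", "UInt16", "IndexValue"),
    MetaKey("stransport", "UInt16", "IndexValue"),
    MetaKey("filter", "Text", "IndexNone"),
)}

ENTITIES = {
    "ip.all": ["ip.src", "ip.dst", "alias.ip", "stransaddr",
               "dtransaddr", "forward.ip", "device.ip"],
    "port.src.all": ["port.src", "tcp.srcport", "udp.srcport", "stransport"],
}


def validate_entity(name, members, catalog=CATALOG, entities=ENTITIES):
    """Return the list of rule violations for an entity; empty means valid."""
    problems = []
    for m in members:
        if m in entities:  # rule 3: an entity may reference keys only
            problems.append(f"{name}: nesting not allowed, {m} is an entity")
        elif m not in catalog:
            problems.append(f"{name}: unknown meta key {m}")
    known = [catalog[m] for m in members if m in catalog]
    types = {k.data_type for k in known}
    if len(types) > 1:  # rule 1: one Data Type per entity
        problems.append(f"{name}: mixed data types {sorted(types)}")
    levels = {k.indexing for k in known}
    if len(levels) > 1:  # rule 2: one Indexing level per entity
        problems.append(f"{name}: mixed indexing levels {sorted(levels)}")
    return problems


def expand_query(query, entities=ENTITIES):
    """Rewrite "ip.all = 1.1.1.1" into the OR of the member-key conditions.

    A query on a plain key is returned unchanged. Using '||' for OR is an
    assumption about the query syntax."""
    key, _, rest = query.partition(" ")
    if key not in entities:
        return query
    return " || ".join(f"{member} {rest}" for member in entities[key])


if __name__ == "__main__":
    for name, members in ENTITIES.items():
        print(name, validate_entity(name, members) or "OK")
    print(expand_query("ip.all = 1.1.1.1"))
```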

 

 

Creating Custom Meta Keys in NetWitness

 

Often there are cases where a relevant meta concept is not available in the Data Model. The purpose of the model is to normalize the most common concepts used for threat detection and analysis. However, if there is a need to create a new concept not available in the data model, please use the following guidelines to maintain the overall consistency of meta key usage.

 

1. It shouldn't clash with any of the existing concepts defined in the Unified Data Model.

2. A new concept should be defined with a Meta Key name, Data Type, Description of its usage, Indexing and stored in a centralized place for reference. 

3. If the key is used in a log parser, please ensure the exact same meta key is used as a Log Parser key as well. Also, the Log Parser Key Flag needs to be decided.

4. NetWitness allows key sizes of 16 characters and under. Only alphanumeric values are allowed, no special characters (the "." delimiter described below is the one exception).

 

Please use the following method to create a Meta Key. A meta key has 3 logical parts: Concept, Context and Delimiter

 

Concept:

This should be the main entity or the type of value. This should always be the First part of the Meta Key.

 

For example: ip, ipv6, host, mac, port, time, etc.

 

Context:

This is the additional context needed for the concept. This is the second part of the key. Sometimes no additional context is needed for the concept, and sometimes additional context is required. It is recommended not to have keys with more than 2 levels of additional context. (Please note, there is a 16 character size limit for a meta key.)

 

For example: Source, Destination, Sent, Received, Primary, Secondary. 

Additional Context: Translated, Numbers

  

Delimiter:

This is used to separate the concept from the context, and in some cases also to separate out additional context. NetWitness uses "." (dot) as the delimiter.

 

Left to Right Rule:

Most Generic to Most Specific order should be maintained while defining meta keys, with delimiters in between.

 

For Example: "Translated Source IP Address"

 

Other Examples:

port.src (Source Port)

ip.src (Source IP)

port.trans.src (Source Translated Port)

port (This is a generic port key, to capture port numbers where additional context is not available)

src.ip.trans (Wrong Usage)

trans.ip.src (Wrong Usage)
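The following is an added example, not RSA's code, that turns the guidelines above into a check a content author can run before proposing a custom key: no clash with existing concepts, 16 characters or fewer, alphanumerics joined by the "." delimiter only, concept first, and at most two levels of context. The short forms of the context words (src, dst, trans, ...) and the small set of existing keys are assumptions; the check that src/dst comes last generalises the page's port.trans.src example.

```python
"""Added example (not RSA's code): check a proposed custom meta key against the
naming guidelines on this page. The short forms of the context vocabulary,
the function name and the set of existing keys are assumptions."""
import re

MAX_KEY_LEN = 16  # guideline 4: 16 characters and under
CONCEPTS = {"ip", "ipv6", "host", "mac", "port", "time"}
# Assumed short forms of Source, Destination, Sent, Received, Primary, Secondary
CONTEXTS = {"src", "dst", "sent", "rcvd", "pri", "sec"}
# Assumed short forms of the additional contexts Translated, Numbers
ADDITIONAL = {"trans", "num"}
# Constructed subset of keys already defined in the UDM tables above
EXISTING_KEYS = {"ip.src", "ip.dst", "port.src", "port.dst", "port", "ip.all"}

# Guideline 4: alphanumerics only, with "." as the sole delimiter
KEY_SHAPE = re.compile(r"[a-z0-9]+(\.[a-z0-9]+)*")
DIRECTIONAL = {"src", "dst"}


def check_meta_key(name, existing=EXISTING_KEYS):
    """Return a list of guideline violations; an empty list means acceptable."""
    problems = []
    if name in existing:  # guideline 1: no clash with existing concepts
        problems.append("clashes with an existing UDM concept")
    if len(name) > MAX_KEY_LEN:
        problems.append(f"longer than {MAX_KEY_LEN} characters")
    if not KEY_SHAPE.fullmatch(name):
        problems.append("only lowercase alphanumerics separated by '.' are allowed")
        return problems  # the remaining checks need a well-formed name
    parts = name.split(".")
    if parts[0] not in CONCEPTS:  # Left to Right Rule: concept is first
        problems.append(f"first part '{parts[0]}' is not a concept")
    if len(parts) > 3:  # concept plus at most 2 levels of context
        problems.append("more than 2 levels of additional context")
    for part in parts[1:]:
        if part not in CONTEXTS | ADDITIONAL:
            problems.append(f"'{part}' is not a known context")
    # Generalising port.trans.src: the directional context is the most
    # specific part, so when present it must come last.
    if any(p in DIRECTIONAL for p in parts[1:]) and parts[-1] not in DIRECTIONAL:
        problems.append("src/dst must be the last (most specific) part")
    return problems


if __name__ == "__main__":
    for candidate in ("port.trans.src", "src.ip.trans", "trans.ip.src", "ip.src"):
        print(candidate, check_meta_key(candidate) or "OK")
```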

 

 

 

Please reach out to nwudm@rsa.com to request changes to the existing concepts defined in the Data Model or to request the addition of new concepts to the Data Model.
