The RSA NetWitness® Platform Unified Data Model (UDM) provides combined insight from Logs, Network and Endpoints. It organizes elements of data coming into RSA NetWitness from disparate sources via various methods into one, standardized data model. Analysts can now look for data concepts in one place, as defined by the Unified Data Model. This model is intuitive and provides immediate clarity to both analysts and content authors to use the data for writing Log/Packet parsers and Analytical content, such as Co-relation Rules, Reports, Feeds, Alerts, and so on.
The Unified Data Model contains a list of all the Meta concepts available in the out-of-the-box RSA NetWitness® Platform. These keys should be used uniformly across the RSA NetWitness® Platform to get the most consistent results. The following illustration shows a high level view of how raw data enters RSA NetWitness and is transformed into meta data defined by the concepts in the Unified Data model. (Note: This does not represent the entire RSA NetWitness architecture; it just lays out how meta flows through some services and the different configuration files involved in the process)
Meta Flow in the RSA NetWitness Platform