RSA NetWitness® Suite Unified Data Model Meta Entities

Document created by RSA Link Team Employee on Feb 28, 2018. Last modified by RSA Link Team Employee on Apr 12, 2018.
Version 18

Meta Entities

 

In the RSA NetWitness® Platform, data is parsed into the most accurate meta key available for the given context, which is extremely important for analysts. However, this presents a challenge when analysts have use cases that do not need the most granular context. If they need only the high-level context, they do not want to query every possible key of relevance. For example: to check whether IP 1.1.1.1 showed up in the network, they would need to query 7 different keys, namely ip.src, ip.dst, alias.ip, stransaddr, dtransaddr, forward.ip, device.ip, etc.

 

Meta Entities provide a way to link similar meta keys together. Once an entity is defined, it can be queried the same way as a key, so analysts use it like a regular key to reach multiple similar concepts at once. For example: all the keys referenced above can be linked together as "ip.all".

 

Note:

  1. Meta Entities are only supported on RSA NetWitness 11.1 and above.
  2. All Meta Keys defined under a Meta Entity should have the same Data Type.
  3. All Meta Keys defined under a Meta Entity should have the same Indexing Level.
  4. Nesting of Meta Entities is not allowed: a Meta Entity can only reference Meta Keys, not another Meta Entity.

 

| Entity Name | Meta Key in Entity | Data Type | Indexing | Notes |
|---|---|---|---|---|
| domain.all | | Text | IndexValue | This Entity is linked with all relevant Domain Keys used in RSA NetWitness |
| | domain | Text | IndexValue | This key should only be used to capture a Domain when the directionality is not clear |
| | domain.src | Text | IndexValue | This key should only be used to capture the Source Domain |
| | domain.dst | Text | IndexValue | This key should only be used to capture the Destination Domain |
| ec.all | | Text | IndexValue | This Entity is linked with all relevant Event Categorization Keys used in RSA NetWitness |
| | ec.activity | Text | IndexValue | This key should only contain a value from a predefined list of Event Category - Activities |
| | ec.outcome | Text | IndexValue | This key should only contain a value from a predefined list of Event Category - Outcome |
| | ec.subject | Text | IndexValue | This key should only contain a value from a predefined list of Event Category - Subject |
| | ec.theme | Text | IndexValue | This key should only contain a value from a predefined list of Event Category - Themes |
| email.all | | Text | IndexValue | This Entity is linked with all relevant Email Keys used in RSA NetWitness |
| | email | Text | IndexValue | This key should only be used to capture an Email when the directionality is not clear |
| | email.dst | Text | IndexValue | This key should only be used to capture the Destination Email |
| | email.src | Text | IndexValue | This key should only be used to capture the Source Email |
| eth.all | | MAC | IndexValue | This Entity is linked with all relevant MAC Address Keys used in RSA NetWitness |
| | alias.mac | MAC | IndexValue | This key should only be used to capture a MAC Address when the directionality is not clear |
| | eth.dst | MAC | IndexValue | This key should only be used to capture the Destination MAC Address |
| | eth.src | MAC | IndexValue | This key should only be used to capture the Source MAC Address |
| host.all | | Text | IndexValue | This Entity is linked with all relevant Hostname Keys used in RSA NetWitness |
| | alias.host | Text | IndexValue | This key should only be used to capture a hostname when the directionality is not clear |
| | host.dst | Text | IndexValue | This key should only be used to capture the Destination Hostname |
| | host.src | Text | IndexValue | This key should only be used to capture the Source Hostname |
| | device.host | Text | IndexValue | This is a Reserved Field, used to capture the Hostname of the Event Source |
| ip.all | | IPv4 | IndexValue | This Entity is linked with all relevant IPv4 Keys used in RSA NetWitness |
| | alias.ip | IPv4 | IndexValue | This key should only be used to capture an IPv4 Address when the directionality is not clear |
| | ip.dst | IPv4 | IndexValue | This key should only be used to capture the Destination IPv4 Address |
| | ip.src | IPv4 | IndexValue | This key should only be used to capture the Source IPv4 Address |
| | ip.trans.src | IPv4 | IndexValue | This key should only be used to capture a translated Source IPv4 Address |
| | ip.trans.dst | IPv4 | IndexValue | This key should only be used to capture a translated Destination IPv4 Address |
| | forward.ip | IPv4 | IndexValue | This is used to capture the IPv4 Address of the Relay system in between the Event Source and Destination |
| | device.ip | IPv4 | IndexValue | This is a Reserved Field, used to capture the IPv4 Address of the Event Source |
| ipv6.all | | IPv6 | IndexValue | This Entity is linked with all relevant IPv6 Keys used in RSA NetWitness |
| | alias.ipv6 | IPv6 | IndexValue | This key should only be used to capture an IPv6 Address when the directionality is not clear |
| | device.ipv6 | IPv6 | IndexValue | This is a Reserved Field, used to capture the IPv6 Address of the Event Source |
| | forward.ipv6 | IPv6 | IndexValue | This is used to capture the IPv6 Address of the Relay system in between the Event Source and Destination |
| | ipv6.dst | IPv6 | IndexValue | This key should only be used to capture the Destination IPv6 Address |
| | ipv6.src | IPv6 | IndexValue | This key should only be used to capture the Source IPv6 Address |
| port.all | | UInt16 | IndexValue | This Entity is linked with all relevant Port Keys used in RSA NetWitness |
| | port | UInt16 | IndexValue | This key should only be used when the directionality context of the Port is not clear |
| | port.src | UInt16 | IndexValue | This key should only be used when it's a Source Port |
| | port.dst | UInt16 | IndexValue | This key should only be used when it's a Destination Port |
| | tcp.srcport | UInt16 | IndexValue | This key should only be used when it's a TCP based Source Port |
| | tcp.dstport | UInt16 | IndexValue | This key should only be used when it's a TCP based Destination Port |
| | udp.srcport | UInt16 | IndexValue | This key should only be used when it's a UDP based Source Port |
| | udp.dstport | UInt16 | IndexValue | This key should only be used when it's a UDP based Destination Port |
| | port.trans.src | UInt16 | IndexValue | This key should only be used when it's a Source Translated Port Number |
| | port.trans.dst | UInt16 | IndexValue | This key should only be used when it's a Destination Translated Port Number |
| port.src.all | | UInt16 | IndexValue | This Entity is linked with all relevant Source Port Keys used in RSA NetWitness |
| | port.src | UInt16 | IndexValue | This key should only be used when it's a Source Port |
| | tcp.srcport | UInt16 | IndexValue | This key should only be used when it's a TCP based Source Port |
| | udp.srcport | UInt16 | IndexValue | This key should only be used when it's a UDP based Source Port |
| | port.trans.src | UInt16 | IndexValue | This key should only be used when it's a Source Translated Port Number |
| port.dst.all | | UInt16 | IndexValue | This Entity is linked with all relevant Destination Port Keys used in RSA NetWitness |
| | port.dst | UInt16 | IndexValue | This key should only be used when it's a Destination Port |
| | tcp.dstport | UInt16 | IndexValue | This key should only be used when it's a TCP based Destination Port |
| | udp.dstport | UInt16 | IndexValue | This key should only be used when it's a UDP based Destination Port |
| | port.trans.dst | UInt16 | IndexValue | This key should only be used when it's a Destination Translated Port Number |
| user.all | | Text | IndexValue | This Entity is linked with all relevant User Keys used in RSA NetWitness |
| | user | Text | IndexValue | This key should be used when the source / destination / initiated / target of a username is not clear |
| | user.src | Text | IndexValue | This key should only be used to capture the Secondary/Source User in the event |
| | user.dst | Text | IndexValue | This key should only be used to capture the Primary/Destination User in the event |
| | username | Text | IndexValue | This key has been discontinued and replaced by user. It is part of the entity for backward compatibility only |
| analysis.all | | Text | IndexValue | This Entity is linked with all relevant Analysis Keys used in RSA NetWitness |
| | analysis.service | Text | IndexValue | This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service |
| | analysis.file | Text | IndexValue | This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file |
| | analysis.session | Text | IndexValue | This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session |
| filename.all | | Text | IndexValue | This Entity is linked with all relevant Filename Keys used in RSA NetWitness |
| | filename | Text | IndexValue | This key is used to capture the complete filename/Webpage with extension where the directionality is not clear. This should not include the directory/path |
| | filename.src | Text | IndexValue | This key is used to capture the complete Source or Child filename/Webpage. This should not include the directory/path |
| | filename.dst | Text | IndexValue | This key is used to capture the complete Destination or Child filename/Webpage. This should not include the directory/path |
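The following is an added example, not RSA NetWitness code, that models the three rules from the Note above (same Data Type, same Indexing Level, no nesting) and shows what an entity such as ip.all buys an analyst: one predicate fans out to every member key. The key catalogue is transcribed from the entity table; the class and function names, and the "key = value || key = value" string it builds, are assumptions for illustration and are not the NetWitness index configuration or query API.

```python
"""Meta Entity consistency checks and entity-to-key query expansion.

Added example (not RSA NetWitness code). The catalogue and entity
memberships below are transcribed from the Unified Data Model entity
table on this page; validate_entity() and expand_query() are assumed
helper names, and the query string format is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class MetaKey:
    name: str
    data_type: str   # e.g. "IPv4", "IPv6", "Text", "MAC", "UInt16"
    indexing: str    # e.g. "IndexValue"


# Subset of the meta keys listed in the entity table (constructed from the page).
CATALOGUE = {k.name: k for k in [
    MetaKey("ip.src", "IPv4", "IndexValue"),
    MetaKey("ip.dst", "IPv4", "IndexValue"),
    MetaKey("alias.ip", "IPv4", "IndexValue"),
    MetaKey("ip.trans.src", "IPv4", "IndexValue"),
    MetaKey("ip.trans.dst", "IPv4", "IndexValue"),
    MetaKey("forward.ip", "IPv4", "IndexValue"),
    MetaKey("device.ip", "IPv4", "IndexValue"),
    MetaKey("ipv6.src", "IPv6", "IndexValue"),
    MetaKey("port.src", "UInt16", "IndexValue"),
    MetaKey("tcp.srcport", "UInt16", "IndexValue"),
    MetaKey("udp.srcport", "UInt16", "IndexValue"),
    MetaKey("port.trans.src", "UInt16", "IndexValue"),
]}


@dataclass
class MetaEntity:
    name: str
    members: list[str]   # names of member meta keys


# Two entities as defined in the table above.
ENTITIES = {
    "ip.all": MetaEntity("ip.all", ["ip.src", "ip.dst", "alias.ip", "ip.trans.src",
                                    "ip.trans.dst", "forward.ip", "device.ip"]),
    "port.src.all": MetaEntity("port.src.all", ["port.src", "tcp.srcport",
                                                "udp.srcport", "port.trans.src"]),
}


def validate_entity(entity: MetaEntity, catalogue=CATALOGUE, entities=ENTITIES) -> list[str]:
    """Return the list of rule violations for an entity; an empty list means it is valid."""
    problems: list[str] = []
    types, levels = set(), set()
    for member in entity.members:
        if member in entities:
            # Rule 4: an entity may reference keys only, never another entity.
            problems.append(f"{entity.name}: nesting not allowed, '{member}' is an entity")
            continue
        key = catalogue.get(member)
        if key is None:
            problems.append(f"{entity.name}: unknown meta key '{member}'")
            continue
        types.add(key.data_type)
        levels.add(key.indexing)
    if len(types) > 1:
        # Rule 2: every member must share one Data Type.
        problems.append(f"{entity.name}: mixed data types {sorted(types)}")
    if len(levels) > 1:
        # Rule 3: every member must share one Indexing Level.
        problems.append(f"{entity.name}: mixed indexing levels {sorted(levels)}")
    return problems


def expand_query(key_or_entity: str, value: str, entities=ENTITIES) -> str:
    """Rewrite 'entity = value' as the OR of 'member = value' over each member key.

    A plain meta key is returned unchanged. The '||' operator is an assumption
    used to make the fan-out visible; check your platform's query syntax.
    """
    if key_or_entity not in entities:
        return f"{key_or_entity} = {value}"
    return " || ".join(f"{m} = {value}" for m in entities[key_or_entity].members)


if __name__ == "__main__":
    for ent in ENTITIES.values():
        print(ent.name, "->", validate_entity(ent) or "OK")
    print(expand_query("ip.all", "1.1.1.1"))
```

Running the block validates both table entities and prints the seven-way expansion of ip.all = 1.1.1.1, which is exactly the list of keys the introduction says an analyst would otherwise have to query one by one.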

 

 

Creating Custom Meta Keys in RSA NetWitness

 

There are often cases where a relevant meta concept is not available in the Data Model. The purpose of the model is to normalize the most common concepts used for threat detection and analysis. However, if there is a need to create a new concept that is not available in the Data Model, please follow the guidelines below to maintain the overall consistency of meta key usage.

 

  1. It shouldn't clash with any of the existing concepts defined in the Unified Data Model.
  2. A new concept should be defined with a Meta Key name, Data Type, Description of its usage and Indexing, and stored in a centralized place for reference.
  3. If the key is used in a log parser, please ensure the exact same meta key is used as a Log Parser key as well. Also, the Log Parser Key Flag needs to be set.
  4. RSA NetWitness allows a maximum key size of 16 characters. Only alphanumeric characters are allowed, except "." (dot), which is a delimiter.

 

Please use the following method to create a Meta Key. A meta key has 3 logical parts: Concept, Context and Delimiter.

 

Concept:

This should be the main entity or the type of value. This should always be the first part of the Meta Key.

 

For example: ip, ipv6, host, mac, port, time, etc.

 

Context:

This is the additional context needed for the concept, and it forms the second part of the key. Sometimes no additional context is needed for the concept, and sometimes it is required. RSA recommends not having keys with more than 2 levels of additional context. (Please note that there is a 16-character size limit for a meta key.)

 

For example: Source, Destination, Sent, Received, Primary, Secondary. 

Additional Context: Translated, Numbers

  

Delimiter:

This is used to separate the concept from the context and, in some cases, to separate out additional context as well. RSA NetWitness uses "." (dot) as the delimiter.

 

Left to Right Rule:

Meta keys should be defined in Most Generic to Most Specific order, with delimiters in between.

 

For Example: "Translated Source IP Address"

 

 

Other Examples:

port.src (Source Port)

ip.src (Source IP)

port.trans.src (Source Translated Port)

port (This is a generic port key, to capture port numbers where additional context is not available)

src.ip.trans (Wrong Usage)

trans.ip.src (Wrong Usage)
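As an added example, not RSA's own tooling, the checker below applies the guidelines from this section to a proposed key name: no clash with an existing Unified Data Model key, the 16-character limit, alphanumeric characters plus "." only, the concept first (the Left to Right Rule), and at most 2 levels of additional context. The list of existing keys is taken from the entity table on this page; the concept vocabulary is the page's example list (ip, ipv6, host, mac, port, time) plus a few concepts from the table, and the context vocabulary is limited to the abbreviations the page actually shows (src, dst, trans). Both vocabularies are assumptions to extend for your own deployment, and the checker is meant for new keys, not as a test of legacy reserved keys such as alias.ip or device.ip.

```python
"""Check a proposed custom meta key name against the naming guidelines.

Added example (not RSA NetWitness code). EXISTING_KEYS is transcribed from
the entity table on this page; CONCEPTS and CONTEXTS are assumed
vocabularies built from the page's examples, and check_key_name() is an
assumed helper name.
"""
from __future__ import annotations
import re

MAX_LEN = 16                                   # guideline 4: maximum key size
NAME_RE = re.compile(r"[A-Za-z0-9]+(\.[A-Za-z0-9]+)*")  # alphanumeric parts joined by "."
MAX_CONTEXT_LEVELS = 2                         # RSA recommends at most 2 levels of context

# Concepts: the page's examples plus concepts that head entities in the table (assumption).
CONCEPTS = {"ip", "ipv6", "host", "mac", "port", "time", "domain", "email", "user", "filename"}
# Contexts: only the abbreviations the page itself uses (assumption).
CONTEXTS = {"src", "dst", "trans"}

# Existing Unified Data Model keys, transcribed from the entity table above.
EXISTING_KEYS = {
    "domain", "domain.src", "domain.dst",
    "email", "email.src", "email.dst",
    "eth.src", "eth.dst", "host.src", "host.dst",
    "ip.src", "ip.dst", "ip.trans.src", "ip.trans.dst",
    "ipv6.src", "ipv6.dst",
    "port", "port.src", "port.dst", "port.trans.src", "port.trans.dst",
    "user", "user.src", "user.dst",
    "filename", "filename.src", "filename.dst",
}


def check_key_name(name: str, existing=EXISTING_KEYS) -> list[str]:
    """Return every guideline the proposed name violates; an empty list means it passes."""
    problems: list[str] = []
    if name in existing:
        # Guideline 1: a new key must not clash with a concept already in the model.
        problems.append("clashes with an existing Unified Data Model key")
    if len(name) > MAX_LEN:
        # Guideline 4: 16-character limit.
        problems.append(f"longer than {MAX_LEN} characters")
    if not NAME_RE.fullmatch(name):
        # Guideline 4: only alphanumeric characters and the "." delimiter.
        problems.append('only alphanumeric characters and "." are allowed, with non-empty parts')
        return problems          # the structural checks below need a well-formed name
    concept, *contexts = name.split(".")
    if concept not in CONCEPTS:
        # Left to Right Rule: the concept is always the first part.
        problems.append(f"first part '{concept}' is not a known concept; the concept must come first")
    if len(contexts) > MAX_CONTEXT_LEVELS:
        problems.append(f"more than {MAX_CONTEXT_LEVELS} levels of additional context")
    unknown = [c for c in contexts if c not in CONTEXTS]
    if unknown:
        problems.append(f"unknown context part(s): {unknown}")
    return problems


if __name__ == "__main__":
    # The page's correct examples, its two "Wrong Usage" examples, and one new candidate.
    for candidate in ["port.src", "ip.src", "port.trans.src", "port",
                      "src.ip.trans", "trans.ip.src", "host.trans.src"]:
        print(f"{candidate:16} -> {check_key_name(candidate) or 'OK'}")
```

For the page's own correct examples the only finding is the clash with the existing key, which is expected since they already exist; the two "Wrong Usage" examples are rejected because "src" and "trans" are contexts, not concepts, and so cannot lead the key.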

 

Please reach out to nw.udm@rsa.com to request changes to the existing concepts defined in the Data Model or to request additions of new concepts in the Data Model.
