While several enVision keys are displayed in SA Investigation by default, many are not. This article helps SA administrators expose non-default enVision keys to Investigation in SA.
To display an enVision key or a custom meta key in an RSA Security Analytics investigation, follow the steps below.
1. On the log decoder, make the key non-transient so that its values are written to the meta database instead of being discarded after parsing:
   10.3.2 or later: Copy the existing enVision key's mapping from /etc/netwitness/ng/envision/etc/table-map.xml into /etc/netwitness/ng/envision/etc/table-map-custom.xml, or add a new custom key to table-map-custom.xml, with the flags set to "None".
   10.3.1 or earlier: In /etc/netwitness/ng/envision/etc/table-map.xml, change the flags of the enVision key from "Transient" to "None", or add a new custom key to table-map.xml with the flags set to "None".
   e.g.
   <mapping envisionName="user_lname" nwName="lastname" flags="None"/>
   <mapping envisionName="custom_key" nwName="custom.key" flags="None"/>
Note: Make sure that /etc/netwitness/ng/envision/table-map.xml (directly under the envision directory, not under envision/etc) is not present, as a file at that location overrides both /etc/netwitness/ng/envision/etc/table-map.xml and /etc/netwitness/ng/envision/etc/table-map-custom.xml, and the changes from Step 1 will silently have no effect.
2. Restart the log decoder service for the changes to take effect.
3. On the concentrator that aggregates from the above log decoder, open /etc/netwitness/ng/index-concentrator.xml and check whether the nwName keys from Step 1 (e.g. lastname or custom.key) already exist with the index level "IndexKeys" or "IndexValues". If they do, the remaining steps can be skipped. If the keys do not exist, or their index level is "IndexNone", continue with Step 4.
4. On the same concentrator, open /etc/netwitness/ng/index-concentrator-custom.xml and add the nwName keys with the index level set to "IndexValues" or "IndexKeys" (see the knowledgebase article entitled Difference between IndexValues and IndexKeys in RSA Security Analytics and RSA NetWitness NextGen for more information on IndexValues and IndexKeys).
   e.g.
   <key description="User's Last Name" level="IndexValues" name="lastname" format="Text" valueMax="100000" defaultAction="Open"/>
   <key description="Custom Key" level="IndexValues" name="custom.key" format="Text" valueMax="100000" defaultAction="Open"/>
5. Restart the concentrator service for the changes to take effect.
Once the above steps are completed, Investigation will display the meta key and its values for newly collected data. Data collected before the change is not affected, because the key's values were not persisted.
NOTE: If the environment has a broker that aggregates from multiple concentrators, apply the same index-concentrator-custom.xml changes on every concentrator the broker aggregates from; otherwise the key will be missing from results sourced from the unchanged concentrators.
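The following script is an added example, not part of the original article or of the RSA product, that performs the checks of Steps 1 and 3 from the decoder's table-map files and the concentrator's index files and prints the table-map-custom.xml and index-concentrator-custom.xml lines still needed. It assumes the file layout shown in the article (`<mapping>` elements with envisionName, nwName and flags attributes; `<key>` elements with name and level attributes) and only parses those elements, so the root element names used in the constructed sample files below are assumptions; the sample file contents are constructed and not copied from a real appliance.

```python
"""Audit which enVision keys will reach SA Investigation.

Added example. Reads the decoder's table-map.xml / table-map-custom.xml and
the concentrator's index-concentrator.xml / index-concentrator-custom.xml,
and reports the custom-file entries still needed for each wanted key.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample files (assumed shape; not taken from a real appliance).
SAMPLE_TABLE_MAP = """<?xml version="1.0" encoding="utf-8"?>
<mappings>
  <mapping envisionName="user_lname" nwName="lastname" flags="Transient"/>
  <mapping envisionName="user_fname" nwName="firstname" flags="None"/>
</mappings>
"""
SAMPLE_TABLE_MAP_CUSTOM = "<mappings/>"
SAMPLE_INDEX = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="First Name" level="IndexValues" name="firstname" format="Text" valueMax="100000"/>
  <key description="Last Name" level="IndexNone" name="lastname" format="Text" valueMax="100000"/>
</language>
"""
SAMPLE_INDEX_CUSTOM = "<language/>"

# Index levels that make a key visible in Investigation (from Step 3).
INDEXED = {"IndexKeys", "IndexValues"}

# Path that, if present, overrides both files under envision/etc (article note).
STRAY_OVERRIDE = "/etc/netwitness/ng/envision/table-map.xml"


def load_mappings(xml_text: str) -> Dict[str, Dict[str, str]]:
    """envisionName -> {nwName, flags} for every <mapping> element."""
    return {m.get("envisionName"): {"nwName": m.get("nwName"), "flags": m.get("flags", "None")}
            for m in ET.fromstring(xml_text).iter("mapping")}


def load_index_levels(xml_text: str) -> Dict[str, str]:
    """meta key name -> index level for every <key> element."""
    return {k.get("name"): k.get("level") for k in ET.fromstring(xml_text).iter("key")}


def mapping_xml(envision_name: str, nw_name: str) -> str:
    """Line to add to table-map-custom.xml (Step 1)."""
    return f'<mapping envisionName="{envision_name}" nwName="{nw_name}" flags="None"/>'


def key_xml(nw_name: str, description: str) -> str:
    """Line to add to index-concentrator-custom.xml (Step 4)."""
    return (f'<key description="{description}" level="IndexValues" name="{nw_name}" '
            f'format="Text" valueMax="100000" defaultAction="Open"/>')


def plan(wanted: Dict[str, Optional[str]], table_map: str, table_map_custom: str,
         index: str, index_custom: str) -> List[dict]:
    """For each wanted envisionName (value = chosen nwName, or None to use the
    existing mapping), report its current state and the actions still needed."""
    mappings = load_mappings(table_map)
    mappings.update(load_mappings(table_map_custom))   # custom file wins
    levels = load_index_levels(index)
    levels.update(load_index_levels(index_custom))     # custom file wins
    result = []
    for ev_name, chosen_nw in wanted.items():
        entry = mappings.get(ev_name)
        nw = chosen_nw or (entry["nwName"] if entry else None)
        flags = entry["flags"] if entry else None
        level = levels.get(nw) if nw else None
        actions = []
        if nw is None:
            actions.append("no mapping in table-map*.xml; choose an nwName and add a custom mapping")
        elif entry is None or flags != "None":
            # Missing, or still Transient: values are not persisted until this is added.
            actions.append("table-map-custom.xml: " + mapping_xml(ev_name, nw))
        if nw is not None and level not in INDEXED:
            # Absent from the index files or IndexNone: Investigation cannot show it.
            actions.append("index-concentrator-custom.xml: " + key_xml(nw, ev_name))
        result.append({"envisionName": ev_name, "nwName": nw, "flags": flags,
                       "indexLevel": level, "actions": actions})
    return result


def stray_override_present(path: str = STRAY_OVERRIDE) -> bool:
    """True if the overriding table-map.xml from the article's note exists."""
    return os.path.exists(path)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    if stray_override_present():
        print("WARNING: %s exists and overrides the etc/ files" % STRAY_OVERRIDE)
    for r in plan({"user_lname": None, "custom_key": "custom.key", "user_fname": None},
                  SAMPLE_TABLE_MAP, SAMPLE_TABLE_MAP_CUSTOM, SAMPLE_INDEX, SAMPLE_INDEX_CUSTOM):
        print(r["envisionName"], r["nwName"], r["flags"], r["indexLevel"])
        for a in r["actions"]:
            print("   ", a)
```

Run on the appliance by replacing the sample strings with the contents of the real files (decoder files for the first two arguments, concentrator files for the last two). A key that appears with flags="None" and an indexed level comes back with an empty action list; a key like user_lname above, which is Transient on the decoder and IndexNone on the concentrator, needs both a custom mapping and a custom index entry, which is exactly the Step 1 plus Step 4 case. The custom files are merged over the base files because that is the precedence described in the article; the stray override path is checked separately since it defeats both.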