The purpose of this article is to help with interpreting strings such as "medium = 32" that are found in queries and rules within RSA Security Analytics.
Sessions in Security Analytics can be created by various means, such as packets ingested by a Packet Decoder, logs ingested by a Log Decoder, sessions created due to correlation rule matches, etc.
The medium meta key of a session indicates the session type. (i.e. packets, logs, correlation, etc.) For example, if a session is created by a Packet Decoder after ingesting an Ethernet packet, the medium meta key value is set to 1. If a session is created by a Log Decoder after ingesting a log, the medium meta key value is set to 32. If a session is created by the correlation engine because a session matched a correlation rule then the medium meta key value is set to 33.
The interpretation of each integer for the meta key can be found in the /etc/netwitness/ng/index-concentrator.xml file on concentrator appliances. They are also provided in the table below.
The table below shows the relation between the medium meta key integers and the session types.