Tokenization of meta data
The attached proof-of-concept Lua parser can be used for simple tokenization purposes in RSA Security Analytics. This will work in both a Logs and a Packet environment. The purpose of this is to anonymize or tokenize data inside the meta database only. Other content is not modified.
This example parser reads "user.dst" meta and writes a CRC32 hash of the value to the "user.dst.token" meta. It can be used for other text meta but this would require the parser to be modified. The destination meta needs to be created in the index-concentrator-custom.xml if it does not exist already.
The original packet/log/meta may need to be removed or access needs to be restricted. There are multiple ways of doing this:
1) On a log decoder modify table-map-custom.xml set the original value to transient. This way it won't store the original meta.
2) Meta access in the Investigation module can be restricted by using sdk.roles=2 in the explorer settings for concentrator and then set RBAC for individual meta keys.
3) Another option is to restrict meta consumption on the concentrator, to not consume certain meta keys with a filter statement.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
Go to Devices, Select your Concentrator, 'Explore' mode, and go to /sdk/config/system and set the system.roles to value '2'. This will create extra RBAC roles, one for each meta key on the concentrator. This will decrease performance on your system, since it now needs to do additional security checks.