I'm going through several rules through Security Analytics and am finding the string "medium = 32" in some of our rules. What does this mean?
This means that the rule is looking for sessions created by logs.
Sessions that are created for logs have the value of 'medium' meta key set to 32.
Sessions in Security Analytics can be created by various means, e.g. packets ingested by Packet Decoder, logs ingested by Log Decoder, sessions created due to correlation rule matches, etc.
The 'medium' meta of a session indicates what kind of session it is (i.e. packet, logs, correlation, etc.).
For example, if a session is created by Packet Decoder after ingesting an ethernet packet, the 'medium' meta key's value is set to 1. If a session is created by the correlation engine because a session matched a correlation rule then the 'medium' meta key's value is set to 33.
We can find what each integer means by looking up the aliases for each integer in /etc/netwitness/ng/index-concentrator.xml for the key entry with name="medium".
Retrieving data ...