AnsweredAssumed Answered

When should one create a new indexed key?

Question asked by Tomi Reiman on May 3, 2018
Latest reply on May 10, 2018 by Naushad Kasu

In RSA NetWitness, when does it make sense to create a new index key instead of using an existing one to store more heterogeneous data?


My example use case is a key named 'hash'. If hashes from logs and other sources can be either MD5, SHA-1, SHA-256, etc., would it make more sense to create separate keys for each of them instead of using a single key called 'hash'? First of all, these hashes have different lengths so putting them all under a single key would make the size of the index bigger. Secondly, if I can extract feeds per hash type from external systems, wouldn't it make sense to only match MD5 hashes to MD5 hashes, SHA-256 hashes to SHA-256 hashes, and so on?


I plan on keeping the hash keys closed by default in the investigation view, so would there be any real and impactful downside of creating all these keys instead of just using a single key for all hashes?