This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Information regarding Unified Data Model (UDM)

someone
Contributor
Contributor

‎2018-04-24 07:02 AM

I've seen a lot of "marketing" articles describing RSA's vision to change most METAs that customers use and give another fancy name to it, creating more work for everyone without properly informing them about such a massive change. This is unprofessional and inappropriately communicated (no communication). 

 

The reason for this Question is to get all the information that I should have received and explain what needs to be done so that .

Based on the existing documentation it is clear that this is available on both 10.6 and 11.

 

RSA staff admitting in the very first sentence what a MASSIVE change this would be for admins, and obviously analysts. At the same time, not providing any proper documentation that would make sense to people that were not present in RSA's brainstorming sessions. https://community.rsa.com/community/products/netwitness/blog/2018/04/09/automating-meta-key-updates-with-udm 

 

Can we avoid it? Previous changes in METAs through various content packs have been optional.

How is this pushed? Clearly it hasn't been.

Why these steps are not in the documentation? 

 

Why LINK/DOCS team thought that this massive change that would potentially cause reports and charts to fail and analysts unable to work should not have been communicated via e-mail?

For both Admins and Analysts this change is bigger than an upgrade yet RSA are trying to make it transparent by not telling anyone??

0 Likes
4 REPLIES 4

EricPartington
Employee
Employee

‎2018-04-24 07:48 PM

NetWitness 11.1 release notes page 14 -> Link to UDM

https://community.rsa.com/community/products/netwitness/rsa-content/udm 

0 Likes

SaketBajoria
Beginner
Beginner

‎2018-04-25 12:13 AM

Hi Marinos, 

 

Thanks for sharing your experience. I think there is a misunderstanding here. There are no forced massive changes made. The Unified Data Mode presents all the Meta concepts used in Netwitness (Across Logs/Packets/Endpoints) today. It lists out all the necessary details about each concept like indexing, table-map retention, and its usage. The idea is to provide complete transparency, so that everybody can align to 1 unified model. We have also introduced the Meta Entity feature, which really helps the End user look for similar concepts very easily. This product feature is only available in 11.1

 

Based on our analysis and research we came across certain concepts that were redundant and we have very carefully decided to deprecate them in the future. Please be assured that all the OOTB/Custom content will not be impacted. We plan/recommend to start using the new keys for any new content thats developed. 

 

I'll setup sometime with you to walk though the overall vision and would love to discuss any concerns. 

 

Thanks,

Saket

0 Likes

someone
Contributor
Contributor
In response to EricPartington

‎2018-04-25 10:44 AM

Thanks Eric, but this is exactly the problem that RSA is creating for users and I described above.

This feature is version independent (except the entities) but yet as you've pointed out, it is only documented on a "service pack" of one of the version branches. 

I would bet that more than 50% of users are still on 10.6.x so they may not get around v11 documentation for up to one more year from now.

SADOCS team need to think like customers and is impractical for customers to raise 10 DOCS tickets for every new feature RSA pushes out. 

0 Likes

someone
Contributor
Contributor

‎2018-04-25 11:11 AM

Thanks for your response. 

 

I don't think is worth going into a debate about the usefulness of this change because RSA will always claim they know better, on behalf of their customers. Unfortunately noone from RSA asked for our opinion nor pre-sales have discussed this with us during their monthly visits.

 

Some META keys have been used for years by some customers, even since 9.8, so let the customers decide what is better for their environment and the way they work. They have trained their analysts and created documentation around these keys and created content.

I understand that RSA doesn't care about that but there is the other side of the coin too. 

 

My question still remains. How would we be affected if we don't use the new META keys that RSA recommends?

There is no public roadmap (that I know of), so I cannot connect the dots and understand the direction of the product.

 

If we would only be missing out from the content from LIVE then it might not be so bad since these are mostly templates and shouldn't be used without customisation. 

Can you explain what you mean by "carefully decided to deprecate them in the future"?

Are they only going to be deprecated from RSA's end just on the content from LIVE? Would the impact be different a year from now (I'm guessing that they would have been fully deprecated by then)?

© 2022 RSA Security LLC or its affiliates. All rights reserved.