This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

medium = 32

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-12-29 11:38 AM

I'm going through several rules through Security Analytics and am finding the string "medium = 32" in some of our rules. What does this mean?

1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-12-29 01:25 PM

Hi joegumke,

 

This means that the rule is looking for sessions created by logs.

 

Sessions that are created for logs have the value of 'medium' meta key set to 32.

 

Sessions in Security Analytics can be created by various means, e.g. packets ingested by Packet Decoder, logs ingested by Log Decoder, sessions created due to correlation rule matches, etc.

 

The 'medium' meta of a session indicates what kind of session it is (i.e. packet, logs, correlation, etc.).

 

For example, if a session is created by Packet Decoder after ingesting an ethernet packet, the 'medium' meta key's value is set to 1. If a session is created by the correlation engine because a session matched a correlation rule then the 'medium' meta key's value is set to 33.

 

We can find what each integer means by looking up the aliases for each integer in /etc/netwitness/ng/index-concentrator.xml for the key entry with name="medium".

 

Thanks,

Susam

View solution in original post

1 REPLY 1

Go to solution
RSAAdmin
Beginner
Beginner

‎2014-12-29 01:25 PM

Hi joegumke,

 

This means that the rule is looking for sessions created by logs.

 

Sessions that are created for logs have the value of 'medium' meta key set to 32.

 

Sessions in Security Analytics can be created by various means, e.g. packets ingested by Packet Decoder, logs ingested by Log Decoder, sessions created due to correlation rule matches, etc.

 

The 'medium' meta of a session indicates what kind of session it is (i.e. packet, logs, correlation, etc.).

 

For example, if a session is created by Packet Decoder after ingesting an ethernet packet, the 'medium' meta key's value is set to 1. If a session is created by the correlation engine because a session matched a correlation rule then the 'medium' meta key's value is set to 33.

 

We can find what each integer means by looking up the aliases for each integer in /etc/netwitness/ng/index-concentrator.xml for the key entry with name="medium".

 

Thanks,

Susam

© 2022 RSA Security LLC or its affiliates. All rights reserved.