Article Number
000029299
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Reporting Engine
Platform: CentOS
Task
The purpose of this article is to help with interpreting strings such as "medium = 32" that are found in queries and rules within RSA Security Analytics.
Resolution
Sessions in Security Analytics can be created by various means, such as packets ingested by a Packet Decoder, logs ingested by a Log Decoder, sessions created due to correlation rule matches, etc.
The medium meta key of a session indicates the session type (e.g. packets, logs, correlation). For example, if a session is created by a Packet Decoder after ingesting an Ethernet packet, the medium meta key value is set to 1. If a session is created by a Log Decoder after ingesting a log, the medium meta key value is set to 32. If a session is created by the correlation engine because a session matched a correlation rule, then the medium meta key value is set to 33.
The interpretation of each integer for the meta key can be found in the /etc/netwitness/ng/index-concentrator.xml file on concentrator appliances. The interpretations are also provided in the table below.
Notes
The table below shows the relation between the medium meta key integers and the session types.
Integer | Session Type |
---|---|
1 | Ethernet |
2 | Tokenring |
3 | FDDI |
4 | HDLC |
5 | NetWitness |
6 | 802.11 |
7 | 802.11 Radio |
8 | 802.11 AVS |
9 | 802.11 PPI |
10 | 802.11 PRISM |
11 | 802.11 Management |
12 | 802.11 Control |
13 | DLT Raw |
32 | Logs |
33 | Correlation |