Article Number
000029299
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Reporting Engine
Platform: CentOS
Task
The purpose of this article is to help with interpreting strings such as "medium = 32" that are found in queries and rules within RSA Security Analytics.
Resolution
Sessions in Security Analytics can be created by various means, such as packets ingested by a Packet Decoder, logs ingested by a Log Decoder, sessions created due to correlation rule matches, etc.
The medium meta key of a session indicates the session type. (i.e. packets, logs, correlation, etc.) For example, if a session is created by a Packet Decoder after ingesting an Ethernet packet, the medium meta key value is set to 1. If a session is created by a Log Decoder after ingesting a log, the medium meta key value is set to 32. If a session is created by the correlation engine because a session matched a correlation rule then the medium meta key value is set to 33.
The interpretation of each integer for the meta key can be found in the /etc/netwitness/ng/index-concentrator.xml file on concentrator appliances. They are also provided in the table below.
Notes
The table below shows the relation between the
medium meta key integers and the session types.
| Integer | Session Type |
|---|
| 1 | Ethernet |
| 2 | Tokenring |
| 3 | FDDI |
| 4 | HDLC |
| 5 | NetWitness |
| 6 | 802.11 |
| 7 | 802.11 Radio |
| 8 | 802.11 AVS |
| 9 | 802.11 PPI |
| 10 | 802.11 PRISM |
| 11 | 802.11 Management |
| 12 | 802.11 Control |
| 13 | DLT Raw |
| 32 | Logs |
| 33 | Correlation |
