Meta Class | High level classification of Meta concepts, to make it easier to browse the data model.
Meta Concept | Description of the Meta key.
Log Parser Key | Name of the key used in Log Parsers, which is mapped (via Table-Map) to the corresponding Meta key in the RSA NetWitness® Suite.
Log Parser Key Flag | Flag used in the Table-Map, which decides whether the Meta data is written to disk or not.
    Transient | The meta data is not saved to disk; however, it is used by Application/Correlation Rules and Feeds.
    None | The meta data is saved to disk and is available to the NetWitness Concentrator or Archiver for further storage or processing.
Meta Key | Name of the key (maximum 16 characters).
Meta Type | Type format of the value, which can be: Int8, UInt8, Int16, UInt16, Int32, UInt32, Int64, UInt64, UInt128, Float32, Float64, TimeT, Binary, Text, IPv4, IPv6, MAC.
Indexing |
    IndexNone | Default index level, which provides no indexing.
    IndexKeys | Provides indexing at the key level (e.g., identifies which sessions have values, but does not track the actual values). This provides highly efficient exists or !exists queries, but slower queries for other operators, such as key = 'some value'.
    IndexValues | Highest indexing level. Provides the best performance for all query operators but also takes the most time to index and requires the most storage space.
Notes | This explains how a particular key should be used, to avoid any discrepancies.
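One way to check custom Table-Map entries against the rules in the field descriptions above (16-character Meta Key limit, allowed Meta Types, Transient vs. None), as an added example that is not from RSA's documentation. The `<mapping>` attribute names (`envisionName`, `nwName`, `flags`, `format`), the sample entries and the `required_on_disk` list are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constraints taken from the field descriptions on this page.
META_TYPES = {"Int8", "UInt8", "Int16", "UInt16", "Int32", "UInt32", "Int64",
              "UInt64", "UInt128", "Float32", "Float64", "TimeT", "Binary",
              "Text", "IPv4", "IPv6", "MAC"}
FLAGS = {"Transient", "None"}
MAX_KEY_LEN = 16

# Constructed sample; the <mapping> attribute names are an assumption.
SAMPLE_TABLE_MAP = """
<mappings>
  <mapping envisionName="saddr" nwName="ip.src" flags="None" format="IPv4"/>
  <mapping envisionName="hostname" nwName="alias.host" flags="Transient" format="Text"/>
  <mapping envisionName="cmdline" nwName="process.command.line" flags="None" format="Text"/>
  <mapping envisionName="bytes" nwName="bytes.src" flags="Disk" format="Integer"/>
</mappings>
"""

def lint_table_map(xml_text, required_on_disk=()):
    """Return a list of (name, problem) tuples for a Table-Map document."""
    findings = []
    persisted = set()
    for m in ET.fromstring(xml_text).iter("mapping"):
        src, key = m.get("envisionName", ""), m.get("nwName", "")
        flag, fmt = m.get("flags", ""), m.get("format", "")
        if len(key) > MAX_KEY_LEN:
            findings.append((src, f"meta key '{key}' exceeds {MAX_KEY_LEN} characters"))
        if fmt not in META_TYPES:
            findings.append((src, f"unknown meta type '{fmt}'"))
        if flag not in FLAGS:
            findings.append((src, f"missing or unknown flag '{flag}'"))
        elif flag == "None":
            persisted.add(key)  # flag None means the value is written to disk
    # Keys analysts must query later on a Concentrator or Archiver cannot be
    # Transient, because Transient meta is only visible to rules and feeds.
    for key in required_on_disk:
        if key not in persisted:
            findings.append((key, "required for investigation but not written to disk"))
    return findings

if __name__ == "__main__":
    for item in lint_table_map(SAMPLE_TABLE_MAP, required_on_disk=["ip.src", "alias.host"]):
        print(*item, sep=": ")
```
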
RSA NetWitness uses Meta Keys as a way to retain context of the raw data after it is parsed and stored on disk. Hence, it is extremely important to parse out data into the most accurate Meta key to retain context that's needed for Threat Detection, Analytics and Response. The table below lists over 350 concepts that are available in RSA NetWitness.