Meta Entities

In the RSA NetWitness® Platform, data is parsed into the most accurate meta key available based on the given context which is extremely important for analysts. However, this can present a challenge when analysts have use cases where they do not need the most granular context. If they need only the high level context, they do not want to have to query every possible key of relevance. For Example: To check if IP 1.1.1.1 showed up in the network, they would need to query 7 different keys namely: ip.src, ip.dst, alias.ip, stransaddr, dtransaddr, forward.ip, device.ip, etc. 

Meta Entities provide a way to link similar meta keys together. Once they are defined, an entity can be used the same way as a key, so that analysts use them as regular keys to get to multiple, similar concepts. For Example: We can link all the keys referenced above as "ip.all"

Note:

1. Meta Entities are only supported on RSA NetWitness 11.1 and above.
2. All Meta keys defined under a Meta Entity should have the same Data Type
3. All Meta keys defined under a Meta Entity should have the same Indexing Levels
4. Meta Entities nesting is not allowed: a Meta Entity can only reference Meta Keys and not another Meta Entity

Creating Custom Meta Keys in RSA NetWitness

There are often cases where a relevant meta concept may not be available in the Data model. The purpose of the model is to normalize the most common concepts used for threat detection and analysis. However, if there is a need to create a new concept not available in the data model, please use the following guidelines to maintain the overall consistency of meta key usage.

1. It shouldn't clash with any of the existing concepts defined in the Unified Data Model.
2. A new concept should be defined with a Meta Key name, Data Type, Description of its usage, Indexing and stored in a centralized place for reference. 
3. If the key is used in a log parser, please ensure the exact same meta key is used as a Log Parser key as well. Also, the Log Parser Key Flag needs to be set
4. RSA NetWitness allows maximum key size of 16 characters. Only alpha numeric values are allowed except "." (dot) which is a delimiter.

Please use the following method to create a Meta Key. A meta key has 3 logical parts: Concept, Context and Delimiter

Concept:

This should be the main entity or the type of value. This should always be the first part of the Meta Key.

For example: ip, ipv6, host, mac, port, time, etc.

Context:

This is the additional context needed for the concept. This is the second part of the Key. Sometimes, there is no additional context needed for the concept and sometimes, there is additional context required. RSA recommends to not have keys with more than 2 levels of additional context.  (Please note, there is a 16-character size limit for a meta key). 

For example: Source, Destination, Sent, Received, Primary, Secondary. 

Additional Context: Translated, Numbers

Delimiter:

This is used to separate out concept and context and in some cases also separate out additional context. RSA NetWitness uses "." (dot) as the delimiter. 

Left to Right Rule:

Most Generic to Most Specific order should be maintained while defining meta keys, with delimiters in between.

For Example: "Translated Source IP Address"

Other Examples:

port.src (Source Port)

ip.src (Source IP)

port.trans.src (Source Translated Port)

port (This is a generic port key, to capture port numbers where additional context is not available)

src.ip.trans (Wrong Usage)

trans.ip.src (Wrong Usage)

Please reach out to nw.udm@rsa.com to request changes to the existing concepts defined in the Data Model or to request additions of new concepts in the Data Model.

Next