Configure Contextual Data from ECAT via Recurring Feed

Document created by RSA Information Design and Development on May 5, 2016

This topic provides instructions for configuring use of RSA ECAT data in Security Analytics to provide contextual data from ECAT to Decoder and Log Decoder sessions. This configuration adds contextual meta values in addition to the instant IOC alerts that can be used to build correlations to other meta data in the Security Analytics ecosystem.

Administrators can configure Security Analytics to consume system scan contextual data from ECAT via a Security Analytics Live recurring feed. This integration enriches sessions from a Decoder or Log Decoder with contextual information displayed in Security Analytics Investigation; examples include the host operating system, MAC address, score, and other data that may not be present in the log or packet data.

Note: Although this feature is targeted for customers with a packet Decoder, a recurring feed can also be implemented in Log Decoders.

Caution: In environments with many ECAT hosts, use of this recurring feed may result in decreased performance on the Security Analytics ingest devices (Decoder and Log Decoder).

Prerequisites

  • ECAT Console server version 4.0 or later and Security Analytics Server version 10.4 or later installed.
  • Version 10.4 or later RSA Decoder and Concentrator connected to the Security Analytics Server in the network.

Configuration

To configure this integration:

  1. Enable the ECAT Feed for Security Analytics in the ECAT User Interface.
  2. Export the ECAT CA Certificate from the ECAT Console server and import it into the Security Analytics trust store.
  3. Configure the Security Analytics Concentrator service to define which meta keys are indexed.
  4. Create a recurring feed in Security Analytics Live.

Enable the ECAT Feed for Security Analytics

For ECAT version 4.0

  1. Open the ECAT user interface and log on using the proper credentials.
  2. From the menu bar, select Configure > Monitoring External Components.

    The Add Components dialog is displayed.


  3. Add a Security Analytics component. Enter the Unique Name, Host DNS or IP, and click Settings.

    The Configure Security Analytics dialog is displayed.

    EcatConfSADialog.png

  4. Enter the Timezone and click the Feed Config tab.

    EcatFeedConfTb.png

  5. Select Enable ECAT Feed, enter the Username and Password. Configure the Feed Publishing Interval. Click Save.

    A feed is created.

  6. Make a note of the URL assigned to the feed, and the username and password. This information is used in Security Analytics.
  7. To verify that the feed has been successfully created, open a browser and type in the URL. When prompted, enter the username and password. Check to see if a file named machines.csv is downloaded.

For ECAT version 4.1

In the ECAT User Interface:

  1. Create an SQL user in ECAT:
    1. Open the ECAT user interface and log on using the proper credentials.
    2. Under Security, right-click in the pane and select create sql user.
      The Create a new SQL User dialog is displayed.
      create-sql-usr.png
    3. Provide the login name and the password.
  2. From the menu bar, select Configure > Monitoring External Components.
    The External Components Configuration dialog is displayed.
    ext-comp-config.png
  3. In Security Analytics, click +.
    The Security Analytics dialog is displayed.
    sa_ecat.png
  4. Under Security Analytics, in On, type a name to identify the Security Analytics component.
  5. Under Security Analytics Connection, do the following.
    1. In Server Hostname/IP, type the host name or IP address of the Security Analytics server.
    2. In Port, the default port number is 443. Update the field if needed.
  6. Under Configure Security Analytics, do the following:
    1. In Servers Time Zone, enter a time zone for the component.
    2. In Device Identifier, type the Security Analytics concentrator device ID.
      Note: You can find the Device Identifier in Security Analytics when you look up a Concentrator or Broker in Investigation > Navigate > <Concentrator or Broker Name>. The Device Identifier is the number in the URL after "investigation." For example, in the URL https://<IP address>/investigation/319/navigate/values, the Device Identifier is 319.

    The URI field is populated when you click Save.

  7. In Query Optimization, do the following:
    1. In Min, enter the number of minutes for the minimum query time range. This value is used to automatically increase the time range submitted to Security Analytics. This ensures that a query returns a positive response if the ECAT Agent's reported time differs slightly from the Security Analytics time.
    2. In Max, enter the number of minutes to limit the time range. This value is used to automatically limit the time range submitted to Security Analytics, so that a query does not overload the Security Analytics server.
    3. In Do Not Perform Query Older Than, enter a number of days to limit the query period. Enter 0 to disable this limit.
  8. In Configure ECAT Feeds for SA, do the following:
    1. Select Enable ECAT Feed.
    2. Enter the SQL Username and Password (configured in step 1) to access the location of the feed.
      The URL field is populated when you click Save.
    3. Enter the time interval for the frequency at which feeds are published.
  9. Click Save.
    A feed is created.

Export the ECAT SSL Certificate

Note: This procedure works only for Security Analytics 10.5 and above because Java 8 support was added for 10.5. If you are using an earlier version of Security Analytics, refer to the applicable version of this guide.

To export the ECAT CA certificate from the ECAT Console server and copy it to the Security Analytics host:

  1. Log on to the ECAT Console.
  2. Open MMC.
  3. Add a certificate snap-in for Computer account.
  4. Export the certificate named EcatCA.
    1. Export without private key.
    2. Export in DER encoded binary X.509 (.CER) format.
    3. Name it EcatCA.cer.
  5. Copy the ECAT CA certificate to the Security Analytics host:
    scp EcatCA.cer root@<sa-machine>:.
  6. To import the ECAT CA certificate into the Security Analytics Trusted store, enter the following commands:
    JDK=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-0.b17.el6_7.x86_64/jre/
    $JDK/bin/keytool -import -v -trustcacerts -alias ecatca -file ~/EcatCA.cer -keystore $JDK/lib/security/cacerts -storepass changeit

    When prompted for certificate update confirmation, enter Yes.
  7. On the Security Analytics host, edit /etc/hosts to map the IP address of the ECAT Console server to the name ecatserverexported by adding the following line to the file:
    <ip-address-ecat-cs> ecatserverexported
  8. To restart Security Analytics, enter the following commands:
    stop jettysrv
    start jettysrv

Configure the Security Analytics Concentrator Service

  1. Log on to Security Analytics and navigate to Administration > Services.
  2. Select a concentrator from the list, and select View > Config.
  3. Select the Files tab, and from the Files to Edit pull-down menu, select index-concentrator-custom.xml.
  4. Add the following ECAT meta keys to the file and click Apply. Make sure that this file already contains the XML sections; if the lines are not included, add them. The following lines are examples; make sure the values match your configuration and the column names you included in the feed definition, where:
    description is the name of the meta key you want to display in Security Analytics Investigation.
    level is "IndexValues".
    name matches the column name of the CSV file that Security Analytics uses when defining the recurring feed (see the table in Configure the Recurring Custom Feed Task in Security Analytics below).

    <key description="Gateway" format="Text" level="IndexValues" name="gateway" valueMax="250000" defaultAction="Open"/>
    <key description="Risk Number" format="Float64" level="IndexValues" name="risk.num" valueMax="250000" defaultAction="Open"/>
    <key description="Strans Addr" format="Text" level="IndexValues" name="stransaddr" valueMax="250000" defaultAction="Open"/>

  5. Restart the Concentrator to activate the custom key updates.
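A feed whose meta keys are missing from the custom index, or indexed below the value level, loads without error but is invisible in Investigation. The following Python script is an added example (not RSA code and not part of this guide) that parses an index-concentrator-custom.xml and reports which feed keys are absent or not set to IndexValues. It assumes the file has a <language> root with one <key> element per meta key, as in the lines quoted in step 4, and the sample XML and the key list are constructed for the example; the TimeT format suggested for the two ECAT timestamp keys is likewise an assumption to verify against your own index-concentrator.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an index-concentrator-custom.xml. Assumption: the file
# has a <language> root with one <key> element per meta key, matching the
# <key .../> lines quoted in step 4 above. One key is deliberately mis-indexed
# and two feed keys are deliberately absent so the checker has something to report.
SAMPLE_CUSTOM_INDEX = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Gateway" format="Text" level="IndexValues" name="gateway" valueMax="250000" defaultAction="Open"/>
  <key description="Risk Number" format="Float64" level="IndexValues" name="risk.num" valueMax="250000" defaultAction="Open"/>
  <key description="Strans Addr" format="Text" level="IndexKeys" name="stransaddr" valueMax="250000" defaultAction="Open"/>
</language>
"""

# Meta keys the ECAT feed writes (from the column table further down this page).
# Which of them the stock index-concentrator.xml already indexes depends on the
# Security Analytics version, so list every key you rely on and check them all.
REQUIRED_KEYS = ["gateway", "risk.num", "stransaddr", "ecat.ctime", "ecat.stime"]


def parse_custom_index(xml_text):
    """Return {meta key name: attribute dict} for every <key> in the file."""
    root = ET.fromstring(xml_text)
    return {key.get("name"): dict(key.attrib) for key in root.iter("key")}


def check_feed_keys(xml_text, required_keys):
    """Report feed keys that are absent or not indexed at the value level.

    A key indexed at a lower level (IndexKeys/IndexNone) exists, but its values
    cannot be queried in Investigation, so the feed enrichment is invisible.
    """
    keys = parse_custom_index(xml_text)
    missing = [name for name in required_keys if name not in keys]
    not_index_values = [
        name for name in required_keys
        if name in keys and keys[name].get("level") != "IndexValues"
    ]
    return {"missing": missing, "not_index_values": not_index_values}


def render_key(description, name, fmt, value_max=250000):
    """Build a <key/> line in the same shape as the examples in step 4.

    fmt is the Security Analytics value format (Text, Float64, ...). Using
    TimeT for the two ECAT timestamp keys is an assumption; verify it against
    your index-concentrator.xml before applying.
    """
    element = ET.Element("key", {
        "description": description, "format": fmt, "level": "IndexValues",
        "name": name, "valueMax": str(value_max), "defaultAction": "Open",
    })
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    report = check_feed_keys(SAMPLE_CUSTOM_INDEX, REQUIRED_KEYS)
    for name in report["not_index_values"]:
        print(f"{name}: present but level is not IndexValues")
    for name in report["missing"]:
        print("add:", render_key(name.replace(".", " ").title(), name,
                                 "TimeT" if name.endswith("time") else "Text"))
```

Run it against the real file after step 4 and before restarting the Concentrator in step 5; every key it reports should be fixed first, since a restart is needed for each change.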

Configure the Recurring Custom Feed Task in Security Analytics

To configure the recurring feed task in Security Analytics:

  1. Log on to Security Analytics and navigate to Live > Feeds.
  2. Select Custom Feed > Next.
  3. Do the following:
    • Select Recurring.
    • Enter a Name, for example: EcatFeed.
    • Enter the URL with the hostname of the Windows server on which ECAT is installed:
      • For RSA ECAT version 4.0, use the URL https://<EcatServerHostname>:9443/ext/feed/machines.csv.
      • For RSA ECAT version 4.1, use the URL https://<EcatServerExported>:9443/api/v2/feed/machines.csv.
  4. Select the Authenticated checkbox and enter the username and password as noted in Enable the ECAT Feed above.
  5. Select Verify to check that Security Analytics can reach the web resource.
  6. Define the schedule. Click Next.
    EcatDefineLiveFeed.png
  7. In the Select Services tab, select the Decoder or groups to consume the feed. Click Next.
  8. In the Define Columns tab, enter the column names as shown in the table below and save the feed.
    EcatDefColLive.png

The following table shows the columns in the CSV file for the ECAT feed.

Column  Name               Description                                             Column Name in Security Analytics (Meta Key Name)
1       MachineName        Host name of the Windows agent                          alias.host
2       LocalIp            IPv4 address                                            index
3       RemoteIp           Far end IP as seen by the router                        stransaddr
4       GatewayIp          IP of the gateway                                       gateway
5       MacAddress         MAC address                                             eth.src
6       OperatingSystem    Operating system used by the Windows Agent              OS
7       AgentID            Agent ID of the host (unique ID assigned to the agent)  client
8       ConnectionUTCTime  Last time when the agent connected to ECAT server       ecat.ctime
9       SourceDomain       Domain                                                  domain.src
10      ScanUTCTime        Last time when the agent was scanned                    ecat.stime
11      MachineScore       Score of the agent indicating the suspicious level      risk.num

Note: In the table, the recommended index column is LocalIp. However, if the LocalIp of the ECAT Agent PC is allocated by a DHCP server, the DHCP lease has expired, and the IP is then re-allocated to another PC, the metadata created by the feed will be incorrect. To avoid this risk, use the machine name or the MAC address instead of the LocalIp address as the feed's index. For example, to use a MAC address, you could enter the values as shown in the following figure.

ecatfeed_mac.png
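The DHCP problem in the note above shows up in the feed file itself as two agents sharing one LocalIp. The following Python script is an added example (not RSA code and not part of this guide) that parses a downloaded machines.csv using the column order from the table, reports index values shared by more than one agent, and picks the first candidate column (LocalIp, MacAddress, MachineName) that is actually unique. The sample CSV is constructed; it assumes the file has no header row and one agent per line, which you should confirm against a real download from step 7 of Enable the ECAT Feed.

```python
import csv
import io
from collections import Counter

# Feed column order and the Security Analytics meta key each column maps to,
# taken from the column table above. "index" marks the column Security Analytics
# matches sessions against; the remaining columns become meta on the session.
FEED_COLUMNS = [
    ("MachineName", "alias.host"),
    ("LocalIp", "index"),
    ("RemoteIp", "stransaddr"),
    ("GatewayIp", "gateway"),
    ("MacAddress", "eth.src"),
    ("OperatingSystem", "OS"),
    ("AgentID", "client"),
    ("ConnectionUTCTime", "ecat.ctime"),
    ("SourceDomain", "domain.src"),
    ("ScanUTCTime", "ecat.stime"),
    ("MachineScore", "risk.num"),
]

# Constructed sample of a machines.csv download. Assumption: no header row, one
# agent per line in the column order above. The first two hosts share 10.0.0.5,
# which is what a reused DHCP lease looks like in the feed.
SAMPLE_FEED = """\
WS-ALICE,10.0.0.5,203.0.113.10,10.0.0.1,00:11:22:33:44:55,Windows 7,a1,2016-05-01T10:00:00Z,CORP,2016-05-01T09:00:00Z,12.5
WS-BOB,10.0.0.5,203.0.113.10,10.0.0.1,00:11:22:33:44:66,Windows 10,b2,2016-05-02T10:00:00Z,CORP,2016-05-02T09:00:00Z,3.0
WS-CAROL,10.0.0.9,203.0.113.10,10.0.0.1,00:11:22:33:44:77,Windows 8.1,c3,2016-05-02T11:00:00Z,CORP,2016-05-02T10:30:00Z,0.0
"""


def parse_feed(text):
    """Parse the CSV into one dict per agent keyed by feed column name."""
    rows = []
    for line_no, record in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not record:
            continue
        if len(record) != len(FEED_COLUMNS):
            raise ValueError(f"line {line_no}: expected {len(FEED_COLUMNS)} columns, got {len(record)}")
        rows.append({column: value for (column, _meta), value in zip(FEED_COLUMNS, record)})
    return rows


def duplicate_index_values(rows, index_column):
    """Return {value: count} for index values shared by more than one agent."""
    counts = Counter(row[index_column] for row in rows)
    return {value: n for value, n in counts.items() if n > 1}


def choose_index(rows, candidates=("LocalIp", "MacAddress", "MachineName")):
    """Pick the first candidate column whose values are unique in this feed.

    A duplicated index value means a session matching it cannot be tied to a
    single agent, so that column is rejected and the next candidate is tried.
    """
    for column in candidates:
        if not duplicate_index_values(rows, column):
            return column
    return None


def session_meta(row):
    """Meta that would be attached to a matching session (index column excluded)."""
    return {meta: row[column] for column, meta in FEED_COLUMNS if meta != "index"}


if __name__ == "__main__":
    agents = parse_feed(SAMPLE_FEED)
    print("duplicate LocalIp:", duplicate_index_values(agents, "LocalIp"))
    print("usable index column:", choose_index(agents))
    print("meta for", agents[2]["MachineName"], "->", session_meta(agents[2]))
```

Running this periodically against the downloaded feed (rather than once at setup) is what catches the DHCP case, because the duplicates only appear after a lease has been reused.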

Result

When viewing feed data in Security Analytics, upon match of the indexed value (ip.src), meta data is populated in Investigation, Reporting and Alerting Interfaces.

Troubleshooting

This section suggests how to resolve problems you may encounter when working with recurring feeds.

Known Issues                                                                                    Solutions
With ECAT 4.1.0.2 and ECAT 4.1.1, ECAT feed integration does not work for Security Analytics.   You must use ECAT 4.1.1.1 for the feed to work.