Incident Management Config: Step 3. Configure Alert Sources

Document created by RSA Information Design and Development on May 10, 2016

This procedure is required so that alerts from the alert sources are displayed in Incident Management. Each alert source has an option that enables or disables populating its alerts into the Incident Management view. By default this option is disabled in the Reporting Engine, Malware Analytics, and ECAT and enabled only in Event Stream Analysis, so after you install the Incident Management service you must enable it in the Reporting Engine, Malware Analytics, and ECAT for their alerts to appear in the Incident Management view.

Prerequisites

Ensure that:

  • The Incident Management service is installed and running on Security Analytics.
  • A database is configured for the incident management service.
  • ECAT is installed and running.

Configure Reporting Engine to Display Alerts Triggered by Reporting Engine in Incident Management View

Reporting Engine alerts are disabled by default from being displayed in the Incident Management view. To display and view Reporting Engine alerts, enable the Incident Management alerts in the Services Config view > General tab for the Reporting Engine.

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Reporting Engine service, and select  > View > Config.
    The Services Config view is displayed with the Reporting Engine General tab open.
  3. Select System Configuration.
  4. Select the checkbox for Forward Alerts to IM.
    The Reporting Engine now forwards the alerts to Incident Management.

For details on parameters in the General tab, see the Reporting Engine General Tab topic in the Reporting Engine Configuration Guide.

Configure Malware Analytics to View Alerts Triggered by Malware Analytics in Incident Management view

Viewing Incident Management alerts is a function of auditing in Malware Analysis. The procedure of enabling IM alerts is described in the (Optional) Configure Auditing on Malware Analysis Host topic in the Malware Analysis Configuration Guide.

Configure ECAT to View Alerts Triggered by ECAT in Incident Management View

This procedure is required to integrate ECAT with Security Analytics so that the ECAT alerts are picked up by the Incident Management component of Security Analytics and displayed in the Incident > Alerts view.

Note: The RSA ECAT Integration topic in the RSA ECAT Integration Guide provides an overview of ECAT integration capabilities in Security Analytics as well as detailed procedures for configuring integration of ECAT with Security Analytics via the Message Bus.

The diagram below represents the flow of ECAT alerts to the Incident Management queue of Security Analytics and its display in the Incident > Alerts view.

                       (Figure: ECAT_integration.png)

Configure ECAT to Display ECAT Alerts

To configure ECAT to display ECAT alerts in the Security Analytics user interface:

  1. In the ECAT User Interface, click Configure > Monitoring and External Components.

    The Monitoring and External Components dialog is displayed.

  2. Right-click anywhere on the dialog and select Add Component.

    The Add Component dialog is displayed.

  3. Provide the following information:

    • Select IM broker for the Component Type from the drop-down options.
    • Type a user name to identify the IM broker.
    • Type the Host DNS or IP address of the IM broker.
    • Type the Port number. The default port is 5671.
  4. Click Save and Close to close all the dialogs.
  5. To set up SSL for IM alerts, perform the following steps on ECAT to secure the SSL communications:

    a. On the ECAT primary console server, export the ECAT CA certificate in .cer format (Base-64 encoded X.509) from the Local Computer's personal certificate store (without selecting the private key).
    b. On the ECAT primary console server, generate a client certificate for ECAT using the ECAT CA certificate. (The CN name MUST be set to ecat.)

      makecert -pe -n "CN=ecat" -len 2048 -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -in "EcatCA" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -cy end -sy 12 client.cer

    c. On the ECAT primary console server, make a note of the thumbprint of the client certificate generated in step b. Enter the thumbprint value of the client certificate in the IMBrokerClientCertificateThumbprint setting of the ConsoleServer.Exe.Config file as shown.

      <add key="IMBrokerClientCertificateThumbprint" value="896df0efacf0c976d955d5300ba0073383c83abc"/>

    d. On the SA server, append the content of the ECAT CA certificate file in .cer format (from step a) to /etc/puppet/modules/rabbitmq/files/truststore.pem.
    e. On the SA server, run the puppet agent as shown (or wait 30 minutes for the SA server to run it).

      puppet agent -t

    f. On the ECAT primary console server, import the /var/lib/puppet/ssl/certs/ca.pem file from the SA server into the Trusted Root Certification Authorities store. This ensures that ECAT, as a client, can trust the IM server certificate.
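The thumbprint and truststore steps above fail silently when done by hand: a thumbprint pasted from the Windows certificate dialog usually carries an invisible leading character and spaces, and re-running the append step stacks duplicate copies of the ECAT CA in truststore.pem. The helper below, an added example that is not RSA's code, normalizes the thumbprint, writes it into ConsoleServer.Exe.Config, and appends the CA only if it is not already present. It assumes the config file uses the standard .NET appSettings layout and that the .cer export contains a single Base-64 certificate block; the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

THUMBPRINT_KEY = "IMBrokerClientCertificateThumbprint"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def normalize_thumbprint(raw):
    """Return a clean 40-hex-digit SHA-1 thumbprint or raise ValueError.
    Thumbprints pasted from the Windows certificate dialog often carry an
    invisible leading U+200E character and spaces between byte pairs; the
    config lookup fails on both, so keep only hex digits before validating."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(cleaned) != 40:
        raise ValueError("expected 40 hex digits, got %d in %r" % (len(cleaned), raw))
    return cleaned.lower()

def set_thumbprint(config_xml, raw_thumbprint):
    """Write the thumbprint into a ConsoleServer.Exe.Config document.
    Assumes the usual .NET <configuration><appSettings><add key= value=/> layout."""
    root = ET.fromstring(config_xml)
    settings = root.find("appSettings")
    if settings is None:
        settings = ET.SubElement(root, "appSettings")
    entry = next((e for e in settings.findall("add") if e.get("key") == THUMBPRINT_KEY), None)
    if entry is None:
        entry = ET.SubElement(settings, "add", key=THUMBPRINT_KEY)
    entry.set("value", normalize_thumbprint(raw_thumbprint))
    return ET.tostring(root, encoding="unicode")

def get_thumbprint(config_xml):
    """Read the configured thumbprint back, or None if the key is absent."""
    for e in ET.fromstring(config_xml).iter("add"):
        if e.get("key") == THUMBPRINT_KEY:
            return e.get("value")
    return None

def append_ca_if_missing(truststore_pem, ca_cer):
    """Append the Base-64 .cer content to truststore.pem only when that exact
    certificate is not already present, so re-running step d does not stack
    duplicates. Windows CRLF line endings are normalized and ignored in the compare."""
    blocks = PEM_RE.findall(ca_cer)
    if len(blocks) != 1:
        raise ValueError("expected exactly one PEM certificate in the .cer file")
    squash = lambda b: re.sub(r"\s+", "", b)
    if squash(blocks[0]) in {squash(b) for b in PEM_RE.findall(truststore_pem)}:
        return truststore_pem
    body = truststore_pem if not truststore_pem or truststore_pem.endswith("\n") else truststore_pem + "\n"
    return body + blocks[0].replace("\r\n", "\n") + "\n"

# Constructed sample inputs (not real certificates or a real ECAT config).
SAMPLE_CONFIG = '<configuration><appSettings><add key="Other" value="1"/></appSettings></configuration>'
SAMPLE_CA_CER = "-----BEGIN CERTIFICATE-----\r\nMIIBsampleEcatCA\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_TRUSTSTORE = "-----BEGIN CERTIFICATE-----\nMIIBsampleSAca\n-----END CERTIFICATE-----\n"
```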