Context Hub: Configure RSA ECAT as a Data Source

Document created by RSA Information Design and Development on Jul 15, 2016. Last modified by Scott Marcus on Jul 20, 2016. Version 2.

This topic describes the procedure to configure ECAT as a data source for Context Hub. 

To use the Context Hub service to fetch contextual information from ECAT, you must configure ECAT as a data source for Context Hub. Use the procedures in this topic to add ECAT as a data source for Context Hub service and configure the responses (if required) for ECAT. 

Responses are the different types of context information that are available for a data source. The configuration of these responses for the ECAT source controls what appears in the Context Lookup panel displayed in Investigation views when a Context Lookup is performed. The types of responses for the ECAT data source are Machines, Modules, and InstantIOCs.

The responses for each data source are already configured with default values for optimal performance. You can view or edit the default values by using the procedure in this topic.

Prerequisites

Ensure that:

  • Context Hub is enabled and the service is available in Administration > Services view of Security Analytics.
  • RSA ECAT (v4.1.1 and above) is installed and configured.
    The RSA ECAT 4.1.1 documents provide detailed information about installing and configuring ECAT. Refer to the ECAT documents available at https://knowledge.rsasecurity.com.

Procedures


Add RSA ECAT Data Source

To add RSA ECAT as a data source for Context Hub:

  1. In the Security Analytics menu, select Administration > Services.
    The Services view is displayed.
  2. In the Services panel, select the Context Hub service, and ic-actns.png > View > Config.
    The Services Config view is displayed.
  3. In the Data Sources tab, click Icon.png > ECAT.
    The Add Data Source dialog is displayed.
    (Figure F-Add-ecat-ds.png: the Add Data Source dialog)
  4. Provide the following information:

    • Enable: Select Enable to enable the ECAT data source. This option is enabled by default (checked).
    • Name: Provide a name for the ECAT data source.
    • Host: Enter the hostname or IP address where the ECAT API server is installed.
    • Port: The default port is 9443.
    • API Version: The default API version (/api/v2) supports connection to ECAT 4.1.1 and above.
    • SSL: Select SSL if you want Security Analytics to communicate with the host using SSL. This is enabled by default.
    • Username: Enter the ECAT API Server username.
    • Password: Enter the ECAT API Server password.
    • Max. Concurrent Queries: The maximum number of concurrent queries that the Context Hub service runs against the configured data sources. The default value is 25.
  5. Click Test Connection to test the connection between Context Hub and the ECAT data source.
  6. Click Save to save the settings.
    ECAT is added as a data source for Context Hub. The added ECAT data source is displayed in the Data Sources tab.
    (Figure F-DS-tab.png: the Data Sources tab with the ECAT data source listed)
 

Change ECAT Admin Password

The API-Server Admin user assigns the roles and permissions to the new users. The admin user is not created by default at the time of installation.

The ECAT Admin username and password are as given below:

  • Username: admin
  • Password: This has to be set using the following command:
    ApiServer.exe /setadminpswd A_Strong_Password

After setting the password, restart the server.

For more information about the RSA ECAT REST API Server, refer to the ECAT documents available at https://knowledge.rsasecurity.com.

Configure Responses for ECAT Data Source

To view/edit responses for ECAT data source:

  1. In the Data Sources tab, select the ECAT source and click ic-actns2.png.
    The Configure ECAT Responses dialog is displayed.
    (Figure F-Conf-ecat-resp.png: the Configure ECAT Responses dialog)
  2. In the left panel, select each response (Machines, Modules, and InstantIOCs) to view and edit the settings.
  3. Configure the following fields:

    • Enable: This option is enabled by default (checked) and can be used to enable or disable the selected response.
    • Use Cache: Select the checkbox to enable response caching. When enabled, Context Hub stores the lookup results in cache. Subsequent requests for the same meta value are served from cache for the configured time (Cache Expiration).
    • Cache Expiration: The time (in minutes) that the lookup results are stored in cache after a Context Lookup is performed. The default value is 30 minutes.
    • Minimum IIOC Score (for Modules only): The minimum IIOC score for fetching contextual information of ECAT modules. Contextual information is fetched for ECAT modules whose IIOC score is greater than or equal to the configured minimum score. The IIOC score for ECAT modules ranges from 0 to 1024, where 1024 is considered critical. By default, the minimum IIOC score is set to 500.

  4. Click Save to save the changes.
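The following is an added example, not RSA's code, that models how the Modules response settings above interact: the inclusive Minimum IIOC Score filter, and the per-meta-value cache that serves repeat lookups until Cache Expiration (in minutes) elapses. The class and function names, the fake clock, and the sample module data are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

IIOC_MIN, IIOC_MAX = 0, 1024  # documented IIOC score range; 1024 is critical

@dataclass
class ModulesResponseConfig:
    """Fields of the Configure ECAT Responses dialog for the Modules response."""
    enabled: bool = True
    use_cache: bool = True
    cache_expiration_min: int = 30  # page default
    min_iioc_score: int = 500       # page default

class ModulesLookup:
    """Hypothetical lookup front-end: IIOC score filter, then per-meta-value cache."""
    def __init__(self, cfg: ModulesResponseConfig, fetch: Callable, now: Callable):
        if not IIOC_MIN <= cfg.min_iioc_score <= IIOC_MAX:
            raise ValueError(f"min IIOC score must be within {IIOC_MIN}..{IIOC_MAX}")
        self.cfg, self.fetch, self.now = cfg, fetch, now
        self.cache: Dict[str, Tuple[float, List[dict]]] = {}
        self.fetch_count = 0  # how often the ECAT API server was actually queried

    def lookup(self, meta_value: str) -> List[dict]:
        if not self.cfg.enabled:
            return []
        hit = self.cache.get(meta_value) if self.cfg.use_cache else None
        if hit and self.now() - hit[0] < self.cfg.cache_expiration_min * 60:
            return hit[1]  # still within Cache Expiration: served from cache
        self.fetch_count += 1
        # inclusive threshold: a module scoring exactly the minimum is kept
        result = [m for m in self.fetch(meta_value) if m["iioc_score"] >= self.cfg.min_iioc_score]
        if self.cfg.use_cache:
            self.cache[meta_value] = (self.now(), result)
        return result

def demo() -> dict:
    clock = [0.0]  # constructed fake clock, in seconds
    sample = {"host-01": [{"module": "a.dll", "iioc_score": 1024},  # constructed data
                          {"module": "b.dll", "iioc_score": 500},
                          {"module": "c.dll", "iioc_score": 499}]}
    lk = ModulesLookup(ModulesResponseConfig(), lambda v: sample.get(v, []), lambda: clock[0])
    first = lk.lookup("host-01")   # queried: 1024 and 500 pass, 499 is dropped
    clock[0] += 29 * 60
    second = lk.lookup("host-01")  # 29 min later: served from cache
    clock[0] += 2 * 60
    lk.lookup("host-01")           # 31 min after caching: expired, queried again
    return {"modules": [m["module"] for m in first], "second_cached": second is first,
            "fetches": lk.fetch_count}
```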

Next steps 

After completing the configuration, you can use the Context Lookup option in Investigate > Navigate view or Investigation > Events view to fetch contextual information. For instructions, see the View Additional Context for a Data Point topic in the Investigation and Malware Analysis Guide.
