Incident Management Config: Step 3: Configure Alert Sources to Display Alerts in Incident Management

Document created by RSA Information Design and Development on Jul 27, 2016. Last modified by RSA Information Design and Development on Jul 27, 2016.
Version 2

This topic provides information on how to configure alert sources like Reporting Engine, Malware Analytics, and ECAT to display the corresponding alerts in the Incidents > Alerts view.

This procedure is required so that alerts from the alert sources are displayed in Incident Management. You have an option to enable or disable the alerts being populated in the Incident Management view. By default this option is disabled in the Reporting Engine, Malware Analytics, and ECAT and enabled only in Event Stream Analysis. So when you install the Incident Management service you need to enable this option in the Reporting Engine, Malware Analytics, and ECAT to populate the corresponding alerts in the Incident Management view.


Ensure that you have the following:

  • The Incident Management service is installed and running on Security Analytics.
  • A database is configured for the incident management service.
  • ECAT is installed and running.

Configure Reporting Engine to Display Alerts Triggered by Reporting Engine in Incident Management View

By default, Reporting Engine alerts are not displayed in the Incident Management view. To display and view them, enable the IM alerts in the Services Config view > General tab for the Reporting Engine.

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Reporting Engine service.
  3. In the Actions column, select View > Config.
    The Services Config view is displayed with the Reporting Engine General tab open.
  4. Select System Configuration.
  5. Select the checkbox for Forward Alerts to IM.
    The Reporting Engine now forwards the alerts to Incident Management.

For details on parameters in the General tab, see Reporting Engine General Tab in the Reporting Engine Configuration Guide.

Configure Malware Analytics to View Alerts Triggered by Malware Analytics in Incident Management view

Viewing Incident Management alerts is a function of auditing in Malware Analysis. The procedure for enabling IM alerts is described in (Optional) Configure Auditing on Malware Analysis Host in the Malware Analysis Configuration Guide.

Configure ECAT to View Alerts Triggered by ECAT in Incident Management View

This procedure is required to integrate ECAT with Security Analytics so that the ECAT alerts are picked up by the Incident Management component of Security Analytics and displayed in the Incident > Alerts view.

Note: RSA ECAT Integration provides an overview of ECAT integration capabilities in Security Analytics as well as detailed procedures for configuring integration of ECAT with Security Analytics via the Message Bus.

The diagram below represents the flow of ECAT alerts to the Incident Management queue of Security Analytics and its display in the Incident > Alerts view.


Configure ECAT to Display ECAT Alerts

To configure ECAT to display ECAT alerts in the Security Analytics user interface:

  1. In the ECAT User Interface, click Configure > Monitoring and External Components.
    The Monitoring and External Components dialog is displayed.
  2. Right-click anywhere on the dialog and select Add Component.
    The Add Component dialog is displayed.
  3. Provide the following information:

    • Select IM broker for the Component Type from the drop-down options.
    • Type a user name to identify the IM broker.
    • Type the Host DNS or IP address of the IM broker.
    • Type the Port number. The default port is 5671.
  4. Click Save and Close to close all the dialogs.
  5. To set up SSL for IM Alerts, perform the following steps to configure the SSL communications:
    a. On the ECAT primary console server, export the ECAT CA certificate to .cer format (Base-64 encoded X.509) from the Local Computer's personal certificate store (without selecting the private key).

    b. On the ECAT primary console server, generate a client certificate for ECAT using the ECAT CA certificate. (The CN name MUST be set to ecat.)

      makecert -pe -n "CN=ecat" -len 2048 -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -in "EcatCA" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -cy end -sy 12 client.cer

    c. On the ECAT primary console server, make a note of the thumbprint of the client certificate generated in step b. Enter the thumbprint value of the client certificate in the IMBrokerClientCertificateThumbprint section of the ConsoleServer.Exe.Config file as shown.

      <add key="IMBrokerClientCertificateThumbprint" value="896df0efacf0c976d955d5300ba0073383c83abc"/>

    d. On the SA server, append the content of the ECAT CA certificate file in .cer format (from step a) to /etc/puppet/modules/rabbitmq/files/truststore.pem.

    e. On the SA server, run puppet agent as shown (or wait 30 minutes for the SA server to run it).
      puppet agent -t

    f. On the ECAT primary console server, import the /var/lib/puppet/ssl/certs/ca.pem file from the SA server to the Trusted Root Certification Authorities store. This ensures that ECAT, as a client, can trust the IM server certificate.
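
A pre-flight check for the thumbprint and truststore steps above, added here as an illustration and not part of RSA's documentation or tooling. It confirms that the configured thumbprint is the SHA-1 of the client certificate with no stray characters, and appends the exported CA certificate to the truststore only once and only when the file holds a single certificate. The function names, the appSettings layout of the sample config and the placeholder certificate bytes are assumptions.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]

def thumbprint(der):
    """Windows-style thumbprint: SHA-1 over the certificate's DER bytes."""
    return hashlib.sha1(der).hexdigest()

def check_config_thumbprint(config_xml, client_der):
    """Problems with the thumbprint in ConsoleServer.Exe.Config (empty = OK)."""
    node = ET.fromstring(config_xml).find(
        ".//add[@key='IMBrokerClientCertificateThumbprint']")
    if node is None:
        return ["key not present"]
    value, problems = node.get("value", ""), []
    stray = re.sub(r"[0-9A-Fa-f]", "", value)
    if stray:  # e.g. invisible U+200E copied along from the certificate dialog
        problems.append("non-hex characters in value: %r" % stray)
    if re.sub(r"[^0-9A-Fa-f]", "", value).lower() != thumbprint(client_der):
        problems.append("value is not the client certificate's thumbprint")
    return problems

def merge_ca(truststore_pem, ca_cer_text):
    """Append the exported CA certificate once; return (new_text, changed)."""
    blocks = pem_blocks(ca_cer_text)
    if len(blocks) != 1 or blocks[0][0] != "CERTIFICATE":
        raise ValueError("expected one CERTIFICATE block and no key material")
    known = {hashlib.sha256(der).digest() for _, der in pem_blocks(truststore_pem)}
    if hashlib.sha256(blocks[0][1]).digest() in known:
        return truststore_pem, False   # already trusted, nothing to append
    sep = "" if truststore_pem.endswith("\n") or not truststore_pem else "\n"
    return truststore_pem + sep + ca_cer_text.strip() + "\n", True

if __name__ == "__main__":
    # Constructed stand-ins: arbitrary bytes in place of real DER certificates.
    der = b"constructed placeholder, not a real certificate"
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
        base64.b64encode(der).decode())
    cfg = ('<configuration><appSettings><add key="IMBrokerClientCertificate'
           'Thumbprint" value="\u200e%s"/></appSettings></configuration>')
    print(check_config_thumbprint(cfg % thumbprint(der), der))
    print(merge_ca("", pem)[1], merge_ca(pem, pem)[1])
```

Run the checks against copies of ConsoleServer.Exe.Config and truststore.pem, then write the merged truststore back before the puppet agent run.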
