ECAT: Configure Alerts via Syslog into a Log Decoder

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1

This topic provides instructions for configuring the use of RSA ECAT data in Security Analytics to provide ECAT alerts via Syslog into Log Decoder sessions. This generates meta data that is used by Security Analytics Investigation, Alerts, and Reporting Engine.

For Security Analytics networks that are consuming logs, this integration of ECAT with Security Analytics pushes ECAT events to the Log Decoder via common event format (CEF) syslog messages and generates meta data that is used by Security Analytics Investigation, Alerts, and Reporting Engine. The use case for this integration is SIEM Integration to allow centralized event management, correlation of ECAT events with other Log Decoder data, Security Analytics reporting on ECAT events, and Security Analytics alerting of ECAT events.


The following are required for this integration:

  • ECAT UI version 4.0 or later.
  • Security Analytics Server version 10.4 or later installed.
  • RSA Log Decoder and Concentrator version 10.4 or later, connected to the Security Analytics Server on the network.
  • Port 514 open in the firewall from the ECAT server to the Log Decoder.

Perform the following steps to configure this integration:

  1. Deploy the required parser (CEF or ECAT) to the Log Decoder as described in Step 4: Manage Live Resources in the Live Resource Management Guide.

Note: Use only one of these parsers. When the CEF parser is deployed, it supersedes the ECAT parser, and all CEF messages arriving in Security Analytics are processed by the CEF parser. Enabling both parsers places an unnecessary burden on performance.

  2. Configure ECAT to send syslog output to Security Analytics and generate ECAT alerts to the Log Decoder.
  3. (Optional) Edit the table mapping in table-map-custom.xml and index-concentrator-custom.xml to add fields, based on user preference, for the metadata to be mapped into Security Analytics.

Configure ECAT to Send Syslog Output to Security Analytics

To add the Log Decoder as a Syslog external component and generate ECAT alerts to the Log Decoder:

For ECAT version 4.0

  1. Open the ECAT user interface and log on using the proper credentials.
  2. From the menu bar select Configure > Monitoring and External Components.
  3. Right-click in the dialog box, and then select Add Component. In the dialog box, complete the fields required to enable Syslog messaging:
    Component Type = Syslog
    Unique Name = A descriptive name for the Log Decoder
    IP = The IP address of the RSA Log Decoder
    Port = 514
  4. Click Settings.
  5. In the Configure Syslog dialog box, select UDP or TCP as appropriate for your syslog server for the transport protocol.
  6. Click Save twice, to close the dialog boxes.
  7. Click the Enable check box to enable the component.
  8. Click Close to finish.
  9. Click Instant IOCs and change the settings to make them alertable.

    When the instant IOCs are triggered, Syslog alerts from the ECAT server are sent to the Log Decoder. Log Decoder alerts are then aggregated to the Concentrator. These events are injected into the Concentrator as metadata.

For ECAT version 4.1

  1. Open the ECAT user interface and log on using the proper credentials.
  2. From the menu bar select Configure > Monitoring and External Components.
    The External Components Configuration dialog is displayed.
  3. In SYSLOG Server, click +.
    The SYSLOG Server dialog is displayed.
  4. Complete the fields required to enable Syslog messaging:
    On = A descriptive name for the Log Decoder
    Server Hostname/IP = The DNS hostname or IP address of the RSA Log Decoder
    Port = 514
    Transport Protocol = UDP or TCP, as appropriate for your syslog server
  5. Click Save.
  6. Click Instant IOCs and change the settings to make them alertable.
    When the instant IOCs are triggered, Syslog alerts from the ECAT server are sent to the Log Decoder. Log Decoder alerts are then aggregated to the Concentrator. These events are injected into the Concentrator as metadata.

Edit the Table Mapping in table-map-custom.xml

In the default RSA table-map.xml provided by RSA, the meta keys in the table-map.xml file are set to Transient. In order to view the meta keys in Investigation, the keys must be set to None. To make changes to the mapping, you need to create a copy of the file, named table-map-custom.xml, on the Log Decoder and set the meta keys to None.

This is the list of meta keys in table-map.xml.

ECAT Fields                   Security Analytics Mapping   Transient in Security Analytics
CEF Header Hostname Field     alias.host                   No
CEF Header Product Version    version                      Yes
CEF Header Product Name       Product                      Yes
CEF Header Severity           severity                     Yes
CEF Header Signature ID       event.type                   No
CEF Header Signature Name     event.desc                   No
Raw Message                   msg                          Yes
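The following script is an added example (not ECAT or Security Analytics code) for checking the path described above end to end: it builds a CEF message in an RFC 3164 syslog envelope, can send it to the Log Decoder on port 514 over UDP or TCP (the same choices as in the ECAT Syslog component dialog), and parses such a line back into the meta keys listed in the table. The vendor, product, signature ID and extension fields are constructed placeholders, not real ECAT values, and the mapping of CEF header fields to meta keys is taken from the table rather than from the Log Decoder's CEF parser itself.

```python
"""Round-trip check for the ECAT -> Log Decoder CEF syslog path (added example, not RSA code).

Builds a CEF message inside an RFC 3164 syslog envelope, optionally sends it to a Log
Decoder over UDP or TCP on port 514, and parses such a line back into the Security
Analytics meta keys from the table-map.xml table. All field values are constructed.
"""
import re
import socket
from datetime import datetime, timezone

# Position in the CEF header -> Security Analytics meta key (from the document's table;
# the table spells the product key "Product", the index file spells it "product").
HEADER_META = {2: "product", 3: "version", 4: "event.type", 5: "event.desc", 6: "severity"}
# Keys the stock table-map.xml flags Transient: not persisted as meta until
# table-map-custom.xml sets flags="None", so they never reach Investigation.
TRANSIENT_BY_DEFAULT = {"product", "version", "severity", "msg"}


def _esc_header(value):
    """CEF header fields escape the backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """CEF extension values escape the backslash, '=' and newlines."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def build_cef(vendor, product, version, sig_id, name, severity, extensions):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(_esc_header(v) for v in (vendor, product, version, sig_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extensions.items())
    return f"CEF:0|{header}|{ext}"


def build_syslog(hostname, cef, facility=1, level=5, when=None):
    """Wrap a CEF line in an RFC 3164 envelope: <PRI>Mmm dd HH:MM:SS host CEF:..."""
    when = when or datetime.now(timezone.utc)
    pri = facility * 8 + level
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {cef}"


def send_syslog(line, decoder_ip, port=514, transport="UDP"):
    """Send one message using the transport chosen in the ECAT Syslog component dialog."""
    data = line.encode("utf-8")
    if transport.upper() == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (decoder_ip, port))
    else:
        with socket.create_connection((decoder_ip, port), timeout=5) as s:
            s.sendall(data + b"\n")  # TCP syslog is newline-framed


def split_cef(cef):
    """Split the seven pipe-delimited header fields, honouring \\| escapes; the rest is the extension."""
    if not cef.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, cur, i = [], [], 4
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            cur.append(cef[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, cef[i:]


def parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict, unescaping \\= \\\\ and \\n."""
    out = {}
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda x: "\n" if x.group(1) == "n" else x.group(1), raw)
    return out


def syslog_to_meta(line):
    """Map one syslog/CEF line to (meta keys per the table, parsed extension fields)."""
    m = re.match(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (CEF:.*)$", line, re.S)
    if not m:
        raise ValueError("not an RFC 3164 syslog line carrying CEF")
    _, _, host, cef = m.groups()
    fields, ext = split_cef(cef)
    meta = {"alias.host": host, "msg": cef}
    for pos, key in HEADER_META.items():
        meta[key] = fields[pos]
    return meta, parse_extension(ext)


def investigation_visible(meta, custom_none_flags=()):
    """Keys an analyst would see in Investigation, given which keys table-map-custom.xml set to None."""
    return {k for k in meta if k not in TRANSIENT_BY_DEFAULT or k in custom_none_flags}


if __name__ == "__main__":
    # Constructed sample event; replace the placeholder IP and uncomment send_syslog to test a real path.
    cef = build_cef("ExampleVendor", "ExampleEDR", "4.1", "1001", "Instant IOC: suspicious|module", "7",
                    {"dhost": "WKS-01", "cs1Label": "TargetModule", "cs1": "C:\\tools\\a.dll"})
    line = build_syslog("ecat-server", cef)
    meta, ext = syslog_to_meta(line)
    print(line); print(meta); print(ext)
    print("visible by default:", sorted(investigation_visible(meta)))
    # send_syslog(line, "LOG_DECODER_IP_PLACEHOLDER", 514, "UDP")
```

Running the script with a real Log Decoder address and then searching the Concentrator for the alias.host and event.desc values is a quick way to confirm that the parser deployed in step 1 is the one actually handling the messages; if only the non-transient keys show up, the table-map-custom.xml step has not taken effect yet.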

These seven keys are not in table-map.xml; to use these keys in Security Analytics you need to add them to table-map-custom.xml, and set the flags to None.

ECAT Fields      Security Analytics Mapping   Transient in Security Analytics
Target module    cs.targetmodule              Yes
YARA result      cs.yararesult                Yes
Source module    cs.sourcemodule              Yes

Here are the entries to be added to the table-map-custom.xml if required.

<mapping envisionName="cs_bit9status" nwName="cs.bit9status" flags="None" envisionDisplayName="Bit9Status"/>
<mapping envisionName="cs_modulescore" nwName="cs.modulescore" format="Int32" flags="None" envisionDisplayName="ModuleScore"/>
<mapping envisionName="cs_modulesign" nwName="cs.modulesign" flags="None" envisionDisplayName="ModuleSignature"/>
<mapping envisionName="cs_opswatresult" nwName="cs.opswatresult" flags="None" envisionDisplayName="OpswatResult"/>
<mapping envisionName="cs_sourcemodule" nwName="cs.sourcemodule" flags="None" envisionDisplayName="SourceModule"/>
<mapping envisionName="cs_targetmodule" nwName="cs.targetmodule" flags="None" envisionDisplayName="TargetModule"/>
<mapping envisionName="cs_yararesult" nwName="cs.yararesult" flags="None" envisionDisplayName="YaraResult"/>

Note: Restart the Log Decoder or reload the log parsers for the changes to take effect.

Configure the Security Analytics Concentrator Service

  1. Log on to Security Analytics and navigate to Administration > Services.
  2. Select a concentrator from the list, and select View > Config.
  3. Select the Files tab, and from the Files to Edit pull-down menu, select index-concentrator-custom.xml.
  4. Add the ECAT meta keys to the file and click Apply. Check whether the file already contains these <key> entries, and add any that are missing.
  5. Restart the Concentrator.
  6. To add the Concentrator as a data source in the Reporting Engine, in the Administration > Services view select the Reporting Engine, then View > Config > Sources.
    ECAT meta is populated in Reporting Engine, and you can run reports by selecting the appropriate meta keys.


Note: The following lines are examples; make sure the values match your configuration and the column names you included in the feed definition, where:
description is the name of the meta key you want to display in Security Analytics Investigation.
level is "IndexValues"
name is the ECAT meta key name from the table below

<key description="Product" format="Text" level="IndexValues" name="product" valueMax="250000" defaultAction="Open"/>
<key description="Severity" format="Text" level="IndexValues" name="severity" valueMax="250000" defaultAction="Open"/>
<key description="Destination Dns Domain" format="Text" level="IndexValues" name="ddomain" valueMax="250000" defaultAction="Open"/>
<key description="Domain" format="Text" level="IndexValues" name="domain" valueMax="250000" defaultAction="Open"/>
<key description="Destination Host" format="Text" level="IndexValues" name="host.dst" valueMax="250000" defaultAction="Open"/>
<key description="End Time" format="TimeT" level="IndexValues" name="endtime" valueMax="250000" defaultAction="Open"/>
<key description="Checksum" format="Text" level="IndexValues" name="checksum" valueMax="250000" defaultAction="Open"/>
<key description="Filename Size" format="Int64" level="IndexValues" name="filename.size" valueMax="250000" defaultAction="Open"/>
<key description="Gateway" format="Text" level="IndexValues" name="gateway" valueMax="250000" defaultAction="Open"/>
<key description="Distinguished Name" format="Text" level="IndexValues" name="dn" valueMax="250000" defaultAction="Open"/>
<key description="Risk Number" format="Float64" level="IndexValues" name="risk.num" valueMax="250000" defaultAction="Open"/>
<key description="Bit9Status" format="Text" level="IndexValues" name="cs.bit9status" valueMax="250000" defaultAction="Open"/>
<key description="Module Score" format="Text" level="IndexValues" name="cs.modulescore" valueMax="250000" defaultAction="Open"/>
<key description="Module Sign" format="Text" level="IndexValues" name="cs.modulesign" valueMax="250000" defaultAction="Open"/>
<key description="opswat result" format="Text" level="IndexValues" name="cs.opswatresult" valueMax="250000" defaultAction="Open"/>
<key description="source module" format="Text" level="IndexValues" name="cs.sourcemodule" valueMax="250000" defaultAction="Open"/>
<key description="Target Module" format="Text" level="IndexValues" name="cs.targetmodule" valueMax="250000" defaultAction="Open"/>
<key description="yara result" format="Text" level="IndexValues" name="cs.yararesult" valueMax="250000" defaultAction="Open"/>
<key description="Protocol" format="Text" level="IndexValues" name="protocol" valueMax="250000" defaultAction="Open"/>
<key description="Event Time" format="TimeT" level="IndexValues" name="event.time" valueMax="250000" defaultAction="Open"/>
<key description="Source Host" format="Text" level="IndexValues" name="host.src" valueMax="250000" defaultAction="Open"/>
<key description="Start Time" format="TimeT" level="IndexValues" name="starttime" valueMax="250000" defaultAction="Open"/>
<key description="Timezone" format="Text" level="IndexValues" name="timezone" valueMax="250000" defaultAction="Open"/>
<key description="Received Bytes" format="UInt64" level="IndexValues" name="rbytes" valueMax="250000" defaultAction="Open"/>
<key description="Agent User" format="Text" level="IndexValues" name="user.agent" valueMax="250000" defaultAction="Open"/>
<key description="Source Bytes" format="UInt64" level="IndexValues" name="bytes.src" valueMax="250000" defaultAction="Open"/>
<key description="Strans Address" format="Text" level="IndexValues" name="stransaddr" valueMax="250000" defaultAction="Open"/>
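Because a key that is still flagged Transient in table-map-custom.xml, or that has no matching <key> entry in index-concentrator-custom.xml, simply never appears in Investigation or Reporting, it is worth checking the two files against each other after editing them. The script below is an added example (not RSA code) that does this for the <mapping> entries and <key> entries shown above: it reports keys not set to flags="None", keys without an index entry, keys indexed at a level other than IndexValues, and format disagreements between the two files (for instance cs.modulescore, which the mapping above declares as Int32 and the index entry as Text), and it can emit <key> lines for any mapped key the index lacks. The sample documents are constructed from the entries in this topic, and the <mappings> and <language> root elements wrapping them are assumptions about the real files; the functions only look for <mapping> and <key> elements, wherever they sit.

```python
"""Consistency check between table-map-custom.xml and index-concentrator-custom.xml
(added example, not RSA code). Sample inputs are constructed from this topic's entries."""
import xml.etree.ElementTree as ET

# Constructed sample: one key still Transient, one with no index entry (root element assumed).
SAMPLE_TABLE_MAP = """<mappings>
<mapping envisionName="cs_bit9status" nwName="cs.bit9status" flags="None" envisionDisplayName="Bit9Status"/>
<mapping envisionName="cs_modulescore" nwName="cs.modulescore" format="Int32" flags="None" envisionDisplayName="ModuleScore"/>
<mapping envisionName="cs_yararesult" nwName="cs.yararesult" flags="Transient" envisionDisplayName="YaraResult"/>
<mapping envisionName="cs_opswatresult" nwName="cs.opswatresult" flags="None" envisionDisplayName="OpswatResult"/>
</mappings>"""

# Constructed sample index: cs.yararesult indexed at the wrong level, cs.opswatresult missing.
SAMPLE_INDEX = """<language>
<key description="Bit9Status" format="Text" level="IndexValues" name="cs.bit9status" valueMax="250000" defaultAction="Open"/>
<key description="Module Score" format="Text" level="IndexValues" name="cs.modulescore" valueMax="250000" defaultAction="Open"/>
<key description="yara result" format="Text" level="IndexKeys" name="cs.yararesult" valueMax="250000" defaultAction="Open"/>
</language>"""


def load_mappings(xml_text):
    """nwName -> flags/format/display name for every <mapping> element in the document."""
    root = ET.fromstring(xml_text)
    return {
        m.get("nwName"): {
            "flags": m.get("flags", ""),
            "format": m.get("format", "Text"),  # a mapping without format is treated as Text (assumption)
            "display": m.get("envisionDisplayName", m.get("nwName")),
        }
        for m in root.iter("mapping")
    }


def load_index_keys(xml_text):
    """name -> format/level for every <key> element in the Concentrator index file."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): {"format": k.get("format"), "level": k.get("level")} for k in root.iter("key")}


def check(mappings, index_keys):
    """Return (meta key, problem) pairs; an empty list means every mapped key should be visible."""
    findings = []
    for name, m in sorted(mappings.items()):
        if m["flags"] != "None":
            findings.append((name, f'flags="{m["flags"]}": key is not persisted, set flags="None"'))
        k = index_keys.get(name)
        if k is None:
            findings.append((name, "no <key> entry in index-concentrator-custom.xml"))
            continue
        if k["level"] != "IndexValues":
            findings.append((name, f'level="{k["level"]}": values are not searchable, use IndexValues'))
        if k["format"] != m["format"]:
            findings.append((name, f'format mismatch: mapping {m["format"]} vs index {k["format"]}'))
    return findings


def render_missing_keys(mappings, index_keys, value_max=250000):
    """Emit <key> lines, in the style of the entries above, for mapped keys the index lacks."""
    lines = []
    for name, m in sorted(mappings.items()):
        if name not in index_keys:
            lines.append(
                f'<key description="{m["display"]}" format="{m["format"]}" level="IndexValues" '
                f'name="{name}" valueMax="{value_max}" defaultAction="Open"/>'
            )
    return lines


if __name__ == "__main__":
    # Replace the samples with open(...).read() of the real files on the Log Decoder and Concentrator.
    mappings, index_keys = load_mappings(SAMPLE_TABLE_MAP), load_index_keys(SAMPLE_INDEX)
    for name, problem in check(mappings, index_keys):
        print(f"{name}: {problem}")
    for line in render_missing_keys(mappings, index_keys):
        print("add to index-concentrator-custom.xml:", line)
```

Run it against the real files before restarting the Log Decoder and Concentrator; an empty findings list means the keys are persisted and indexed, and the generated <key> lines can be pasted into index-concentrator-custom.xml in step 4 above.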

ECAT Meta Keys

These are the ECAT meta key names and descriptions used in the sample index file.

Security Analytics Meta Key Name   Use                                                      ECAT Meta Key (name)
MachineName                        Host name of the Windows
LocalIp                            IPv4 address                                             index
RemoteIp                           Far end IP as seen by the router                         stransaddr
GatewayIp                          Gateway IP                                               gateway
MacAddress                         MAC address                                              eth.src
OperatingSystem                    Operating system used by the Windows agent               OS
AgentID                            Agent ID of the host (unique ID assigned to the agent)   client
ConnectionUTCTime                  Last time when agent connected to ECAT server            ecat.ctime
Source Domain                      Domain                                                   domain.src
ScanUTC time                       Last time when the agent was scanned                     ecat.stime
Machine Score                      Score of the agent indicating the suspicious level       risk.num


Analysts can:

  • Create Security Analytics alerts based on ECAT events by configuring ECAT events as an enrichment source.
  • Create ESA rules using ECAT meta as described in the Add Rules to the Rules Library topic in the Alerting Using ESA Guide.
  • Report on ECAT events using ECAT meta as described in the Rule Overview topic in the Reporting Guide.
  • View ECAT alerts in Incident Management as described in the Alert View topic in the Reporting Guide.
  • View ECAT meta keys in Investigation along with the standard SA core meta keys as described in the Conduct an Investigation topic in the Investigation and Malware Analysis Guide.