ECAT: Configure ECAT to Receive RSA Live Feeds

Document created by RSA Information Design and Development on Jul 29, 2016. Last modified by Scott Marcus on Jul 12, 2017.
Version 3
 

ECAT 4.0 and later can be configured to receive feeds from RSA Live. Several feeds in RSA Live contain suspicious domains and IP addresses, and several Instant Indicators of Compromise (IOCs) defined within ECAT can use these feeds as a source of threat intelligence. None of the feeds are enabled by default in ECAT. When a feed is enabled, the ECAT Console Server connects to RSA Live (https://cms.netwitness.com) and periodically downloads feed data into the ECAT system.

Note: ECAT does not publish any feeds into RSA Live. It is only a consumer of feeds.

Note: The procedure to configure ECAT to receive RSA Live feeds is different for ECAT version 4.0 and ECAT version 4.1. We have included instructions for both versions.

Prerequisites

The following are required for this integration:

  • ECAT UI version 4.0 or later and Security Analytics Server version 10.5 installed.
  • An RSA Live account, for which you can get a username and password from RSA Support.
  • ECAT Console Server should be able to connect to https://cms.netwitness.com.
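
A pre-flight check for the connectivity prerequisite above, as an added example (not RSA code and not part of ECAT). Run in PowerShell on the ECAT Console Server, it resolves the RSA Live host, opens the TCP port and completes a TLS handshake with normal certificate validation, then reports the certificate issuer so that TLS inspection on the path is visible. The function name, the timeout, the forced TLS 1.2 setting and the direct (no proxy) connection are assumptions.

```powershell
# Added example, not RSA code. Defaults are the host and port named on this page.
function Test-RsaLiveReachability {
    param(
        [string]$LiveHost = 'cms.netwitness.com',
        [int]$Port = 443,
        [int]$TimeoutMs = 5000   # assumption: 5 s is long enough for your network
    )
    $r = [ordered]@{
        Host = $LiveHost; Port = $Port; Addresses = $null; TcpOpen = $false
        TlsValid = $false; Subject = $null; Issuer = $null; NotAfter = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $r.Addresses = ([System.Net.Dns]::GetHostAddresses($LiveHost) |
            ForEach-Object { $_.IPAddressToString }) -join ', '

        # Connect with a timeout so a firewall that silently drops packets does not hang the check.
        $pending = $client.BeginConnect($LiveHost, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${LiveHost}:$Port timed out after $TimeoutMs ms"
        }
        $client.EndConnect($pending)
        $r.TcpOpen = $true

        # No validation callback is supplied, so Windows performs its normal chain and
        # host-name checks; a failure throws and TlsValid stays $false.
        # Assumption: TLS 1.2 is forced here; this is not taken from ECAT's own settings.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($LiveHost, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.TlsValid = $true
        $r.Subject  = $cert.Subject
        $r.Issuer   = $cert.Issuer    # an unexpected issuer (e.g. an internal CA) suggests TLS inspection
        $r.NotAfter = $cert.NotAfter
    }
    catch { $r.Error = $_.Exception.Message }
    finally { $client.Close() }
    [pscustomobject]$r
}

# Direct connection only; a configured web proxy is not used by this check.
Test-RsaLiveReachability | Format-List
```

A result with TcpOpen true but TlsValid false points at certificate trust or TLS interception rather than a firewall block, which is worth resolving before entering the RSA Live credentials in ECAT.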

Enable or Disable Feeds

For ECAT version 4.0

  1. Open the ECAT user interface and log on using the proper credentials.
  2. From the menu bar at the top of the page, select Database > Import Checksums.
    The Import Checksum dialog is displayed.
  3. Select the RSA Live tab, and then the Settings sub-tab.
  4. Fill in the details of the RSA Live server and credentials.
    The host value is usually cms.netwitness.com.
    The port is usually 443.
  5. To validate connectivity, click Test Connection.
    A Passed message is displayed if all settings are correct.
  6. Click Apply.
  7. Select the Subscribed Feeds sub-tab.
    A list of all feeds is displayed.
  8. Select the feeds that you want ECAT to import from RSA Live.
  9. Enter an appropriate interval. The recommended time is 24 hours, which configures ECAT to connect to RSA Live every 24 hours to update the imported data.
  10. (Optional) Click Refresh Now to download the feeds right away.
  11. Click Save.

To view the status of imported known bad domains and IPs from various feeds, select the Status tab and select the feed. The number of entries per feed varies from a few hundred to several thousand.

For ECAT version 4.1

  1. Open the ECAT user interface and log on using the proper credentials.
  2. From the menu bar at the top of the page, select Configure > Monitoring and External Components.
    The External Components Configuration window is displayed. Select RSA Live and click +.
  3. The RSA Live dialog is displayed.
  4. Under RSA Live, in On, type a name to identify this component.
  5. In RSA Live Settings, do the following.
    1. In Username and Password, type the credentials to use for accessing this component.
    2. In Server Hostname/IP, the default value is cms.netwitness.com. Update the field if needed.
    3. In Port, the default port number is 443. Update the field if needed.
  6. In RSA Live Subscribed Feeds, do the following.
    1. In Refresh Interval, enter an appropriate interval. The recommended interval is 24 hours, which means that ECAT connects to RSA Live every 24 hours to update the imported data.
    2. Select the feeds for ECAT to import from RSA Live.
  7. Click Save.
    The RSA Live component is added to ECAT and the feeds are activated.
  8. To validate the connectivity, select the newly added component and then click Test Settings.
    If all settings are correct, a Passed message is displayed.

RSA Live Feeds for ECAT 4.0 and later

For more information about the feeds provided by RSA Live, see https://community.rsa.com/docs/DOC-76076. Some feeds may be discontinued within RSA Live. To check the list of discontinued feeds, see https://community.rsa.com/docs/DOC-57979.

 
