Configure ECAT Alerts via Syslog into a Log Decoder

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Feb 6, 2017. Version 4.

This topic provides instructions for configuring RSA ECAT to deliver ECAT alerts to Security Analytics as syslog messages that a Log Decoder parses into sessions. The resulting meta data is used by Security Analytics Investigation, Alerts, and Reporting Engine.

For Security Analytics networks that consume logs, this integration pushes ECAT events to the Log Decoder as Common Event Format (CEF) syslog messages. The use case is SIEM integration: centralized event management, correlation of ECAT events with other Log Decoder data, Security Analytics reporting on ECAT events, and Security Analytics alerting on ECAT events.

Prerequisites

The following are required for this integration:

  • Version 4.0 or later ECAT UI
  • Security Analytics Server Version 10.4 or above is installed.
  • Version 10.4 or later RSA Log Decoder and Concentrator connected to the Security Analytics Server in the network.
  • Port 514 open from ECAT server to Log Decoder in the firewall.

Procedure

Perform the following steps to configure this integration:

  1. Deploy the required parser (CEF or ECAT) to the Log Decoder as described in the Manage Live Resources topic in Live Services Management. After you deploy the parser, make sure the parser is enabled. For more information, see Services Config View - General Tab.

Note: Use only one of these parsers. When the CEF parser is deployed, it supersedes the ECAT parser, and all CEF messages into Security Analytics are processed by the CEF parser. Enabling both parsers is an unnecessary burden on performance.

  2. Configure ECAT to send syslog output to Security Analytics and generate ECAT alerts to the Log Decoder.
  3. (Optional) Edit the table mapping in table-map-custom.xml and index-concentrator-custom.xml to add fields, based on your preferences for which metadata is mapped into Security Analytics.

Configure ECAT to Send Syslog Output to Security Analytics

To add the Log Decoder as a Syslog external component and generate ECAT alerts to the Log Decoder:

For ECAT version 4.0

  1. Open the ECAT user interface and log on using the proper credentials.
  2. From the menu bar select Configure > Monitoring and External Components.
  3. Right-click in the dialog box, and then select Add Component. In the dialog box, complete the fields required to enable Syslog messaging:

    Component Type = Syslog
    Unique Name = A descriptive name for the Log Decoder
    IP = The IP address of the RSA Log Decoder
    Port = 514

  4. Click Settings.
  5. In the Configure Syslog dialog box, select UDP or TCP as the transport protocol, as appropriate for your syslog server.
  6. Click Save twice, to close the dialog boxes.
  7. Click the Enable check box to enable the component.
  8. Click Close to finish.

  9. Click Instant IOCs and change the settings to make them alertable.

When the instant IOCs are triggered, Syslog alerts from the ECAT server are sent to the Log Decoder. Log Decoder alerts are then aggregated to the Concentrator. These events are injected into the Concentrator as metadata.

For ECAT version 4.1

  1. Open the ECAT user interface and log on using the proper credentials.
  2. From the menu bar select Configure > Monitoring and External Components.

    The External Components Configuration dialog is displayed.

  3. In SYSLOG Server, click +.

    The SYSLOG Server dialog is displayed.

    [Figure: SYSLOG Server dialog (syslog-svr.png)]

  4. Complete the fields required to enable Syslog messaging:

    On = A descriptive name for the Log Decoder
    Server Hostname/IP = The DNS hostname or IP address of the RSA Log Decoder
    Port = 514
    Transport Protocol = Select UDP or TCP as the transport protocol, as appropriate for your syslog server.

  5. Click Save.
  6. Click Instant IOCs and change the settings to make them alertable.

    [Figure: Instant IOCs settings (instant-iocs-ecat.png)]

When the instant IOCs are triggered, Syslog alerts from the ECAT server are sent to the Log Decoder. Log Decoder alerts are then aggregated to the Concentrator. These events are injected into the Concentrator as metadata.

Edit the Table Mapping in table-map-custom.xml

In the default table-map.xml provided by RSA, a number of the ECAT meta keys are set to Transient (see the Transient column in the table below). In order to view a meta key in Investigation, its flag must be set to None. To change a mapping, add the entry to table-map-custom.xml on the Log Decoder.

This is the list of meta keys in table-map.xml.

ECAT Field                    Security Analytics Mapping   Transient in Security Analytics
----------------------------  ---------------------------  -------------------------------
agentid                       client                       No
CEF Header Hostname Field     alias.host                   No
CEF Header Product Version    version                      Yes
CEF Header Product Name       product                      Yes
CEF Header Severity           severity                     Yes
CEF Header Signature ID       event.type                   No
CEF Header Signature Name     event.desc                   No
destinationDnsDomain          ddomain                      Yes
deviceDnsDomain               domain                       Yes
dhost                         host.dst                     No
dst                           ip.dst                       No
end                           endtime                      Yes
fileHash                      checksum                     Yes
fname                         filename                     No
fsize                         filename.size                Yes
gatewayip                     gateway                      Yes
instantIOCLevel               threat.desc                  No
instantIOCName                threat.category              No
machineOU                     dn                           Yes
machineScore                  risk.num                     No
md5sum                        checksum                     Yes
os                            OS                           Yes
port                          ip.dstport                   No
protocol                      protocol                     Yes
Raw Message                   msg                          Yes
remoteip                      stransaddr                   Yes
rt                            alias.host                   No
sha256sum                     checksum                     Yes
shost                         host.src                     No
smac                          eth.src                      Yes
src                           ip.src                       No
start                         starttime                    Yes
suser                         user.dst                     No
timezone                      timezone                     Yes
totalreceived                 rbytes                       Yes
totalsent                     bytes.src                    No
useragent                     user.agent                   Yes
userOU                        org                          Yes

These seven keys are not in table-map.xml; to use these keys in Security Analytics you need to add them to table-map-custom.xml, and set the flags to None.

ECAT Field                    Security Analytics Mapping   Transient in Security Analytics
----------------------------  ---------------------------  -------------------------------
moduleScore                   cs.modulescore               Yes
moduleSignature               cs.modulesign                Yes
Target module                 cs.targetmodule              Yes
YARA result                   cs.yararesult                Yes
Source module                 cs.sourcemodule              Yes
OPSWATResult                  cs.opswatresult              Yes
ReputationResult              cs.represult                 Yes

Here are the entries to be added to the table-map-custom.xml if required.

<mapping envisionName="cs_represult" nwName="cs.represult" flags="None" envisionDisplayName="ReputationResult"/>
<mapping envisionName="cs_modulescore" nwName="cs.modulescore" format="Int32" flags="None" envisionDisplayName="ModuleScore"/>
<mapping envisionName="cs_modulesign" nwName="cs.modulesign" flags="None" envisionDisplayName="ModuleSignature"/>
<mapping envisionName="cs_opswatresult" nwName="cs.opswatresult" flags="None" envisionDisplayName="OpswatResult"/>
<mapping envisionName="cs_sourcemodule" nwName="cs.sourcemodule" flags="None" envisionDisplayName="SourceModule"/>
<mapping envisionName="cs_targetmodule" nwName="cs.targetmodule" flags="None" envisionDisplayName="TargetModule"/>
<mapping envisionName="cs_yararesult" nwName="cs.yararesult" flags="None" envisionDisplayName="YaraResult"/>

Note: Restart the Log Decoder or reload the log parsers for the changes to take effect.
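To make the mapping tables concrete, here is an added example (not from the RSA documentation) that parses a constructed CEF syslog line, applies a subset of the mapping tables above, and reports which of the resulting meta keys stay Transient (and therefore invisible in Investigation) unless table-map-custom.xml overrides them with flags="None". The sample line, the function names and the assumption that the CEF header carries vendor, product, version, signature ID, name and severity in that order are mine; the exact extension keys ECAT emits are not shown on this page.

```python
import re

# Subset of the mapping table above: CEF extension key -> (meta key, Transient in table-map.xml)
ECAT_MAP = {
    "agentid": ("client", False), "dhost": ("host.dst", False), "dst": ("ip.dst", False),
    "shost": ("host.src", False), "src": ("ip.src", False), "fname": ("filename", False),
    "fsize": ("filename.size", True), "fileHash": ("checksum", True), "md5sum": ("checksum", True),
    "sha256sum": ("checksum", True), "instantIOCName": ("threat.category", False),
    "instantIOCLevel": ("threat.desc", False), "machineScore": ("risk.num", False),
    "suser": ("user.dst", False),
}
# Keys from the second table are absent from table-map.xml, so they yield no meta at all
# until table-map-custom.xml maps them with flags="None".
CUSTOM_ONLY = {"moduleScore": "cs.modulescore", "moduleSignature": "cs.modulesign",
               "OPSWATResult": "cs.opswatresult", "ReputationResult": "cs.represult"}
# Constructed sample; the keys and header values real ECAT output uses are not shown on this page.
SAMPLE = ("CEF:0|RSA|ECAT|4.1.0|1001|Instant IOC triggered|8|"
          "dhost=WKS-042 dst=10.0.0.42 fname=svchost.exe fileHash=0123456789abcdef0123456789abcdef "
          "instantIOCName=Suspicious autorun instantIOCLevel=High machineScore=87 suser=jdoe moduleScore=42")

def parse_cef(line):
    """Split a CEF line into its six header fields and an extension dict."""
    parts = re.split(r"(?<!\\)\|", line[line.index("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    # Extension values may contain spaces, so each value runs up to the next 'key=' token.
    ext = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    return parts[1:7], ext

def cef_to_meta(line, custom_none=frozenset()):
    """Return (meta, hidden). meta: meta key -> values the Log Decoder would generate.
    hidden: keys that stay Transient (not visible in Investigation) unless custom_none
    names them as overridden to flags="None" in table-map-custom.xml."""
    (_vendor, product, version, sig_id, name, severity), ext = parse_cef(line)
    meta = {"product": [product], "version": [version], "event.type": [sig_id],
            "event.desc": [name], "severity": [severity]}
    transient = {"product", "version", "severity"}  # per the "CEF Header" rows above
    for key, value in ext.items():
        if key in CUSTOM_ONLY:
            if CUSTOM_ONLY[key] in custom_none:
                meta.setdefault(CUSTOM_ONLY[key], []).append(value)
            continue
        if key not in ECAT_MAP:
            continue  # unmapped extension keys generate no meta
        nw, is_transient = ECAT_MAP[key]
        meta.setdefault(nw, []).append(value)
        if is_transient:
            transient.add(nw)
    return meta, sorted(transient - set(custom_none))
```

Running cef_to_meta(SAMPLE) shows that the file hash lands in checksum but stays hidden, while cs.modulescore is not generated at all until it is passed in custom_none.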

Configure the Security Analytics Concentrator Service

  1. Log on to Security Analytics and navigate to Administration > Services.
  2. Select a concentrator from the list, and select View > Config.
  3. Select the Files tab, and from the Files to Edit pull-down menu, select index-concentrator-custom.xml.
  4. Add the ECAT meta keys to the file and click Apply. The keys go inside the file's <language> element; if that element is not already present, add it together with the keys.
  5. Restart the Concentrator.
  6. To add the Concentrator as a data source in the Reporting Engine, in the Administration > Services view, select the Reporting Engine and then select View > Config > Sources.
    ECAT meta is then populated in Reporting Engine, and you can run reports by selecting the appropriate meta keys.

Example

Note: The following lines are examples; make sure the values match your configuration and the column names you included in the feed definition, where:

  • description is the name under which the meta key is displayed in Security Analytics Investigation.
  • level is "IndexValues".
  • name is the Security Analytics meta key name from the mapping tables above.

<language>
<key description="Product" format="Text" level="IndexValues" name="product" valueMax="250000" defaultAction="Open"/>
<key description="Severity" format="Text" level="IndexValues" name="severity" valueMax="250000" defaultAction="Open"/>
<key description="Destination Dns Domain" format="Text" level="IndexValues" name="ddomain" valueMax="250000" defaultAction="Open"/>
<key description="Domain" format="Text" level="IndexValues" name="domain" valueMax="250000" defaultAction="Open"/>
<key description="Destination Host" format="Text" level="IndexValues" name="host.dst" valueMax="250000" defaultAction="Open"/>
<key description="End Time" format="TimeT" level="IndexValues" name="endtime" valueMax="250000" defaultAction="Open"/>
<key description="Checksum" format="Text" level="IndexValues" name="checksum" valueMax="250000" defaultAction="Open"/>
<key description="Filename Size" format="Int64" level="IndexValues" name="filename.size" valueMax="250000" defaultAction="Open"/>
<key description="Gateway" format="Text" level="IndexValues" name="gateway" valueMax="250000" defaultAction="Open"/>
<key description="Distinguished Name" format="Text" level="IndexValues" name="dn" valueMax="250000" defaultAction="Open"/>
<key description="Risk Number" format="Float64" level="IndexValues" name="risk.num" valueMax="250000" defaultAction="Open"/>
<key description="ReputationResult" format="Text" level="IndexValues" name="cs.represult" valueMax="250000" defaultAction="Open"/>
<key description="Module Score" format="Text" level="IndexValues" name="cs.modulescore" valueMax="250000" defaultAction="Open"/>
<key description="Module Sign" format="Text" level="IndexValues" name="cs.modulesign" valueMax="250000" defaultAction="Open"/>
<key description="opswat result" format="Text" level="IndexValues" name="cs.opswatresult" valueMax="250000" defaultAction="Open"/>
<key description="source module" format="Text" level="IndexValues" name="cs.sourcemodule" valueMax="250000" defaultAction="Open"/>
<key description="Target Module" format="Text" level="IndexValues" name="cs.targetmodule" valueMax="250000" defaultAction="Open"/>
<key description="yara result" format="Text" level="IndexValues" name="cs.yararesult" valueMax="250000" defaultAction="Open"/>
<key description="Protocol" format="Text" level="IndexValues" name="protocol" valueMax="250000" defaultAction="Open"/>
<key description="Event Time" format="TimeT" level="IndexValues" name="event.time" valueMax="250000" defaultAction="Open"/>
<key description="Source Host" format="Text" level="IndexValues" name="host.src" valueMax="250000" defaultAction="Open"/>
<key description="Start Time" format="TimeT" level="IndexValues" name="starttime" valueMax="250000" defaultAction="Open"/>
<key description="Timezone" format="Text" level="IndexValues" name="timezone" valueMax="250000" defaultAction="Open"/>
<key description="Received Bytes" format="UInt64" level="IndexValues" name="rbytes" valueMax="250000" defaultAction="Open"/>
<key description="Agent User" format="Text" level="IndexValues" name="user.agent" valueMax="250000" defaultAction="Open"/>
<key description="Source Bytes" format="UInt64" level="IndexValues" name="bytes.src" valueMax="250000" defaultAction="Open"/>
<key description="Strans Address" format="Text" level="IndexValues" name="stransaddr" valueMax="250000" defaultAction="Open"/>
</language>
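As an added consistency check (not part of the RSA documentation), the following script parses a table-map-custom.xml fragment and an index-concentrator-custom.xml fragment and reports mapped keys that will not be viewable or searchable as intended: a mapping flag other than None, a mapped key missing from the index, an index level other than IndexValues, and a format that differs between the two files. The fragments are trimmed copies of the page's own entries; the <mappings> wrapper element, the function name and the assumption that a mapping without a format attribute defaults to Text are mine. On the page's own entries, cs.modulescore is mapped with format="Int32" but indexed with format="Text", which this check flags for review.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the page's table-map-custom.xml entries, wrapped in an assumed root element.
TABLE_MAP_CUSTOM = """<mappings>
<mapping envisionName="cs_represult" nwName="cs.represult" flags="None" envisionDisplayName="ReputationResult"/>
<mapping envisionName="cs_modulescore" nwName="cs.modulescore" format="Int32" flags="None" envisionDisplayName="ModuleScore"/>
<mapping envisionName="cs_yararesult" nwName="cs.yararesult" flags="None" envisionDisplayName="YaraResult"/>
</mappings>"""

# Trimmed copy of the page's index-concentrator-custom.xml example (cs.yararesult left out on purpose).
INDEX_CUSTOM = """<language>
<key description="ReputationResult" format="Text" level="IndexValues" name="cs.represult" valueMax="250000" defaultAction="Open"/>
<key description="Module Score" format="Text" level="IndexValues" name="cs.modulescore" valueMax="250000" defaultAction="Open"/>
</language>"""

def check_index(table_map_xml, index_xml):
    """Return findings for custom-mapped meta keys that the Concentrator would not
    expose the way the procedure above expects."""
    mappings = {m.get("nwName"): m for m in ET.fromstring(table_map_xml).iter("mapping")}
    keys = {k.get("name"): k for k in ET.fromstring(index_xml).iter("key")}
    findings = []
    for name, mapping in mappings.items():
        flags = mapping.get("flags", "None")
        if flags != "None":
            findings.append(f"{name}: flags={flags}, not viewable in Investigation")
            continue
        key = keys.get(name)
        if key is None:
            findings.append(f"{name}: mapped with flags=None but missing from index-concentrator-custom.xml")
            continue
        if key.get("level") != "IndexValues":
            findings.append(f"{name}: indexed at level={key.get('level')}, values not searchable")
        fmt = mapping.get("format", "Text")  # assumption: Text when no format is given
        if key.get("format") != fmt:
            findings.append(f"{name}: mapped as {fmt} but indexed as {key.get('format')}, review the format")
    return findings

if __name__ == "__main__":
    for finding in check_index(TABLE_MAP_CUSTOM, INDEX_CUSTOM):
        print(finding)
```

Run it against the full files exported from the Log Decoder and Concentrator after step 4 and before restarting the services.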

Result

Analysts can:

  • Create Security Analytics alerts based on ECAT events by configuring ECAT events as an enrichment source.
  • Create ESA rules using ECAT meta as described in the Add Rules to the Rules Library topic in Alerting Using ESA.
  • Report on ECAT events using ECAT meta as described in the Working with Reporting Rules topic in Reporting.
  • View ECAT alerts in Incident Management as described in the Alerts View topic in Incident Management.
  • View ECAT meta keys in Investigation along with standard SA core meta keys as described in the Conduct an Investigation topic in Investigation and Malware Analysis.