RSA customers who are using both RSA ECAT 4.0 and later, and RSA Security Analytics 10.4 and later, can integrate ECAT and Security Analytics in several different ways. This guide is for Security Analytics version 10.6 and later.
Built-in Endpoint Lookup
With the RSA ECAT user interface (UI) installed on the same machine where the analyst is using a browser to access Security Analytics, the built-in Endpoint Lookup from Security Analytics Investigation and Security Analytics Incident Management provides right-click access to the ECAT console server for the following meta keys: IP address (ip-src, ip-dst, ipv6-src, ipv6-dst, orig_ip), host (alias-host, domain.dst), client, and file-hash. These are described in the Launch an External Lookup of a Meta Key topic in Investigation and Malware Analysis and the Alerts View topic in Incident Management.
No Security Analytics configuration is required for endpoint lookup when you are using one of the built-in parsers, RSA ECAT or CEF, and you have not customized the default meta keys used when loading meta data in Investigation (see Manage and Apply Default Meta Keys in an Investigation in Investigation and Malware Analysis).
Note: The exception occurs if you customize Security Analytics by editing the display setting for the default meta keys in Investigation, adding meta keys to the table-map-custom.xml file, or customizing RSA ECAT feeds. In that case, some configuration is required to add the custom meta keys to the ECAT Lookup context menu in the Administration > System view, as described in the Add Custom Context Menu Actions topic in the System Configuration guide.
With an RSA ECAT 4.0 or later console server installed on a Windows host and proper configuration of ECAT and Security Analytics by an administrator, four additional integrations of ECAT analysis data are possible as depicted using red arrows below.
Possible RSA ECAT integrations with Security Analytics include:
- ECAT alerts via syslog (CEF) into Security Analytics Log Decoders. This integration provides the capability to apply Live intelligence to ECAT alerts and to correlate ECAT events with other log or packet metadata in the Security Analytics ecosystem (see Configure ECAT Alerts via Syslog into a Log Decoder).
- ECAT alerts via message bus into Security Analytics Incident Management. This integration provides the capability for centralized Incident Management and workflow in Security Analytics (see the Configure Alert Sources to Display Alerts in Incident Management topic in the Incident Management Configuration Guide).
- Contextual data from ECAT via a Security Analytics Live recurring feed. This integration can enrich the session displayed in Security Analytics Investigation with contextual information; some examples include the host operating system, MAC address, score, and other data that may not be present in the log or packet data (see Configure Contextual Data from ECAT via Recurring Feed).
- RSA Live feeds to ECAT 4.0 and later. This integration can enrich ECAT Instant Indicators of Compromise (IOCs) using several feeds in RSA Live that contain suspicious domains and IP addresses. Instant IOCs defined within ECAT can benefit from these feeds from an intelligence perspective. ECAT 4.0 does not publish any feeds into RSA Live (see Configure ECAT to Receive RSA Live Feeds).
ECAT Alerts and Indicators of Compromise
An ECAT Instant IOC (Indicator of Compromise) is a database query that RSA ECAT runs on collected ECAT scan data to determine the presence of potential malware on scanned hosts. RSA ECAT 4.0 and later ships with IOCs that the user can enable and mark as alertable. RSA ECAT runs IOC queries regularly on new scan data, which is collected and stored in the database. If the IOC query is satisfied, this indicates a potential indicator of compromise, and the event can be reported to a user or sent to an external system as an alert.
Possible types of alerts are:
- Machine alert: This alert indicates that the machine in question is suspicious.
- Module alert: This alert indicates that a module, such as a file, a dll, or an executable, is suspicious. It contains details about the module in question.
- IP alert: This alert indicates that there has been suspicious internet activity (traffic).
- Event alert: This alert represents any other suspicious activity detected by ECAT that does not fall into the above categories.
Each of these alert types can be sent to Security Analytics.
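For the syslog (CEF) integration listed above, the following added example (not RSA's code and not part of the original guide) parses a CEF record out of a syslog line, honouring CEF's escaping rules, and extracts the values that correspond to the lookup meta keys named earlier. The sample line, its vendor and product strings, and the CEF-key to meta-key mapping are constructed assumptions.

```python
import re

HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
# Assumed CEF-key -> meta-key mapping (illustrative, not the product's table map).
META_MAP = {"src": "ip-src", "dst": "ip-dst",
            "shost": "alias-host", "fileHash": "file-hash"}
_KEY = re.compile(r"(?<!\S)(\w+)=")   # key at start of extension or after whitespace
_ESC = re.compile(r"\\(.)")           # \= \\ \n \r inside extension values

def _split_header(body):
    """Split the 7 header fields on unescaped '|' (honours \\| and \\\\)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        if body[i] == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1]); i += 2
        elif body[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(body[i]); i += 1
    if len(fields) != len(HEADER):
        raise ValueError("truncated CEF header")
    return fields, body[i:]

def parse_cef(line):
    """Parse one syslog line carrying a CEF record; raise ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker")
    fields, ext = _split_header(line[start + 4:])
    event = dict(zip(HEADER, fields))
    keys = list(_KEY.finditer(ext))
    event["extension"] = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        event["extension"][m.group(1)] = _ESC.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return event

def lookup_meta(event):
    """Return the extension values under the assumed lookup meta-key names."""
    return {META_MAP[k]: v for k, v in event["extension"].items() if k in META_MAP}

# Constructed sample line; vendor, product and field values are not real ECAT output.
SAMPLE = (r"<13>Jan 12 10:15:02 ecat-console CEF:0|ExampleVendor|ExampleEndpoint|4.0|"
          r"IOC-1|Unsigned module \| autorun|8|src=10.0.0.5 shost=WKSTN-01 "
          r"fileHash=0123456789abcdef0123456789abcdef msg=key\=Run path C:\\Temp\\a.dll")

if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev["name"], ev["severity"], lookup_meta(ev))
```

Rejecting lines with a truncated header or no CEF marker before forwarding gives an early signal that the syslog output on the sending side is misconfigured.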