This topic provides instructions for configuring use of RSA ECAT data in Security Analytics to provide contextual data from ECAT to Decoder and Log Decoder sessions. This configuration adds contextual meta values in addition to the instant IOC alerts that can be used to build correlations to other meta data in the Security Analytics ecosystem.
Administrators can configure Security Analytics to consume system scan contextual data from ECAT via a Security Analytics Live recurring feed. This integration can enrich the session from a Decoder or Log Decoder with contextual information displayed in Security Analytics Investigation; some examples include the host operating system, MAC address, score, and other data that may not be present in the log or packet data. into sessions from a Decoder or Log Decoder.
Note: Although this feature is targeted for customers with a packet Decoder, a recurring feed can also be implemented in Log Decoders.
Caution: In environments with many ECAT hosts, use of this recurring feed may result in decreased performance on the Security Analytics ingest devices (Decoder and Log Decoder).
- Version 4.0 or later ECAT Console server and Security Analytics Server Version Version 10.4 and above installed.
- Version 10.4 or later RSA Decoder and Concentrator connected to the Security Analytics Server in the network.
To configure this integration:
- Enable the ECAT Feed for Security Analytics in the ECAT User Interface.
- Export the ECAT CA Certificate from the ECAT Console server and Import into Security Analytics trust store.
- Configure the Security Analytics Concentrator service to define which meta keys are indexed.
- Create a recurring feed in Security Analytics Live.
Enable the ECAT Feed for Security Analytics
For ECAT version 4.0
- Open the ECAT user interface and log on using the proper credentials.
From the menu bar, select Configure > Monitoring External Components.
The Add Components dialog is displayed.
Add a Security Analytics component. Enter the Unique Name, Host DNS or IP, and click Settings.
The Configure Security Analytics dialog is displayed.
Enter the Timezone and click the Feed Config tab.
Select Enable ECAT Feed, enter the Username and Password. Configure the Feed Publishing Interval. Click Save.
A feed is created.
- Make a note of the URL assigned to the feed, and the username and password. This information is used in Security Analytics.
- To verify that the feed has been successfully created, open a browser and type in the URL. When prompted, enter the username and password. Check to see if a file named machines.csv is downloaded.
For ECAT version 4.1 or later
In the ECAT User Interface:
- Create an SQL user in ECAT:
- From the menu bar, select Configure > Monitoring External Components.
The External Components Configuration dialog is displayed.
- In Security Analytics, click +.
The Security Analytics dialog is displayed.
- Under Security Analytics, in On, type a name to identify the Security Analytics component.
- Under Security Analytics Connection, do the following.
- In Server Hostname/IP, type the host name or IP address of the Security Analytics server.
- In Port, the default port number is 443. Update the field if needed.
- Under Configure Security Analytics, do the following:
- In Servers Time Zone, enter a time zone for the component.
- In Device Identifier, type the Security Analytics concentrator device ID.
- In Query Optimization, do the following:
- In Min, enter the number of minutes for the minimum query time range. This value is used to automatically increase the time range submitted to Security Analytics. This ensures that a query returns a positive response if the ECAT Agent's reported time is slightly different than Security Analytic's time.
- In Max, enter the number of minutes to limit the time range. This value is used to automatically limit the time range submitted to Security Analytics, so that a query does not overload the Security Analytics server.
- In Do Not Perform Query Older Than, enter a number of days to limit the query period. Enter 0 if you want to discard this feature.
- In Configure ECAT Feeds for SA, do the following:
- Select Enable ECAT Feed.
- Enter the SQL Username and Password (configured in step 1) to access the location of the feed.
The URL field is populated when you click Save.
- Enter the time interval for the frequency at which feeds are published.
- Click Save.
A feed is created.
Note: You can find the Device Identifier in Security Analytics when you look up a Concentrator or Broker in Investigation > Navigate ><Concentrator or Broker Name>. The Device Identifier is the number in the URL after "investigation." For example, in the URL https://<IP address>investigation/319/navigate/values, the Device Identifier is 319.
The URI field is populated when you click Save.
Export the ECAT SSL Certificate
Note: This procedure works only for Security Analytics 10.5 and above because Java 8 support was added for 10.5. If you are using an earlier version of Security Analytics, refer to the applicable version of this guide.
To export the ECAT CA certificate from the ECAT Console server and copy it to the Security Analytics host:
- Log on to the ECAT Console
- Open MMC.
- Add a certificate snap-in for Computer account.
- Export the certificate named EcatCA.
- Export without private key.
- Export in DER encoded binary X.509 (.CER) format.
- Name it EcatCA.cer.
- Copy the ECAT CA certificate to the Security Analytics host:
scp EcatCA.cer root@<sa-machine>:.
- To import the ECAT CA certificate into the Security Analytics Trusted store, perform the following:
- Check the Java version installed on your Security Analytics using the following command:
The openjdk version is displayed. For example, openjdk version "1.8.0_71"
Note: The openjdk version may vary based on the Security Analytics version.
To set the JDK parameter, navigate to java directory. Enter the following commands:
$JDK/bin/keytool -import -v -trustcacerts -alias ecatca -file ~/EcatCA.cer -keystore $JDK/lib/security/cacerts -storepass changeit
When prompted for certificate update confirmation, enter Yes.
- Check the Java version installed on your Security Analytics using the following command:
- On the Security Analytics host, edit /etc/hosts to map the IP address of the ECAT Console server to the name ecatserverexported by adding the following line to the file:
<ip-address of ECAT> ecatserverexported
For example, 10.31.204.60 ecatserverexported
- To restart Security Analytics, enter the following commands:
Configure the Recurring Custom Feed Task in Security Analytics
To configure the recurring feed task in Security Analytics:
- Log on to Security Analytics and navigate to Live > Feeds.
- Select Custom Feed > Next.
- Do the following:
- Select Recurring.
- Enter a Name, for example: EcatFeed.
- Enter the URL with the hostname of the Windows server on which ECAT is installed:
- For RSA ECAT version 4.0, use the URL https://ecatserverexported:9443/ext/feed/machines.csv
- For RSA ECAT version 4.1, use the URL https://ecatserverexported:9443/api/v2/feed/machines.csv
- Enable the checkbox Authenticated and enter the username and password as noted in Enable the ECAT Feed above.
- Select Verify to check that Security Analytics can reach the web resource.
- Define the schedule. Click Next.
- In the Select Services tab, select the Decoder or groups to consume the feed. Click Next.
- In the Define Columns tab, enter the column names as shown in the table below and save the feed.
The following table shows the columns in the CSV file for the ECAT feed.
|Column||Name||Description||Column Name in Security Analytics (Meta Key Name)|
|1||MachineName||Host name of the Windows agent||alias.host|
|3||RemoteIp||Far end IP as seen by the router||stransaddr|
|4||GatewayIp||IP of the gateway||gateway|
|6||OperatingSystem||Operating system used by the Windows Agent||OS|
|7||AgentID||Agent ID of the host (unique ID assigned to the agent)||client|
|8||ConnectionUTCTime||Last time when the agent connected to ECAT server||ecat.ctime|
|10||ScanUTC time||Last time when the agent was scanned||ecat.stime|
|11||Machine Score||Score of the agent indicating the suspicious level||risk.num|
|12||User Name||User name of the client machine||username|
Note: In the table, the recommended index setting is LocalIp. However, if the LocalIp for ECAT Agent PC is allocated by a DHCP Server and the DHCP lease has expired, and if the IP is then re-allocated to another PC, the metadata created by the feed will be incorrect. To avoid this risk, use the machine name or the Mac address instead of the localIP address as the Feed's index. For example, to use a Mac address, you could enter the values as shown in the following figure.
Configure the Security Analytics Concentrator Service
- Log on to Security Analytics and navigate to Administration > Services.
- Select a concentrator from the list, and select View > Config.
- Select the Files tab, and from the Files to Edit pull-down menu, select index-concentrator-custom.xml.
- Add the following ECAT meta keys to the file and click Apply. Make sure that this file contains the XML sections already; if the lines are not included, add them. The following lines are examples; make sure the values match your configuration and the column names you included in the feed definition, where:
description is the name of the meta key you want to display in Security Analytics Investigation.
level is "IndexValues"
name matches the column name of the CSV file that Security Analytics uses while defining the recurring feed.
For example, the meta keys can be indexed in the following manner:
<key description="Gateway" format="Text" level="IndexValues" name="gateway" valueMax="250000" defaultAction="Open"/>
<key description="Risk Number" format="Float64" level="IndexValues" name="risk.num" valueMax="250000" defaultAction="Open"/>
<key description="Strans Addr" format="Text" level="IndexValues" name="stransaddr" valueMax="250000" defaultAction="Open"/>
<key description="Ecat Scan Time" format="Text" level="IndexValues" name="ecat.stime" valueMax="250000" defaultAction="Open"/>
<key description="Ecat Connection Time" format="Text" level="IndexValues" name="ecat.ctime" valueMax="250000" defaultAction="Open"/>
<key description="User Account" format="Text" level="IndexValues" name="username" valueMax="250000" defaultAction="Open"/>
Note: The Recurring feed for User account or username meta key is supported in ECAT version 4.3 or later.
Note: The ECAT feed related meta keys that are not indexed in the default file (index-concentrator.xml) can be indexed in accordance with your requirement as shown in the example above.
The below is the list of all the ECAT feed related meta keys:
Column Name Description Column Name in Security Analytics (Meta Key Name) 1 MachineName Host name of the Windows agent alias.host 2 LocalIp IPv4 address index 3 RemoteIp Far end IP as seen by the router stransaddr 4 GatewayIp IP of the gateway gateway 5 MacAddress MAC address eth.src 6 OperatingSystem Operating system used by the Windows Agent OS 7 AgentID Agent ID of the host (unique ID assigned to the agent) client 8 ConnectionUTCTime Last time when the agent connected to ECAT server ecat.ctime 9 Source Domain Domain domain.src 10 ScanUTC time Last time when the agent was scanned ecat.stime 11 Machine Score Score of the agent indicating the suspicious level risk.num 12 User Name User name of the client machine username
- Restart the Concentrator to activate the custom key updates.
When viewing feed data in Security Analytics, upon match of the indexed value (ip.src), meta data is populated in Investigation, Reporting and Alerting Interfaces.
This section suggests how to resolve problems you may encounter when working with recurring feeds.
|With ECAT 18.104.22.168 and ECAT 4.1.1, ECAT feed integration does not work for Security Analytics.||You must use ECAT 22.214.171.124 for the feed to work.|