Archer Integ: Configure Security Analytics to Work With Archer

Document created by RSA Information Design and Development on Mar 21, 2017
Version 1

RSA Security Analytics can be configured to send alerts and incidents to RSA Archer for incident management and remediation. Integration of Security Analytics with RSA Archer SecOps can achieve the following:

  • Incident Management: All incidents created in Security Analytics can be handled in Archer for complete incident management.
  • Incident Remediation: Incidents are handled in Security Analytics, but the remediation tasks are optionally exported to Archer. 

The RSA Archer Security Operations Management solution enables you to aggregate all actionable security alerts, allowing you to become more effective, proactive, and targeted in your incident response and SOC management. For more information on RSA Archer SecOps capabilities, see the RSA Archer documentation on the RSA Archer Community or on the RSA Archer Exchange Community.

See the SecOps Installation Guide for the supported Archer platforms.

The version of RSA Archer determines how RSA Security Analytics will be integrated.

  • RSA Archer Security Operations Management 1.2 integrates with RSA Security Analytics using the RSA UCF (Unified Collector Framework), which comprises the SAIM Integration Service and the RCF (RSA Connector Framework).
  • RSA Archer Security Operations Management 1.3 integrates with RSA Security Analytics using the RSA UCF (Unified Collector Framework), which comprises the SAIM Integration Service and the SecOps Watchdog service.

Integration Methods

To manage the incident workflow in RSA Archer Security Operations Management, you must configure the system integration setting. When this setting is enabled, incidents and remediation tasks are no longer visible in RSA Security Analytics.

For information on how to configure system integration settings to manage the incident workflow in RSA Archer Security Operations, see the Configure Integration Setting to Manage Incidents in RSA Archer Security Operations topic in the Incident Management Guide (Incident Management > System Integration > Configure Integration Setting to Manage Incidents in RSA Archer Security Operations).

Security Analytics Incident Management Integration Service (SAIM)

The Security Analytics Incident Management Integration Service (SAIM) integrates the RSA Archer Security Operations Management solution 1.2 and 1.3 with the RSA Security Analytics Incident Management module. You can choose one of the following integration options:

  • Manage the full incident workflow in RSA Archer Security Operations Management. If you select this option, the Security Analytics Incident Management Integration Service transports incidents from the Security Analytics Incident Management module into the solution. 
  • Manage the incident workflow in the Security Analytics Incident Management module and allow analysts the option to escalate remediation tasks and open data breaches for management and remediation in the RSA Archer Security Operations Management solution. If you select this option, the Security Analytics Incident Management Integration Service transports remediation tasks (created as Findings), data breaches, or both. 

Note: You must configure the same option in both RSA Security Analytics and the Security Analytics Incident Management Integration Service. 

RSA Unified Collector Framework (UCF)

RSA Security Analytics integrates with RSA Archer SecOps 1.3 using the RSA Unified Collector Framework (UCF). 

The RSA Unified Collector Framework (UCF) integrates with all supported SIEM tools and the RSA Archer Security Operations Management solution. When integrating the RSA Security Analytics Incident Management module, you can choose one of the following integration options:

  • Manage the full incident workflow in RSA Archer Security Operations Management. If you select this option, the Unified Collector Framework transports incidents from the Security Analytics Incident Management module into the solution.
  • Manage the incident workflow in the Security Analytics Incident Management module and allow analysts the option to escalate remediation tasks and open data breaches for management and remediation in the RSA Archer Security Operations Management solution. If you select this option, the Unified Collector Framework transports remediation tasks (created as Findings), data breaches, or both.

Note:
  • You must configure the same option in both RSA Security Analytics and the Unified Collector Framework.
  • Integration of the RSA Security Analytics Incident module with Reporting Engine or ESA can result in duplicate events and incidents created in RSA Archer SecOps.

The UCF supports connections to multiple SIEM tools at the same time, for example the Security Analytics Reporting Engine, HP ArcSight, and Security Analytics Incident Management. However, multiple instances of the same SIEM tool are not supported, such as two Security Analytics servers connected to the same UCF.

Prerequisites

  • Install RSA Archer Security Operations Management. See the RSA Archer documentation on the RSA Archer Community or on the Content tab at https://community.emc.com/community/connect/grc_ecosystem/rsa_archer_exchange.
  • Security Analytics 10.5 or later is compatible with SecOps 1.2 and SecOps 1.3. Security Analytics 10.5 is also compatible with SecOps 1.1; however, this is not recommended.
  • It is recommended that you upgrade to SecOps 1.3 if you are using Security Analytics 10.6.
  • Ensure that the Incident Management module is configured in RSA Security Analytics.
  • For Archer SecOps 1.3, you must create a user account for the web service client to use to transfer data into the RSA Archer GRC Platform.

RSA Unified Collector Framework Integrations

The RSA Unified Collector Framework (UCF) allows you to integrate your RSA Archer Security Operations Management system with the following:

  • Security Analytics Incident Management (SA IM)
  • Security Analytics Reporting Engine (SA RE)
  • Security Analytics Event Stream Analysis (SA ESA)

Create RSA Archer User Accounts for Push and Pull

Two RSA Archer user accounts are required to avoid conflicts while sending and receiving data from RSA Security Analytics.

  1. Click Administration > Access Control > Manage Users > Add New.
  2. In the First and Last Name fields, enter a name that indicates that the UCF uses this account to push data into RSA Archer GRC. For example, UCF User, Push.

    Note: When configuring the Pull account, enter a name that indicates that the UCF uses this account to pull data from RSA Archer GRC. For example, UCF User, Pull.

  3. (Optional) Enter a user name for this new user account.

    Note: If you do not specify a user name, the RSA Archer GRC Platform creates the user name from the first and last name entered when you save the new user account.

  4. In the Contact Information section, in the Email field, enter an email address to associate with this new user account.
  5. In the Localization section, change the time zone to (UTC) Coordinated Universal Time.

    Note: The UCF uses UTC as the baseline for all time-related calculations.

  6. In the Account Maintenance section, enter and confirm a new password for the new user account.

    Note: Record the user name and password for the new user account that you just created. You need to enter these credentials when you set up the UCF to communicate with the RSA Archer GRC Platform through the web service client.

  7. Clear the Force Password Change On Next Sign-In option.
  8. In the Security Parameter field, select the security parameter that you want to use for this user.

    Note: If you assign a default security parameter with a password change interval of 90 days, you also must update the user account password stored in the SA IM Integration Service every 90 days. To avoid this, you can optionally create a new security parameter for the SA IM Integration Service user account and set the password change interval to the maximum value allowed by your corporate standards.

  9. Click the Groups tab, and do the following:

    1. In the Groups section, click Lookup.
    2. In the Available Groups window, expand Groups.
    3. Scroll down and select SOC: Solution Administrator and EM: Read Only.
    4. Click OK.
  10. Click Apply, then click Save.
  11. If the machine language and regional settings of your RSA Archer GRC system are set to anything other than English-US, do the following:

    1. Open the user account you just created, and in the Localization section, in the Locale field, select English (United States), and click Save.
    2. On the Windows system hosting your RSA Archer GRC Platform, open Internet Information Services (IIS) Manager.
    3. Expand your RSA Archer GRC site, click .Net Globalization, in both the Culture and UI Culture fields, select English (United States), and click Apply.
    4. Restart your RSA Archer GRC site.
  12. Repeat steps 1 – 11 to create a second user account for the UCF to pull data from RSA Archer GRC.

Configure Endpoints in RSA Unified Collector Framework

Endpoints provide the connection details required for the UCF to reach both your RSA Security Analytics and RSA Archer GRC systems.

Note: Different integrations require different endpoints. The following list shows the mandatory endpoints.

Mandatory Endpoint Integration

  • Archer Push Syslog endpoint
  • Security Analytics Incident Management (SA IM)
  • Archer Pull Enterprise Management plug-in endpoint
  • Mode selection: SecOps or Non-SecOps mode.
  • Syslog Server
  • Enterprise Management

Note:
  • If Non-SecOps mode is selected, incidents are managed in SA IM instead of RSA Archer Security Operations Management.
  • You must configure the TCP, secure TCP, and UDP ports.
  • Ensure the certificate subject name for your RSA Archer GRC server matches the hostname.
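The last note above matters because the UCF connects to Archer over SSL and will reject a certificate whose name does not cover the hostname you type into the endpoint URL. The following is an added Python example, not RSA code and not part of this page, that applies the usual DNS-ID matching rule (case-insensitive exact labels, at most one left-most wildcard label, subjectAltName preferred over the CN) to certificate dictionaries in the shape Python's ssl module returns, and a helper that performs the same trust and hostname check against a live server. The certificate contents and hostnames are constructed placeholders.

```python
import ipaddress
import socket
import ssl

# Constructed certificate dictionaries in the shape ssl.SSLSocket.getpeercert()
# returns after a verified handshake. Hostnames are placeholders, not real servers.
ARCHER_CERT_OK = {
    "subject": ((("commonName", "archer.example.com"),),),
    "subjectAltName": (("DNS", "archer.example.com"), ("DNS", "grc.example.com")),
}
ARCHER_CERT_MISMATCH = {
    "subject": ((("commonName", "archer-old.example.com"),),),
    "subjectAltName": (("DNS", "archer-old.example.com"),),
}


def _dns_match(pattern, hostname):
    """DNS-ID comparison: case-insensitive, exact labels, one left-most wildcard label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    # The wildcard must stand for exactly one label and may not cover a bare
    # two-label name such as example.com.
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_names(cert):
    """Return (dns_names, ip_names); the CN is consulted only when no SAN is present."""
    dns, ips = [], []
    san = cert.get("subjectAltName", ())
    for kind, value in san:
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not san:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    dns.append(value)
    return dns, ips


def cert_matches_host(cert, hostname):
    """True when the name you will put in the endpoint URL is covered by the certificate."""
    dns, ips = cert_names(cert)
    try:
        wanted = ipaddress.ip_address(hostname)
    except ValueError:
        # A DNS name: compare against DNS-IDs (or the CN fallback).
        return any(_dns_match(p, hostname) for p in dns)
    # An IP literal is only matched by an IP-address SAN entry, never by the CN.
    return any(ipaddress.ip_address(i) == wanted for i in ips)


def check_live(hostname, port=443, cafile=None, timeout=5):
    """Connect to the Archer web server and report (ok, detail).

    The default context enforces both chain trust and hostname matching, which is
    what the UCF's SSL client will also demand. Pass cafile (PEM) for an internal CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                dns, ips = cert_names(tls.getpeercert())
                return True, f"verified; certificate names: {dns + ips}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    print(cert_matches_host(ARCHER_CERT_OK, "archer.example.com"))        # True
    print(cert_matches_host(ARCHER_CERT_MISMATCH, "archer.example.com"))  # False
```

Run `check_live("<your archer host>")` from the UCF machine before adding the push and pull endpoints; a `certificate rejected` result with a hostname mismatch means the URL you are about to enter must use the name that is actually in the certificate, or the certificate must be reissued.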

Procedure

  1. On your UCF system, open the Connection Manager, as follows:
    1. Open a command prompt.
    2. Change directories to <install_dir>\SA IM integration service\data-collector.
    3. Type:

      runConnectionManager.bat

  2. In the Connection Manager, enter 1 for Add Endpoint.
  3. Add an endpoint for pushing data to RSA Archer Security Operations Management, as follows:

    1. Enter the number for Archer.

      Note: SSL must be enabled to add the RSA Archer endpoints.

    2. For the endpoint name, type push.
    3. Enter the URL of your RSA Archer GRC system.
    4. Enter the instance name of your RSA Archer GRC system.
    5. Enter the user name of the user account you created to push data into your RSA Archer GRC system.
    6. Enter the password for the user account you created to push data into your RSA Archer GRC system, and confirm the password.
    7. When asked whether this account is used for pulling data, enter False.
  4. Add an endpoint for pulling data from RSA Archer Security Operations Management, as follows:

    1. Enter the number for Archer.

      Note: SSL must be enabled to add the RSA Archer endpoints.

    2. For the endpoint name, type pull.
    3. Enter the URL of your RSA Archer GRC system.
    4. Enter the instance name of your RSA Archer GRC system.
    5. Enter the user name of the user account you created to pull data from your RSA Archer GRC system.
    6. Enter the password for the user account you created to pull data from your RSA Archer system, and confirm the password.
    7. When asked whether this account is used for pulling data, enter True.
  5. Add an endpoint for RSA Security Analytics Incident Management, as follows:

    1. Enter the number for Security Analytics IM.
    2. Enter a name for the endpoint.
    3. Enter the SA Host IP address.
    4. For SA Port, enter 5671.
    5. Enter the target queue for remediation tasks. Selecting All processes both the RSA Archer Integration (GRC) and IT Helpdesk (Operations).
    6. To automatically add certificates to the Security Analytics trust store, do the following:

      1. Enter Yes.
      2. Enter the SA Host username and password.

      Note: If you receive an error that the CA trust store failed to set, see Troubleshoot RSA Archer Integration.

  6. In UCF connection manager, select the mode, as follows:

    1. Enter the number for Mode Selection.
    2. Select one of the following options:

      • Manage incident workflow in RSA Security Analytics.
      • Manage incident workflow exclusively in RSA Archer Security Operations Management.
  7. To use third-party integrations, add the Syslog Server Endpoint, as follows:

    1. Enter the number for Syslog Server Endpoint.
    2. Enter the following:

      • SSL configured
      • Secure TCP port: Enter the secure TCP port if the Syslog client sends the Syslog message in secure TCP mode.

        Note: Defaults to 1515. If you do not want to host the Syslog server in this mode, enter 0.

      • TCP port: Enter the TCP port if the Syslog client sends the Syslog message in TCP mode.

        Note: Defaults to 1514. If you do not want to host the Syslog server in this mode, enter 0.

      • UDP port: Enter the UDP port if the Syslog client sends the Syslog message in UDP mode.

        Note: Defaults to 514. If you do not want to host the Syslog server in this mode, enter 0.

    By default, the Syslog server runs in all three modes unless a mode is disabled by entering 0.

  8. To test the Syslog client, enter the number for Test Syslog Client. Use the Test Syslog client with the files from <install_dir>\SA IM integration service\config\mapping\test-files\.
  9. In Connection Manager, enter 5 to test each endpoint.
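Step 7 opens up to three listener modes on the UCF (UDP 514, TCP 1514, secure TCP 1515 by default, each disabled by entering 0) and step 8 tests them with RSA's test client. The following added Python example, which is not RSA's test client and not part of this page, builds an RFC 3164 style line and sends it over whichever mode you choose, refusing a mode whose port is set to 0; for secure TCP it verifies the UCF against the DER certificate the page later refers to as keystore.crt.der rather than the system trust store. The UCF hostname, tag and message text are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Default listener ports offered by the UCF Connection Manager; 0 disables a mode.
DEFAULT_PORTS = {"udp": 514, "tcp": 1514, "secure_tcp": 1515}


def build_message(hostname, tag, text, facility=1, severity=6, when=None):
    """Build an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOST TAG: TEXT.

    facility 1 = user-level, severity 6 = informational; PRI = facility * 8 + severity.
    """
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = when or datetime.now(timezone.utc)
    # RFC 3164 pads a single-digit day with a space, not a zero.
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {tag}: {text}"


def enabled_modes(ports):
    """Transports the UCF Syslog server is configured to listen on (port 0 = disabled)."""
    return [mode for mode, port in ports.items() if port]


def send_test_message(message, ucf_host, mode, ports=DEFAULT_PORTS,
                      ucf_cert_der=None, timeout=5):
    """Send one line to the UCF over the chosen mode and return the byte count sent.

    For secure_tcp, pass the DER bytes of the UCF certificate so the connection is
    verified against it; without it the system trust store is used.
    """
    port = ports.get(mode, 0)
    if port == 0:
        raise ValueError(f"{mode} mode is disabled (port 0) on the UCF; nothing sent")
    data = (message + "\n").encode("utf-8")  # newline-framed for the stream transports
    if mode == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            return sock.sendto(data, (ucf_host, port))
    with socket.create_connection((ucf_host, port), timeout=timeout) as sock:
        if mode == "tcp":
            sock.sendall(data)
            return len(data)
        if ucf_cert_der:
            ctx = ssl.create_default_context(cadata=ucf_cert_der)
        else:
            ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=ucf_host) as tls:
            tls.sendall(data)
            return len(data)


def sample_message():
    """Message with a fixed constructed timestamp, showing the exact wire format."""
    fixed = datetime(2017, 3, 5, 14, 7, 9, tzinfo=timezone.utc)
    return build_message("sa-re.example.com", "rsa-re", "test alert", when=fixed)


if __name__ == "__main__":
    print(sample_message())            # <14>Mar  5 14:07:09 sa-re.example.com rsa-re: test alert
    print(enabled_modes(DEFAULT_PORTS))
```

A message that arrives over a mode you believed disabled, or a secure TCP handshake that fails against the UCF certificate, points at the Connection Manager values rather than at the Reporting Engine or ESA notification settings configured later.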

Configure Syslog Output Action for the Reporting Engine for Security Analytics 10.5

Note: This procedure is for SecOps 1.3 with Security Analytics 10.5.

  1. In Security Analytics, go to Administration > Services.
  2. Select your Reporting Engine service, and click System > Config.
  3. Click the Output Actions tab. 
  4. In the SA Configuration section, in the Host Name field, enter the host name or IP address of your Reporting Engine server.

    Note: If you do not enter a value in this field, the link in the RSA Archer Security Alerts application back to Security Analytics will not work. 

  5. Add the Syslog Configuration as follows:

    1. In the Server Name field, enter the hostname of the UCF.
    2. In the Server Port field, enter the port that you selected in the UCF Syslog configuration.
    3. In the Protocol field, select the transport protocol.

    Note: If you select Secure TCP, SSL must be configured.

  6. Click Save.

Configure ESA Syslog Notification Settings in Security Analytics 10.5 or Later

This procedure is for SecOps 1.3 with Security Analytics 10.5 or later.

  1. Click Administration > System > Global Notifications.
  2. Click the Output tab. 
  3. Define and enable an ESA Syslog notification.
  4. Click the Servers tab. 
  5. Define and enable a Syslog notification server.
  6. In the Syslog Server Configuration section, enter the following:

    • Server Name: Specify the hostname or IP address of the system on which you installed the UCF.
    • Server Port: Specify the port number on which you want the UCF to listen for Syslog alert messages.
    • Facility: Specify the Syslog facility.
    • Protocol: Select the protocol.
  7. Click Save.

Configure Incident Management for Integration with Archer SecOps 1.3

To configure Incident Management for Archer SecOps 1.3, do the following in Security Analytics:


Step 1: Configure Incident Management Database

You must configure the database for the Incident Management service before the service can be used.

To configure a database for the Incident Management Service:

  1. In the Security Analytics menu, select Administration > Services.

    The Services view is displayed.

  2. In the Service panel, select the Incident Management service, and then select View > Explore.

    The Services Explore view is displayed.

  3. In the options panel, select Service > Configuration > database.

    The database view is displayed in the right side panel.

  4. Provide the following information:

    • Host – The hostname or IP address of the ESA host selected as a database
    • DatabaseName – im (this is the default value)
    • Port – 27017 (this is the default value)
    • Username – The username for the user account for the IM database (ESA creates an im user with the right privileges)
    • Password – The password you selected for the im user.
  5. Restart the Incident Management Service using the following command:

    service rsa-im restart

Note: Restarting the Incident Management Service is important for the database configuration to be complete.

Step 2: Select the Mode for Security Analytics Incident Management 

To select the workflow management method in Security Analytics:

  1. In the Security Analytics menu, select Incidents > Configure.
  2. Click the Integration tab.
  3. Select one of the following options:

    • Manage incident workflow in RSA Security Analytics.

      • Allow analysts to escalate remediation tasks for the Operations target queue as tickets.
      • Allow analysts to escalate remediation tasks for the GRC target queue as Findings.
      • Allow analysts to report data breaches and trigger the breach response process in the RSA Archer Security Operations Management solution.

        For more information, see Configure Integration Setting to Manage Incidents in Security Analytics in the Incident Management guide.

    • Manage incident workflow exclusively in RSA Archer Security Operations Management.
  4. Click Apply.

Note: This step also applies to Integration with Archer SecOps 1.2.

Step 3: Configure Forwarding to Security Analytics Incident Management Service

  • To forward Security Analytics Event Stream Analysis alerts to Security Analytics Incident Management, do the following:

    1. In the Security Analytics menu, select Administration > Services.
    2. Select an ESA service, and then select View > Config.
    3. Click the Advanced tab.
    4. The Forward Alerts on Message Bus checkbox is selected by default. If it is not selected, select it and click Apply.
  • To forward Security Analytics Reporting Engine alerts to Security Analytics Incident Management, do the following:

    1. In Security Analytics, click Administration > Services.
    2. Select the Reporting Engine service, and then select View > Config.
    3. Click the General tab.
    4. In the System Configuration section, select the Forward Alerts to IM checkbox and click Apply.
  • To forward Security Analytics Malware Analysis alerts to Security Analytics Incident Management, do the following:

    1. In Security Analytics, click Administration > Services.
    2. Select the Malware Analysis service, and then select View > Config.
    3. Click the Auditing tab.
    4. In the Incident Management Alerting section, verify that the Enabled Config Value checkbox is selected. If it is not selected, select it and click Apply.

Step 4: Forward ECAT Alerts to the Security Analytics Incident Management Service

RSA ECAT alerts can be sent to RSA Archer GRC through Security Analytics Incident Management.

  1. Configure alerts by message bus. See Configure ECAT Alerts Via Message Bus.
  2. In RSA ECAT, click Configure > Monitoring and External Components.
  3. In the External Components Configuration window, select the Incident Message Broker.
  4. Click Add (+).
  5. Complete the following fields: 

    • Instance Name
    • Server Hostname/IP. Enter the Host DNS or IP address of the RSA Security Analytics Server.
    • Port Number. The default port is 5671.
  6. Click Save.

Step 5: Aggregate Alerts into Incidents

Alerts coming into Security Analytics Incident Management can be automatically aggregated into incidents and forwarded to RSA Archer Security Operations Management. Aggregation rules run automatically every minute and aggregate the alerts into incidents based on the match conditions and grouping options selected. For more information on aggregating alerts, see the Configure Alert Sources to Display Alerts in Incident Management topic in the Incident Management Configuration Guide.

To configure alert aggregation:

  1. In Security Analytics, go to Incidents > Configure > Aggregation Rules.
  2. To enable the rules provided out of the box, do the following:

    1. Double-click the rule.
    2. Select Enabled.
    3. Click Save.
    4. Repeat steps 1 to 3 for each rule.
  3. To add a new rule, do the following:

    1. Click Add (+).
    2. Select Enabled.
    3. Complete the following fields:

      • Rule Name
      • Action
      • Match Conditions
      • Grouping Options
      • Incident Options
      • Priority
      • Notifications
  4. Click Save.

Configure Syslog Output Action for the Reporting Engine for Security Analytics

  1. In Security Analytics, go to Administration > Services.
  2. Select your Reporting Engine Service, and click System > Config.
  3. Click the Output Actions tab.
  4. In the SA Configuration section, in the Host Name field, enter the host name or IP address of your Reporting Engine server.
  5. Add the Syslog Configuration as follows:
    1. In the Server Name field, enter the hostname of the UCF.
    2. In the Server Port field, enter the port that you selected in the UCF Syslog configuration.
    3. In the Protocol field, select the transport protocol.

      Note: If you select Secure TCP, SSL must be configured.

  6. Click Save.

Configure SA RE SSL for Secure Syslog Server 

If the Syslog server is configured with Secure TCP, configure the SSL.

  1. Copy the certificate keystore.crt.der from the UCF machine at <install_dir>\RSA\SA IM integration service\cert-tool\certs to the Security Analytics server at /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-0.b17.el6_7.x86_64/jre/lib/security
  2. Run the following command:

    keytool -import -file keystore.crt.der -alias ucf-syslog -keystore cacerts -storepass changeit

    Note: Do not copy and paste the above code. Type it in to avoid errors.

  3. Set ServerCertificateValidationEnabled to true:

    • Navigate to the Administration page of the SA UI.
    • Select View > Explore for the Reporting Engine (RE) service.
    • Expand com.rsa.soc.re.
    • Expand sslContextConfiguration and set ServerCertificateValidationEnabled to true.
  4. Restart the RE service.

Configure Rules in Security Analytics 

  1. Click Reports > Manage.
  2. In Groups, click Rules.
  3. Click Add (+).
  4. Enter a name for the new group.
  5. Select the group you created, and in the Rule toolbar, click Add (+).
  6. In the Syslog Name field, enter a name for the SecOps syslog configuration to be used to configure alerts.
  7. In the Rule Type field, select NetWitness DB.
  8. Enter a name for the rule.
  9. Enter values in the Select and Where fields based on the rule that you want to create.

    Note: Add the Syslog configuration with the Syslog name set above.

  10. Click Save.

Note: To see the same number of alerts in SA RE and RSA Archer GRC, ensure that you’ve selected Once for execute in both the Syslog and Record tabs.

Add Alert Templates for the Reporting Engine in Security Analytics

The UCF syslog configuration comes with out-of-the-box alert templates that you can use when you create an alert with a syslog output action. These templates define the criteria used to aggregate alerts into incidents in your RSA Archer GRC Platform.

The sample templates are located in the following location on the UCF system:

<install_dir>\SA IM integration service\config\mapping\templates\SecOps_SA_Templates

  1. Click Reports > Manage > Alerts.
  2. Click the Template tab.
  3. Click Add (+).
  4. In the Name field, enter a name for the alert template.
  5. In the Message field, enter the alert message.
  6. Click Create.
  7. Repeat steps 3 to 6 for each alert template that you want to add.

Configure Alerts in Security Analytics

In RSA Security Analytics Reporting Engine, an alert is a rule that you can schedule to run on a continuous basis and log its findings to several different alerting outputs.

  1. Click Reports > Manage > Alerts.
  2. Click Add (+).
  3. Select Enable.
  4. Select the rule you created.
  5. Select Push to Decoders.

    Note: If you do not enter a value in this field, the link in the RSA Archer Security Alerts application to RSA Security Analytics will not work.

  6. From the Data Sources list, select your data source.
  7. In the Notification section, select Syslog.
  8. Click Add (+).
  9. Complete the Syslog configuration fields.
  10. In the Body Template field, select the template that you want to use for this Syslog alert.
  11. Click Save.

Configure ESA Syslog Notification Settings in Security Analytics

  1. Click Administration > System > Global Notifications.
  2. Click the Output tab.
  3. Define and enable an ESA Syslog notification.
  4. Click the Servers tab.
  5. Define and enable a Syslog notification server.
  6. In the Syslog Server Configuration section, enter the following:

    Field Description:

    • Server
    • Name
    • Specify the hostname or IP Address of the system on which you installed the UCF.
    • Server
    • Port
    • Specify the port number on which you want the UCF to listen for
    • Syslog alert messages

    Facility:

    • Specify the Syslog facility

    Protocol:

    • Select the protocol.
  7. Click Save.

Configure SA ESA SSL for Secure Syslog Server in Security Analytics

If the Syslog server is configured with Secure TCP, configure the SSL.

  1. Navigate to Administration > Services.
  2. Select the ESA service, and go to Explore > Configuration > SSL.
  3. Set ServerCertificateValidationEnabled to true.
  4. Copy the certificate keystore.crt.der from the UCF machine at <install_dir>\SA IM integration service\cert-tool\certs to the ESA host at /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-0.b17.el6_7.x86_64/jre/lib/security.
  5. Run the following command:

    keytool -import -file keystore.crt.der -alias ucf-syslog -keystore cacerts -storepass changeit

    Note: Do not copy and paste the above code. Type it in to avoid errors.

  6. Restart the ESA service.

Add ESA Alert Templates in Security Analytics 

The UCF syslog configuration comes with out-of-the-box alert templates that you can use when you create an alert with a syslog output action. These templates define the criteria used to aggregate alerts into incidents in your RSA Archer GRC Platform.

The sample templates are located in the following location on the UCF system:

<install_dir>\SA IM integration service\config\mapping\templates\SecOps_SA_Templates\SecOps_SA_ESA_templates.txt

Procedure:

  1. Select Administration > System > Global Notifications.
  2. Click the Templates tab.
  3. Click Add (+).
  4. In the Template Type field, select Event Stream Analysis.
  5. In the Name field, enter the name for the template.
  6. (Optional) In the Description field, enter a brief description for the template.
  7. In the Template field, enter the alert message.
  8. Click Save.
  9. Repeat steps 3 to 8 for each alert template that you want to add.

Create ESA Rules in Security Analytics

  1. Click Alerts > Configure.
  2. Select your ESA device.
  3. Click Select.
  4. In the ESA Rules toolbar, click +.
  5. Select Rule Builder.
  6. In the Name field, enter a name for the rule.
  7. In the Description field, enter a description for the rule.
  8. Select a Severity.
  9. In the Condition section, do the following:

    1. Click + to build a statement.
    2. Enter a name, select a condition type, and add meta data/value pairs for your statement.
    3. Click Save.
    4. Repeat steps 1 to 3 until you have built all your statements for the rule.
  10. In the Notifications section, select Syslog.
  11. Select the notification, Syslog server, and template that were created previously.
  12. Click Save and Close.
  13. Click Alerts > Configure > Deployments.
  14. In the ESA Services section, click +.
  15. Select the ESA Service.
  16. Click Deploy Now.
  17. In the ESA Rules section, click + to choose the ESA Rule that you created, and click Deploy Now.

RSA Archer Feeds

By default, only the IP Address and Criticality Rating fields in the RSA Archer Devices application are fed into RSA Security Analytics by the Security Analytics Incident Management Integration Service. You can customize the Enterprise Management plug-in to include in the feed the Business Unit and Facility fields that are cross-referenced in the Devices application. For more details, see the Archer documentation at https://community.emc.com/community/connect/grc_ecosystem/rsa_archer or https://community.emc.com/community/connect/grc_ecosystem/rsa_archer_exchange.

Note: If you plan to feed Business Unit and Facility information from your RSA Archer GRC Platform into Live, you must also add keys for these fields to the index-concentrator-custom.xml file.

Several tasks can be performed by the Administrator in Security Analytics, including: 

Update the Concentrator and Decoder Services

The Security Analytics Incident Management Integration Service manages the files for a custom feed and deposits these files in a local folder that you specify when you configure the Security Analytics Incident Management Integration Service. The Live module of RSA Security Analytics retrieves the feed files from this folder. Live then pushes the feed to the Decoders, which start creating metadata based on captured network traffic and the feed definition. To make each Concentrator aware of the new metadata created by the Decoders, you must edit the index-concentrator-custom.xml, index-logdecoder-custom.xml, and index-decoder-custom.xml files.

  1. In the Security Analytics menu, click Administration > Services.
  2. Select your Concentrator, and select View > Config.
  3. Click the Files tab.
  4. From the drop-down list, select index-concentrator-custom.xml. Do one of the following:
    • If content already exists in the file, add a key for the new meta data element as follows:

      <key description="Criticality" format="Text" level="IndexValues" name="criticality" defaultAction="Open"/>

      Note: Do not copy and paste code. Type it in to avoid errors.

    • If the file is blank, add the following content:

      <?xml version="1.0" encoding="utf-8"?>
      <language level="IndexNone" defaultAction="Auto">
        <key description="Criticality" format="Text" level="IndexValues" name="criticality" defaultAction="Open"/>
      </language>

  5. Click Apply.
  6. If no services are listed, click Apply.
  7. To add multiple devices, do the following:

    1. Click Push.
    2. Select the devices to which you want to push this file.
    3. Click OK.
  8. Repeat steps 1-7 for the Log Decoders and Index Decoders, using index-logdecoder-custom.xml and index-decoder-custom.xml.
  9. Stop and start the Concentrator and Decoder services.
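Step 4 above has two cases: a file that already holds keys gets one more <key> element, and a blank file gets the whole <language> skeleton. The following added Python example, which is not RSA code and is not part of this page, performs that edit on the file text with the standard library XML parser so one function serves both cases, can be run again without duplicating a key, and reports which expected keys are still missing, a useful check before pushing the file to several Concentrators and Decoders. The criticality key is the one the page gives; any other key name you pass (such as ones for Business Unit or Facility) is your own and must match what your customised Enterprise Management plug-in emits.

```python
import xml.etree.ElementTree as ET

# Skeleton the page gives for an index-*-custom.xml file that is still blank.
EMPTY_LANGUAGE = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<language level="IndexNone" defaultAction="Auto">\n'
    '</language>\n'
)

# Keys the Archer feed supplies by default. Add your own entries here if the
# Enterprise Management plug-in is customised to send more fields.
ARCHER_FEED_KEYS = {"criticality": "Criticality"}


def _parse(xml_text):
    """Parse the file text (bytes avoid any issue with the encoding declaration)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "language":
        raise ValueError("custom index file must have a <language> root element")
    return root


def index_keys(xml_text):
    """Map key name -> index level for every <key> directly under <language>."""
    return {k.get("name"): k.get("level") for k in _parse(xml_text).findall("key")}


def missing_keys(xml_text, wanted=ARCHER_FEED_KEYS):
    """Names from `wanted` that the file does not yet define (sorted for stable output)."""
    return sorted(set(wanted) - set(index_keys(xml_text)))


def add_index_key(xml_text, name, description, fmt="Text", level="IndexValues"):
    """Return the file content with a <key> for `name`, adding the skeleton if blank.

    Running it twice for the same name leaves a single <key>, so it is safe to
    re-apply after a partial edit in the Files tab.
    """
    if not xml_text.strip():
        xml_text = EMPTY_LANGUAGE
    root = _parse(xml_text)
    if name not in {k.get("name") for k in root.findall("key")}:
        ET.SubElement(root, "key", description=description, format=fmt,
                      level=level, name=name, defaultAction="Open")
    # One <key> per line so the result stays readable when viewed in the UI.
    root.text = "\n  "
    children = list(root)
    for i, child in enumerate(children):
        child.tail = "\n  " if i < len(children) - 1 else "\n"
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            + ET.tostring(root, encoding="unicode") + "\n")


if __name__ == "__main__":
    content = add_index_key("", "criticality", "Criticality")
    print(content)
    print("missing:", missing_keys(content))   # missing: []
```

Work on a copy of the file shown in the Files tab, compare the result with the original before pasting it back, and run `missing_keys` on the file from each Concentrator, Log Decoder and Decoder after the push in step 7 to confirm every service received the same key set.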

Add the RSA Archer Enterprise Management Endpoint in the UCF

  1. In UCF connection manager, select the mode, as follows:

    1. Enter the number for Mode Selection.

    2. Select one of the following options:

      • Manage incident workflow in RSA Security Analytics.
      • Manage incident workflow exclusively in RSA Archer Security Operations Management.
  2. Add the RSA Archer Enterprise Management Endpoint, as follows:

    1. Enter the number for Enterprise Management.
    2. Complete the following fields:

      • Endpoint Name: Optional endpoint name.
      • Web Server Port: Defaults to 9090. Can be configured to host the web server URL. Provide the URL with the port number as the URL in the SA Live feed: http(s)://hostname:port/archer/sa/feed
      • Criticality: Criticality of the assets to be pulled from RSA Archer GRC. If false, pull assets with any criticality. If true, pull assets with only high criticality. To configure this manually, edit the em.criticality property in the collector-config properties file to provide a comma-separated list of criticalities: LOW, MEDIUM, HIGH.
      • Feed Directory: Directory where the assets CSV file from RSA Archer GRC is saved.

        Note: The directory path provided must exist.

      • Web Server Username: Username for authenticating to the EM web server.

        Note: This is provided while configuring the SA Live feed.

      • Web Server Password: Password for authenticating to the EM web server.

        Note: This is provided while configuring the SA Live feed.

      • SSL Mode: Defaults to No. If No, the URL uses http mode: http://hostname:port/archer/sa/feed. If Yes, the URL uses https mode: https://hostname:port/archer/sa/feed. If you have not updated the host file, see Update the RSA Security Analytics Host File for SSL Mode.

  3. If you selected Yes for SSL mode, complete the following fields:

    • Copy certs to SA box. Enter Yes to have the certificates automatically copied from RSA Archer Security Operations Management to RSA Security Analytics.
    • SA Host. Enter the hostname or IP address of the SA server.
    • SA Host Username. Enter the username for logging in to the SA server to copy the certificates.
    • SA Host Password. Enter the password for logging in to the SA server to copy the certificates.

Note: If the automatic certificate copy fails and the endpoint is not added, copy the certificates manually. See Manually Copy Enterprise Management Certificates in Troubleshoot RSA Archer Integration. After copying the certificates, add the Enterprise Management plug-in again with Copy certs to SA box set to No.

Update the RSA Security Analytics Host File for SSL Mode

  1. Edit the hosts file on the SA server, /etc/hosts, for example with: vi /etc/hosts
  2. Add an entry for the UCF host, IP address first, then hostname:

    <ucf-host-ip> <ucf-host-name>

  3. Restart the SA server web service (jettysrv) by running the following command:

    restart jettysrv

  4. While configuring the SA live feed, enter the hostname (not the IP address) in the URL, together with the port number configured for the Enterprise Management endpoint in the UCF:

    https://<ucf-host-name>:<EM_Port>/archer/sa/feed

  5. Verify that the connection works.

Create a Recurring Feed Task

In order for RSA Security Analytics to download feed files from the Security Analytics Incident Management Integration Service and push the feeds to Decoders, you must create a recurring feed task and define the feed settings.

Note: For RSA Archer SecOps 1.2: In order for RSA Security Analytics to download feed files from your RCF machine and push the feeds to Decoders, you must create a recurring feed task and define the feed settings. The procedure is similar to RSA Archer SecOps 1.3, with a few exceptions. See documentation on the RSA Archer Exchange Community for details. 

  1. In the Security Analytics Menu, click Live > Feeds.
  2. Click the Add icon.
  3. Select Custom Feed, and click Next.
  4. Select Recurring.
  5. Enter a name for the feed.
  6. In the URL field, enter the feed URL in the following form:

    http(s)://ucf_hostname_or_ip:port/archer/sa/feed

    where ucf_hostname_or_ip is the address of your Security Analytics Incident Management Integration Service system and port is the Web Server Port configured for the Enterprise Management endpoint. Use https if you have enabled SSL communication with RSA Security Analytics. For example: http://10.10.10.10:9090/archer/sa/feed, or in SSL mode https://<ucf-host-name>:8443/archer/sa/feed.

    Note: If Incident Management is running in SSL mode, the hostname must be used in the URL, not the IP address, so that the certificate can be validated.

  7. Select Authenticated.
  8. In the User Name and Password fields, enter the credentials of the user account you created for RSA Security Analytics to use to access files on the Security Analytics Incident Management Integration Service system.
  9. Define the recurrence interval for the feed.
  10. In the Date Range section, define a start and end date for the feed, and click Next.
  11. Select each Decoder to which you want to push this feed, and click Next.
  12. In the Type field, ensure that IP is selected.
  13. In the Index Column field, select 1.
  14. In the second column, set the Key value to criticality, and click Next.
  15. Review your feed configuration details, and click Finish.
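A check for step 5 of the hosts-file procedure (verify that the connection works) and for steps 6 and 12-14 of the feed task, as an added shell example that is not part of the RSA documentation: it confirms the UCF hostname is mapped in the hosts file, builds the feed URL and refuses an IP address in SSL mode, fetches the feed with curl without disabling certificate validation, and checks that every CSV row carries an IPv4 address in column 1 and LOW, MEDIUM or HIGH in column 2, which is how steps 12-14 map the feed. The hostname ucf01.example.local, the IP 10.10.10.10, the credentials, the --cacert path and the sample CSV rows are constructed assumptions, as is the exact column layout UCF exports beyond what the feed-task steps state.

```shell
#!/bin/sh
# Added example, not RSA code. SA-side checks for the UCF asset feed.
# Assumptions: UCF host ucf01.example.local at 10.10.10.10, EM web server
# port 9090, feed rows of "<ipv4>,<LOW|MEDIUM|HIGH>" (column layout beyond
# the feed-task steps is an assumption), CA cert path given to --cacert.

# hosts_has_entry HOSTSFILE IP NAME -> 0 if NAME is mapped to IP (comments ignored)
hosts_has_entry() {
    awk -v ip="$2" -v name="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# feed_url SSLMODE HOST PORT -> prints the Live feed URL. In SSL mode the page
# requires the UCF hostname, so an IP address is rejected.
feed_url() {
    case "$1" in
        [Yy]*)
            case "$2" in
                *[!0-9.]*) printf 'https://%s:%s/archer/sa/feed\n' "$2" "$3" ;;
                *) echo "error: SSL mode needs the UCF hostname, not IP $2" >&2; return 1 ;;
            esac ;;
        *) printf 'http://%s:%s/archer/sa/feed\n' "$2" "$3" ;;
    esac
}

# fetch_feed URL USER PASS [CACERT] -> feed CSV on stdout.
# Never add -k/--insecure here: it accepts any certificate and turns SSL mode
# into unauthenticated TLS. CACERT is the EM certificate copied to the SA server.
fetch_feed() {
    if [ -n "${4:-}" ]; then
        curl --fail --silent --show-error --user "$2:$3" --cacert "$4" "$1"
    else
        curl --fail --silent --show-error --user "$2:$3" "$1"
    fi
}

# validate_feed_csv FILE -> 0 if every row is "<ipv4>,<LOW|MEDIUM|HIGH>",
# matching Type=IP, Index Column=1 and the criticality key on column 2.
validate_feed_csv() {
    awk -F, '
        function is_ipv4(s,   n, p, i) {
            n = split(s, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        /^[[:space:]]*$/ { next }
        {
            gsub(/[[:space:]]/, "")      # strip padding and CRLF, then re-split on ","
            rows++
            if (!is_ipv4($1)) {
                printf "line %d: column 1 is not an IPv4 address: %s\n", NR, $1 > "/dev/stderr"; bad++
            }
            if (toupper($2) !~ /^(LOW|MEDIUM|HIGH)$/) {
                printf "line %d: column 2 is not LOW/MEDIUM/HIGH: %s\n", NR, $2 > "/dev/stderr"; bad++
            }
        }
        END { printf "%d row(s) checked, %d problem(s)\n", rows, bad; exit bad ? 1 : 0 }
    ' "$1"
}

# Demo on constructed inputs; no network access needed.
demo_feed_checks() {
    hosts=$(mktemp); csv=$(mktemp)
    printf '%s\n' '127.0.0.1 localhost' '10.10.10.10 ucf01.example.local' > "$hosts"
    printf '%s\n' '192.0.2.10,HIGH' '192.0.2.11,MEDIUM' '192.0.2.12,LOW' > "$csv"
    hosts_has_entry "$hosts" 10.10.10.10 ucf01.example.local && echo "hosts entry present"
    url=$(feed_url yes ucf01.example.local 9090) && echo "feed URL: $url"
    # Live run: fetch_feed "$url" feeduser 'feedpass' /etc/pki/ucf-em-ca.pem > "$csv"
    validate_feed_csv "$csv"
    rm -f "$hosts" "$csv"
}
demo_feed_checks
```

Run the live fetch with the same username and password you entered in step 8; if curl fails on the certificate, the fix is to copy the EM certificate to the SA server and use the hostname from /etc/hosts, not to disable validation.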

Manage the RSA Unified Collector Framework

This topic provides additional tasks for configuring and managing the RSA Unified Collector Framework (UCF) for Archer SecOps 1.3 Integration. 

Start the RSA Unified Collector Framework

  1. Click Control Panel > Administrative Tools > Services.
  2. Select RSA Unified Collector Framework.
  3. Click Start.

Stop the RSA Unified Collector Framework

  1. Click Control Panel > Administrative Tools > Services.
  2. Stop the RSA SecOps WatchDog Service.

    Note: If you do not stop the Watchdog service first, it restarts the Security Analytics Incident Management Service before you intend it to.

  3. Select RSA Unified Collector Framework.
  4. Click Stop.

Note: If the service takes too long to shut down, use the Task Manager to end the RSASAIMDCService process.

Uninstall the RSA Unified Collector Framework

  1. Click Control Panel > Programs and Features.
  2. Select RSA Unified Collector Framework.
  3. Click Uninstall.