This topic describes the procedure to configure ECAT as a data source for Context Hub.
To use the Context Hub service to fetch contextual information from ECAT, you must configure ECAT as a data source for Context Hub. Use the procedures in this topic to add ECAT as a data source for Context Hub service and configure the responses (if required) for ECAT.
Responses are the different types of context information that a data source can return. The configuration of these responses for the ECAT source controls what appears in the Context Lookup panel displayed in Investigation views when a Context Lookup is performed. The types of responses for the ECAT data source are Machines, Modules, and InstantIOCs.
Responses for each data source are already configured with default values for optimal performance. You can view or edit the default values by using the procedure in this topic.
Prerequisites
- Context Hub is enabled and the service is available in the Administration > Services view of Security Analytics.
- RSA ECAT (v4.1.1 or later) is installed and configured, and the ECAT REST API server is running with an API user account that Context Hub can use.
The RSA ECAT 4.1.1 documents provide detailed information about installing and configuring ECAT. Refer to the ECAT documents available at https://knowledge.rsasecurity.com.
Add RSA ECAT Data Source
To add RSA ECAT as a data source for Context Hub:
- In the Security Analytics menu, select Administration > Services.
The Services view is displayed.
- In the Services panel, select the Context Hub service, and select View > Config from the actions menu.
The Services Config view is displayed.
- In the Data Sources tab, click the add icon and select ECAT.
The Add Data Source dialog is displayed.
Provide the following information:
- Enable: Select Enable to enable the ECAT data source. This option is enabled (checked) by default.
- Name: Provide a name for the ECAT data source.
- Host: Enter the hostname or IP address of the server where the ECAT API server is installed.
- Port: The port on which the ECAT API server listens. The default is 9443.
- API Version: The default API version (/api/v2) supports connections to ECAT 4.1.1 and later.
- SSL: Select SSL if you want Security Analytics to communicate with the host using SSL. This is enabled by default; leave it enabled so that the API credentials and the lookup results are not sent in clear text.
- Username: Enter the ECAT API server username.
- Password: Enter the ECAT API server password.
- Max. Concurrent Queries: The maximum number of queries that the Context Hub service runs concurrently against this data source. The default value is 25.
- Click Test Connection to verify that Context Hub can reach the ECAT API server with the host, port, SSL setting, and credentials you entered.
- Click Save to save the settings.
ECAT is added as a data source for Context Hub. The added ECAT data source is displayed in the Data Sources tab.
Change ECAT Admin Password
The API server admin user assigns roles and permissions to new API users. The admin user is not created automatically at installation time; you create it by setting its password.
The ECAT admin username and password are as follows:
- Username: admin
- Password: This has to be set by running the following command on the ECAT API server host:
ApiServer.exe /setadminpswd A_Strong_Password
Replace A_Strong_Password with a strong password of your own. After setting the password, restart the API server for the change to take effect.
For more information about the RSA ECAT REST API server, refer to the ECAT documents available at https://knowledge.rsasecurity.com.
Configure Responses for ECAT Data Source
To view/edit responses for ECAT data source:
- In the Data Sources tab, select the ECAT source and click the configure icon.
The Configure ECAT Responses dialog is displayed.
- In the left panel, select each response (Machines, Modules, and InstantIOCs) to view and edit the settings.
Configure the following fields:
- Enable: This option is enabled (checked) by default and can be used to enable or disable the selected response.
- Use Cache: Select the checkbox to enable response caching. When enabled, Context Hub stores the lookup results in its cache, and subsequent requests for the same meta value are served from the cache for the configured time (Cache Expiration). Note that a cached result does not reflect changes that ECAT records during that window, so a module or machine that ECAT flags after the first lookup does not appear until the cache entry expires.
- Cache Expiration: The time (in minutes) that the lookup results are kept in the cache after a Context Lookup is performed. The default value is 30 minutes.
- Minimum IIOC Score (Modules only): The minimum IIOC score for fetching contextual information about ECAT modules. Only modules with an IIOC score greater than or equal to the configured minimum are fetched. The IIOC score for ECAT modules ranges from 0 to 1024, where 1024 is considered critical. By default, the minimum IIOC score is set to 500. Lowering the threshold surfaces more modules in the Context Lookup panel at the cost of more noise and more data returned per lookup; raising it hides lower-scored modules from analysts entirely.
- Click Save to save the changes.
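As an added illustration (not code from Context Hub or ECAT), the following Python model shows how the Use Cache / Cache Expiration settings and the Minimum IIOC Score filter shape what a Context Lookup returns. The ECAT API server is replaced by a constructed in-memory stand-in, and the module records and host names are sample data.

```python
"""Model of two settings in the Configure ECAT Responses dialog: response
caching (Use Cache / Cache Expiration) and the Minimum IIOC Score filter that
applies to the Modules response. Added illustration only: not Context Hub or
ECAT code. The module records and the fake ECAT backend are constructed data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

IIOC_MAX = 1024  # ECAT IIOC scores range from 0 to 1024; 1024 is critical


@dataclass(frozen=True)
class Module:
    name: str
    machine: str
    iioc_score: int


@dataclass
class ResponseConfig:
    enabled: bool = True
    use_cache: bool = True
    cache_expiration_min: int = 30  # Context Hub default
    min_iioc_score: int = 500       # Modules response only; Context Hub default


def filter_modules(modules: List[Module], min_score: int) -> List[Module]:
    """Keep modules whose IIOC score is >= min_score, highest score first."""
    if not 0 <= min_score <= IIOC_MAX:
        raise ValueError(f"minimum IIOC score must be 0..{IIOC_MAX}, got {min_score}")
    return sorted((m for m in modules if m.iioc_score >= min_score),
                  key=lambda m: m.iioc_score, reverse=True)


class ModulesLookup:
    """Context Lookup for the Modules response with a per-meta-value TTL cache."""

    def __init__(self, backend: Callable[[str], List[Module]],
                 config: ResponseConfig, clock: Callable[[], float]):
        self.backend = backend  # stands in for a query to the ECAT API server
        self.config = config
        self.clock = clock      # seconds; injectable so expiry can be simulated
        self._cache: Dict[str, Tuple[float, List[Module]]] = {}
        self.backend_calls = 0

    def lookup(self, meta_value: str) -> List[Module]:
        if not self.config.enabled:
            return []
        now = self.clock()
        ttl = self.config.cache_expiration_min * 60
        if self.config.use_cache:
            hit = self._cache.get(meta_value)
            if hit is not None and now - hit[0] < ttl:
                return hit[1]  # served from cache, possibly stale
        self.backend_calls += 1
        result = filter_modules(self.backend(meta_value), self.config.min_iioc_score)
        if self.config.use_cache:
            self._cache[meta_value] = (now, result)
        return result


# Constructed sample data: modules the fake ECAT knows about on two hosts.
ECAT_MODULES: Dict[str, List[Module]] = {
    "ws-042": [
        Module("svchost.exe", "ws-042", 120),
        Module("updater.dll", "ws-042", 510),
        Module("loader.exe", "ws-042", 1024),
    ],
    "ws-077": [Module("explorer.exe", "ws-077", 40)],
}


def simulate() -> Dict[str, object]:
    """Run one lookup sequence and return what an analyst would observe."""
    modules = {host: list(mods) for host, mods in ECAT_MODULES.items()}
    t = [0.0]

    def clock() -> float:
        return t[0]

    lookup = ModulesLookup(lambda host: list(modules.get(host, [])),
                           ResponseConfig(), clock)
    first = [m.name for m in lookup.lookup("ws-042")]   # backend queried
    # ECAT records a new high-scoring module 10 minutes later...
    t[0] = 10 * 60
    modules["ws-042"].append(Module("dropper.exe", "ws-042", 900))
    second = [m.name for m in lookup.lookup("ws-042")]  # still served from cache
    # ...and only after the 30-minute cache expiration is the lookup refreshed.
    t[0] = 31 * 60
    third = [m.name for m in lookup.lookup("ws-042")]
    quiet = [m.name for m in lookup.lookup("ws-077")]   # nothing scores >= 500
    return {"first": first, "second": second, "third": third,
            "quiet": quiet, "backend_calls": lookup.backend_calls}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running the script shows the second lookup returning the cached two modules even though the backend already knows about dropper.exe, and the third lookup (after expiry) returning all three; explorer.exe on ws-077 never appears because its score is below the 500 threshold.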
After completing the configuration, you can use the Context Lookup option in the Investigation > Navigate view or the Investigation > Events view to fetch contextual information from ECAT. For instructions, see the View Additional Context for a Data Point topic in the Investigation and Malware Analysis Guide.