This procedure is required so that alerts from the alert sources are displayed in Incident Management. You have an option to enable or disable the alerts being populated in the Incident Management view. By default this option is disabled in the Reporting Engine, Malware Analytics, and ECAT and enabled only in Event Stream Analysis. So when you install the Incident Management service you need to enable this option in the Reporting Engine, Malware Analytics, and ECAT to populate the corresponding alerts in the Incident Management view.
- The Incident Management service is installed and running on Security Analytics.
- A database is configured for the incident management service.
- ECAT is installed and running.
Configure Reporting Engine to Display Alerts Triggered by Reporting Engine in Incident Management View
The Reporting Engine alerts are by default disabled from being displayed in Incident Management view. To display and view the Reporting Engine alerts, you have to enable the Incident Management alerts in the Services Config view > General tab for the Reporting Engine.
- In the Security Analytics menu, select Administration > Services.
- Select a Reporting Engine service, and select > View > Config.
The Services Config view is displayed with the Reporting Engine General tab open.
- Select System Configuration.
- Select the checkbox for Forward Alerts to IM.
The Reporting Engine now forwards the alerts to Incident Management.
For details on parameters in the General tab, see the Reporting Engine General Tab topic in the Reporting Engine Configuration Guide.
Configure Malware Analytics to View Alerts Triggered by Malware Analytics in Incident Management view
Viewing Incident Management alerts is a function of auditing in Malware Analysis. The procedure of enabling IM alerts is described in the (Optional) Configure Auditing on Malware Analysis Host topic in the Malware Analysis Configuration Guide.
Configure ECAT to View Alerts Triggered by ECAT in Incident Management View
This procedure is required to integrate ECAT with Security Analytics so that the ECAT alerts are picked up by the Incident Management component of Security Analytics and displayed in the Incident > Alerts view.
The diagram below represents the flow of ECAT alerts to the Incident Management queue of Security Analytics and its display in the Incident > Alerts view.
Configure ECAT to Display ECAT Alerts
To configure ECAT to display ECAT alerts in the Security Analytics user interface:
In the ECAT User Interface, click Configure > Monitoring and External Components.
The Monitoring and External Components dialog is displayed.
Right-click anywhere on the dialog and select Add Component.
The Add Component dialog is displayed.
Provide the following information:
- Select IM broker for the Component Type from the drop-down options.
- Type a user name to identify the IM broker.
- Type the Host DNS or IP address of the IM broker.
- Type the Port number. The default port is 5671.
- Click Save and Close to close all the dialogs.
To set up SSL for IM Alerts, perform the following steps on the ECAT to set the SSL communications:
- On the ECAT primary console server, export the ECAT CA certificate to cer format(Base-64 encoded X.509) from the Local Computer's personal certificate store (without selecting the private key).
On ECAT primary console server, generate a client certificate for ECAT using the ECAT CA certificate. (The CN name MUST be set to ecat.)
makecert -pe -n "CN=ecat" -len 2048 -ss my -sr LocalMachine -a sha1 -sky exchange -eku 18.104.22.168.22.214.171.124.2 -in "EcatCA" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -cy end -sy 12 client.cer
On ECAT primary console server, make a note of the thumbprint of the client certificate generated in step b. Enter the thumbprint value of the client certificate in the IMBrokerClientCertificateThumbprint section of the ConsoleServer.Exe.Config file as shown.
<add key="IMBrokerClientCertificateThumbprint" value="?896df0efacf0c976d955d5300ba0073383c83abc"/>
- On the SA server, append the content of the ECAT CA certificate file in .cer format (from step a) to /etc/puppet/modules/rabbitmq/files/truststore.pem.
On the SA server, run puppet agent as shown (or wait 30 minutes for SA server to run).
puppet agent -t
- On ECAT primary console server, import the /var/lib/puppet/ssl/certs/ca.pem file from SA server to Trusted Root Certification Authorities store. This will ensure that the ECAT as a client, will be able to trust the IM server certificate