This topic describes the procedure to configure ECAT as a data source for Context Hub.
To use the Context Hub service to fetch contextual information from ECAT, you must configure ECAT as a data source for Context Hub. Use the procedures in this topic to add ECAT as a data source for the Context Hub service and configure the responses (if required) for ECAT.
Responses are the different types of context information that are available for a data source. The configuration of these responses for the ECAT source controls what appears in the Context Lookup panel displayed in Investigation views when Context Lookup is performed. The types of responses for the ECAT data source are Machines, Modules, and InstantIOCs.
Responses for each data source are already configured with default values for optimal performance. You can view or edit the default values by using the procedure in this topic.
- Context Hub is enabled and the service is available in the Administration > Services view of Security Analytics.
- RSA ECAT (v4.1.1 and above) is installed and configured.
The RSA ECAT 4.1.1 documents provide detailed information about installing and configuring ECAT. Refer to the ECAT documents available at https://knowledge.rsasecurity.com.
Add RSA ECAT Data Source
To add RSA ECAT as a data source for Context Hub:
- In the Security Analytics menu, select Administration > Services.
The Services view is displayed.
- In the Services panel, select the Context Hub service, and > View > Config.
The Services Config view is displayed.
- In the Data Sources tab, click > ECAT.
The Add Data Source dialog is displayed.
Provide the following information:
- Click Test Connection to test the connection between Context Hub and the ECAT data source.
- Click Save to save the settings.
ECAT is added as a data source for Context Hub. The added ECAT data source is displayed in the Data Sources tab.
Change ECAT Admin Password
The API-Server Admin user assigns the roles and permissions to the new users. The admin user is not created by default at the time of installation.
The ECAT Admin username and password are as given below:
- Username: admin
- Password: This has to be set using the following command:
ApiServer.exe /setadminpswd A_Strong_Password
After setting the password, restart the server.
For more information about the RSA ECAT REST API Server, refer to the ECAT documents available at https://knowledge.rsasecurity.com.
Configure Responses for ECAT Data Source
To view or edit responses for the ECAT data source:
- In the Data Sources tab, select the ECAT source and click .
The Configure ECAT Responses dialog is displayed.
- In the left panel, select each response (Machines, Modules, and InstantIOCs) to view and edit the settings.
Configure the following fields:
- Click Save to save the changes.
After completing the configuration, you can use the Context Lookup option in the Investigate > Navigate view or the Investigation > Events view to fetch contextual information. For instructions, see the View Additional Context for a Data Point topic in the Investigation and Malware Analysis Guide.