Configure ECAT to Receive RSA Live Feeds

Document created by RSA Information Design and Development on Oct 23, 2017. Last modified by RSA Information Design and Development on Dec 1, 2017. Version 2.

RSA ECAT 4.0 and later can be configured to receive feeds from RSA Live. Several feeds in RSA Live contain suspicious domains and IP addresses, and several Instant Indicators of Compromise (IOCs) defined within ECAT can benefit from these feeds from an intelligence perspective. None of the feeds are enabled by default in ECAT. When a feed is enabled, the ECAT Console Server connects to RSA Live (https://cms.netwitness.com) and periodically downloads feed data into the ECAT system.

Note:
• ECAT does not publish any feeds into RSA Live. It is only a consumer of feeds.
• The procedure to configure ECAT to receive RSA Live feeds is different for ECAT version 4.0 and ECAT version 4.1. We have included instructions for both versions.

Prerequisites

The following are required for this integration:

  • ECAT UI version 4.0 or later and Security Analytics Server version 10.6 installed.
  • An RSA Live account, for which you can get a username and password from RSA Support.
  • ECAT Console Server should be able to connect to https://cms.netwitness.com.
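A pre-flight check for the last prerequisite, added here as an illustration and not part of the RSA documentation or the ECAT product; it assumes it is run in PowerShell on the ECAT Console Server and uses the cms.netwitness.com / 443 defaults named on this page:

```powershell
# Added pre-flight check (not RSA code): verify that this Console Server can
# resolve, reach and complete a TLS handshake with RSA Live before enabling feeds.
param(
    [string]$LiveHost = 'cms.netwitness.com',   # default host from this document
    [int]$LivePort    = 443                      # default port from this document
)

# 1. Name resolution: feeds cannot download if DNS fails on the Console Server.
$dns = Resolve-DnsName -Name $LiveHost -Type A -ErrorAction SilentlyContinue
if (-not $dns) { Write-Warning "DNS: cannot resolve $LiveHost"; return }
Write-Host "DNS: $LiveHost -> $(($dns | Where-Object IPAddress).IPAddress -join ', ')"

# 2. Outbound TCP: an egress firewall between the Console Server and the Internet
#    is the most common reason for a failed Test Connection / Test Settings.
$tcp = Test-NetConnection -ComputerName $LiveHost -Port $LivePort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { Write-Warning "TCP: port $LivePort on $LiveHost is blocked"; return }
Write-Host "TCP: port $LivePort on $LiveHost reachable"

# 3. TLS handshake with certificate validation against the machine trust store.
#    An open port but a failed handshake (for example an interception proxy that
#    presents its own certificate) still means feed downloads will fail.
$ssl    = $null
$client = New-Object System.Net.Sockets.TcpClient($LiveHost, $LivePort)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($LiveHost)   # throws on untrusted chain or name mismatch
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "TLS: $($ssl.SslProtocol); subject '$($cert.Subject)'; issuer '$($cert.Issuer)'; expires $($cert.NotAfter)"
} catch {
    Write-Warning "TLS: handshake with $LiveHost failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Dispose()
}

# 4. System proxy: if one is configured for this host, traffic from the Console
#    Server will be routed through it, which may need a firewall rule of its own.
$proxyUri = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy("https://$LiveHost/")
if ($proxyUri.Host -ne $LiveHost) { Write-Host "Proxy: system proxy in use -> $proxyUri" }
```

Run it as the account the ECAT Console Server service uses, so that the proxy and trust-store results match what ECAT itself will see.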

Enable or Disable Feeds

For ECAT version 4.0

  1. Open the ECAT user interface and log on using the proper credentials.
  2. From the menu bar at the top of the page, select Database > Import Checksums.
    The Import Checksum dialog is displayed.
  3. Select the RSA Live tab, and then the Settings sub-tab.
  4. Fill in the details of the RSA Live server and credentials.
    The host value is usually cms.netwitness.com.
    The port is usually 443.
  5. To validate connectivity, click Test Connection.
    A Passed message is displayed if all settings are correct.
  6. Click Apply.
  7. Select the Subscribed Feeds sub-tab.
    A list of all feeds is displayed.
  8. Select the feeds that you want ECAT to import from RSA Live.
  9. Enter an appropriate interval. The recommended time is 24 hours, which configures ECAT to connect to RSA Live every 24 hours to update the imported data.
  10. (Optional) Click Refresh Now to download the feeds right away.
  11. Click Save.

To view the status of imported known bad domains and IPs from various feeds, select the Status tab and select the feed. The number of entries per feed varies from a few hundred to several thousand.

For ECAT version 4.1

  1. Create a SQL user with credentials in ECAT:
    1. Open the ECAT user interface and log on using the proper credentials.
    2. Click Configure > Manage Users and Roles.
    3. In Security, right-click in the pane and select Create a new SQL User.
    4. Provide the login name and the password.
  2. From the menu bar at the top of the page, select Configure > Monitoring and External Components.
  3. The External Components Configuration window is displayed. Select RSA Live and click +.
  4. The RSA Live dialog is displayed.
  5. Under RSA Live, in On, type a name to identify this component.
  6. In RSA Live Settings, do the following.
    1. In Username and Password, type the credentials to use for accessing this component.
    2. In Server Hostname/IP, the default value is cms.netwitness.com. Update the field if needed.
    3. In Port, the default port number is 443. Update the field if needed.
  7. In RSA Live Subscribed Feeds, do the following.
    1. In Refresh Interval, enter an appropriate interval. The recommended interval is 24 hours, which means that ECAT connects to RSA Live every 24 hours to update the imported data.
    2. Select the feeds for ECAT to import from RSA Live.
  8. Click Save.
    The RSA Live component is added to ECAT and the feeds are activated.
  9. To validate the connectivity, select the newly added component and then click Test Settings.
    If all settings are correct, a Passed message is displayed.

RSA Live Feeds for ECAT 4.0 and later

The following feeds are available (feed name, followed by its description):

  • IDefense Threat Indicators Domains: Verisign iDefense security intelligence services give information security executives access to accurate and actionable cyber intelligence related to vulnerabilities, malicious code, and global threats 24 hours a day, 7 days a week. Verisign iDefense's in-depth analysis, insight, and response recommendations help keep businesses and government organizations ahead of new and evolving threats and vulnerabilities.
  • Malware Domain List: List of domains commonly associated with malware, sourced from www.malwaredomainlist.com.
  • Malware Domains: List of domains associated with malware, sourced from www.malwaredomains.com.
  • Malware IP List: List of IP addresses commonly associated with malware, sourced from www.malwaredomainlist.com.
  • RSA FirstWatch APT Threat Domains: This feed contains domains known to be associated with APTs.
  • RSA FirstWatch APT Threat IPs: This feed contains IPs known to be associated with APTs.
  • RSA FirstWatch Command and Control Domains: This feed contains domains that are known to be associated with malware command and control.
  • RSA FirstWatch Command and Control IPs: This feed contains IPs that are known to be associated with malware command and control.
  • RSA FirstWatch Criminal SOCKS node IPs: This feed contains IPs that represent known SOCKS nodes for criminal anonymization services.
  • RSA FirstWatch Criminal Socks User IPs: This feed contains IPs that have been observed using criminal anonymization services.
  • RSA FirstWatch Criminal VPN Entry IPs: This feed contains IPs that represent known VPN entry nodes for criminal anonymization services.
  • RSA FirstWatch Criminal VPN Exit IPs: This feed contains IPs that represent known VPN exit nodes for criminal anonymization services.
  • RSA FirstWatch IP Reputation: This feed contains IPs that are known to be compromised.
  • RSA FraudAction Domains: This feed contains domains from the RSA FraudAction feed.
  • RSA FraudAction IPs: This feed contains IPs from the RSA FraudAction feed.
  • Spamhaus DROP List IP Ranges: DROP (Don't Route Or Peer) and EDROP are advisory "drop all traffic" lists, consisting of stolen ('hijacked') netblocks and netblocks controlled entirely by criminals and professional spammers.
  • SpyEye Domain Tracker: SpyEye domain tracker is a list of SpyEye (also known as zbot, prg, wsnpoem, gorhax and kneber) command-and-control domain names. SpyEye tracker has tracked more than 2,800 malicious SpyEye C&C servers. SpyEye is spread mainly through drive-by downloads and phishing schemes.
  • Tor Exit Nodes: This feed contains IPs that are listed as active exit nodes for the Tor network.
  • Tor Nodes: This feed contains IPs that are listed as active nodes in the Tor network.