ECATFEED is creating incorrect meta when indexing on device IP in Security Analytics
Issue
Security Analytics Investigation shows the wrong meta data from an ECATFEED.
Cause
If the device's IP address is allocated via DHCP, the address can change when the lease expires. Incorrect meta is generated when a computer has been unavailable for an ECAT Agent scan for an extended time (longer than the DHCP lease time).
The ECAT ConsoleServer shows only the details of the last known Agent scan, including any IP address whose DHCP lease has since expired, and that stale address is what gets published in the feed. Sessions from whichever device now holds that address are then tagged with the first machine's ECAT meta.
Setting the ECAT ConsoleServer option "Feed Publishing Interval" (which controls how often the feed file, machines.csv, is created) to an interval shorter than the DHCP lease time (say half), and setting the Security Analytics ECATFEED "Recur Every" interval to less than the machines.csv creation interval (say half again), still does not resolve the issue: the feed is refreshed more often, but each refresh still carries the stale address from the last scan.
Workaround
The RSA Online Documentation at https://sadocs.emc.com/0_en-us/090_10.4_User_Guide/95_RsaEcat/ConfviaRecurFeed describes creating the ECATFEED with the feed indexed on the IP address. If the IP address is not static, the feed should instead be indexed on a different field.
Depending on the data being received, modify the ECATFEED to index on the MachineName or the MacAddress. Bear in mind that eth.src holds the MAC address of the last hop seen by the Decoder, so indexing on it identifies the endpoint only where the Decoder sees traffic on the endpoint's own layer-2 segment; behind a router, eth.src is the router's MAC, and MachineName (matched against a hostname key) may be the better choice.
1. In the Security Analytics UI, go to Live -> Feeds
2. Edit the ECATFEED
3. In Define Columns, change the Index Column from ip.src to a non-IP column such as eth.src.
For example, column 2 (ip.src) is replaced as the index by column 5 (eth.src).
4. Save the feed and test.
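The following is an added illustration of the procedure above, not code from the article or from RSA: a small simulation of how a feed indexed on ip.src versus eth.src attributes ECAT meta to sessions when a DHCP lease has been recycled. The machines.csv content, its column layout (column 2 = IP, column 5 = MAC, following the example in step 3), the meta key names for the non-index columns (ecat.machine, ip.ecat and so on), and the sessions are all constructed for this example and do not reproduce the real ECAT feed format.

```python
import csv
import io

# Constructed stand-in for the ECAT machines.csv. Column positions are an
# assumption for this example only: column 2 holds the IP, column 5 the MAC.
# LAPTOP-ALICE's row is stale: its last ECAT scan predates the expiry of its
# DHCP lease on 10.1.2.50.
MACHINES_CSV = """\
LAPTOP-ALICE,10.1.2.50,Windows 7,3,00:11:22:33:44:55
DESKTOP-BOB,10.1.2.51,Windows 8.1,0,66:77:88:99:AA:BB
"""

# Meta key populated by each non-index column. Key names are assumed here;
# the real mapping is whatever was chosen under Live -> Feeds -> Define Columns.
COLUMN_KEYS = {1: "ecat.machine", 2: "ip.ecat", 3: "ecat.os",
               4: "ecat.score", 5: "ecat.mac"}

# Constructed sessions as the Decoder would see them. 10.1.2.50 has since been
# leased to a host ECAT has not scanned; LAPTOP-ALICE came back with a new IP.
SESSIONS = [
    {"ip.src": "10.1.2.51", "eth.src": "66:77:88:99:aa:bb"},  # DESKTOP-BOB, unchanged
    {"ip.src": "10.1.2.50", "eth.src": "cc:dd:ee:ff:00:11"},  # new holder of ALICE's old IP
    {"ip.src": "10.1.2.77", "eth.src": "00:11:22:33:44:55"},  # LAPTOP-ALICE, new lease
]


def normalise(value):
    """Feed values and session meta must compare equal exactly; MAC addresses
    in particular may differ only in case between the ECAT export and the Decoder."""
    return value.strip().lower()


def build_feed(csv_text, index_column):
    """Index the feed file on one column (1-based), as the Define Columns step
    does. Returns {index value: {meta key: value}} for the remaining columns."""
    table = {}
    for row in csv.reader(io.StringIO(csv_text)):
        key = normalise(row[index_column - 1])
        table[key] = {
            COLUMN_KEYS[i]: cell
            for i, cell in enumerate(row, start=1)
            if i != index_column
        }
    return table


def enrich(session, feed, index_key):
    """Add the feed's meta to a session whose index_key meta matches a feed row."""
    hit = feed.get(normalise(session.get(index_key, "")))
    return {**session, **hit} if hit else dict(session)


def machine_for(sessions, index_column, index_key):
    """Return the ECAT machine name attributed to each session, or None."""
    feed = build_feed(MACHINES_CSV, index_column)
    return [enrich(s, feed, index_key).get("ecat.machine") for s in sessions]


if __name__ == "__main__":
    # Indexed on ip.src the unscanned host inherits LAPTOP-ALICE's meta and
    # ALICE herself gets none; indexed on eth.src both are attributed correctly.
    print("indexed on ip.src :", machine_for(SESSIONS, 2, "ip.src"))
    print("indexed on eth.src:", machine_for(SESSIONS, 5, "eth.src"))
```

With the feed indexed on column 2 the second session (a different machine that now holds 10.1.2.50) is wrongly tagged as LAPTOP-ALICE and the third session (the real LAPTOP-ALICE on its new address) gets no ECAT meta at all; indexed on column 5 the attribution follows the MAC and both are correct. The normalisation step is worth keeping in mind when testing the feed: a case mismatch between the exported MAC and the Decoder's eth.src value silently produces no matches.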
Notes
Note: If the ECAT ip.src information in column 2 is not to be relied on, you can also create a new meta key and put that information there (something like ip.ecat), so that the address reported by ECAT is kept separate from the session's real ip.src. For how to do this, see the other RSA KB articles on creating custom meta, such as How to add custom meta keys in RSA Security Analytics compared to RSA NetWitness NextGen.
Product Details
RSA Product Set: Security Analytics, ECAT
RSA Product/Service Type: Live, ECAT
RSA Version/Condition: 10.4.x & 4.0.x
Platform: CentOS
O/S Version: EL6
Summary
Security Analytics Investigation shows wrong meta data from an ECATFEED.