RSA Archer Integration Guide

for Version 10.6.6


Contact Information
RSA Link at https://community.rsa.com contains a knowledgebase that answers common
questions and provides solutions to known problems, product documentation, community
discussions, and case management.

Trademarks
For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are
furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the
documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights
thereto is hereby transferred. Any unauthorized use or reproduction of this software and the
documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment
by EMC.

Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license
agreements applicable to third-party software in this product may be viewed on the product
documentation page on RSA Link. By using this product, a user of this product agrees to be fully
bound by terms of the license agreements.

Note on Encryption Technologies


This product may contain encryption technology. Many countries prohibit or restrict the use,
import, or export of encryption technologies, and current use, import, and export regulations
should be followed when using, importing or exporting this product.

Distribution
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
April 2019

Contents

RSA Archer Integration 5

Configure Security Analytics to Work With Archer 6


Integration Methods 6
Security Analytics Incident Management Integration Service (SAIM) 7
RSA Unified Collector Framework (UCF) 7
Prerequisites 8
RSA Unified Collector Framework Integrations 8
Create RSA Archer User Accounts for Push and Pull 8
Configure Endpoints in RSA Unified Collector Framework 10
Configure Syslog Output Action for the Reporting Engine for Security Analytics 10.5 13
Configure ESA Syslog Notification Settings in Security Analytics 10.5 or Later 13
Configure Incident Management for Integration with Archer SecOps 1.3 14
Step 1: Configure Incident Management Database 15
Step 2: Select the Mode for Security Analytics Incident Management 15
Step 3: Configure Forwarding to Security Analytics Incident Management Service 16
Step 4: Forward ECAT Alerts to the Security Analytics Incident Management Service 17
Step 5: Aggregate Alerts into Incidents 17
Configure Syslog Output Action for the Reporting Engine for Security Analytics 18
Configure SA RE SSL for Secure Syslog Server 19
Configure Rules in Security Analytics 19
Add Alert Templates for the Reporting Engine in Security Analytics 20
Configure Alerts in Security Analytics 20
Configure ESA Syslog Notification Settings in Security Analytics 21
Configure SA ESA SSL for Secure Syslog Server in Security Analytics 22
Add ESA Alert Templates in Security Analytics 22
Create ESA Rules in Security Analytics 23
RSA Archer Feeds 24
Update the Concentrator and Decoder Services 24
Add the RSA Archer Enterprise Management Endpoint in the UCF 25
Update the RSA Security Analytics Host File for SSL Mode 27
Create a Recurring Feed Task 27


Manage the RSA Unified Collector Framework 28


Start the RSA Unified Collector Framework 28
Stop the RSA Unified Collector Framework 29
Uninstall the RSA Unified Collector Framework 29

Troubleshoot RSA Archer Integration 30


Setting the CA Truststore 30
Manually Copy Enterprise Management Certificates 30
Security Analytics Incident Management Certificates 30
Incidents in RSA Archer Security Operations Management Solution 31
Remediation Tasks in RSA Archer Security Operations Management 33
Errors between RSA Security Analytics and RSA Unified Collector Framework 33


RSA Archer Integration


Administrators can integrate RSA Security Analytics with RSA Archer Security Operations
(SecOps) to send alerts and incidents from Security Analytics to Archer for incident
management and remediation. This guide provides a high-level workflow for configuring this
integration.
You can integrate Security Analytics with RSA Archer SecOps to achieve the following:
• Incident Management: All incidents created in Security Analytics can be handled in Archer
for complete incident management.

• Incident Remediation: Incidents are handled in Security Analytics, but the remediation tasks
are optionally exported to Archer.

Archer SecOps Version 1.1
  Security Analytics 10.5 Integration: Event Stream Analysis (ESA) module
  Reference: See the Configure a Template topic in the System Configuration guide:
  System Configuration > Standard Procedures > Configure Templates for Notifications >
  Configure a Template

Archer SecOps Version 1.2
  Security Analytics 10.5 Integration: Incident Management
  Reference: See the Configure Integration Setting to Manage Incidents in RSA Archer
  Security Operations topic in the Incident Management guide: Incident Management >
  System Integration > Configure Integration Setting to Manage Incidents in RSA Archer
  Security Operations

Topics
• Configure Security Analytics to Work With Archer

• Troubleshoot RSA Archer Integration


Configure Security Analytics to Work With Archer


RSA Security Analytics can be configured to send alerts and incidents to RSA Archer for
incident management and remediation. Integration of Security Analytics with RSA Archer
SecOps can achieve the following:
• Incident Management: All incidents created in Security Analytics can be handled in Archer
for complete incident management.

• Incident Remediation: Incidents are handled in Security Analytics, but the remediation tasks
are optionally exported to Archer.

The RSA Archer Security Operations Management solution enables you to aggregate all
actionable security alerts, allowing you to become more effective, proactive, and targeted in
your incident response and SOC management. For more information on RSA Archer SecOps
capabilities, see RSA Archer documentation on the RSA Archer Community or on the RSA
Archer Exchange Community.
See the SecOps Installation Guide for the Archer platforms supported.
The version of RSA Archer determines how RSA Security Analytics will be integrated.
• RSA Archer Security Operations Management 1.2 integrates with RSA Security Analytics
using the RSA UCF (Unified Collector Framework), which comprises the SAIM integration
service and the RCF (RSA Connector Framework).

• RSA Archer Security Operations Management 1.3 integrates with RSA Security Analytics
using the RSA UCF (Unified Collector Framework), which comprises the SAIM Integration
service and the SecOps Watchdog service.

Integration Methods
You have to configure system integration settings to manage incident workflow in RSA Archer
Security Operations Management. When this setting is enabled, Incidents and Remediation
Tasks are no longer visible in RSA Security Analytics.
For information on how to configure system integration settings to manage incident workflow in
RSA Archer Security Operations, see the Configure Integration Setting to Manage Incidents
in RSA Archer Security Operations topic in the Incident Management Guide (Incident
Management > System Integration > Configure Integration Setting to Manage Incidents in RSA
Archer Security Operations).


Security Analytics Incident Management Integration Service (SAIM)


The Security Analytics Incident Management Integration Service (SAIM) integrates the RSA
Archer Security Operations Management solution 1.2 and 1.3 with the RSA Security Analytics
Incident Management module. You can choose one of the following integration options:
• Manage the full incident workflow in RSA Archer Security Operations Management. If you
select this option, the Security Analytics Incident Management Integration Service transports
incidents from the Security Analytics Incident Management module into the solution.

• Manage the incident workflow in the Security Analytics Incident Management module and
allow analysts the option to escalate remediation tasks and open data breaches for
management and remediation in the RSA Archer Security Operations Management solution.
If you select this option, the Security Analytics Incident Management Integration Service
transports remediation tasks (created as Findings), data breaches, or both.

Note: You must configure the same option in both RSA Security Analytics and the Security
Analytics Incident Management Integration Service.

RSA Unified Collector Framework (UCF)


RSA Security Analytics integrates with RSA Archer SecOps 1.3 using the RSA Unified
Collector Framework (UCF).
The RSA Unified Collector Framework (UCF) integrates with all supported SIEM tools and the
RSA Archer Security Operations Management solution. When integrating the RSA Security
Analytics Incident Management module, you can choose one of the following integration options:
• Manage the full incident workflow in RSA Archer Security Operations Management. If you
select this option, the Unified Collector Framework transports incidents from the Security
Analytics Incident Management module into the solution.

• Manage the incident workflow in the Security Analytics Incident Management module and
allow analysts the option to escalate remediation tasks and open data breaches for
management and remediation in the RSA Archer Security Operations Management solution.
If you select this option, the Unified Collector Framework transports remediation tasks
(created as Findings), data breaches, or both.

Note:
• You must configure the same option in both RSA Security Analytics and the Unified
Collector Framework.
• Integrating the RSA Security Analytics Incident Management module with the UCF at the
same time as the Reporting Engine or ESA syslog integrations can result in duplicate events
and incidents in RSA Archer SecOps, because an alert that is both forwarded to Incident
Management and sent to the UCF over syslog arrives at the UCF twice.


UCF supports multiple SIEM tools connections at the same time, such as supporting Security
Analytics Reporting Engine, HP ArcSight, and Security Analytics Incident Management.
However, different instances of the same SIEM tool are not supported, such as two Security
Analytics servers connected to the same UCF.

Prerequisites
• Install RSA Archer Security Operations Management. See RSA Archer documentation on the
RSA Archer Community or on the Content Tab
at https://community.emc.com/community/connect/grc_ecosystem/rsa_archer_exchange.

• Security Analytics 10.5 or later is compatible with SecOps 1.2 and SecOps 1.3. Security
Analytics 10.5 is also compatible with SecOps 1.1; however, this is not recommended.

• It is recommended that you upgrade to SecOps 1.3 if using Security Analytics 10.6.

• Ensure that the Incident Management module is configured in RSA Security Analytics.

• For Archer SecOps 1.3, you must create a user account for the web service client to use to
transfer data into the RSA Archer GRC Platform.

RSA Unified Collector Framework Integrations


The RSA Unified Collector Framework (UCF) allows you to integrate your RSA Archer
Security Operations Management system with the following:
• Security Analytics Incident Management (SA IM)

• Security Analytics Reporting Engine (SA RE)

• Security Analytics Event Stream Analysis (SA ESA)

Create RSA Archer User Accounts for Push and Pull


Two RSA Archer user accounts are required to avoid conflicts while sending and receiving data
from RSA Security Analytics.
1. Click Administration > Access Control > Manage Users > Add New.

2. In the First and Last Name fields, enter a name that indicates that the UCF uses this account
to push data into RSA Archer GRC. For example, UCF User, Push.

Note: When configuring the Pull account, enter a name that indicates that the UCF uses
this account to pull data from RSA Archer GRC. For example, UCF User, Pull.

3. (Optional) Enter a user name for this new user account.


Note: If you do not specify a user name, the RSA Archer GRC Platform creates the user
name from the first and last name entered when you save the new user account.

4. In the Contact Information section, in the Email field, enter an email address to associate
with this new user account

5. In the Localization section, change the time zone to (UTC) Coordinated Universal Time.

Note: The UCF uses UTC time to baseline all the time-related calculations.

6. In the Account Maintenance section, enter and confirm a new password for the new user
account.

Note: Record the user name and password for the new user account that you just created.
You need to enter these credentials when you set up the UCF to communicate with the
RSA Archer GRC Platform through the web service client.

7. Clear the Force Password Change On Next Sign-In option.

8. In the Security Parameter field, select the security parameter that you want to use for this
user.

Note: If you assign a default security parameter with a password change interval of 90
days, you also must update the user account password stored in the SA IM Integration
Service every 90 days. To avoid this, you can optionally create a new security parameter
for the SA IM Integration Service user account and set the password change interval to the
maximum value allowed by your corporate standards.

9. Click the Groups tab, and do the following:


a. In the Groups section, click Lookup.

b. In the Available Groups window, expand Groups.

c. Scroll down and select SOC: Solution Administrator and EM: Read Only.

d. Click OK.

10. Click Apply, then click Save.

11. If the machine language and regional settings of your RSA Archer GRC system are set to
anything other than English-US, do the following:

a. Open the user account you just created, and in the Localization section, in the Locale
field, select English (United States), and click Save.

b. On the Windows system hosting your RSA Archer GRC Platform, open Internet
Information Services (IIS) Manager.


c. Expand your RSA Archer GRC site, click .Net Globalization, in both the Culture and UI
Culture fields, select English (United States), and click Apply.

d. Restart your RSA Archer GRC site.

12. Repeat steps 1 – 11 to create a second user account for the UCF to pull data from RSA
Archer GRC.

Configure Endpoints in RSA Unified Collector Framework


Endpoints provide the connection details required for the UCF to reach both your RSA Security
Analytics and RSA Archer GRC systems.

Note: Which endpoints are necessary depends on the integrations you use. The following
list shows the mandatory endpoints and the integrations they serve.

Mandatory endpoints:
• Archer Push
• Archer Pull
• Security Analytics Incident Management (SA IM)
• Mode selection: SecOps or Non-SecOps mode
• Syslog Server
• Enterprise Management

Integrations:
• Syslog endpoint (Reporting Engine and ESA alerts sent over syslog)
• Security Analytics Incident Management (SA IM)
• Enterprise Management plug-in endpoint

Note:
• If Non-SecOps mode is selected, incidents are managed in SA IM instead of RSA Archer
Security Operations Management.
• You must configure the TCP, secure TCP, and UDP ports.
• Ensure the certificate subject name for your RSA Archer GRC server matches the
hostname. The UCF connects to Archer over SSL, and a name mismatch makes certificate
validation, and therefore the push and pull endpoints, fail.


Procedure
1. On your UCF system, open the Connection Manager, as follows:

a. Open a command prompt.

b. Change directories to <install_dir>\SA IM integration service\data-collector.

c. Type:
runConnectionManager.bat

2. In the Connection Manager, enter 1 for Add Endpoint.

3. Add an endpoint for pushing data to RSA Archer Security Operations Management, as
follows:

a. Enter the number for Archer.

Note: SSL must be enabled to add the RSA Archer endpoints.

b. For the endpoint name, type push.

c. Enter the URL of your RSA Archer GRC system.

d. Enter the instance name of your RSA Archer GRC system.

e. Enter the user name of the user account you created to push data into your RSA Archer
GRC system.

f. Enter the password for the user account you created to push data into your RSA Archer
GRC system, and confirm the password.

g. When asked whether this account is used for pulling data, enter False.

4. Add an endpoint for pulling data from RSA Archer Security Operations Management, as
follows:

a. Enter the number for Archer.

Note: SSL must be enabled to add the RSA Archer endpoints.

b. For the endpoint name, type pull.

c. Enter the URL of your RSA Archer GRC system.

d. Enter the instance name of your RSA Archer GRC system.

e. Enter the user name of the user account you created to pull data from your RSA Archer
GRC system.


f. Enter the password for the user account you created to pull data from your RSA Archer
system, and confirm the password.

g. When asked whether this account is used for pulling data, enter True.

5. Add an endpoint for RSA Security Analytics Incident Management, as follows:


a. Enter the number for Security Analytics IM.

b. Enter a name for the endpoint.

c. Enter the SA Host IP address.

d. For SA Port, enter 5671.

e. Enter the target queue for remediation tasks. Selecting All processes both the RSA
Archer Integration (GRC) and IT Helpdesk (Operations).

f. To automatically add certificates to the Security Analytics trust store, do the following:
i. Enter Yes.

ii. Enter the SA Host username and password.

Note: If you receive an error that the CA trust store failed to set, see Troubleshoot RSA
Archer Integration.

6. In UCF connection manager, select the mode, as follows:


a. Enter the number for Mode Selection.

b. Select one of the following options:

• Manage incident workflow in RSA Security Analytics.

• Manage incident workflow exclusively in RSA Archer Security Operations Management.

7. To use third-party integrations, add the Syslog Server Endpoint, as follows:


a. Enter the number for Syslog Server Endpoint.

b. Enter the following:

SSL configured: Whether SSL is configured for the Syslog server. SSL is required for the
secure TCP mode.

Secure TCP port: Enter the secure TCP port if the Syslog client sends the Syslog message in
secure TCP mode.

Note: Defaults to 1515. If you do not want to host the Syslog server in this mode, enter 0.

TCP port: Enter the TCP port if the Syslog client sends the Syslog message in TCP mode.

Note: Defaults to 1514. If you do not want to host the Syslog server in this mode, enter 0.

UDP port: Enter the UDP port if the Syslog client sends the Syslog message in UDP mode.

Note: Defaults to 514. If you do not want to host the Syslog server in this mode, enter 0.

By default, the Syslog server runs in all three modes unless a mode is disabled by
entering 0. Plain TCP and UDP syslog is neither authenticated nor encrypted, so prefer
secure TCP from the Reporting Engine and ESA, and enter 0 for any mode you do not use.

8. To test the Syslog client, enter the number for Test Syslog Client. Use the Test Syslog client
with the files from <install_dir>\SA IM integration service\config\mapping\test-files\.

9. In Connection Manager, enter 5 to test each endpoint.
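The Syslog Server endpoint above listens in three modes (UDP 514, TCP 1514, secure TCP 1515, each disabled by entering 0), and step 8 tests it with the UCF's own client. As an added example, not code from the RSA guide or from the UCF, the following Python script builds an RFC 3164 syslog record and delivers it in any of the three modes; in secure TCP mode it trusts only the UCF's own keystore.crt.der (the file the SSL sections later copy from cert-tool\certs) and requires the certificate name to match the UCF hostname. The hostnames, the alert body text and the facility code are assumptions for illustration.

```python
"""Send a test alert to the UCF Syslog Server endpoint in UDP, TCP or secure TCP mode.

Added example; not code from the RSA guide or the UCF.  Hostnames, the alert
body and the facility are assumptions for illustration.
"""
import socket
import ssl
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# RFC 3164 priority: PRI = facility * 8 + severity.
FACILITY_LOCAL0 = 16   # assumed; use whatever Facility you configure in SA
SEVERITY_ALERT = 1

# The UCF Connection Manager defaults; a port of 0 means that mode is disabled.
DEFAULT_PORTS = {"udp": 514, "tcp": 1514, "secure-tcp": 1515}


def pri(facility: int, severity: int) -> int:
    """Compute the <PRI> value, rejecting out-of-range codes."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def build_message(hostname: str, tag: str, body: str,
                  facility: int = FACILITY_LOCAL0, severity: int = SEVERITY_ALERT,
                  when: Optional[datetime] = None) -> bytes:
    """Format one RFC 3164 record: <PRI>Mmm dd hh:mm:ss HOST TAG: BODY and a newline."""
    if "\n" in body:
        # A newline would split the record into two (the second one malformed).
        raise ValueError("syslog body must be a single line")
    when = when or datetime.now(timezone.utc)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day is space-padded
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {body}\n".encode("utf-8")


def tls_context(der_cert: Path) -> ssl.SSLContext:
    """Trust only the UCF certificate (keystore.crt.der) and verify the hostname,
    the same expectation the guide places on the Archer endpoint certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cadata=der_cert.read_bytes())   # cadata accepts DER bytes
    return ctx


def send(mode: str, ucf_host: str, message: bytes, port: Optional[int] = None,
         der_cert: Optional[Path] = None, timeout: float = 5.0) -> int:
    """Deliver one record in the given mode; returns the number of bytes sent."""
    if mode not in DEFAULT_PORTS:
        raise ValueError(f"unknown mode {mode!r}")
    port = DEFAULT_PORTS[mode] if port is None else port
    if port == 0:
        # Mirror the UCF: 0 means the listener for this mode is not running.
        raise ValueError(f"{mode} mode is disabled (port 0)")
    if mode == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(message, (ucf_host, port))
    with socket.create_connection((ucf_host, port), timeout=timeout) as raw:
        if mode == "tcp":
            raw.sendall(message)
            return len(message)
        if der_cert is None:
            raise ValueError("secure-tcp needs the UCF certificate (keystore.crt.der)")
        with tls_context(der_cert).wrap_socket(raw, server_hostname=ucf_host) as tls:
            tls.sendall(message)   # fails here if the cert name does not match ucf_host
            return len(message)


if __name__ == "__main__":
    # Constructed sample alert; the field layout is illustrative, not a UCF template.
    alert = build_message("sa-re.example.local", "SecOps",
                          'Alert="Suspicious outbound beacon" Severity="High" Source="SA RE"')
    print(send("secure-tcp", "ucf.example.local", alert,
               der_cert=Path("keystore.crt.der")))
```

Run it once per mode you left enabled and confirm each record arrives in the UCF; a secure TCP attempt that fails during the handshake points at the certificate name or trust setup rather than at the port.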

Configure Syslog Output Action for the Reporting Engine for Security Analytics 10.5

Note: This procedure is for SecOps 1.3 with Security Analytics 10.5.

1. In Security Analytics, go to Administration > Services.

2. Select your Reporting Engine Service, and click System > Config.

3. Click the Output Actions tab.

4. In the SA Configuration section, in the Host Name field, enter the host name or IP address of
your Reporting Engine server.

Note: If you do not enter a value in this field, the link in the RSA Archer Security Alerts
application back to Security Analytics will not work.

5. Add the Syslog Configuration as follows:


a. In the Server Name field, enter the hostname of the UCF.

b. In the Server Port field, enter the port that you selected in the UCF Syslog configuration.

c. In the Protocol field, select the transport protocol.

Note: If you select Secure TCP, SSL must be configured.

6. Click Save.

Configure ESA Syslog Notification Settings in Security Analytics 10.5 or Later
This procedure is for SecOps 1.3 with Security Analytics 10.5 or later.


1. Click Administration > System > Global Notifications.

2. Click the Output tab.

3. Define and enable an ESA Syslog notification.

4. Click the Servers tab.

5. Define and enable a Syslog notification server.

6. In the Syslog Server Configuration section, enter the following:

Server Name: Specify the hostname or IP Address of the system on which you installed the
UCF.

Server Port: Specify the port number on which you want the UCF to listen for Syslog alert
messages.

Facility: Specify the Syslog facility.

Protocol: Select the Protocol.

7. Click Save.

Configure Incident Management for Integration with Archer SecOps 1.3
To configure Incident Management for Archer SecOps 1.3, do the following in Security
Analytics:

Task / Link to Instructions

Step 1: Configure Incident Management Database

Step 2: Select the Mode for Security Analytics Incident Management

Step 3: Configure Forwarding to Security Analytics Incident Management Service

Step 4: Forward ECAT Alerts to the Security Analytics Incident Management Service

Step 5: Aggregate Alerts into Incidents


Step 1: Configure Incident Management Database


You have to configure the database for the Incident Management service for it to become
usable.

To configure a database for the Incident Management Service:


1. In the Security Analytics menu, select Administration > Services.
The Services view is displayed.

2. In the Service panel, select the Incident Management service, and choose View >
Explore.
The Services Explore view is displayed.

3. In the options panel, select Service > Configuration > database.


The database view is displayed in the right side panel.

4. Provide the following information:

• Host – The hostname or IP address of the ESA host selected as the database host

• DatabaseName – im (this is the default value)

• Port – 27017 (this is the default value)

• Username – The username for the user account for the IM database (ESA creates an
im user with the right privileges)

• Password – The password you selected for the im user.

5. Restart the Incident Management Service using the following command:


service rsa-im restart

Note: Restarting the Incident Management Service is important for the database configuration
to be complete.

Step 2: Select the Mode for Security Analytics Incident Management


To select the workflow management method in Security Analytics:
1. In the Security Analytics menu, select Incidents > Configure.

2. Click the Integration tab.

3. Select one of the following options:

• Manage incident workflow in RSA Security Analytics.

  • Allow analysts to escalate remediation tasks for the Operations target queue as
  tickets.

  • Allow analysts to escalate remediation tasks for the GRC target queue as Findings.

  • Allow analysts to report data breaches and trigger the breach response process in the
  RSA Archer Security Operations Management solution.
  For more information, see Configure Integration Setting to Manage Incidents in
  Security Analytics in the Incident Management guide.

• Manage incident workflow exclusively in RSA Archer Security Operations Management.

4. Click Apply.

Note: This step also applies to Integration with Archer SecOps 1.2.

Step 3: Configure Forwarding to Security Analytics Incident Management Service

• To forward Security Analytics Event Stream Analysis alerts to Security Analytics
Incident Management, do the following:

a. In the Security Analytics menu, select Administration > Services > ESA service.

b. Select an ESA Service and choose View > Config.

c. Click the Advanced tab.

d. Ensure that the Forward Alerts on Message Bus checkbox is selected (it is selected by
default). If needed, select the Forward Alerts on Message Bus checkbox and click Apply.

• To forward Security Analytics Reporting Engine alerts to Security Analytics Incident
Management, do the following:

a. In Security Analytics, click Administration > Services > Reporting Engine service.

b. Choose View > Config for the Reporting Engine service.

c. Click the General tab.

d. In the System Configuration section, select the Forward Alerts to IM checkbox and
click Apply.

• To forward Security Analytics Malware Analysis alerts to Security Analytics
Incident Management, do the following:

a. In Security Analytics, click Administration > Services > Malware Analysis service.

b. Choose View > Config for the MA service.

c. Click the Auditing tab.

d. In the Incident Management Alerting section, verify that the Enabled Config Value
checkbox is selected. If the checkbox is not selected, select the checkbox, and click
Apply.

Step 4: Forward ECAT Alerts to the Security Analytics Incident Management Service
RSA ECAT alerts can be sent to RSA Archer GRC through Security Analytics Incident
Management.
1. Configure Alerts by Message bus: Configure ECAT Alerts Via Message Bus.

2. In RSA ECAT, click Configure > Monitoring and External Components.

3. In the External Components Configuration window, select the Incident Message Broker.

4. Click Add (+).

5. Complete the following fields:

• Instance Name

• Server Hostname/IP. Enter the Host DNS or IP address of the RSA Security Analytics
Server.

• Port Number. The default port is 5671.

6. Click Save.

Step 5: Aggregate Alerts into Incidents


Alerts coming into Security Analytics Incident Management can be automatically aggregated
into incidents and forwarded to RSA Archer Security Operations Management. Aggregation
rules are automatically run every minute and aggregate the alerts into incidents based on
the match conditions and grouping options selected. For more information on aggregating alerts,
see the Configure Alert Sources to Display Alerts in Incident Management topic in the
Incident Management Configuration Guide.


To configure alert aggregation:


1. In Security Analytics, go to Incidents > Configure > Aggregation Rules.

2. To enable the rules provided out of the box, do the following:


a. Double-click the rule.

b. Select Enabled.

c. Click Save.

d. Repeat steps a-c for each rule.

3. To add a new rule, do the following:


a. Click Add (+).

b. Select Enabled.

c. Complete the following fields:

• Rule Name

• Action

• Match Conditions

• Grouping Options

• Incident Options

• Priority

• Notifications

4. Click Save.

Configure Syslog Output Action for the Reporting Engine for Security Analytics
1. In Security Analytics, go to Administration > Services.

2. Select your Reporting Engine Service, and click System > Config.

3. Click the Output Actions tab.

4. In the SA Configuration section, in the Host Name field, enter the host name or IP address of
your Reporting Engine server.

5. Add the Syslog Configuration as follows:


a. In the Server Name field, enter the hostname of the UCF.

b. In the Server Port field, enter the port that you selected in the UCF Syslog configuration.

c. In the Protocol field, select the transport protocol.

Note: If you select Secure TCP, SSL must be configured.

6. Click Save.

Configure SA RE SSL for Secure Syslog Server


If the Syslog server is configured with Secure TCP, configure the SSL.
1. Copy the certificate keystore.crt.der from the UCF machine at <install_dir>\RSA\SA IM
integration service\cert-tool\certs to the Security Analytics server at /usr/lib/jvm/java-1.8.0-
openjdk-1.8.0.65-0.b17.el6_7.x86_64/jre/lib/security

2. Run the following command:


keytool -import -file keystore.crt.der -alias ucf-syslog -keystore cacerts -storepass changeit

Note: Do not copy and paste the above code. Type it in to avoid errors.

3. Set ServerCertificateValidationEnabled to true. While it is false the Reporting Engine
accepts any certificate the syslog server presents, which defeats the purpose of secure TCP.

• Navigate to the administration page of the SA UI.

• Click View > Explore for the Reporting Engine (RE) service.

• Expand com.rsa.soc.re.

• Expand sslContextConfiguration and set ServerCertificateValidationEnabled to true.

4. Restart the RE service.
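The command above imports the certificate into one hard-coded OpenJDK build directory. On an appliance with a different JDK build the file lands in a cacerts the Reporting Engine never reads, and the import fails if it is run a second time because the alias already exists. As an added example, not part of the RSA guide, the following Python helper asks the JVM for its java.home, locates that JVM's cacerts, and imports keystore.crt.der under the guide's ucf-syslog alias only when it is not already present. The same helper serves the ESA host in the Configure SA ESA SSL section later. It assumes that the java and keytool binaries you point it at belong to the JVM that actually runs the RE or ESA service; the sample -XshowSettings output in the docstring is constructed.

```python
"""Import keystore.crt.der into the cacerts of the JVM that runs the RE/ESA service.

Added example; not part of the RSA guide.  The alias and store password are
the ones the guide's keytool command uses; java/keytool paths are assumptions.
"""
import re
import subprocess
from pathlib import Path
from typing import List, Optional

ALIAS = "ucf-syslog"
STORE_PASS = "changeit"        # JRE default; change if your cacerts uses another


def parse_java_home(show_settings_output: str) -> Optional[str]:
    """Extract java.home from `java -XshowSettings:properties -version` output.
    JDK 8 reports the jre/ subdirectory, e.g. (constructed sample line)
        java.home = /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-0.b17.el6_7.x86_64/jre
    """
    m = re.search(r"^\s*java\.home\s*=\s*(\S.*?)\s*$", show_settings_output, re.MULTILINE)
    return m.group(1) if m else None


def cacerts_candidates(java_home: str) -> List[Path]:
    """Where cacerts can live relative to java.home: a JDK 8 JRE and JDK 9+ use
    lib/security; a JDK 8 java.home that points at the JDK root uses jre/lib/security."""
    home = Path(java_home)
    return [home / "lib" / "security" / "cacerts",
            home / "jre" / "lib" / "security" / "cacerts"]


def find_cacerts(java_home: str) -> Path:
    for candidate in cacerts_candidates(java_home):
        if candidate.is_file():
            return candidate
    raise FileNotFoundError(f"no cacerts under {java_home}")


def list_command(cacerts: Path, alias: str = ALIAS, store_pass: str = STORE_PASS) -> List[str]:
    """keytool -list exits non-zero when the alias is absent, which is the check we want."""
    return ["keytool", "-list", "-keystore", str(cacerts),
            "-storepass", store_pass, "-alias", alias]


def import_command(cacerts: Path, cert: Path, alias: str = ALIAS,
                   store_pass: str = STORE_PASS) -> List[str]:
    """The same import the guide runs, made non-interactive (-noprompt) for scripting."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts", "-file", str(cert),
            "-alias", alias, "-keystore", str(cacerts), "-storepass", store_pass]


def detect_java_home(java: str = "java") -> str:
    """Ask the JVM itself; the property listing is printed on stderr."""
    proc = subprocess.run([java, "-XshowSettings:properties", "-version"],
                          capture_output=True, text=True)
    home = parse_java_home(proc.stderr + proc.stdout)
    if home is None:
        raise RuntimeError("could not read java.home from " + java)
    return home


def ensure_trusted(cert: Path, java: str = "java") -> bool:
    """Import the UCF certificate once; returns True if an import was performed."""
    cacerts = find_cacerts(detect_java_home(java))
    if subprocess.run(list_command(cacerts), capture_output=True).returncode == 0:
        return False      # alias already present; a second -importcert would fail
    subprocess.run(import_command(cacerts, cert), check=True)
    return True


if __name__ == "__main__":
    # Hypothetical locations: the copied UCF cert and the RE service's own JVM.
    print(ensure_trusted(Path("/root/keystore.crt.der"),
                         java="/usr/lib/jvm/jre/bin/java"))
```

After the import, restart the service as the guide says; the RE or ESA JVM reads cacerts only at start-up.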

Configure Rules in Security Analytics


1. Click Reports > Manage.

2. In Groups, click Rules.

3. Click Add (+).

4. Enter a name for the new group.

5. Select the group you created, and in the Rule toolbar, click Add (+).


6. In the Syslog Name field, enter a name for the SecOps syslog configuration to be used to
configure alerts.

7. In the Rule Type field, select NetWitness DB.

8. Enter a name for the rule.

9. Enter values in the Select and Where fields based on the rule that you want to create.

Note: Add the Syslog configuration with the Syslog name set above.

10. Click Save.

Note: To see the same number of alerts in SA RE and RSA Archer GRC, ensure that you’ve
selected Once for execute in both the Syslog and Record tabs.

Add Alert Templates for the Reporting Engine in Security Analytics


The UCF syslog configuration comes with out-of-the-box alert templates that you can use when
you create an alert with a syslog output action. These templates define the criteria used to
aggregate alerts into incidents in your RSA Archer GRC Platform.
The sample templates are located in the following location on the UCF system:
<install_dir>\SA IM integration service\config\mapping\templates\SecOps_SA_Templates
1. Click Reports > Manage > Alerts.

2. Click the Template tab.

3. Click Add (+).

4. In the Name field, enter a name for the alert template.

5. In the Message field, enter the alert message.

6. Click Create.

7. Repeat steps 3 to 6 for each alert template that you want to add.

Configure Alerts in Security Analytics


In RSA Security Analytics Reporting Engine, an alert is a rule that you can schedule to run on a
continuous basis and log its findings to several different alerting outputs.
1. Click Reports > Manage > Alerts.

2. Click Add (+).

3. Select Enable.

4. Select the rule you created.


5. Select Push to Decoders.

Note: If you do not enter a value in this field, the link in the RSA Archer Security Alerts
application to RSA Security Analytics will not work.

6. From the Data Sources list, select your data source.

7. In the Notification section, select Syslog.

8. Click Add (+).

9. Complete the Syslog configuration fields.

10. In the Body Template field, select the template that you want to use for this Syslog alert.

11. Click Save.

Configure ESA Syslog Notification Settings in Security Analytics

1. Click Administration > System > Global Notifications.

2. Click the Output tab.

3. Define and enable an ESA Syslog notification.

4. Click the Servers tab.

5. Define and enable a Syslog notification server.

6. In the Syslog Server Configuration section, enter the following:

Server Name: Specify the hostname or IP Address of the system on which you installed the UCF.

Server Port: Specify the port number on which you want the UCF to listen for Syslog alert
messages.

Facility: Specify the Syslog facility.

Protocol: Select the protocol.

7. Click Save.

Configure SA ESA SSL for Secure Syslog Server in Security Analytics


If the Syslog server is configured with Secure TCP, configure the SSL.
1. Navigate to Administration > Services.

2. Select the ESA service. Go to Explore > Configuration > SSL .

3. Set ServerCertificateValidationEnabled to true.

4. Copy the certificate keystore.crt.der from the UCF machine at <install_dir>\SA IM
integration service\cert-tool\certs to the ESA box at /usr/lib/jvm/java-1.8.0-openjdk-
1.8.0.65.0.b17.el6_7.x86_64/jre/lib/security.

5. Run the following command:


keytool -import -file keystore.crt.der -alias ucf-syslog -keystore cacerts -storepass changeit

Note: Do not copy and paste the above code. Type it in to avoid errors.

6. Restart the ESA service.

Add ESA Alert Templates in Security Analytics


The UCF syslog configuration comes with out-of-the-box alert templates that you can use when
you create an alert with a syslog output action. These templates define the criteria used to
aggregate alerts into incidents in your RSA Archer GRC Platform.
The sample templates are in the following location on the UCF system:
<install_dir>\SA IM integration service\config\mapping\templates\SecOps_SA_Templates\SecOps_SA_ESA_templates.txt

Procedure:
1. Select Administration > System > Global Notifications.
2. Click the Templates tab.
3. Click Add (+).
4. In the Template Type field, select Event Stream Analysis.
5. In the Name field, enter the name for the template.
6. (Optional) In the Description field, enter a brief description for the template.
7. In the Template field, enter the alert message.


8. Click Save.
9. Repeat steps 3 – 8 for each alert template that you want to add.

Create ESA Rules in Security Analytics

1. Click Alerts > Configure.

2. Select your ESA device.

3. Click Select.

4. In the ESA Rules toolbar, click +.

5. Select Rule Builder.

6. In the Name field, enter a name for the rule.

7. In the Description field, enter a description for the rule.

8. Select a Severity.

9. In the Condition section, do the following:


a. Click + to build a statement.

b. Enter a name, select a condition type, and add meta data/value pairs for your statement.

c. Click Save.

d. Repeat steps a – c until you have built all your statements for the rule.

10. In the Notifications section, select Syslog.

11. Select the notification, Syslog server, and template that were created previously.

12. Click Save and Close.

13. Click Alerts > Configure > Deployments.

14. Click + for ESA Services section.

15. Select the ESA Service.

16. Click Deploy Now.

17. In the ESA Rules section, click + to choose the ESA Rule that you created, and click Deploy
Now.


RSA Archer Feeds


By default, only the IP Address and Criticality Rating fields in the RSA Archer Devices
application are fed into RSA Security Analytics by the Security Analytics Incident
Management Integration Service. You can customize the Enterprise Management plug-in to
include the Business Unit and Facility fields that are cross-referenced in the Devices application
in the feed. For more details, see Archer documentation
at https://community.emc.com/community/connect/grc_ecosystem/rsa
archer or https://community.emc.com/community/connect/grc_ecosystem/rsa_archer_exchange.

Note: If you plan to feed Business Unit and Facility information from your RSA Archer GRC
Platform into Live, you must also add keys for these fields to the index-concentrator-
custom.xml file.

Several tasks can be performed by the Administrator in Security Analytics, including:

l Update the Concentrator and Decoder Services

l Add the RSA Archer Enterprise Management Endpoint in the UCF

l Update the RSA Security Analytics Host File for SSL Mode

l Create a Recurring Feed Task

Update the Concentrator and Decoder Services


The Security Analytics Incident Management Integration Service manages the files for a custom
feed and deposits these files in a local folder that you specify when you configure the Security
Analytics Incident Management Integration Service. The Live module of RSA Security
Analytics retrieves the feed files from this folder. Live then pushes the feed to the Decoders,
which start creating metadata based on captured network traffic and the feed definition. To
make each Concentrator aware of the new metadata created by the Decoders, you must edit the
index-concentrator-custom.xml, index-logdecoder-custom.xml, and index-decoder-custom.xml
files.
1. In the Security Analytics menu, click Administration > Services.

2. Select your Concentrator, and select > View > Config.

3. Click the Files tab.

4. From the drop-down list, select index-concentrator-custom.xml. Do one of the following:

l If content already exists in the file, add a key for the new meta data element as follows:

<key description="Criticality" format="Text" level="IndexValues"
name="criticality" defaultAction="Open"/>

Note: Do not copy and paste code. Type it in to avoid errors.

l If the file is blank, add the following content:

<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
<key description="Criticality" format="Text" level="IndexValues"
name="criticality" defaultAction="Open"/>
</language>

5. Click Apply.

6. If no services are listed, click Apply.

7. To add multiple devices, do the following:


a. Click Push.

b. Select the devices to which you want to push this file.

c. Click OK.

8. Repeat steps 1-7 for the Log Decoders and Index Decoders, using index-logdecoder-
custom.xml and index-decoder-custom.xml.

9. Stop and start the Concentrator and Decoder services.
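The merge described in step 4 (append the key when the file already has content, create the file when it is blank), as an added Python example that is not part of this guide or the RSA product. The function names, the "business.unit" sample file and the defaults are constructed for illustration; the same function can add the Business Unit and Facility keys mentioned under RSA Archer Feeds by passing other names.

```python
"""Idempotently add a custom meta key to an index-*-custom.xml file.

Added example for this guide; not part of the RSA product or its
documentation. If the file is blank it creates the <language> root shown in
the guide, otherwise it appends a <key> element, never duplicating a name.
"""
import xml.etree.ElementTree as ET

# Root element the guide prescribes for an empty custom index file.
LANGUAGE_ATTRS = {"level": "IndexNone", "defaultAction": "Auto"}
XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed sample of a file that already has content (not from the guide):
# a site that previously indexed a "business.unit" key.
SAMPLE_EXISTING = XML_DECL + (
    '<language level="IndexNone" defaultAction="Auto">\n'
    '<key description="Business Unit" format="Text" level="IndexValues"\n'
    '     name="business.unit" defaultAction="Open"/>\n'
    '</language>\n'
)


def key_names(xml_text):
    """Names of all <key> elements in a custom index file (empty if blank)."""
    if not xml_text.strip():
        return []
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [k.get("name") for k in root.findall("key")]


def ensure_index_key(xml_text, name="criticality", description="Criticality",
                     fmt="Text", level="IndexValues", default_action="Open"):
    """Return (new_xml_text, changed) for the given file contents.

    Defaults reproduce the Criticality key from the guide; pass other values
    for the Business Unit and Facility keys mentioned under RSA Archer Feeds.
    """
    if not xml_text.strip():
        root = ET.Element("language", LANGUAGE_ATTRS)
    else:
        root = ET.fromstring(xml_text.encode("utf-8"))
        if root.tag != "language":
            raise ValueError("expected <language> root, found <%s>" % root.tag)

    # Meta key names are unique within the file: do not add a duplicate.
    if any(k.get("name") == name for k in root.findall("key")):
        return xml_text, False

    ET.SubElement(root, "key", {
        "description": description,
        "format": fmt,
        "level": level,
        "name": name,
        "defaultAction": default_action,
    })
    return XML_DECL + ET.tostring(root, encoding="unicode") + "\n", True


if __name__ == "__main__":
    text, changed = ensure_index_key("")                # blank-file case
    print(changed, key_names(text))                     # True ['criticality']
    text, changed = ensure_index_key(SAMPLE_EXISTING)   # existing-content case
    print(changed, key_names(text))  # True ['business.unit', 'criticality']
```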

Add the RSA Archer Enterprise Management Endpoint in the UCF

1. In UCF connection manager, select the mode, as follows:


a. Enter the number for Mode Selection.

b. Select one of the following options:

l Manage incident workflow in RSA Security Analytics.

l Manage incident workflow exclusively in RSA Archer Security Operations Management.

2. Add the RSA Archer Enterprise Management Endpoint, as follows:


a. Enter the number for Enterprise Management.

b. Complete the fields in the table below.

Endpoint Name: Optional endpoint name.

Web Server Port: Defaults to 9090. Can be configured to host the web server URL. The URL
with the port number should be provided as the URL in the SA Live feed:
http(s)://hostname:port/archer/sa/feed

Criticality: Criticality of the assets to be pulled from RSA Archer GRC.
If false, pull assets with any criticality.
If true, pull assets with only high criticality.
To configure this manually, edit the em.criticality property in the collector-config
properties file to provide a comma-separated list of criticalities: LOW, MEDIUM, HIGH.

Feed Directory: Directory where the assets CSV file from RSA Archer GRC is saved.
Note: The directory path provided must exist.

Web Server Username: Username for authenticating to the EM web server.
Note: This is provided while configuring the SA Live feed.

Web Server Password: Password for authenticating to the EM web server.
Note: This is provided while configuring the SA Live feed.

SSL Mode: Defaults to No.
If No, the URL uses http mode: http://hostname:port/archer/sa/feed
If Yes, the URL uses https mode: https://hostname:port/archer/sa/feed
If you have not updated the host file, see Update the RSA Security Analytics Host File for
SSL Mode.

3. If you selected Yes for SSL mode, complete the following fields:
l Copy certs to SA box. Enter Yes to have the certificates automatically copied from RSA
Archer Security Operations Management to RSA Security Analytics.

l SA Host. Enter the hostname or IP address of the SA server.


l SA Host Username. Enter the username for logging in to the SA server to copy the
certificates.

l SA Host Password. Enter the password for logging in to the SA server to copy the
certificates.

Note: If copying the certificates fails and adding the endpoint therefore fails, manually copy
the certificates. See Manually Copy Enterprise Management Certificates in Troubleshoot RSA
Archer Integration. After copying the certificates, you must add the Enterprise Management
plug-in again without automatically copying the certificates.

Update the RSA Security Analytics Host File for SSL Mode

1. Edit the host file on the SA server at the following location: vi /etc/hosts

2. Enter the following for the UCF host IP address:


<ucf-host-ip> <ucf-host-name>

3. Restart SA server by running the following command:


restart jettysrv

4. While configuring the SA Live feed, enter the hostname instead of the IP address in the
URL, together with the port number configured for the Enterprise Management endpoint in
the UCF: https://<ucf-host-name>:<EM_Port>/archer/sa/feed

5. Verify that the connection works.

Create a Recurring Feed Task


In order for RSA Security Analytics to download feed files from the Security
Analytics Incident Management Integration Service and push the feeds to Decoders, you must
create a recurring feed task and define the feed settings.

Note: For RSA Archer SecOps 1.2: In order for RSA Security Analytics to download feed
files from your RCF machine and push the feeds to Decoders, you must create a recurring
feed task and define the feed settings. The procedure is similar to RSA Archer SecOps 1.3,
with a few exceptions.

1. In the Security Analytics Menu, click Live > Feeds.

2. Click .

3. Select Custom Feed, and click Next.

4. Select Recurring.

5. Enter a name for the feed.


6. In the URL field, enter one of the following:


l http://ucf_hostname/archer/sa/feed

l https://ucf_hostname_or_ip:port/archer/sa/feed

where http(s)://ucf_hostname_or_ip:port is the address of your Security Analytics
Incident Management Integration Service system. Use https if you have enabled
SSL communication with RSA Security Analytics. For example: http://10.10.10.10:9090 or
https://10.10.10.10:8443.

Note: If Incident Management is running in SSL mode, the hostname must be used in the
URL.

7. Select Authenticated.

8. In the User Name and Password fields, enter the credentials of the user account you created
for RSA Security Analytics to use to access files on the Security Analytics Incident
Management Integration Service system.

9. Define the recurrence interval for the feed.

10. In the Date Range section, define a start and end date for the feed, and click Next.

11. Select each Decoder to which you want to push this feed, and click Next.

12. In the Type field, ensure that IP is selected.

13. In the Index Column field, select 1.

14. In the second column, set the Key value to criticality, and click Next.

15. Review your feed configuration details, and click Finish.

Manage the RSA Unified Collector Framework


This topic provides additional tasks for configuring and managing the RSA Unified Collector
Framework (UCF) for Archer SecOps 1.3 Integration.

Start the RSA Unified Collector Framework

1. Click Control Panel > Administrative Tools > Services.

2. Select RSA Unified Collector Framework.

3. Click Start.


Stop the RSA Unified Collector Framework

1. Click Control Panel > Administrative Tools > Services.

2. Stop the RSA SecOps WatchDog Service.

Note: If you do not stop the Watchdog service, the Watchdog service starts the
Security Analytics Incident Management Service before intended.

3. Select RSA Unified Collector Framework.

4. Click Stop.

Note: If the service takes too long to shut down, use the Task Manager to end the
RSASAIMDCService process.

Uninstall the RSA Unified Collector Framework

1. Click Control Panel > Programs and Features.

2. Select RSA Unified Collector Framework.

3. Click Uninstall.


Troubleshoot RSA Archer Integration


This section provides resolutions to common problems that you may encounter while configuring
Archer SecOps 1.2 or Archer SecOps 1.3 with Security Analytics Incident Management.

Setting the CA Truststore


Problem: After adding the endpoint for Security Analytics Incident Management, the CA
truststore fails to set.
Resolution:
1. Ensure that the SSH credentials for the Security Analytics host are valid.

2. If the credentials are correct but the error still occurs, see Manually Copy Enterprise
Management Certificates.

Manually Copy Enterprise Management Certificates


If certificates were not automatically copied, you can manually copy the certificates.
1. Copy the certificate keystore-em.crt from the UCF machine at the following location:
<install_dir>\SA IM integration service\cert-tool\certs to the Security Analytics server at
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.x86_64/jre/lib/security.

2. Log on to the machine that has RSA Security Analytics installed.

3. Go to the location where the SA truststore certificate is copied:

cd /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.x86_64/jre/lib/security

4. Run the following command:

keytool -import -alias ucfcert -keystore cacerts -file keystore-em.crt.der

Note: If you copied the certificates because adding the Enterprise Management endpoint
failed, you must add the endpoint again without automatically copying the certificates. See
Configure Endpoints in RSA Unified Collector Framework in Configure Security Analytics
to Work With Archer.

Security Analytics Incident Management Certificates


If certificates are not automatically copied, you can manually copy the certificates.
1. Copy the certificate rootcastore.crt.pem from the UCF machine at <install_dir>\SA IM
integration service\cert-tool\certs to the Security Analytics server at a path /tmp.


2. Check whether the copied file is in Windows text format. In the following example, the
file command reports carriage return and line feed (CRLF) line terminators:

# file rootcastore.crt.pem
rootcastore.crt.pem: ASCII text, with CRLF line terminators

3. If the output reports CRLF line terminators, open the file in vi to remove them:

# vi rootcastore.crt.pem

4. In vi, run the following commands to convert the file from Windows text format to Unix
format:

:%s/\r//g
:set ff=unix

5. Save the file with the :wq command.

6. Run the following command to create a backup of the ca.pem file:

cp /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/ca.pem.$(date +"%Y%m%d_%H%M")

7. Append the certificate to ca.pem using the following command:

cat /tmp/rootcastore.crt.pem >> /var/lib/puppet/ssl/certs/ca.pem

8. Remove the blank lines from the file:

sed -ri '/^\s*$/d' /var/lib/puppet/ssl/certs/ca.pem

9. Run puppet agent -t to populate the certificates to truststore.pem.

10. Check truststore.pem with the following command:

cat /etc/rabbitmq/ssl/truststore.pem

11. Once the agent completes, exit the connection manager.

12. Restart RSA Unified Collector Framework service from services.msc.

13. Run Connection Manager again to continue with the SA endpoints configuration.
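Steps 2 to 8 above (CRLF cleanup, timestamped backup, append, blank-line removal) carried out in one place, as an added Python example that is not RSA's tooling. The function names, the temporary directory and the PEM bodies inside demo() are constructed for illustration, and the check that skips a PEM block ca.pem already contains goes beyond what the guide describes.

```python
"""Merge the UCF root CA (rootcastore.crt.pem) into the puppet ca.pem bundle.
Added example for this guide, not RSA's own tooling: steps 2-8 above in one
place, plus a duplicate check so that re-running cannot add the CA twice."""
import os
import shutil
import tempfile
from datetime import datetime

def to_unix(text):
    """Remove carriage returns (the ':%s/\\r//g' step) and blank lines."""
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    return "\n".join(ln for ln in lines if ln.strip()) + "\n"

def pem_blocks(text):
    """Split PEM text into its -----BEGIN ----- / -----END ----- blocks."""
    blocks, current = [], None
    for line in to_unix(text).splitlines():
        if line.startswith("-----BEGIN "):
            current = [line]
        elif current is not None:
            current.append(line)
            if line.startswith("-----END "):
                blocks.append("\n".join(current))
                current = None
    return blocks

def append_root_ca(cert_path, bundle_path, now=None):
    """Append blocks from cert_path that bundle_path lacks; return them."""
    with open(cert_path, newline="") as f:          # newline="" keeps any \r
        cert_blocks = pem_blocks(f.read())
    with open(bundle_path, newline="") as f:
        bundle_text = f.read()
    present = set(pem_blocks(bundle_text))
    new_blocks = [b for b in cert_blocks if b not in present]
    if not new_blocks:
        return []
    # Step 6: timestamped backup, same naming as the guide's cp command.
    stamp = (now or datetime.now()).strftime("%Y%m%d_%H%M")
    shutil.copy2(bundle_path, "%s.%s" % (bundle_path, stamp))
    # Steps 7-8: append the certificate, then rewrite without blank lines.
    with open(bundle_path, "w", newline="\n") as f:
        f.write(to_unix(bundle_text + "\n" + "\n".join(new_blocks)))
    return new_blocks

def demo():
    """Run the merge on constructed files in a temp dir; return check values."""
    work = tempfile.mkdtemp()
    cert = os.path.join(work, "rootcastore.crt.pem")
    bundle = os.path.join(work, "ca.pem")
    # Constructed, non-real PEM bodies: a CRLF file as copied from Windows and
    # a Unix bundle that already holds one CA plus a trailing blank line.
    with open(cert, "w", newline="") as f:
        f.write("-----BEGIN CERTIFICATE-----\r\nTUlJQlVDRnJvb3Q=\r\n"
                "-----END CERTIFICATE-----\r\n")
    with open(bundle, "w", newline="") as f:
        f.write("-----BEGIN CERTIFICATE-----\nTUlJQnB1cHBldA==\n"
                "-----END CERTIFICATE-----\n\n")
    when = datetime(2016, 1, 2, 3, 4)
    first = append_root_ca(cert, bundle, now=when)
    second = append_root_ca(cert, bundle, now=when)   # idempotent re-run
    with open(bundle, newline="") as f:
        text = f.read()
    return {"added": len(first), "readded": len(second),
            "blocks": len(pem_blocks(text)),
            "clean": "\r" not in text and "\n\n" not in text,
            "backup": os.path.exists(bundle + ".20160102_0304")}
```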

Incidents in RSA Archer Security Operations Management Solution


Problem: Findings and Security Incidents do not appear in RSA Archer Security
Operations Management solution.
Resolution:


1. Confirm that the time on your middleware system and the RSA Archer Platform is
synchronized, with a difference of no more than one second.

2. Verify that the endpoint is configured correctly.

3. Confirm that the UCF is set to the appropriate mode.

l For Findings, you should select to manage the incident workflow in RSA Security
Analytics.

l For Security Incidents, you should select to manage the incident workflow in RSA Archer
Security Operations Management.

4. SSH to the SA web server host and enter the following command to verify that the RSA
Archer incident queue (im.archer_incident_queue) is created:

curl -k -u guest:guest https://127.0.0.1:15671/api/queues/%2Frsa%2Fim%2Fintegration/im.archer_incident_queue --silent --stderr - | grep -o '"name"\:.*'

Note: If the queue is created, the output reads as follows:

"name":"im.archer_incident_queue","vhost":"/rsa/im/integration","durable":true,"auto_delete":false,"arguments":{},"node":"sa@localhost"}

5. SSH to the SA web server host and enter the following command to verify that the RSA
Archer tickets queue (im.archer_tickets_queue) is created:

curl -k -u guest:guest https://127.0.0.1:15671/api/queues/%2Frsa%2Fim%2Fintegration/im.archer_tickets_queue --silent --stderr - | grep -o '"name"\:.*'

Note: If the queue is created, the output reads as follows:

"name":"im.archer_tickets_queue","vhost":"/rsa/im/integration","durable":true,"auto_delete":false,"arguments":{},"node":"sa@localhost"}

6. SSH to the SA web server host and enter the following command to check the number of
messages in the incident queue:

curl -k -u guest:guest https://127.0.0.1:15671/api/queues/%2Frsa%2Fim%2Fintegration/im.archer_incident_queue --silent --stderr - | grep -o '"messages"\:[0-9]*'

Note: If the queue is created, the output reads as follows, where the number is the current
message count: "messages":5

7. Confirm the above queues are populated with messages from the UCF.

Remediation Tasks in RSA Archer Security Operations Management


Problem: Remediation Tasks being pushed to the Operations queue through the UCF are
not appearing in RSA Archer Security Operations Management as Findings.
Resolution:
1. Open the Connection Manager:

l Open a command prompt.

l Change directories to <install_dir>\SA IM integration service\data-collector.

l Type: runConnectionManager.bat

2. Enter 2 for Edit Endpoint.

3. Enter 3 for Security Analytics Incident Management.

4. Ensure the Target Queue is set to All or Operations.

Errors between RSA Security Analytics and RSA Unified Collector Framework


Problem: In the <install_dir>\SA IM integration service\logs\collector.log, there are SSL
errors between RSA Security Analytics and RSA Unified Collector Framework.
Resolution:
1. Verify that the SSL certificates are valid.

Note: Security Analytics Incident Management certificates are valid for two years.

2. If your certificates are expired, regenerate the certificates and copy the new ones.


To regenerate and copy the certificates, do the following:


1. In Command Prompt, go to <install_dir>\SA IM integration service\data-collector.

2. Type: runConnectionManager.bat

3. Enter the number for Regenerate Security Analytics Incident Management Integration
Service Certificate.

4. In the Security Analytics Incident Management endpoint in Connection Manager, enter the
number for Edit Endpoint.

5. Enter Yes to copy the certificates automatically to the Security Analytics trust store.

Note: If certificates fail to copy, manually copy the certificates.
