Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
Highlighted
or@we-can.co.il1 Absent Member.
Absent Member.
515 views

ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

Hello everyone,

We, at We-Ankor (formerly We!), are integrators for both HP ArcSight and RSA ECAT.

For those who are not familiar, ECAT is a tool designed to detect unknown, and possibly malicious, artifacts (processes, DLLs, drivers, host file entries, autostarts, services, hooks, etc.) on windows machines, like APT and other advanced and unique threats.

We built a bi-directional integration between the two systems that does the following:

  1. A rule is triggered in ArcSight about a host (host scanning, running brute force, etc.).
  2. ArcSight automatically deploys and ECAT agent on the host.
  3. When the installation is validated (0.5-2 minutes), the agent starts scanning the host.
  4. When the scan is complete, all detected artifacts are sent to ArcSight.
  5. If a suspicious artifact is detected, ArcSight sends a remote kill command to the process related to that artifact on the remote host, and sends the artifact to the AV vendor to be properly signed.
  6. It is also possible to request a memory dump, analyze it automatically using volatility, and upload any artifacts to Cuckoo Sandbox.

Using this automation, we were able to shorten incident response processes for some scenarios from days to an hour or so.

Please view the following presentation and video showing exactly how it works:

Presentation - ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

Video -

Please feel free to contact me about this integration.

Or.

Labels (2)
0 Likes
Reply
2 Replies
tkachouba Trusted Contributor.
Trusted Contributor.

Re: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

Very nice video and useful integration tools.

Thanks for sharing!

0 Likes
Reply
dbogdan1 Absent Member.
Absent Member.

Re: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen

HI!

I want to ask: how can I connect Arcsight with ECAT or how can i send log events (alerts) from ECAT to Arcsight? It is possible with a syslog connector? I'm interesting about how do you make the connection between this 2 tools.

Tks!

0 Likes
Reply
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.