ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen
We, at We-Ankor (formerly We!), are integrators for both HP ArcSight and RSA ECAT.
For those who are not familiar, ECAT is a tool designed to detect unknown, and possibly malicious, artifacts (processes, DLLs, drivers, host file entries, autostarts, services, hooks, etc.) on Windows machines, like APT and other advanced and unique threats.
We built a bi-directional integration between the two systems that does the following:
- A rule is triggered in ArcSight about a host (host scanning, running brute force, etc.).
- ArcSight automatically deploys an ECAT agent on the host.
- When the installation is validated (0.5-2 minutes), the agent starts scanning the host.
- When the scan is complete, all detected artifacts are sent to ArcSight.
- If a suspicious artifact is detected, ArcSight sends a remote kill command to the process related to that artifact on the remote host, and sends the artifact to the AV vendor to be properly signed.
- It is also possible to request a memory dump, analyze it automatically using volatility, and upload any artifacts to Cuckoo Sandbox.
Using this automation, we were able to shorten incident response processes for some scenarios from days to an hour or so.
Please view the following presentation and video showing exactly how it works:
Presentation - ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen
Please feel free to contact me about this integration.
Re: ArcSight & RSA ECAT Integration - By We-Ankor & Or Cohen
I want to ask: how can I connect ArcSight with ECAT, or how can I send log events (alerts) from ECAT to ArcSight? Is it possible with a syslog connector? I'm interested in how you make the connection between these two tools.
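The "detected artifacts are sent to ArcSight" step in the original post and the reply's question about a syslog connector both come down to the same thing: how endpoint findings are encoded into events a SIEM connector can parse, and how a response decision rides along with them. The Python below is an added example, not We-Ankor's integration code and not RSA ECAT's real export format. It assumes a constructed artifact record layout (type, path, hash, a 0-100 suspicion score, signer), placeholder vendor/product header strings and a constructed trusted-signer allowlist; the CEF header layout and the extension keys it uses (dvchost, fname, filePath, fileHash, cs1/cs1Label, cn1/cn1Label) are the standard ones an ArcSight syslog connector understands.

```python
# Added example: encode endpoint scan artifacts as CEF events for a SIEM syslog
# connector and derive a response decision per artifact. Record layout, score
# field, trusted-signer list and vendor strings are constructed assumptions.
import socket
from dataclasses import dataclass

CEF_VERSION = 0
# Placeholder header fields; a real connector carries the product's own values.
DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION = "ExampleVendor", "EndpointScan", "1.0"
SUSPICION_THRESHOLD = 70                               # assumed 0-100 score scale
TRUSTED_SIGNERS = {"Microsoft Windows", "Example Corp"}  # constructed allowlist


def _esc_header(value) -> str:
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value) -> str:
    """CEF extension values: escape backslash and '=', encode line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(signature_id, name, severity, extension: dict) -> str:
    """Build one CEF line; severity is an integer 0-10 per the CEF format."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be 0-10")
    header = "|".join(_esc_header(v) for v in
                      (DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION,
                       signature_id, name, severity))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


@dataclass
class Decision:
    action: str  # "none", "submit_to_av" or "kill_and_submit"
    reason: str


def triage(artifact: dict) -> Decision:
    """Trusted signed binaries are never killed; only a running process over
    the threshold gets a kill action, other artifact types go to the AV vendor."""
    if artifact.get("signed") and artifact.get("signer") in TRUSTED_SIGNERS:
        return Decision("none", "signed by trusted publisher")
    score = int(artifact.get("score", 0))
    if score < SUSPICION_THRESHOLD:
        return Decision("none", f"score {score} below threshold")
    if artifact.get("type") == "process" and artifact.get("pid"):
        return Decision("kill_and_submit", f"running process scored {score}")
    return Decision("submit_to_av", f"{artifact.get('type')} scored {score}")


def artifact_event(host: str, artifact: dict) -> str:
    """Map one artifact plus its triage decision onto standard CEF extension keys."""
    decision = triage(artifact)
    severity = min(10, int(artifact.get("score", 0)) // 10)
    return to_cef(
        signature_id=f"artifact:{artifact.get('type', 'unknown')}",
        name="Endpoint artifact detected",
        severity=severity,
        extension={
            "dvchost": host,
            "fname": artifact.get("name", ""),
            "filePath": artifact.get("path", ""),
            "fileHash": artifact.get("sha256", ""),
            "cn1": artifact.get("score", 0), "cn1Label": "suspicionScore",
            "cs1": decision.action, "cs1Label": "responseAction",
            "cs2": decision.reason, "cs2Label": "responseReason",
        },
    )


def send_to_siem(lines, collector_host: str, port: int = 514) -> int:
    """Ship CEF lines as UDP syslog with PRI <134> (facility local0, severity info)."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(f"<134>{line}".encode("utf-8"), (collector_host, port))
            sent += 1
    return sent


# Constructed scan result for one host; hashes and paths are not from any real scan.
SAMPLE_SCAN = {
    "host": "ws-0042",
    "artifacts": [
        {"type": "process", "pid": 4120, "name": "svc|host.exe",
         "path": "C:\\Users\\Public\\svc|host.exe", "sha256": "0" * 64,
         "score": 85, "signed": False},
        {"type": "dll", "name": "kernel32.dll",
         "path": "C:\\Windows\\System32\\kernel32.dll", "sha256": "1" * 64,
         "score": 90, "signed": True, "signer": "Microsoft Windows"},
        {"type": "autostart", "name": "Run=updater",
         "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
         "sha256": "2" * 64, "score": 72, "signed": False},
    ],
}


def process_scan(scan: dict) -> list:
    """Produce one CEF line per artifact in a scan result."""
    return [artifact_event(scan["host"], a) for a in scan["artifacts"]]


if __name__ == "__main__":
    for line in process_scan(SAMPLE_SCAN):
        print(line)
```

The two escaping rules matter in practice: a pipe inside an extension value (the process name above) is legal and left alone, while a pipe in a header field must be escaped or the connector will misparse every field after it, and an unescaped `=` or backslash in a path silently corrupts the key/value split. Keeping the kill decision as a labelled custom string (cs1) rather than a free-text message lets the SIEM rule that issues the remote kill key on an exact value, and the trusted-signer check is what prevents a high score on a legitimate system DLL from turning into a kill of a system process.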