This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Integrating NW 11.0 with SecOps 1.3.1.2

DimalZeqiri1
New Contributor
New Contributor

‎2018-08-14 07:56 AM

Hi All,

 

We are currently trying to integrate NW 11.0 Respond with Archer SecOps and we are facing some issues.

 

First of all, this doc here Respond Config: Manage Incidents in NetWitness SecOps Manager  is a bit confusing. It says to set archer-sec-ops-integration-enabled = true while on the screenshot it highlights a different field "export-incident-enabled". I would like to know which fields should be set to true.

 

After following the new integration document, we have managed to pull incidents into SecOps. However, NW 11.0 is not consuming incidents pushed into the queue from Archer.

As we know, there are two queues in the integration:

 

-im.archer_incident_queue

where incidents are pushed from NW to queue and pulled from UCF

 

-im.saim_incident_queue

where incidents are pushed from UCF to queue and pulled from NW.

 

In our previous 10.6 integration I can see that there are consumers for both queues. However in the new deployment 11,I can see that the saim_incident_queue has no consumer. 

 

Did anyone had this experience before, I would appreciate your help!

 

Thank you!

5 REPLIES 5

Anonymous
Not applicable

‎2018-08-14 11:10 AM

Dimal, I created a ticket to fix the documentation for your first question. The answer is that you only need to set archer-sec-ops-integration-enabled = true.

 

On your second question about the queues, I'm asking someone else as I haven't configured the integration myself.

DimalZeqiri1
New Contributor
New Contributor
In response to Anonymous

‎2018-08-14 11:25 AM

Thank you Sean,

 

I have also opened a ticket for the queues.

0 Likes

Anonymous
Not applicable
In response to DimalZeqiri1

‎2018-08-14 12:45 PM

Dimal,

 

#2 is not a supported use-case with 11.0 integration i.e. data can be sent from NetWitness Respond to Archer but NetWitness doesn't listen for any data back from Archer.

0 Likes

TamarShelach
Employee
Employee

‎2018-10-21 05:11 AM

Hi Dimal,

Sorry, I don't know to answer your questions but I defiantly agree that the document is very confusing.

and because you already succeeded to figure it out, I would appreciate your help directing me to the relevant instructions to set Incident will be transferred to Archer. so far, we managed to transfer Alerts only. but the alerts doesn't hold any reference to the incident itself. Furthermore, we really want to use NW wisdom and create an Incident in Archer for any Incident created in the respond module in NW. can you help?

0 Likes

DimalZeqiri1
New Contributor
New Contributor
In response to TamarShelach

‎2018-10-22 11:49 AM

Hi Tamar,

 

Using the standard document the mapping should work just fine. Make sure you have the mapping file in UCF correctly mapped to GUID's of Archer.

© 2022 RSA Security LLC or its affiliates. All rights reserved.