We are currently trying to integrate NW 11.0 Respond with Archer SecOps and we are facing some issues.
First of all, this doc here, "Respond Config: Manage Incidents in NetWitness SecOps Manager", is a bit confusing. It says to set archer-sec-ops-integration-enabled = true, while on the screenshot it highlights a different field, "export-incident-enabled". I would like to know which fields should be set to true.
After following the new integration document, we have managed to pull incidents into SecOps. However, NW 11.0 is not consuming incidents pushed into the queue from Archer.
As we know, there are two queues in the integration:
where incidents are pushed from NW to queue and pulled from UCF
where incidents are pushed from UCF to queue and pulled from NW.
In our previous 10.6 integration I can see that there are consumers for both queues. However, in the new deployment 11, I can see that the saim_incident_queue has no consumer.
Has anyone had this experience before? I would appreciate your help!
Sorry, I don't know how to answer your questions, but I definitely agree that the document is very confusing.
And because you already succeeded in figuring it out, I would appreciate your help directing me to the relevant instructions to set up Incidents to be transferred to Archer. So far, we have managed to transfer Alerts only, but the alerts don't hold any reference to the incident itself. Furthermore, we really want to use NW wisdom and create an Incident in Archer for any Incident created in the Respond module in NW. Can you help?