Configure the Option to Send Incidents to Archer

Note: The information in this topic applies to NetWitness Version 11.2 and later.

If you want to manage incidents in NetWitness Respond, you have the option to configure the NetWitness so that you can send incidents to Archer Cyber Incident & Breach Response. If Archer is configured as a data source in Context Hub, you can send incidents to Archer Cyber Incident & Breach Response and you will be able to see a Send to Archer option and a Sent to Archer status in NetWitness Respond. For information on how to use the Send to Archer option and Sent to Archer status, see the NetWitness Respond User Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Prerequisites

  • Archer release 6.6 P4, 6.6 P5, or 6.7 P2 only is required for NetWitness 11.4 and 11.5.
  • Archer release 6.4 or later is required for NetWitness 11.2 and 11.3.

Add Archer as a Data Source for Context Hub

To configure sending incidents to Archer Cyber Incident & Breach Response from NetWitness Respond, Archer must be configured as a data source for Context Hub. For more detailed instructions for configuring the Archer data source, see the "Configure Archer as Data Source" topic in the Context Hub Configuration Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
    The Services view is displayed.
  2. Select the Context Hub service, and then select netwitness_ic-actns.png > View > Config.
    The Services Config view is displayed.
  3. On the Data Sources tab, click netwitness_add.png > Archer.
    The Add Data Source dialog is displayed.
    netwitness_addarchdstoch.png
  4. Provide the following information:

    • By default, the Enable checkbox is selected. If this option is unchecked, the save button is disabled, you cannot add the data source, and cannot view the contextual information.
    • Enter the following fields:
      • Name: Enter a name for Archer data source.
      • Host: Enter the hostname or IP address where Archer server is installed.
      • SSL: By default this option is selected and enables SSL communication to Archer .
      • Trust All Certificates: Select this checkbox to add the data source without validating the certificate. If you uncheck this option, you need to upload a valid Endpoint server certificate for the connection to be successful.
      • Port: The default port is 443.
      • Username: Enter the Archer Server username.
      • Password: Enter the Archer Server password.
      • Instance: Enter the Instance name from which you want to extract data. An Archer instance is a single setup that includes unique content in a database, the connection to the database, the interface, and login. You might have individual instances for each office location or region or for development, test, and production environments. The Instance Database stores the Archer content for a specific instance.
      • Context Base: Enter the virtual directory name where the files are stored. For example, rsaarcher located at the Archer web address https://archer.company.com/rsaarcher/default.aspx. If the files are stored in the IIS default web address https://archer.company.com/default.aspx, then this field must be empty.
      • Max. Concurrent Queries: You can configure the maximum number of concurrent queries defined by the Context Hub service to be run against the configured data sources. The default value is 10.
  5. Click Test Connection to test the connection between Context Hub and the Archer data source.
  6. Click Save.
    Archer is added as a data source for Context Hub and is displayed in the Data Sources tab. A Send to Archer button and Sent to Archer status is visible in NetWitness Respond.