Manage Incidents in Archer Cyber Incident & Breach Response

If you want to manage incidents in Archer Cyber Incident & Breach Response instead of NetWitness Respond, you have to configure system integration settings in the Respond Server service Explore view. After you configure the system integration settings, all incidents are managed in Archer Cyber Incident & Breach Response. Incidents created before the integration will not be managed in Archer Cyber Incident & Breach Response.

Caution: If you are managing incidents in Archer Cyber Incident & Breach Response instead of NetWitness Respond, do not use the following in the Respond view: Incidents List view, Incident Details view, and Tasks List view. Do not create incidents from the Respond Alerts List view or from Investigate. In NetWitness 11.4 and later, you can manually create incidents from Respond and Investigate.

For more detailed integration information, see the NetWitness Archer Integration Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.

Prerequisites

  • Archer Cyber Incident & Breach Response 1.3.1.2 (NetWitness 11.0 works only with Archer Cyber Incident & Breach Response 1.3.1.2.)

Procedure

Follow this procedure to configure Respond Server service settings to manage incidents in Archer Cyber Incident & Breach Response.

  1. Go to Admin > Services, select the Respond Server service, and then select the actions icon > Config > Explore.
  2. In the Explore view node list, select respond/integration/export.
  3. In the archer-exchange-name field, type incidents.archer.
    You will see a notice that the configuration was successfully updated.
  4. In the archer-sec-ops-integration-enabled field, select true.
    A message informs you that the configuration was successfully updated.
    Incidents will be managed exclusively in Archer Cyber Incident & Breach Response.