000029172 - RSA Archer SecOps / Cyber Incident and Breach Response versions and technology compatibility with integrated RSA products

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Mar 9, 2020.
Version 6

Article Content

Article Number: 000029172
Applies To: RSA Product Set: RSA Archer Suite, RSA NetWitness Platform

RSA Product/Service Type: RSA SecOps, RSA Cyber Incident and Breach Response
RSA SecOps Versions: 1.0, 1.1, 1.2
RSA Archer Suite Versions: 5.3.x, 5.4.1, 5.4.1.1, 5.5.x, 5.5.1.x, 6.x
RSA NetWitness Platform Versions: 10.1, 10.2.2.x, 10.3.1, 10.3.2, 10.3.3, 10.4.x, 10.5.x, 10.6.x, 11.x
AIMS Versions: 1.0, 1.1
ACI Versions: 2.0
Issue: This article details version compatibility between RSA Archer SecOps, the RSA Archer Platform and the RSA NetWitness Platform.

RSA introduced SAIM in RSA Archer SecOps 1.2, which is used in the RSA NetWitness Platform (formerly RSA Security Analytics) to populate incidents in the RSA Archer Suite. See the glossary in the resolution section below for further details.

Tasks

 
Resolution

Version Compatibility



| RSA Archer Suite / RSA NetWitness Platform | 10.3.1 | 10.3.2 | 10.3.3 | 10.4.x | 10.6.0.1 | 10.6.2.1 | 11.0.x, 11.1.x, 11.2.x |
|---|---|---|---|---|---|---|---|
| 5.5.x | AIMS 1.1, RSA SecOps 1.1 | RSA SecOps 1.1 | RSA SecOps 1.1 | RSA SecOps 1.2 | | | |
| 5.5.1.x | AIMS 1.1, | | | RSA SecOps 1.2 | | | |
| 5.5.4.x | | | | | RSA SecOps 1.3.1.x | RSA SecOps 1.3.1.x | |
| 6.2.0.1 | | | | | RSA SecOps 1.3.1.x | RSA SecOps 1.3.1.x | |
| 6.2.0.8 | | | | | | | RSA SecOps 1.3.1.2 |
| 6.3 | | | | | RSA SecOps 1.3.1.x | RSA SecOps 1.3.1.x | |
| 6.4, 6.5, 6.6, 6.7 | | | | | RSA Cyber Incident and Breach Response (SecOps 1.3.1.2) | RSA Cyber Incident and Breach Response (SecOps 1.3.1.2) | RSA Cyber Incident and Breach Response (SecOps 1.3.1.2) |


In version 11.x of the RSA NetWitness Platform, we support only traffic from the RSA NetWitness Platform to the RSA Archer Suite; traffic in the opposite direction is no longer supported. RSA will continue to use the SA IM endpoint for the supported part of the traffic. However, data in the RabbitMQ queue im.saim_incident_queue is no longer processed by the RSA NetWitness Platform.


 

Technology Compatibility



| Versions/Technology | Populate Alerts/Incidents | Populate Business Context |
|---|---|---|
| RSA SecOps 1.2 | (RSA NetWitness Platform) SAIM service, (Splunk/ArcSight) RCF 2.7 - RSA SecOps plugins | RCF 2.7 - EM plugins |

 

RSA Unified Collector Framework versions shipped with RSA SecOps



| Versions/Technology | RSA Unified Collector Framework Version as reported in Add/Remove Programs and Features |
|---|---|
| RSA SecOps 1.3 | 1.3.0.581 |
| RSA SecOps 1.3.1 | 1.3.1.52.58 |
| RSA SecOps 1.3.1.2 | 1.3.1.53.26 |

 

Glossary



RCF: RSA Connector Framework. It is a Java-based program that hosts various plugins.
AIMS Plugins: A plug-in module within RCF. It listens to syslog traffic and populates Alert information to the RSA Archer Suite.
ACI Plugins: A plug-in module within RCF. It pulls Device records from the RSA Archer Suite and stores them as CSV. It also acts as a Web server from which RSA NetWitness Live retrieves the CSV.
RSA SecOps Plugins: Similar to AIMS plugins, with the added capability to process ESA alerts from the RSA NetWitness Platform. (RCF 2.7)
EM Plugins: Similar to ACI plugins.
SAIM Service: It includes an instance of RabbitMQ server. It communicates with the RabbitMQ server on the RSA NetWitness Platform using AMQP with SSL. There are 2 modes of integration, Full mode and Mixed mode. Full mode populates all incidents from the RSA NetWitness Platform Incident Management module to the RSA Archer Suite. Mixed mode allows incident triage within SA, as well as population of incidents to Archer. It also allows the RSA NetWitness Platform to create remediation tasks and populate them to the RSA Archer Suite.
