Archer Integ: Troubleshoot RSA Archer Integration

Document created by RSA Information Design and Development on Oct 11, 2017Last modified by RSA Information Design and Development on Sep 12, 2018
Version 12Show Document
  • View in full screen mode
  

This section provides resolutions to common problems that you may encounter while configuring RSA Archer® Cyber Incident & Breach Response 1.3.1.2 with NetWitness Respond. 

                                   
ProblemSolutions

After adding the endpoint for NetWitness Respond, the Certificate Authority truststore fails to set.

Resolution

  1. Make sure that the SSH credentials for the NetWitness Platform host are valid.
  2. If the credentials are correct, but the error still occurs, manually copy certificates.
Remediation Tasks being pushed to the operations queue through the UCF are not appearing in RSA Archer® Cyber Incident & Breach Response as Findings. 
  1. Open the Connection Manager using the command prompt:
    • Change directories to <install_dir>\SA IM integration service\data-collector.
    • Type: runConnectionManager.bat
  1. Enter 2 to edit endpoint.
  2. Enter 3 to NetWitness Platform Respond.
  3. Make sure the Target Queue is set to All or Operations.
In the <install_dir>\SA IM integration service\logs\collector.log, there are SSL errors between RSA NetWitness Platform and RSA Unified Collector Framework.
  1. Verify that the SSL certificates are valid.
  2. Note: NetWitness Respond certificates are valid for two years. 

  3. If your certificates are expired, regenerate and copy the expired certificates.
  4. To regenerate and copy the certificates:

    1. In the Command Prompt, go to <install_dir>\SA IM integration service\data-collector.
    2. Enter runConnectionManager.bat
    3. Enter the number for Regenerate NetWitness Platform RESPONDIntegration Service Certificate.

    4. In the NetWitness Platform Respond endpoint, in Connection Manager, enter the number for Edit Endpoint.
    5. Enter Yes to copy the certificates automatically to the NetWitness Platform trust store.

    Note: If certificates fail to copy, manually copy the certificates.

 

When ESA alerts with severity High or Low are forwarded to RSA Archer, the Security Alert Priority field is not populated in the RSA Archer UI.None, as it functions as designed.
When ESA Command and Control Aggregate Scores details are forwarded from NetWitness Suite to RSA Archer UI, fields such as Beaconing Behavior, Rare Domains, Rare User Agents, Missing Referrers, and Suspicious Domains Aggregate Score do not get populated.None, as it functions as designed.
RSA Archer recurring feeds does not work in SSL mode.Make sure you create the RSA Archer recurring feeds in non-SSL mode.
You are here
Table of Contents > Troubleshoot RSA Archer Integration

Attachments

    Outcomes