No alerts in Archer from Netwitness
I sent an incident from NetWitness 11.4 to Archer (using the "Send to Archer" button in Respond). There are no alerts in Archer! I had alerts and events when I used the UCF interface (from ESA or Respond).
Why? What to do?
Is the only place where I can send useful information to Archer from NW Respond the incident name, which is editable?
Hi Janusz, and thanks for your question.
The non-UCF "Send To Archer" integration is designed to only send the high-level Incident information to Archer. As you've noted, alerts and events do not come over as part of this. One workaround you can consider is configuring Archer to automatically create a link back to the appropriate Incident in Respond for when more in-depth alert and event analysis is necessary. This essentially saves the time of manually browsing to the proper incident in Respond to get the details.
The steps to do this are:
1) Create or choose the field in an Archer Incident record that you wish to hold the Respond Incident ID (can re-use an existing field or create a new one)
2) Gather the UUID for the Archer field, in lower-case
3) Update Respond field mapping to include the Incident ID (not enabled by default). This involves getting onto the Respond server under /var/lib/netwitness/respond-server/archer/mapping/incident.json and adding a new section for "id" to the JSON file as per the attached image:
At this point, when sending an Incident to Archer, the new field should be populated with the same Incident ID value from Respond.
4) Create another new field in Archer for Incident records, or re-use an existing one. This will be a calculated text field that uses the newly created ID field. To create this calculated field in Archer, when creating a new field ensure you check "Calculated Field":
5) In the Formula bar, you can enter this formula:
IF(NOT(ISEMPTY([ID])), "<a target='_new' href='https://<NetWitnessHost>/respond/incident/" & [ID] & "'>View Details</a>", "")
Where <NetWitnessHost> is replaced by the IP or hostname of your NetWitness server, and "ID" is whatever field name you had created in #1
If this workaround isn't sufficient and/or you'd like to see any other new capabilities in NetWitness, please feel free to generate a request on our Ideas portal. From here you can also help us prioritize other future capabilities by casting your vote: https://community.rsa.com/community/products/ideas
In addition, I'd like to send the name of the assignee user to Archer (as a test, into the Archer Summary field, which is unused), but modifying incident.json had no result.
Where can I find the real names of the NetWitness fields? From the Archer side, I think, using the UUID in "archerFieldGuid" is sufficient.
It looks like your "Assignee" field should be lowercased to "assignee".
The fields you can use for this integration should be mostly identical to the Incident Attributes available through the Respond API: https://community.rsa.com/docs/DOC-110164 (pg. 9). The only attributes in that list that I suspect are not available for this integration are
…because those are fields that the API is doing additional work to create, and this integration is not using the API.
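The two pitfalls in this thread (the Archer field UUID must be lower-case, and the NetWitness field name in the mapping must be lower-case, e.g. "assignee" not "Assignee") are easy to catch before restarting anything. The check below is an added example, not code from the thread or from the NetWitness product; it assumes only that incident.json is a JSON document in which each mapped field is an object carrying an "archerFieldGuid" value, as named above. The embedded sample mapping is constructed and its GUIDs are placeholders, not real Archer field ids.

```python
import json
import re

# Step 2 of the answer: the Archer field UUID must be lower-case.
LOWER_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
GUID_KEY = "archerFieldGuid"  # key named in the thread; file layout otherwise assumed


def check_mapping(text):
    """Return a list of problems found in a Respond->Archer mapping file.

    Walks the JSON tree without assuming its exact layout and reports
      * any archerFieldGuid value that is not a lower-case UUID, and
      * any mapped field name (a key whose value holds an archerFieldGuid)
        that is not lower-case, e.g. "Assignee" instead of "assignee".
    """
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}/{key}"
                if key == GUID_KEY:
                    if not isinstance(value, str) or not LOWER_UUID.match(value):
                        problems.append(f"{here}: not a lower-case UUID: {value!r}")
                elif isinstance(value, dict) and GUID_KEY in value and key != key.lower():
                    problems.append(f"{here}: field name must be lower-case ({key.lower()})")
                walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(doc, "")
    return problems


# Constructed sample: one correct section and one with both mistakes.
SAMPLE = """{
  "id":       {"archerFieldGuid": "0f6a3d2c-1b4e-4c8a-9d7f-2e5b6a1c3d4e"},
  "Assignee": {"archerFieldGuid": "7C9E6679-7425-40DE-944B-E07FC1F90AE7"}
}"""

if __name__ == "__main__":
    for problem in check_mapping(SAMPLE):
        print(problem)
```

Run it against a copy of /var/lib/netwitness/respond-server/archer/mapping/incident.json (read the file and pass its contents to check_mapping) before restarting the Respond server; an empty list means neither pitfall is present.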