We are currently trying to integrate NW 11.0 Respond with Archer SecOps and we are facing some issues.
First of all, this doc here, "Respond Config: Manage Incidents in Archer Cyber Incident & Breach Response", is a bit confusing. It says to set archer-sec-ops-integration-enabled = true, while in the screenshot it highlights a different field, "export-incident-enabled". I would like to know which fields should be set to true.
After following the new integration document, we have managed to pull incidents into SecOps. However, NW 11.0 is not consuming incidents pushed into the queue from Archer.
As we know, there are two queues in the integration:
where incidents are pushed from NW to queue and pulled from UCF
where incidents are pushed from UCF to queue and pulled from NW.
In our previous 10.6 integration, I can see that there are consumers for both queues. However, in the new deployment, 11, I can see that the saim_incident_queue has no consumer.
Has anyone had this experience before? I would appreciate your help!