
Integrating NW 11.0 with SecOps 1.3.1.2

Question asked by Dimal Zeqiri on Aug 14, 2018
Latest reply on Oct 22, 2018 by Dimal Zeqiri

Hi All,

 

We are currently trying to integrate NW 11.0 Respond with Archer SecOps and we are facing some issues.

 

First of all, this doc here, Respond Config: Manage Incidents in Archer Cyber Incident & Breach Response, is a bit confusing. It says to set archer-sec-ops-integration-enabled = true, while in the screenshot it highlights a different field, "export-incident-enabled". I would like to know which fields should be set to true.

 

After following the new integration document, we have managed to pull incidents into SecOps. However, NW 11.0 is not consuming incidents pushed into the queue from Archer.

As we know, there are two queues in the integration:

 

- im.archer_incident_queue
  where incidents are pushed from NW to queue and pulled from UCF

- im.saim_incident_queue
  where incidents are pushed from UCF to queue and pulled from NW.

 

In our previous 10.6 integration I can see that there are consumers for both queues. However, in the new deployment 11, I can see that the saim_incident_queue has no consumer.

 

Has anyone had this experience before? I would appreciate your help!

 

Thank you!
