Hi All,
We are currently trying to integrate NW 11.0 Respond with Archer SecOps and we are facing some issues.
First of all, this doc here Respond Config: Manage Incidents in Archer Cyber Incident & Breach Response is a bit confusing. It says to set archer-sec-ops-integration-enabled = true while on the screenshot it highlights a different field "export-incident-enabled". I would like to know which fields should be set to true.
After following the new integration document, we have managed to pull incidents into SecOps. However, NW 11.0 is not consuming incidents pushed into the queue from Archer.
As we know, there are two queues in the integration:
- im.archer_incident_queue, where incidents are pushed from NW to the queue and pulled by UCF
- im.saim_incident_queue, where incidents are pushed from UCF to the queue and pulled by NW.
In our previous 10.6 integration I can see that there are consumers for both queues. However, in the new 11 deployment, I can see that the saim_incident_queue has no consumer.
Has anyone had this experience before? I would appreciate your help!
Thank you!
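An added check, not from the original post: a small POSIX shell helper that takes a broker queue listing and prints the queues that currently have zero consumers, so the "no consumer on im.saim_incident_queue" symptom above can be confirmed from the command line instead of the UI. It assumes (the post does not say so) that the Respond queues live on RabbitMQ, that the listing comes from `rabbitmqctl list_queues -p <vhost> name consumers`, and the vhost name `/rsa/system` is likewise an assumption. The sample listing inside the block is constructed.

```shell
#!/bin/sh
# Added example (not part of the thread). Assumption: the NW Respond/IM
# queues are hosted on RabbitMQ and the input is the output of
#   rabbitmqctl list_queues -p /rsa/system name consumers
# Reads that listing on stdin; prints one queue name per line whose
# consumer count is 0. Header and status lines (non-numeric 2nd column)
# are skipped.
queues_without_consumers() {
    awk '$2 ~ /^[0-9]+$/ && $2 == 0 { print $1 }'
}

# Constructed sample listing standing in for real rabbitmqctl output.
sample_listing() {
    printf 'Timeout: 60.0 seconds ...\n'
    printf 'Listing queues for vhost /rsa/system ...\n'
    printf 'name\tconsumers\n'
    printf 'im.archer_incident_queue\t1\n'
    printf 'im.saim_incident_queue\t0\n'
}

# Returns 0 when every queue in the listing has at least one consumer,
# 1 otherwise (suitable for a cron or monitoring check).
check_consumers() {
    idle=$(queues_without_consumers)
    if [ -n "$idle" ]; then
        printf 'queues with no consumer:\n%s\n' "$idle" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample:
#   sample_listing | check_consumers
# On a live host you would pipe rabbitmqctl instead of sample_listing.
```

Piping the real listing through `check_consumers` from cron gives a non-zero exit whenever the NW-side consumer on im.saim_incident_queue disappears, which is the condition described above.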
Dimal, I created a ticket to fix the documentation for your first question. The answer is that you only need to set archer-sec-ops-integration-enabled = true.
On your second question about the queues, I'm asking someone else as I haven't configured the integration myself.