I sent incident from Netwitness 11.4 to Archer (using "Send to Archer" button in Respond). There are not alerts in Archer! I had alerts and events when I used UCF interface (from ESA or Respod).
Why? What to do?
Is it only one place where I can send usefull information to Archer from NW Respod is incident name that is editable?
Hi Janusz, and thanks for your question.
The non-UCF "Send To Archer" integration is designed to only send the high level Incident information to Archer. As you've noted, alerts and events do not come over as part of this. One workaround you can consider is configuring Archer to automatically create a link back to the appropriate Incident in Respond when more in-depth alert and event analysis as necessary. Essentially saving the time of manually browsing to the proper incident in Respond to get the details.
The steps to do this are:
1) Create or choose the field in an Archer Incident record that you wish to hold the Respond Incident ID (can re-use an existing field or create a new one)

2) Gather the UUID for the Archer field, in lower-case
3) Update Respond field mapping to include the Incident ID (not enabled by default). This involves getting onto the Respond server under /var/lib/netwitness/respond-server/archer/mapping/incident.json and adding a new section for "id" to the JSON file as per the attached image:
At this point, when sending an Incident to Archer, the new field should be populated with the same Incident ID value from Respond.
4) Create another new field in Archer for Incident records, or re-use an existing one. This will be a calculated text field that uses the newly created ID field. To create this calculated field in Archer, when created a new field ensure you check "Calculated Field":

5) In the Formula bar, you can enter this formula:
Where <NetWitnessHost> is replaced by the IP or hostname of your NetWitness server, and "ID" is whatever field name you had created in #1
If this workaround isn't sufficient and/or you'd like to see any other new capabilities in NetWitness, please feel free to generate a request on our Ideas portal. From here you can also help us prioritize other future capabilities by casting your vote: RSA Ideas