CyberSponse CyOPs
Archer enables you to build effective and collaborative enterprise governance, risk and compliance solutions across domains, including Security Risk Management, Operational Risk Management, and Regulatory and Corporate Compliance.
CyberSponse helps analysts automate security investigation workflows. Archer complements this activity by providing a platform to manage the security incident investigation process. This integration of CyberSponse with Archer lets analysts use Archer from within automated investigation workflows in CyOPs™, allowing them to create, update, close, or access security incidents in Archer. Apart from these actions, analysts can also query for more information about users, groups, and applications within Archer. This helps them keep the focus on the more critical aspects of the investigation.
Release history
Last updated: October 2018
Solution summary
Partner Integration Overview |
---|---
Archer Solution | IT Security Risk Management
Archer Use Case | Cyber Incident & Breach Response
Archer Applications | Security Incidents
Uses Custom Application | No
Requires On-Demand License | No
Partner product configuration
Before you begin
This section provides instructions for configuring CyberSponse CyOPs™ with Archer. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has a working knowledge of all the products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products required for this integration to install the required components.
All CyberSponse components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding with the integration.
Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact Archer Help for assistance.
CyberSponse CyOPs™ configuration
Configuring access to Archer in CyOPs™ requires configuring two components: connectors and playbooks. Using the CyOPs™ playbook designer, you can visually create playbooks to build automation workflows. When a workflow needs to connect to an external security tool, it uses a connector. Connectors are plug-and-play integrations with other security products, for example, Archer.
It is recommended that you have configured a user on Archer who has API access permissions before configuring the connector.
Configuring Archer connector
- Log in to CyOPs™.
- In CyOPs™, on the left pane, click Automation > Connectors. On the Connectors page, you will see the Archer connector.
- To configure the connector parameters, click Configure in the Archer connector row and enter the required configuration details in the Configurations tab. To configure the Archer connector, specify the following parameters:
  - In the Configuration Name field, enter a unique name for your configuration. For example, production-env.
  - Check the Mark As Default Configuration option to make the selected configuration the default configuration of this connector on the particular CyOPs™ instance. Once selected, the connector will point to this configuration by default.
  - In the ServerURL field, enter the IP address or URL of the Archer server to which you will connect and perform automated operations.
  - In the Port field, enter the port number used for connecting to the Archer server. By default, this is set to 80.
  - In the Instance Name field, enter the instance name of the Archer server to which you will connect and perform the automated operations.
  - In the Username field, enter the username to access the Archer server.
  - In the Password field, enter the password to access the Archer server.
  - In the IIS Virtual Path field, enter the virtual path that is configured in IIS Manager. Archer is hosted in IIS, and the IIS virtual path is configured as "/RSArcher". The IIS Virtual Path is used to create the base URL. For example, if your IP is xx.xx.xx.xx1, then the base URL will be created as https://xx.xx.xx.xx1/<IIS Virtual Path>.
  - Select the Verify SSL checkbox to verify the SSL certificate for the server. By default, it is set to True.
- To save your configuration, click Save.
- To view the list of actions that can be performed by the connector, click the Actions tab.
- To view the list of playbooks bundled with the connector, click the Sample Playbooks tab.
- (Optional) To check the connectivity to the Archer server and the validity of the credentials provided, perform a health check by clicking the Refresh icon in the Health Check bar.
  - If all the details are correct and the Archer server is available, then the health check status displays as Available.
  - If any of the details are incorrect or the Archer server is unavailable, then the health check status displays as Disconnected.
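As an added example (not code from CyberSponse or Archer), the following Python shows how the ServerURL, Port and IIS Virtual Path fields above combine into the base URL of the form https://<host>/<IIS Virtual Path>, and reports the settings in a configuration that weaken the connection. It assumes that a ServerURL given without a scheme is reached over HTTPS, that the standard ports 80 and 443 are omitted from the base URL, and that the configuration is a dict keyed by the field names used above; the connector's own URL logic is not shown on this page.

```python
from urllib.parse import urlsplit

# Standard ports are left out of the base URL (an assumption, see the lead-in).
STANDARD_PORTS = {"http": 80, "https": 443}


def build_base_url(server_url, port=80, iis_virtual_path="/RSArcher"):
    """Combine the ServerURL, Port and IIS Virtual Path fields into the base URL
    https://<host>[:port]/<IIS Virtual Path> described in the connector settings."""
    raw = server_url.strip()
    if "://" not in raw:
        # Assumption: a bare IP address or hostname is reached over HTTPS.
        raw = "https://" + raw
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    if scheme not in STANDARD_PORTS:
        raise ValueError("ServerURL must use http or https, got %r" % scheme)
    host = parts.hostname
    if not host:
        raise ValueError("ServerURL contains no host name or IP address")
    if ":" in host:
        # IPv6 literal: urlsplit strips the brackets, so put them back.
        host = "[%s]" % host
    # A port written inside ServerURL takes precedence over the Port field.
    effective_port = parts.port if parts.port is not None else int(port)
    netloc = host
    if effective_port not in STANDARD_PORTS.values():
        netloc = "%s:%d" % (host, effective_port)
    vpath = iis_virtual_path.strip().strip("/")
    if vpath:
        return "%s://%s/%s" % (scheme, netloc, vpath)
    return "%s://%s" % (scheme, netloc)


def config_warnings(config):
    """Return the security-relevant problems in a connector configuration dict
    keyed by the field names above; an empty list means nothing was flagged."""
    warnings = []
    base = build_base_url(config.get("ServerURL", ""), config.get("Port", 80),
                          config.get("IIS Virtual Path", "/RSArcher"))
    if base.startswith("http://"):
        warnings.append("plain HTTP: the Archer username, password and session travel unencrypted")
    if not config.get("Verify SSL", True):
        warnings.append("Verify SSL is off: the Archer server's TLS certificate is never checked")
    if not config.get("Username") or not config.get("Password"):
        warnings.append("Username or Password is empty")
    return warnings


if __name__ == "__main__":
    # Constructed configuration for demonstration; production-env is the name
    # used as the example Configuration Name above.
    sample = {"Configuration Name": "production-env", "ServerURL": "10.1.2.3",
              "Port": 80, "Instance Name": "ArcherInstance", "Username": "svc_cyops",
              "Password": "<placeholder>", "IIS Virtual Path": "/RSArcher",
              "Verify SSL": False}
    print(build_base_url(sample["ServerURL"], sample["Port"], sample["IIS Virtual Path"]))
    for line in config_warnings(sample):
        print("WARNING:", line)
```

Verify SSL defaults to True in the connector; switching it off silences certificate errors rather than fixing them, so the check reports it rather than treating it as a convenience setting.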
Using connector actions
The Archer playbook collection comes bundled with the Archer connector so that you can use these samples as templates and create custom playbooks according to your requirements. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Archer connector.
Important: If you plan to use any of the sample playbooks in your environment, then ensure that you clone those playbooks and move them to a different collection since the sample playbook collection (Sample - Archer - 1.0.2) gets deleted during connector upgrade and delete.
The names of the included playbooks and the names of the connector actions are the same, for example, if the name of the included playbook is Create Record, then the connector action name is also Create Record.
- Log in to CyOPs™.
- In CyOPs™, on the left pane, click Automation > Playbooks.
- In the Playbook Collections tab, click Sample - Archer - 1.0.2 to view the playbook collection, i.e., the list of playbooks that comes bundled with the Archer connector.
- Click the playbook whose steps you want to view. For example, select the Create Record playbook. This opens the Create Record playbook in the playbook designer. Click the Create Record step to view the parameters of the step.
Archer connector includes the following connector steps and playbooks:
- Create Record
- Create Record in Metrics
- Create Security Incident
- Get All Groups Details
- Get All Users Details
- Get Details For All Modules
- Get Details For All Reports
- Get Fields Details of Module
- Get Record
- Get Records by Report
- Get Reports Details of Module
- Get Values List Item
- Update Record
For details on connector steps, see the Connector Documentation included with the Archer connector.
The following describes some of the connector steps and the inputs they require.
Create record
Use this connector step to create a record in the Archer module you have specified. The JSON output for this operation contains the ID of the record you have created on the Archer server.
Provide input for the following parameter(s) for this playbook:
- Module ID/Name/Alias: ID, Name, or Alias of the Archer module (application) in which you want to create records. The input value of this field must be in string format. For example, in the case of the Security Incident module:
  - If you know the Module ID where you want to create records, you can enter the Module ID as "189" or '189' in this field.
  - If you know the Module Name where you want to create records, you can enter the Module Name as "Security Incident" or 'Security Incident' in this field.
- Field Values: This parameter must be in the dictionary (dict) format and contains Key-Value pairs. For more information on the value required for this parameter, see the Connector Documentation included with the Archer connector. For example:
  {
    "Title": "Alert ID: 224939",
    "Incident Summary": "This incident is Created by CyberSponse",
    "Source": "RSA NetWitness",
    "Incident Status": "New",
    "Incident Details": "This Incident is created by CyberSponse for Demo Purposes"
  }
Update record
Use this connector step to update a record in the Archer server, based on the record ID you have specified. The JSON output for this operation contains the details of the record you have updated on the Archer server.
Provide input for the following parameters for this playbook:
- Module ID/Name/Alias: ID, Name, or Alias of the Archer module (application) in which you want to update records. The input value of this field must be in string format.
- Record Content ID: ID of the record that you want to update.
- Field Values: This parameter must be in the dictionary (dict) format and contains Key-Value pairs. For more information on the value required for this parameter, see the Connector Documentation included with the Archer connector.
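The Create Record and Update Record steps above take the same two inputs, a Module ID/Name/Alias string and a Field Values dict, and Update Record adds a Record Content ID. As an added example (not the connector's own code), the following Python validates and normalises those inputs before they reach the step: it resolves "189", "Security Incident" or an alias to one module ID, accepts Field Values either as a dict or as JSON text, rejoins values that were wrapped across lines like the example above, and reports fields the record still lacks. The SAMPLE_MODULES list with its Id/Name/Alias keys, the REQUIRED_FIELDS set, and the shape of the returned step dict are assumptions for this example; the page does not show the output format of Get Details For All Modules or the step's internal input layout.

```python
import json

# Constructed module listing for this example. In a playbook it would come from
# the Get Details For All Modules step; the Id/Name/Alias key names are assumed.
SAMPLE_MODULES = [
    {"Id": 189, "Name": "Security Incident", "Alias": "SecurityIncidents"},
    {"Id": 75, "Name": "Incident Management", "Alias": "Incidents"},
    {"Id": 231, "Name": "Audit Findings", "Alias": "AuditFindings"},
]

# Assumed minimum for a usable Security Incident record: Assigned To is what
# drives automatic assignment to an analyst in the solution overview below.
REQUIRED_FIELDS = ("Title", "Incident Status", "Assigned To")


def resolve_module(selector, modules=SAMPLE_MODULES):
    """Turn the Module ID/Name/Alias string ("189", "Security Incident", or an
    alias) into the numeric module ID, refusing non-strings and ambiguous names."""
    if not isinstance(selector, str):
        raise TypeError("Module ID/Name/Alias must be a string, got %s" % type(selector).__name__)
    key = selector.strip()
    if not key:
        raise ValueError("Module ID/Name/Alias is empty")
    if key.isdigit():
        wanted = int(key)
        if any(m["Id"] == wanted for m in modules):
            return wanted
        raise LookupError("no Archer module with ID %d" % wanted)
    lowered = key.lower()
    hits = [m for m in modules if lowered in (m["Name"].lower(), m["Alias"].lower())]
    if len(hits) != 1:
        raise LookupError("%r matched %d modules, expected exactly one" % (key, len(hits)))
    return hits[0]["Id"]


def parse_field_values(raw):
    """Accept the Field Values dict, or the same dict as JSON text, and return a
    clean dict: non-empty string keys, wrapped string values rejoined."""
    if isinstance(raw, str):
        raw = json.loads(raw)  # a playbook input field usually carries JSON text
    if not isinstance(raw, dict):
        raise TypeError("Field Values must be a dictionary of field name to value")
    cleaned = {}
    for name, value in raw.items():
        if not isinstance(name, str) or not name.strip():
            raise ValueError("every Field Values key must be a non-empty field name")
        if isinstance(value, str):
            value = " ".join(value.split())  # collapse line wraps and stray indentation
        cleaned[name.strip()] = value
    return cleaned


def missing_required(field_values, required=REQUIRED_FIELDS):
    """Names from `required` that the Field Values dict does not set."""
    return [name for name in required if name not in field_values]


def build_step_input(action, module_selector, field_values, record_content_id=None,
                     modules=SAMPLE_MODULES):
    """Assemble the inputs for a Create Record or Update Record step. Update
    Record additionally needs a positive integer Record Content ID."""
    if action not in ("Create Record", "Update Record"):
        raise ValueError("unsupported action %r" % action)
    step = {
        "action": action,
        "module_id": resolve_module(module_selector, modules),
        "field_values": parse_field_values(field_values),
    }
    if action == "Update Record":
        rid = "" if record_content_id is None else str(record_content_id).strip()
        if not rid.isdigit() or int(rid) <= 0:
            raise ValueError("Update Record needs a positive integer Record Content ID")
        step["record_content_id"] = int(rid)
    return step


if __name__ == "__main__":
    # The Field Values example from this page, with its wrapped last value.
    example = {
        "Title": "Alert ID: 224939",
        "Incident Summary": "This incident is Created by CyberSponse",
        "Source": "RSA NetWitness",
        "Incident Status": "New",
        "Incident Details": "This Incident is created by CyberSponse for\n    Demo Purposes",
    }
    step = build_step_input("Create Record", "Security Incident", example)
    print(json.dumps(step, indent=2))
    print("missing before submit:", missing_required(step["field_values"]))
```

Resolving the module by name or alias is done with an exact, case-insensitive match against a single module; a substring match would let "Incident" pick either Security Incident or Incident Management, and the record would land in the wrong application.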
Get field details of module
Use this connector step to retrieve the details of all the fields of the specified module (application) from the Archer server.
Provide input for the following parameter(s) for this playbook:
- Module ID/Name/Alias: ID, Name, or Alias of the Archer module (application) from which you want to retrieve field details. The input value of this field must be in string format.
- Save Output as HTML Attachment (Optional): Select the Save Output as HTML Attachment check box if, in addition to the JSON output, you also want to add the contents of the output to an HTML file and add that HTML file to the Attachments Module in CyOPs™.
Get record
Use this connector step to retrieve all the details about a record from the Archer server, based on the record ID that you have specified.
Provide input for the following parameter(s) for this playbook:
- RecordID: ID of the Archer record whose details you want to retrieve. For example: RecordID: 189.
Solution overview
CyOPs™ uses the Archer REST API to query for metadata, such as information about modules, records, users, and groups. The information gathered from Archer is then used in automated workflows that create or update security incidents on the Archer Platform based on alerts generated in CyOPs™. These security incidents are created and assigned automatically to incident responders or analysts, enabling the analysts to investigate the alerts quickly.
An alert is created in CyOPs™ based on data received from a SIEM, for example, RSA® NetWitness®. You want to create a Security Incident for that alert in the Security Incident Management module in Archer and automatically assign this record to an analyst for further investigation. Perform the following steps in CyOPs™ for this scenario:
Note: Based on the type of alert created in CyOPs™ you can create records in all the modules, such as Incident Management, Audit Findings, and Security Incidents in Archer.
- Log in to CyOPs™.
- In CyOPs™, on the left pane, click Incident Response > Alerts.
- Select the alert for which you want to create a record in Archer and then click Execute > Archer: Create Security Incidents in the top bar of the Alerts module.
- Once you click Archer: Create Security Incidents, CyOPs™ calls the Create Record connector action, which in turn creates a record in Archer in the Security Incident Management module. The record is created based on the parameters you have specified in the Field Values parameter. The Field Values input includes an Assigned To field, based on which the record is automatically assigned to an analyst. For information on the Field Values parameter, see Create Record.
- To view the output for this action, click Automation > Playbooks and then click the Execution History tab. Click the Archer: Create Security Incidents playbook to display the connector log for this action and to see the output for this connector action in JSON format. Click the Create Record step and, in the Output tab, click data and navigate to CreateRecordResponse to see the details of the record that was created in Archer.
- To view the record that has been created on the Archer server, log in to the Archer server that you have configured for this integration (see Configuring the Archer Connector). Click Show All > IT Security Risk Management > Security Incident Management > Security Incidents to see the list of security incidents. Click a security incident to display its record.
Certification environment
Date tested: October 2018
Product Name | Version Information | Operating System
---|---|---
Archer | 6.2.0.1 | Virtual Appliance
CyberSponse CyOPs™ | 4.11.0-1161 | Virtual Appliance
Archer Connector | 1.0.2 |