Cysiv Command

Cysiv Command is a modern security operations and analytics platform. It is the foundation for Cysiv’s threat monitoring, detection, hunting, investigation, and remediation service features. It combines several essential technologies and functions into a single platform, leveraging a broad range of advanced data science techniques to automate the time-consuming, complex but essential activities and processes for truly effective threat detection, hunting, investigation, and remediation.

Cysiv Command integrates with the Archer IT & Security Risk Management solution, specifically the Archer Cyber Incident and Breach Response use case, through the Archer Security Incidents and Incident Journal applications. The integration lets a customer manage incidents and track security posture in Archer on an ongoing basis while an MSSP (Cysiv) delivers SOC-as-a-Service and SIEM-as-a-Service.


Release history

Last updated: February 2020

Overview of Cysiv Command

Key features and benefits

The Cysiv Command integration with Archer provides the following features and benefits:

  • Potential security incidents in Cysiv Command (co-managed SIEM with the end customers) are mirrored to Archer as a means of both informing and interacting with the customer on security investigations.

  • Case details and case comments are mirrored bi-directionally to enable the Cysiv SOC team to use Cysiv Command while customers use Archer. This allows customers of the MSSP services Cysiv provides to track metrics and cases in the Archer tool set, which is important as the customer may have other incidents, cases or GRC activities that are not tracked by Cysiv. Archer acts as the overall security health and performance system for the customer.

Requirements

Component                  | Requirement
---------------------------|-------------------------------------------
Archer Solution            | Archer IT & Security Risk Management
Archer Use Case            | Archer Cyber Incident and Breach Response
Archer Applications        | Security Incidents, Incident Journal
Requires On-Demand License | No

Prerequisites (system requirements)

Component                  | Recommended Software
---------------------------|------------------------------------------------------------------------------
Operating System           | Windows Server 2012 R2 or 2016, Standard or Datacenter editions
Database Server            | Microsoft SQL Server 2016 SP1 (64-bit) or later (Note: SQL Express is not supported)
Services Server            | Java Runtime Environment (JRE) 8 (64-bit)
Archer                     | Archer 6.6 and later
Pre-Requisite Applications | N/A

Integration diagram

The following diagram shows the data flow between Cysiv Command and Archer.

As shown in the diagram there are five main use cases that result in data flow between Cysiv Command and Archer. After a Cysiv user successfully enables the Archer integration in Cysiv Command by retrieving a session token, the user can perform the following actions:

  1. Create a new Archer security incident from a Cysiv Command case, which populates fields in the Archer Security Incidents application such as title, incident summary, incident details, and priority. This operation also posts a new incident journal entry to the security incident that includes additional information about the Cysiv Command case.

  2. Link a Cysiv Command case to an existing Archer security incident. This operation posts a new incident journal entry with additional information about the Cysiv Command case and syncs Cysiv Command case comments with Archer incident journal entries. In addition, some key fields of the Archer security incident, including the incident ID, status, priority, and owner, are retrieved and saved in Cysiv Command.

Once a Cysiv Command case is linked to an Archer security incident by performing one of the actions above, a Cysiv Command user can then do the following:

  1. Create a new incident journal entry in the linked Archer security incident.

  2. Retrieve new incident journal entries and security incident data from the linked Archer security incident.

  3. Resolve a Cysiv Command case that is linked to an Archer security incident. This triggers Cysiv Command to create a new incident journal entry in Archer stating that the Command case has been closed and the reason for closing it.

Configure Cysiv Command and Archer integration

All Cysiv Command components must be installed and working prior to the integration. Perform the necessary tests to confirm this before proceeding.

Important: The integration described in this guide is provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases of your organization. If additional customizations or enhancements are needed, contact Archer Help for assistance.

Configure Cysiv Command

Add Archer App integration

Note: Only privileged Cysiv Command users that have the necessary permissions can perform these steps.

  1. Log into Cysiv Command.

  2. Navigate to Administration > App Integrations.

  3. Click the "Connect" button in the Archer row.

  4. Fill in the fields:

    • Instance name

    • Username

    • Password

    • User Domain (optional)

    • Archer Hostname

    • Archer Port Number

    • Archer URL Path

  5. Click "Connect" to add the integration.

    Note: The Archer Hostname, Port Number, and URL Path fields can be derived from the URL used to access Archer. For example, if Archer is reached at https://my.archer.host.com/archer, the hostname is "my.archer.host.com", the port number is 443 (the default for https; use 80 for http, or the explicit port if the URL contains one), and the URL path is "archer" (the path segment after the hostname, without the leading slash).

  6. If connecting to Archer is successful, the “Connect” button next to the Archer row will be greyed out in the App Integrations page.
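As an added check (example code written for this guide, not part of Cysiv Command or Archer), the following Python splits the Archer access URL into the three fields described in the note above and, optionally, requests a session token from the Archer REST login endpoint so the service account can be verified before it is entered into Cysiv Command. The endpoint path /api/core/security/login, its JSON body and the IsSuccessful/RequestedObject response shape are assumptions taken from the Archer 6.x REST API and should be confirmed against your Archer version; the network call is kept in its own function so the URL handling can be exercised offline.

```python
"""Offline pre-check for the Archer App Integration fields (added example).

Assumes the Archer REST login endpoint POST <base>/api/core/security/login
with a JSON body {"InstanceName","Username","UserDomain","Password"} that
returns {"IsSuccessful": true, "RequestedObject": {"SessionToken": "..."}}.
"""
import json
import ssl
import urllib.request
from typing import Tuple
from urllib.parse import urlparse


def split_archer_url(url: str) -> Tuple[str, int, str]:
    """Split the URL used to reach Archer into hostname, port and URL path.

    The port defaults to 443 for https and 80 for http when the URL carries
    no explicit port; the URL path is returned without surrounding slashes.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no hostname")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port, parts.path.strip("/")


def archer_base_url(hostname: str, port: int, path: str, https: bool = True) -> str:
    """Rebuild the base URL from the three integration fields (inverse of split)."""
    scheme = "https" if https else "http"
    default_port = 443 if https else 80
    netloc = hostname if port == default_port else f"{hostname}:{port}"
    path = path.strip("/")
    return f"{scheme}://{netloc}/{path}" if path else f"{scheme}://{netloc}"


def login_body(instance: str, username: str, password: str, domain: str = "") -> dict:
    """JSON body for the assumed Archer session login call; UserDomain is optional."""
    return {"InstanceName": instance, "Username": username,
            "UserDomain": domain or "", "Password": password}


def fetch_session_token(base_url: str, body: dict, verify_tls: bool = True) -> str:
    """Request a session token from Archer (network call; run by hand, not in tests).

    TLS verification stays on by default: disabling it exposes the Archer
    service-account password to anyone on the network path.
    """
    req = urllib.request.Request(
        f"{base_url}/api/core/security/login",          # assumed endpoint path
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        payload = json.load(resp)
    if not payload.get("IsSuccessful"):
        raise RuntimeError(f"Archer login failed: {payload.get('ValidationMessages')}")
    return payload["RequestedObject"]["SessionToken"]


if __name__ == "__main__":
    host, port, path = split_archer_url("https://my.archer.host.com/archer")
    print(host, port, path)                      # my.archer.host.com 443 archer
    print(archer_base_url(host, port, path))     # https://my.archer.host.com/archer
    # Manual connectivity test (uncomment and fill in a real account):
    # token = fetch_session_token(archer_base_url(host, port, path),
    #                             login_body("Archer", "cysiv_svc", "secret"))
```

The password entered here is stored by Cysiv Command and used for every Archer call, so use a dedicated Archer service account whose rights are limited to the Security Incidents and Incident Journal applications rather than an administrator's credentials.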

Configure Archer

Note: The two tasks below are optional. If the custom fields are not present in the Security Incidents application, Cysiv Command simply does not populate them.

Optional: For each of the fields below, set the field's Private access so that Everyone has read access. This lets all users read the values written by Cysiv Command without being able to modify them.

Task 1: Add custom fields to the security incident application

  1. Add Cysiv_ID field of type numeric

  2. Add Target_Asset field of type text

  3. Add Created_By field of type text

  4. Add DateTime_Closed field of type text

  5. Add Closed_By field of type text

  6. Add Closed_Reason field of type text

  7. Add Reason_Closed_Notes field of type text

Task 2: Add custom field to the security incident application’s source values list

  1. Add Cysiv as a new source
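The following Python is an added example written for this guide, not Cysiv Command's own code. It shows how the case-to-incident mapping from the data-flow section interacts with the optional fields above: a Command case is turned into an Archer content payload, the custom fields from Task 1 are populated only when they exist in the application, and the "Cysiv" source value from Task 2 is selected. The Archer REST content shape (LevelId, FieldContents keyed by field ID, Type codes 1 = text, 2 = numeric, 4 = values list) is assumed from the Archer 6.x REST API; the field IDs, level ID, values-list IDs and the sample case are constructed placeholders, not real Archer metadata.

```python
"""Map a Cysiv Command case to an Archer Security Incidents payload (added example).

Assumed Archer content format: {"Content": {"LevelId": n, "FieldContents":
{"<fieldId>": {"Type": t, "Tag": alias, "Value": v}}}} with Type 1=text,
2=numeric, 4=values list ({"ValuesListIds": [...]}).
"""
from typing import Dict, List, Tuple

TEXT, NUMERIC, VALUES_LIST = 1, 2, 4

# Custom fields from Task 1 with the type this guide says to create them as.
CUSTOM_FIELDS = {
    "Cysiv_ID": NUMERIC, "Target_Asset": TEXT, "Created_By": TEXT,
    "DateTime_Closed": TEXT, "Closed_By": TEXT, "Closed_Reason": TEXT,
    "Reason_Closed_Notes": TEXT,
}

# Constructed stand-in for the application metadata a real integration would
# read from Archer: alias -> (field id, field type). Four Task 1 fields are
# deliberately missing to show that they are skipped rather than sent.
SAMPLE_APP_FIELDS: Dict[str, Tuple[int, int]] = {
    "Incident_Title": (1001, TEXT), "Incident_Summary": (1002, TEXT),
    "Incident_Details": (1003, TEXT), "Priority": (1004, VALUES_LIST),
    "Source": (1005, VALUES_LIST), "Cysiv_ID": (2001, NUMERIC),
    "Target_Asset": (2002, TEXT), "Created_By": (2003, TEXT),
}
SAMPLE_LEVEL_ID = 77
SAMPLE_PRIORITY_IDS = {"critical": 501, "high": 502, "medium": 503, "low": 504}
SAMPLE_SOURCE_IDS = {"Cysiv": 601}  # the Task 2 value, constructed id

# Constructed Cysiv Command case, as the integration would see it.
SAMPLE_CASE = {
    "id": 4711, "title": "Suspicious PowerShell on WKS-0042",
    "summary": "Encoded PowerShell launched by Office process",
    "details": "winword.exe spawned powershell.exe -enc ...; beacon to 203.0.113.7",
    "priority": "High", "target_asset": "WKS-0042", "created_by": "soc.analyst",
}


def missing_custom_fields(app_fields: Dict[str, Tuple[int, int]]) -> List[str]:
    """Which Task 1 fields are absent from the application (check before go-live)."""
    return [name for name in CUSTOM_FIELDS if name not in app_fields]


def build_incident_content(case: dict, app_fields: Dict[str, Tuple[int, int]],
                           level_id: int, priority_ids: Dict[str, int],
                           source_ids: Dict[str, int]) -> dict:
    """Produce the FieldContents for a new incident, populating only fields that exist."""
    wanted = {
        "Incident_Title": case["title"],
        "Incident_Summary": case["summary"],
        "Incident_Details": case["details"],
        "Priority": {"ValuesListIds": [priority_ids[case["priority"].lower()]]},
        "Source": {"ValuesListIds": [source_ids["Cysiv"]]},
        "Cysiv_ID": int(case["id"]),
        "Target_Asset": case.get("target_asset", ""),
        "Created_By": case.get("created_by", ""),
    }
    contents = {}
    for alias, value in wanted.items():
        if alias not in app_fields:
            continue  # custom field not created in Archer: do not populate it
        field_id, field_type = app_fields[alias]
        if alias in CUSTOM_FIELDS and CUSTOM_FIELDS[alias] != field_type:
            raise ValueError(f"{alias} exists but was created with the wrong type")
        contents[str(field_id)] = {"Type": field_type, "Tag": alias, "Value": value}
    return {"Content": {"LevelId": level_id, "FieldContents": contents}}


def journal_entry_text(case: dict, closed: bool = False) -> str:
    """Incident Journal text posted on create/link, or on resolving the Command case."""
    if closed:
        return (f"Cysiv Command case {case['id']} closed by {case.get('closed_by', '?')}: "
                f"{case.get('closed_reason', '')} {case.get('closed_notes', '')}").strip()
    return (f"Linked to Cysiv Command case {case['id']} ({case['title']}), "
            f"created by {case.get('created_by', '?')}")


if __name__ == "__main__":
    print("missing Task 1 fields:", missing_custom_fields(SAMPLE_APP_FIELDS))
    payload = build_incident_content(SAMPLE_CASE, SAMPLE_APP_FIELDS, SAMPLE_LEVEL_ID,
                                     SAMPLE_PRIORITY_IDS, SAMPLE_SOURCE_IDS)
    for field_id, fc in payload["Content"]["FieldContents"].items():
        print(field_id, fc["Tag"], fc["Value"])
    print(journal_entry_text(SAMPLE_CASE))
```

Skipping absent fields instead of failing mirrors the behaviour the note above describes, while the type check catches the easy mistake of creating Cysiv_ID as a text field: the sync would then silently write a number into a text column and later filtering or reporting on it in Archer would not behave as expected. Run missing_custom_fields against the real application metadata after completing Task 1 to confirm all seven fields exist.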

Certification environment

Date tested: January 2020

Product Name  | Version Information | Operating System
--------------|---------------------|-----------------------------
Archer        | 6.6                 | Windows Server 2016 Standard
Cysiv Command | N/A                 | N/A