ThreatConnect
The ThreatConnect integration with Archer is a series of Playbook apps and templates that enables users to automate a variety of actions with Archer. This integration allows users to save time by orchestrating the creation, update, and retrieval of Archer records as part of a ThreatConnect Playbook.
Release history
Last updated: November 2018
Solution summary
Benefits
- Enabling the orchestration of investigative and response actions using ThreatConnect Playbooks from Archer
- Leveraging over 100 other ThreatConnect integrations to enrich information in Archer
- Automation of processes across the Archer and ThreatConnect platforms to save your team time and make the processes more efficient
- Easier collaboration and sharing of intelligence and information between teams and platforms
| Partner Integration Overview | |
|---|---|
| Archer Solution | IT Security Risk Management |
| Archer Use Case | Cyber Incident and Breach Response |
| Archer Applications | Security Incidents |
| Uses Custom Application | No |
| Requires On-Demand License | No |
ThreatConnect Apps
Get Archer record
This app retrieves an Archer record.
Create Archer record
This app creates an Archer record. Supported field types are Text, Numeric, Date, Values List, Attachment, IP Address, and User Lists.
Update Archer record
This app updates an existing Archer record. Supported field types are Text, Numeric, Date, Values List, Attachment, IP Address, and User Lists.
ThreatConnect Templates
Import Archer record
This Playbook starts with an HTTP Trigger that is intended to be triggered by an Archer advanced workflow. Once triggered, the Playbook will download and parse the Archer record based on the ID that was passed to it. It will then create an Incident in ThreatConnect and save the appropriate parsed fields in the Incident. It will also parse the Actor saved on the Archer record and either save or associate it to the Incident in ThreatConnect. Lastly, it will update the Archer record with the link back to the Incident in ThreatConnect.
Create Archer record from incident
This Playbook starts with a UserAction Trigger tied to ThreatConnect Incidents. When triggered, it will parse the Attributes of the Incident and create an Archer record with relevant fields.
Partner product configuration
Before you begin
This section provides instructions for configuring ThreatConnect with Archer. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
All ThreatConnect components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is the case before proceeding.
Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact Archer Help for assistance.
ThreatConnect platform configuration
Archer integration for ThreatConnect is configured by using ThreatConnect Playbooks. For detailed instructions on using Playbooks, see the following article: https://kb.threatconnect.com/customer/en/portal/articles/2744775.
- Ensure that the Archer apps are installed in TC Exchange™. See the Installing an App sub-section of the Apps and Jobs section of the ThreatConnect System Administration Guide for instructions on how to install the Archer apps for ThreatConnect.
- If using templates to get started, download Archer templates from GitHub: https://github.com/ThreatConnect-Inc/threatconnect-playbooks/tree/master/playbooks. See the Importing a Playbook section of the ThreatConnect Knowledge Base article on Playbook Templates for instructions on how to import the downloaded Playbook templates: https://kb.threatconnect.com/customer/portal/articles/2958668.
- Configure the Archer Playbook apps. See the in-app documentation in Playbooks for detailed information about each Archer configuration parameter.
Archer configuration
The Archer account used to configure the integration must have permissions to use the REST API and the target Archer application. Archer web services must be enabled in order for the integration to use the REST API. Consult the Archer RESTful API Reference Guide for more information on requirements for using the APIs.
Certification environment
Date tested: October 2018
| Product Name | Version Information | Operating System |
|---|---|---|
| Archer | 6.4 | Windows 2016 |
| ThreatConnect | 5.6 | |