Enabling the Declared Incident Advanced Workflow
To use the Declared Incident advanced workflow, you must configure your SIEM tool to send data to Archer through the Archer APIs. The following table lists the fields that the declared incident process needs. You may send additional details to Archer, but the fields in this table are the minimum set of data you must send. Note in particular that Archer enrolls a record in the workflow only when the Declared Incident - Helper field is set to Yes; a record that arrives without that value is stored but not enrolled.
| Field Name | Field Type |
|---|---|
| Title. Note: This is a required field. | Text |
| Incident Summary. Note: This is a required field. | Text |
| Incident Details | Text |
| Source | Values List |
| Declared Incident - No of Alerts | Numeric |
| Threat Category | Values List |
| Declared Incident. Note: This field must be set to Yes. | Values List |
| Declared Incident - Helper. Note: Archer enrolls an incident record in the Declared Incident advanced workflow when this field is set to Yes. | Values List |
| Source Device - Enterprise Management Context. Note: This field enables you to look up existing device content IDs. | Cross Reference |
| Destination Device - Enterprise Management Context. Note: This field enables you to look up existing device content IDs. | Cross Reference |
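The following is an added example, not code from the Archer documentation or the Archer product: a small Python module that a SIEM integration could run before calling Archer, to validate that an outgoing incident carries every field in the table above with the right type, that Title and Incident Summary are non-empty, and that both Declared Incident and Declared Incident - Helper are set to Yes, and then to shape the record into a content-creation body. The field IDs, values-list IDs, level ID, and the sample incident are all constructed for the example. The body layout (`Content`, `LevelId`, `FieldContents` keyed by field ID, `ValuesListIds`, `ContentId`) and the numeric type codes are my assumptions about Archer's REST content API; confirm them against your instance's metadata before use.

```python
import json

# Minimal field set from the table above (field name -> Archer field type).
DECLARED_INCIDENT_FIELDS = {
    "Title": "Text",
    "Incident Summary": "Text",
    "Incident Details": "Text",
    "Source": "Values List",
    "Declared Incident - No of Alerts": "Numeric",
    "Threat Category": "Values List",
    "Declared Incident": "Values List",
    "Declared Incident - Helper": "Values List",
    "Source Device - Enterprise Management Context": "Cross Reference",
    "Destination Device - Enterprise Management Context": "Cross Reference",
}
MUST_BE_NONEMPTY = ("Title", "Incident Summary")
MUST_BE_YES = ("Declared Incident", "Declared Incident - Helper")

# ASSUMPTION: type codes used in FieldContents entries. Verify against your instance.
TYPE_CODES = {"Text": 1, "Numeric": 2, "Values List": 4, "Cross Reference": 9}


def validate_incident(incident):
    """Return a list of problems; an empty list means the record may be sent."""
    problems = []
    for name, ftype in DECLARED_INCIDENT_FIELDS.items():
        if name not in incident:
            problems.append(f"missing field: {name}")
            continue
        value = incident[name]
        if ftype == "Text" and not isinstance(value, str):
            problems.append(f"{name}: expected text")
        elif ftype == "Numeric" and (
            isinstance(value, bool) or not isinstance(value, int) or value < 0
        ):
            problems.append(f"{name}: expected a non-negative integer")
        elif ftype == "Values List" and not isinstance(value, str):
            problems.append(f"{name}: expected a values-list entry name")
        elif ftype == "Cross Reference" and not isinstance(value, list):
            problems.append(f"{name}: expected a list of device content IDs")
    for name in MUST_BE_NONEMPTY:
        if not str(incident.get(name, "")).strip():
            problems.append(f"{name}: required field is empty")
    for name in MUST_BE_YES:
        if incident.get(name) != "Yes":
            problems.append(f"{name}: must be set to Yes")
    return problems


def build_payload(incident, level_id, field_ids, values_list_ids):
    """Shape a validated incident into an (assumed) Archer content-creation body.

    field_ids maps field name -> numeric field ID in your instance;
    values_list_ids maps (field name, entry name) -> values-list entry ID.
    Raises ValueError if the record fails validate_incident().
    """
    problems = validate_incident(incident)
    if problems:
        raise ValueError("; ".join(problems))
    contents = {}
    for name, ftype in DECLARED_INCIDENT_FIELDS.items():
        fid = field_ids[name]
        value = incident[name]
        if ftype == "Values List":
            wire = {"ValuesListIds": [values_list_ids[(name, value)]]}
        elif ftype == "Cross Reference":
            wire = [{"ContentId": cid} for cid in value]
        else:
            wire = value
        contents[str(fid)] = {"Type": TYPE_CODES[ftype], "FieldId": fid, "Value": wire}
    return {"Content": {"LevelId": level_id, "FieldContents": contents}}


# Constructed sample data: IDs are placeholders, not values from any real instance.
SAMPLE_FIELD_IDS = {name: 1001 + i for i, name in enumerate(DECLARED_INCIDENT_FIELDS)}
SAMPLE_VALUES_LIST_IDS = {
    ("Source", "SIEM"): 5001,
    ("Threat Category", "Malware"): 5002,
    ("Declared Incident", "Yes"): 5003,
    ("Declared Incident - Helper", "Yes"): 5004,
}
SAMPLE_INCIDENT = {
    "Title": "Credential-stuffing burst against VPN portal",
    "Incident Summary": "7 correlated alerts from the same source range in 10 minutes",
    "Incident Details": "Rule VPN-AUTH-FAIL-BURST fired; see SIEM case 42 (constructed)",
    "Source": "SIEM",
    "Declared Incident - No of Alerts": 7,
    "Threat Category": "Malware",
    "Declared Incident": "Yes",
    "Declared Incident - Helper": "Yes",
    "Source Device - Enterprise Management Context": [30001],
    "Destination Device - Enterprise Management Context": [30002],
}

if __name__ == "__main__":
    body = build_payload(SAMPLE_INCIDENT, 777, SAMPLE_FIELD_IDS, SAMPLE_VALUES_LIST_IDS)
    print(json.dumps(body, indent=2))
```

Run the validator on every record before it leaves the SIEM connector: a record rejected here never reaches Archer, so a misconfigured rule that forgets the Helper flag surfaces as an integration error instead of as an incident that silently never enters the workflow.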
