Posted
One of our top integration requests has been Playbooks for RSA Archer. Good News: we now have numerous out-of-the-box integration capabilities for connecting RSA Archer and ThreatConnect! These apps and playbooks templates allow you to perform a variety of use cases with Archer, from saving users time by automatically assigning relevant threat intelligence to cases, to instantly creating records in Archer tied to incidents in ThreatConnect.
With ThreatConnect and Archer, you can:
- Leverage over 100 other ThreatConnect integrations to enrich information in Archer
- Automate processes across the Archer and ThreatConnect platforms to save your team time and make them more efficient
- Allow for easier collaboration and sharing of intelligence and information between teams and platforms
Below, you’ll find an overview of the Apps and Templates available directly from ThreatConnect:
Apps
- Get RSA Archer Record: This app retrieves an RSA Archer record. It’s really important to look over the Import Archer Record Playbook if you’re going to use the Get Archer Record app, as it details how to utilize the complicated Archer JSON structure within a Playbook.
- Create RSA Archer Record: This app creates an RSA Archer record. Supported field types are Text, Numeric, Date, Values List, Attachment, IP Address, and User Lists.
- Update RSA Archer Record:This app updates an existing RSA Archer record. Supported field types are Text, Numeric, Date, Values List, Attachment, IP Address, and User Lists.
Templates
RSA Archer | Import Archer Record
This Playbook starts with a HTTP Trigger which is intended to be triggered by an Archer advanced workflow. Once triggered, the Playbook will download and parse the Archer record based with the ID that was passed to it. From there it will create a ThreatConnect Incident and save appropriate the parsed fields in the Incident. Additionally, it will parse the Actor saved on the Archer record and either save or associated it to the Incident in ThreatConnect. Lastly, the Archer record is updated with the link back to the Incident in ThreatConnect.
https://github.com/ThreatConnect-Inc/threatconnect-playbooks/tree/master/playbooks/rsa-archer-import-record
RSA Archer | Create Archer Record from Incident
This Playbook starts with a User Action trigger tied to ThreatConnect Incidents. When triggered it will parse the Incident attributes and create an Archer record with relevant field.
https://github.com/ThreatConnect-Inc/threatconnect-playbooks/tree/master/playbooks/rsa-archer-create-record
Want to learn more about ThreatConnect? Join us for a quick 30-minute bi-weekly walkthrough of the ThreatConnect Platform. This is a live demo with one of our security engineers who will be happy to answer any questions about how ThreatConnect will fit into your current security program.