ThreatConnect's RSA Archer Integration, Playbooks, and Apps (oh my!)

One of our top integration requests has been Playbooks for RSA Archer. Good News: we now have numerous out-of-the-box integration capabilities for connecting RSA Archer and ThreatConnect! These apps and playbooks templates allow you to perform a variety of use cases with Archer, from saving users time by automatically assigning relevant threat intelligence to cases, to instantly creating records in Archer tied to incidents in ThreatConnect.

With ThreatConnect and Archer, you can:

  • Leverage over 100 other ThreatConnect integrations to enrich information in Archer
  • Automate processes across the Archer and ThreatConnect platforms to save your team time and make them more efficient
  • Allow for easier collaboration and sharing of intelligence and information between teams and platforms

Below, you’ll find an overview of the Apps and Templates available directly from ThreatConnect:


  • Get RSA Archer Record: This app retrieves an RSA Archer record. It’s really important to look over the Import Archer Record Playbook if you’re going to use the Get Archer Record app, as it details how to utilize the complicated Archer JSON structure within a Playbook.
  • Create RSA Archer Record: This app creates an RSA Archer record. Supported field types are Text, Numeric, Date, Values List, Attachment, IP Address, and User Lists.
  • Update RSA Archer Record:This app updates an existing RSA Archer record. Supported field types are Text, Numeric, Date, Values List, Attachment, IP Address, and User Lists.


RSA Archer | Import Archer Record

This Playbook starts with a HTTP Trigger which is intended to be triggered by an Archer advanced workflow. Once triggered, the Playbook will download and parse the Archer record based with the ID that was passed to it. From there it will create a ThreatConnect Incident and save appropriate the parsed fields in the Incident. Additionally, it will parse the Actor saved on the Archer record and either save or associated it to the Incident in ThreatConnect. Lastly, the Archer record is updated with the link back to the Incident in ThreatConnect.


RSA Archer | Create Archer Record from Incident

This Playbook starts with a User Action trigger tied to ThreatConnect Incidents. When triggered it will parse the Incident attributes and create an Archer record with relevant field.


Want to learn more about ThreatConnect? Join us for a quick 30-minute bi-weekly walkthrough of the ThreatConnect Platform. This is a live demo with one of our security engineers who will be happy to answer any questions about how ThreatConnect will fit into your current security program.

About the Author

ThreatConnect is the only security platform with comprehensive intelligence, analytics, automation, orchestration, and workflow capabilities native within a single solution. With ThreatConnect, you will be able to increase accuracy and efficiency, improve collaboration of teams and technology, strengthen business-security goal alignment, and build a single source of truth for your entire security team.