Skip to main content
Introducing Polarity Intel Edition: Streamlining Intel Distribution for SecOps
Polarity Intel Edition
Request a Demo

ThreatConnect’s RSA Archer Integration, Playbooks, and Apps (oh my!)

One of our top integration requests has been Playbooks for RSA Archer. Good News: we now have numerous out-of-the-box integration capabilities for connecting RSA Archer and ThreatConnect! These apps and playbooks templates allow you to perform a variety of use cases with Archer, from saving users time by automatically assigning relevant threat intelligence to cases, to instantly creating records in Archer tied to incidents in ThreatConnect.

With ThreatConnect and Archer, you can:

  • Leverage over 100 other ThreatConnect integrations to enrich information in Archer
  • Automate processes across the Archer and ThreatConnect platforms to save your team time and make them more efficient
  • Allow for easier collaboration and sharing of intelligence and information between teams and platforms

Below, you’ll find an overview of the Apps and Templates available directly from ThreatConnect:

Apps

  • Get RSA Archer Record: This app retrieves an RSA Archer record. It’s really important to look over the Import Archer Record Playbook if you’re going to use the Get Archer Record app, as it details how to utilize the complicated Archer JSON structure within a Playbook.
  • Create RSA Archer Record: This app creates an RSA Archer record. Supported field types are Text, Numeric, Date, Values List, Attachment, IP Address, and User Lists.
  • Update RSA Archer Record:This app updates an existing RSA Archer record. Supported field types are Text, Numeric, Date, Values List, Attachment, IP Address, and User Lists.

Templates

RSA Archer | Import Archer Record

This Playbook starts with a HTTP Trigger which is intended to be triggered by an Archer advanced workflow. Once triggered, the Playbook will download and parse the Archer record based with the ID that was passed to it. From there it will create a ThreatConnect Incident and save appropriate the parsed fields in the Incident. Additionally, it will parse the Actor saved on the Archer record and either save or associated it to the Incident in ThreatConnect. Lastly, the Archer record is updated with the link back to the Incident in ThreatConnect.

https://github.com/ThreatConnect-Inc/threatconnect-playbooks/tree/master/playbooks/rsa-archer-import-record

 

RSA Archer | Create Archer Record from Incident

This Playbook starts with a User Action trigger tied to ThreatConnect Incidents. When triggered it will parse the Incident attributes and create an Archer record with relevant field.

 

https://github.com/ThreatConnect-Inc/threatconnect-playbooks/tree/master/playbooks/rsa-archer-create-record

 

Want to learn more about ThreatConnect? Join us for a quick 30-minute bi-weekly walkthrough of the ThreatConnect Platform. This is a live demo with one of our security engineers who will be happy to answer any questions about how ThreatConnect will fit into your current security program.

About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.