https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-with-Http-Event-Collector-HEC-forwarding-via/m-p/412634#M4896 <P>Hi Guys,</P> <P>Doing some forwarding of events using the HEC. So far it looks like this:</P> <UL> <LI><P>Events come in from source(forwarder to idx) at regional location which could be anywhere other than main region in EU.</P></LI> <LI><P>An alert is triggered based on conditions(usually notable search that runs and triggers the alert)</P></LI> <LI><P>Alert information and event are then sent upon trigger via HEC to main region heavy forwarder (HF) in the EU. </P></LI> <LI><P>This then goes from HF to the notable index in the main SOC in EU(it does this via another search that scans the index for new events, like a temp notable index just used for scanning conditions, and then forwards again to the actual notable index in EU.</P></LI> </UL> <P>The issue i'm facing is that we have to manually add the CIM fields that we want sent along with the event when it is logged via alert. EG </P> <UL> <LI>if we have an event that gets logged via alert to the initial notable_temp index, with a field "clientip" we would type in $src=$result.clientip$ in the alert trigger events properties so that it adds that field to the index and forwards it to the main SOC notable index.</LI> </UL> <P>Is there a way to automatically log all CIM fields with the alert action logger to the notable_temp index?EG - create one $magic_value$ that logs everything from the event to the notable_temp?</P> <P>Any thoughts on this?</P> <P>Thanks!</P> Tue, 29 Sep 2020 21:32:10 GMT mwdbhyat 2020-09-29T21:32:10Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-with-Http-Event-Collector-HEC-forwarding-via/m-p/412634#M4896 <P>Hi Guys,</P> <P>Doing some forwarding of events using the HEC. So far it looks like this:</P> <UL> <LI><P>Events come in from source(forwarder to idx) at regional location which could be anywhere other than main region in EU.</P></LI> <LI><P>An alert is triggered based on conditions(usually notable search that runs and triggers the alert)</P></LI> <LI><P>Alert information and event are then sent upon trigger via HEC to main region heavy forwarder (HF) in the EU. </P></LI> <LI><P>This then goes from HF to the notable index in the main SOC in EU(it does this via another search that scans the index for new events, like a temp notable index just used for scanning conditions, and then forwards again to the actual notable index in EU.</P></LI> </UL> <P>The issue i'm facing is that we have to manually add the CIM fields that we want sent along with the event when it is logged via alert. EG </P> <UL> <LI>if we have an event that gets logged via alert to the initial notable_temp index, with a field "clientip" we would type in $src=$result.clientip$ in the alert trigger events properties so that it adds that field to the index and forwards it to the main SOC notable index.</LI> </UL> <P>Is there a way to automatically log all CIM fields with the alert action logger to the notable_temp index?EG - create one $magic_value$ that logs everything from the event to the notable_temp?</P> <P>Any thoughts on this?</P> <P>Thanks!</P> Tue, 29 Sep 2020 21:32:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-with-Http-Event-Collector-HEC-forwarding-via/m-p/412634#M4896 mwdbhyat 2020-09-29T21:32:10Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-with-Http-Event-Collector-HEC-forwarding-via/m-p/412635#M4897 <P>What are you using to send the notable via hec? Custom code? if you send the entire search result line you should get all fields associated with it.</P> Tue, 09 Oct 2018 19:33:20 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-with-Http-Event-Collector-HEC-forwarding-via/m-p/412635#M4897 starcher 2018-10-09T19:33:20Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-with-Http-Event-Collector-HEC-forwarding-via/m-p/412636#M4898 <P>Answering my own question here.. I used this app <A href="https://splunkbase.splunk.com/app/3837/">https://splunkbase.splunk.com/app/3837/</A> --which is a custom alert action that allows you to run another search based on an alert. </P> Mon, 15 Oct 2018 08:28:49 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Can-you-help-me-with-Http-Event-Collector-HEC-forwarding-via/m-p/412636#M4898 mwdbhyat 2018-10-15T08:28:49Z