Splunk Enterprise Security

Can you help me with Http Event Collector (HEC) forwarding via alert?

mwdbhyat
Builder

Hi Guys,

Doing some forwarding of events using the HEC. So far it looks like this:

  • Events come in from source (forwarder to idx) at a regional location, which could be anywhere other than the main region in the EU.

  • An alert is triggered based on conditions (usually a notable search that runs and triggers the alert).

  • Alert information and the event are then sent upon trigger via HEC to the main-region heavy forwarder (HF) in the EU.

  • This then goes from the HF to the notable index in the main SOC in the EU (it does this via another search that scans the index for new events, like a temp notable index used just for scanning conditions, and then forwards again to the actual notable index in the EU).

The issue I'm facing is that we have to manually add the CIM fields that we want sent along with the event when it is logged via alert. E.g.:

  • If we have an event that gets logged via alert to the initial notable_temp index, with a field "clientip", we would type in $src=$result.clientip$ in the alert's trigger-event properties so that it adds that field to the index and forwards it to the main SOC notable index.

Is there a way to automatically log all CIM fields with the alert action logger to the notable_temp index? E.g., create one $magic_value$ that logs everything from the event to the notable_temp?

Any thoughts on this?

Thanks!

0 Karma
1 Solution

mwdbhyat
Builder

Answering my own question here. I used this app https://splunkbase.splunk.com/app/3837/ which is a custom alert action that allows you to run another search based on an alert.

0 Karma

starcher
Influencer

What are you using to send the notable via HEC? Custom code? If you send the entire search result line you should get all fields associated with it.
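An added example of the approach starcher describes (not code from this thread or from the Splunkbase app linked above): a custom alert action script that forwards the whole `result` row, every extracted field included, to HEC, so no per-field `$result.x$` mapping is needed. It assumes the alert is configured with `payload_format = json` and that the HEC URL, token and target index are read from the action's configuration stanza under the hypothetical keys `hec_url`, `hec_token` and `hec_index`.

```python
import json
import sys
import urllib.request

# Constructed sample of the JSON Splunk passes on stdin to a custom alert action.
SAMPLE_PAYLOAD = {
    "search_name": "Suspicious login burst",
    "sid": "scheduler__admin__search__RMD5_constructed_sid",
    "results_link": "https://regional-sh.example/app/search/@go?sid=constructed",
    "server_host": "regional-sh.example",
    "configuration": {"hec_url": "https://hf.eu.example:8088/services/collector/event",
                      "hec_token": "PLACEHOLDER-TOKEN", "hec_index": "notable_temp"},
    "result": {"_time": "1700000000", "src": "203.0.113.7", "user": "jdoe",
               "action": "failure", "count": "42", "clientip": "203.0.113.7"},
}

def build_hec_event(payload, index="notable_temp", sourcetype="alert:forwarded"):
    """Wrap the full result row in one HEC event so all CIM fields ride along."""
    result = dict(payload.get("result", {}))
    event = {"search_name": payload.get("search_name"), "sid": payload.get("sid"),
             "results_link": payload.get("results_link"), "result": result}
    hec = {"event": event, "sourcetype": sourcetype, "index": index,
           "host": payload.get("server_host", "unknown")}
    # Reuse the result's _time (epoch seconds) so the event keeps its original timestamp.
    try:
        hec["time"] = float(result["_time"])
    except (KeyError, ValueError):
        pass
    return hec

def send_to_hec(hec_event, url, token, timeout=10):
    """POST one event to HEC over HTTPS; TLS verification stays on (default)."""
    req = urllib.request.Request(url, data=json.dumps(hec_event).encode("utf-8"), method="POST",
                                 headers={"Authorization": f"Splunk {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status  # 200 means HEC accepted the event

if __name__ == "__main__" and len(sys.argv) > 1 and sys.argv[1] == "--execute":
    payload = json.load(sys.stdin)            # Splunk invokes: script.py --execute < payload.json
    cfg = payload.get("configuration", {})    # hypothetical stanza keys, see lead-in
    status = send_to_hec(build_hec_event(payload, index=cfg.get("hec_index", "notable_temp")),
                         cfg["hec_url"], cfg["hec_token"])
    sys.exit(0 if status == 200 else 1)
```

Because the row is nested under `event.result`, fields such as `src` and `user` arrive already named and can be indexed directly on the HF side without an alert-action field mapping.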
