Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with Http Event Collector (HEC) forwarding via alert?

mwdbhyat
Builder
‎10-09-2018 11:41 AM

Hi Guys,

Doing some forwarding of events using the HEC. So far it looks like this:

  • Events come in from source(forwarder to idx) at regional location which could be anywhere other than main region in EU.

  • An alert is triggered based on conditions(usually notable search that runs and triggers the alert)

  • Alert information and event are then sent upon trigger via HEC to main region heavy forwarder (HF) in the EU.

  • This then goes from HF to the notable index in the main SOC in EU(it does this via another search that scans the index for new events, like a temp notable index just used for scanning conditions, and then forwards again to the actual notable index in EU.

The issue i'm facing is that we have to manually add the CIM fields that we want sent along with the event when it is logged via alert. EG

  • if we have an event that gets logged via alert to the initial notable_temp index, with a field "clientip" we would type in $src=$result.clientip$ in the alert trigger events properties so that it adds that field to the index and forwards it to the main SOC notable index.

Is there a way to automatically log all CIM fields with the alert action logger to the notable_temp index?EG - create one $magic_value$ that logs everything from the event to the notable_temp?

Any thoughts on this?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mwdbhyat
Builder
‎10-15-2018 01:28 AM

Answering my own question here.. I used this app https://splunkbase.splunk.com/app/3837/ --which is a custom alert action that allows you to run another search based on an alert.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mwdbhyat
Builder
‎10-15-2018 01:28 AM

Answering my own question here.. I used this app https://splunkbase.splunk.com/app/3837/ --which is a custom alert action that allows you to run another search based on an alert.

0 Karma
Reply
Solved! Jump to solution

starcher
Influencer
‎10-09-2018 12:33 PM

What are you using to send the notable via hec? Custom code? if you send the entire search result line you should get all fields associated with it.

Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...