
[SA-IM] How to add "Raw Event / Alert" into the SA-IM event table (json script)

Question asked by kPaz69O9iFmkfmHp4zoBPAkBdhFrUPI9g5is5UumuUI= on Feb 3, 2016

Hello,

Today I tried to do so, following the value I saw in the UCF XML.

It looked like

"generic.rawalert"

 

I tried adding it to the JSON script and, for some reason, it just stopped the SA-IM from receiving incidents.

The reason why I did that was because (obviously) the default one didn't bring the raw meta into Archer as it is supposed to do, and it's obvious that the point of failure is the SA-IM JSON script.

 

UCF is configured well and Archer too.

Feel free to share ideas or a solution for that, as a lot of customers will probably want that option.

Thanks!

 

Leon Lerman

David Waugh

Jaume Bonells
