[SA-IM] How to add "Raw Event / Alert" into the SA-IM event table (json script)

Question asked by kPaz69O9iFmkfmHp4zoBPAkBdhFrUPI9g5is5UumuUI= on Feb 3, 2016



Today I tried to do so, following the value I saw in the UCF XML.

it looked like



I tried adding it to the JSON script and, for some reason, it just stopped the SA-IM from receiving incidents.


The reason why I did that was because (obviously) the default one didn't bring the raw meta into Archer as it is supposed to do, and it's obvious that the point of failure is the SA-IM JSON script.


UCF is configured well, and Archer too.


Feel free to share ideas or a solution for that, as a lot of customers will probably want that option.


Thanks!


Leon Lerman

David Waugh

Jaume Bonells