Hi all, I'm gonna be very quick about it.
I have configured an action in the Health State RED for a driver which I have previously configured in the scope of the Driverset's Health Job; the idea is to receive an audit event in Sentinel if the Health State of the driver is calculated to RED.
Regardless of the audit event being successfully sent to Sentinel, I'm not getting any info on the event; it just says "Identity Manager Event" without any additional information.
I tried sending the fields suggested by the official documentation, with no success.
Then I tried sending CEF Custom Event Fields, without success.
This is an example of the raw data received in Sentinel with these events:
26 Aug 27 13:14:26 1598544866339 27 IdentityManager: CEF:0|NetIQ|Identity Manager|22.214.171.124|3045B|Identity Manager Event|7|dvc=ServerIP rt=1598544903461 dvchost=ServerName cat=DirXML\\\\Engine dtz=America/Argentina/Buenos_Aires 1 32896461-58D5-1038-88CA-000C2931B424 60B110D1-CA96-1038-A6AB-000C2954E9F7 32896461-58D5-1038-88C8-000C2931B424 32896461-58D5-1038-88C9-000C2931B424 C76D2820-C395-1029-BB86-001321B5C0B3 map ServerIP 13 13 SYSLOG 2019.1r1-201904240557-RELEASE IdentityManager: CEF:0|NetIQ|Identity Manager|126.96.36.199|3045B|Identity Manager Event|7|dvc=ServerIP rt=1598544903461 dvchost=tenaris-meta3 cat=DirXML\\\\Engine dtz=America/Argentina/Buenos_Aires Aug 27 13:14:26 ServerIP IdentityManager: CEF:0|NetIQ|Identity Manager|188.8.131.52|3045B|Identity Manager Event|7|dvc=ServerIP rt=1598544903461 dvchost=ServerName cat=DirXML\\\\Engine dtz=America/Argentina/Buenos_Aires 14 IdentityManager 2020 10.1.41.50 1598534747217 822babeafdb587b38ee32f3e4fcdab3814cef2304309736046b03ff76253acfe 7 5 2017 59554 221 0
I'm using 1109 as EventID and sending Target, cs5 and Data in that event, but I also tried with other fields like Value1, text1, msg, event_name.
If any of you have a suggestion I may follow, it would be marvelous.
Thank you so much in advance.
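
To check which fields actually arrived in a raw record like the one in the post, the CEF header and extension can be split apart and compared against the keys the text was expected in. This is an added example, not part of the original post and not NetIQ or Sentinel code; `parse_cef`, `missing_keys` and the `EXPECTED_KEYS` list are hypothetical names and an assumption about which CEF keys matter here.

```python
import re

# First CEF record from the raw data quoted in the post, copied as-is.
RAW = (r"CEF:0|NetIQ|Identity Manager|22.214.171.124|3045B|Identity Manager Event|7|"
       r"dvc=ServerIP rt=1598544903461 dvchost=ServerName cat=DirXML\\\\Engine "
       r"dtz=America/Argentina/Buenos_Aires")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Assumption: extension keys where descriptive text would be expected.
# msg and cs5 are named in the post; cs5Label is the standard companion of cs5.
EXPECTED_KEYS = ("msg", "cs5", "cs5Label")

def parse_cef(line):
    """Return (header dict, extension dict) for one CEF record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    # Split on unescaped pipes only: 7 header fields, then the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = dict(zip(HEADER_FIELDS, (p.replace(r"\|", "|") for p in parts[:7])))
    # A key is a word directly followed by '='; its value runs to the next key,
    # so values containing spaces are kept whole.
    ext = {}
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", parts[7]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = parts[7][m.end():end].strip()
    return header, ext

def missing_keys(ext, expected=EXPECTED_KEYS):
    """List the expected extension keys that are absent from the record."""
    return [k for k in expected if k not in ext]

if __name__ == "__main__":
    header, ext = parse_cef(RAW)
    print("signature id:", header["signature_id"], "| name:", header["name"])
    print("extension keys present:", sorted(ext))
    print("expected but missing:", missing_keys(ext))
```

For the record in the post, the extension as received carries only dvc, rt, dvchost, cat and dtz, and the header's signature ID field reads 3045B.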