The document states, "Security alerts ingested through this add-on are mapped to the Splunk Common Information Model", but when I review the events, every event has the same event type - GraphSecurityAlert - and the same 15 tags assigned to each event.
Is there a need to create specific event types with associated tags to ensure this add-on is mapped to the Splunk Common Information Model, or is it OK to go with the defaults?
Thx