We have onboarded Workday logs and in the user activity input section, checked "Include target details". Now the question is would it be possible to view username who has performed some action on Windows systems? Is there a field for that?
The user_activity sourcetype contains a field called systemAccount (also aliased to user) which contains a unique identifier for the user that performed the action. Depending on the tenant setup this value can be a username or id number.
Edit Tenant Setup - System task and ensure that the
Enable User Activity Logging checkbox is selected.
- You can able to search for user activity
Edit Tenant Setup - Security task and ensure that the OAuth 2.0 Clients Enabled checkbox is selected.