Hello,
I noticed that some "Security and Compliance" alerts log usernames and others do not. For instance, the alert named "File Uploaded to Document Library For The First Time" clearly logs the user who performed the action. However, the alert "A Potentially Malicious URL Was Clicked" does not log the user who clicked on this information. I tried to extract new fields and again, I observed that this particular alert does not contain the username.
For obvious reasons, I would like to have that information on hand whenever an alert such as this one comes through. I looked in the MS Security Portal, and that does have the username. It just does not get to Splunk, and therefore cannot be a part of the alert.
Is there any way to resolve this? To be clear, I would like all of these alerts to have a username associated with each. Thanks.