The current definition for this field is this:
IDS_Attacks| user | string | The user involved with the intrusion detection event.
My data source can generate multiple user names related to an intrusion detection event.
How would be best to handle this?
"How" does it generate multiple user names? Can you paste an example of the raw log? Are you already ingesting it into Splunk? If so can you paste an example of the event from Splunk?
Here is a part of a log event:
deviceSeverity=value act=value rt=value shost=value src=value sourceZoneURI=value sproc=value dhost=value dst=value destinationZoneURI=value dntdom=value dpt=value duser=value1, value2, value3, value4 fname=value cs1= value cs2=value cs3=value cs4=value
duser should map to Intrusion Detection/User and the question is what to do with multiple values of duser.
a More generally what are the options if data source generates more fields then what exists is in the data model?
Without seeing your data source, most like you need to multikv these events in order to report on them individually.
Thinking of some common HIDS types logs such as McAffeeEPO, typically destination user events are individual and not reported in the same log..