Knowledge Management

Can anyone help me distinguish the fields user and src_user in CIM model Account Management (Change Analysis)?

rockeywen
Engager

As stated in the title, I'm looking for someone tell the differences between the field user and src_user in the CIM Model Change Analysis (All_Change.Account_Management). The definitions in Splunk document are not clear enough.

For example, when the user user_A reset the password for user user_B, I can see the following message in the logs
2016-05-24, 11:25:33.001, Account, "Password Reset", "[Dummy-0] [user:user_A ip:10.1.1.1 group:admin] Update the password of user user_B."

In this case, for user_A, shall I map it to field src_user or field user? For user_B account shall I map it to CIM field "user" or field "object"?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I'd put user_A into the user field, and user_B into the object field. The user is performing the change, the object is being changed.

You can use src_user if you have two accounts being used. For example if you see changes made to a database, if your data contains both the account used to log in to the database as well as the account used to log in to the operating system you'd put the database account into user and the operating system account into src_user. If you have a remote log in to some account and also know the account used on the src from where the remote log in originated, that's again the src_user while the account used on the remote system would be the user.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...