Hello Again, I'm developing a compliance app (CIM, with tstats), now is the turn to write a search to monitor processes ran by users on the domain (windows and linux, maybe some other source of interest)
My doubt is, what datamodel should I use? I'm between Endpoint and Change. But endpoint does not have a user field, I don't understand why ¿What would be the right approarch?
For filesystem changes, I personally like Change but the SA-Cim definition, on the constraint part worries me, it litterally says:
(`cim_Change_indexes`) tag=change NOT (object_category=file OR object_category=directory OR object_category=registry)
I could just not parse the events with objectcategory=file, but I would like to know why is this, I mean, the endpoint datamodel does not have an objectcategory field, for example. Why I can't use it?