Splunk Enterprise Security

Enterprise Security: why is the src_user a recommended field for the Authentication datamodel?

danielbb
Motivator

src_user shows only 5 or so of percent_coverage in the cim_validator for our Windows data.

Fields for Authentication event datasets

says -

-- In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.

So, by definition, the src_user should exist only in the privilege escalation events. So, why is marked as a recommended field for the Authentication datamodel?

0 Karma

woodcock
Esteemed Legend

It is recommended for the exact reason that you describe, for the exact events that you describe. If the field has no validity for some of your events because of the context, then it should not exist. Nothing to see here; move along.

danielbb
Motivator

Ok, I thought that recommended fields should exist for 100% or close to, of the events, In the case of src_user it's around 5%....

0 Karma

jawaharas
Motivator

Where do you see below remark?

"src_user is recommended field for the Authentication datamodel"

0 Karma

danielbb
Motivator

It's what the cim_validator shows...

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...