Splunk Enterprise Security

Enterprise Security: why is the src_user a recommended field for the Authentication datamodel?

danielbb
Motivator

src_user shows only 5 or so of percent_coverage in the cim_validator for our Windows data.

Fields for Authentication event datasets

says -

-- In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.

So, by definition, the src_user should exist only in the privilege escalation events. So, why is marked as a recommended field for the Authentication datamodel?

0 Karma

woodcock
Esteemed Legend

It is recommended for the exact reason that you describe, for the exact events that you describe. If the field has no validity for some of your events because of the context, then it should not exist. Nothing to see here; move along.

danielbb
Motivator

Ok, I thought that recommended fields should exist for 100% or close to, of the events, In the case of src_user it's around 5%....

0 Karma

jawaharas
Motivator

Where do you see below remark?

"src_user is recommended field for the Authentication datamodel"

0 Karma

danielbb
Motivator

It's what the cim_validator shows...

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.