Enterprise Security: why is the src_user a recomme...

danielbb · ‎10-10-2019

src_user shows only 5 or so of percent_coverage in the cim_validator for our Windows data.

Fields for Authentication event datasets

says -

-- In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.

So, by definition, the src_user should exist only in the privilege escalation events. So, why is marked as a recommended field for the Authentication datamodel?

woodcock · ‎10-13-2019

It is recommended for the exact reason that you describe, for the exact events that you describe. If the field has no validity for some of your events because of the context, then it should not exist. Nothing to see here; move along.

danielbb · ‎10-15-2019

Ok, I thought that recommended fields should exist for 100% or close to, of the events, In the case of src_user it's around 5%....

jawaharas · ‎10-10-2019

Where do you see below remark?

"src_user is recommended field for the Authentication datamodel"

danielbb · ‎10-11-2019

It's what the cim_validator shows...

Enterprise Security: why is the src_user a recommended field for the Authentication datamodel?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?