- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Enterprise Security: why is the src_user a recommended field for the Authentication datamodel?
src_user shows only 5 or so of percent_coverage in the cim_validator for our Windows data.
Fields for Authentication event datasets
says -
-- In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.
So, by definition, the src_user should exist only in the privilege escalation events. So, why is marked as a recommended field for the Authentication datamodel?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is recommended for the exact reason that you describe, for the exact events that you describe. If the field has no validity for some of your events because of the context, then it should not exist. Nothing to see here; move along.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I thought that recommended fields should exist for 100% or close to, of the events, In the case of src_user it's around 5%....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where do you see below remark?
"src_user is recommended field for the Authentication datamodel"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's what the cim_validator shows...
