src_user shows only 5 or so of percent_coverage in the cim_validator for our Windows data.
Fields for Authentication event datasets
-- In privilege escalation events, src_user represents the user who initiated the privilege escalation. This field is unnecessary when an escalation has not been performed.
So, by definition, the src_user should exist only in the privilege escalation events. So, why is marked as a recommended field for the Authentication datamodel?
It is recommended for the exact reason that you describe, for the exact events that you describe. If the field has no validity for some of your events because of the context, then it should not exist. Nothing to see here; move along.
Ok, I thought that recommended fields should exist for 100% or close to, of the events, In the case of src_user it's around 5%....
Where do you see below remark?
"src_user is recommended field for the Authentication datamodel"
It's what the cim_validator shows...