have you noticed that FortiGate authentication events are tagged with "default" by the Fortinet FortiGate Add-on for Splunk, even when they represent non-default user authentications?
The Authentication data model expects the tags "authentication" and "default". According to the current tagging in the TA, all authentication-related event types receive the "default" tag:
My understanding is that the "default" tag should only be applied when the authenticating account is a built-in or default account, such as "admin", "root", or similar.
Is this the behavior you are seeing as well, or am I misunderstanding the intended CIM mapping?