Here is a part of a log event:
deviceSeverity=value act=value rt=value shost=value src=value sourceZoneURI=value sproc=value dhost=value dst=value destinationZoneURI=value dntdom=value dpt=value duser=value1, value2, value3, value4 fname=value cs1= value cs2=value cs3=value cs4=value
duser should map to Intrusion Detection/User and the question is what to do with multiple values of duser.
More generally, what are the options if a data source generates more fields than what exists in the data model?
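Added example, not code from the poster: a small parser for the extension shown above that keeps the comma list in duser as one value, then either turns it into a multivalue field or fans it out to one record per user, and separates fields the data model has from those it lacks. The sample event and the MODEL_MAP table are constructed assumptions (only the duser-to-User mapping comes from the question).

```python
import re

# Constructed sample with the same shape as the event in the question (not real log data).
SAMPLE = ("deviceSeverity=value act=value rt=value shost=value src=value "
          "sourceZoneURI=value sproc=value dhost=value dst=value destinationZoneURI=value "
          "dntdom=value dpt=value duser=value1, value2, value3, value4 fname=value "
          "cs1= value cs2=value cs3=value cs4=value")

# A key is a run of word characters followed by '='; a value runs until whitespace
# followed by the next key. The lazy value lets 'cs1= value' (space after '=') and
# the comma list in duser survive as single values. Assumption: values contain no
# unescaped '=' (CEF escapes it as '\=').
_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\Z)")

def parse_extension(ext: str) -> dict:
    """Return the CEF extension as {key: value}, with values stripped."""
    return {k: v.strip() for k, v in _PAIR.findall(ext)}

def split_multivalue(fields: dict, key: str, sep: str = ",") -> dict:
    """Option 1: keep one event and turn the delimited value into a list (multivalue field)."""
    out = dict(fields)
    if key in out:
        out[key] = [p.strip() for p in out[key].split(sep) if p.strip()]
    return out

def fan_out(fields: dict, key: str) -> list:
    """Option 2: one record per value of `key`, so each user is searchable on its own."""
    values = fields.get(key, [])
    if not isinstance(values, list):
        values = [values]
    return [dict(fields, **{key: v}) for v in values]

# Hypothetical CEF-key -> data-model-field table; only duser -> user is from the question.
MODEL_MAP = {"duser": "user", "src": "src", "dst": "dest", "dpt": "dest_port"}

def to_model(fields: dict) -> tuple:
    """Split parsed fields into data-model fields and the extras the model does not define.
    Extras are not dropped: they stay on the event for raw search even if unmapped."""
    mapped = {MODEL_MAP[k]: v for k, v in fields.items() if k in MODEL_MAP}
    extras = {k: v for k, v in fields.items() if k not in MODEL_MAP}
    return mapped, extras
```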