Hi, have you noticed that FortiGate authentication events are tagged with "default" by the Fortinet FortiGate Add-on for Splunk, even when they represent non-default user authentications? The Authentication data model expects the tags "authentication" and "default". According to the current tagging in the TA, all authentication-related event types receive the "default" tag: default: eventtype=ftnt_fortigate_auth eventtype=ftnt_fortigate_vpn_auth eventtype=ftnt_fortigate_wireless_client_authentication My understanding is that the "default" tag should only be applied when the authenticating account is a built-in or default account, such as "admin", "root", or similar. Is this the behavior you are seeing as well, or am I misunderstanding the intended CIM mapping? Thanks.
... View more