Forum Discussion

edhealea
Copper Contributor
Jan 10, 2020

suser not showing up in Syslog events

We are not seeing suser (Jimmy Smit) being extracted out of the "Remote code execution attempt" logs.
Is this something that can be added?

example: 

2020-01-09T10:10:22-08:00 SyslogServerA CEF[4248]0|Microsoft|Azure ATP|2.104.7548.41641|RemoteExecutionSecurityAlert|Remote code execution attempt|5|start=2020-01-09T17:57:29.7867420Z app=Wmi shost=JB1V msg=Jimmy Smit made 2 attempts to run commands remotely on 13 domain controllers from JB1V using 2 WMI methods. externalId=2019 cs1Label=url cs1=https://ourbusiness.atp.azure.com/securityAlert/18e60a4c-d25c-4275-9250-434839a58a92 cs2Label=trigger cs2=update

1 Reply
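As an added illustration of what the poster is seeing (this is example code written here, not the poster's tooling or anything from Microsoft), the parser below splits the quoted CEF record into its header and extension fields and shows that `suser` is simply not among the keys the alert emits; the actor's name appears only inside the free-text `msg` value. The `extract_actor` fallback that pulls the name out of `msg` is an assumption about this one alert's wording, flagged as a heuristic in the return value, and the sample line is a constructed copy of the one in the post.

```python
import re

# Constructed copy of the syslog/CEF line quoted in the post (not a live capture).
SAMPLE_LINE = (
    "2020-01-09T10:10:22-08:00 SyslogServerA CEF[4248]0|Microsoft|Azure ATP|"
    "2.104.7548.41641|RemoteExecutionSecurityAlert|Remote code execution attempt|5|"
    "start=2020-01-09T17:57:29.7867420Z app=Wmi shost=JB1V msg=Jimmy Smit made 2 "
    "attempts to run commands remotely on 13 domain controllers from JB1V using 2 WMI "
    "methods. externalId=2019 cs1Label=url "
    "cs1=https://ourbusiness.atp.azure.com/securityAlert/18e60a4c-d25c-4275-9250-434839a58a92 "
    "cs2Label=trigger cs2=update"
)

HEADER_NAMES = ("vendor", "product", "version", "signature_id", "name", "severity")

# A CEF extension is "key=value key=value ..."; values may contain spaces, so a
# value runs until the next whitespace-preceded "key=" token or the end of line.
EXT_RE = re.compile(r"(?P<key>\w+)=(?P<val>.*?)(?=\s+\w+=|\s*$)", re.S)

# Heuristic for this alert's msg wording only (an assumption, not a documented contract).
ACTOR_IN_MSG = re.compile(r"^(?P<actor>.+?) made \d+ attempts? to run commands remotely")


def parse_cef(line):
    """Return {'header': {...}, 'ext': {...}} for one syslog line carrying CEF.

    The record is located by the literal 'CEF' marker rather than 'CEF:0' so the
    forwarder-specific prefix seen in the post ('CEF[4248]0|') parses as well.
    """
    start = line.find("CEF")
    if start < 0:
        raise ValueError("no CEF record in line")
    parts = line[start:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_NAMES, parts[1:7]))
    ext = {}
    for m in EXT_RE.finditer(parts[7]):
        # Undo CEF extension escaping of "\=" and "\\".
        ext[m.group("key")] = m.group("val").replace("\\=", "=").replace("\\\\", "\\")
    return {"header": header, "ext": ext}


def resolve_labels(ext):
    """Expose csN values under their csNLabel names (cs1Label=url -> ext['url'])."""
    out = dict(ext)
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            out[label] = ext[key[:-5]]
    return out


def extract_actor(parsed):
    """Prefer the standard suser key; otherwise fall back to the msg heuristic.

    Returns (actor, source) so a downstream rule can see whether the value came
    from a proper field or from a best-effort match on free text.
    """
    ext = parsed["ext"]
    if "suser" in ext:
        return ext["suser"], "suser"
    m = ACTOR_IN_MSG.match(ext.get("msg", ""))
    if m:
        return m.group("actor"), "msg-heuristic"
    return None, "missing"


if __name__ == "__main__":
    rec = parse_cef(SAMPLE_LINE)
    print("extension keys:", sorted(rec["ext"]))
    print("suser present:", "suser" in rec["ext"])
    print("actor:", extract_actor(rec))
```

Running it on the quoted line lists the extension keys (`app`, `cs1`, `cs1Label`, `cs2`, `cs2Label`, `externalId`, `msg`, `shost`, `start`) with no `suser`, so a SIEM field mapping keyed on `suser` has nothing to pick up; the returned `("Jimmy Smit", "msg-heuristic")` makes it explicit that the name was recovered from text, which is the right thing to surface until the product emits the field natively.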