cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

suser not showing up in Syslog events

Ed Healea
Copper Contributor

‎Jan 10 2020 02:08 PM

‎Jan 10 2020 02:08 PM

suser not showing up in Syslog events

We are not seeing suser (Jimmy Smit) being extracted out of the "Remote code execution attempt" logs.
Is this something that can be added?

example: 

2020-01-09T10:10:22-08:00 SyslogServerA CEF[4248]0|Microsoft|Azure ATP|2.104.7548.41641|RemoteExecutionSecurityAlert|Remote code execution attempt|5|start=2020-01-09T17:57:29.7867420Z app=Wmi shost=JB1V msg=Jimmy Smit made 2 attempts to run commands remotely on 13 domain controllers from JB1V using 2 WMI methods. externalId=2019 cs1Label=url cs1=https://ourbusiness.atp.azure.com/securityAlert/18e60a4c-d25c-4275-9250-434839a58a92 cs2Label=trigger cs2=update

539 Views
0 Likes
1 Reply
Reply
1 Reply
Eli Ofek

‎Jan 10 2020 02:15 PM

‎Jan 10 2020 02:15 PM

Re: suser not showing up in Syslog events

@Ed Healea Most alerts will display either suser or shost. for this case, shost is displayed.

0 Likes
Reply