Jan 10 2020 02:08 PM
We are not seeing suser (Jimmy Smit) being extracted out of the "Remote code execution attempt" logs.
Is this something that can be added?
Example:
2020-01-09T10:10:22-08:00 SyslogServerA CEF[4248]0|Microsoft|Azure ATP|2.104.7548.41641|RemoteExecutionSecurityAlert|Remote code execution attempt|5|start=2020-01-09T17:57:29.7867420Z app=Wmi shost=JB1V msg=Jimmy Smit made 2 attempts to run commands remotely on 13 domain controllers from JB1V using 2 WMI methods. externalId=2019 cs1Label=url cs1=https://ourbusiness.atp.azure.com/securityAlert/18e60a4c-d25c-4275-9250-434839a58a92 cs2Label=trigger cs2=update
Jan 10 2020 02:15 PM
@Ed Healea Most alerts will display either suser or shost. For this case, shost is displayed.
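To show what the quoted alert actually carries, here is an added CEF parser (example code, not from the post and not Azure ATP's own tooling) run over a constructed line modeled on the one above; it takes suser when present and otherwise falls back to shost, and the user_from_msg heuristic assumes this alert's msg text opens with the actor's name.

```python
import re
from typing import Dict, Tuple

# Constructed sample modeled on the alert quoted in the post; host names,
# tenant URL and alert id are made up.
SAMPLE = (
    "2020-01-09T10:10:22-08:00 SyslogServerA CEF:0|Microsoft|Azure ATP|2.104.7548.41641|"
    "RemoteExecutionSecurityAlert|Remote code execution attempt|5|"
    "start=2020-01-09T17:57:29.7867420Z app=Wmi shost=JB1V "
    "msg=Jimmy Smit made 2 attempts to run commands remotely on 13 domain controllers "
    "from JB1V using 2 WMI methods. externalId=2019 cs1Label=url "
    "cs1=https://example.atp.azure.com/securityAlert/00000000-0000-0000-0000-000000000000 "
    "cs2Label=trigger cs2=update"
)

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")
# An extension key is a run of word characters followed by '='; its value runs
# up to the next key, so values containing spaces (msg=...) are kept whole.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line: str) -> Dict[str, Dict[str, str]]:
    """Split a syslog-wrapped CEF line into its header and extension fields."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    body = line[idx + len("CEF:"):]
    # Seven pipe-separated header fields, then the extension; only an
    # unescaped pipe separates fields, so split on that and unescape after.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    ext = {k: v.replace("\\=", "=") for k, v in EXT_RE.findall(parts[7].strip())}
    return {"header": header, "ext": ext}

def actor(event: Dict[str, Dict[str, str]]) -> Tuple[str, str]:
    """Return (field, value) for the actor: suser when present, else shost."""
    for key in ("suser", "shost"):
        if key in event["ext"]:
            return key, event["ext"][key]
    return "", ""

def user_from_msg(event: Dict[str, Dict[str, str]]) -> str:
    """Heuristic fallback; assumption: this alert's msg opens with the actor's name."""
    m = re.match(r"(.+?) made \d+ attempts", event["ext"].get("msg", ""))
    return m.group(1) if m else ""
```

Parsing the sample yields no suser key at all, so actor() resolves to shost=JB1V, and the user name is only recoverable from the free-text msg.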