suser not showing up in Syslog events

Copper Contributor

We are not seeing suser (Jimmy Smit) being extracted out of the "Remote code execution attempt" logs.
Is this something that can be added?


2020-01-09T10:10:22-08:00 SyslogServerA CEF[4248]0|Microsoft|Azure ATP|2.104.7548.41641|RemoteExecutionSecurityAlert|Remote code execution attempt|5|start=2020-01-09T17:57:29.7867420Z app=Wmi shost=JB1V msg=Jimmy Smit made 2 attempts to run commands remotely on 13 domain controllers from JB1V using 2 WMI methods. externalId=2019 cs1Label=url cs1= cs2Label=trigger cs2=update

1 Reply

@Ed Healea Most alerts will display either suser or shost. for this case, shost is displayed.