suser not showing up in Syslog events


We are not seeing suser (Jimmy Smit) being extracted out of the "Remote code execution attempt" logs.
Is this something that can be added?

Example:

2020-01-09T10:10:22-08:00 SyslogServerA CEF[4248]0|Microsoft|Azure ATP|2.104.7548.41641|RemoteExecutionSecurityAlert|Remote code execution attempt|5|start=2020-01-09T17:57:29.7867420Z app=Wmi shost=JB1V msg=Jimmy Smit made 2 attempts to run commands remotely on 13 domain controllers from JB1V using 2 WMI methods. externalId=2019 cs1Label=url cs1=https://ourbusiness.atp.azure.com/securityAlert/18e60a4c-d25c-4275-9250-434839a58a92 cs2Label=trigger cs2=update

1 Reply

@Ed Healea Most alerts will display either suser or shost. For this case, shost is displayed.
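
Added example, not part of the original thread and not Microsoft's code: a minimal CEF parser run on the sample line from the question. It shows that the extension carries `shost` but no `suser`, and includes a helper that accepts either field, as the reply describes. The function names are hypothetical, and the extension split assumes values contain no unescaped ` key=` sequence.

```python
import re

# Sample line copied from the question above.
SAMPLE = ("2020-01-09T10:10:22-08:00 SyslogServerA CEF[4248]0|Microsoft|Azure ATP|"
          "2.104.7548.41641|RemoteExecutionSecurityAlert|Remote code execution attempt|5|"
          "start=2020-01-09T17:57:29.7867420Z app=Wmi shost=JB1V msg=Jimmy Smit made 2 "
          "attempts to run commands remotely on 13 domain controllers from JB1V using 2 "
          "WMI methods. externalId=2019 cs1Label=url "
          "cs1=https://ourbusiness.atp.azure.com/securityAlert/"
          "18e60a4c-d25c-4275-9250-434839a58a92 cs2Label=trigger cs2=update")

HEADER_KEYS = ("vendor", "product", "device_version", "signature_id", "name", "severity")
# Accept both the standard "CEF:0|" prefix and the "CEF[pid]0|" form seen in the sample.
CEF_START = re.compile(r"CEF(?:\[\d+\])?:?(\d+)\|(.*)$")
# A value runs until the next " key=" token or end of line, so spaces in msg survive.
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_cef(line):
    """Return header fields plus an 'ext' dict of extension key/value pairs."""
    m = CEF_START.search(line)
    if not m:
        raise ValueError("no CEF header found")
    # Header fields are separated by unescaped pipes; the 7th part is the extension.
    parts = re.split(r"(?<!\\)\|", m.group(2), maxsplit=6)
    if len(parts) != 7:
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER_KEYS, parts[:6]))
    event["cef_version"] = m.group(1)
    event["ext"] = dict(EXT_PAIR.findall(parts[6]))
    return event


def source_entity(event):
    """Return (field, value) for suser if present, else shost, else None."""
    for key in ("suser", "shost"):
        if event["ext"].get(key):
            return key, event["ext"][key]
    return None


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(sorted(ev["ext"]))
    print(source_entity(ev))
```
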