Hello Splunk Security Team,
I was auditing this scenario and didn't see any output in my test suite audit. I checked the scenario and found that in the scenario logic line:
| where user=src_user
the values of user and src_user are like this: user=DA-1 and src_user=da-1, and the scenario won't fire.
So I changed this line to this:
| where lower(user)=lower(src_user)
and the problem was fixed.
Please modify the scenario logic.
Regards,
Mahdi Hamedani Nezhad
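
Added example (not part of the original report and not the detection's own search): an SPL search that reproduces the case mismatch described above on generated rows. The first row uses the user and src_user values from the report; the other rows and the field names source_of_row, strict_match, folded_match and missed_by_strict are constructed for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval source_of_row=if(n=1, "values from the report", "constructed sample")
| eval user=case(n=1, "DA-1", n=2, "svc-backup", n=3, "Admin")
| eval src_user=case(n=1, "da-1", n=2, "svc-backup", n=3, "guest")
| eval strict_match=if(user=src_user, "yes", "no")
| eval folded_match=if(lower(user)=lower(src_user), "yes", "no")
| eval missed_by_strict=if(folded_match="yes" AND strict_match="no", "yes", "no")
| table source_of_row user src_user strict_match folded_match missed_by_strict
```

String comparison in eval and where is case-sensitive, so the DA-1/da-1 row gets strict_match="no" and folded_match="yes", and missed_by_strict marks it as an event the original where clause drops.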