I created an alias for the X_MS_Forwarded_Client_IP (ADFS events) to equal src. The X_MS_Forwarded_Client_IP is a multivalue field, which leads me to a few questions:
1) We are running ES so do I need to do anything further to ensure that the new src field for the ADFS logs is included in the data model and CIM compliant? The app I created the initial alias was under Search & Reporting (search). Should this alias be under a different app, or does creating an alias and setting permission to all apps satisfy that requirement?
2) Do I need to make any additional config changes due to the field being multivalued? Right now for searches, I add `| makemv delim="," src` at the end to break them out. I worry that with ES data models/CIM, additional configuration might need to be made to break them out automatically.
Thx
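One way to wire this up so the split happens at search time for every consumer (ad-hoc searches and the ES data models alike), rather than with a trailing `makemv`, is shown below. This is an added example, not configuration from the original post or from Splunk/ES; the sourcetype name `MSWindows:ADFS` and the app name `TA-adfs-local` are assumptions, and the `replace`/`split` expression assumes the raw value is a comma-separated list such as `10.1.2.3, 192.0.2.7`.

```ini
# TA-adfs-local/local/props.conf  (app and sourcetype names are assumptions)
#
# Search-time precedence in Splunk is: field aliases -> calculated fields
# (EVAL-*) -> lookups. A FIELDALIAS copies the raw single-valued string, so
# if both an alias and an EVAL define "src", the EVAL wins. Use only the EVAL
# and retire the alias so the two definitions cannot disagree.
[MSWindows:ADFS]
# Strip whitespace, then split on commas; split() returns a multivalue field,
# so "src" carries one value per address without a makemv in each search.
EVAL-src = split(replace(X_MS_Forwarded_Client_IP, "\s+", ""), ",")

# TA-adfs-local/metadata/local.meta
#
# Knowledge objects private to the Search & Reporting app are not visible to
# the ES data model searches. Exporting the app's props globally makes "src"
# available to every app, which is what CIM data model acceleration needs.
[props]
export = system
access = read : [ * ], write : [ admin ]
```

After a restart (or a `| extract reload=true` for a quick check) a search such as `index=<your_index> sourcetype=MSWindows:ADFS | stats count by src` should show one row per individual address rather than one row per comma-joined string; `| datamodel Authentication search | stats count by Authentication.src` is the corresponding check from the data model side once the sourcetype is tagged appropriately.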