Splunk Observability Cloud Certified Metrics User — Question 66
According to Splunk CIM documentation, which field in the Authentication Data Model represents the user who initiated a privilege escalation?
Answer options
- A. username
- B. src_user_id
- C. src_user
- D. dest_user
Correct answer: C
Explanation
The correct answer is C, src_user: this field denotes the user who initiated the privilege escalation. Option A, username, is more generic and is not specific to privilege escalation. Options B and D, src_user_id and dest_user, do not accurately identify the initiating user in this context.