How to escape backslash CEF parser audit logging in NetWitness
We have CEF audit logging enabled.
Usernames are not parsed correctly, since it removes the backslash for the Active Directory domain and concatenates the domain and username.
Domain is CONTOSO
Username is BLARGH
result for user.src in CEF audit log
What I need is to split on CONTOSO\ and only have the actual username in the user.src key.
Obviously, for default admin/service accounts that are local, it doesn't apply and they parse fine.
The events are parsed via the CEF parser then, I'm guessing?
What is the raw field for the user name that is getting collapsed? Can you share the raw CEF to test/play with?
Can you trace that field to cef.xml (are there any cef-custom.xml at play?) and to table-map(-custom).xml to see what the flow is?
If required, you could post-process that field for a specific device.type to split the user on known domains and create just the user (and put the domain in another field).
Seeing the raw would be handy.
Then we can check the RFE to make sure the slash is carried through.
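A tolerant CEF extension parser plus the domain/user split suggested in the reply above, written as an added example for this thread (not NetWitness code and not the cef.xml parser). It uses the raw event the poster shares later in the thread; the known_domains fallback list and all function names are assumptions.

```python
import re

# Raw event copied from the thread (the poster redacted some meta keys and values).
RAW_CEF = ("May 23 2018 18:38:18 epoc-sa01 CEF:0|RSA|Security Analytics Audit|10.6.5.1|"
           "DATA_ACCESS|HttpRequest|6|rt=May 23 2018 18:38:18 suser=BLARGH\\labuser "
           "sourceServiceName=SA_SERVER deviceExternalId=b6db4dd6-b617-4a0a-beee-ccb352e1b976 "
           "deviceProcessName=SA_SERVER outcome=Success")

# An extension key is a run of key characters followed by '=' at a token boundary,
# so values containing spaces (rt=May 23 2018 18:38:18) are kept whole.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def unescape_cef(value: str) -> str:
    # CEF defines only \\, \=, \n and \r as escapes in extension values. A backslash
    # before any other character is kept literally; dropping it is the collapse seen in
    # the thread. A source that sends DOMAIN\nancy is still ambiguous: it should double it.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "\\=nr":
            out.append({"\\": "\\", "=": "=", "n": "\n", "r": "\r"}[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_cef_extension(extension: str) -> dict:
    """Split the CEF extension string into a {key: unescaped value} dict."""
    fields, keys = {}, list(_KEY_RE.finditer(extension))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        fields[m.group(1)] = unescape_cef(extension[m.end():end])
    return fields

def split_domain_user(suser, known_domains=("BLARGH", "CONTOSO")):
    """Return (domain, user) for DOMAIN\\user, user@domain or a local account."""
    if "\\" in suser:
        return tuple(suser.split("\\", 1))
    if "@" in suser:
        user, domain = suser.rsplit("@", 1)
        return domain, user
    # Assumed fallback for values an upstream parser already collapsed (DOMAINuser).
    for d in known_domains:
        if suser.upper().startswith(d) and len(suser) > len(d):
            return d, suser[len(d):]
    return "", suser  # local admin/service account: no domain to strip

def cef_user(raw_event: str) -> tuple:
    # Seven pipe-separated header fields after "CEF:"; everything after is the extension.
    extension = raw_event[raw_event.index("CEF:"):].split("|", 7)[7]
    return split_domain_user(parse_cef_extension(extension)["suser"])
```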
Raw CEF log event:
May 23 2018 18:38:18 epoc-sa01 CEF:0|RSA|Security Analytics Audit|10.6.5.1|DATA_ACCESS|HttpRequest|6|rt=May 23 2018 18:38:18 suser=BLARGH\labuser sourceServiceName=SA_SERVER deviceExternalId=b6db4dd6-b617-4a0a-beee-ccb352e1b976 deviceProcessName=SA_SERVER outcome=Success
"May 23 2018 18:38:18"
"Security Analytics Audit"
I've redacted a few meta keys and actual values just to prevent data leakage.
I believe this is fixed in 11.2? Is that correct? I've got 184.108.40.206 in my UAT environment and I'm still seeing the CEF escape issue. I'll verify again today.