We have CEF audit logging enabled.
Usernames are not parsed correctly, since it removes the backslash for the Active Directory domain and concatenates the domain and username.
Domain is CONTOSO.
Username is BLARGH.
result for user.src in CEF audit log
What I need is to split on CONTOSO\ and only have the actual username in the user.src key.
Obviously for default admin/service accounts that are local it doesn't apply and parses fine.
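
The split asked for above, as an added example that is not part of the original post or of any product's own parser: it reads a CEF extension string while keeping an escaped backslash intact, then separates domain and username, including the already-concatenated form. The function names, the `KNOWN_DOMAINS` list and the sample line are assumptions constructed for illustration.

```python
import re

# Assumption: NetBIOS domain names in use at the site; the post names only CONTOSO.
KNOWN_DOMAINS = ("CONTOSO",)

_KEY = re.compile(r"(?:^|\s)([\w.\-]+)=")      # start of each key=value pair
_ESCAPE = re.compile(r"\\([\\=nr])")           # escapes used in CEF extension values
_DECODED = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def unescape(value):
    # Decode only the known escapes, so a doubled backslash becomes one
    # backslash and a stray single backslash is kept instead of dropped.
    return _ESCAPE.sub(lambda m: _DECODED[m.group(1)], value)


def parse_extension(ext):
    """Return the key=value pairs of a CEF extension string as a dict."""
    keys = list(_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].rstrip())
    return fields


def split_account(value):
    """Return (domain, username); domain is None for local accounts."""
    if "\\" in value:
        domain, _, user = value.partition("\\")
        return domain, user
    for domain in KNOWN_DOMAINS:
        # Backslash already lost upstream (the case in the post). A local
        # account whose name merely starts with the domain would also match,
        # so keep KNOWN_DOMAINS exact and review any such accounts.
        if value.upper().startswith(domain) and len(value) > len(domain):
            return domain, value[len(domain):]
    return None, value


# Constructed sample: the backslash is escaped on the wire as two backslashes.
SAMPLE = r"user.src=CONTOSO\\BLARGH action=login"

if __name__ == "__main__":
    for raw in (parse_extension(SAMPLE)["user.src"], "CONTOSOBLARGH", "admin"):
        print(repr(raw), "->", split_account(raw))
```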