
How to escape backslash CEF parser audit logging in NetWitness

Question asked by KEVIN DIENST on May 22, 2018
Latest reply on Sep 18, 2018 by KEVIN DIENST


We have CEF audit logging enabled. 

Usernames are not parsed correctly since it removes the backslash for the Active Directory domain and concatenates the domain and username.



Domain is CONTOSO

Username is BLARGH


Result for user.src in CEF audit log



What I need is to split on CONTOSO\ and only have the actual username in the user.src key. 


Obviously for default admin/service accounts that are local it doesn't apply and parses fine. 


Any ideas?

Stephanie Rojas
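The behaviour asked about above, as an added example that is not part of the original post and is not NetWitness parser code: CEF requires a backslash inside an extension value to be written as `\\`, so a decoder must unescape only the defined sequences and then split the account on the backslash. The sample events, the use of the CEF `suser` field as the source of `user.src`, the `domain` output key and all function names are assumptions made for illustration.

```python
import re

# Constructed sample events (assumptions, not taken from the original post).
SAMPLES = [
    r"CEF:0|Vendor|Product|1.0|100|login|3|suser=CONTOSO\\BLARGH outcome=success",  # escaped per CEF
    r"CEF:0|Vendor|Product|1.0|100|login|3|suser=CONTOSO\BLARGH outcome=success",   # sender did not escape
    r"CEF:0|Vendor|Product|1.0|100|login|3|suser=admin msg=a\=b c",                 # local account
]

_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")   # key at start or after whitespace
_ESC = re.compile(r"\\(.)", re.DOTALL)                  # backslash plus the following character
_MAP = {"n": "\n", "r": "\r", "\\": "\\", "=": "="}     # escapes defined for extension values

def unescape(value):
    # Decode the defined escapes; leave any other backslash pair untouched
    # so an unescaped DOMAIN\user value keeps its separator.
    return _ESC.sub(lambda m: _MAP.get(m.group(1), m.group(0)), value)

def parse_extension(event):
    # Skip the seven pipe-delimited header fields, then cut the extension at
    # each key position; values may contain spaces.
    ext = re.split(r"(?<!\\)\|", event, maxsplit=7)[7]
    keys = list(_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].rstrip())
    return fields

def split_account(value):
    # Domain accounts yield (domain, user); local accounts yield ("", value).
    domain, sep, user = value.partition("\\")
    return (domain, user) if sep and user else ("", value)

def normalize(event):
    # Hypothetical mapping: CEF suser feeds user.src; domain is kept separately.
    domain, user = split_account(parse_extension(event).get("suser", ""))
    return {"domain": domain, "user.src": user}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize(sample))
```
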