Scenario:
We have CEF audit logging enabled.
Usernames are not parsed correctly since it removes the backslash for the active directory domain and concatenates the domain and username.
i.e.
Domain is CONTOSO
Username is BLARGH
result for user.src in CEF audit log
contosoblargh
What I need is to split on CONTOSO\ and only have the actual username in the user.src key.
Obviously for default admin/service accounts that are local it doesn't apply and parses fine.
Any ideas?
Raw CEF log event
May 23 2018 18:38:18 epoc-sa01 CEF:0|RSA|Security Analytics Audit|10.6.5.1|DATA_ACCESS|HttpRequest|6|rt=May 23 2018 18:38:18 suser=BLARGH\labuser sourceServiceName=SA_SERVER deviceExternalId=b6db4dd6-b617-4a0a-beee-ccb352e1b976 deviceProcessName=SA_SERVER outcome=Success
sessionid | = | 6728489709983 |
time | = | 2018-05-23T18:38:20.0 |
size | = | 332 |
lc.cid | = | "LAB04" |
device.ip | = | REDACTED |
ipaddresses | = | REDACTED |
device.type | = | "securityanalytics" |
collectionMethod | = | "syslog" |
device.class | = | "Analysis" |
event.time.str | = | "May 23 2018 18:38:18" |
product | = | "Security Analytics Audit" |
version | = | "10.6.5.1" |
event.type | = | "DATA_ACCESS" |
event.desc | = | "HttpRequest" |
severity | = | "6" |
user.src | = | "BLARGHlabuser" |
usernames | = | "BLARGHlabuser" |
service.name | = | "SA_SERVER" |
process | = | "SA_SERVER" |
result | = | "Success" |
event.name | = | "HttpRequest" |
event.time | = | 2018-05-23 18:38:18.000 |
usb.parser | = | "CEF" |
msg.id | = | "securityanalytics" |
event.cat.name | = | "Other.Default" |
I've redacted a few meta keys and actual values just to prevent data leakage.
The events are parsed via the CEF parser then I’m guessing?
What is the raw field for the user name that is getting collapsed? Can you share the raw CEF to test/play with?
Can you trace that field to cef.xml (are there any cef-custom.xml at play?) and to table-map(-custom).xml to see what the flow is?
If required you could post process that field for a specific device.type to split the user on known domains and create just the user (and put the domain in another field).
Seeing the raw would be handy
Then we can check the RFE to make sure the slash is carried through.
Eric