
How to escape backslash CEF parser audit logging in NetWitness

Question asked by KEVIN DIENST on May 22, 2018
Latest reply on May 23, 2018 by KEVIN DIENST

Scenario:

We have CEF audit logging enabled. 

Usernames are not parsed correctly since it removes the backslash for the Active Directory domain and concatenates the domain and username.

 

i.e. 

Domain is CONTOSO

Username is BLARGH

 

result for user.src in CEF audit log 

contosoblargh

 

What I need is to split on CONTOSO\ and only have the actual username in the user.src key. 

 

Obviously for default admin/service accounts that are local it doesn't apply and parses fine. 

 

Any ideas?

Stephanie Rojas
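The behaviour described in the question, as an added example that is not part of the original post and not NetWitness code: in the CEF extension block a literal backslash must be written as `\\` (and `=` as `\=`) by the log producer, so a record that carries `CONTOSO\BLARGH` unescaped gives a parser nothing to preserve. The parser below follows the CEF escaping rules; how it treats a stray backslash before a non-escape character (dropping it) is an assumption made to reproduce the concatenation seen in the post, not a statement about NetWitness internals, and the case folding seen in `contosoblargh` is left aside. The vendor/product header values and the two records are constructed samples.

```python
"""CEF extension parsing with backslash escapes (added example, not NetWitness code)."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample records (vendor/product header values are placeholders).
# ESCAPED_RECORD carries the domain separator as "\\" per the CEF spec;
# UNESCAPED_RECORD carries a single "\" as a non-compliant producer might emit it.
ESCAPED_RECORD = r"CEF:0|ExampleVendor|ExampleProduct|1.0|100|Audit|3|suser=CONTOSO\\BLARGH act=login outcome=success"
UNESCAPED_RECORD = r"CEF:0|ExampleVendor|ExampleProduct|1.0|100|Audit|3|suser=CONTOSO\BLARGH act=login outcome=success"

# Escape sequences defined for CEF extension values (plus "|" for completeness).
_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r", "|": "|"}

# key=value pairs; the value consumes escape pairs whole so "\=" never ends a value,
# and stops before the next " key=" token or end of string.
_KV_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)")


def unescape_cef_value(raw: str) -> str:
    """Decode CEF escapes in an extension value."""
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt in _ESCAPES:
                out.append(_ESCAPES[nxt])
                i += 2
                continue
            # ASSUMPTION: a lone backslash before a non-escape character is dropped.
            # This is what turns "CONTOSO\BLARGH" into "CONTOSOBLARGH" when the
            # producer fails to double the backslash.
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def escape_cef_value(value: str) -> str:
    """Producer-side encoding: the fix for the problem is to emit values this way."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n").replace("\r", "\\r")


def parse_cef(line: str) -> Dict[str, str]:
    """Return the extension fields of one CEF record, decoded."""
    # Seven header fields separated by unescaped "|", then the extension block.
    parts = re.split(r"(?<!\\)\|", line.rstrip("\n"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    extension = parts[7]
    return {key: unescape_cef_value(raw) for key, raw in _KV_RE.findall(extension)}


def split_domain_user(value: str) -> Tuple[Optional[str], str]:
    """Split DOMAIN\\user into its parts; local accounts have no domain prefix."""
    domain, sep, user = value.partition("\\")
    if not sep:
        return None, value
    return domain, user


if __name__ == "__main__":
    for record in (ESCAPED_RECORD, UNESCAPED_RECORD):
        suser = parse_cef(record)["suser"]
        print(repr(suser), "->", split_domain_user(suser))
```

Running the block shows the escaped record decoding to `CONTOSO\BLARGH` and splitting cleanly into `("CONTOSO", "BLARGH")`, while the unescaped record collapses to `CONTOSOBLARGH` with no separator left to split on. The practical consequence is that a split rule in the consumer can only work once the producer doubles the backslash; a parser cannot recover a separator that was never escaped into the record.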
