For Palo logs, the username is being extracted with the domain in front of it, i.e., domain\user
To be CIM compliant, shouldn't the domain\ be removed so only the user is listed as a value? Is there a way to remove the domain\ from the user field extraction?
Thx