The Windows Technology Add-on uses a transform file to extract the source domain and destination domain based on the SOURCE_KEY Account_Domain. In the props.conf file, it has a REPORT line for both the source and destination Account_Domain.
props.conf
[source::*:Security]
REPORT-dest_nt_domain_for_windows_security = Account_Domain_as_dest_nt_domain
REPORT-src_nt_domain_for_windows_security = Account_Domain_as_src_nt_domain
transforms.conf
[Account_Domain_as_dest_nt_domain]
SOURCE_KEY = Account_Domain
REGEX = ([^\n]+)\n(.*)
FORMAT = dest_nt_domain::"$2"
[Account_Name_as_src_user]
SOURCE_KEY = Account_Name
REGEX = ([^\n]+)\n
FORMAT = src_user::"$1"
I want to be able to flip the meaning of these two fields for a specific eventlog entry. I created a new eventtype based on the EventCode. In props.conf, I created the following entry:
[eventtype::Flipped_Account_Domain]
REPORT-flipped_src_nt_domain = Flipped_Account_Domain_as_src_nt_domain
REPORT-flipped_dest_nt_domain = Flipped_Account_Domain_as_dest_nt_domain
Unfortunately, my fields did not get switched like I wanted. First, did I misunderstand the eventtype stanza used above? If not, how would you flip the extraction for this specific event?
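Added example (not from the Windows TA or the poster): a small Python model of how the REPORT/SOURCE_KEY transforms quoted in the question map a two-line Account_Domain value into src_nt_domain and dest_nt_domain, with the src stanza and the two "Flipped" stanzas written out as assumed mirror images, and the single-line Account_Domain case where the regex cannot match.

```python
import re

# Constructed transform definitions mirroring the stanzas in the question.
# The dest stanza is copied from the question; the src and Flipped stanzas are
# ASSUMED to follow the same pattern with $1/$2 swapped as their names suggest.
TRANSFORMS = {
    "Account_Domain_as_dest_nt_domain": {
        "SOURCE_KEY": "Account_Domain", "REGEX": r"([^\n]+)\n(.*)",
        "FORMAT": 'dest_nt_domain::"$2"'},
    "Account_Domain_as_src_nt_domain": {                      # assumed
        "SOURCE_KEY": "Account_Domain", "REGEX": r"([^\n]+)\n(.*)",
        "FORMAT": 'src_nt_domain::"$1"'},
    "Flipped_Account_Domain_as_src_nt_domain": {              # assumed
        "SOURCE_KEY": "Account_Domain", "REGEX": r"([^\n]+)\n(.*)",
        "FORMAT": 'src_nt_domain::"$2"'},
    "Flipped_Account_Domain_as_dest_nt_domain": {             # assumed
        "SOURCE_KEY": "Account_Domain", "REGEX": r"([^\n]+)\n(.*)",
        "FORMAT": 'dest_nt_domain::"$1"'},
}

NORMAL = ["Account_Domain_as_src_nt_domain", "Account_Domain_as_dest_nt_domain"]
FLIPPED = ["Flipped_Account_Domain_as_src_nt_domain",
           "Flipped_Account_Domain_as_dest_nt_domain"]


def apply_transform(event, name):
    """Run one SOURCE_KEY/REGEX/FORMAT transform against an event dict."""
    t = TRANSFORMS[name]
    value = event.get(t["SOURCE_KEY"])
    if value is None:
        return {}
    m = re.search(t["REGEX"], value)
    if not m:                      # e.g. Account_Domain has only one line
        return {}
    field, template = t["FORMAT"].split("::", 1)
    template = template.strip('"')
    # Substitute $1, $2, ... with the matching capture groups.
    out = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", template)
    return {field: out}


def extract(event, report_names):
    """Apply the listed transforms in order, like REPORT-* lines in props.conf."""
    fields = {}
    for name in report_names:
        fields.update(apply_transform(event, name))
    return fields


# Constructed sample: first line = subject domain, second line = target domain.
SAMPLE_EVENT = {"Account_Domain": "CORP\nWORKGROUP"}
SINGLE_LINE_EVENT = {"Account_Domain": "CORP"}
```

With the single-line event neither stanza sets a field, so an event that carries only one Account_Domain line ends up with no src_nt_domain or dest_nt_domain at all.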