Custom Field Mapping
I have done similar mappings for Symantec Endpoint and it worked. Try this from ESM:
Right click the WUC connector
Select Send command > Mapping > Map Additional Data Name
Enter these values:
Device Vendor: Microsoft
Device Product: Microsoft Windows
Additional data name: ad.User:Account_,Name
ArcSight field: flexString1
Just a note on your additional data name: this name needs to match the field in the Microsoft ad. attributes. So if ad.User: is not part of the field name and just a prefix, I would drop it and only use Account_Name. Also, I notice a comma before name in ad.User:Account_,Name; is that supposed to be there?
Hope it helps
It's important that you map the original data field of the log, which for me was 'CmdSet' instead of 'ad.CmdSet'.