When the malware appliance is configured for CEF alerting, the filename will be preceded by a number indicating its position in the session.

For example, an email may contain multiple attachments: file1.txt, file2.txt, file3.txt, etc.

If malware is detected, these will be sent via CEF with the filenames 1.file1.txt, 2.file2.txt, 3.file3.txt.

This Lua parser converts the filename back to the original!
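The normalization described above, sketched in plain Lua. This is an added example, not the parser's own code: the function name `strip_position_prefix` and the sample filenames are constructed, and it assumes the position prefix is always decimal digits followed by a single dot.

```lua
-- Added example (not the original parser): remove the session-position
-- prefix that CEF alerts put in front of a filename.
-- Returns the original filename and the position as a number, or the
-- input unchanged and nil when no prefix is present.
local function strip_position_prefix(cef_name)
  -- Anchor at the start and take only the FIRST digits-plus-dot segment,
  -- so a name that itself starts with digits keeps them.
  local pos, original = cef_name:match("^(%d+)%.(.+)$")
  if pos then
    return original, tonumber(pos)
  end
  return cef_name, nil
end

-- Constructed sample values in the form the page describes.
local samples = {
  "1.file1.txt",
  "2.file2.txt",
  "10.2023.report.pdf", -- original name begins with digits
  "notes.txt",          -- no position prefix
}

for _, name in ipairs(samples) do
  local original, pos = strip_position_prefix(name)
  print(string.format("%-20s position=%-4s filename=%s",
    name, tostring(pos), original))
end
```

A filename that arrives without the prefix but starts with digits and a dot cannot be told apart from a prefixed one, so apply this only to values taken from the appliance's CEF alerts.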
