Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to convert SID to Active Directory friendly name for an alert?

dmittel
Engager
‎01-11-2016 09:06 AM

I'm new to Splunk and trying to configure an alert so when Windows Event ID 4760 occurs. I have the basic syntax created, but when the event occurs in the the New Security Descriptor field, it shows the changes with the active directory SID, and I would like it to show in the alert with the friendly active directory account/group name for a quick glance check. Is there a way to do this? Thanks

0 Karma
Reply

javiergn
Super Champion
‎01-11-2016 10:21 AM

Add the following to your WinEventLog Security stanza:

evt_resolve_ad_obj = 1

Keep in mind this is going to resolve objects using your default DC but you can specify the server name too by using the following attributes:

evt_dc_name
evt_dns_name
0 Karma
Reply

dmittel
Engager
‎01-11-2016 01:36 PM

Sorry, I'm an idiot and accidentally posted this as an answer, reposting as a comment:

Let me ask this a different way. Below is an example of one of the events that I am talking about. What I am looking to do is send out an alert that reports back this event with who made the change (Account Name) and what the change was Original Security Descriptor and New Security Descriptor, but have it translate in the descriptor fields if there is a SID, like S-1-5-21-222222222-222222222-222222222-22222 in the example below) to the SAMAccountName.

01/11/2016 10:08:36 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4670
EventType=0
Type=Information
ComputerName=domain.org
TaskCategory=Authorization Policy Change
OpCode=Info
RecordNumber=10759617
Keywords=Audit Success
Message=Permissions on an object were changed.

Subject:
Security ID: S-1-5-21-111111111-111111111-1111111111-11111
Account Name: admin
Account Domain: domain
Logon ID: 0x1EEDD4C

Object:
Object Server: Security
Object Type: File
Object Name: D:\Test
Handle ID: 0x139c

Process:
Process ID: 0x998
Process Name: C:\Windows\explorer.exe

Permissions Change:
Original Security Descriptor: D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CI;DC;;;BU)
New Security Descriptor: D:ARAI(A;;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-222222222-222222222-222222222-22222)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)

0 Karma
Reply

javiergn
Super Champion
‎01-12-2016 02:13 AM

In that case your best option is to use a lookup in order to translate SIDs into Account Names.
You've got several options to do this:

  1. Dump every day (week, hour, ...) all your AD account names and SIDs into SQL and build a DB lookup
  2. Dump every day (week, hour, ...) all your AD account names and SIDs into a CSV and build a file lookup
  3. Use the LDAP app and connect to your AD

I personally prefer options 1 or 2. Whatever is easier for you. DB lookup is what I'm using at work to translate SIDs into Account Names before I can generate an alert for unauthorised access to files.

Let me know if that helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...