I'm working on using Splunk for Windows auditing. In events 4670, 4656 and 4663 one (or more) security descriptors are present.
These descriptors are very cryptic and look like D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)
I want to translate these (either at index, parse or search time) to a readable format. Is this possible? If so, how can I do this?
Thanks in advance,
Coen
I think what you would wind up doing is breaking out each ACE and creating lookups for each of the different components. I think the quickest approach would be to extract each ACE, which will lead to the ACE field often being a multivalue field. Then use mvexpand, which will then allow lookups against each of the ACE components. Since the number of ACEs in a security descriptor is variable, doing this in search is going to be somewhat complex.
Here's a link to a good breakdown of how each ACE is constructed and what the strings mean:
Linked in the ACE strings page but easy to miss: ACE SID strings
And here's a decent (but old) blog post on deciphering security descriptors in this format that ties it all together:
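To make the breakdown above concrete, here is a standalone Python parser for descriptors in this SDDL format, added as an example and not code from the answer, from Splunk or from the Windows TA. It does in one place what the answer describes doing with rex, mvexpand and lookups: split the descriptor into owner/group/DACL/SACL, split each ACL into ACEs, and map the ACE type, flags, rights and trustee aliases to readable names. The alias tables are the standard SDDL ones; the well-known SID table is deliberately short, and any SID it does not know is returned verbatim so an external lookup (for example against AD) can resolve it. The first sample descriptor is the one from the question; the second (`SAMPLE_FULL`) is constructed to exercise ACL flags, inheritance flags, a hex access mask and a SACL.

```python
import re

# Standard SDDL aliases. Tables are kept to the common values on purpose.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "OBJECT_ACCESS_ALLOWED",
             "OD": "OBJECT_ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM",
             "OU": "OBJECT_SYSTEM_AUDIT", "OL": "OBJECT_SYSTEM_ALARM", "ML": "MANDATORY_LABEL"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
ACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "FX": "FILE_GENERIC_EXECUTE", "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE",
          "KX": "KEY_EXECUTE", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN",
          "SW": "SELF_WRITE", "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "DT": "DELETE_TREE",
          "LO": "LIST_OBJECT", "CR": "CONTROL_ACCESS"}
# Bits of a raw access mask (the "0x..." form); the low 16 bits are object-specific.
MASK_BITS = [(0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
             (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"), (0x10000000, "GENERIC_ALL"),
             (0x20000000, "GENERIC_EXECUTE"), (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ")]
SID_ALIASES = {"SY": "Local System", "BA": "Builtin Administrators", "BU": "Builtin Users",
               "BG": "Builtin Guests", "WD": "Everyone", "AU": "Authenticated Users",
               "IU": "Interactive Users", "NS": "Network Service", "LS": "Local Service",
               "CO": "Creator Owner", "CG": "Creator Group", "AN": "Anonymous", "OW": "Owner Rights",
               "BO": "Backup Operators", "SO": "Server Operators", "PU": "Power Users",
               "AC": "All Application Packages", "DA": "Domain Admins", "DU": "Domain Users",
               "EA": "Enterprise Admins", "RD": "Remote Desktop Users"}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-3-0": "Creator Owner", "S-1-5-11": "Authenticated Users",
                   "S-1-5-18": "Local System", "S-1-5-19": "Local Service", "S-1-5-20": "Network Service",
                   "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users"}

# Descriptor from the question, and a constructed one covering flags, a hex mask and a SACL.
SAMPLE_QUESTION = "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)"
SAMPLE_FULL = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICIID;0x1200a9;;;BU)S:AI(AU;SAFA;FA;;;WD)"


def _pairs(s):
    """Split a run of two-letter SDDL tokens: "OICI" -> ["OI", "CI"]."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def decode_acl_flags(s):
    """ACL control flags mix one- and two-letter tokens ("PAI" -> P, AI)."""
    out = []
    while s:
        width = 2 if s[:2] in ACL_FLAGS else 1
        out.append(ACL_FLAGS.get(s[:width], f"UNKNOWN({s[:width]})"))
        s = s[width:]
    return out


def decode_rights(s):
    """Rights are either two-letter aliases or a raw hex access mask."""
    if s.lower().startswith("0x"):
        mask = int(s, 16)
        names = [name for bit, name in MASK_BITS if mask & bit]
        specific = mask & ~sum(bit for bit, _ in MASK_BITS)
        if specific:
            names.append(f"SPECIFIC_{specific:#06x}")
        return names
    return [RIGHTS.get(t, f"UNKNOWN({t})") for t in _pairs(s)]


def decode_sid(s):
    """Aliases and a few well-known SIDs are named; anything else is left for a lookup."""
    if s.startswith("S-"):
        return WELL_KNOWN_SIDS.get(s, s)
    return SID_ALIASES.get(s, f"UNKNOWN({s})")


def parse_ace(ace):
    """ACE string: type;flags;rights;object_guid;inherit_object_guid;trustee."""
    parts = ace.split(";")
    if len(parts) < 6:
        raise ValueError(f"malformed ACE: {ace!r}")
    ace_type, flags, rights, obj, inh_obj, sid = parts[:6]
    return {"type": ACE_TYPES.get(ace_type, f"UNKNOWN({ace_type})"),
            "flags": [ACE_FLAGS.get(t, f"UNKNOWN({t})") for t in _pairs(flags)],
            "rights": decode_rights(rights), "object_guid": obj or None,
            "inherit_object_guid": inh_obj or None, "trustee": decode_sid(sid)}


def parse_sddl(sddl):
    """Split O:/G:/D:/S: components; D and S carry ACL flags followed by (ACE) groups."""
    result = {"owner": None, "group": None, "dacl": None, "sacl": None}
    for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        key, body = m.group(1), m.group(2)
        if key == "O":
            result["owner"] = decode_sid(body)
        elif key == "G":
            result["group"] = decode_sid(body)
        else:
            acl_flags = body.split("(", 1)[0]
            aces = re.findall(r"\(([^)]*)\)", body)
            result["dacl" if key == "D" else "sacl"] = {
                "flags": decode_acl_flags(acl_flags), "aces": [parse_ace(a) for a in aces]}
    return result


def render(parsed):
    """One readable line per ACE, the shape you would want as a multivalue field."""
    lines = []
    for acl in ("dacl", "sacl"):
        if parsed[acl] is None:
            continue
        for ace in parsed[acl]["aces"]:
            flags = f" [{' '.join(ace['flags'])}]" if ace["flags"] else ""
            lines.append(f"{acl.upper()} {ace['type']}{flags} {ace['trustee']}: {', '.join(ace['rights'])}")
    return lines


if __name__ == "__main__":
    for sample in (SAMPLE_QUESTION, SAMPLE_FULL):
        print(sample)
        for line in render(parse_sddl(sample)):
            print("  " + line)
```

Run as-is it prints each sample followed by one line per ACE, e.g. `DACL ACCESS_ALLOWED Local System: GENERIC_ALL`. Note that the third ACE in the question's descriptor carries a SID the tables do not know, so it comes back unchanged; that is the case the answer's lookup approach exists for, and the same split-then-lookup structure maps onto rex/mvexpand in SPL if you decide to do it at search time after all.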
Thank you for the answer.
I was already afraid that I would need to do something like this. It would have been nice if the Splunk Windows TA would already do this automagically.