Hi Splunkers,
We need to analyze events with code 4662, which contain the accessed AD objects; unfortunately the object values are presented as IDs (for example %{bf967a86-0de6-11d0-a285-00aa003049e2}), just as they appear in Event Viewer.
Does the evt_resolve_ad_obj = 1 setting translate the IDs (Object Name, Object Type) into names, or does it convert only the Security ID?
You are correct, you need the evt_resolve_ad_obj = 1 setting and it will resolve EVERYTHING.
Thanks, and I've found a new detail in the documentation. I'm afraid it will not work with our GUIDs, but I have to try:
"Splunk software cannot translate SIDs that are not in the format S-1-N-NN-NNNNNNNNNN-NNNNNNNNNN-NNNNNNNNNN-NNNN"
I have never seen SIDs that did not get resolved.
Didn't get to prove it, because we've decided to grab SIDs and GUIDs via ldapsearch and format a lookup.
But thanks, accepting!
WAIT! Don't click accept on this answer! We would all like to hear about your clever workaround. That will surely help somebody else (maybe me) in the future!