Solved: How to tranlate SID from Windows event

evelenke · ‎05-07-2019

Hi Splunkers,

we need to analyze events with code 4662 that contains accessed AD objects, unfortunately object values are presented as IDs (example - %{bf967a86-0de6-11d0-a285-00aa003049e2}, like it is presented in EventViewer).

Will an attribute evt_resolve_ad_obj = 1 translate IDs (Object Name, Object Type) into names? OR it converts only Security ID?
Is there any suggestion how to translate those IDs to be presented as readable names in EventViewer directly?

woodcock · ‎05-07-2019

You are correct, you need the evt_resolve_ad_obj = 1 setting and it will resolve EVERYTHING.

View solution in original post

woodcock · ‎05-07-2019

You are correct, you need the evt_resolve_ad_obj = 1 setting and it will resolve EVERYTHING.

evelenke · ‎05-07-2019

Thanks,and I've found a new detail in documentation, I'm afraid with our GUIDs will not work, but have to try:

" Splunk software cannot translate SIDs that are not in the format S-1-N-NN-NNNNNNNNNN-NNNNNNNNNN-NNNNNNNNNN-NNNN"

woodcock · ‎05-07-2019

I have never seen SIDs that did not get resolved.

evelenke · ‎05-14-2019

DIdn't get to prove, because we've decided to grab sids and guids via ldapsearch and format lookup.
But thanks, accepting!

woodcock · ‎05-14-2019

WAIT! Don't click accept on this answer! We would all like to hear about your clever workaround. That sill surely help somebody else (maybe me) in the future!

How to tranlate SID from Windows event

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life