Sorry, I'm an idiot and accidentally posted this as an answer, reposting as a comment:
Let me ask this a different way. Below is an example of one of the events that I am talking about. What I am looking to do is send out an alert that reports back this event with who made the change (Account Name) and what the change was (Original Security Descriptor and New Security Descriptor), but have it translate any SID in the descriptor fields (like S-1-5-21-222222222-222222222-222222222-22222 in the example below) to the SAMAccountName.
01/11/2016 10:08:36 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4670
EventType=0
Type=Information
ComputerName=domain.org
TaskCategory=Authorization Policy Change
OpCode=Info
RecordNumber=10759617
Keywords=Audit Success
Message=Permissions on an object were changed.
Subject:
Security ID: S-1-5-21-111111111-111111111-1111111111-11111
Account Name: admin
Account Domain: domain
Logon ID: 0x1EEDD4C
Object:
Object Server: Security
Object Type: File
Object Name: D:\Test
Handle ID: 0x139c
Process:
Process ID: 0x998
Process Name: C:\Windows\explorer.exe
Permissions Change:
Original Security Descriptor: D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CI;DC;;;BU)
New Security Descriptor: D:ARAI(A;;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-222222222-222222222-222222222-22222)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)
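An added example, not part of the original post: a Python sketch that rewrites raw SIDs in the two descriptor fields as account names and reports ACEs granted to a trustee that had no entry in the original descriptor. The `SID_TO_NAME` table and the account name `DOMAIN\jdoe` are constructed placeholders; a real alert would fill the table from a directory lookup.

```python
import re

# Descriptors copied from the event 4670 sample in the post above.
ORIGINAL = ("D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)"
            "(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CI;DC;;;BU)")
NEW = ("D:ARAI(A;;FA;;;BA)"
       "(A;OICI;0x1301bf;;;S-1-5-21-222222222-222222222-222222222-22222)"
       "(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)"
       "(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)")

# Constructed lookup (assumption): SID -> sAMAccountName, e.g. from an AD export.
SID_TO_NAME = {"S-1-5-21-222222222-222222222-222222222-22222": "DOMAIN\\jdoe"}
# SDDL two-letter aliases that occur in this event.
ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
           "CO": "CREATOR OWNER", "BU": "BUILTIN\\Users"}

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
ACE_RE = re.compile(r"\(([^()]*)\)")

def translate_sddl(sddl):
    """Replace every raw SID with its account name; unknown SIDs stay as-is."""
    return SID_RE.sub(lambda m: SID_TO_NAME.get(m.group(0), m.group(0)), sddl)

def parse_aces(sddl):
    """Return (type, flags, rights, trustee) for each ACE in the DACL part."""
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    aces = []
    for body in ACE_RE.findall(dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) >= 6:  # type;flags;rights;obj_guid;inherit_guid;sid
            aces.append((fields[0], fields[1], fields[2], fields[5]))
    return aces

def resolve(trustee):
    """Map a trustee (raw SID or SDDL alias) to a readable name."""
    return SID_TO_NAME.get(trustee) or ALIASES.get(trustee, trustee)

def new_trustees(original, new):
    """ACEs in `new` whose trustee had no ACE at all in `original`."""
    before = {ace[3] for ace in parse_aces(original)}
    return [(resolve(t), rights, flags)
            for _typ, flags, rights, t in parse_aces(new) if t not in before]

if __name__ == "__main__":
    print(translate_sddl(NEW))
    for name, rights, flags in new_trustees(ORIGINAL, NEW):
        print(f"new trustee {name}: rights={rights} flags={flags}")
```

Comparing trustees rather than whole ACE strings keeps the alert quiet when only the inherited (`ID`) flag changes, as it does on most entries in this event.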