https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441239#M76934 <P>Thanks,and I've found a new detail in <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/MonitorWindowseventlogdata">documentation</A>, I'm afraid with our GUIDs will not work, but have to try: </P> <P>" Splunk software cannot translate SIDs that are not in the format S-1-N-NN-NNNNNNNNNN-NNNNNNNNNN-NNNNNNNNNN-NNNN"</P> Tue, 07 May 2019 23:59:35 GMT evelenke 2019-05-07T23:59:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441237#M76932 <P>Hi Splunkers,</P> <P>we need to analyze events with code <CODE>4662</CODE> that contains accessed AD objects, unfortunately object values are presented as IDs (example - %{bf967a86-0de6-11d0-a285-00aa003049e2}, like it is presented in EventViewer).</P> <UL> <LI>Will an attribute <CODE>evt_resolve_ad_obj = 1</CODE> translate IDs (Object Name, Object Type) into names? OR it converts only Security ID?</LI> <LI>Is there any suggestion how to translate those IDs to be presented as readable names in EventViewer directly?</LI> </UL> Tue, 07 May 2019 13:57:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441237#M76932 evelenke 2019-05-07T13:57:44Z https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441238#M76933 <P>You are correct, you need the <CODE>evt_resolve_ad_obj = 1</CODE> setting and it will resolve EVERYTHING.</P> Tue, 07 May 2019 15:55:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441238#M76933 woodcock 2019-05-07T15:55:24Z https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441239#M76934 <P>Thanks,and I've found a new detail in <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/MonitorWindowseventlogdata">documentation</A>, I'm afraid with our GUIDs will not work, but have to try: </P> <P>" Splunk software cannot translate SIDs that are not in the format S-1-N-NN-NNNNNNNNNN-NNNNNNNNNN-NNNNNNNNNN-NNNN"</P> Tue, 07 May 2019 23:59:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441239#M76934 evelenke 2019-05-07T23:59:35Z https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441240#M76935 <P>I have never seen SIDs that did not get resolved.</P> Wed, 08 May 2019 01:43:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441240#M76935 woodcock 2019-05-08T01:43:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441241#M76936 <P>DIdn't get to prove, because we've decided to grab sids and guids via <CODE>ldapsearch</CODE> and format lookup. <BR /> But thanks, accepting!</P> Tue, 14 May 2019 09:51:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441241#M76936 evelenke 2019-05-14T09:51:47Z https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441242#M76937 <P>WAIT! Don't click accept on this answer! We would all like to hear about your clever workaround. That sill surely help somebody else (maybe me) in the future!</P> Tue, 14 May 2019 14:53:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-tranlate-SID-from-Windows-event/m-p/441242#M76937 woodcock 2019-05-14T14:53:54Z