Translate GUID in Windows Event Log during Searcht...

muebel · ‎12-13-2010

Is there a way to translate any GUID's to their corresponding AD objects as with "evt_resolve_ad_obj," but during Searchtime?

dwaddle · ‎12-14-2010

I would assume you could do it with a lookup (scripted or CSV) that does an LDAP search against your AD tree. From what I'm seeing here, objectGUID is an operational attribute of each object.

http://msdn.microsoft.com/en-us/library/cc221017%28v=PROT.10%29.aspx

It's not perfect yet, but I got close using just ldapsearch, as follows:

ldapsearch -h my.ad.server -x -D "CN=bindaccount,CN=Users,DC=my,DC=com" -W -b DC=my,DC=com "(objectGuid=*)" distinguishedName objectGuid

This dumps (in ldif format) every object that has a GUID, showing its GUID and its DN. There's some non-entirely-trivial reformatting to turn this into a CSV for lookup purposes. The same thing might be more easily done with the Python LDAP modules:

http://www.packtpub.com/article/installing-and-configuring-the-python-ldap-library-and-binding-to-an...

http://www.packtpub.com/article/python-ldap-applications-ldap-opearations

http://www.packtpub.com/article/python-ldap-applications-more-ldap-operations-and-the-ldap-url-libra...

Translate GUID in Windows Event Log during Searchtime?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation