Translate GUID in Windows Event Log during Searcht...

muebel · ‎12-13-2010

Is there a way to translate any GUID's to their corresponding AD objects as with "evt_resolve_ad_obj," but during Searchtime?

dwaddle · ‎12-14-2010

I would assume you could do it with a lookup (scripted or CSV) that does an LDAP search against your AD tree. From what I'm seeing here, objectGUID is an operational attribute of each object.

http://msdn.microsoft.com/en-us/library/cc221017%28v=PROT.10%29.aspx

It's not perfect yet, but I got close using just ldapsearch, as follows:

ldapsearch -h my.ad.server -x -D "CN=bindaccount,CN=Users,DC=my,DC=com" -W -b DC=my,DC=com "(objectGuid=*)" distinguishedName objectGuid

This dumps (in ldif format) every object that has a GUID, showing its GUID and its DN. There's some non-entirely-trivial reformatting to turn this into a CSV for lookup purposes. The same thing might be more easily done with the Python LDAP modules:

http://www.packtpub.com/article/installing-and-configuring-the-python-ldap-library-and-binding-to-an...

http://www.packtpub.com/article/python-ldap-applications-ldap-opearations

http://www.packtpub.com/article/python-ldap-applications-more-ldap-operations-and-the-ldap-url-libra...

Translate GUID in Windows Event Log during Searchtime?

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

AI for AppInspect

Join the Conversation

Translate GUID in Windows Event Log during Searchtime?

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

AI for AppInspect