A source user added a user to the local admin group of a server.
In the event, the Security ID is S-x-x-xx-xxxxxxxxxxx8-7xxxxxx4-1xxx for the subject, the member, and the group.
In the event we can see who actually made this change, but there is no information about "which user" was added to which local security group; I can only see the SID or UID. How can we fix this issue?
I found the problem in this post:
https://answers.splunk.com/answers/23502/windows-sid-resolving-in-splunk.html
One way would be to use the Subject - Logon ID value to search against 4624 (logon) events to find the user.
Ideally, you would need to check with the AD admin on what they did, as Subject - Security ID should also capture the domain name matching the value in Account Domain. Also, Member - Security ID should have the domain name and the actual user/object that was added to the group under Group - Security ID.
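The correlation the answer describes, as an added example that is not part of the original thread and not Splunk's own code: it is written in Python rather than SPL so it runs stand-alone. It joins 4732 ("member added to a security-enabled local group") events to 4624 logon events on the Logon ID to name the actor, and translates the member and group SIDs through a lookup table of the kind an AD export would feed. The events, SIDs and account names are constructed; the field names (SubjectLogonId, TargetLogonId, MemberSid, TargetSid) follow the Windows Security log EventData names. The second 4732 has no matching 4624, which is the common failure mode when the logon predates log retention.

```python
"""Correlate 4732 (member added to local group) with 4624 (logon) on the
Subject Logon ID, and resolve SIDs through a lookup table.
Example added to this thread; not from Splunk or the original poster."""
from datetime import datetime

# Constructed sample events. Field names follow the Windows Security log
# EventData element names; SIDs, usernames and timestamps are made up.
EVENTS = [
    {"EventCode": 4624, "time": "2024-01-10T08:00:01", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "TargetLogonId": "0x3E7A21"},
    {"EventCode": 4624, "time": "2024-01-10T09:15:00", "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "TargetLogonId": "0x41B0C0"},
    {"EventCode": 4732, "time": "2024-01-10T08:05:30",
     "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "SubjectLogonId": "0x3E7A21",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1150",
     "TargetSid": "S-1-5-32-544"},
    # Logon ID with no matching 4624 (e.g. the logon happened before log retention)
    {"EventCode": 4732, "time": "2024-01-10T10:00:00",
     "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1300",
     "SubjectLogonId": "0x9999AA",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1151",
     "TargetSid": "S-1-5-32-544"},
]

# SID -> account name table. S-1-5-32-544 is the well-known BUILTIN\Administrators
# SID; the domain entry is constructed as if exported from AD into a lookup.
SID_LOOKUP = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-21-1111111111-2222222222-3333333333-1150": "CORP\\contractor01",
}


def index_logons(events):
    """Map each Logon ID to a list of (timestamp, DOMAIN\\user) taken from 4624 events."""
    logons = {}
    for ev in events:
        if ev["EventCode"] != 4624:
            continue
        user = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'
        logons.setdefault(ev["TargetLogonId"], []).append(
            (datetime.fromisoformat(ev["time"]), user))
    return logons


def resolve_subject(ev, logons):
    """Return the user behind the Subject Logon ID of ev, using the most recent
    4624 at or before the event time; None when no logon record is available."""
    t = datetime.fromisoformat(ev["time"])
    candidates = [(lt, u) for lt, u in logons.get(ev["SubjectLogonId"], []) if lt <= t]
    if not candidates:
        return None
    return max(candidates)[1]


def resolve_sid(sid, lookup=SID_LOOKUP):
    """Translate a SID through the lookup; unknown SIDs are returned unchanged."""
    return lookup.get(sid, sid)


def enrich_group_changes(events, lookup=SID_LOOKUP):
    """Produce one readable record per 4732 event: who added which member to which group."""
    logons = index_logons(events)
    out = []
    for ev in events:
        if ev["EventCode"] != 4732:
            continue
        out.append({
            "time": ev["time"],
            "actor": resolve_subject(ev, logons) or f'UNRESOLVED (logon {ev["SubjectLogonId"]})',
            "member": resolve_sid(ev["MemberSid"], lookup),
            "group": resolve_sid(ev["TargetSid"], lookup),
            # Flag rows whose member SID is still raw so they can be sent for manual review
            "member_resolved": ev["MemberSid"] in lookup,
        })
    return out


if __name__ == "__main__":
    for rec in enrich_group_changes(EVENTS):
        print(rec)
```

Logon IDs are only unique per boot, so a real implementation should scope the join to the same host and prefer the latest 4624 before the 4732, as resolve_subject does here; rows where the member SID stays unresolved are the ones worth chasing with the AD admin.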