Splunk Enterprise

Issues resolving AD user SID with PowerShell EventLog - evt_resolve_ad_obj

andrewnice

Hi All, 

Does anyone know if it is possible to use the evt_resolve_ad_obj Windows monitor parameter with the PowerShell event channel to resolve the Active Directory Security Identifier (SID) to canonical name?

I know it works under the [WinEventLog://Security] stanza, but it doesn't seem to work for me with the PowerShell stanza.

 

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1
current_only = 0
checkpointInterval = 5
renderXml = 1
whitelist = 4104
index = powershell

 

A normal security event, 4688 for example, shows the SID under the <EventData> tag: 

 

<EventData> 
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  ...
</EventData>

 

PowerShell events, 4104 for example, show the SID under the <System> tag: 

 

<System>
  ...
  <Security UserID="S-1-5-18" />
</System>

 

Not sure if this would cause it not to be able to extract it and resolve it or if anyone has this working?

Much appreciated.
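
The two SID locations described in the post, as an added example that is not part of the original post and not Splunk code: a small Python parser that pulls the SID out of a rendered XML event from either place, which is handy for checking where a given channel puts it. The sample events are constructed and trimmed, and the function names and the short well-known-SID table are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Small subset of well-known SIDs; domain account SIDs need a directory lookup.
WELL_KNOWN = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample events, trimmed to the elements shown in the post.
SECURITY_4688 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><Security /></System>
  <EventData><Data Name="SubjectUserSid">S-1-5-18</Data></EventData>
</Event>"""

POWERSHELL_4104 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID><Security UserID="S-1-5-18" /></System>
  <EventData><Data Name="ScriptBlockText">Get-Date</Data></EventData>
</Event>"""


def extract_sids(event_xml):
    """Return {location: sid} for every SID-bearing field in one event."""
    root = ET.fromstring(event_xml)
    found = {}
    # PowerShell/Operational style: SID is an attribute in the <System> header.
    sec = root.find("e:System/e:Security", NS)
    if sec is not None and sec.get("UserID"):
        found["System/Security/@UserID"] = sec.get("UserID")
    # Security log style: SID is a named <Data> element under <EventData>.
    for data in root.findall("e:EventData/e:Data", NS):
        name, value = data.get("Name", ""), (data.text or "").strip()
        if name.endswith("Sid") and value.startswith("S-1-"):
            found["EventData/" + name] = value
    return found


def summarize(event_xml):
    """Return (EventID, {location: (sid, well-known name or 'unresolved')})."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    sids = extract_sids(event_xml)
    return event_id, {loc: (sid, WELL_KNOWN.get(sid, "unresolved"))
                      for loc, sid in sids.items()}


if __name__ == "__main__":
    for sample in (SECURITY_4688, POWERSHELL_4104):
        print(summarize(sample))
```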
