Splunk Enterprise

Issues resolving AD user SID with PowerShell EventLog - evt_resolve_ad_obj

andrewnice
Loves-to-Learn

Hi All, 

Does anyone know if it is possible to use the evt_resolve_ad_obj windows monitor parameter with the PowerShell event channel to resolve the Active Directory Security IDentifier (SID) to canonical name?

I know it works under the [WinEventLog://Security] stanza but it doesn't seem to work for me with the PowerShell stanza.

 

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1
current_only = 0
checkpointInterval = 5
renderXml = 1
whitelist = 4104
index = powershell

 

A normal security event, 4688 for example, shows the SID under the <EventData> tag: 

 

<EventData> 
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  ...
</EventData>

 

PowerShell events 4104 for example show the SID under the <System> tag: 

 

<System>
  ...
  <Security UserID="S-1-5-18" />
</System>

 

Not sure if this would cause it not to be able to extract it and resolve it or if anyone has this working?

Much appreciated.

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...