How to convert SID to Active Directory friendly name for an alert?


I'm new to Splunk and trying to configure an alert for when Windows Event ID 4760 occurs. I have the basic syntax created, but when the event occurs, the New Security Descriptor field shows the changes with the Active Directory SID, and I would like it to show in the alert with the friendly Active Directory account/group name for a quick glance check. Is there a way to do this? Thanks

Add the following to your WinEventLog Security stanza:

evt_resolve_ad_obj = 1

Keep in mind this is going to resolve objects using your default DC but you can specify the server name too by using the following attributes:

Let me ask this a different way. Below is an example of one of the events that I am talking about. What I am looking to do is send out an alert that reports back this event with who made the change (Account Name) and what the change was (Original Security Descriptor and New Security Descriptor), but have it translate any SID in the descriptor fields (like S-1-5-21-222222222-222222222-222222222-22222 in the example below) to the SAMAccountName.

01/11/2016 10:08:36 AM
SourceName=Microsoft Windows security auditing.
TaskCategory=Authorization Policy Change
Keywords=Audit Success
Message=Permissions on an object were changed.

Security ID: S-1-5-21-111111111-111111111-1111111111-11111
Account Name: admin
Account Domain: domain
Logon ID: 0x1EEDD4C

Object Server: Security
Object Type: File
Object Name: D:\Test
Handle ID: 0x139c

Process ID: 0x998
Process Name: C:\Windows\explorer.exe

Permissions Change:
Original Security Descriptor: D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CI;DC;;;BU)
New Security Descriptor: D:ARAI(A;;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-222222222-222222222-222222222-22222)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)

In that case your best option is to use a lookup in order to translate SIDs into Account Names.
You've got several options to do this:

  1. Dump every day (week, hour, ...) all your AD account names and SIDs into SQL and build a DB lookup
  2. Dump every day (week, hour, ...) all your AD account names and SIDs into a CSV and build a file lookup
  3. Use the LDAP app and connect to your AD

I personally prefer option 1 or 2, whichever is easier for you. A DB lookup is what I'm using at work to translate SIDs into Account Names before I generate an alert for unauthorised access to files.

Let me know if that helps.
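To show what the CSV lookup from option 2 has to do with the descriptor fields above, here is a stand-alone illustration (added example, not code from the thread or from Splunk): it splits each SDDL descriptor into its ACEs, resolves the trustee of every ACE against a constructed sid-to-SAMAccountName CSV (plus the two-letter SDDL aliases like BA and SY, which are not SIDs and would otherwise be missed), and reports which ACEs the change added. The column names in the CSV and the account names are assumptions; the two descriptors are the ones from the event in the question.

```python
import csv
import io
import re

# Constructed sample of the CSV an AD export (option 2) would produce;
# the column names "sid" and "samaccountname" are an assumption.
AD_SID_CSV = """sid,samaccountname
S-1-5-21-111111111-111111111-1111111111-11111,admin
S-1-5-21-222222222-222222222-222222222-22222,finance-ro
"""

# Well-known two-letter SDDL trustee aliases that appear in place of a SID.
SDDL_ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
                "BU": "BUILTIN\\Users", "CO": "CREATOR OWNER"}

# Descriptors copied from the event in the question (SIDs are the anonymised ones).
ORIGINAL_SDDL = ("D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)"
                 "(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CI;DC;;;BU)")
NEW_SDDL = ("D:ARAI(A;;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-222222222-222222222-222222222-22222)"
            "(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)"
            "(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)")

# One SDDL ACE is "(type;flags;rights;object_guid;inherit_guid;trustee)".
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def load_sid_lookup(csv_text):
    """Build {sid: samaccountname} from the exported CSV text."""
    return {row["sid"]: row["samaccountname"]
            for row in csv.DictReader(io.StringIO(csv_text))}


def resolve_trustee(trustee, lookup):
    """SID -> SAMAccountName via the lookup, alias -> well-known name; unknown SIDs stay as-is."""
    return lookup.get(trustee) or SDDL_ALIASES.get(trustee) or trustee


def parse_sddl(sddl, lookup):
    """Return (ace_type, rights, friendly_trustee) for every ACE in a descriptor."""
    return [(ace_type, rights, resolve_trustee(trustee, lookup))
            for ace_type, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(sddl)]


def added_aces(original, new, lookup):
    """ACEs in the new descriptor that were not in the original. Inheritance flags
    (OICI vs OICIID) are ignored so inherited copies of old entries are not reported."""
    before = set(parse_sddl(original, lookup))
    return [ace for ace in parse_sddl(new, lookup) if ace not in before]


if __name__ == "__main__":
    sids = load_sid_lookup(AD_SID_CSV)
    for ace_type, rights, who in added_aces(ORIGINAL_SDDL, NEW_SDDL, sids):
        print(f"added: type={ace_type} rights={rights} trustee={who}")
```

In Splunk the equivalent is a `rex` with `max_match=0` over the descriptor field followed by a `lookup` against the same CSV; the script above just makes visible which tokens that lookup has to handle.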

