I'm new to Splunk and trying to configure an alert for when Windows Event ID 4760 occurs. I have the basic syntax created, but when the event occurs, the New Security Descriptor field shows the changes with the Active Directory SID, and I would like the alert to show the friendly Active Directory account/group name for a quick-glance check. Is there a way to do this? Thanks
Add the following to your WinEventLog Security stanza:
evt_resolve_ad_obj = 1
Keep in mind this is going to resolve objects using your default DC, but you can specify the server name too by using the following attributes:
Sorry, I'm an idiot and accidentally posted this as an answer; reposting as a comment:
Let me ask this a different way. Below is an example of one of the events that I am talking about. What I am looking to do is send out an alert that reports back this event with who made the change (Account Name) and what the change was (Original Security Descriptor and New Security Descriptor), but have it translate any SID in the descriptor fields (like S-1-5-21-222222222-222222222-222222222-22222 in the example below) to the SAMAccountName.
01/11/2016 10:08:36 AM
SourceName=Microsoft Windows security auditing.
TaskCategory=Authorization Policy Change
Message=Permissions on an object were changed.
Security ID: S-1-5-21-111111111-111111111-1111111111-11111
Account Name: admin
Account Domain: domain
Logon ID: 0x1EEDD4C
Object Server: Security
Object Type: File
Object Name: D:\Test
Handle ID: 0x139c
Process ID: 0x998
Process Name: C:\Windows\explorer.exe
Original Security Descriptor: D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CI;DC;;;BU)
New Security Descriptor: D:ARAI(A;;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-222222222-222222222-222222222-22222)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)
In that case, your best option is to use a lookup to translate SIDs into Account Names.
You've got several options to do this:
I personally prefer options 1 or 2, whatever is easier for you. A DB lookup is what I'm using at work to translate SIDs into Account Names before generating an alert for unauthorised access to files.
Let me know if that helps.
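The translation the answer describes, as an added worked example that is not part of the original thread and not Splunk's own code: it parses the SDDL strings from the posted event, resolves each trustee against a constructed SID-to-name table (standing in for the CSV or DB lookup the answer recommends) plus the two-letter SDDL aliases, and reports which ACEs were added or removed so the alert shows "who got what" rather than raw descriptors. The SID_LOOKUP contents, the DOMAIN\fileshare-rw and DOMAIN\admin names, and the RIGHTS labels are assumptions for the example; the descriptor strings are copied from the event in the post.

```python
import re

# Constructed lookup standing in for a Splunk CSV lookup exported from AD
# (objectSid -> sAMAccountName). The SIDs and names here are made up.
SID_LOOKUP = {
    "S-1-5-21-222222222-222222222-222222222-22222": "DOMAIN\\fileshare-rw",
    "S-1-5-21-111111111-111111111-1111111111-11111": "DOMAIN\\admin",
}

# Two-letter SDDL aliases for well-known trustees. These never appear as raw
# SIDs in the descriptor, so a SID lookup alone would leave them cryptic.
WELL_KNOWN = {
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "BU": "BUILTIN\\Users",
    "CO": "CREATOR OWNER",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
}

# Common file-permission rights as they appear in SDDL; anything else is left as-is.
RIGHTS = {"FA": "FullControl", "GA": "GenericAll",
          "0x1301bf": "Modify", "0x1200a9": "ReadAndExecute"}

ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Split a 'D:...' SDDL string into (dacl_flags, [(type, flags, rights, trustee), ...])."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a descriptor beginning with D:")
    body = sddl[2:]
    first = body.find("(")
    flags = body if first < 0 else body[:first]
    aces = []
    for ace in ACE_RE.findall(body):
        parts = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(parts) != 6:
            raise ValueError("malformed ACE: " + ace)
        aces.append((parts[0], parts[1], parts[2], parts[5]))
    return flags, aces


def resolve_trustee(trustee):
    """Friendly name for an SDDL trustee: alias table first, then the SID lookup.
    Unknown SIDs are returned unchanged so the alert never loses the raw value."""
    if trustee in WELL_KNOWN:
        return WELL_KNOWN[trustee]
    return SID_LOOKUP.get(trustee, trustee)


def _without_inherited_flag(flags):
    # ACE flags are two-letter tokens; drop ID (inherited) so entries that were
    # merely re-stamped as inherited are not reported as changes.
    tokens = [flags[i:i + 2] for i in range(0, len(flags), 2)]
    return "".join(t for t in tokens if t != "ID")


def ace_diff(original_sd, new_sd):
    """Return (added, removed) ACE tuples between two descriptors."""
    def norm(ace):
        t, f, r, who = ace
        return (t, _without_inherited_flag(f), r, who)
    before = {norm(a) for a in parse_dacl(original_sd)[1]}
    after = {norm(a) for a in parse_dacl(new_sd)[1]}
    return sorted(after - before), sorted(before - after)


def render_ace(ace):
    t, f, r, who = ace
    return f"{ACE_TYPES.get(t, t)} {resolve_trustee(who)} {RIGHTS.get(r, r)} [{f or '-'}]"


def summarize_change(original_sd, new_sd):
    """Lines for the alert body: what was granted or removed, with friendly names."""
    added, removed = ace_diff(original_sd, new_sd)
    lines = ["ADDED:   " + render_ace(a) for a in added]
    lines += ["REMOVED: " + render_ace(a) for a in removed]
    return lines


# Descriptors copied from the event in the post (SIDs are the post's placeholders).
ORIGINAL_SD = ("D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)"
               "(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CI;DC;;;BU)")
NEW_SD = ("D:ARAI(A;;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-222222222-222222222-222222222-22222)"
          "(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)"
          "(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)")

if __name__ == "__main__":
    print("Changed by:  admin (" + resolve_trustee("S-1-5-21-111111111-111111111-1111111111-11111") + ")")
    print("Object Name: D:\\Test")
    for line in summarize_change(ORIGINAL_SD, NEW_SD):
        print(line)
```

In Splunk the same two steps map onto a `rex` with `max_match=0` to pull every `S-1-5-21-...` value out of the descriptor fields and a `lookup` against the CSV (or DB) table to attach the account name; the diff step is what turns the two descriptors into the single "who got what" line worth putting in the alert.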