Splunk Search

How to convert SID to Active Directory friendly name for an alert?

Engager

I'm new to Splunk and trying to configure an alert so when Windows Event ID 4760 occurs. I have the basic syntax created, but when the event occurs in the the New Security Descriptor field, it shows the changes with the active directory SID, and I would like it to show in the alert with the friendly active directory account/group name for a quick glance check. Is there a way to do this? Thanks

0 Karma

SplunkTrust
SplunkTrust

Add the following to your WinEventLog Security stanza:

evt_resolve_ad_obj = 1

Keep in mind this is going to resolve objects using your default DC but you can specify the server name too by using the following attributes:

evt_dc_name
evt_dns_name
0 Karma

Engager

Sorry, I'm an idiot and accidentally posted this as an answer, reposting as a comment:

Let me ask this a different way. Below is an example of one of the events that I am talking about. What I am looking to do is send out an alert that reports back this event with who made the change (Account Name) and what the change was Original Security Descriptor and New Security Descriptor, but have it translate in the descriptor fields if there is a SID, like S-1-5-21-222222222-222222222-222222222-22222 in the example below) to the SAMAccountName.

01/11/2016 10:08:36 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4670
EventType=0
Type=Information
ComputerName=domain.org
TaskCategory=Authorization Policy Change
OpCode=Info
RecordNumber=10759617
Keywords=Audit Success
Message=Permissions on an object were changed.

Subject:
Security ID: S-1-5-21-111111111-111111111-1111111111-11111
Account Name: admin
Account Domain: domain
Logon ID: 0x1EEDD4C

Object:
Object Server: Security
Object Type: File
Object Name: D:\Test
Handle ID: 0x139c

Process:
Process ID: 0x998
Process Name: C:\Windows\explorer.exe

Permissions Change:
Original Security Descriptor: D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CI;DC;;;BU)
New Security Descriptor: D:ARAI(A;;FA;;;BA)(A;OICI;0x1301bf;;;S-1-5-21-222222222-222222222-222222222-22222)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)

0 Karma

SplunkTrust
SplunkTrust

In that case your best option is to use a lookup in order to translate SIDs into Account Names.
You've got several options to do this:

  1. Dump every day (week, hour, ...) all your AD account names and SIDs into SQL and build a DB lookup
  2. Dump every day (week, hour, ...) all your AD account names and SIDs into a CSV and build a file lookup
  3. Use the LDAP app and connect to your AD

I personally prefer options 1 or 2. Whatever is easier for you. DB lookup is what I'm using at work to translate SIDs into Account Names before I can generate an alert for unauthorised access to files.

Let me know if that helps.

0 Karma