Hi All, Does anyone know if it is possible to use the evt_resolve_ad_obj windows monitor parameter with the PowerShell event channel to resolve the Active Directory Security IDentifier (SID) to canonical name? I know it works under the [WinEventLog://Security] stanza but it doesn't seem to work for me with the PowerShell stanza.

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1
current_only = 0
checkpointInterval = 5
renderXml = 1
whitelist = 4104
index = powershell

A normal security event, 4688 for example, shows the SID under the <EventData> tag:

<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
...
</EventData>

PowerShell events, 4104 for example, show the SID under the <System> tag:

<System>
...
<Security UserID="S-1-5-18" />
</System>

Not sure if this would cause it not to be able to extract and resolve it, or if anyone has this working? Much appreciated.
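As an added example (not from the original post, and not Splunk's own code), here is a PowerShell script that reads 4104 events from the same channel, takes the SID from the <System><Security UserID="..."/> attribute of the rendered XML, and resolves it to an account name with .NET, which at least confirms the SID is present and resolvable on the host. The channel name, event count and the Resolve-SidName helper are assumptions.

```powershell
# Added example: resolve the UserID SID of PowerShell 4104 events outside Splunk.
# ToXml() returns the same XML that renderXml = 1 forwards, so the field paths below
# match what lands in the index. Channel name and -MaxEvents are assumptions.
$Channel = 'Microsoft-Windows-PowerShell/Operational'

# Cache SID -> account name so each SID is translated only once per run
$SidCache = @{}

function Resolve-SidName {
    param([string]$Sid)
    if (-not $Sid) { return '' }
    if ($SidCache.ContainsKey($Sid)) { return $SidCache[$Sid] }
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Well-known SIDs (S-1-5-18 = NT AUTHORITY\SYSTEM) resolve locally; a domain
        # SID needs LSA/AD reachable. Keep the raw SID visible if it cannot be resolved.
        $account = $Sid
    }
    $SidCache[$Sid] = $account
    return $account
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 4104 } `
                       -MaxEvents 25 -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    [xml]$x = $evt.ToXml()
    # This is the attribute the post asks about: <System><Security UserID="S-1-5-..."/>
    $sid = $x.Event.System.Security.UserID
    $name = Resolve-SidName -Sid $sid

    # 4104 carries the script block text in <EventData><Data Name="ScriptBlockText">
    $block = ($x.Event.EventData.Data |
              Where-Object { $_.Name -eq 'ScriptBlockText' }).'#text'
    $preview = if ($block) { $block.Substring(0, [Math]::Min(80, $block.Length)) } else { '' }

    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        RecordId    = $evt.RecordId
        UserSid     = $sid
        UserName    = $name
        ScriptStart = $preview
    }
}
```

Run it on the forwarder host; if UserName comes back as the raw SID for domain accounts, the host itself cannot reach the domain to translate, which is a different problem from the Splunk stanza.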