Solved: How to translate SID to Username via the Lookup Ta...

Kendo213 · ‎05-23-2018

I have a lookup file which contains various fields, including the username and corresponding SID (pulled from AD).

I have a Windows event with data showing as User=NOT_TRANSLATED and Sid=(a value)

The CSV file contains a field named User and a field named Sid that matches.

I'm wanting to reference the lookup table to identify the username of the sid that is in the event data.

There is is where I am, and obviously it isn't working:

index=blah SourceName="Microsoft-Windows-User Profile Service" EventCode=1511  [| inputlookup ldap_identities.csv |  fields Sid,identity] | eval User=identity |  stats count by Sid,User

Any ideas?

Kendo213 · ‎05-23-2018

I figured this out:

index=blah SourceName="Microsoft-Windows-User Profile Service" EventCode=1511 | lookup ldap_identities.csv Sid OUTPUT identity | rename identity as User | stats count by User,Sid,host

View solution in original post

bgriffis · ‎01-23-2020

How did you get the Sid/Username lookup?

Kendo213 · ‎05-23-2018

I figured this out:

index=blah SourceName="Microsoft-Windows-User Profile Service" EventCode=1511 | lookup ldap_identities.csv Sid OUTPUT identity | rename identity as User | stats count by User,Sid,host

How to translate SID to Username via the Lookup Table?

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector