WEC and SID Translation problem.


logic89 - 10/13/2017

Hi everybody,

I am using Windows Event Forwarding to forward all Windows logs to an event collector machine. But we are having a problem with SID translation. For example, for events like 4732 (A member was added to a security-enabled local group) the forwarded event contains just the SID and does not show the account name.

So, two questions:

1) Why is this happening?
2) How to fix it?

Thanks!


bjvista - 10/13/2017

[quoting logic89 - 10/13/2017, above]


According to Microsoft this is by design. See the explanation of the description fields on this event: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732

It says there:
Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “-” value, even if new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

If you are using a SIEM (I believe that Splunk extracts this data) you can probably set up a correlation rule to populate this data.
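As an added example (not from anyone in this thread), the same correlation can be done on the collector itself: read the forwarded 4732 events, pull MemberSid out of the event XML and translate it to an account name. It assumes the subscription writes to the default ForwardedEvents log and that the collector is domain-joined; domain SIDs resolve through a DC, but a SID from the forwarding machine's local SAM can only be resolved on that machine, so those are reported unresolved rather than guessed.

```powershell
# Added example: resolve the member SID in forwarded 4732 events on the WEC collector.
# Domain SIDs are translated via the collector's domain; local-SAM SIDs of the
# forwarding host cannot be resolved here and are left as the raw SID.

function Resolve-Sid {
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Unresolvable: another machine's local SID, a deleted account, or an empty field
        return $null
    }
}

function Get-ForwardedGroupAdditions {
    param(
        [string]$LogName  = 'ForwardedEvents',   # default WEC destination log (assumption)
        [int]$MaxEvents   = 500
    )
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4732 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            $resolved = Resolve-Sid $d['MemberSid']
            if ($resolved) { $memberName = $resolved } else { $memberName = $d['MemberName'] }

            [pscustomobject]@{
                Time       = $_.TimeCreated
                Computer   = $xml.Event.System.Computer       # forwarding host
                Group      = $d['TargetUserName']             # local group that was modified
                MemberSid  = $d['MemberSid']
                MemberName = $memberName                      # resolved name, or '-' if not resolvable
                Resolved   = [bool]$resolved
                AddedBy    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
}

# Unresolved rows are the ones worth a second look: they are local accounts on the
# forwarding host, which the collector cannot name without asking that host.
Get-ForwardedGroupAdditions | Sort-Object Resolved, Time | Format-Table -AutoSize
```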

logic89 - reply

[quoting bjvista - 10/13/2017, above]

Hmm... Thanks for the answer.
Then tell me please, how do I determine who was included in the group?
Not by looking in the local computer's logs; I just want some simple way to receive this data.
