Hi. So I'm running OSSEC Windows client 2.7.1, sending alerts back to my OSSEC server, and getting emails for level 7 alerts or higher. I have a rule that is being fired and alerted on "a member was added to a security-enabled group," but if I look at the portion of the logs, it doesn't tell me much other than give me a long string of Security IDs. Is there an easy way to convert these Security IDs to account names, other than looking them up in AD every time I get an alert?
OSSEC HIDS Notification.
2014 Feb 26 18:08:49

Received From: (xxx.ccis.edu) 10.2.1.58->WinEvtLog
Rule: 100064 fired (level 7) -> "(null)"
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4728): Microsoft-Windows-Security-Auditing: (no user): no domain: xxx.ccis.edu: A member was added to a security-enabled global group.
Subject:
  Security ID: S-1-5-21-2052111302-2146914481-725345543-500
  Account Name: administrator
  Account Domain: CCIS
  Logon ID: 0xa68bbc
Member:
  Security ID: S-1-5-21-3889905597-3048560925-1654655959-1004
  Account Name: -
Group:
  Security ID: S-1-5-21-3889905597-3048560925-1654655959-513
  Group Name: None
  Group Domain: ccxxx
Additional Information:
  Privileges: -

--END OF NOTIFICATION

Thanks.
Jason Youngquist
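One way to take the directory lookup out of the alert-reading loop, as an added example that is not from the post or from the OSSEC project: parse the three principals out of the 4728 "Portion of the log(s)" text, keep the names the event already carries (only the Member is logged as "-"), and resolve the remaining SID through a cached hook. The `directory_lookup` callable is an assumed placeholder for whatever AD/LDAP query (by objectSid) the OSSEC server can make; the well-known-RID table only covers the fixed RIDs, such as the 500 and 513 seen in this alert.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed sample: the "Portion of the log(s)" of the 4728 alert quoted above,
# in the same one-line layout OSSEC emails it in.
SAMPLE_ALERT = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4728): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: xxx.ccis.edu: A member was added to a security-enabled "
    "global group. Subject: Security ID: S-1-5-21-2052111302-2146914481-725345543-500 "
    "Account Name: administrator Account Domain: CCIS Logon ID: 0xa68bbc "
    "Member: Security ID: S-1-5-21-3889905597-3048560925-1654655959-1004 Account Name: - "
    "Group: Security ID: S-1-5-21-3889905597-3048560925-1654655959-513 Group Name: None "
    "Group Domain: ccxxx Additional Information: Privileges: -"
)

# Each principal reads "<Role>: Security ID: <SID> Account|Group Name: <name>";
# the Member's name is logged as "-", so only its SID is available.
PRINCIPAL = re.compile(r"\b(Subject|Member|Group): Security ID: (S-\d+(?:-\d+)+) "
                       r"(?:Account|Group) Name: (\S+)")

# Fixed relative IDs in a domain/machine SID S-1-5-21-<a>-<b>-<c>-<RID>; RIDs >= 1000
# are ordinary accounts and need a directory lookup (AD shows 513 as "Domain Users",
# a standalone machine's SAM shows it as "None", as in the alert above).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests", 519: "Enterprise Admins"}
DOMAIN_SID = re.compile(r"S-1-5-21(?:-\d+){3}-(\d+)$")


class SidResolver:
    """Resolve SIDs to names, asking the directory at most once per SID."""

    def __init__(self, directory_lookup: Callable[[str], Optional[str]]):
        self._lookup = directory_lookup   # hypothetical hook: AD/LDAP query by objectSid
        self._cache: Dict[str, str] = {}

    def resolve(self, sid: str) -> str:
        if sid not in self._cache:
            name = self._lookup(sid)
            if name is None:              # not in the directory (deleted account?):
                m = DOMAIN_SID.match(sid)  # fall back to the well-known RID, if any
                name = WELL_KNOWN_RIDS.get(int(m.group(1))) if m else None
            self._cache[sid] = name or sid  # last resort: keep the raw SID
        return self._cache[sid]


def enrich_4728(alert: str, resolver: SidResolver) -> Dict[str, Tuple[str, str]]:
    """Map role -> (sid, name): names already in the log are kept, '-' is resolved."""
    return {role: (sid, resolver.resolve(sid) if name == "-" else name)
            for role, sid, name in PRINCIPAL.findall(alert)}
```

Wired in as an OSSEC active-response script or a mail filter on the server, the cache means each new SID costs one directory query for the lifetime of the process.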
