See "account name:administrator" below. That looks like it, although I'm not sure why the "administrators group changed" alert didn't fire. I'm not at my PC now to take a look.
P.S. nnn-nnn-500 is usually the admin account.

"Youngquist, Jason R." <[email protected]> wrote:
>Hi.
>
>So I'm running OSSEC Windows client 2.7.1, sending alerts back to my
>OSSEC server, and getting emails for level 7 alerts or higher. I have
>a rule that is being fired and alerted on "a member was added to a
>security-enabled group," but if I look at the portion of the logs, it
>doesn't tell me much other than give me a long string of Security IDs.
>Is there an easy way to convert these Security IDs to account names,
>other than looking them up in AD every time I get an alert?
>
>OSSEC HIDS Notification.
>2014 Feb 26 18:08:49
>
>Received From: (xxx.ccis.edu) 10.2.1.58->WinEvtLog
>Rule: 100064 fired (level 7) -> "(null)"
>Portion of the log(s):
>
>WinEvtLog: Security: AUDIT_SUCCESS(4728):
>Microsoft-Windows-Security-Auditing: (no user): no domain:
>xxx.ccis.edu: A member was added to a security-enabled global group.
>Subject: Security ID: S-1-5-21-2052111302-2146914481-725345543-500
> Account Name: administrator Account Domain: CCIS Logon ID: 0xa68bbc
>Member: Security ID: S-1-5-21-3889905597-3048560925-1654655959-1004
> Account Name: -
>Group: Security ID: S-1-5-21-3889905597-3048560925-1654655959-513
> Group Name: None Group Domain: ccxxx
>Additional Information: Privileges: -
>--END OF NOTIFICATION
>
>Thanks.
>Jason Youngquist
>
>--
>
>---
>You received this message because you are subscribed to the Google
>Groups "ossec-list" group.
>To unsubscribe from this group and stop receiving emails from it, send
>an email to [email protected].
>For more options, visit https://groups.google.com/groups/opt_out.
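An added example, not part of the thread, of the kind of pre-enrichment the question asks about: it parses a 4728 alert laid out like the one quoted above, labels the well-known RIDs (500 is the built-in Administrator, as the reply notes; 513 is the primary group shown as "None" on a non-domain-controller), and flags SIDs that still need a directory lookup. The alert text and SID sub-authority values are constructed, not the list's data, and the flag for a subject whose SID authority differs from the group's is an assumption about what an analyst would want to see.

```python
import re

# Well-known RIDs (last SID component) in S-1-5-21-... domain/machine SIDs.
# RIDs below 1000 are reserved; 500 is the built-in Administrator.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins",
    513: "Domain Users (shown as 'None' on a non-DC machine)",
    519: "Enterprise Admins",
}

# Section label, full SID, its RID, and the name the event already carries.
SECTION_RE = re.compile(
    r"(Subject|Member|Group):\s*Security ID:\s*(S-1-5-21(?:-\d+){3}-(\d+))"
    r"\s+(?:Account|Group) Name:\s*(\S+)"
)

# Constructed sample in the layout of the quoted alert (sub-authorities are fake).
SAMPLE_ALERT = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4728): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: host.example: A member was added to a security-enabled "
    "global group. Subject: Security ID: S-1-5-21-11111-22222-33333-500 "
    "Account Name: administrator Account Domain: CCIS Logon ID: 0xa68bbc "
    "Member: Security ID: S-1-5-21-44444-55555-66666-1004 Account Name: - "
    "Group: Security ID: S-1-5-21-44444-55555-66666-513 Group Name: None "
    "Group Domain: ccxxx Additional Information: Privileges: -"
)


def annotate_sid(sid, rid, logged_name):
    """Prefer the name in the event; fall back to the RID table; else flag it."""
    rid = int(rid)
    name = logged_name if logged_name != "-" else WELL_KNOWN_RIDS.get(rid, "UNRESOLVED")
    return {
        "sid": sid,
        "authority": sid.rsplit("-", 1)[0],  # domain or local-machine part of the SID
        "rid": rid,
        "name": name,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        "needs_directory_lookup": name == "UNRESOLVED",
    }


def parse_4728(alert):
    """Map Subject/Member/Group to annotated SIDs; note when the acting account's
    SID authority differs from the group's (e.g. a domain account editing a local group)."""
    parts = {m.group(1).lower(): annotate_sid(m.group(2), m.group(3), m.group(4))
             for m in SECTION_RE.finditer(alert)}
    if "subject" in parts and "group" in parts:
        parts["cross_authority"] = parts["subject"]["authority"] != parts["group"]["authority"]
    return parts
```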
