Open jamiehynds opened 8 months ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
The amount of grief this would resolve is huge. Especially for those of us working for an MSSP (or MSP), as the GUID for non-default objects is random. Especially for Elastic SIEM built-in alerts like "WRITEDAC Access on Active Directory Object"
Linking the Beats issue - https://github.com/elastic/beats/issues/21274
Our Windows integration (and Winlogbeat) supports the translation of Windows security identifiers (SIDs) within Windows events to an account name, thanks to the translate_sid processor. This SID translation ensures our users can easily build detections and leverage these username/account names during threat detection and forensic analysis within Elastic Security.
However, GUIDs within Windows events still remain a challenge for our users. Could we build a translate_guid processor, to ensure we translate both SIDs and GUIDs?
As an example, event ID 4662 includes ObjectTypes and ObjectNames, which are displayed as GUIDs within Windows Events XML and need to be translated on our side.

Related issues/discussions:
https://discuss.elastic.co/t/winlogbeat-displaying-guid-in-windows-events-instead-of-object-name/71442/2
https://github.com/elastic/beats/issues/21274
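A sketch of what such a GUID translation step could look like for event 4662, added here as an illustration and not code from Beats or the Windows integration. The lookup table, the `TranslateGUIDs`/`Translate4662` names and the sample event fields are all assumptions for the example; the table holds only a few commonly cited well-known Active Directory GUIDs and a real processor would have to load it from the forest's schema and extended-rights containers, since GUIDs of non-default objects are random.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// guidNames maps a lower-case GUID (no braces) to a friendly name.
// Assumed table for this example: a few well-known AD schema/extended-rights
// GUIDs. Custom objects have random GUIDs, so production code must load this
// from the directory rather than ship a static list.
var guidNames = map[string]string{
	"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
	"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
	"bf967aba-0de6-11d0-a285-00aa003049e2": "user",
}

// Matches GUIDs as they appear in 4662 XML: bare, in braces, or as "%{...}".
var guidRe = regexp.MustCompile(`%?\{?[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?`)

// TranslateGUIDs replaces each known GUID in s with its name. Unknown GUIDs
// are returned unchanged so no information is dropped from the event.
func TranslateGUIDs(s string) string {
	return guidRe.ReplaceAllStringFunc(s, func(m string) string {
		key := strings.ToLower(strings.Trim(m, "%{}"))
		if name, ok := guidNames[key]; ok {
			return name
		}
		return m
	})
}

// Translate4662 translates the GUID-bearing fields of a 4662 event
// (ObjectType and the newline-separated Properties list) and copies the rest.
func Translate4662(fields map[string]string) map[string]string {
	out := make(map[string]string, len(fields))
	for k, v := range fields {
		if k == "ObjectType" || k == "Properties" {
			out[k] = TranslateGUIDs(v)
		} else {
			out[k] = v
		}
	}
	return out
}

func main() {
	// Constructed sample fields shaped like a 4662 EventData block.
	ev := map[string]string{
		"SubjectUserName": "alice",
		"ObjectType":      "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
		"Properties":      "%%7688\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n{deadbeef-0000-0000-0000-000000000000}",
	}
	for k, v := range Translate4662(ev) {
		fmt.Printf("%s=%q\n", k, v)
	}
}
```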