Level 8
Message 1 of 8

Data Enrichment and Custom Types

Hello all,

I'm fairly new at this, but I've been trying to create a correlation rule that alerts when a user is added to the local administrators group on Windows machines.

This works, my rule looks for 'A member was added to a security-enabled local group' (43-263047320), among a few others. 

Unfortunately, Microsoft sends only the SIDs, and relies on the viewing client to determine who added who to what group.  ESM will resolve the SID of the user doing the adding, and the group being added to, but not the user that got added!  This just comes in as a custom type called 'Security_ID' and gives me a SID.  See the attached screenshot.

I've been experimenting with Data Enrichment through either LDAP or SQL. Using LDAP, trying to query 'ObjectSID' produces an error. I've been able to successfully query the Object SID (and resolve SAMAccountName) in my IAM SQL database, but in Destination I am unable to select Security_ID (or any custom type) as a lookup field, no matter which data source I select! It is available in the Custom Types menu, but it's not editable.

How are others doing this?



7 Replies
Reliable Contributor
Message 2 of 8

Re: Data Enrichment and Custom Types

Really? The event should contain both the source user (actioned by) and the destination user (added user). The correlation rule should just be Signature ID, and object = the security group name you are interested in.

Level 11
Message 3 of 8

Re: Data Enrichment and Custom Types

Try this:

(1) Make the Custom Type a String

(2) Assign it to Custom Field 9 or 10 to keep it out of the way of other user related fields.

Level 12
Message 4 of 8

Re: Data Enrichment and Custom Types

There is a blog entry for Data Enrichment in this community. -->

You can use this to enrich your SIEM from SID to username.

But sssyyy is right: there is a configuration in your Group Policy in the Windows domain to extend this log.

Level 8
Message 5 of 8

Re: Data Enrichment and Custom Types

Hi all, thanks for the replies.

To clarify, the packet captured by Signature 43-263047320 (A member was added to a security-enabled local group) only contains the following data:

||Security||91729680||Microsoft-Windows-Security-Auditing||4732||61||1483539975||4||SERVER1.DOMAIN.COM||||Security Group Management||10||-||S-1-5-20||IIS_IUSRS||Builtin||S-1-5-32-568||S-1-5-21-4195886749-1299131234-950276898-294751||KevinM||DOMAIN||0xafe95984||-||A member was added to a security-enabled local group.

Subject:

  Security ID: S-1-5-21-4195886749-1299131234-950276898-294751
  Account Name: KevinM
  Account Domain: DOMAIN
  Logon ID: 0xafe95984

Member:

  Security ID: S-1-5-20
  Account Name: -

Group:

  Security ID: S-1-5-32-568
  Group Name: IIS_IUSRS
  Group Domain: Builtin

Additional Information:

  Privileges: -

As you can see, the Account Name is blank, and that's the member that KevinM added to the IIS_Users group.  If there's a setting to include this data that would be great but I am unaware of it.  (I obviously changed the sensitive data).

As far as following that article for data enrichment, I'm having data type issues working with the SID to do that.  It doesn't seem to be possible.

Level 12
Message 6 of 8

Re: Data Enrichment and Custom Types

Level 8
Message 7 of 8

Re: Data Enrichment and Custom Types

Good find xded!  According to that article:

Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “-“ value, even if new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

That's what's happening with me.  When one of my sneaky server admins decides to take the easy way out and add a service account to Administrators, I want to know who got added!  It looks like the information doesn't exist, no one else has this issue?
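The gap described in messages 5 and 7 (4732 carries only the member's SID, with Account Name set to "-" for local groups and well-known principals) is exactly what SID-to-name enrichment has to bridge. The following added example is not code from this thread or from McAfee ESM; it parses the pipe-delimited 4732 record posted above, resolves the member SID first against the well-known SID list and then against a constructed stand-in for the IAM SQL lookup (objectSid to sAMAccountName), and flags additions to privileged groups. The field positions are inferred from the single sample in the thread and the second record, the directory table beyond KevinM, and the privileged-group list are assumptions to adapt to your environment.

```python
import re
from dataclasses import dataclass

# Well-known SIDs never resolve through a domain directory, so they need a
# static table; 4732 reports "-" as the Account Name for these principals.
WELL_KNOWN_SIDS = {
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-568": "IIS_IUSRS",
}

# Constructed stand-in for the IAM SQL / LDAP enrichment source
# (objectSid -> sAMAccountName). Only the KevinM entry comes from the thread.
DIRECTORY_LOOKUP = {
    "S-1-5-21-4195886749-1299131234-950276898-294751": "KevinM",
    "S-1-5-21-4195886749-1299131234-950276898-1107": "svc-backup",  # constructed
}

PRIVILEGED_GROUP_SIDS = {"S-1-5-32-544"}   # BUILTIN\Administrators
PRIVILEGED_DOMAIN_RIDS = {"512", "519"}    # Domain Admins, Enterprise Admins


@dataclass
class GroupAddEvent:
    host: str
    subject_sid: str
    subject_name: str
    subject_domain: str
    member_sid: str
    member_name: str
    group_sid: str
    group_name: str
    group_domain: str


def parse_4732(raw: str) -> GroupAddEvent:
    """Split a '||'-delimited ESM record into the 4732 fields.

    Field positions are inferred from the one sample posted in the thread
    (assumption: verify them against your own export before relying on them).
    """
    f = raw.split("||")
    if len(f) < 22 or f[4] != "4732":
        raise ValueError("not a 4732 record in the expected layout")
    return GroupAddEvent(
        host=f[8],
        member_name=f[12], member_sid=f[13],
        group_name=f[14], group_domain=f[15], group_sid=f[16],
        subject_sid=f[17], subject_name=f[18], subject_domain=f[19],
    )


def resolve_sid(sid: str):
    """Return a display name for a SID, or None if no source knows it."""
    return WELL_KNOWN_SIDS.get(sid) or DIRECTORY_LOOKUP.get(sid)


def member_display_name(ev: GroupAddEvent) -> str:
    # For local groups 4732 leaves the member Account Name as "-", so the
    # SID is the only handle on who was added; fall back to resolving it and,
    # if nothing resolves, keep the raw SID so the alert still names something.
    if ev.member_name not in ("", "-"):
        return ev.member_name
    return resolve_sid(ev.member_sid) or ev.member_sid


def is_privileged_group(sid: str) -> bool:
    if sid in PRIVILEGED_GROUP_SIDS:
        return True
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    return bool(m and m.group(1) in PRIVILEGED_DOMAIN_RIDS)


def enrich(raw: str) -> dict:
    """Produce the enriched alert record a correlation rule would act on."""
    ev = parse_4732(raw)
    return {
        "host": ev.host,
        "actor": f"{ev.subject_domain}\\{ev.subject_name}",
        "member": member_display_name(ev),
        "member_sid": ev.member_sid,
        "group": f"{ev.group_domain}\\{ev.group_name}",
        "privileged": is_privileged_group(ev.group_sid),
    }


# Record copied from message 5 of the thread (NETWORK SERVICE added to IIS_IUSRS).
SAMPLE = ("||Security||91729680||Microsoft-Windows-Security-Auditing||4732||61||1483539975||4"
          "||SERVER1.DOMAIN.COM||||Security Group Management||10||-||S-1-5-20||IIS_IUSRS||Builtin"
          "||S-1-5-32-568||S-1-5-21-4195886749-1299131234-950276898-294751||KevinM||DOMAIN"
          "||0xafe95984||-||A member was added to a security-enabled local group.")

# Constructed record: a service account (name "-" in the event) added to Administrators.
SAMPLE_ADMIN = ("||Security||91729681||Microsoft-Windows-Security-Auditing||4732||61||1483540000||4"
                "||SERVER1.DOMAIN.COM||||Security Group Management||10||-"
                "||S-1-5-21-4195886749-1299131234-950276898-1107||Administrators||Builtin"
                "||S-1-5-32-544||S-1-5-21-4195886749-1299131234-950276898-294751||KevinM||DOMAIN"
                "||0xafe95984||-||A member was added to a security-enabled local group.")

if __name__ == "__main__":
    for rec in (SAMPLE, SAMPLE_ADMIN):
        print(enrich(rec))
```

In a real deployment DIRECTORY_LOOKUP is replaced by the enrichment source; if that source is LDAP, note that objectSid is stored as a binary attribute, so a filter on the "S-1-5-..." string form will not match without converting it to the escaped byte form first.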

Re: Data Enrichment and Custom Types


Did anyone ever come up with a way to handle this issue?  I'm trying to do the same thing (indeed, I want the alert for a user being added to any group, not just Domain Admins.)

Best regards,

- Steve
