
Dealing with Security_ID field for Active Directory users

Hello,

Normalization rules such as "A member was added to a security-enabled universal group" give me the following fields:

Source User = the user who performed the operation

object = the group that was changed

Security_ID = the new group member

This is useful up to a point, but of course I don't know the account name, or the email address, or anything about the user who was added to the group unless I use PowerShell to look up the SID.

I'm wondering how others handle this problem... or if I'm missing something?

I'm on version 10.2 here.

Any help is appreciated!

Thanks in advance,

- Steve
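
The manual PowerShell SID lookup mentioned in the question can be batched over the Security_ID values taken from the group-change events. The following is an added example, not part of the original post and not a feature of the SIEM product. It assumes the RSAT ActiveDirectory module on a domain-joined host; the function name `Resolve-MemberSid` is hypothetical and the sample SIDs are constructed.

```powershell
Import-Module ActiveDirectory   # assumption: RSAT ActiveDirectory module is installed

function Resolve-MemberSid {    # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Sid)
    process {
        $r = [ordered]@{ Sid = $Sid; Status = 'Unresolved'; ObjectClass = $null
                         SamAccountName = $null; DisplayName = $null; Mail = $null }
        try {
            # Parse first so a malformed value never reaches the LDAP filter.
            $parsed = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        } catch {
            $r.Status = 'InvalidSid'
            return [pscustomobject]$r
        }
        # Get-ADObject, not Get-ADUser: the new member may be a user, a computer
        # or another group. Deleted objects are included so that a member removed
        # after the event can still be identified.
        $obj = Get-ADObject -Filter "objectSid -eq '$($parsed.Value)'" `
                   -IncludeDeletedObjects `
                   -Properties sAMAccountName, displayName, mail, isDeleted
        if ($obj) {
            $r.Status         = if ($obj.isDeleted) { 'Deleted' } else { 'Resolved' }
            $r.ObjectClass    = $obj.ObjectClass
            $r.SamAccountName = $obj.sAMAccountName
            $r.DisplayName    = $obj.displayName
            $r.Mail           = $obj.mail
        } else {
            # Not found in the queried domain: fall back to the local SID-to-name
            # translation, which covers well-known and trusted-domain SIDs.
            try {
                $nt = $parsed.Translate([System.Security.Principal.NTAccount])
                $r.Status = 'TranslatedOnly'
                $r.SamAccountName = $nt.Value
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # Leave Status as 'Unresolved' (orphaned SID or unreachable domain).
            }
        }
        [pscustomobject]$r
    }
}

# Constructed sample input: one well-formed SID and one malformed value.
'S-1-5-21-1111111111-2222222222-3333333333-1104', 'not-a-sid' |
    Resolve-MemberSid |
    Export-Csv -Path .\sid-lookup.csv -NoTypeInformation
```

The resulting CSV maps each SID to an account name, display name and mail address, and rows with a status other than `Resolved` show which members need a closer look.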

 

2 Replies
Reliable Contributor David1111

Re: Dealing with Security_ID field for Active Directory users

Hi RsKadish.

You're right! There's a simple solution for that.

You just need to add "Enrichment Fields" for the User name.

It will go to the LDAP database and query the needed fields.

 

Update here if you need help accomplishing this.

 

Best Regards👍👍👍

David.

Re: Dealing with Security_ID field for Active Directory users

Hello David,

Thanks and sorry for the late reply.  Yes, I would appreciate some help with this.  We already have some data enrichment fields for getting the full name and email address from the Source User, but from the Security_ID?  I don't see that field as an option for the Lookup Field when I create a new rule.

Thanks,

- Steve
