Problem: Our Windows Security pipeline does not automatically resolve MemberSid fields, causing a visibility gap when monitoring events such as Active Directory user/group creation and modification. Users can manually apply the translate_sid processor, but this requires extra effort and awareness that the processor even exists.
Solution: Add this processor to our integrations that handle Windows security logs. This would create new fields in the event, distinguished from the original fields by an underscore (_) prefix. The Ingest Pipeline could then be enhanced to map those values to the appropriate ECS fields based on the context of the event.
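As an added example (not part of this issue or of the Elastic integration's own configuration), this is the Beats/Elastic Agent processor block the proposal describes; the underscore-prefixed target field names are assumed for illustration, the translate_sid options themselves are the documented ones.

```yaml
# Added example: resolve winlog.event_data.MemberSid on the endpoint and write
# the result into underscore-prefixed sibling fields, leaving the original
# MemberSid/MemberName fields untouched for the ingest pipeline to map later.
processors:
  - translate_sid:
      field: winlog.event_data.MemberSid
      # Assumed target names: the "_" prefix marks them as processor-derived
      # so they cannot collide with fields Windows itself puts in event_data.
      account_name_target: winlog.event_data._MemberName
      account_type_target: winlog.event_data._MemberType
      domain_target: winlog.event_data._MemberDomain
      # Only group-membership events carry MemberSid; most security events do
      # not, so a missing field must not fail the event.
      ignore_missing: true
      # A SID that cannot be resolved (deleted account, unreachable domain
      # controller) is left unresolved rather than dropping the event.
      ignore_failure: true
```

The ingest pipeline can then `rename` or `set` the `_`-prefixed fields onto the ECS fields appropriate for each `winlog.event_id`, using an `if` condition on the event code, while the raw MemberSid remains available for correlation.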