Skip to content

[windows] missing field in translate_sid processor #3988

Closed
#3989
Closed
[windows] missing field in translate_sid processor#3988
#3989
Assignees
leehinman
Labels
bugSomething isn't working, use only for issues
@leehinman

Description

@leehinman
leehinman
opened on Aug 11, 2022

For powershell_operational datastream the translate_sid processor is missing the mandatory field

processors:
  - translate_sid:
      account_name_target: winlog.event_data._MemberUserName
      domain_target:       winlog.event_data._MemberDomain
      account_type_target: winlog.event_data._MemberAccountType
      ignore_missing: true
      ignore_failure: true

should be:

  - translate_sid:
      field: winlog.event_data.MemberSid
      account_name_target: winlog.event_data._MemberUserName
      domain_target: winlog.event_data._MemberDomain
      account_type_target: winlog.event_data._MemberAccountType
      ignore_missing: true
      ignore_failure: true

Metadata

Metadata

Assignees

Labels

bugSomething isn't working, use only for issues

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions