Does anyone else have an issue with the SID S-1-5-18 (System / LocalSystem)? It's not being pulled from our AD logs, and as a result, it's just showing up as the SID within Chronicle. Has anyone successfully mapped this to the Local System username?
Hi @ohoxha,
Could you please provide some more information about how you are collecting AD data / enriching your SIEM tenant?
For example, when enriched via Tanium Stream this appears to identify the user as "NT AUTHORITY\SYSTEM" and places this into UDM.