This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Enriching S-1-5-18 System Account

Posted 3 weeks ago
ohoxha
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Does anyone else have an issue with the SID S-1-5-18 (System / LocalSystem)? It's not being pulled from our AD logs, and as a result, it's just showing up as the SID within Chronicle. Has anyone successfully mapped this to the Local System username?

1 1 57
1 REPLY 1

Posted on --/--/---- --:-- AM
jkephsecru
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hi @ohoxha ,

Could you please provide some more information about how you are collecting AD data / enriching your SIEM tenant?

For example, when enriched via Tanium Stream this appears to identify the user as ; "NT AUTHORITY\SYSTEM" and places this into UDM.

Top Solution Authors
View all