Convert Windows SID to User Name with ArcSight Console Tool

Document created by edsale on Oct 27, 2009
Version 1

Here's a quick script I put together to translate
a SID like: S-1-5-21-2025429265-436374069-725345543-86376
into a username and domain name quickly from within
the "Tools" available to your ArcSight Console (if
you run your console on a Windows machine with the
cscript command for executing VB Scripts).

 

Here's all you have to do:

 

Copy sid2uname.bat and sid2uname.vbs to the folder:

    c:\arcsight_sp3\Console\current\bin\scripts

 

(your root may be different than arcsight_sp3, adjust
accordingly . . .)

 

Right-click on an event field in the ArcSight
Console Event Viewer window and select Tools->Configure.

 

Hit the "New..." button.  Complete the fields as
shown in the attached Config_SIDtoUserName_Tool.jpg.

Hit the "OK" button.

 

Now you can right-click on a SID in your Event
Viewer and select Tools->SIDtoUserName and it will
translate the SID for you in a small window.

 

(I tried to do the same for the User Name to SID
translation.  Two problems: 1 - even though the
username2sid.vbs runs fine from the command line,
it fails when run as a Tool from the ArcSight
Console; 2 - you need a Domain Name to go with the
User Name and I'm not sure how to pass that to the
script if you want it to be different than the
domain your home computer is in -- which is how
it's coded now.  I'd love somebody to fix it and
post it here.)

 

Have a ball,

 

  --  Ed
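
The following is an added example and not the attached sid2uname.vbs, which is not reproduced on this page. It shows one way a cscript-based tool could translate a SID, assuming the WMI Win32_SID class is used for the lookup; the file name sid_lookup_example.vbs and the exit codes are hypothetical.

```vbscript
' sid_lookup_example.vbs - added illustration, NOT the attached sid2uname.vbs.
' Assumed usage: cscript //nologo sid_lookup_example.vbs <SID>
Option Explicit

Dim strSID, objRe, objWMI, objSID

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript //nologo sid_lookup_example.vbs <SID>"
    WScript.Quit 1
End If
strSID = UCase(Trim(WScript.Arguments(0)))

' The value comes from an event field, so accept only the textual SID form
' (S-1-<authority>-<sub-authority>...) before placing it in a WMI object path.
Set objRe = New RegExp
objRe.Pattern = "^S-1-\d{1,15}(-\d{1,10}){1,15}$"
If Not objRe.Test(strSID) Then
    WScript.Echo "Not a valid SID string: " & strSID
    WScript.Quit 2
End If

' Win32_SID resolves the SID through the local machine, so a domain SID
' resolves only if this machine can reach that domain.
On Error Resume Next
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set objSID = objWMI.Get("Win32_SID.SID='" & strSID & "'")
If Err.Number <> 0 Then
    WScript.Echo "Lookup failed for " & strSID & " (error 0x" & Hex(Err.Number) & ")"
    WScript.Quit 3
End If
On Error GoTo 0

' Deleted accounts and SIDs from unreachable domains come back without a name.
If Len(objSID.AccountName & "") = 0 Then
    WScript.Echo strSID & " could not be resolved to an account name"
    WScript.Quit 4
End If

WScript.Echo strSID & " = " & objSID.ReferencedDomainName & "\" & objSID.AccountName
```

An unresolved result is worth noting during triage, since it can mean the account was deleted or belongs to a domain the console machine cannot query.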
