
Enriching S-1-5-18 System Account

  • July 3, 2024
  • 1 reply
  • 6 views


Does anyone else have an issue with the SID S-1-5-18 (System / LocalSystem)? It's not being pulled from our AD logs, and as a result, it's just showing up as the SID within Chronicle. Has anyone successfully mapped this to the Local System username?


  • July 10, 2024

Hi @ohoxha ,

Could you please provide some more information about how you are collecting AD data / enriching your SIEM tenant?

For example, when enriched via Tanium Stream, this appears to identify the user as "NT AUTHORITY\SYSTEM" and places this into UDM.
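S-1-5-18 is a well-known SID that is identical on every Windows host and is not an object in Active Directory, so an enrichment step that only joins events against AD account data has nothing to match it to. A collector-side fallback that resolves well-known SIDs (and the fixed RIDs under a domain SID, such as 500 for the built-in Administrator) before or after the AD join fills the gap without touching real AD lookups. The following is an added example, not code from this thread, from Chronicle or from Tanium; the event dict layout borrows the UDM field names principal.user.windows_sid and principal.user.userid but is a simplified assumption, the domain_label parameter is hypothetical (a real pipeline would take the NetBIOS domain name from the event), and the sample events are constructed.

```python
import copy
import re

# Domain-independent well-known SIDs: the same value on every Windows host,
# so they can be resolved from a static table with no directory lookup.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": r"NT AUTHORITY\ANONYMOUS LOGON",
    "S-1-5-11": r"NT AUTHORITY\Authenticated Users",
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-19": r"NT AUTHORITY\LOCAL SERVICE",
    "S-1-5-20": r"NT AUTHORITY\NETWORK SERVICE",
    "S-1-5-32-544": r"BUILTIN\Administrators",
    "S-1-5-32-545": r"BUILTIN\Users",
}

# Well-known RIDs under a domain SID (S-1-5-21-<a>-<b>-<c>-<rid>). The account
# is fixed per RID, but the domain prefix differs per domain, so these are
# matched by pattern; the domain label is supplied by the caller (assumption).
DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def resolve_well_known_sid(sid, domain_label="DOMAIN"):
    """Return the canonical account name for a well-known SID, or None if the
    SID is an ordinary (per-object) SID that needs a real AD lookup."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    match = DOMAIN_SID_RE.match(sid)
    if match:
        rid = int(match.group(1))
        if rid in DOMAIN_RIDS:
            return f"{domain_label}\\{DOMAIN_RIDS[rid]}"
    return None


def enrich_event(event, domain_label="DOMAIN"):
    """Return a copy of the event with principal.user.userid filled from the
    well-known SID table when AD enrichment left it empty or equal to the raw
    SID. Names already supplied by AD are never overridden, and the SID is
    kept so searches on it still work."""
    out = copy.deepcopy(event)
    user = out.get("principal", {}).get("user", {})
    sid = user.get("windows_sid")
    if not sid:
        return out
    userid = user.get("userid")
    if userid and userid != sid:
        return out  # AD (or another enricher) already resolved this account
    name = resolve_well_known_sid(sid, domain_label)
    if name is not None:
        user["userid"] = name
    return out


def enrich_events(events, domain_label="DOMAIN"):
    """Apply enrich_event to a batch, leaving the input list untouched."""
    return [enrich_event(e, domain_label) for e in events]


# Constructed sample events (simplified UDM-like shape, not real telemetry).
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "PROCESS_LAUNCH"},
     "principal": {"hostname": "ws01",
                   "user": {"windows_sid": "S-1-5-18", "userid": "S-1-5-18"}}},
    {"metadata": {"event_type": "USER_LOGIN"},
     "principal": {"hostname": "ws01",
                   "user": {"windows_sid": "S-1-5-21-1111-2222-3333-1105",
                            "userid": "jdoe"}}},
    {"metadata": {"event_type": "USER_LOGIN"},
     "principal": {"hostname": "dc01",
                   "user": {"windows_sid": "S-1-5-21-1111-2222-3333-500",
                            "userid": ""}}},
]

if __name__ == "__main__":
    for ev in enrich_events(SAMPLE_EVENTS, domain_label="CORP"):
        u = ev["principal"]["user"]
        print(f"{u['windows_sid']:<35} -> {u['userid']}")
```

The second sample event shows the important edge case: an ordinary domain account SID (RID 1105) is left alone, because only AD can say who that is, while the per-domain RID 500 entry is resolved only with the caller-supplied domain label. Keeping windows_sid alongside the resolved userid means detections written against the SID continue to match after enrichment.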