Version: 1.3.0

SID Decode

Parse Security

Synopsis

Extracts and decodes Windows Security Identifier (SID) information.

Schema

- sid_decode:
    field: <ident>
    target_field: <string>
    resolve_names: <boolean>
    include_domain: <boolean>
    expand_groups: <boolean>
    description: <text>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

Field            Required  Default           Description
field            Y         -                 Source field containing the SID string to decode
target_field     N         {field}_decoded   Target field to store the decoded SID information
resolve_names    N         true              Resolve SIDs to account names when possible
include_domain   N         true              Include domain information in resolved names
expand_groups    N         false             Expand group SIDs to show member information
description      N         -                 Explanatory note
if               N         -                 Condition to run
ignore_failure   N         false             Continue processing if decoding fails
ignore_missing   N         false             Skip processing if the referenced field doesn't exist
on_failure       N         -                 See Handling Failures
on_success       N         -                 See Handling Success
tag              N         -                 Identifier

Details

Decodes Windows Security Identifiers (SIDs) to extract account information, authority details, and relative identifiers. The processor can resolve well-known SIDs to their account names and provide detailed breakdowns of SID components.

The processor supports both standard SID strings (S-1-5-21-...) and well-known SID aliases commonly used in Windows security contexts.

note

Windows SIDs are written as S-R-I-S..., where the leading S marks the value as a SID, R is the revision level (always 1 today), I is the 48-bit identifier authority (5 for NT AUTHORITY, 1 for the World Authority behind Everyone), and the S values that follow are the sub-authorities. The last sub-authority is the relative identifier (RID); in a domain SID (S-1-5-21-...) the three sub-authorities before the RID identify the domain, so stripping the RID yields the domain SID. The processor breaks down each component for analysis.

When resolve_names is enabled, the processor attempts to resolve SIDs to their corresponding account names using well-known SID mappings and domain lookups.

warning

SID resolution may not be available for all SIDs, especially domain-specific or custom SIDs. Well-known RIDs such as 512 (Domain Admins) can be named from the SID alone, but the domain's own name and any RID of 1000 or above require a directory lookup. The processor still decodes the SID structure even when name resolution fails; the resolved name is simply absent.
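The decoding described above, as an added example that is not the processor's own code: a stand-alone parser for the S-R-I-S string form and for the binary layout used by LDAP objectSid and event-log records, with a small constructed subset of the well-known SID and domain-RID tables. The table contents, the account label used for unresolvable domain RIDs, and the sample objectSid bytes are assumptions made for this example.

```python
"""Decode Windows SIDs from string (S-1-5-...) and binary (objectSid) form.

Added example; not the sid_decode processor's implementation. The lookup
tables below are a constructed subset of the Microsoft well-known SIDs.
"""
import struct
from typing import Optional

# Identifier authority (48-bit value after the revision). Constructed subset.
AUTHORITIES = {0: "NULL_AUTHORITY", 1: "WORLD_AUTHORITY", 2: "LOCAL_AUTHORITY",
               3: "CREATOR_AUTHORITY", 5: "NT_AUTHORITY",
               16: "MANDATORY_LABEL_AUTHORITY"}

# Well-known SIDs that are fixed strings (no domain component). Constructed subset.
WELL_KNOWN = {
    "S-1-1-0": ("Everyone", "", "universal"),
    "S-1-5-18": ("SYSTEM", "NT AUTHORITY", "user"),
    "S-1-5-32-544": ("Administrators", "BUILTIN", "alias"),
    "S-1-5-32-545": ("Users", "BUILTIN", "alias"),
}

# RIDs that exist in every domain (S-1-5-21-<domain>-<rid>). Constructed subset.
WELL_KNOWN_DOMAIN_RIDS = {500: ("Administrator", "user"), 501: ("Guest", "user"),
                          502: ("krbtgt", "user"), 512: ("Domain Admins", "group"),
                          513: ("Domain Users", "group"),
                          519: ("Enterprise Admins", "group")}


def binary_sid_to_string(raw: bytes) -> str:
    """Convert the on-the-wire SID layout (LDAP objectSid, ACE entries) to S-R-I-S.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian DWORDs.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def decode_sid(sid: str, resolve_names: bool = True) -> dict:
    """Break a SID string into components and, if asked, resolve well-known names.

    The structure is always returned; 'name' stays None when the SID alone is
    not enough (domain-specific RIDs >= 1000 need a directory lookup).
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if (revision != 1 or authority >= 1 << 48 or len(subs) > 15
            or any(s >= 1 << 32 for s in subs)):
        raise ValueError(f"SID component out of range: {sid!r}")
    info = {
        "revision": revision,
        "authority": AUTHORITIES.get(authority, "UNKNOWN_AUTHORITY"),
        "authority_value": authority,
        "sub_authorities": subs,
        "relative_id": subs[-1] if subs else None,
        "type": "account",   # assumed label when the SID alone cannot classify it
        "name": None, "domain": None, "well_known": False,
    }
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        # Domain SID: S-1-5-21-<three 32-bit domain ids>-<RID>
        info["domain_sid"] = "S-1-5-" + "-".join(map(str, subs[:4]))
        info["domain_identifier"] = "-".join(map(str, subs[:4]))
        rid = subs[4]
        if rid in WELL_KNOWN_DOMAIN_RIDS:
            name, kind = WELL_KNOWN_DOMAIN_RIDS[rid]
            info.update(type=kind, well_known=True)
            if resolve_names:
                info["name"] = name  # the domain's NetBIOS name still needs a lookup
    elif sid in WELL_KNOWN:
        name, domain, kind = WELL_KNOWN[sid]
        info.update(type=kind, well_known=True)
        if resolve_names:
            info.update(name=name, domain=domain)
    return info


def try_decode(sid: str) -> Optional[dict]:
    """ignore_failure-style wrapper: None instead of an exception on bad input."""
    try:
        return decode_sid(sid)
    except ValueError:
        return None


# Constructed objectSid bytes for S-1-5-21-3623811015-3361044348-30300820-1013.
SAMPLE_OBJECTSID = (bytes([1, 5]) + (5).to_bytes(6, "big")
                    + struct.pack("<5I", 21, 3623811015, 3361044348, 30300820, 1013))

if __name__ == "__main__":
    import json
    for s in ("S-1-5-21-3623811015-3361044348-30300820-1013", "S-1-5-32-544",
              "S-1-1-0", "S-1-5-21-1004336348-1177238915-682003330-512"):
        print(s, json.dumps(decode_sid(s)))
    print(binary_sid_to_string(SAMPLE_OBJECTSID))
    print(try_decode("S-1-5-notasid"))
```

The range checks matter in a pipeline: a crafted "SID" with a non-numeric or oversized component should fail decoding (and fall through to on_failure or ignore_failure) rather than produce a half-decoded record that downstream rules might match as a real account.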

Examples

Basic SID Decoding

Decoding Windows SID structure...

{
  "user_sid": "S-1-5-21-3623811015-3361044348-30300820-1013"
}
- sid_decode:
    field: user_sid
    target_field: sid_info

extracts SID components:

{
  "user_sid": "S-1-5-21-3623811015-3361044348-30300820-1013",
  "sid_info": {
    "revision": 1,
    "authority": "NT_AUTHORITY",
    "authority_value": 5,
    "domain_identifier": "21-3623811015-3361044348-30300820",
    "relative_id": 1013,
    "type": "user",
    "domain_sid": "S-1-5-21-3623811015-3361044348-30300820"
  }
}

Well-Known SID Resolution

Resolving well-known SIDs to names...

{
  "account_sid": "S-1-5-32-544"
}
- sid_decode:
    field: account_sid
    resolve_names: true
    target_field: account_info

includes resolved account name:

{
  "account_sid": "S-1-5-32-544",
  "account_info": {
    "revision": 1,
    "authority": "NT_AUTHORITY",
    "relative_id": 544,
    "type": "alias",
    "name": "Administrators",
    "domain": "BUILTIN",
    "well_known": true
  }
}

Multiple SIDs

Processing array of SID values...

{
  "group_sids": [
    "S-1-5-32-545",
    "S-1-5-32-544",
    "S-1-1-0"
  ]
}
- sid_decode:
    field: group_sids
    resolve_names: true
    target_field: decoded_groups

decodes each SID:

{
  "group_sids": [...],
  "decoded_groups": [
    {
      "name": "Users",
      "type": "alias",
      "well_known": true
    },
    {
      "name": "Administrators",
      "type": "alias",
      "well_known": true
    },
    {
      "name": "Everyone",
      "type": "universal",
      "well_known": true
    }
  ]
}

Domain SID Analysis

Analyzing domain-specific SIDs...

{
  "domain_user": "S-1-5-21-1004336348-1177238915-682003330-512"
}
- sid_decode:
    field: domain_user
    include_domain: true
    target_field: user_details

includes domain context:

{
  "domain_user": "S-1-5-21-1004336348-1177238915-682003330-512",
  "user_details": {
    "authority": "NT_AUTHORITY",
    "domain_identifier": "21-1004336348-1177238915-682003330",
    "relative_id": 512,
    "type": "group",
    "name": "Domain Admins",
    "domain_context": true
  }
}