Version: 1.5.1

SID Decode

Parse Security

Synopsis

Extracts and decodes Windows Security Identifier (SID) information.

Schema

- sid_decode:
    field: <ident>
    target_field: <string>
    format: <string>
    resolve_well_known: <boolean>
    add_components: <boolean>
    description: <text>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

| Field              | Required | Default         | Description                                                                          |
|--------------------|----------|-----------------|--------------------------------------------------------------------------------------|
| field              | Y        | -               | Source field containing the SID to decode (string, byte array, or array of strings)  |
| target_field       | N        | {field}_decoded | Target field to store decoded SID information                                        |
| format             | N        | Auto-detect     | Input format: string, hex, base64 (auto-detected if not specified)                   |
| resolve_well_known | N        | false           | Resolve well-known SIDs to account names                                             |
| add_components     | N        | false           | Add parsed SID components (revision, authority, sub-authorities, domain info)        |
| description        | N        | -               | Explanatory note                                                                     |
| if                 | N        | -               | Condition to run                                                                     |
| ignore_failure     | N        | false           | Continue processing if decoding fails                                                |
| ignore_missing     | N        | false           | Skip processing if the referenced field doesn't exist                                |
| on_failure         | N        | -               | See Handling Failures                                                                |
| on_success         | N        | -               | See Handling Success                                                                 |
| tag                | N        | -               | Identifier                                                                           |

Details

Decodes Windows Security Identifiers (SIDs) from multiple input formats (string, hex, base64, byte arrays) into standardized SID strings with optional component parsing and well-known SID resolution.

The processor supports three input formats with automatic detection: standard SID strings (S-1-5-21-...), hexadecimal binary SIDs, and base64-encoded binary SIDs. Byte arrays are processed directly as binary SID data.

Default behavior returns the SID string only. Use add_components to extract revision, authority, authority name, sub-authorities, domain identification, and RID information. Use resolve_well_known to map SIDs to account names like "Local System", "Administrators", "Domain Admins".

When add_components is enabled for domain SIDs (S-1-5-21-...), the processor identifies domain context, extracts domain_id, RID, and RID type (well-known, user, group/computer). Well-known RIDs (500=Administrator, 512=Domain Admins, etc.) are automatically resolved.

The processor handles arrays of SIDs, processing each element independently with consistent error handling via ignore_failure.
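The decoding described above, as an added Python example that is not the processor's own code: it walks the binary SID layout (revision, sub-authority count, 48-bit big-endian authority, little-endian 32-bit sub-authorities), auto-detects string/hex/base64 input, and mirrors the add_components and resolve_well_known options, including arrays. The well-known SID and authority-name tables are a constructed subset, and the "RIDs below 1000 are well-known" cutoff is an assumption used here.

```python
import base64, binascii, struct

# Constructed lookup tables (a small subset, not the processor's own tables).
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-18": "Local System", "S-1-5-32-544": "Administrators"}
AUTHORITY_NAMES = {0: "Null Authority", 1: "World Authority", 5: "NT Authority"}

def binary_to_sid(data: bytes) -> str:
    """Binary layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then `count` little-endian 32-bit sub-authorities."""
    if len(data) < 8 or data[0] != 1 or len(data) != 8 + 4 * data[1]:
        raise ValueError("malformed SID: bad revision or length/count mismatch")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % data[1], data[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def normalize(value, fmt=None) -> str:
    """Accept a SID string, hex, base64 or raw bytes; auto-detect when fmt is None.
    Caveat: base64 made only of hex digits is detected as hex, so set fmt explicitly then."""
    if isinstance(value, (bytes, bytearray)):
        return binary_to_sid(bytes(value))
    if fmt == "string" or (fmt is None and value.upper().startswith("S-")):
        return value
    if fmt == "hex" or (fmt is None and all(c in "0123456789abcdefABCDEF" for c in value)):
        return binary_to_sid(binascii.unhexlify(value))
    return binary_to_sid(base64.b64decode(value, validate=True))

def sid_decode(value, fmt=None, resolve_well_known=False, add_components=False):
    """Mirror the processor's options; returns a plain string unless an option adds fields."""
    if isinstance(value, list):  # arrays are decoded element by element
        return [sid_decode(v, fmt, resolve_well_known, add_components) for v in value]
    sid = normalize(value, fmt)
    if not (resolve_well_known or add_components):
        return sid
    out = {"sid": sid}
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    if resolve_well_known:
        out["name"] = WELL_KNOWN.get(sid)
        out["is_well_known"] = sid in WELL_KNOWN
    if add_components:
        out.update(revision=revision, authority=authority, sub_authorities=subs,
                   authority_name=AUTHORITY_NAMES.get(authority, "Unknown"),
                   sub_authority_count=len(subs))
        out["is_domain_sid"] = authority == 5 and subs[:1] == [21] and len(subs) == 5
        if out["is_domain_sid"]:  # S-1-5-21-<three 32-bit domain values>-<RID>
            out["domain_id"] = "-".join(map(str, subs[1:4]))
            out["rid"] = subs[4]
            # Assumption used here: RIDs below 1000 are the reserved well-known range.
            out["rid_type"] = "well-known" if subs[4] < 1000 else "user"
    return out
```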

Examples

Basic String SID

Decoding SID string...

{
  "user_sid": "S-1-5-21-1234567890-1234567890-1234567890-1001"
}

- sid_decode:
    field: user_sid

returns SID string by default:

{
  "user_sid": "S-1-5-21-1234567890-1234567890-1234567890-1001",
  "user_sid_decoded": "S-1-5-21-1234567890-1234567890-1234567890-1001"
}

Well-Known SID Resolution

Resolving well-known SID to account name...

{
  "sid": "S-1-5-18"
}

- sid_decode:
    field: sid
    resolve_well_known: true

adds name and well-known flag:

{
  "sid": "S-1-5-18",
  "sid_decoded": {
    "sid": "S-1-5-18",
    "name": "Local System",
    "is_well_known": true
  }
}

Component Parsing

Extracting SID component details...

{
  "sid": "S-1-5-21-1234567890-1234567890-1234567890-1001"
}

- sid_decode:
    field: sid
    add_components: true

parses all SID components:

{
  "sid": "S-1-5-21-1234567890-1234567890-1234567890-1001",
  "sid_decoded": {
    "sid": "S-1-5-21-1234567890-1234567890-1234567890-1001",
    "revision": 1,
    "authority": 5,
    "authority_name": "NT Authority",
    "sub_authorities": [21, 1234567890, 1234567890, 1234567890, 1001],
    "sub_authority_count": 5,
    "is_domain_sid": true,
    "domain_id": "1234567890-1234567890-1234567890",
    "rid": 1001,
    "rid_type": "user"
  }
}

Hex Binary SID

Decoding binary SID from hex...

{
  "hex_sid": "010100000000000512000000"
}

- sid_decode:
    field: hex_sid
    format: hex
    resolve_well_known: true

converts to SID string with name:

{
  "hex_sid": "010100000000000512000000",
  "hex_sid_decoded": {
    "sid": "S-1-5-18",
    "name": "Local System",
    "is_well_known": true
  }
}

Array of SIDs

Processing multiple SIDs...

{
  "sids": [
    "S-1-5-18",
    "S-1-5-32-544",
    "S-1-1-0"
  ]
}

- sid_decode:
    field: sids
    resolve_well_known: true

resolves each SID:

{
  "sids": [...],
  "sids_decoded": [
    {
      "sid": "S-1-5-18",
      "name": "Local System",
      "is_well_known": true
    },
    {
      "sid": "S-1-5-32-544",
      "name": "Administrators",
      "is_well_known": true
    },
    {
      "sid": "S-1-1-0",
      "name": "Everyone",
      "is_well_known": true
    }
  ]
}