From c9d3f701efb37cfdb282cb1c6244a778def7db67 Mon Sep 17 00:00:00 2001
From: Hiroshi Hatake
Date: Wed, 14 Aug 2024 18:45:34 +0900
Subject: [PATCH 1/2] in_winevtlog: Skip to translate SID for capability SIDs
Signed-off-by: Hiroshi Hatake
---
 plugins/in_winevtlog/pack.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/plugins/in_winevtlog/pack.c b/plugins/in_winevtlog/pack.c
index 97dacce822e..c9b65a01f18 100644
--- a/plugins/in_winevtlog/pack.c
+++ b/plugins/in_winevtlog/pack.c
@@ -277,6 +277,14 @@ static int pack_sid(struct winevtlog_config *ctx, PSID sid, int extract_sid)
 if (ConvertSidToStringSidW(sid, &wide_sid)) {
 if (extract_sid == FLB_TRUE) {
+ /* Skip to translate SID for capability SIDs.
+ * see also: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
+ */
+ if (wcsnicmp(wide_sid, L"S-1-15-3-", 9) == 0) {
+ flb_plg_debug(ctx->ins, "This SID is one of the capability SIDs. Skip.");
+
+ goto not_mapped_error;
+ }
 if (!LookupAccountSidA(NULL, sid, account, &len, domain, &len, &sid_type)) {
From 0d556d551082d4f79645f64716899b71c47e4d99 Mon Sep 17 00:00:00 2001
From: Hiroshi Hatake
Date: Mon, 19 Aug 2024 14:17:16 +0900
Subject: [PATCH 2/2] in_winevtlog: Add a describing link for capability SIDs
Signed-off-by: Hiroshi Hatake
---
 plugins/in_winevtlog/pack.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugins/in_winevtlog/pack.c b/plugins/in_winevtlog/pack.c
index c9b65a01f18..9242da6811c 100644
--- a/plugins/in_winevtlog/pack.c
+++ b/plugins/in_winevtlog/pack.c
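Review bot: The new prefix check calls `wcsnicmp`, which is the deprecated non-underscore alias of the CRT's `_wcsnicmp`; under MSVC it resolves only through the oldnames compatibility library and emits a C4996 warning, so the line should be `if (_wcsnicmp(wide_sid, L"S-1-15-3-", 9) == 0) {` — or plain `wcsncmp`, since the prefix is digits and dashes and ConvertSidToStringSidW appears to always emit an uppercase `S`, leaving nothing to compare case-insensitively. The literal 9 is the prefix length; writing it as `sizeof(L"S-1-15-3-") / sizeof(wchar_t) - 1` keeps the count tied to the string if the prefix is ever changed or another family such as S-1-15-2- package SIDs is added. pack_sid continues outside the hunk, so it cannot be checked here whether the `not_mapped_error` path releases the `wide_sid` buffer that ConvertSidToStringSidW allocated with LocalAlloc; the existing LookupAccountSidA failure presumably reaches the same label, but that is worth confirming before the early goto goes in, since capability SIDs can appear on every event from a packaged app.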
@@ -278,7 +278,8 @@ static int pack_sid(struct winevtlog_config *ctx, PSID sid, int extract_sid)
 if (ConvertSidToStringSidW(sid, &wide_sid)) {
 if (extract_sid == FLB_TRUE) {
 /* Skip to translate SID for capability SIDs.
- * see also: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
+ * ref: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
+ * See also: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/sids-not-resolve-into-friendly-names
 */
 if (wcsnicmp(wide_sid, L"S-1-15-3-", 9) == 0) {
 flb_plg_debug(ctx->ins, "This SID is one of the capability SIDs. Skip.");
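Review bot: The comment this hunk reworks still opens with `Skip to translate SID for capability SIDs.`, which does not read as English and never states why the lookup is skipped, and the two links it now carries are labelled `ref:` and `See also:` with inconsistent casing. Since only this comment is being edited, I would settle it in the same change: first line `/* Skip SID-to-name translation for capability SIDs (S-1-15-3-...); LookupAccountSid does not resolve them (see the second link). */`, with both link lines labelled `Ref:`. Whether the skipped SID is still emitted in raw string form depends on the `not_mapped_error` path, which lies outside the hunk, so the comment should not promise that without checking.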