From b0240df97c10be05989f5769072457448120e918 Mon Sep 17 00:00:00 2001
From: Sam Erde <20478745+SamErde@users.noreply.github.com>
Date: Thu, 1 Feb 2024 12:46:54 -0500
Subject: [PATCH] Snippets for working with event logs

---
 Resolve SID in Event Logs.ps1 | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 Resolve SID in Event Logs.ps1

diff --git a/Resolve SID in Event Logs.ps1 b/Resolve SID in Event Logs.ps1
new file mode 100644
index 0000000..85c66ac
--- /dev/null
+++ b/Resolve SID in Event Logs.ps1
@@ -0,0 +1,5 @@
+# When you have a security principal
+((Get-WinEvent -FilterHashtable @{LogName = 'System'; ID=1501} -MaxEvents 1).UserId).Translate([System.Security.Principal.NTAccount]).Value
+
+# When you have a SID as a string
+[System.Security.Principal.SecurityIdentifier]::new($sid).Translate([System.Security.Principal.NTAccount]).value
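Review bot: `.Translate([System.Security.Principal.NTAccount])` throws `System.Security.Principal.IdentityNotMappedException` when the SID cannot be resolved (a deleted account, an orphaned SID, or a principal from an unreachable domain — all common when reviewing event logs), so both snippets abort instead of returning the raw SID, which is often the more useful forensic result. Wrapping the call keeps the unresolved value in the output, e.g. `try { $id.Translate([System.Security.Principal.NTAccount]).Value } catch [System.Security.Principal.IdentityNotMappedException] { $id.Value }` where `$id` holds the `UserId` or the constructed `SecurityIdentifier`. The first snippet also calls `.Translate()` on whatever `Get-WinEvent` returns, and when no event matches `-MaxEvents 1` yields nothing and the method call on `$null` errors; an `if ($event) { ... }` guard would make that explicit. The second snippet reads `$sid` without declaring it — a leading `param([string]$sid)` or a comment stating it is supplied by the caller would document the contract — and the two lines spell `.Value`/`.value` differently, harmless in PowerShell but worth aligning.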