Description
Describe the enhancement:
Add built-in caching to the `translate_sid` processor to reduce Active Directory queries and improve reliability when translating Windows Security Identifiers (SIDs) to account names.
The processor currently performs uncached, synchronous network queries to Active Directory domain controllers for non-local SID resolution (libbeat/processors/translate_sid/translatesid.go:107). Each event triggers a fresh AD query, making the processor susceptible to network timeouts that result in `ERROR_NONE_MAPPED` errors, and creating unnecessary load on AD infrastructure.
The proposed enhancement would add optional in-memory caching with configurable capacity and TTL:

```yaml
- translate_sid:
    field: winlog.event_data.MemberSid
    account_name_target: member_user.name
    domain_target: member_user.domain
    cache:
      capacity: 10000 # Maximum number of cached entries
      ttl: 24h        # Time-to-live for cached entries
```
Describe a specific use case for the enhancement or feature:
A user monitoring Windows Security Events processes thousands of events per hour, each containing SIDs that require translation. Without caching, the `translate_sid` processor performs AD lookups for the same SIDs repeatedly, causing:

- Network timeouts resulting in `ERROR_NONE_MAPPED` errors for SIDs that can be successfully translated in PowerShell
- High latency in the event processing pipeline
- Increased load on domain controllers
The user implemented a workaround using the `cache` processor, which successfully resolved the issue by caching successful SID translations. This validates that built-in caching would improve the processor's reliability and performance.
With native caching, the processor would:

- Perform an AD lookup once per unique SID within the TTL window
- Reduce network traffic to domain controllers
- Eliminate timeout-related translation failures for frequently seen SIDs
- Improve overall event processing throughput
- Simplify configuration by eliminating the need for manual `cache` processor workarounds