For many Windows Security Auditing events (and WEF events), SIDs for users and groups (and attribute GUIDs) are not resolved. Yet for events like 4624/4625, these fields are resolved to human-readable values, despite the fact that the values for these fields are still unresolved SIDs in the XML event representation on the source machine.
What process is resolving these SIDs and making the events human readable for some events but not others, such as 4627?
I know that if I have UEBA turned on, I can use the IdentityInfo table to resolve user SIDs, but what about group or other object SIDs? Am I left to create my own fact table for this?