Solved: Re: using the result of a first search in entry o...

darphboubou · ‎08-23-2022

HI,

I would like to get the servers who use only ntlmv1.

So in a first search I using this command

index="windows" EventCode=4624  AND(host="*-toto")   Authentication_Package=NTLM Package_Name__NTLM_only_="NTLM V1"

I want to inject the result of this search in a second command line to retrieve the server which using ntlmV2.

At the end of those search i Want to get the server that only uses NTLMV1.

How can I proceed ?

Regards

richgalloway · ‎08-23-2022

That's different. We can just merge the two searches to get a list of computers that only use NTLMV1.

index="windows" AND (host="toto")  Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR
Package_Name__NTLM_only_="NTLM V2")
| stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ by ComputerName
| where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-23-2022

It depends on what needs to be passed from the first search to the second, how the passed fields will be used, and what the desired results are.

In general, it's like this

<<second search>> [ <<first search>> ]

The results of the first search are appended to the second search in (foo=bar OR baz=fubar) format.

Tell us more about the problem you're trying to solve and we can be more specific.

---
If this reply helps you, Karma would be appreciated.

darphboubou · ‎08-23-2022

thanks @richgalloway for your answer.

AS you can see in the command line below. Firstable I search for all the computers which using ntlmv1.

index="windows" AND (host="toto")  Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1"

Lets say that the result of this research give me those 3 computers name

ComputerA

ComputerB

Computer C

I want to put this result (this 3 computer) in this command line

index="windows" AND (host="toto")  Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V2"

to check if these 3 computers are also using ntlmv2. I want to know if one or more of these computers do not show up after the second search. This way, I will know that computerX never used NTLMV2.

At the end of my search, I want to know the names of the computers that only use NTLMV1.

Sorry for my english.

Regards

richgalloway · ‎08-23-2022

That's different. We can just merge the two searches to get a list of computers that only use NTLMV1.

index="windows" AND (host="toto")  Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR
Package_Name__NTLM_only_="NTLM V2")
| stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ by ComputerName
| where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1")

---
If this reply helps you, Karma would be appreciated.

darphboubou · ‎08-23-2022

@richgalloway Perfect 🙂

darphboubou · ‎09-09-2022

HOw can I add the Host in the table given by the request. I'm enable to show host field in the result actually

index="windows"  EventCode=4624 AND (host=*)  Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR
Package_Name__NTLM_only_="NTLM V2")
| stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ by Workstation_Name
| where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1")
| join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) earliest=-1d@d latest=@d | table name operatingSystem | rename name as Workstation_Name operatingSystem as os]
| table Workstation_Name Package_Name__NTLM_only_  os 
| where isnotnull(os)
| sort Workstation_Name

richgalloway · ‎09-09-2022

Do you want to show the Host field or host field (they're different)? In which index is the Host field stored (host is in all indexes)?

---
If this reply helps you, Karma would be appreciated.

darphboubou · ‎09-09-2022

host field and it's in the windows index

richgalloway · ‎09-09-2022

The challenge with using the host field from the windows index is the stats command does not provide that field. The command would have to be changed to include the field so it can be added to subsequent table commands for display.

index="windows"  EventCode=4624 AND (host=*)  Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR
Package_Name__NTLM_only_="NTLM V2")
| stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ ***values(host) as host*** by Workstation_Name
| where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1")
| join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) earliest=-1d@d latest=@d | table name operatingSystem | rename name as Workstation_Name operatingSystem as os]
| table Workstation_Name Package_Name__NTLM_only_  os ***host***
| where isnotnull(os)
| sort Workstation_Name

I used *** to indicate new code. Remove them before running the query.

---
If this reply helps you, Karma would be appreciated.

How to use the result of a first search in entry of a second search?

subsearch

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!