Hi,
I would like to get the servers that use only NTLMv1.
So in a first search I use this command:
index="windows" EventCode=4624 AND (host="*-toto") Authentication_Package=NTLM Package_Name__NTLM_only_="NTLM V1"
I want to inject the result of this search into a second command line to retrieve the servers that use NTLMv2.
At the end of those searches I want to get the servers that only use NTLMv1.
How can I proceed?
Regards
It depends on what needs to be passed from the first search to the second, how the passed fields will be used, and what the desired results are.
In general, it's like this:
<<second search>> [ <<first search>> ]
The results of the first search are appended to the second search in (foo=bar OR baz=fubar) format.
Tell us more about the problem you're trying to solve and we can be more specific.
Thanks @richgalloway for your answer.
As you can see in the command line below, first I search for all the computers that use NTLMv1.
index="windows" AND (host="toto") Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1"
Let's say that the result of this search gives me these 3 computer names:
ComputerA
ComputerB
ComputerC
I want to put this result (these 3 computers) into this command line:
index="windows" AND (host="toto") Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V2"
to check if these 3 computers are also using NTLMv2. I want to know if one or more of these computers do not show up in the second search. This way, I will know that ComputerX never used NTLMv2.
At the end of my search, I want to know the names of the computers that only use NTLMv1.
Sorry for my English.
Regards
That's different. We can just merge the two searches to get a list of computers that only use NTLMV1.
index="windows" AND (host="toto") Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR Package_Name__NTLM_only_="NTLM V2")
| stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ by ComputerName
| where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1")
@richgalloway Perfect 🙂
How can I add the Host to the table given by the request? I'm unable to show the host field in the result actually.
index="windows" EventCode=4624 AND (host=*) Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR Package_Name__NTLM_only_="NTLM V2")
| stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ by Workstation_Name
| where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1")
| join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) earliest=-1d@d latest=@d | table name operatingSystem | rename name as Workstation_Name operatingSystem as os ]
| table Workstation_Name Package_Name__NTLM_only_ os
| where isnotnull(os)
| sort Workstation_Name
Do you want to show the Host field or host field (they're different)? In which index is the Host field stored (host is in all indexes)?
host field and it's in the windows index
The challenge with using the host field from the windows index is the stats command does not provide that field. The command would have to be changed to include the field so it can be added to subsequent table commands for display.
index="windows" EventCode=4624 AND (host=*) Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" (Package_Name__NTLM_only_="NTLM V1" OR Package_Name__NTLM_only_="NTLM V2")
| stats values(Package_Name__NTLM_only_) as Package_Name__NTLM_only_ ***values(host) as host*** by Workstation_Name
| where (mvcount(Package_Name__NTLM_only_)=1 AND Package_Name__NTLM_only_="NTLM V1")
| join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) earliest=-1d@d latest=@d | table name operatingSystem | rename name as Workstation_Name operatingSystem as os ]
| table Workstation_Name Package_Name__NTLM_only_ os ***host***
| where isnotnull(os)
| sort Workstation_Name
I used *** to indicate new code. Remove them before running the query.
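As an added example that is not part of the thread (richgalloway's SPL above is the actual answer), here is the same logic in Python applied to a handful of constructed 4624 records: the stats/mvcount filter from the accepted answer ("values of Package_Name per Workstation_Name, keep those whose only value is NTLM V1") and the values(host) plus LDAP left join from the last reply. Field names follow the thread's searches; the event records, the LDAP rows, the host names and the ev() helper are invented for the example.

```python
from collections import defaultdict


def ev(workstation, package, host="dc01-toto", code="4624", auth="NTLM", domain="CORP"):
    """Build one constructed 4624-style record with the thread's field names.
    "host" is the machine that logged the event (here a DC); Workstation_Name
    is the client that performed the logon."""
    return {"EventCode": code, "host": host, "Authentication_Package": auth,
            "Package_Name__NTLM_only_": package, "Account_Domain": domain,
            "Workstation_Name": workstation}


# Constructed sample events (not real logs).
EVENTS = [
    ev("ComputerA", "NTLM V1"),                         # V1 only, seen by two DCs
    ev("ComputerA", "NTLM V1", host="dc02-toto"),
    ev("ComputerA", "NTLM V2", code="4625"),            # failed logon, not a 4624: ignored
    ev("ComputerA", "-", auth="Kerberos"),              # not NTLM: ignored
    ev("ComputerB", "NTLM V1"),                         # both V1 and V2: not "V1 only"
    ev("ComputerB", "NTLM V2"),
    ev("ComputerC", "NTLM V2", host="dc02-toto"),       # V2 only
    ev("ComputerD", "NTLM V1", host="dc02-toto"),       # V1 only, but not in the LDAP list
    ev("ComputerE", "NTLM V1", domain="NT AUTHORITY"),  # dropped by the Account_Domain filter
]

# Constructed stand-in for the bel_ldapsearch rows (type=server) in the thread.
LDAP_SERVERS = [
    {"name": "ComputerA", "operatingSystem": "Windows Server 2012 R2"},
    {"name": "ComputerB", "operatingSystem": "Windows Server 2016"},
    {"name": "ComputerC", "operatingSystem": "Windows Server 2019"},
]


def ntlm_packages_by_workstation(events):
    """Mirror of the base search followed by
    | stats values(Package_Name__NTLM_only_) values(host) by Workstation_Name.
    Returns {workstation: {"packages": set, "hosts": set}}.
    Matching here is exact; Splunk's search-time term matching is case-insensitive."""
    per_ws = defaultdict(lambda: {"packages": set(), "hosts": set()})
    for e in events:
        if e["EventCode"] != "4624" or e["Authentication_Package"] != "NTLM":
            continue
        if e["Account_Domain"] == "NT AUTHORITY":
            continue
        pkg = e["Package_Name__NTLM_only_"]
        if pkg not in ("NTLM V1", "NTLM V2"):
            continue
        per_ws[e["Workstation_Name"]]["packages"].add(pkg)
        per_ws[e["Workstation_Name"]]["hosts"].add(e["host"])
    return dict(per_ws)


def ntlmv1_only(events):
    """Mirror of | where mvcount(pkgs)=1 AND pkgs="NTLM V1".
    "Only" is relative to the events searched: a client listed here simply had
    no NTLMv2 4624 within this set, so the time range of the search matters."""
    return {ws: agg for ws, agg in ntlm_packages_by_workstation(events).items()
            if agg["packages"] == {"NTLM V1"}}


def ntlmv1_only_servers(events, ldap_rows):
    """Mirror of the left join on Workstation_Name to the LDAP server list,
    the final table, | where isnotnull(os) and | sort Workstation_Name."""
    os_by_name = {row["name"]: row["operatingSystem"] for row in ldap_rows}
    rows = []
    for ws, agg in ntlmv1_only(events).items():
        os_name = os_by_name.get(ws)  # left join: None when LDAP has no row
        if os_name is None:           # where isnotnull(os): keep known servers only
            continue
        rows.append({"Workstation_Name": ws,
                     "Package_Name__NTLM_only_": "NTLM V1",
                     "os": os_name,
                     "host": sorted(agg["hosts"])})
    return sorted(rows, key=lambda r: r["Workstation_Name"])


if __name__ == "__main__":
    for row in ntlmv1_only_servers(EVENTS, LDAP_SERVERS):
        print(row)
```

Running it lists only ComputerA: ComputerB also used NTLMv2, ComputerC never used NTLMv1, ComputerD is NTLMv1-only but has no LDAP server record (so the isnotnull(os) step drops it), and ComputerE's only event came from NT AUTHORITY. The 4625 and Kerberos records show why the EventCode and Authentication_Package filters in the base search are not optional: without them a failed NTLMv2 attempt would make ComputerA look like it already uses NTLMv2.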