Quick background:
I'm looking for SSO logins by users that have authenticated via NTLM.
Issue:
I copied a snippet of text directly from the SSO logs ("NTLMSSP principal: DomainName= UserName") that I thought would be apparent in each event where users are using SSO but authenticating with NTLM. There are 100 fields total that are associated with the SSO index alone (i.e., typing in index=sso and hitting enter); however, when using the string of text indicated above as a search parameter it reduces the available fields from 100 to 23. Since I cannot see the entire list of fields it's causing issues because I need to be able to see the "carrierCode" field, which isn't available when using the "NTLMSSP principal: DomainName= UserName" text string in my search.
Is there a way to incorporate another search within my existing search [and subsearch] that would allow all 100 fields to be viewable in the SSO index so that I could select the carrierCode field and capture its numbers? I hope this makes sense. Any help is greatly appreciated.
index="sso" sourcetype="ping*" UserName="*" Workstation="*" "NTLMSSP principal: DomainName= UserName"
| fields index,sourcetype,UserName,Workstation
| join UserName
[search index=msad sourcetype=ActiveDirectory sAMAccountName="*"
| stats count by title,description,department,sAMAccountName
| rename sAMAccountName AS UserName
| table description,department,UserName,title]
| stats count by Workstation,UserName,title,department,description
| sort -count
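An added example, not the poster's search, of one way to keep the NTLM marker as a computed flag instead of a base-search filter, so that carrierCode from the same user's other sso events is still available when the results are narrowed to NTLM logins; it assumes carrierCode appears on at least some events sharing the same UserName and Workstation, and uses the AD attribute names from the question.

```spl
index="sso" sourcetype="ping*" UserName="*" Workstation="*"
| eval ntlm=if(like(_raw, "%NTLMSSP principal: DomainName= UserName%"), 1, 0)
| stats max(ntlm) AS ntlm, values(carrierCode) AS carrierCode, count AS events by UserName, Workstation
| where ntlm=1
| join type=left UserName
    [ search index=msad sourcetype=ActiveDirectory sAMAccountName="*"
      | dedup sAMAccountName
      | rename sAMAccountName AS UserName
      | fields UserName, title, department, description ]
| table UserName, Workstation, carrierCode, events, title, department, description
| sort -events
```

The stats step aggregates before the NTLM filter is applied, which is what lets carrierCode survive; a left join keeps NTLM logins whose account has no matching AD record.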