Filter Custom Analysis?

(imported topic written by kebulm91)

I have a custom analysis that contains a property that lists all the members of each local group on a machine using the following relevance:

(it & " " , members of local group it) of (names of local groups)

The property creates a list in a format like below:

Administrators , COMPUTER\Administrator

Administrators , DOMAIN\Domain Admins

Administrators , COMPUTER\local_account

Administrators , DOMAIN\domain_account

Users , NT AUTHORITY\INTERACTIVE

Users , NT AUTHORITY\Authenticated Users

Users , DOMAIN\Domain Users

etc… (lists all users for each local group on machine)

Is there a way to filter the list of machines based on the content of this property?

For example - If I wanted the list of machines that do not have “Domain Admins” in the local administrators group - could I get that list of machines somehow using just the above property? Or would I have to create another custom property looking for that specifically with True/False answer and then just sort by that custom property to be able to see the ones that do or don’t have Domain Admins groups together in the list?

In the computers tab you can create a filter with CTRL-F and filter based on retrieved properties but I’ve not been able to find a way to do something similar in the results tab of an analysis filtering on the custom properties of the analysis. Am I missing something or is this not possible?

Thanks,

Ken

(imported comment written by BenKus)

Hey Ken,

Rather than return a list of all the results and then filter through it, it might be easier to make a simple Fixlet that detects if Domain Admins aren’t in the local admin group and then the status of the Fixlet will give you the list you want.

Try this:

not exists member whose (it as string as lowercase contains "domain admins") of local group "Administrators"

(Note that I am not sure what happens if the computer can’t connect to its domain to resolve the names of the groups).

If you wanted to instead use the method of querying your existing property, you would need to use session relevance to incorporate the logic you are looking for and then build it into a custom report.

Ben

(imported comment written by kebulm91)

Thanks Ben - I was trying to avoid writing specific code for every scenario I wanted to search for. I was hoping I could just somehow filter the results within the console as there are many different things within this data that we would like to be able to filter on. We also want all the data to be there for every endpoint as we use this as a source of troubleshooting data. I guess I’ll have to do some custom fixlets for this if there’s no other way of performing that type of filter.

Ken

(imported comment written by BenKus)

Ken,

Try this:

  1. Open the presentation debugger (http://support.bigfix.com/cgi-bin/kbdirect.pl?id=508)

  2. Use the “HTML” option.

  3. Paste this relevance:

unordered lists of links of bes computers whose (exists (tuple string item 0 of it, tuple string item 1 of it) whose (item 0 of it as lowercase contains "administrators" AND item 1 of it as lowercase contains "domain admin") of value of result (bes property "Local Admins", it))

Substitute “Local Admins” with the name of your property.

This is basically a way to directly query the properties that you have… Let me know if that works for you (I don’t have the property on my system so I might have made a mistake). Note that you can play around with this relevance if you wanted to play around with the filters.

Ben

(imported comment written by kebulm91)

Thanks Ben - I’ll see what I can come up with.

Ben, is there a way to create an analysis that shows if there is a local administrator whose account begins with, say, 200, but not list anyone else? I have written this, but the 200 could exist inside other accounts, so I’m not getting just the ones that start with 200:

exists member whose (it as string as lowercase contains "200") of local group "Administrators"
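An added example, not part of the original thread: one way to run ad hoc filters over the property's "Group , Member" values outside the console, covering both the missing "Domain Admins" check and the "starts with 200" versus "contains 200" distinction. It assumes the analysis results have been exported into a mapping of computer name to value list; the computer names, sample values and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: values per computer in the "Group , Member" format from the thread.
SAMPLE = {
    "PC-001": ["Administrators , PC-001\\Administrator",
               "Administrators , DOMAIN\\Domain Admins",
               "Users , DOMAIN\\Domain Users"],
    "PC-002": ["Administrators , PC-002\\Administrator",
               "Administrators , DOMAIN\\200178",
               "Users , NT AUTHORITY\\INTERACTIVE"],
    "PC-003": ["Administrators , DOMAIN\\Domain Admins",
               "Administrators , DOMAIN\\svc1200"],
}

def parse_value(value):
    """Split one 'Group , AUTHORITY\\Account' value into (group, authority, account)."""
    group, _, member = value.partition(" , ")
    # Members without a backslash get an empty authority.
    authority, _, account = member.rpartition("\\")
    return group.strip(), authority.strip(), account.strip()

def members_by_group(values):
    """Map lowercase group name -> set of lowercase account names (authority stripped)."""
    groups = defaultdict(set)
    for value in values:
        group, _, account = parse_value(value)
        groups[group.lower()].add(account.lower())
    return groups

def computers_where(results, group, predicate, present=True):
    """Computers whose `group` has (present=True) or lacks (present=False)
    at least one member account satisfying `predicate`."""
    hits = []
    for computer, values in sorted(results.items()):
        accounts = members_by_group(values)[group.lower()]
        if any(predicate(a) for a in accounts) == present:
            hits.append(computer)
    return hits

def missing_domain_admins(results):
    return computers_where(results, "Administrators",
                           lambda a: a == "domain admins", present=False)

def admins_starting_with(results, prefix):
    # Prefix match on the account name only, so "svc1200" does not match "200".
    return computers_where(results, "Administrators",
                           lambda a: a.startswith(prefix.lower()))

if __name__ == "__main__":
    print("No Domain Admins in Administrators:", missing_domain_admins(SAMPLE))
    print("Admin account starting with 200:", admins_starting_with(SAMPLE, "200"))
```

Because the authority prefix is stripped before matching, the prefix test applies to the account name rather than to the whole "DOMAIN\account" string.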