system
September 18, 2013, 11:30pm
1
(imported topic written by TJessee)
I have been asked to create a report that would list all users and the endpoints they are logged into. They are wanting the report to look like:
UserName Workstation IP OS
I have been unable to figure out the session relevance to retrieve the correct information. Any help would be greatly appreciated.
(imported comment written by liuhoting)
So actually, I wouldn’t actually use session relevance to try to figure out this information. I’d use just good old-fashioned normal relevance. I’d basically throw this sort of stuff in an analysis that had a bunch of properties defined:
Logged on username:
Q: names of logged on users
Workstation IP:
Q: addresses of adapters of network as string
OS Name:
Q: Name of operating system
system
October 9, 2013, 7:24pm
3
(imported comment written by TJessee)
I was able to take your thought process and create a property that reports on the last logged on user. I can now run a report from that and display all the information that was requested. Here is the relevance I used.
if (name of operating system as lowercase contains "win") then
  (
    if ((name of operating system as lowercase contains "xp") or (name of operating system as lowercase contains "win2003")) then
      (
        if not exist keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName" of (if x64 of operating system then (x64 registry; x32 registry) else registry) then
          values "DefaultUserName" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" of (if x64 of operating system then (x64 registry; x32 registry) else registry) as string
        else
          "No User Logged"
      )
    else
      (
        if NOT exist keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser" of (if x64 of operating system then (x64 registry; x32 registry) else registry) then
          values "LastLoggedOnUser" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" of (if x64 of operating system then (x64 registry; x32 registry) else registry) as string
        else
          "No User Logged"
      )
  )
else
  ("Not Win")
(imported comment written by liuhoting)
Awesome. I’m glad that worked.
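To spot-check on a single test endpoint what the property in this thread should report, the following PowerShell reads the same two registry values and builds one row in the requested UserName / Workstation / IP / OS layout. It is an added example, not code from the thread or from BigFix; the function names are hypothetical, and it assumes Windows PowerShell 3.0 or later run locally in the native (64-bit on x64) shell.

```powershell
# Added example: local check of the registry values the relevance above reads.
# Function names are hypothetical; assumes PowerShell 3.0+ (Get-CimInstance).

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EndpointUserRecord {
    $logonUi  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # LastLoggedOnUser is the last interactive logon recorded by the logon UI,
    # which may not be a user who is signed in right now.
    $user = Get-RegistryValueOrNull -Path $logonUi -Name 'LastLoggedOnUser'

    # Fall back to the value the relevance uses for its XP / 2003 branch.
    if (-not $user) {
        $user = Get-RegistryValueOrNull -Path $winlogon -Name 'DefaultUserName'
    }
    if (-not $user) { $user = 'No User Logged' }

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ips = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -and $_ -notmatch ':' }   # keep IPv4 only for a compact row

    [pscustomobject]@{
        UserName    = $user
        Workstation = $env:COMPUTERNAME
        IP          = ($ips -join '; ')
        OS          = $os.Caption
    }
}

Get-EndpointUserRecord | Format-Table -AutoSize
```

If the UserName column here differs from what the analysis property returns for the same machine, compare the registry view (x64 versus x32) the client evaluated.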