Hi @gcusello, I don't get it, but here is the code.

Retrieve NTLMv1 requests and add the operating system field to the result:
index="windows" Authentication_Package=NTLM Account_Domain!="NT AUTHORITY" Package_Name__NTLM_only_="NTLM V1"
| join type=left Workstation_Name [ search index=bel_ldapsearch AND (type=server) | table name operatingSystem | rename name as Workstation_Name operatingSystem as os]
| eval AccountD=mvindex(Account_Domain,1)
| eval AccountN=mvindex(Account_Name,1)
| table AccountD,AccountN,Workstation_Name,Package_Name__NTLM_only_ os
| rename Workstation_Name AS "Server", Package_Name__NTLM_only_ AS "NTLM Type"
| where isnotnull(os)
| dedup Server
| sort Server

And the second one:

index=windows EventCode=4624 [ | inputlookup damtest2.csv | rename Server AS Workstation_Name | fields Workstation_Name ]
| lookup damtest2.csv Server AS Workstation_Name OUTPUT os
| table Workstation_Name os Package_Name__NTLM_only_
| dedup Workstation_Name Package_Name__NTLM_only_
| sort Workstation_Name
| where Package_Name__NTLM_only_="NTLM V2"

Thanks for your help 🙂

Regards