regit/gist:3263cf673cbffbf7bbb58c009fd5d93d

Created June 28, 2022 12:26

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/regit/3263cf673cbffbf7bbb58c009fd5d93d.js"></script>
Save regit/3263cf673cbffbf7bbb58c009fd5d93d to your computer and use it in GitHub Desktop.

Download ZIP

JQ command to extract domain, authenticated user, associated IPs from Suricata logs

Raw

gistfile1.txt

cat eve.json | jq -r 'select(.event_type=="smb" and .smb.ntlmssp.user and .smb.ntlmssp.user!="" and .smb.status_code=="0x0" and .smb.ntlmssp.host!=.smb.ntlmssp.domain)| [ .smb.ntlmssp.domain, .smb.ntlmssp.user, .src_ip ] | @csv' | sort | uniq >users.csv

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment