Due to our network assigning IP addresses via DHCP, I would like to create a report that identifies failed authentication scan by NetBIOS name. Having a clean list with no other host attributes would be most preferable. Is this possible?
Alternative from Vaishali Deshpande, Technical Support Engineer:
In order to get NetBIOS names for all Windows Authentication Failed hosts: 1. Click on "Asset Search", select all IPs and search for QID 105015 - Windows Authentication Failed. It will give you a list of all the hosts on which Windows Authentication has Failed. 2. Create a new asset group based on these IP's.3. Create a new static search list with QID 82044 -NetBIOS Host Name and use it in Report template 4. Run a new scan on anove newly created Asset Group.
For a few hostnames, step one and two are sufficient. For many hostnames, XML parser from a Report filtering QID 105015 is the way to go. I submitted a ticket for support to find out why CSV reports were not including all the data.
You could create a report template where you uncheck every box in the report summary and the vulnerability details panes.
In the filter section, you select the following search lists from the library:
If required, you can also exclude the QID's for successful authentications.
You will however still have some details about the hosts (IP address, dns name, ...). If you really only need the NetBIOS name of machines for which authentication failed, you might consider pulling an XML version of this report (through the QG UI or with API's) and extract the desired data to the format that you prefer (flat file, csv, spreadsheet, ...)
Thanks for the tip. Exporting to a CSV would not display the NetBIOS name, strangely. Exporting an XML does! I will just extract the NetBIOS names from there.
If the host tracking method is Netbios, the device is listed by netbios in the system.
Retrieving data ...