From f52f5d40805d5a98d82ccaef162872c109e1fea9 Mon Sep 17 00:00:00 2001
From: TOUFIKI Zakarya
Date: Mon, 16 Dec 2024 12:51:01 +0100
Subject: [PATCH] Fix client data

---
 Tenable/alsid/tests/alert_gpo_exec.json | 14 +++++++-------
 Tenable/alsid/tests/alert_obsolete_system.json | 14 +++++++-------
 Tenable/alsid/tests/alert_pattern2.json | 12 ++++++------
 Tenable/alsid/tests/event_1.json | 16 ++++++++--------
 Tenable/alsid/tests/event_2.json | 12 ++++++------
 Tenable/alsid/tests/event_3.json | 14 +++++++-------
 Tenable/alsid/tests/event_4.json | 18 +++++++++---------
 Tenable/alsid/tests/ioe_security_alert1.json | 12 ++++++------
 Tenable/alsid/tests/ioe_security_alert3.json | 10 +++++-----
 Tenable/alsid/tests/ioe_security_alert4.json | 8 ++++----
 Tenable/alsid/tests/trailflow_alert1.json | 10 +++++-----
 Tenable/alsid/tests/trailflow_alert2.json | 10 +++++-----
 Tenable/alsid/tests/trailflow_alert3.json | 12 ++++++------
 Tenable/alsid/tests/trailflow_alert4.json | 10 +++++-----
 14 files changed, 86 insertions(+), 86 deletions(-)

diff --git a/Tenable/alsid/tests/alert_gpo_exec.json b/Tenable/alsid/tests/alert_gpo_exec.json
index fd44a4363..f55ff40bf 100644
--- a/Tenable/alsid/tests/alert_gpo_exec.json
+++ b/Tenable/alsid/tests/alert_gpo_exec.json
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain\" \"2008125\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"79016668\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#URDOM-APP-RSAT-TEST\""
+ "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain\" \"2008000\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"790160000\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#TEST-APP-RSAT-TEST\""
 },
 "expected": {
- "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain\" \"2008125\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"79016668\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#URDOM-APP-RSAT-TEST\"",
+ "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain\" \"2008000\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"790160000\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#TEST-APP-RSAT-TEST\"",
 "event": {
 "kind": "alert",
 "outcome": "success"
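Review bot: Rewriting the fixture does not remove the original values from the repository: the `index fd44a4363..f55ff40bf` header still names the parent blob, so `urdom.ad.domain`, the original GPO GUID and the deviance/event IDs on the `-` lines stay reachable in history. If the purpose of "Fix client data" is to stop disclosing a customer's AD layout, the history needs rewriting (e.g. git filter-repo) and the old values should be treated as already public; if only the working tree matters, saying so in the commit message would pre-empt the question. The `CseGuid` `{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}` was left untouched, presumably because it is a Microsoft client-side-extension GUID rather than client data; worth confirming, since it is the only identifier on the `+` line that was not scrubbed.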
@@ -13,16 +13,16 @@
 "outcome": "success",
 "outcome_reason": "R-GPO-EXEC-SANITY-UNKNOWN-CSE",
 "properties": {
- "ADdevianceID": 2008125,
- "ADdomainName": "urdom.ad.domain",
+ "ADdevianceID": 2008000,
+ "ADdomainName": "test.ad.domain",
 "ADforestName": "ad.domain",
- "ADobject": "CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain",
+ "ADobject": "CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain",
 "AttributeName": "GpcMachineExtensionName",
 "CseGuid": "{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}",
- "GpoName": "#URDOM-APP-RSAT-TEST",
+ "GpoName": "#TEST-APP-RSAT-TEST",
 "alertID": 1,
 "alertSeverityLevel": "high",
- "eventID": "79016668"
+ "eventID": "790160000"
 },
 "type": "alert"
 },
diff --git a/Tenable/alsid/tests/alert_obsolete_system.json b/Tenable/alsid/tests/alert_obsolete_system.json
index 32e1efc05..69c282597 100644
--- a/Tenable/alsid/tests/alert_obsolete_system.json
+++ b/Tenable/alsid/tests/alert_obsolete_system.json
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=urdom,DC=ad,DC=domain\" \"2007590\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964369\" \"ComputerCn\"=\"cnpsp16bd\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\""
+ "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=testDC,DC=ad,DC=domain\" \"2007000\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964000\" \"ComputerCn\"=\"testComputerCN\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\""
 },
 "expected": {
- "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=urdom,DC=ad,DC=domain\" \"2007590\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964369\" \"ComputerCn\"=\"cnpsp16bd\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"",
+ "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=testDC,DC=ad,DC=domain\" \"2007000\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964000\" \"ComputerCn\"=\"testComputerCN\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"",
 "event": {
 "kind": "alert",
 "outcome": "success"
@@ -13,16 +13,16 @@
 "outcome": "success",
 "outcome_reason": "R-SLEEPING-OBSOLETE-SYSTEMS",
 "properties": {
- "ADdevianceID": 2007590,
- "ADdomainName": "urdom.ad.domain",
+ "ADdevianceID": 2007000,
+ "ADdomainName": "test.ad.domain",
 "ADforestName": "ad.domain",
- "ADobject": "CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC ter,DC=urdom,DC=ad,DC=domain",
- "ComputerCn": "cnpsp16bd",
+ "ADobject": "CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC ter,DC=testDC,DC=ad,DC=domain",
+ "ComputerCn": "testComputerCN",
 "OperatingSystem": "Windows Server 2012 R2 Standard",
 "OperatingSystemVersion": "6.3 (9600)",
 "alertID": 1,
 "alertSeverityLevel": "high",
- "eventID": "78964369"
+ "eventID": "78964000"
 },
 "type": "alert"
 },
diff --git a/Tenable/alsid/tests/alert_pattern2.json b/Tenable/alsid/tests/alert_pattern2.json
index 2364c0604..c514b9478 100644
--- a/Tenable/alsid/tests/alert_pattern2.json
+++ b/Tenable/alsid/tests/alert_pattern2.json
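Review bot: The placeholders on the `+` lines no longer describe a single object: `ADobject` now has `CN=testCN` and `DC=testDC,DC=ad,DC=domain`, while `ComputerCn` is `testComputerCN` and `ADdomainName` is `test.ad.domain`; in the original the CN equalled `ComputerCn` and the DC components spelled the domain name. Because `expected` mirrors `input` the test still passes, but the fixture stops being a realistic sample of what the parser receives, which is what these files are for. Suggest `"ComputerCn": "testCN"` and `DC=test,DC=ad,DC=domain` in the message strings and in `ADobject`.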
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-040\" \"10.17.92.40\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-040\" \"dc_ip\"=\"10.17.92.40\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\""
+ "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\""
 },
 "expected": {
- "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-040\" \"10.17.92.40\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-040\" \"dc_ip\"=\"10.17.92.40\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"",
+ "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"",
 "event": {
 "kind": "alert"
 },
@@ -13,13 +13,13 @@
 "ADforestName": "foo.ad.com",
 "ADobject": "Suspicious DC Password Change",
 "alertID": 21,
- "dc_ip": "10.17.92.40",
- "dc_name": "HOSTNAME-040",
+ "dc_ip": "1.2.3.4",
+ "dc_name": "HOSTNAME-000",
 "eventID": "critical",
 "eventType": "Unknown",
 "field1": "Unknown",
- "field2": "HOSTNAME-040",
- "field3": "10.17.92.40",
+ "field2": "HOSTNAME-000",
+ "field3": "1.2.3.4",
 "password_renewal_duration": "30:04:30:05",
 "source_hostname": "Unknown",
 "source_ip": "Unknown",
diff --git a/Tenable/alsid/tests/event_1.json b/Tenable/alsid/tests/event_1.json
index 1f9418431..e12e5d53e 100644
--- a/Tenable/alsid/tests/event_1.json
+++ b/Tenable/alsid/tests/event_1.json
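Review bot: `1.2.3.4`, used for `dc_ip` and `field3` on the `+` lines (and in both message strings of the previous hunk), is a globally routed address rather than a documentation range; sample data from a public parser corpus tends to get copied into demos and detection rules, and it should not name a real third-party host. Use an RFC 5737 address such as `192.0.2.40`, or RFC 1918 space, in the input message, the expected message and the two properties. The original `10.17.92.40` was private and only needed a different last octets, if the goal was merely to not match the customer's network.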
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\""
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271000\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp\""
 },
 "expected": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"",
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271000\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp\"",
 "event": {
 "kind": "alert",
 "outcome": "success"
@@ -13,15 +13,15 @@
 "outcome": "success",
 "outcome_reason": "R-PRIVUSER-CAN-LOGON",
 "properties": {
- "ADdevianceID": 1958016,
- "ADdomainName": "emea.corp",
+ "ADdevianceID": 1958000,
+ "ADdomainName": "test.corp",
 "ADforestName": "Alsid Forest",
- "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp",
- "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp",
+ "ADobject": "OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp",
+ "ParentContainer": "OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp",
 "PrivilegesPath": "CN=Adminintrator,CN=Users,DC=emae,DC=corp",
 "alertID": 1,
 "alertSeverityLevel": "high",
- "eventID": "49271575"
+ "eventID": "49271000"
 },
 "type": "alert"
 },
@@ -35,7 +35,7 @@
 "type": "ldap"
 },
 "user": {
- "domain": "emea.corp",
+ "domain": "test.corp",
 "name": "John DOE"
 }
 }
diff --git a/Tenable/alsid/tests/event_2.json b/Tenable/alsid/tests/event_2.json
index 9a09badeb..99cb8e395 100644
--- a/Tenable/alsid/tests/event_2.json
+++ b/Tenable/alsid/tests/event_2.json
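Review bot: The scrub is incomplete in the `@@ -13,15` hunk: the new `ParentContainer` line and the unchanged `PrivilegesPath` context line still read `DC=emae,DC=corp`, while `ADobject` and `ADdomainName` were moved to `test.corp`, so the old label survives and `ADobject` no longer equals `ParentContainer` as it did before the change. The same residue is on the `+` message lines of the first hunk (`PrivilegesPath` and `ParentContainer`). If `emae` is part of the client data, replace it with `DC=test,DC=corp` in the two message strings and in both properties; if it was always a misspelled placeholder it is harmless, but aligning it keeps the fixture coherent.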
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\""
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp\" \"1920000\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=test,DC=corp\""
 },
 "expected": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"",
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp\" \"1920000\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=test,DC=corp\"",
 "event": {
 "kind": "alert",
 "outcome": "success"
@@ -13,11 +13,11 @@
 "outcome": "success",
 "outcome_reason": "R-DELEG-PRIVUSERS-NOT-PROTECTED",
 "properties": {
- "ADdevianceID": 1920595,
- "ADdomainName": "emea.corp",
+ "ADdevianceID": 1920000,
+ "ADdomainName": "test.corp",
 "ADforestName": "Alsid Forest",
- "ADobject": "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp",
- "PrivilegesPath": "CN=Backup,CN=Builtin,DC=emea,DC=corp",
+ "ADobject": "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp",
+ "PrivilegesPath": "CN=Backup,CN=Builtin,DC=test,DC=corp",
 "alertID": 1,
 "alertSeverityLevel": "critical",
 "eventID": "50666797"
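Review bot: The event ID `"50666797"` is kept verbatim on the `+` message lines and on the unchanged `"eventID"` context line of the second hunk, while every sibling fixture in this commit rounds its event ID (e.g. `49271575` → `49271000`); if event IDs count as client data, this file was missed. Either apply the same rule here (`"50666000"` in both message strings and the `eventID` property) or leave the IDs alone in the other files, so that what is and is not considered client data is consistent across the corpus.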
diff --git a/Tenable/alsid/tests/event_3.json b/Tenable/alsid/tests/event_3.json
index 2611ce026..040246618 100644
--- a/Tenable/alsid/tests/event_3.json
+++ b/Tenable/alsid/tests/event_3.json
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\""
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"1959000\" \"2\" \"R-NOT-IN-WHITELIST\" \"51200000\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\""
 },
 "expected": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"",
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"1959000\" \"2\" \"R-NOT-IN-WHITELIST\" \"51200000\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\"",
 "event": {
 "kind": "alert",
 "outcome": "success"
@@ -13,14 +13,14 @@
 "outcome": "success",
 "outcome_reason": "R-NOT-IN-WHITELIST",
 "properties": {
- "ADdevianceID": 1959337,
- "ADdomainName": "emea.corp",
+ "ADdevianceID": 1959000,
+ "ADdomainName": "test.corp",
 "ADforestName": "Alsid Forest",
- "ADobject": "CN=Main Administrators,CN=Users,DC=emea,DC=corp",
- "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp",
+ "ADobject": "CN=Main Administrators,CN=Users,DC=test,DC=corp",
+ "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=test,DC=corp",
 "alertID": 1,
 "alertSeverityLevel": "critical",
- "eventID": "51204253"
+ "eventID": "51200000"
 },
 "type": "alert"
 },
diff --git a/Tenable/alsid/tests/event_4.json b/Tenable/alsid/tests/event_4.json
index 418ddd8b1..d3deeae5d 100644
--- a/Tenable/alsid/tests/event_4.json
+++ b/Tenable/alsid/tests/event_4.json
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\""
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271000\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\""
 },
 "expected": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"",
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271000\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\"",
 "event": {
 "kind": "alert",
 "outcome": "success"
@@ -13,15 +13,15 @@
 "outcome": "success",
 "outcome_reason": "R-PRIVUSER-CAN-LOGON-ACROSS-TRUST",
 "properties": {
- "ADdevianceID": 1958033,
- "ADdomainName": "emea.corp",
+ "ADdevianceID": 1958000,
+ "ADdomainName": "test.corp",
 "ADforestName": "Alsid Forest",
- "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp",
- "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp",
- "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp",
+ "ADobject": "OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp",
+ "ParentContainer": "OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp",
+ "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=test,DC=corp",
 "alertID": 1,
 "alertSeverityLevel": "high",
- "eventID": "49271575"
+ "eventID": "49271000"
 },
 "type": "alert"
 },
@@ -35,7 +35,7 @@
 "type": "ldap"
 },
 "user": {
- "domain": "emea.corp",
+ "domain": "test.corp",
 "name": "John Doe"
 }
 }
diff --git a/Tenable/alsid/tests/ioe_security_alert1.json b/Tenable/alsid/tests/ioe_security_alert1.json
index b149081cb..dbe95b13a 100644
--- a/Tenable/alsid/tests/ioe_security_alert1.json
+++ b/Tenable/alsid/tests/ioe_security_alert1.json
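Review bot: In the `@@ -13,15` hunk `ADobject` and `ParentContainer` are now two different DNs (`OU=test_OU,...,DC=test_DC,DC=corp` versus `OU=D000,...,DC=test,DC=corp`) although in the original they were the same container, and two placeholder styles sit on adjacent `+` lines; the same divergence is in both message strings of the first hunk. Keeping them identical — `OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp` for both, as event_1.json already does — preserves the object/container relation the fixture models and keeps the DC components consistent with `ADdomainName`.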
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\" \"TrusteeCn\"=\"GustavoFring\""
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\" \"TrusteeCn\"=\"JohnDoe\""
 },
 "expected": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\" \"TrusteeCn\"=\"GustavoFring\"",
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\" \"TrusteeCn\"=\"JohnDoe\"",
 "event": {
 "kind": "alert",
 "outcome": "success"
@@ -14,13 +14,13 @@
 "outcome_reason": "R-DONT-EXPIRE-SET",
 "properties": {
 "ADdevianceID": 28,
- "ADdomainName": "emea.corp",
+ "ADdomainName": "test.corp",
 "ADforestName": "Alsid Forest",
- "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp",
- "TrusteeCn": "GustavoFring",
+ "ADobject": "CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp",
+ "TrusteeCn": "JohnDoe",
 "alertID": 1,
 "alertSeverityLevel": "medium",
- "eventID": "2434"
+ "eventID": "2400"
 },
 "type": "alert"
 },
diff --git a/Tenable/alsid/tests/ioe_security_alert3.json b/Tenable/alsid/tests/ioe_security_alert3.json
index abfdf8cc5..dd4f9ac7f 100644
--- a/Tenable/alsid/tests/ioe_security_alert3.json
+++ b/Tenable/alsid/tests/ioe_security_alert3.json
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\""
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\""
 },
 "expected": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\"",
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\"",
 "event": {
 "kind": "alert",
 "outcome": "success"
@@ -14,12 +14,12 @@
 "outcome_reason": "R-DONT-EXPIRE-SET",
 "properties": {
 "ADdevianceID": 28,
- "ADdomainName": "emea.corp",
+ "ADdomainName": "test.corp",
 "ADforestName": "Alsid Forest",
- "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp",
+ "ADobject": "CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp",
 "alertID": 1,
 "alertSeverityLevel": "medium",
- "eventID": "2434"
+ "eventID": "2400"
 },
 "type": "alert"
 },
diff --git a/Tenable/alsid/tests/ioe_security_alert4.json b/Tenable/alsid/tests/ioe_security_alert4.json
index 4b340737e..6c89b301f 100644
--- a/Tenable/alsid/tests/ioe_security_alert4.json
+++ b/Tenable/alsid/tests/ioe_security_alert4.json
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n"
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n"
 },
 "expected": {
- "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n",
+ "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n",
 "event": {
 "kind": "alert",
 "outcome": "success"
@@ -14,9 +14,9 @@
 "outcome_reason": "R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED",
 "properties": {
 "ADdevianceID": 28,
- "ADdomainName": "emea.corp",
+ "ADdomainName": "test.corp",
 "ADforestName": "Alsid Forest",
- "ADobject": "OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp",
+ "ADobject": "OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp",
 "AttributeName": "inf-system_access-lockoutbadcount",
 "OuCn": "Packaging",
 "alertID": 1,
diff --git a/Tenable/alsid/tests/trailflow_alert1.json b/Tenable/alsid/tests/trailflow_alert1.json
index 2fa82823e..b41cd7fcc 100644
--- a/Tenable/alsid/tests/trailflow_alert1.json
+++ b/Tenable/alsid/tests/trailflow_alert1.json
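Review bot: The event ID `"2434"` is kept in both `+` message strings of the first hunk, while ioe_security_alert1.json and ioe_security_alert3.json in this same commit change the identical value to `"2400"`; the `"eventID"` property of this file lies outside the second hunk, so I cannot see whether it was changed either. Apply the same replacement here (`\"2400\"` in both messages and the property) for consistency, or leave the value in the other two files if it is not considered client data.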
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp\" \"2434\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\""
+ "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\""
 },
 "expected": {
- "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp\" \"2434\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"",
+ "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"",
 "event": {
 "kind": "trailflow",
 "outcome": "success"
@@ -12,13 +12,13 @@
 "name": "UAC changed",
 "outcome": "success",
 "properties": {
- "ADdomainName": "emea.corp",
+ "ADdomainName": "test.corp",
 "ADforestName": "Alsid Forest",
- "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp",
+ "ADobject": "CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp",
 "alertID": 1,
 "alsidAttributeName": "whenchanged",
 "alsidAttributeValue": "\"2020-01-09T09:24:41.0000000Z\"",
- "eventID": "2434",
+ "eventID": "2400",
 "eventType": "UAC changed"
 },
 "type": "trailflow"
diff --git a/Tenable/alsid/tests/trailflow_alert2.json b/Tenable/alsid/tests/trailflow_alert2.json
index a26f52b7b..38f57b925 100644
--- a/Tenable/alsid/tests/trailflow_alert2.json
+++ b/Tenable/alsid/tests/trailflow_alert2.json
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"2432\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\""
+ "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\""
 },
 "expected": {
- "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"2432\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"",
+ "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"",
 "event": {
 "kind": "trailflow",
 "outcome": "success"
@@ -12,13 +12,13 @@
 "name": "UAC changed",
 "outcome": "success",
 "properties": {
- "ADdomainName": "emea.corp",
+ "ADdomainName": "test.corp",
 "ADforestName": "Alsid Forest",
- "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp",
+ "ADobject": "CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp",
 "alertID": 1,
 "alsidAttributeName": "useraccountcontrol",
 "alsidAttributeValue": "\"DONT_EXPIRE NORMAL \"",
- "eventID": "2432",
+ "eventID": "2400",
 "eventType": "UAC changed"
 },
 "type": "trailflow"
diff --git a/Tenable/alsid/tests/trailflow_alert3.json b/Tenable/alsid/tests/trailflow_alert3.json
index 0d3b1d784..b073ae6e5 100644
--- a/Tenable/alsid/tests/trailflow_alert3.json
+++ b/Tenable/alsid/tests/trailflow_alert3.json
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856795\" \"ACL change\" \"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\""
+ "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856000\" \"ACL change\" \"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\""
 },
 "expected": {
- "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856795\" \"ACL change\" \"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"",
+ "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856000\" \"ACL change\" 
\"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"", "event": { "kind": "trailflow", "outcome": "success" @@ -13,12 +13,12 @@ "outcome": "success", "properties": { "ADdomainName": "AD", - "ADforestName": "AD.FOOBAR.COM", - "ADobject": "\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts", + "ADforestName": "AD.TEST.COM", + "ADobject": "\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts", "alertID": 8, "alsidAttributeName": "\"ntsecuritydescriptor\"", - "alsidAttributeValue": "\"O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"", - "eventID": "7856795", + "alsidAttributeValue": "\"O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"", + "eventID": "7856000", "eventType": "ACL change" }, "type": "trailflow" diff --git a/Tenable/alsid/tests/trailflow_alert4.json b/Tenable/alsid/tests/trailflow_alert4.json index 1d4ae660f..a2179f541 100644 --- a/Tenable/alsid/tests/trailflow_alert4.json +++ b/Tenable/alsid/tests/trailflow_alert4.json 
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855399\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\""
+ "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855000\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\""
 },
 "expected": {
- "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855399\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"",
+ "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855000\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"",
 "event": {
 "kind": "trailflow",
 "outcome": "success"
@@ -13,12 +13,12 @@
 "outcome": "success",
 "properties": {
 "ADdomainName": "AD",
- "ADforestName": "AD.FOOBAR.COM",
- "ADobject": "\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI",
+ "ADforestName": "AD.TEST.COM",
+ "ADobject": "\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI",
 "alertID": 8,
 "alsidAttributeName": "\"gptini-displayname\"",
 "alsidAttributeValue": "\"Nouvel objet Strat\u00e9gie de groupe\"",
- "eventID": "7855399",
+ "eventID": "7855000",
 "eventType": "New object"
 },
 "type": "trailflow"