Merge branch 'main' into lv/retarus_fix_parsing_sender_and_timestamp

Tenable/alsid/tests/alert_gpo_exec.json

@@ -1,9 +1,9 @@
 {
   "input": {
-    "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain\" \"2008125\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"79016668\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#URDOM-APP-RSAT-TEST\""
+    "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain\" \"2008000\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"790160000\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#TEST-APP-RSAT-TEST\""
   },
   "expected": {
-    "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain\" \"2008125\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"79016668\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#URDOM-APP-RSAT-TEST\"",
+    "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain\" \"2008000\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"790160000\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#TEST-APP-RSAT-TEST\"",
     "event": {
       "kind": "alert",
       "outcome": "success"
@@ -13,16 +13,16 @@
       "outcome": "success",
       "outcome_reason": "R-GPO-EXEC-SANITY-UNKNOWN-CSE",
       "properties": {
-        "ADdevianceID": 2008125,
-        "ADdomainName": "urdom.ad.domain",
+        "ADdevianceID": 2008000,
+        "ADdomainName": "test.ad.domain",
         "ADforestName": "ad.domain",
-        "ADobject": "CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain",
+        "ADobject": "CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain",
         "AttributeName": "GpcMachineExtensionName",
         "CseGuid": "{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}",
-        "GpoName": "#URDOM-APP-RSAT-TEST",
+        "GpoName": "#TEST-APP-RSAT-TEST",
         "alertID": 1,
         "alertSeverityLevel": "high",
-        "eventID": "79016668"
+        "eventID": "790160000"
       },
       "type": "alert"
     },

Tenable/alsid/tests/alert_obsolete_system.json

@@ -1,9 +1,9 @@
 {
   "input": {
-    "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\"   \n \"CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=urdom,DC=ad,DC=domain\" \"2007590\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\"      \n \"78964369\" \"ComputerCn\"=\"cnpsp16bd\" \"OperatingSystem\"=\"Windows Server 2012 R2  \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\""
+    "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\"   \n \"CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=testDC,DC=ad,DC=domain\" \"2007000\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\"      \n \"78964000\" \"ComputerCn\"=\"testComputerCN\" \"OperatingSystem\"=\"Windows Server 2012 R2  \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\""
   },
   "expected": {
-    "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\"   \n \"CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=urdom,DC=ad,DC=domain\" \"2007590\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\"      \n \"78964369\" \"ComputerCn\"=\"cnpsp16bd\" \"OperatingSystem\"=\"Windows Server 2012 R2  \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"",
+    "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\"   \n \"CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=testDC,DC=ad,DC=domain\" \"2007000\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\"      \n \"78964000\" \"ComputerCn\"=\"testComputerCN\" \"OperatingSystem\"=\"Windows Server 2012 R2  \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"",
     "event": {
       "kind": "alert",
       "outcome": "success"
@@ -13,16 +13,16 @@
       "outcome": "success",
       "outcome_reason": "R-SLEEPING-OBSOLETE-SYSTEMS",
       "properties": {
-        "ADdevianceID": 2007590,
-        "ADdomainName": "urdom.ad.domain",
+        "ADdevianceID": 2007000,
+        "ADdomainName": "test.ad.domain",
         "ADforestName": "ad.domain",
-        "ADobject": "CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC  ter,DC=urdom,DC=ad,DC=domain",
-        "ComputerCn": "cnpsp16bd",
+        "ADobject": "CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC  ter,DC=testDC,DC=ad,DC=domain",
+        "ComputerCn": "testComputerCN",
         "OperatingSystem": "Windows Server 2012 R2   Standard",
         "OperatingSystemVersion": "6.3 (9600)",
         "alertID": 1,
         "alertSeverityLevel": "high",
-        "eventID": "78964369"
+        "eventID": "78964000"
       },
       "type": "alert"
     },

Tenable/alsid/tests/alert_pattern2.json

@@ -1,9 +1,9 @@
 {
   "input": {
-    "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-040\" \"10.17.92.40\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-040\" \"dc_ip\"=\"10.17.92.40\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\""
+    "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\""
   },
   "expected": {
-    "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-040\" \"10.17.92.40\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-040\" \"dc_ip\"=\"10.17.92.40\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"",
+    "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"",
     "event": {
       "kind": "alert"
     },
@@ -13,13 +13,13 @@
         "ADforestName": "foo.ad.com",
         "ADobject": "Suspicious DC Password Change",
         "alertID": 21,
-        "dc_ip": "10.17.92.40",
-        "dc_name": "HOSTNAME-040",
+        "dc_ip": "1.2.3.4",
+        "dc_name": "HOSTNAME-000",
         "eventID": "critical",
         "eventType": "Unknown",
         "field1": "Unknown",
-        "field2": "HOSTNAME-040",
-        "field3": "10.17.92.40",
+        "field2": "HOSTNAME-000",
+        "field3": "1.2.3.4",
         "password_renewal_duration": "30:04:30:05",
         "source_hostname": "Unknown",
         "source_ip": "Unknown",

Tenable/alsid/tests/event_1.json

@@ -1,9 +1,9 @@
 {
   "input": {
-    "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\""
+    "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271000\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp\""
   },
   "expected": {
-    "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"",
+    "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271000\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp\"",
     "event": {
       "kind": "alert",
       "outcome": "success"
@@ -13,15 +13,15 @@
       "outcome": "success",
       "outcome_reason": "R-PRIVUSER-CAN-LOGON",
       "properties": {
-        "ADdevianceID": 1958016,
-        "ADdomainName": "emea.corp",
+        "ADdevianceID": 1958000,
+        "ADdomainName": "test.corp",
         "ADforestName": "Alsid Forest",
-        "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp",
-        "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp",
+        "ADobject": "OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp",
+        "ParentContainer": "OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp",
         "PrivilegesPath": "CN=Adminintrator,CN=Users,DC=emae,DC=corp",
         "alertID": 1,
         "alertSeverityLevel": "high",
-        "eventID": "49271575"
+        "eventID": "49271000"
       },
       "type": "alert"
     },
@@ -35,7 +35,7 @@
       "type": "ldap"
     },
     "user": {
-      "domain": "emea.corp",
+      "domain": "test.corp",
       "name": "John DOE"
     }
   }

Tenable/alsid/tests/event_2.json

@@ -1,9 +1,9 @@
 {
   "input": {
-    "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\""
+    "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp\" \"1920000\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=test,DC=corp\""
   },
   "expected": {
-    "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"",
+    "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp\" \"1920000\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=test,DC=corp\"",
     "event": {
       "kind": "alert",
       "outcome": "success"
@@ -13,11 +13,11 @@
       "outcome": "success",
       "outcome_reason": "R-DELEG-PRIVUSERS-NOT-PROTECTED",
       "properties": {
-        "ADdevianceID": 1920595,
-        "ADdomainName": "emea.corp",
+        "ADdevianceID": 1920000,
+        "ADdomainName": "test.corp",
         "ADforestName": "Alsid Forest",
-        "ADobject": "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp",
-        "PrivilegesPath": "CN=Backup,CN=Builtin,DC=emea,DC=corp",
+        "ADobject": "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp",
+        "PrivilegesPath": "CN=Backup,CN=Builtin,DC=test,DC=corp",
         "alertID": 1,
         "alertSeverityLevel": "critical",
         "eventID": "50666797"

Tenable/alsid/tests/event_3.json

@@ -1,9 +1,9 @@
 {
   "input": {
-    "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\""
+    "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"1959000\" \"2\" \"R-NOT-IN-WHITELIST\" \"51200000\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\""
   },
   "expected": {
-    "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"",
+    "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"1959000\" \"2\" \"R-NOT-IN-WHITELIST\" \"51200000\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\"",
     "event": {
       "kind": "alert",
       "outcome": "success"
@@ -13,14 +13,14 @@
       "outcome": "success",
       "outcome_reason": "R-NOT-IN-WHITELIST",
       "properties": {
-        "ADdevianceID": 1959337,
-        "ADdomainName": "emea.corp",
+        "ADdevianceID": 1959000,
+        "ADdomainName": "test.corp",
         "ADforestName": "Alsid Forest",
-        "ADobject": "CN=Main Administrators,CN=Users,DC=emea,DC=corp",
-        "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp",
+        "ADobject": "CN=Main Administrators,CN=Users,DC=test,DC=corp",
+        "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=test,DC=corp",
         "alertID": 1,
         "alertSeverityLevel": "critical",
-        "eventID": "51204253"
+        "eventID": "51200000"
       },
       "type": "alert"
     },

Tenable/alsid/tests/event_4.json

@@ -1,9 +1,9 @@
 {
   "input": {
-    "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\""
+    "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271000\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\""
   },
   "expected": {
-    "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"",
+    "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271000\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\"",
     "event": {
       "kind": "alert",
       "outcome": "success"
@@ -13,15 +13,15 @@
       "outcome": "success",
       "outcome_reason": "R-PRIVUSER-CAN-LOGON-ACROSS-TRUST",
       "properties": {
-        "ADdevianceID": 1958033,
-        "ADdomainName": "emea.corp",
+        "ADdevianceID": 1958000,
+        "ADdomainName": "test.corp",
         "ADforestName": "Alsid Forest",
-        "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp",
-        "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp",
-        "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp",
+        "ADobject": "OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp",
+        "ParentContainer": "OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp",
+        "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=test,DC=corp",
         "alertID": 1,
         "alertSeverityLevel": "high",
-        "eventID": "49271575"
+        "eventID": "49271000"
       },
       "type": "alert"
     },
@@ -35,7 +35,7 @@
       "type": "ldap"
     },
     "user": {
-      "domain": "emea.corp",
+      "domain": "test.corp",
       "name": "John Doe"
     }
   }

Tenable/alsid/tests/ioe_security_alert1.json

@@ -1,9 +1,9 @@
 {
   "input": {
-    "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\" \"TrusteeCn\"=\"GustavoFring\""
+    "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\" \"TrusteeCn\"=\"JohnDoe\""
   },
   "expected": {
-    "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\" \"TrusteeCn\"=\"GustavoFring\"",
+    "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\" \"TrusteeCn\"=\"JohnDoe\"",
     "event": {
       "kind": "alert",
       "outcome": "success"
@@ -14,13 +14,13 @@
       "outcome_reason": "R-DONT-EXPIRE-SET",
       "properties": {
         "ADdevianceID": 28,
-        "ADdomainName": "emea.corp",
+        "ADdomainName": "test.corp",
         "ADforestName": "Alsid Forest",
-        "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp",
-        "TrusteeCn": "GustavoFring",
+        "ADobject": "CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp",
+        "TrusteeCn": "JohnDoe",
         "alertID": 1,
         "alertSeverityLevel": "medium",
-        "eventID": "2434"
+        "eventID": "2400"
       },
       "type": "alert"
     },