diff --git a/Tenable/alsid/CHANGELOG.md b/Tenable/alsid/CHANGELOG.md
index d8270bce5..476a2de1a 100644
--- a/Tenable/alsid/CHANGELOG.md
+++ b/Tenable/alsid/CHANGELOG.md
@@ -18,7 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 | (no impact expected) at the parser level `action.properties` is of type list | `action.properties` is of type dict |
 | `action.properties.OperatingSystem: 'Windows'` | `action.properties.OperatingSystem: 'Windows Server 2012 R2 Standard'` |
 | `action.properties.OperatingSystemVersion`: '6.3' | `action.properties.OperatingSystemVersion: '6.3 (9600)'` |
-| `action.properties.DisplayName`: DSC | `action.properties.DisplayName: DSC UCN Export` |
+| `action.properties.DisplayName`: DSC | `action.properties.DisplayName: TESTnameCNdisplayname` |
 | broken value in `action.properties.DangerousAceList` | fixed, the field now contains the complete value |
 | broken value in `action.properties.DistinguishedName` | fixed, the field now contains the complete value |
 | `action.properties.ADdevianceID` type float | `action.properties.ADdevianceID` type int |
diff --git a/Tenable/alsid/tests/alert_certificate.json b/Tenable/alsid/tests/alert_certificate.json
index 05bfe61bf..4c4295212 100644
--- a/Tenable/alsid/tests/alert_certificate.json
+++ b/Tenable/alsid/tests/alert_certificate.json
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"ad.corp\" \"ad.corp\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate \nTemplates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=corp\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.corp\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-34\n5849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-109881018\n9-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.corp\\\\Ordinateurs du \ndomaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\"\n,\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \n\"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \n\"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \n\"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \n\"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"" + "message": "\"0\" \"1\" \"ad.corp\" \"ad.corp\" \"C-PKI-DANG-ACCESS\" 
\"critical\" \"CN=TESTnameCN,CN=Certificate \nTemplates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=corp\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"TESTnameCNdisplayname\" \"DomainName\"=\"ad.corp\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-34\n5849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-109881018\n9-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.corp\\\\Ordinateurs du \ndomaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\"\n,\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \n\"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \n\"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \n\"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \n\"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"" }, "expected": { - "message": "\"0\" \"1\" \"ad.corp\" \"ad.corp\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate \nTemplates,CN=Public Key 
Services,CN=Services,CN=Configuration,DC=ad,DC=corp\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.corp\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-34\n5849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-109881018\n9-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.corp\\\\Ordinateurs du \ndomaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\"\n,\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \n\"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \n\"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \n\"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \n\"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"", + "message": "\"0\" \"1\" \"ad.corp\" \"ad.corp\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=TESTnameCN,CN=Certificate \nTemplates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=corp\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" 
\"76485473\" \"DisplayName\"=\"TESTnameCNdisplayname\" \"DomainName\"=\"ad.corp\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-34\n5849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-109881018\n9-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.corp\\\\Ordinateurs du \ndomaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\"\n,\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \n\"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \n\"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \n\"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \n\"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"", "event": { "kind": "alert", "outcome": "success" 
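Review bot: The new `message` strings under `input` and `expected` still carry the SID `S-1-5-21-1229472208-2678311744-2345022811-345849` and the localized group names `Espace de travail` and `Ordinateurs du domaine` inside `DangerousAceList`; only the template CN and `DisplayName` were replaced. If the rename is meant to scrub values captured from a real directory (an inference from the choice of `TESTnameCN`), these identify the source environment just as well and should be swapped for constructed values, e.g. a made-up SID such as `S-1-5-21-1111111111-2222222222-3333333333-1001`, in both `message` fields and in the parsed `DangerousAceList` of the `@@ -16,11 +16,11 @@` hunk. The same leftover values appear in the alert_certificate_DANG_ACCESS, alert_certificate_DANG_ACCESS2 and alert_certificate_template_acl fixtures. The earlier values also stay readable in repository history unless that is handled separately.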
@@ -16,11 +16,11 @@
 "ADdevianceID": 1996840,
 "ADdomainName": "ad.corp",
 "ADforestName": "ad.corp",
- "ADobject": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=corp",
+ "ADobject": "CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=corp",
 "ApproveCertifTestOptionChecked": "\u2610",
 "CertificateNameDeviantAces": "\u274c\ufe0f",
 "DangerousAceList": "{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.corp\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}",
- "DisplayName": "DSC UCN Export",
+ "DisplayName": "TESTnameCNdisplayname",
 "DomainName": "ad.corp",
 "EkuAttributeDeviantAces": "\u274c\ufe0f",
 "EkuContainAuthAttribute": "\u2714\ufe0f",
diff --git a/Tenable/alsid/tests/alert_certificate_DANG_ACCESS.json b/Tenable/alsid/tests/alert_certificate_DANG_ACCESS.json
index 0cb12607b..3b8e3f9bd 100644
--- a/Tenable/alsid/tests/alert_certificate_DANG_ACCESS.json
+++ b/Tenable/alsid/tests/alert_certificate_DANG_ACCESS.json
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \"76485473\" \n \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n \"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \n travail-Adm\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"" + "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \"76485473\" \n \"DistinguishedName\"=\"CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n \"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \n travail-Adm\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"" }, "expected": { - "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \"76485473\" \n \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key 
Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n \"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \n travail-Adm\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"", + "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \"76485473\" \n \"DistinguishedName\"=\"CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n \"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \n travail-Adm\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"", "event": { "kind": "alert", "outcome": "success" 
@@ -16,9 +16,9 @@
 "ADdevianceID": 1996839,
 "ADdomainName": "ad.domain",
 "ADforestName": "ad.domain",
- "ADobject": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
+ "ADobject": "CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
 "DangerousAceList": "{\"Item1\": \"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item2\": \"S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item3\": \"test.ad.domain\\\\Espace de travail-Adm\", \"Item4\": [{\"Item1\": \"Modify permissions\", \"Item2\": \"\"}, {\"Item1\": \"Modify owner\", \"Item2\": \"\"}, {\"Item1\": \"Write all properties\", \"Item2\": \"\"}]}",
- "DistinguishedName": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
+ "DistinguishedName": "CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
 "alertID": 1,
 "alertSeverityLevel": "critical",
 "eventID": "76485473"
diff --git a/Tenable/alsid/tests/alert_certificate_DANG_ACCESS2.json b/Tenable/alsid/tests/alert_certificate_DANG_ACCESS2.json
index 71be5247d..162d5b05d 100644
--- a/Tenable/alsid/tests/alert_certificate_DANG_ACCESS2.json
+++ b/Tenable/alsid/tests/alert_certificate_DANG_ACCESS2.json
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item\n3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693\n739-515\",\"Item3\":\"ad.domain\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \n\"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \n\"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"" + "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" 
\"critical\" \"CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"TESTnameCNdisplayname\" \"DomainName\"=\"ad.domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item\n3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693\n739-515\",\"Item3\":\"ad.domain\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \n\"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \n\"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"" }, "expected": { - "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key 
Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item\n3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693\n739-515\",\"Item3\":\"ad.domain\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \n\"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \n\"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"", + "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" 
\"76485473\" \"DisplayName\"=\"TESTnameCNdisplayname\" \"DomainName\"=\"ad.domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item\n3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693\n739-515\",\"Item3\":\"ad.domain\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \n\"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \n\"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"", "event": { "kind": "alert", "outcome": "success" 
@@ -16,11 +16,11 @@
 "ADdevianceID": 1996840,
 "ADdomainName": "ad.domain",
 "ADforestName": "ad.domain",
- "ADobject": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
+ "ADobject": "CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
 "ApproveCertifTestOptionChecked": "\u2610",
 "CertificateNameDeviantAces": "\u274c\ufe0f",
 "DangerousAceList": "{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.domain\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}",
- "DisplayName": "DSC UCN Export",
+ "DisplayName": "TESTnameCNdisplayname",
 "DomainName": "ad.domain",
 "EkuAttributeDeviantAces": "\u274c\ufe0f",
 "EkuContainAuthAttribute": "\u2714\ufe0f",
diff --git a/Tenable/alsid/tests/alert_certificate_template_acl.json b/Tenable/alsid/tests/alert_certificate_template_acl.json
index 5d19a88c4..626e481fa 100644
--- a/Tenable/alsid/tests/alert_certificate_template_acl.json
+++ b/Tenable/alsid/tests/alert_certificate_template_acl.json
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \n\"76485473\" \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"" + "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \n\"76485473\" \"DistinguishedName\"=\"CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"" }, "expected": { - "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \n\"76485473\" \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key 
Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"", + "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \n\"76485473\" \"DistinguishedName\"=\"CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"", "event": { "kind": "alert", "outcome": "success" 
@@ -16,9 +16,9 @@
 "ADdevianceID": 1996839,
 "ADdomainName": "ad.domain",
 "ADforestName": "ad.domain",
- "ADobject": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
+ "ADobject": "CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
 "DangerousAceList": "{\"Item1\": \"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item2\": \"S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item3\": \"test.ad.domain\\\\Espace de travail\", \"Item4\": [{\"Item1\": \"Modify permissions\", \"Item2\": \"\"}, {\"Item1\": \"Modify owner\", \"Item2\": \"\"}, {\"Item1\": \"Write all properties\", \"Item2\": \"\"}]}",
- "DistinguishedName": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
+ "DistinguishedName": "CN=TESTnameCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
 "alertID": 1,
 "alertSeverityLevel": "critical",
 "eventID": "76485473"
diff --git a/Tenable/alsid/tests/alert_pattern2.json b/Tenable/alsid/tests/alert_pattern2.json
index c514b9478..7c1a68dc9 100644
--- a/Tenable/alsid/tests/alert_pattern2.json
+++ b/Tenable/alsid/tests/alert_pattern2.json
@@ -1,16 +1,16 @@
 {
 "input": {
- "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\""
+ "message": "\"2\" \"21\" \"test.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\""
 },
 "expected": {
- "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"",
+ "message": "\"2\" \"21\" \"test.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"",
 "event": {
 "kind": "alert"
 },
 "action": {
 "properties": {
 "ADdomainName": "AD",
- "ADforestName": "foo.ad.com",
+ "ADforestName": "test.ad.com",
 "ADobject": "Suspicious DC Password Change",
 "alertID": 21,
 "dc_ip": "1.2.3.4",
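Review bot: The replacement forest name `test.ad.com` in both `message` strings and in `ADforestName` still sits under `ad.com`, which is not a reserved namespace, so the fixture keeps pointing at a domain that can be registered and owned by a third party. A name under a reserved TLD (RFC 2606) avoids that, for example `"ADforestName": "test.ad.example"` with the same value in the two `message` strings. The unchanged `dc_ip` value `1.2.3.4` has the same property; `192.0.2.1` from the RFC 5737 documentation range would be the equivalent constructed value. The `properties` object continues past the end of this hunk.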