diff --git a/Cisco/cisco-secure-firewall/ingest/parser.yml b/Cisco/cisco-secure-firewall/ingest/parser.yml
index 04ce99510..3c8b6b9f2 100644
--- a/Cisco/cisco-secure-firewall/ingest/parser.yml
+++ b/Cisco/cisco-secure-firewall/ingest/parser.yml
@@ -55,12 +55,15 @@ pipeline:
 "106021": "%{CISCO_106021}"
 "106023": "%{CISCO_106023}"
 "106100": "%{CISCO_106100}"
+ "109201": "%{CISCO_109201}"
 "110002": "%{CISCO_110002}"
 "110003": "%{CISCO_110003}"
 "111007": "%{CISCO_111007}"
 "111008": "%{CISCO_111008}"
- "113012": "%{CISCO_113012}"
 "113004": "%{CISCO_113004}"
+ "113012": "%{CISCO_113012}"
+ "113019": "%{CISCO_113019}"
+ "113039": "%{CISCO_113039}"
 "199019": "%{CISCO_199019}"
 "302013": "%{CISCO_302013_302014_302015_302016}"
 "302014": "%{CISCO_302013_302014_302015_302016}"
@@ -120,12 +123,15 @@ pipeline: CISCO_106021: "%{CISCO_ACTION:action_name} %{DATA:network_transport} reverse path check from %{IP:source_ip} to %{IP:destination_ip} on interface %{GREEDYDATA:destination_address}" CISCO_106023: '%{CISCO_ACTION:action_name}( protocol)? %{DATA:network_transport} src %{DATA:source_address}:%{DATA:source_ip}(/%{INT:source_port})?(\(%{DATA}\))? dst %{DATA:destination_address}:%{DATA:destination_ip}(/%{INT:destination_port})?(\(%{DATA}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group "?%{DATA:action_outcome_reason}"? \[%{DATA}, %{DATA}\]' CISCO_106100: 'access-list %{NOTSPACE:action_outcome_reason} %{CISCO_ACTION:action_name} %{DATA:network_transport} %{DATA:source_address}/%{IP:source_ip}\(%{INT:source_port}\)(\(%{DATA}\))? -> %{DATA:destination_address}/%{IP:destination_ip}\(%{INT:destination_port}\)(\(%{DATA}\))? hit-cnt %{INT:network_packets} %{CISCO_INTERVAL:network_duration} \[%{DATA}, %{DATA}\]' + CISCO_109201: "UAUTH: Session=%{DATA}, User=%{DATA:user_name}, Assigned IP=%{IP:source_ip}, (?PSucceeded adding entry.)" CISCO_110002: "%{CISCO_REASON:action_name} for %{DATA:network_transport} from %{DATA:source_address}:%{IP:source_ip}/%{INT:source_port} to %{IP:destination_ip}/%{INT:destination_port}" CISCO_110003: '%{GREEDYDATA:action_name} from %{WORD}\:%{IP:source_ip}\/([1-2]?[0-9]|3[0-2]) to %{WORD}\:%{IP:destination_ip}\/([1-2]?[0-9]|3[0-2])(, %{GREEDYDATA:action_outcome_reason})?' 
CISCO_111007: '%{GREEDYDATA:action_name}: %{IP:source_ip} reading from %{NOTSPACE:network_transport} \[%{DATA:http_method}\]' CISCO_111008: "User '%{DATA:user_name}' executed the '%{GREEDYDATA:action_name}' command" - CISCO_113004: "%{GREEDYDATA} user authentication %{WORD} : server = (\\s*)?%{IP:destination_ip} : user = %{DATA:user_name}" + CISCO_113004: "%{GREEDYDATA} user (authentication|authorization) %{WORD} : server = (\\s*)?%{IP:destination_ip} : user = %{DATA:user_name}" CISCO_113012: "%{GREEDYDATA} user authentication %{WORD} : local database : user = %{DATA:user_name}" + CISCO_113019: "Group = %{GREEDYDATA:user_group}, Username = %{WORD:user_name}, IP = %{IP:source_ip}, %{DATA:action_outcome_reason}.Session Type: %{DATA:session_type}, Duration: %{DATA:special_duration}, Bytes xmt: %{DATA:bytes_xmt}, Bytes rcv: %{DATA:bytes_rcv}, Reason: %{GREEDYDATA:action_outcome_reason}" + CISCO_113039: "Group <%{GREEDYDATA:user_group}> User <%{WORD:user_name}> IP <%{IP:source_ip}> (?PAnyConnect parent session started.)" CISCO_199019: '%{GREEDYDATA} %{DURATION} %{WORD:process_name}\[%{GREEDYDATA:process_id}\]: %{WORD:log_host} %{GREEDYDATA:result}' CISCO_302013_302014_302015_302016: '%{CISCO_ACTION:action_name}(?: %{CISCO_DIRECTION:network_direction})? %{DATA:network_transport} connection %{INT} for %{DATA:source_address}:%{IP:source_ip}/%{INT:source_port}( \(%{IP:source_nat_ip}/%{INT:source_nat_port}\))?(\(%{DATA}\))? to %{DATA:destination_address}:%{IP:destination_ip}/%{INT:destination_port}( \(%{IP:destination_nat_ip}/%{INT:destination_nat_port}\))?(\(%{DATA}\))?( duration %{DATA:network_duration} bytes %{INT:network_bytes})?%{DATA}( \(%{DATA:user_name}\))?' CISCO_302020_302021: '%{CISCO_ACTION:action_name}(?: %{CISCO_DIRECTION:network_direction})? %{DATA:network_transport} connection for faddr %{IP:source_ip}/%{INT:source_port}(\(%{DATA:user_group}\\%{DATA}\))? 
gaddr %{IP}/%{INT} laddr %{IP:destination_ip}/%{INT:destination_port}( \(%{DATA:user_name}\))?( type %{INT:icmp_type} code %{INT:icmp_code})?%{DATA}' @@ -176,7 +182,7 @@ pipeline: - name: set_common_fields - name: set_ecs_fields - filter: '{{pre_parsing.pre_message.message_number_grok in ["106001","110003", "106006", "106007", "106010", "106012", "106014", "106015", "106021", "106023", "106100", "110002", "111007", "111008", "113004", "113012", "199019", "302013", "302014", "302015", "302016", "302020", "302021", "304001", "305011", "313001", "313004", "313005", "313008", "305012", "402117", "402119", "419001", "419002", "500004", "602303", "602304", "609001", "609002", "611101", "611103", "710001", "710002", "710003", "710005", "710006", "716058", "713172", "716059", "722011", "722012", "722022", "722023", "722028", "722032", "722033", "722034", "722037", "725001", "733100", "725002", "725003", "725006", "725007", "737016", "852001"]}}' + filter: '{{pre_parsing.pre_message.message_number_grok in ["106001","110003", "106006", "106007", "106010", "106012", "106014", "106015", "106021", "106023", "106100", "109201", "110002", "111007", "111008", "113004", "113012", "113019", "113039", "199019", "302013", "302014", "302015", "302016", "302020", "302021", "304001", "305011", "313001", "313004", "313005", "313008", "305012", "402117", "402119", "419001", "419002", "500004", "602303", "602304", "609001", "609002", "611101", "611103", "710001", "710002", "710003", "710005", "710006", "716058", "713172", "716059", "722011", "722012", "722022", "722023", "722028", "722032", "722033", "722034", "722037", "725001", "733100", "725002", "725003", "725006", "725007", "737016", "852001"]}}' - name: set_ecs_fields_from_kv filter: '{{pre_parsing.pre_message.message_number_grok in ["430001","430002","430003","430004","430005"]}}' - name: set_ecs_fields_from_condition 
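Review bot: CISCO_113019 captures `action_outcome_reason` twice — once for the text before `.Session Type:` and again for the trailing `Reason:` — so which value survives depends on how the grok engine treats a repeated name (the 113019 fixture expects `Idle Timeout`, i.e. the second one); leave the first capture unnamed, `%{DATA}.Session Type:`, or give it its own field. In the same pattern and in CISCO_113039 the user is matched with `%{WORD:user_name}`, which fails the whole line for usernames containing `.`, `-`, `@` or `DOMAIN\user`, silently dropping VPN session start/end events for exactly the accounts an analyst would look for; `%{NOTSPACE:user_name}` is the safer choice. The new patterns also read `(?PSucceeded adding entry.)` and `(?PAnyConnect parent session started.)`, which is not a valid named group as written — presumably a `<name>` was lost in rendering, but it is worth confirming against the committed file since the fixtures expect `event.reason` to be filled from it. Session Type, Duration, Bytes xmt and Bytes rcv are captured into custom fields; if no later stage maps them, consider ECS `network.bytes`/`event.duration`, as byte counts at VPN session end are the primary signal for exfiltration hunting.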
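Review bot: The allow-list in this `filter` is a second hand-maintained copy of the keys of the message-number→pattern mapping earlier in the file, and the three new codes had to be added to both; a code added to the mapping but forgotten here would be parsed but never reach `set_ecs_fields`, and nothing in the tests would catch a mapping/filter drift for codes without a fixture. If the DSL permits it, derive the filter from the mapping's keys; otherwise add a comment beside the mapping such as `# every code added here must also be added to the set_ecs_fields filter below`.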
@@ -408,6 +414,18 @@ stages:
 event.type: ["end"]
 event.outcome: "success"
 filter: '{{pre_parsing.pre_message.message_number_grok in ["611103"]}}'
+ - set:
+ event.category: ["session"]
+ event.type: ["end"]
+ filter: '{{pre_parsing.pre_message.message_number_grok in ["113019"]}}'
+ - set:
+ event.category: ["session"]
+ event.type: ["start"]
+ filter: '{{pre_parsing.pre_message.message_number_grok in ["113039"]}}'
+ - set:
+ event.category: ["iam"]
+ event.type: ["user"]
+ filter: '{{pre_parsing.pre_message.message_number_grok in ["109201"]}}'
 - set:
 network.transport: "{{parsed_event.message.network_transport|lower }}"
 filter: '{{parsed_event.message.get("network_transport") != None}}'
diff --git a/Cisco/cisco-secure-firewall/tests/test_FTD_109201.json b/Cisco/cisco-secure-firewall/tests/test_FTD_109201.json
new file mode 100644
index 000000000..76e970cf3
--- /dev/null
+++ b/Cisco/cisco-secure-firewall/tests/test_FTD_109201.json
@@ -0,0 +1,40 @@
+{
+ "input": {
+ "message": "%FTD-5-109201: UAUTH: Session=0x00fee000, User=User_Acme, Assigned IP=1.2.3.4, Succeeded adding entry."
+ },
+ "expected": {
+ "message": "%FTD-5-109201: UAUTH: Session=0x00fee000, User=User_Acme, Assigned IP=1.2.3.4, Succeeded adding entry.",
+ "event": {
+ "category": [
+ "iam"
+ ],
+ "code": "109201",
+ "reason": "Succeeded adding entry.",
+ "type": [
+ "user"
+ ]
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "observer": {
+ "product": "Firepower Threat Defense",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "User_Acme"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "name": "User_Acme"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Cisco/cisco-secure-firewall/tests/test_FTD_113004_2.json b/Cisco/cisco-secure-firewall/tests/test_FTD_113004_2.json
new file mode 100644
index 000000000..d10a4f80d
--- /dev/null
+++ b/Cisco/cisco-secure-firewall/tests/test_FTD_113004_2.json
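Review bot: 109201 is tagged `event.category: ["iam"]` / `event.type: ["user"]`, which in ECS denotes a change to an identity object (a user created or modified), whereas the sample in the new fixture (`UAUTH: … User=…, Assigned IP=…, Succeeded adding entry.`) records a uauth entry being added for a user that has just been authenticated; as tagged it will be excluded from authentication- and session-scoped queries while 113004/113012 for the same user land in `authentication`. `event.category: ["authentication"]`, `event.type: ["start"]`, `event.outcome: "success"` (or `session`/`start`) matches what the message conveys and keeps the 109201/113004 pair queryable together; the 109201 fixture's expectations would need the same change. The 113019/113039 entries set no `event.outcome`, which is appropriate for session start/end, but a one-line comment saying so would stop the next contributor from "fixing" it.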
@@ -0,0 +1,40 @@
+{
+ "input": {
+ "message": "%FTD-6-113004: AAA user authorization Successful : server = 1.2.3.4 : user = User_Acme"
+ },
+ "expected": {
+ "message": "%FTD-6-113004: AAA user authorization Successful : server = 1.2.3.4 : user = User_Acme",
+ "event": {
+ "category": [
+ "authentication"
+ ],
+ "code": "113004",
+ "outcome": "success",
+ "type": [
+ "start"
+ ]
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "destination": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "observer": {
+ "product": "Firepower Threat Defense",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "User_Acme"
+ ]
+ },
+ "user": {
+ "name": "User_Acme"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Cisco/cisco-secure-firewall/tests/test_FTD_113019.json b/Cisco/cisco-secure-firewall/tests/test_FTD_113019.json
new file mode 100644
index 000000000..028f1dc87
--- /dev/null
+++ b/Cisco/cisco-secure-firewall/tests/test_FTD_113019.json
@@ -0,0 +1,41 @@
+{
+ "input": {
+ "message": "%FTD-4-113019: Group = MyGroup, Username = User_Acme, IP = 1.2.3.4, Session disconnected. Session Type: IKEv2, Duration: 2h:28m:09s, Bytes xmt: 54735230, Bytes rcv: 27473152, Reason: Idle Timeout"
+ },
+ "expected": {
+ "message": "%FTD-4-113019: Group = MyGroup, Username = User_Acme, IP = 1.2.3.4, Session disconnected. Session Type: IKEv2, Duration: 2h:28m:09s, Bytes xmt: 54735230, Bytes rcv: 27473152, Reason: Idle Timeout",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "code": "113019",
+ "reason": "Idle Timeout",
+ "type": [
+ "end"
+ ]
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "observer": {
+ "product": "Firepower Threat Defense",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "User_Acme"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "user": {
+ "domain": "MyGroup",
+ "name": "User_Acme"
+ }
+ }
+}
\ No newline at end of file
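Review bot: This fixture pins an `AAA user authorization Successful` message to exactly the ECS shape of an authentication success — `category: authentication`, `type: start`, `outcome: success` — so after the `(authentication|authorization)` widening in CISCO_113004 nothing in the normalized event distinguishes the two phases, and a rule that counts successful AAA logins on code 113004 will double-count every user who is authenticated and then authorized. The alternation in the pattern (outside this hunk) is unnamed; capture it into a field (e.g. `user %{WORD:aaa_phase} %{WORD} : server = …`), surface it in the event, and assert the distinct value in this fixture so the two cases stay separable.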
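Review bot: The expectation drops the most useful content of a VPN session-end record: `Bytes xmt`, `Bytes rcv`, `Duration` and `Session Type` are captured by CISCO_113019 but nothing under `source`, `destination`, `network` or `event.duration` is asserted, so either the mapping is missing or it is untested — either way a reviewer cannot tell from this fixture. `user.domain: "MyGroup"` also places the tunnel-group name in a field ECS defines as the user's directory domain; that follows the existing `user_group` handling, but a tunnel group is not a domain and joins on `user.domain` against AD logs will misfire, so a comment in the fixture (or a different target such as a custom `cisco.tunnel_group`) would help.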
diff --git a/Cisco/cisco-secure-firewall/tests/test_FTD_113039.json b/Cisco/cisco-secure-firewall/tests/test_FTD_113039.json
new file mode 100644
index 000000000..e9e865649
--- /dev/null
+++ b/Cisco/cisco-secure-firewall/tests/test_FTD_113039.json
@@ -0,0 +1,41 @@
+{
+ "input": {
+ "message": "%FTD-6-113039: Group User IP <192.168.91.121> AnyConnect parent session started."
+ },
+ "expected": {
+ "message": "%FTD-6-113039: Group User IP <192.168.91.121> AnyConnect parent session started.",
+ "event": {
+ "category": [
+ "session"
+ ],
+ "code": "113039",
+ "reason": "AnyConnect parent session started.",
+ "type": [
+ "start"
+ ]
+ },
+ "action": {
+ "target": "network-traffic"
+ },
+ "observer": {
+ "product": "Firepower Threat Defense",
+ "vendor": "Cisco"
+ },
+ "related": {
+ "ip": [
+ "192.168.91.121"
+ ],
+ "user": [
+ "User_Acme"
+ ]
+ },
+ "source": {
+ "address": "192.168.91.121",
+ "ip": "192.168.91.121"
+ },
+ "user": {
+ "domain": "CLIENT_VPN",
+ "name": "User_Acme"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Tenable/alsid/tests/alert_certificate.json b/Tenable/alsid/tests/alert_certificate.json
index a08095e2e..05bfe61bf 100644
--- a/Tenable/alsid/tests/alert_certificate.json
+++ b/Tenable/alsid/tests/alert_certificate.json
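Review bot: As shown, the input `Group User IP <192.168.91.121> AnyConnect parent session started.` cannot match CISCO_113039, which expects `Group <…> User <…> IP <…>`, yet the expectation contains `CLIENT_VPN` and `User_Acme`, which appear nowhere in the input; most likely `<CLIENT_VPN>` and `<User_Acme>` were stripped when this page was rendered, so confirm the committed fixture still carries them — otherwise this test cannot pass. As with 113019, the tunnel group lands in `user.domain`, which is worth a comment or a dedicated field rather than overloading an ECS identity attribute.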
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"ad.corp\" \"ad.corp\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate \nTemplates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=corp\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.corp\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-34\n5849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.corp\\\\AC750-DSI-SDAT-Espace de \ntravail-FOO-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-109881018\n9-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.corp\\\\Ordinateurs du \ndomaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\"\n,\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.corp\\\\AC750-DSI-SDAT-Espace de \ntravail-FOO-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \n\"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \n\"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \n\"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \n\"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"" + "message": "\"0\" \"1\" 
\"ad.corp\" \"ad.corp\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate \nTemplates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=corp\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.corp\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-34\n5849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-109881018\n9-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.corp\\\\Ordinateurs du \ndomaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\"\n,\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \n\"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \n\"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \n\"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \n\"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"" }, "expected": { - "message": "\"0\" \"1\" \"ad.corp\" \"ad.corp\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate 
\nTemplates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=corp\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.corp\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-34\n5849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.corp\\\\AC750-DSI-SDAT-Espace de \ntravail-FOO-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-109881018\n9-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.corp\\\\Ordinateurs du \ndomaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\"\n,\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.corp\\\\AC750-DSI-SDAT-Espace de \ntravail-FOO-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \n\"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \n\"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \n\"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \n\"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"", + "message": "\"0\" \"1\" \"ad.corp\" \"ad.corp\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate \nTemplates,CN=Public Key 
Services,CN=Services,CN=Configuration,DC=ad,DC=corp\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.corp\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-34\n5849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-109881018\n9-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.corp\\\\Ordinateurs du \ndomaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\"\n,\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \n\"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \n\"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \n\"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \n\"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"", "event": { "kind": "alert", "outcome": "success" 
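Review bot: The anonymisation is partial: the principal names are replaced (`urdom.ad.corp\AC750-DSI-SDAT-…` → `test.ad.corp\Espace de travail`), but every ACE string and `Item2` still carries the domain SIDs `S-1-5-21-1229472208-2678311744-2345022811` and `S-1-5-21-1098810189-8133351-2328693739`, and the template `DSCUCNExport` / `DSC UCN Export` is unchanged; if this fixture came from a real tenant, those SIDs identify the domain just as surely as the group names did. Replace the domain portion with obviously synthetic values (e.g. `S-1-5-21-1-2-3-345849`, keeping the RIDs so `Ordinateurs du domaine` stays RID 515 and the SDDL stays parseable) and consider a generic template name; the same SIDs recur in the DANG_ACCESS fixtures below.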
@@ -19,7 +19,7 @@ "ADobject": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=corp", "ApproveCertifTestOptionChecked": "\u2610", "CertificateNameDeviantAces": "\u274c\ufe0f", - "DangerousAceList": "{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.corp\\\\AC750-DSI-SDAT-Espace de travail-FOO-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.corp\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.corp\\\\AC750-DSI-SDAT-Espace de travail-FOO-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}", + "DangerousAceList": "{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.corp\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended 
right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.corp\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}", "DisplayName": "DSC UCN Export", "DomainName": "ad.corp", "EkuAttributeDeviantAces": "\u274c\ufe0f", diff --git a/Tenable/alsid/tests/alert_certificate_DANG_ACCESS.json b/Tenable/alsid/tests/alert_certificate_DANG_ACCESS.json index 7802789c2..0cb12607b 100644 --- a/Tenable/alsid/tests/alert_certificate_DANG_ACCESS.json +++ b/Tenable/alsid/tests/alert_certificate_DANG_ACCESS.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \"76485473\" \n \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n \"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.domain\\\\AC750-DSI-FOO-Espace de \n travail-GSW-Adm\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"" + "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \"76485473\" \n \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n \"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \n travail-Adm\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"" }, "expected": { - "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \"76485473\" \n \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key 
Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n \"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.domain\\\\AC750-DSI-FOO-Espace de \n travail-GSW-Adm\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"", + "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \"76485473\" \n \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n \"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \n travail-Adm\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"", "event": { "kind": "alert", "outcome": "success" 
@@ -17,7 +17,7 @@ "ADdomainName": "ad.domain", "ADforestName": "ad.domain", "ADobject": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain", - "DangerousAceList": "{\"Item1\": \"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item2\": \"S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item3\": \"urdom.ad.domain\\\\AC750-DSI-FOO-Espace de travail-GSW-Adm\", \"Item4\": [{\"Item1\": \"Modify permissions\", \"Item2\": \"\"}, {\"Item1\": \"Modify owner\", \"Item2\": \"\"}, {\"Item1\": \"Write all properties\", \"Item2\": \"\"}]}", + "DangerousAceList": "{\"Item1\": \"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item2\": \"S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item3\": \"test.ad.domain\\\\Espace de travail-Adm\", \"Item4\": [{\"Item1\": \"Modify permissions\", \"Item2\": \"\"}, {\"Item1\": \"Modify owner\", \"Item2\": \"\"}, {\"Item1\": \"Write all properties\", \"Item2\": \"\"}]}", "DistinguishedName": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain", "alertID": 1, "alertSeverityLevel": "critical", diff --git a/Tenable/alsid/tests/alert_certificate_DANG_ACCESS2.json b/Tenable/alsid/tests/alert_certificate_DANG_ACCESS2.json index 67912a8a6..71be5247d 100644 --- a/Tenable/alsid/tests/alert_certificate_DANG_ACCESS2.json +++ b/Tenable/alsid/tests/alert_certificate_DANG_ACCESS2.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item\n3\":\"urdom.ad.domain\\\\AC750-DSI-SDAT-Espace de travail-GSW-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693\n739-515\",\"Item3\":\"ad.domain\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"u\nrdom.ad.domain\\\\AC750-DSI-SDAT-Espace de travail-GSW-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \n\"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \n\"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"" + "message": "\"0\" \"1\" 
\"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item\n3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693\n739-515\",\"Item3\":\"ad.domain\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \n\"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \n\"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"" }, "expected": { - "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" 
\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item\n3\":\"urdom.ad.domain\\\\AC750-DSI-SDAT-Espace de travail-GSW-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693\n739-515\",\"Item3\":\"ad.domain\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"u\nrdom.ad.domain\\\\AC750-DSI-SDAT-Espace de travail-GSW-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \n\"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \n\"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"", + "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key 
Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996840\" \"2\" \n\"R-CERTIF-TEMPLATE-MISCONFIG\" \"76485473\" \"DisplayName\"=\"DSC UCN Export\" \"DomainName\"=\"ad.domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item\n3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693\n739-515\",\"Item3\":\"ad.domain\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended \nright\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}]\" \"TrustEnrollServiceAceOptionChecked\"=\"\u2610\" \n\"TrustEnrollServicesList\"=\"\u29b0\" \"ApproveCertifTestOptionChecked\"=\"\u2610\" \"EnrollmentFlagDeviantAces\"=\"?\" \"EnrollmentFlagAttributeMisconfigured\"=\"?\" \"RaSignatureAttributeDeviantAces\"=\"\u274c\ufe0f\" \n\"RaSignatureAttributeMisconfigured\"=\"\u274c\ufe0f\" \"EkuAttributeDeviantAces\"=\"\u274c\ufe0f\" \"EkuContainAuthAttribute\"=\"\u2714\ufe0f\" \"EkuContainAuthList\"=\"\u29b0\" \"SanConfigCsrOptionChecked\"=\"\u2612\" \n\"CertificateNameDeviantAces\"=\"\u274c\ufe0f\" \"SanConfigCsrMisconfigured\"=\"\u2714\ufe0f\"", "event": { "kind": "alert", "outcome": "success" 
@@ -19,7 +19,7 @@
 "ADobject": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
 "ApproveCertifTestOptionChecked": "\u2610",
 "CertificateNameDeviantAces": "\u274c\ufe0f",
- "DangerousAceList": "{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.domain\\\\AC750-DSI-SDAT-Espace de travail-GSW-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.domain\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.domain\\\\AC750-DSI-SDAT-Espace de travail-GSW-Adm\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}",
+ "DangerousAceList": "{\"Item1\":\"OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1098810189-8133351-2328693739-515\",\"Item2\":\"S-1-5-21-1098810189-8133351-2328693739-515\",\"Item3\":\"ad.domain\\\\Ordinateurs du domaine\",\"Item4\":[{\"Item1\":\"[Certificate Template] Extended right\",\"Item2\":\"Certificate-Enrollment\"}]},{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de travail\",\"Item4\":[{\"Item1\":\"[Certificate Template] Write all properties\",\"Item2\":\"\"}]}",
 "DisplayName": "DSC UCN Export",
 "DomainName": "ad.domain",
 "EkuAttributeDeviantAces": "\u274c\ufe0f",
diff --git a/Tenable/alsid/tests/alert_certificate_template_acl.json b/Tenable/alsid/tests/alert_certificate_template_acl.json
index 21b602beb..5d19a88c4 100644
--- a/Tenable/alsid/tests/alert_certificate_template_acl.json
+++ b/Tenable/alsid/tests/alert_certificate_template_acl.json
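Review bot: The scrub of the `Item3` principal names in this hunk (and in the `@@ -1,9 +1,9 @@` hunk above it) is incomplete: `Item1` and `Item2` on the same lines still carry the original domain SIDs `S-1-5-21-1229472208-2678311744-2345022811-345849` and `S-1-5-21-1098810189-8133351-2328693739-515`, which identify the source forest just as much as the group names that were replaced. If the intent, as it appears, is to remove tenant-identifying data from the fixtures, replace each SID with a constructed one of the same shape, for example `S-1-5-21-1000000001-1000000002-1000000003-1001` (constructed), consistently in the `input` message and every `expected` field so the parser assertions still line up. The same gap applies to both hunks of alert_certificate_template_acl.json that follow. It is also worth confirming that `test.ad.domain` is the intended placeholder, since every other domain reference in these fixtures is `ad.domain`.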
@@ -1,9 +1,9 @@
 {
 "input": {
- "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \n\"76485473\" \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.domain\\\\AC750-DSI-SDAT-Espace de \ntravail-GSW-Adm\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\""
+ "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \n\"76485473\" \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\""
 },
 "expected": {
- "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \n\"76485473\" \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"urdom.ad.domain\\\\AC750-DSI-SDAT-Espace de \ntravail-GSW-Adm\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"",
+ "message": "\"0\" \"1\" \"ad.domain\" \"ad.domain\" \"C-PKI-DANG-ACCESS\" \"critical\" \"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \"1996839\" \"2\" \"R-CERTIF-TEMPLATE-ACL\" \n\"76485473\" \"DistinguishedName\"=\"CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain\" \n\"DangerousAceList\"=\"[{\"Item1\":\"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item2\":\"S-1-5-21-1229472208-2678311744-2345022811-345849\",\"Item3\":\"test.ad.domain\\\\Espace de \ntravail\",\"Item4\":[{\"Item1\":\"Modify permissions\",\"Item2\":\"\"},{\"Item1\":\"Modify owner\",\"Item2\":\"\"},{\"Item1\":\"Write all properties\",\"Item2\":\"\"}]}]\"",
 "event": {
 "kind": "alert",
 "outcome": "success"
@@ -17,7 +17,7 @@
 "ADdomainName": "ad.domain",
 "ADforestName": "ad.domain",
 "ADobject": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
- "DangerousAceList": "{\"Item1\": \"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item2\": \"S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item3\": \"urdom.ad.domain\\\\AC750-DSI-SDAT-Espace de travail-GSW-Adm\", \"Item4\": [{\"Item1\": \"Modify permissions\", \"Item2\": \"\"}, {\"Item1\": \"Modify owner\", \"Item2\": \"\"}, {\"Item1\": \"Write all properties\", \"Item2\": \"\"}]}",
+ "DangerousAceList": "{\"Item1\": \"A;;LCRPWPRCWDWO;;;S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item2\": \"S-1-5-21-1229472208-2678311744-2345022811-345849\", \"Item3\": \"test.ad.domain\\\\Espace de travail\", \"Item4\": [{\"Item1\": \"Modify permissions\", \"Item2\": \"\"}, {\"Item1\": \"Modify owner\", \"Item2\": \"\"}, {\"Item1\": \"Write all properties\", \"Item2\": \"\"}]}",
 "DistinguishedName": "CN=DSCUCNExport,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=domain",
 "alertID": 1,
 "alertSeverityLevel": "critical",