From fbe8b97c046dc9d4bd9abcf200378246ca4764bb Mon Sep 17 00:00:00 2001
From: hardikhdholariya
Date: Wed, 19 Jul 2023 17:46:58 +0530
Subject: [PATCH] CY-512: Added the dashboard for win cert store addon
---
 .../static/splunk_common_js_v_utilities.js | 71 +++---
 .../default/data/ui/nav/default.xml | 1 +
 .../data/ui/views/cs_windows_cert_store.xml | 240 ++++++++++++++++++
 cyences_app_for_splunk/default/macros.conf | 10 +
 4 files changed, 290 insertions(+), 32 deletions(-)
 create mode 100644 cyences_app_for_splunk/default/data/ui/views/cs_windows_cert_store.xml
diff --git a/cyences_app_for_splunk/appserver/static/splunk_common_js_v_utilities.js b/cyences_app_for_splunk/appserver/static/splunk_common_js_v_utilities.js
index c6137eaa..f0473547 100644
--- a/cyences_app_for_splunk/appserver/static/splunk_common_js_v_utilities.js
+++ b/cyences_app_for_splunk/appserver/static/splunk_common_js_v_utilities.js
@@ -20,11 +20,11 @@ define([
 onResultCallBack(resultDataRows)
 onErrorCallBack(searchProperties)
 */
- this.onResultCallBack = onResultCallBack;
- this.onErrorCallBack = onErrorCallBack;
+ this.onResultCallBack = onResultCallBack;
+ this.onErrorCallBack = onErrorCallBack;
 }
- _defineActions(){
+ _defineActions() {
 let _consoleSearchInfo = this.consoleSearchInfo;
 let _manager = this.searchManager;
 let _onResultCallBack = this.onResultCallBack;
@@ -33,26 +33,26 @@ define([
 this.searchManager.on('search:done', function (properties) {
 console.log(`Search query completed. ${_consoleSearchInfo} - searchProperties=${properties}`);
- let searchManagerResults = _manager.data("results", {count: 0});
- if(('_isFetching' in searchManagerResults && searchManagerResults['_isFetching'] === true) || '_data' in searchManagerResults ){
+ let searchManagerResults = _manager.data("results", { count: 0 });
+ if (('_isFetching' in searchManagerResults && searchManagerResults['_isFetching'] === true) || '_data' in searchManagerResults) {
 searchManagerResults.on('data', function () {
 let resultData = searchManagerResults.data();
 console.log(`Search query (${_consoleSearchInfo}) completed with ${resultData.rows.length} number of results.`);
- if (_onResultCallBack != undefined){
+ if (_onResultCallBack != undefined) {
 _onResultCallBack(resultData);
 }
 });
 }
- else{
- if (_onResultCallBack != undefined){
+ else {
+ if (_onResultCallBack != undefined) {
 _onResultCallBack(null);
 }
 }
 });
- function onFailures(properties){
+ function onFailures(properties) {
 console.error(`Unable to execute the search query. ${_consoleSearchInfo} - searchProperties=${properties}`);
- if (_onErrorCallBack != undefined){
+ if (_onErrorCallBack != undefined) {
 _onErrorCallBack(properties);
 }
 }
@@ -65,7 +65,7 @@ define([
 });
 }
- searchByQuery(searchQuery, earliestTime='-1m', latestTime='now', searchId=undefined, executeNow=true){
+ searchByQuery(searchQuery, earliestTime = '-1m', latestTime = 'now', searchId = undefined, executeNow = true) {
 /*
 searchQuery, earliestTime, latestTime - Parameters to define the search (only valid if searchId is not defined)
 searchId - define Id of search
@@ -80,7 +80,7 @@ define([
 earliest_time: earliestTime,
 latest_time: latestTime
 };
- if(searchId != undefined){
+ if (searchId != undefined) {
 searchManagerProperties['id'] = searchId;
 }
@@ -88,12 +88,12 @@ define([
 this._defineActions();
- if(executeNow){
+ if (executeNow) {
 this.startSearch();
 }
 }
- postProcessSearchByQuery(baseManagerId, searchQuery, searchId=undefined, executeNow=true){
+ postProcessSearchByQuery(baseManagerId, searchQuery, searchId = undefined, executeNow = true) {
 /*
 searchQuery - Parameters to define the search (post process search of base search) (only valid if searchId is not defined)
 baseManagerId - id of base search
@@ -108,7 +108,7 @@ define([
 autostart: false,
 search: searchQuery
 };
- if(searchId != undefined){
+ if (searchId != undefined) {
 searchManagerProperties['id'] = searchId;
 }
@@ -116,12 +116,12 @@ define([
 this._defineActions();
- if(executeNow){
+ if (executeNow) {
 this.startSearch();
 }
 }
- searchById(searchId){
+ searchById(searchId) {
 /*
 searchId - Use already defined search
 */
@@ -131,7 +131,7 @@ define([
 this._defineActions();
 }
- defineReusableSearch(searchId){
+ defineReusableSearch(searchId) {
 this.consoleSearchInfo = `searchId=${searchId}`;
 this.searchManager = new SearchManager({
@@ -143,7 +143,7 @@ define([
 this._defineActions();
 }
- executeReusableSearch(searchQuery, earliestTime='-1m', latestTime='now', executeNow=true){
+ executeReusableSearch(searchQuery, earliestTime = '-1m', latestTime = 'now', executeNow = true) {
 this.searchManager.set(
 {
 search: searchQuery,
@@ -151,12 +151,12 @@ define([
 latest_time: latestTime
 }
 );
- if(executeNow){
+ if (executeNow) {
 this.startSearch();
 }
 }
- defineReusablePostProcessSearch(managerId, searchId){
+ defineReusablePostProcessSearch(managerId, searchId) {
 this.consoleSearchInfo = `searchId=${searchId}`;
 this.searchManager = new PostProcessSearchManager({
@@ -169,24 +169,24 @@ define([
 this._defineActions();
 }
- executeReusablePostProcessSearch(searchQuery, executeNow=true){
+ executeReusablePostProcessSearch(searchQuery, executeNow = true) {
 this.searchManager.set(
 {
 search: searchQuery
 }
 );
- if(executeNow){
+ if (executeNow) {
 this.startSearch();
 }
 }
- startSearch(){
+ startSearch() {
 console.log("Executing the search query: ", this.consoleSearchInfo);
 this.searchManager.startSearch();
 }
 }
- function vWaitUntil(checkCondition, callBackFunction, waitMilliseconds=100) {
+ function vWaitUntil(checkCondition, callBackFunction, waitMilliseconds = 100) {
 function checkFlag() {
 if (checkCondition() === false) {
 window.setTimeout(checkFlag, waitMilliseconds);
@@ -199,7 +199,7 @@ define([
 class VTokenManager {
- constructor(){
+ constructor() {
 this.submittedTokens = mvc.Components.getInstance('submitted');
 this.defaultTokens = mvc.Components.getInstance('default');
 }
@@ -224,7 +224,7 @@ define([
 this.submittedTokens.set(token_key, token_value);
 }
- setToken(token_key, token_value){
+ setToken(token_key, token_value) {
 this.setDefaultToken(token_key, token_value);
 this.setSubmittedToken(token_key, token_value);
 }
@@ -237,7 +237,7 @@ define([
 this.submittedTokens.unset(token_key);
 }
- unsetToken(token_key){
+ unsetToken(token_key) {
 this.unsetDefaultToken(token_key);
 this.unsetSubmittedToken(token_key);
 }
@@ -246,17 +246,24 @@ define([
 let VTokenManagerObj = new VTokenManager();
- function vSetupMultiSelectInputHandler(instance_id, allOptionValue="*") {
+ function vSetupMultiSelectInputHandler(instance_id, allOptions = ["*", 'like(Issued_Common_Name, "%")']) {
 // Get multiselect
 var multi = mvc.Components.get(instance_id);
-
+
 // On change, check selection
 multi.on("change", (selectedValues) => {
-
+
+ for (let i = 0; i < allOptions.length; i++) {
+ if (selectedValues.includes(allOptions[i])) {
+ var allOptionValue = allOptions[i]
+ break;
+ }
+ }
+
 if (selectedValues.length > 1 && selectedValues.includes(allOptionValue)) {
 var indexOfAll = selectedValues.indexOf(allOptionValue);
-
+
 // If "ALL" was selected before current (more specific) selection, remove it from list
 if (indexOfAll == 0) {
 selectedValues.splice(indexOfAll, 1);
diff --git a/cyences_app_for_splunk/default/data/ui/nav/default.xml b/cyences_app_for_splunk/default/data/ui/nav/default.xml
index 4b1aa227..8ff3151f 100644
--- a/cyences_app_for_splunk/default/data/ui/nav/default.xml
+++ b/cyences_app_for_splunk/default/data/ui/nav/default.xml
@@ -6,6 +6,7 @@
+
diff --git a/cyences_app_for_splunk/default/data/ui/views/cs_windows_cert_store.xml b/cyences_app_for_splunk/default/data/ui/views/cs_windows_cert_store.xml
new file mode 100644
index 00000000..a798f9be
--- /dev/null
+++ b/cyences_app_for_splunk/default/data/ui/views/cs_windows_cert_store.xml
@@ -0,0 +1,240 @@
+
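Review bot: `var allOptionValue = allOptions[i]` inside the `for` body is hoisted to the handler's function scope and is left `undefined` when none of the sentinels is selected, which the following `selectedValues.includes(allOptionValue)` check only tolerates by accident; `const allOptionValue = allOptions.find((opt) => selectedValues.includes(opt));` replaces the loop and makes the miss case explicit. The new default also bakes one dashboard's SPL fragment, `like(Issued_Common_Name, "%")`, into a shared utility, so every future caller inherits a sentinel tied to a single field name; keeping the default at `["*"]` and passing the extra sentinel from the cert-store dashboard keeps the helper generic. The second parameter changed type from a string to an array as well, so any existing caller still passing a string (none is visible here) would have it iterated character by character — `const options = Array.isArray(allOptions) ? allOptions : [allOptions];` keeps such callers working. The body of `vSetupMultiSelectInputHandler` continues past the hunk.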
+ + + `cs_windows_cert_store_idx` sourcetype="windows:certstore:local" | dedup host SerialNumber + | eval NotAfter_epoch= coalesce(strptime(NotAfter, "%d-%m-%Y %H:%M:%S"), strptime(NotAfter, "%m/%d/%Y %l:%M:%S %p")) + | eval interval_start=relative_time(now(),"-1m") + | eval interval_end=relative_time(now(),"+$expiry_day$d") + | where interval_start<NotAfter_epoch AND NotAfter_epoch<interval_end + | rename host as Host + | table Host Subject DnsNameList Issuer NotBefore NotAfter FriendlyName SerialNumber PSPath PSParentPath PSParentPath_FriendlyName + | fillnull value="-" PSParentPath_FriendlyName + $time_range.earliest$ + $time_range.latest$ + + + `cs_windows_cert_store_idx` sourcetype="windows:certstore:ca" +| dedup Issued_Request_ID +| eval Certificate_Expiration_Date_epoch= coalesce(strptime(Certificate_Expiration_Date, "%m/%d/%Y %l:%M:%S %p"), strptime(Certificate_Expiration_Date, "%d-%m-%Y %H:%M:%S")) +| eval interval_start=relative_time(now(),"-1m") +| eval interval_end=relative_time(now(),"+$issued_expiry$d") +| where interval_start<Certificate_Expiration_Date_epoch AND Certificate_Expiration_Date_epoch<interval_end +| join Certificate_Template type=left [`cs_windows_cert_name_mapping`] +| eval Certificate_Template=if(isnull(Certificate_Name),Certificate_Template,Certificate_Name."(".Certificate_Template.")") +| table Issued_Common_Name Issued_Request_ID Certificate_Effective_Date Certificate_Expiration_Date Certificate_Template Requester_Name Request_Disposition_Message Serial_Number + $time_range.earliest$ + $time_range.latest$ + +
+ + + + -24h@h + now + + +
+ + + Issued Certificates on CA + + + 365 + 365 + + + + All + * + * + , + Certificate_Template + Certificate_Template + + | dedup Certificate_Template + + " + " + + + + All + * + * + , + Requester_Name + Requester_Name1 + + | dedup Requester_Name | eval Requester_Name1=replace(Requester_Name,"(.*)\\\(.*)","\1\\\\\\\\\2") + + " + " + + + + All + "like(Issued_Common_Name, ""%"")" + OR + Issued_Common_Name + Issued_Common_Name_value + + | dedup Issued_Common_Name | eval Issued_Common_Name_value="Issued_Common_Name=\"".Issued_Common_Name."\"" + + like(Issued_Common_Name, "%") + + + + All + * + " + " + , + * + Issued_Request_ID + Issued_Request_ID + + | dedup Issued_Request_ID + + + + + All + * + " + " + , + Serial_Number + Serial_Number + + | dedup Serial_Number + + * + + + + * + * + + + + | foreach * + [ eval temp=if(isnull(temp),<<FIELD>>,temp." ".<<FIELD>>)] +| search Certificate_Template IN ($tkn_certificate_template$) Requester_Name IN ($tkn_requester_name$) Issued_Request_ID IN ($tkn_request_id$) Serial_Number IN ($tkn_serial_number_ca$) temp="*$tkn_ca_search$*" +| where $tkn_common_name$ +| fields - temp + + + +
+
+
+ + + Local Certificates On Servers + + + 365 + 365 + + + + All + * + * + , + + | dedup FriendlyName + + FriendlyName + FriendlyName + " + " + + + + All + Personal + Personal + PSParentPath_FriendlyName + PSParentPath_FriendlyName + + | dedup PSParentPath_FriendlyName + + " + " + , + + + + All + * + * + , + + |dedup Host + + Host + Host + " + " + + + + All + * + * + , + + | dedup Issuer + + Issuer + Issuer + " + " + + + + All + * + * + , + + | dedup Subject + + Subject + Subject + " + " + + + + All + * + * + , + + | dedup SerialNumber + + SerialNumber + SerialNumber + " + " + + + + * + * + + + + | foreach * + [ eval temp=if(isnull(temp),<<FIELD>>,temp." ".<<FIELD>>)] +| search FriendlyName IN ($tkn_friendly_name$) Host IN ($tkn_host$) Issuer IN ($tkn_issuer$) PSParentPath_FriendlyName IN ($tkn_PSParentPath_FriendlyName$) SerialNumber IN ($tkn_SerialNumber$) Subject IN ($tkn_subject_local$) temp="*$tkn_local_search$*" +| fields - PSParentPath,PSPath,temp + + + +
+
+
+
\ No newline at end of file
diff --git a/cyences_app_for_splunk/default/macros.conf b/cyences_app_for_splunk/default/macros.conf
index bcb04256..2406a5a4 100644
--- a/cyences_app_for_splunk/default/macros.conf
+++ b/cyences_app_for_splunk/default/macros.conf
@@ -682,6 +682,16 @@ iseval = 0
 definition = search *
 iseval = 0
+[cs_windows_cert_store_idx]
+definition = index IN (wincertstore)
+iseval = 0
+
+[cs_windows_cert_name_mapping]
+definition = ```Add each Certificate_Template and Certificate_Name pair in a new line separated by commas.```\
+| makeresults format=csv data="Certificate_Template, Certificate_Name \
+"-", "-"\
+"
+iseval = 0
 # Sysmon
 [cs_sysmon]
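Review bot: The `| where $tkn_common_name$` at the end of the CA panel search evaluates whatever the token holds as a raw SPL expression, and the values feeding it are built by `eval Issued_Common_Name_value="Issued_Common_Name=\"".Issued_Common_Name."\""` without escaping embedded `"` or `\`, so a certificate whose common name contains a quote (a requester can often influence the CN through the CSR) yields a malformed or altered `where` clause, and the token is also settable directly through the dashboard URL. The other inputs on this dashboard use the `search ... Field IN ($tkn$)` shape with `valuePrefix`/`valueSuffix` quoting, and the common-name filter could follow the same pattern with `*` as the `All` value, which also removes the need for the `like()` sentinel added to the shared multiselect helper; whichever shape is kept, the populating search should escape `"` and `\` in the value before wrapping it in quotes. Splunk runs dashboard searches with the viewing user's own permissions, so this is a result-integrity and robustness concern rather than a privilege-escalation one. Both panels also parse dates with `coalesce(strptime(..., "%d-%m-%Y %H:%M:%S"), strptime(..., "%m/%d/%Y %l:%M:%S %p"))`, and a short comment in the search saying which collector emits which format would keep the next maintainer from dropping one of the two.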
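Review bot: In `cs_windows_cert_name_mapping` the placeholder row `"-", "-"\` sits inside the double-quoted `data="..."` argument with its quotes unescaped, so the SPL parser appears to close the string at the first inner `"` and the macro — and the `join Certificate_Template type=left [...]` that calls it in the CA panel — would fail to parse; SPL expects `\"` for a quote inside a quoted string, so write the row as `\"-\", \"-\"\` or drop the quoting (`-, -\`) and tell users in the comment to do the same. The header `Certificate_Template, Certificate_Name \` carries a space before the second column name and a trailing space, and since nothing here shows whether `makeresults format=csv` trims header cells, `Certificate_Template,Certificate_Name\` avoids a possibly mis-named field that the join would then never match. The comment asks users to add pairs to this definition, and it is worth stating there that the edit belongs in `local/macros.conf` rather than `default/macros.conf`, which an app upgrade overwrites.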