
Invalid YAML content in file Exploration Queries/InputEntity_Account/UserAccount_ScreenshotHosts.yaml #11470

Closed
reijoh opened this issue Nov 21, 2024 · 0 comments · Fixed by #11472
Labels: Hunting (Hunting specialty review needed)

Comments


reijoh commented Nov 21, 2024

Describe the bug
Invalid YAML content in file "https://github.com/Azure/Azure-Sentinel/blob/master/Exploration%20Queries/InputEntity_Account/UserAccount_ScreenshotHosts.yaml".

To Reproduce
Steps to reproduce the behavior:

  1. Download the file
  2. Use PowerShell
  3. Install-Module powershell-yaml
  4. Get-Content -LiteralPath "Exploration Queries/InputEntity_Account/UserAccount_ScreenshotHosts.yaml" -Raw | ConvertFrom-Yaml
  5. Observe error:
Exception calling "Load" with "1" argument(s): "While scanning a literal block scalar, found extra spaces in first line."
At /home/me/Modules/powershell-yaml/0.4.7/powershell-yaml.psm1:48 char:9
+         $yamlStream.Load([YamlDotNet.Core.IParser] $parser)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Expected behavior
YAML file should be converted into a PowerShell PSCustomObject.

Screenshots
N/A

Desktop (please complete the following information):

  • OS: Ubuntu
  • Browser: N/A
  • Version: 22.04.5

Current content

Id: 81d63625-6617-455d-b1e3-ee5ed989e5f8
DisplayName: Screenshots taken
Description: Summary of hosts on which the user has taken screenshots
InputEntityType: Account
InputFields:
  - Name + UPNSuffix
OutputEntityTypes:
  - Host
QueryPeriodBefore: 24h
QueryPeriodAfter: 24h
DataSources:
  - DeviceEvents
Tactics:
  - Exfiltration
query: |
  
  let HostScreenshot= (Account_Name:string, Account_UPNSuffix:string){
    let p_Account_UPN = strcat(Account_Name,'@',Account_UPNSuffix);
    DeviceEvents 
    | where ActionType =='ScreenshotTaken' 
    | where InitiatingProcessAccountUpn =~ p_Account_UPN
    | summarize Count=count() by DeviceName
    | top 10 by Count desc
    | project Host_UnstructuredName=DeviceName
  };
  HostScreenshot('<Account_Name>', '<Account_UPNSuffix>')

Valid content

Id: 81d63625-6617-455d-b1e3-ee5ed989e5f8
DisplayName: Screenshots taken
Description: Summary of hosts on which the user has taken screenshots
InputEntityType: Account
InputFields:
  - Name + UPNSuffix
OutputEntityTypes:
  - Host
QueryPeriodBefore: 24h
QueryPeriodAfter: 24h
DataSources:
  - DeviceEvents
Tactics:
  - Exfiltration
query: |
  let HostScreenshot= (Account_Name:string, Account_UPNSuffix:string){
    let p_Account_UPN = strcat(Account_Name,'@',Account_UPNSuffix);
    DeviceEvents 
    | where ActionType =='ScreenshotTaken' 
    | where InitiatingProcessAccountUpn =~ p_Account_UPN
    | summarize Count=count() by DeviceName
    | top 10 by Count desc
    | project Host_UnstructuredName=DeviceName
  };
  HostScreenshot('<Account_Name>', '<Account_UPNSuffix>')
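A repository-side lint for this class of defect, added here as an example and not part of the issue or of the Azure-Sentinel repository: it flags a literal or folded block scalar whose first line is whitespace-only before any parser sees the file, checks the top-level keys, and, if PyYAML is installed, also tries a parse. The required-key list is taken from the file quoted above (an assumption, not a documented schema) and the two sample documents are constructed.

```python
import re
try:
    import yaml  # PyYAML, optional: only the parse step below needs it
except ImportError:
    yaml = None

# Top-level keys seen in the Exploration Query file quoted in the issue; treating
# them as the required set is an assumption of this example, not a documented schema.
REQUIRED_KEYS = ("Id", "DisplayName", "Description", "InputEntityType", "InputFields",
                 "OutputEntityTypes", "QueryPeriodBefore", "QueryPeriodAfter",
                 "DataSources", "Tactics", "query")
TOP_KEY = re.compile(r"^([A-Za-z_]\w*):")
BLOCK_SCALAR = re.compile(r"^([A-Za-z_]\w*):\s*[|>][+-]?\d*\s*$")  # e.g. "query: |"

def lint_exploration_query(text: str) -> list[str]:
    findings = []
    lines = text.splitlines()
    present = {m.group(1) for m in map(TOP_KEY.match, lines) if m}
    findings += [f"missing top-level key: {k}" for k in REQUIRED_KEYS if k not in present]
    # The defect from the issue: a block scalar whose first line is only spaces/tabs.
    for i, line in enumerate(lines[:-1]):
        m = BLOCK_SCALAR.match(line)
        nxt = lines[i + 1]
        if m and nxt != "" and nxt.strip() == "":
            findings.append(f"{m.group(1)}: block scalar begins with a whitespace-only line {i + 2}")
    if yaml is not None:
        try:
            yaml.safe_load(text)  # PyYAML's own view of the file, when available
        except yaml.YAMLError as exc:
            findings.append(f"parser rejected the file: {exc}")
    return findings

# Constructed inputs mirroring the issue: INVALID starts the query block with a line of spaces.
VALID = """Id: 81d63625-6617-455d-b1e3-ee5ed989e5f8
DisplayName: Screenshots taken
Description: Summary of hosts on which the user has taken screenshots
InputEntityType: Account
InputFields: [Name + UPNSuffix]
OutputEntityTypes: [Host]
QueryPeriodBefore: 24h
QueryPeriodAfter: 24h
DataSources: [DeviceEvents]
Tactics: [Exfiltration]
query: |
  DeviceEvents
  | where ActionType == 'ScreenshotTaken'
"""
INVALID = VALID.replace("query: |\n", "query: |\n    \n")
```

Running `lint_exploration_query` over every `*.yaml` under `Exploration Queries/` in CI would have reported this file before it was merged.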
@v-visodadasi v-visodadasi self-assigned this Nov 22, 2024
@v-visodadasi v-visodadasi added the Hunting Hunting specialty review needed label Nov 22, 2024
@v-visodadasi v-visodadasi linked a pull request Nov 22, 2024 that will close this issue