non-ascii removal

2021-02-16 16:19:03 -08:00 · 2021-02-16 16:19:03 -08:00 · 7fefdea87a
--- a/Detections/AzureDevOpsAuditing/ADORetentionReducedto0.yaml
+++ b/Detections/AzureDevOpsAuditing/ADORetentionReducedto0.yaml
@ -18,7 +18,7 @@ query: |
  | where Data.SettingName in ("PurgeArtifacts", "PurgeRuns")
  | where Data.NewValue == 0
  | project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Detections/AzureDevOpsAuditing/ADOSecretNotSecured.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOSecretNotSecured.yaml
@ -24,7 +24,7 @@ query: |
  | where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)
  | where Type != "AzureKeyVault"
  | where Data_Variables !has "IsSecret"
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Detections/AzureDevOpsAuditing/ADOVariableModifiedByNewUser.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOVariableModifiedByNewUser.yaml
@ -32,7 +32,7 @@ query: |
 	| where UserKey !in (historical_data)
 	| project-away UserKey
  | project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Detections/AzureDevOpsAuditing/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml
+++ b/Detections/AzureDevOpsAuditing/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml
@ -13,28 +13,28 @@ tactics:
 relevantTechniques:
  - T1199
 query: |
-	// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).
-	let allowed_sources = dynamic(["NuGet Gallery"]);
-	let allowed_locations = dynamic(["https://api.nuget.org/v3/index.json"]);
+	// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).
+	let allowed_sources = dynamic(["NuGet Gallery"]);
+	let allowed_locations = dynamic(["https://api.nuget.org/v3/index.json"]);
 	AzureDevOpsAuditing
-	// Look for feeds created or modified at either the organization or project level
-	| where OperationName matches regex "Artifacts.Feed.(Org|Project).Modify"
-	| where Details has "UpstreamSources, added"
-	| extend FeedName = tostring(Data.FeedName)
-	| extend FeedId = tostring(Data.FeedId)
-	| extend UpstreamsAdded = Data.UpstreamsAdded
-	// As multiple feeds may be added expand these out
-	| mv-expand UpstreamsAdded
-	// Only focus on external feeds
-	| where UpstreamsAdded.UpstreamSourceType !~ "internal"
-	| extend SourceLocation = tostring(UpstreamsAdded.Location)
-	| extend SourceName = tostring(UpstreamsAdded.Name)
-	// Exclude sources and locations in the allow list
-	| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)
-	| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)
-	| extend SourceStatus = tostring(UpstreamsAdded.Status)
-  | project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+	// Look for feeds created or modified at either the organization or project level
+	| where OperationName matches regex "Artifacts.Feed.(Org|Project).Modify"
+	| where Details has "UpstreamSources, added"
+	| extend FeedName = tostring(Data.FeedName)
+	| extend FeedId = tostring(Data.FeedId)
+	| extend UpstreamsAdded = Data.UpstreamsAdded
+	// As multiple feeds may be added expand these out
+	| mv-expand UpstreamsAdded
+	// Only focus on external feeds
+	| where UpstreamsAdded.UpstreamSourceType !~ "internal"
+	| extend SourceLocation = tostring(UpstreamsAdded.Location)
+	| extend SourceName = tostring(UpstreamsAdded.Name)
+	// Exclude sources and locations in the allow list
+	| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)
+	| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)
+	| extend SourceStatus = tostring(UpstreamsAdded.Status)
+  | project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Detections/AzureDevOpsAuditing/NewAgentAddedToPoolbyNewUserorofNewOS.yaml
+++ b/Detections/AzureDevOpsAuditing/NewAgentAddedToPoolbyNewUserorofNewOS.yaml
@ -51,7 +51,7 @@ query: |
  | extend OsDescription = tostring(Data.OsDescription)
  | extend SystemDetails = Data.SystemCapabilities
  | project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Detections/AzureDevOpsAuditing/NewPAPCAPCASaddedtoADO.yaml
+++ b/Detections/AzureDevOpsAuditing/NewPAPCAPCASaddedtoADO.yaml
@ -24,7 +24,7 @@ query: |
  | join (AzureDevOpsAuditing
  | extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId
  | summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Queries/AzureDevOpsAuditing/ADOBuildCheckDeleted.yaml
+++ b/Queries/AzureDevOpsAuditing/ADOBuildCheckDeleted.yaml
@ -13,7 +13,7 @@ query: |
    | extend ResourceName = tostring(Data.ResourceName)
    | extend Type = tostring(Data.Type)
    | project-reorder TimeGenerated, OperationName, ResourceName, Type, ActorUPN, IpAddress, UserAgent
-    | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+    | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Queries/AzureDevOpsAuditing/ADOBuildDeletedAfterPipelineMod.yaml
+++ b/Queries/AzureDevOpsAuditing/ADOBuildDeletedAfterPipelineMod.yaml
@ -22,7 +22,7 @@ query: |
  | extend ReleaseName = tostring(Data.ReleaseName)
  | project-rename TimeModified = TimeGenerated1, TimeDeleted = TimeGenerated, ModifyOperation = OperationName1, ModifyUser=ActorUPN1, ModifyIP=IpAddress1, ModifyUA= UserAgent1, DeleteOperation=OperationName, DeleteUser=ActorUPN, DeleteIP=IpAddress, DeleteUA=UserAgent
  | project-reorder TimeModified, ProjectName, PipelineName, ModifyUser, ModifyIP, ModifyUA, TimeDeleted, DeleteOperation, DeleteUser, DeleteIP, DeleteUA,ReleaseName
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Queries/AzureDevOpsAuditing/ADONewAgentPoolCreated.yaml
+++ b/Queries/AzureDevOpsAuditing/ADONewAgentPoolCreated.yaml
@ -15,7 +15,7 @@ query: |
  | extend IsHosted = tostring(Data.IsHosted)
  | extend IsLegacy = tostring(Data.IsLegacy)
  | project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Queries/AzureDevOpsAuditing/ADONewPATOperation.yaml
+++ b/Queries/AzureDevOpsAuditing/ADONewPATOperation.yaml
@ -18,7 +18,7 @@ query: |
  | where TimeGenerated > ago(timeframe)
  | where AuthenticationMechanism startswith "PAT"
  | where OperationName !in (PAT_Actions)
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml
+++ b/Queries/AzureDevOpsAuditing/ADONewPackageFeedCreated.yaml
@ -23,7 +23,7 @@ query: |
  | summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId
  | extend Alerts = iif(isempty(Alerts), 0, Alerts)
  | project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Queries/AzureDevOpsAuditing/ADONewReleaseApprover.yaml
+++ b/Queries/AzureDevOpsAuditing/ADONewReleaseApprover.yaml
@ -27,7 +27,7 @@ query: |
  | extend StageName = tostring(Data.StageName)
  | extend ReleaseName = tostring(Data.ReleaseName)) on ActorUPN
  | project-reorder TimeGenerated, PipelineName, ActorUPN, ApprovalType, StageName, ReleaseName, IpAddress, UserAgent, AuthenticationMechanism
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Queries/AzureDevOpsAuditing/ADOReleasePipelineCreated.yaml
+++ b/Queries/AzureDevOpsAuditing/ADOReleasePipelineCreated.yaml
@ -37,7 +37,7 @@ query: |
  | extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)
  | summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId
  | project-reorder TimeGenerated, ProjectName, Details, ActorUPN, IpAddress, UserAgent, Alerts
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings:
--- a/Queries/AzureDevOpsAuditing/ADOVariableCreatedDeleted.yaml
+++ b/Queries/AzureDevOpsAuditing/ADOVariableCreatedDeleted.yaml
@ -26,7 +26,7 @@ query: |
  | extend VariablesRemoved = set_difference(bag_keys(variables), bag_keys(variables1)) 
  | project-rename TimeCreated=TimeGenerated, TimeDeleted = TimeGenerated1, CreatingUser = ActorUPN, DeletingUser = ActorUPN1, CreatingIP = IpAddress, DeletingIP = IpAddress1, CreatingUA = UserAgent, DeletingUA = UserAgent1
  | project-reorder VariableGroupName, TimeCreated, TimeDeleted, VariablesRemoved, CreatingUser, CreatingIP, CreatingUA, DeletingUser, DeletingIP, DeletingUA
-  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
+  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
 entityMappings:
  - entityType: Account
    fieldMappings: