Pete Bryan 2021-02-16 16:13:15 -08:00
Родитель 7819318f89
Коммит bbac501ac0
6 изменённых файлов: 7 добавлений и 7 удалений


@ -35,7 +35,7 @@ query: |
| extend AgentPoolId = tostring(Data.AgentPoolId)
| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey
| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
entityMappings:
- entityType: Account
fieldMappings:


@ -17,7 +17,7 @@ query: |
| where OperationName =~ "AuditLog.StreamDisabledByUser"
| extend StreamType = tostring(Data.ConsumerType)
| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
entityMappings:
- entityType: Account
fieldMappings:


@ -20,7 +20,7 @@ query: |
| extend PublisherName = tostring(Data.PublisherName)
| where PublisherName !in (allowed_publishers)
| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, ScopeType, Data
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
entityMappings:
- entityType: Account
fieldMappings:


@ -17,7 +17,7 @@ query: |
| where AuthenticationMechanism startswith "PAT"
// Look for useragents that include a redenring engine
| where UserAgent has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink")
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
entityMappings:
- entityType: Account
fieldMappings:


@ -44,7 +44,7 @@ query: |
| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)
// Uncomment the line below to only show results where the user as AADIdP alerts
//| where Alerts > 0
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
entityMappings:
- entityType: Account
fieldMappings:


@ -26,7 +26,7 @@ query: |
| where UpstreamsAdded.UpstreamSourceType =~ "internal"
| extend SourceLocation = tostring(UpstreamsAdded.Location)
| summarize by SourceLocation);
// Look for internal feeds being added from a new location
// Look for internal feeds being added from a new location
AzureDevOpsAuditing
| where TimeGenerated > ago(timeframe)
| where OperationName matches regex "Artifacts.Feed.(Org|Project).Modify"
@ -52,7 +52,7 @@ query: |
| where OperationName matches regex "Artifacts.Feed.(Org|Project).Create"
| extend FeedId = tostring(Data.FeedId)
| project FeedId, FeedCreatedBy=ActorUPN, TimeCreated=TimeGenerated) on FeedId, $left.ActorUPN==$right.FeedCreatedBy
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity =  IpAddress
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
entityMappings:
- entityType: Account
fieldMappings: