cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

unable to parse input: yaml: line 1136: found unknown escape character (Defender) #1214

Closed pegasass closed 1 month ago

pegasass commented 3 months ago

Problem with JSON parsing

There is an issue when generating a report for Defender:

Invoke-SCuBA -OPAPath "C:\Temp\ScubaGear\" -ProductNames defender -OutPath "C:\Temp\ScubaGear"

unable to parse input: yaml: line 1136: found unknown escape character
Fatal Error involving the OPA output function.
            Ending ScubaGear execution. See the exception message for more details: Cannot bind argument to parameter 'InputObject' because it is null.
At C:\Program Files\WindowsPowerShell\Modules\ScubaGear\1.3.0\Modules\Orchestrator.psm1:736 char:13
+             throw $InvokeRegoErrorMessage
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (Fatal Error inv...use it is null.:String) [], RuntimeException
    + FullyQualifiedErrorId : Fatal Error involving the OPA output function.
            Ending ScubaGear execution. See the exception message for more details: Cannot bind argument to parameter 'InputObject' because it is null.

Offending lines in ProviderSettingsExport.json are 1136,1137:

"Identity":  "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/<tenant>.onmicrosoft.com/Configuration/PESEL sharing (Sharepoint\Onedrive, alert \u003e= 10)",
"Id":  "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations/<tenant>.onmicrosoft.com/Configuration/PESEL sharing (Sharepoint\Onedrive, alert \u003e= 10)",

Solution

To work around this problem you need to use the method mentioned by adhilto in #807:

  1. Run Import-Module .\PowerShell\ScubaGear from the main folder of the repo.
  2. Run Invoke-RunCached -p defender -OutPath example. The same error you ran into before will occur.
  3. Open the ProviderSettingsExport.json file within the example folder and correct the json error.

In my case I had to change:

\ -> \\

in

Sharepoint\Onedrive -> Sharepoint\\Onedrive

  4. Run Invoke-RunCached -p defender -OutPath example -ExportProvider $false. ScubaGear will run using the modified json file, allowing you to bypass the bug until we work out a fix.

Sektorsync commented 3 months ago

I'm currently having the same problem.

It's caused by a backslash ("\") in the name of a CompliancePolicyRule.

"Identity": "FFO.extest.microsoft.com/Microsoft Exchange Hosted Organizations//Configuration/<name-part-1\<name-part-2",

I was able to use the workaround described by @pegasass to get the report from defender. @pegasass: Thanks a lot! :-)

schrolla commented 3 months ago

@pegasass Thank you for your report and the noted workaround. An epic for resolving the escaping issue #1138 has been generated and is being tracked to resolve this long term. For now, the workaround you indicated is sufficient, or if you know where the appropriate configuration item is and rename it to remove the backslash, that would allow for a full report to be generated without triggering the issue as well.
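
One way to carry out step 3 of the workaround above without hand-editing, as an added example that is not part of the thread or of ScubaGear: a PowerShell helper that lists the lines of an export file containing a backslash that does not start a valid JSON escape, and writes a repaired copy. The function names, the sample content (modelled on the offending line quoted in the issue) and the temp-file paths are assumptions made for the example.

```powershell
# Added example, not ScubaGear code. Function names are hypothetical.

function Repair-InvalidJsonEscape {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Line)
    # First alternative: a valid JSON escape (\" \\ \/ \b \f \n \r \t \uXXXX).
    # Second alternative: a lone backslash. Scanning left to right, an
    # already-escaped "\\" is consumed as a pair and left untouched.
    $rx = [regex]'\\(?:["\\/bfnrt]|u[0-9a-fA-F]{4})|\\'
    $doubleLoneBackslash = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        if ($m.Length -eq 1) { '\\' } else { $m.Value }
    }
    $rx.Replace($Line, $doubleLoneBackslash)
}

function Find-InvalidJsonEscape {
    param([Parameter(Mandatory)][string]$Path)
    $n = 0
    foreach ($line in (Get-Content -LiteralPath $Path)) {
        $n++
        $fixed = Repair-InvalidJsonEscape -Line $line
        if ($fixed -cne $line) {
            [pscustomobject]@{ LineNumber = $n; Original = $line.Trim(); Fixed = $fixed.Trim() }
        }
    }
}

# Constructed sample: one bad escape (\O), one valid \u003e, one valid "\\".
$sample = @'
{
  "Identity":  "<tenant>.onmicrosoft.com/Configuration/PESEL sharing (Sharepoint\Onedrive, alert \u003e= 10)",
  "Note":  "already escaped: C:\\Temp"
}
'@
$in  = Join-Path ([System.IO.Path]::GetTempPath()) 'ProviderSettingsExport.sample.json'
$out = Join-Path ([System.IO.Path]::GetTempPath()) 'ProviderSettingsExport.fixed.json'
Set-Content -LiteralPath $in -Value $sample -Encoding UTF8

# Report the offending lines, then write the repaired copy.
Find-InvalidJsonEscape -Path $in | Format-List
Get-Content -LiteralPath $in | ForEach-Object { Repair-InvalidJsonEscape -Line $_ } |
    Set-Content -LiteralPath $out -Encoding UTF8

# Throws if the repaired copy is still not valid JSON.
# Caveat: a name such as "alerts\new" contains "\n", which is a legal escape,
# so it parses without error but as a newline; check reported names by eye.
$null = Get-Content -LiteralPath $out -Raw | ConvertFrom-Json
```

To use it in the workaround, point `$in` at the ProviderSettingsExport.json in the example folder, replace that file with the repaired copy, and continue with the Invoke-RunCached step that passes -ExportProvider $false.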