splunk / security_content

Splunk Security Content
https://research.splunk.com
Apache License 2.0

[BUG] Whitespace `\t` in several YAML rule files causing YAML load errors #3098

Closed brokensound77 closed 2 months ago

brokensound77 commented 2 months ago

Describe the bug

Two YAML rule files have improper \t whitespace causing YAML load (scanner) errors (using the Python PyYAML==6.0.1 module)

Expected behavior

No YAML error. I am not familiar with how these are rendered, so unsure how the extra \t got in there, but possibly some keys may need whitespace stripped before dumping.

Additional context

Detailed error messages:

security_content/detections/cloud/o365_zap_activity_detection.yml

error loading: ../security_content/detections/cloud/o365_zap_activity_detection.yml - while scanning for the next token
found character '\t' that cannot start any token
  in "<unicode string>", line 51, column 15:
        - Attacker  
                  ^:

repr() of issue: - Attacker\t\n product:

security_content/detections/cloud/o365_sharepoint_malware_detection.yml

error loading: ../security_content/detections/cloud/o365_sharepoint_malware_detection.yml - while scanning for the next token
found character '\t' that cannot start any token
  in "<unicode string>", line 41, column 13:
        - Victim    
                ^:

repr() of issue: - Victim\t\n - name:
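As an added example, not part of the issue or of the security_content repository: a small Python check that reproduces the scanner error described above on a constructed snippet modelled on the repr() lines, reports the line and column of every tab character, and strips trailing whitespace so the document loads. The layout of SAMPLE_YAML is an assumption and not the real detection file; PyYAML is optional, so the tab scan itself runs even where it is not installed.

```python
# Added example (not code from splunk/security_content): locate tab characters
# that PyYAML's scanner rejects, and show that stripping trailing whitespace
# makes the document load again.
from typing import List, Optional, Tuple

# Constructed YAML mirroring the repr() in the report ("- Attacker\t\n  product:").
# It is an assumption about the file layout, not the real detection file.
SAMPLE_YAML = (
    "tags:\n"
    "  observable:\n"
    "    - name: user\n"
    "      role:\n"
    "        - Attacker\t\n"
    "  product:\n"
    "    - Splunk Enterprise\n"
)


def find_tabs(text: str) -> List[Tuple[int, int]]:
    """Return 1-based (line, column) of every tab character in ``text``.

    PyYAML only skips spaces between tokens, so a tab outside a quoted scalar
    is reported as "found character '\\t' that cannot start any token".
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch == "\t":
                hits.append((line_no, col))
    return hits


def strip_trailing_whitespace(text: str) -> str:
    """Remove trailing spaces and tabs from each line, keeping indentation and content."""
    cleaned = "\n".join(line.rstrip(" \t") for line in text.splitlines())
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned


def try_load(text: str) -> Tuple[Optional[bool], str]:
    """Parse ``text`` with PyYAML.

    Returns (True, 'ok'), (False, <scanner error>) or (None, reason) when
    PyYAML is not installed.
    """
    try:
        import yaml  # PyYAML; optional so the tab scan still works without it
    except ImportError:
        return None, "PyYAML not installed"
    try:
        yaml.safe_load(text)
        return True, "ok"
    except yaml.YAMLError as exc:
        return False, str(exc)


def report(name: str, text: str) -> List[str]:
    """One finding per tab, with the offending line shown via repr() as in the issue."""
    src_lines = text.splitlines()
    return [
        f"{name}: tab at line {line_no}, column {col}: {src_lines[line_no - 1]!r}"
        for line_no, col in find_tabs(text)
    ]


if __name__ == "__main__":
    import sys

    paths = sys.argv[1:]
    if not paths:  # no files given: demonstrate on the constructed sample
        for msg in report("<sample>", SAMPLE_YAML):
            print(msg)
        print("load before fix:", try_load(SAMPLE_YAML))
        print("load after fix: ", try_load(strip_trailing_whitespace(SAMPLE_YAML)))
    else:  # lint real files, e.g. detections/cloud/*.yml
        for path in paths:
            with open(path, encoding="utf-8") as fh:
                for msg in report(path, fh.read()):
                    print(msg)
```

Run it with no arguments to see the sample finding and the before/after load result, or pass YAML paths to lint a checkout; stripping trailing whitespace before dumping, as the report suggests, is the fix on the producing side.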

ljstella commented 2 months ago

@brokensound77 hey Justin, this should be good to go now for you.

brokensound77 commented 2 months ago

Awesome, thanks for the quick response