[BUG] System.UriFormatException when deserializing Microsoft.SecurityInsights/Entities of type Url #47282

Closed
vdakkerd opened this issue Nov 21, 2024 · 2 comments · Fixed by #47378
Labels: customer-reported, Mgmt, needs-team-attention, question, SecurityInsights

Comments

@vdakkerd

Library name and version

Azure.ResourceManager.SecurityInsights 1.2.0-beta.1

Describe the bug

When deserializing a Sentinel Entity of the type Url which contains a URI that is not a valid URL, a System.UriFormatException is thrown. Below is an example, with customer information redacted, which throws an exception:

{
  "id": "/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.OperationalInsights/workspaces/<workspace name>/providers/Microsoft.SecurityInsights/Entities/<entity id>",
  "name": "<entity id>",
  "type": "Microsoft.SecurityInsights/Entities",
  "kind": "Url",
  "properties": {
    "url": "test.domain.io",
    "additionalData": {
      "DetonationVerdict": "GOOD",
      "DetonationFinalUrl": "test.domain.io"
    },
    "friendlyName": "test.domain.io"
  }
}

The exception is thrown within the file SecurityInsightsIncidentResource.cs at line 870.

See the SecurityInsightsUriEntity.cs model on line 80, which defines properties.url as of type Uri.

In this case it was a Sentinel Security Incident which was ingested using a data connector from Microsoft Defender XDR.

Expected behavior

The Sentinel Entity model is aligned with the Security Graph urlEvidence resource type model.

The Sentinel Entities are aligned with the Microsoft Defender XDR evidence types. In this case the Sentinel Url Entity should have properties.url typed as a string instead of a Url.

Actual behavior

A Microsoft Defender XDR security incident with a url evidence type which only contains the FQDN in the uri type is mapped to a Sentinel Url Entity with the same data, which causes an exception when an FQDN is deserialized to a Uri type.

Reproduction Steps

Use the snippet below to request the entities of a Sentinel Incident which contains an entity that doesn't have a valid url:

using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.SecurityInsights;

// Build the workspace resource ID and authenticate with a client secret.
var workspaceResourceId = OperationalInsightsWorkspaceSecurityInsightsResource.CreateResourceIdentifier("<subscription id>", "<resource group name>", "<workspace name>");
var cred = new ClientSecretCredential("<entra id tenant id>", "<client id>", "<secret>");
var armClient = new ArmClient(cred);
var workspaceResource = armClient.GetOperationalInsightsWorkspaceSecurityInsightsResource(workspaceResourceId);
var incidentResource = await workspaceResource.GetSecurityInsightsIncidentAsync("<Sentinel incident id>", CancellationToken.None);
// Throws System.UriFormatException when an entity's properties.url is not a valid URI.
var entities = await incidentResource.Value.GetEntitiesResultAsync(CancellationToken.None);

Below is the full exception:

System.UriFormatException: Invalid URI: The format of the URI could not be determined.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions)
   at System.Uri..ctor(String uriString)
   at Azure.ResourceManager.SecurityInsights.Models.SecurityInsightsUriEntity.DeserializeSecurityInsightsUriEntity(JsonElement element, ModelReaderWriterOptions options)
   at Azure.ResourceManager.SecurityInsights.Models.SecurityInsightsEntity.DeserializeSecurityInsightsEntity(JsonElement element, ModelReaderWriterOptions options)
   at Azure.ResourceManager.SecurityInsights.Models.SecurityInsightsIncidentEntitiesResult.DeserializeSecurityInsightsIncidentEntitiesResult(JsonElement element, ModelReaderWriterOptions options)
   at Azure.ResourceManager.SecurityInsights.IncidentsRestOperations.ListEntitiesAsync(String subscriptionId, String resourceGroupName, String workspaceName, String incidentId, CancellationToken cancellationToken)
   at Azure.ResourceManager.SecurityInsights.SecurityInsightsIncidentResource.GetEntitiesResultAsync(CancellationToken cancellationToken)

Environment

.NET SDK:
 Version:           8.0.400
 Commit:            36fe6dda56
 Workload version:  8.0.400-manifests.74e8da0c
 MSBuild version:   17.11.3+0c8610977

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.19045
 OS Platform: Windows
 RID:         win-x64
 Base Path:   C:\Program Files\dotnet\sdk\8.0.400\
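
The failure reported above comes from constructing a System.Uri from a bare FQDN. The following is an added example, not part of the original issue or the SDK, showing one way to read properties.url from raw entity JSON without throwing, so that one non-URL value does not discard the whole entity list. The names TolerantUrlEntityReader, UrlEntityValue and UrlValueKind are hypothetical, and the JSON array and its second entry are constructed sample input.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

public enum UrlValueKind { AbsoluteUri, BareHostName, Unparsed }
public sealed record UrlEntityValue(string Raw, UrlValueKind Kind, Uri? Parsed);

public static class TolerantUrlEntityReader
{
    // Classify properties.url without throwing; the raw string is always preserved.
    // Requiring a non-empty Host rejects scheme-only parses such as "host:8080".
    public static UrlEntityValue Classify(string raw)
    {
        if (Uri.TryCreate(raw, UriKind.Absolute, out Uri? abs) && abs.Host.Length > 0)
            return new UrlEntityValue(raw, UrlValueKind.AbsoluteUri, abs);
        if (Uri.CheckHostName(raw) == UriHostNameType.Dns)
            return new UrlEntityValue(raw, UrlValueKind.BareHostName, null);
        return new UrlEntityValue(raw, UrlValueKind.Unparsed, null);
    }

    // Reads a JSON array of entities and returns the url of every entity of kind "Url".
    public static List<UrlEntityValue> ReadUrlEntities(string json)
    {
        var result = new List<UrlEntityValue>();
        using JsonDocument doc = JsonDocument.Parse(json);
        foreach (JsonElement entity in doc.RootElement.EnumerateArray())
        {
            if (!entity.TryGetProperty("kind", out JsonElement kind) || kind.GetString() != "Url")
                continue;
            if (entity.TryGetProperty("properties", out JsonElement props) &&
                props.TryGetProperty("url", out JsonElement url) &&
                url.ValueKind == JsonValueKind.String)
                result.Add(Classify(url.GetString()!));
        }
        return result;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: first entity mirrors the issue's payload, second is a full URL.
        const string json = """
        [ {"kind":"Url","properties":{"url":"test.domain.io"}},
          {"kind":"Url","properties":{"url":"https://test.domain.io/login"}} ]
        """;
        foreach (UrlEntityValue v in TolerantUrlEntityReader.ReadUrlEntities(json))
            Console.WriteLine($"{v.Kind,-12} {v.Raw}");
    }
}
```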
@github-actions bot added the customer-reported, Mgmt and needs-team-attention labels on Nov 21, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@github-actions bot added the question and SecurityInsights labels on Nov 21, 2024
@ArthurMa1978 (Member)

Thank you @vdakkerd for your feedback, @HarveyLink please look into this issue.
