Incorrect Reporting/Delta reports if multiple values in one attribute/key. Example:-ExchangeSenderMemberOf = @("{" #2545

Closed
maheshdalavi opened this issue Nov 15, 2022 · 2 comments · Fixed by #2577 or #2584
Labels: Bug (Something isn't working), Security & Compliance Center, V1.22.1109.1 (Version 1.22.1109.1)

maheshdalavi commented Nov 15, 2022

Details of the scenario you tried and the problem that is occurring

  • In one of my DLP policies and other configuration, I have multiple exceptions for DL and users.
  • I pulled the M365Tenantconfig.ps1 and tried to create reports like xml, xlsx, json and Delta report from it.
  • For example, I have exceptions in “ExchangeSenderMemberOf” and “ExchangeSenderMemberOfException” in my tenant.
  • ExchangeSenderMemberOf = @("{"PrimarySmtpAddress":"maheshCase@$OrganizationName","Id.....................
  • And I noticed, parsing is inaccurate/incomplete while creating reports. This would affect the effectiveness of this module.
  • If I remove these exceptions from the config file, reports are working fine.

Verbose logs showing the problem

PS C:\WINDOWS\system32> New-M365DSCDeltaReport -Destination D:\ParserDSC\nochange\config\M365TenantConfig.ps1 -source D:\ParserDSC\nochange\config1\M365TenantConfig.ps1 -OutputPath D:\ParserDSC\nochangedelta.html -Verbose
VERBOSE: Obtaining Delta between the source and destination configurations
VERBOSE: Loading file 'D:\ParserDSC\nochange\config1\M365TenantConfig.ps1'
Method invocation failed because [System.Object[]] does not contain a method named 'op_Addition'.
At C:\Program Files\WindowsPowerShell\Modules\DSCParser\1.3.0.6\modules\DSCParser.psm1:185 char:21
+                 $result.$currentProperty += $subResult
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (op_Addition:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

Method invocation failed because [System.Object[]] does not contain a method named 'op_Addition'.
At C:\Program Files\WindowsPowerShell\Modules\DSCParser\1.3.0.6\modules\DSCParser.psm1:185 char:21
+                 $result.$currentProperty += $subResult
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (op_Addition:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

Method invocation failed because [System.Object[]] does not contain a method named 'op_Addition'.
At C:\Program Files\WindowsPowerShell\Modules\DSCParser\1.3.0.6\modules\DSCParser.psm1:185 char:21
+                 $result.$currentProperty += $subResult
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (op_Addition:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

Method invocation failed because [System.Object[]] does not contain a method named 'op_Addition'.
At C:\Program Files\WindowsPowerShell\Modules\DSCParser\1.3.0.6\modules\DSCParser.psm1:185 char:21
+                 $result.$currentProperty += $subResult
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (op_Addition:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

VERBOSE: Loading file 'D:\ParserDSC\nochange\config\M365TenantConfig.ps1'
Method invocation failed because [System.Object[]] does not contain a method named 'op_Addition'.
At C:\Program Files\WindowsPowerShell\Modules\DSCParser\1.3.0.6\modules\DSCParser.psm1:185 char:21
+                 $result.$currentProperty += $subResult
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (op_Addition:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

Method invocation failed because [System.Object[]] does not contain a method named 'op_Addition'.
At C:\Program Files\WindowsPowerShell\Modules\DSCParser\1.3.0.6\modules\DSCParser.psm1:185 char:21
+                 $result.$currentProperty += $subResult
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (op_Addition:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

PS C:\WINDOWS\system32>

Suggested solution to the issue

  • Change in the parsing to parse below affecting data (ExchangeSenderMemberOf and ExchangeSenderMemberOfException)

SCDLPCompliancePolicy f08a2b88-035e-452a-9a63-5ed5e3981d15
{
Comment = "Create a custom policy from scratch. You will choose the type of content to protect and how you want to protect it.";
Credential = $Credscredential;
Ensure = "Present";
ExchangeLocation = "All";
ExchangeSenderMemberOf = @("{"PrimarySmtpAddress":"maheshCase@$OrganizationName","Id":"1c2f32f8-6e1b-4ab9-98cf-70f82be732dc","ExchangeObjectId":"1c2f32f8-6e1b-4ab9-98cf-70f82be732dc","ExternalDirectoryObjectId":"1c2f32f8-6e1b-4ab9-98cf-70f82be732dc","DisplayName":"maheshCase","RecipientType":7,"RecipientTypeDetails":8796093022208,"AdministrativeUnits":null}");
ExchangeSenderMemberOfException = @("{"PrimarySmtpAddress":"","Id":"ef1a0e3c-676d-40de-87e8-4e4435fa5a22","ExchangeObjectId":"ef1a0e3c-676d-40de-87e8-4e4435fa5a22","ExternalDirectoryObjectId":"ef1a0e3c-676d-40de-87e8-4e4435fa5a22","DisplayName":"Contoso Web App Users","RecipientType":6,"RecipientTypeDetails":524288,"AdministrativeUnits":null}");

Mode = "Enable";
Name = "DLP policy Parser error";
OneDriveLocation = "All";
OneDriveLocationException = @();
Priority = 2;
SharePointLocation = "All";
SharePointLocationException = @();
TeamsLocation = "All";
TeamsLocationException = @();
}

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Export-M365DSCConfiguration -Components @("SCDLPCompliancePolicy", "SCDLPComplianceRule", "SCLabelPolicy", "SCSensitivityLabel") -Credential $Credential -Path D:\ParserDSC\config
-	Create a DLP policy.
-	Add exchange or teams or any sort of exceptions (User exception or Distribution group exception)
-	Pull the MTenantconfig.ps1
-	Try to compare it with other configuration or try to create a report.
# insert configuration here

param (
[parameter()]
[System.Management.Automation.PSCredential]
$Credential
)

Configuration M365TenantConfig
{
param (
[parameter()]
[System.Management.Automation.PSCredential]
$Credential
)

if ($null -eq $Credential)
{
    <# Credentials #>
    $Credscredential = Get-Credential -Message "Credentials"

}
else
{
    $CredsCredential = $Credential
}

$OrganizationName = $CredsCredential.UserName.Split('@')[1]

Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.22.1109.1'

Node localhost
{
    SCDLPCompliancePolicy 860f14e5-f31a-4e4a-96e3-2cfdd749f5ab
    {
        Comment                         = "This policy detects the presence of credit card numbers in Teams chats and channel messages. When this sensitive information is detected, admins will get an Alert notification. Users would not see any policy tip. However, you can edit these actions anytime.";
        Credential                      = $Credscredential;
        Ensure                          = "Present";
        ExchangeSenderMemberOf          = @();
        ExchangeSenderMemberOfException = @();
        Mode                            = "Enable";
        Name                            = "Default policy for Teams";
        OneDriveLocationException       = @();
        Priority                        = 0;
        SharePointLocationException     = @();
        TeamsLocation                   = "All";
        TeamsLocationException          = @();
    }
    SCDLPCompliancePolicy e9772bbe-25f9-42e0-b16b-80d4324bf6e6
    {
        Comment                         = "Create a custom policy from scratch. You will choose the type of content to protect and how you want to protect it.";
        Credential                      = $Credscredential;
        Ensure                          = "Present";
        ExchangeLocation                = "All";
        ExchangeSenderMemberOf          = @();
        ExchangeSenderMemberOfException = @();
        Mode                            = "Enable";
        Name                            = "SymantecDLP";
        OneDriveLocation                = "All";
        OneDriveLocationException       = @();
        Priority                        = 1;
        SharePointLocation              = "All";
        SharePointLocationException     = @();
        TeamsLocation                   = "All";
        TeamsLocationException          = @();
    }
    SCDLPCompliancePolicy f08a2b88-035e-452a-9a63-5ed5e3981d15
    {
        Comment                         = "Create a custom policy from scratch. You will choose the type of content to protect and how you want to protect it.";
        Credential                      = $Credscredential;
        Ensure                          = "Present";
        ExchangeLocation                = "All";
        **ExchangeSenderMemberOf          = @("{"PrimarySmtpAddress":"maheshCase@$OrganizationName","Id":"1c2f32f8-6e1b-4ab9-98cf-70f82be732dc","ExchangeObjectId":"1c2f32f8-6e1b-4ab9-98cf-70f82be732dc","ExternalDirectoryObjectId":"1c2f32f8-6e1b-4ab9-98cf-70f82be732dc","DisplayName":"maheshCase","RecipientType":7,"RecipientTypeDetails":8796093022208,"AdministrativeUnits":null}");
        ExchangeSenderMemberOfException = @("{"PrimarySmtpAddress":"","Id":"ef1a0e3c-676d-40de-87e8-4e4435fa5a22","ExchangeObjectId":"ef1a0e3c-676d-40de-87e8-4e4435fa5a22","ExternalDirectoryObjectId":"ef1a0e3c-676d-40de-87e8-4e4435fa5a22","DisplayName":"Contoso Web App Users","RecipientType":6,"RecipientTypeDetails":524288,"AdministrativeUnits":null}");**
        Mode                            = "Enable";
        Name                            = "DLP policy Parser error";
        OneDriveLocation                = "All";
        OneDriveLocationException       = @();
        Priority                        = 2;
        SharePointLocation              = "All";
        SharePointLocationException     = @();
        TeamsLocation                   = "All";
        TeamsLocationException          = @();
    }
    SCDLPComplianceRule 94059fa8-6351-4516-acb3-c579786bf07f
    {
        BlockAccess                         = $False;
        ContentContainsSensitiveInformation = MSFT_SCDLPContainsSensitiveInformation
        {
            SensitiveInformation = @(
                MSFT_SCDLPSensitiveInformation
                {
                    name = 'ABA Routing Number'
                    id = 'cb353f78-2b72-4c3c-8827-92ebe4f69fdf'
                    maxconfidence = '100'
                    minconfidence = '75'
                    classifiertype = 'Content'
                    mincount = '1'
                    maxcount = '-1'
                }
            )
        };
        Credential                          = $Credscredential;
        Disabled                            = $False;
        DocumentIsPasswordProtected         = $False;
        DocumentIsUnsupported               = $False;
        Ensure                              = "Present";
        ExceptIfDocumentIsPasswordProtected = $False;
        ExceptIfDocumentIsUnsupported       = $False;
        ExceptIfHasSenderOverride           = $False;
        ExceptIfProcessingLimitExceeded     = $False;
        GenerateAlert                       = @("true");
        HasSenderOverride                   = $False;
        Name                                = "DSC test parser error";
        Policy                              = "DLP policy Parser error";
        ProcessingLimitExceeded             = $False;
        RemoveRMSTemplate                   = $False;
        ReportSeverityLevel                 = "Low";
        StopPolicyProcessing                = $False;
    }
    SCDLPComplianceRule 6e9df3e2-7be5-4cda-9f0e-767bf5b4752d
    {
        BlockAccess                         = $False;
        ContentContainsSensitiveInformation = MSFT_SCDLPContainsSensitiveInformation
        {
            SensitiveInformation = @(
                MSFT_SCDLPSensitiveInformation
                {
                    name = 'Keyword Symantec@123'
                    id = 'e932c3e1-53f2-49d7-8db3-826c114b9618'
                    maxconfidence = '100'
                    minconfidence = '85'
                    classifiertype = 'Content'
                    mincount = '1'
                    maxcount = '-1'
                }
            )
        };
        Credential                          = $Credscredential;
        Disabled                            = $False;
        DocumentIsPasswordProtected         = $False;
        DocumentIsUnsupported               = $False;
        Ensure                              = "Present";
        ExceptIfDocumentIsPasswordProtected = $False;
        ExceptIfDocumentIsUnsupported       = $False;
        ExceptIfHasSenderOverride           = $False;
        ExceptIfProcessingLimitExceeded     = $False;
        GenerateAlert                       = @("true");
        HasSenderOverride                   = $False;
        Name                                = "SymantecDLP";
        Policy                              = "SymantecDLP";
        ProcessingLimitExceeded             = $False;
        RemoveRMSTemplate                   = $False;
        ReportSeverityLevel                 = "Low";
        StopPolicyProcessing                = $False;
    }
    SCDLPComplianceRule c8d7c3e2-4de5-46bb-937d-1dd3e4a76c95
    {
        BlockAccess                         = $False;
        Comment                             = "This default policy will monitor credit card details with a rule to notify the Administrator.";
        ContentContainsSensitiveInformation = MSFT_SCDLPContainsSensitiveInformation
        {
            SensitiveInformation = @(
                MSFT_SCDLPSensitiveInformation
                {
                    name = 'Credit Card Number'
                    id = '50842eb7-edc8-4019-85dd-5a5c1f2bb085'
                    maxconfidence = '100'
                    minconfidence = '85'
                    classifiertype = 'Content'
                    mincount = '1'
                    maxcount = '-1'
                }
            )
        };
        Credential                          = $Credscredential;
        Disabled                            = $False;
        DocumentIsPasswordProtected         = $False;
        DocumentIsUnsupported               = $False;
        Ensure                              = "Present";
        ExceptIfDocumentIsPasswordProtected = $False;
        ExceptIfDocumentIsUnsupported       = $False;
        ExceptIfHasSenderOverride           = $False;
        ExceptIfProcessingLimitExceeded     = $False;
        GenerateIncidentReport              = @("SiteAdmin");
        HasSenderOverride                   = $False;
        IncidentReportContent               = @("Title","DocumentAuthor","DocumentLastModifier","Service","MatchedItem","RulesMatched","Detections","Severity","RetentionLabel","SensitivityLabel");
        Name                                = "Default Teams DLP policy rule";
        Policy                              = "Default policy for Teams";
        ProcessingLimitExceeded             = $False;
        RemoveRMSTemplate                   = $False;
        ReportSeverityLevel                 = "Low";
        StopPolicyProcessing                = $False;
    }
}
}

M365TenantConfig -ConfigurationData .\ConfigurationData.psd1 -Credential $Credential

The operating system the target node is running

OsName : Microsoft Windows 10 Pro
OsOperatingSystemSKU : 48
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version of the DSC module that was used ('dev' if using current dev branch)

PS C:\WINDOWS\system32> Get-Module Microsoft365DSC | fl name,version
Name : Microsoft365DSC
Version : 1.22.1109.1

PowerShell
Name                           Value
----                           -----
PSVersion                      5.1.19041.1682
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.1682
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

andikrueger added the V1.22.1109.1 (Version 1.22.1109.1), Bug (Something isn't working) and Core Engine labels on Nov 15, 2022

maheshdalavi (Author) commented

DSCparser module shows a clear error with the Microsoft365DSC module.
PS C:\WINDOWS\system32> ConvertTo-DSCObject -Path "D:\ParserDSC\nochange\config\M365TenantConfig.ps1" -Verbose
VERBOSE: Populating RepositorySourceLocation property for module Microsoft365DSC.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\M365DSCAgent.psm1'.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\M365DSCDocGenerator.psm1'.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\M365DSCErrorHandler.psm1'.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\M365DSCLogEngine.psm1'.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\M365DSCPermissions.psm1'.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\M365DSCReport.psm1'.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\M365DSCReverse.psm1'.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\M365DSCStubsUtility.psm1'.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\M365DSCTelemetryEngine.psm1'.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\M365DSCUtil.psm1'.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\EncodingHelpers\M365DSCEmojis.psm1'.
VERBOSE: Loading module from path 'C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.22.1109.1\modules\EncodingHelpers\M365DSCStringEncoding.psm1'.
Method invocation failed because [System.Object[]] does not contain a method named 'op_Addition'.
At C:\Program Files\WindowsPowerShell\Modules\DSCParser\1.3.0.6\modules\DSCParser.psm1:185 char:21
+                 $result.$currentProperty += $subResult
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (op_Addition:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

Method invocation failed because [System.Object[]] does not contain a method named 'op_Addition'.
At C:\Program Files\WindowsPowerShell\Modules\DSCParser\1.3.0.6\modules\DSCParser.psm1:185 char:21
+                 $result.$currentProperty += $subResult
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (op_Addition:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

Name Value


ResourceName SCDLPCompliancePolicy
ResourceID 860f14e5-f31a-4e4a-96e3-2cfdd749f5ab
Comment This policy detects the presence of credit card numbers in Teams chats and channel me...
Credential $Credscredential
Ensure Present
ExchangeSenderMemberOf {}
ExchangeSenderMemberOfExcep... {}
Mode Enable
Name Default policy for Teams
OneDriveLocationException {}
Priority 0
SharePointLocationException {}
TeamsLocation All
TeamsLocationException {}
ResourceName SCDLPCompliancePolicy
ResourceID e9772bbe-25f9-42e0-b16b-80d4324bf6e6
Comment Create a custom policy from scratch. You will choose the type of content to protect a...
Credential $Credscredential
Ensure Present
ExchangeLocation All
ExchangeSenderMemberOf {}
ExchangeSenderMemberOfExcep... {}
Mode Enable
Name SymantecDLP
OneDriveLocation All
OneDriveLocationException {}
Priority 1
SharePointLocation All
SharePointLocationException {}
TeamsLocation All
TeamsLocationException {}
ResourceName SCDLPCompliancePolicy
ResourceID f08a2b88-035e-452a-9a63-5ed5e3981d15
Comment Create a custom policy from scratch. You will choose the type of content to protect a...
Credential $Credscredential$Credscredential$Credscredential$Credscredential
Ensure PresentPresentPresentPresent
ExchangeLocation All
ExchangeSenderMemberOf {{, PrimarySmtpAddress:maheshCase@$OrganizationName,Id:1c2f32f8-6e1b-4ab9-98cf-70f82b...
ExchangeSenderMemberOfExcep... {{, PrimarySmtpAddress:",Id:ef1a0e3c-676d-40de-87e8-4e4435fa5a22,ExchangeObjectId:ef1...
Mode Enable
Name DLP policy Parser errorDSC test parser errorSymantecDLPDefault Teams DLP policy rule
OneDriveLocation All
OneDriveLocationException {}
Priority 2
SharePointLocation All
SharePointLocationException {}
TeamsLocation All
TeamsLocationException {System.Collections.Specialized.OrderedDictionary}
BlockAccess 0
ContentContainsSensitiveInf... {System.Collections.Specialized.OrderedDictionary, System.Collections.Specialized.Ord...
SensitiveInformation {System.Collections.Specialized.OrderedDictionary}
Disabled 0
DocumentIsPasswordProtected 0
DocumentIsUnsupported 0
ExceptIfDocumentIsPasswordP... 0
ExceptIfDocumentIsUnsupported 0
ExceptIfHasSenderOverride 0
ExceptIfProcessingLimitExce... 0
GenerateAlert {true}
HasSenderOverride 0
Policy DLP policy Parser errorSymantecDLPDefault policy for Teams
ProcessingLimitExceeded 0
RemoveRMSTemplate 0
ReportSeverityLevel LowLowLow
StopPolicyProcessing 0
GenerateIncidentReport {SiteAdmin}
IncidentReportContent {Title, DocumentAuthor, DocumentLastModifier, Service...}

PS C:\WINDOWS\system32>

andikrueger (Collaborator) commented

@malauter could you have a look at this issue? Either the escaping of the string does not work properly or we need to change the datatype of these props.
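
Added example (not part of the issue thread and not Microsoft365DSC or DSCParser code): a PowerShell check that runs the language parser, without executing anything, over three constructed variants of an ExchangeSenderMemberOf-style value and reports parse errors and how many array elements decode as JSON. It shows why the escaping of the embedded JSON decides whether a report built from the file can be trusted. The helper name Test-DscArrayLiteral, the address and the GUID are assumptions made for illustration; the first variant is written the way the value is displayed on this page, with no escape characters.

```powershell
# Added example. The three snippets are constructed: a shortened form of the value
# shown in the issue, with a placeholder address and GUID.
$unescaped = @'
$v = @("{"PrimarySmtpAddress":"group@contoso.example","Id":"00000000-0000-0000-0000-000000000001"}")
'@
$backtick = @'
$v = @("{`"PrimarySmtpAddress`":`"group@contoso.example`",`"Id`":`"00000000-0000-0000-0000-000000000001`"}")
'@
$singleQuoted = @'
$v = @('{"PrimarySmtpAddress":"group@contoso.example","Id":"00000000-0000-0000-0000-000000000001"}')
'@

function Test-DscArrayLiteral {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Label,
        [Parameter(Mandatory)] [string] $Source
    )
    # Parse only; nothing in $Source is executed.
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($Source, [ref] $tokens, [ref] $errors)

    $firstError = $null
    $elements   = 0
    $validJson  = 0
    if ($errors.Count -gt 0) {
        $firstError = $errors[0].Message
    }
    else {
        # Collect every string literal the parser recognised in the array.
        $strings = $ast.FindAll({
                param($node)
                $node -is [System.Management.Automation.Language.StringConstantExpressionAst] -or
                $node -is [System.Management.Automation.Language.ExpandableStringExpressionAst]
            }, $true)
        foreach ($s in $strings) {
            $elements++
            try {
                # .Value is the literal's text with quote escapes resolved.
                $obj = $s.Value | ConvertFrom-Json -ErrorAction Stop
                if ($obj.Id) { $validJson++ }
            }
            catch { }   # not JSON: counted as an element, not as valid
        }
    }
    [pscustomobject]@{
        Variant     = $Label
        ParseErrors = $errors.Count
        FirstError  = $firstError
        Elements    = $elements
        ValidJson   = $validJson
    }
}

Test-DscArrayLiteral -Label 'no escaping (as displayed above)' -Source $unescaped
Test-DscArrayLiteral -Label 'backtick-escaped quotes'          -Source $backtick
Test-DscArrayLiteral -Label 'single-quoted literal'            -Source $singleQuoted
```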
