Sentinel watchlists import issue when the field starts or ends with double quotes

AK 1 Reputation point
2024-07-22T23:59:38.0133333+00:00

Hi team,

I wanted to report a bug that has been present in Microsoft Sentinel for a long time and has not yet been addressed by Microsoft.

The bug is present in the Sentinel watchlists.

When you create a new watchlist with any random fields and then you edit the watchlist and you edit a field for example like this:

Old value: cmd.exe

New value: "cmd.exe"

Or even this new value (where the value starts with a double quote): "cmd.exe" /some parameters here

This works properly, and you can see in the watchlist editor or in the logs the double quotes present at the beginning and/or at the end of the value.

The issue starts when you export the watchlist from the logs as a CSV. This is what an example looks like:

Watchlist in the Sentinel watchlist editor:

| column1 | column2 |
|---------|-----------|
| Cell 1  | Cell 2    |
| value1  | "cmd.exe" |

```csv
column1,column2
"value1","""value2"""
```

So that was the watchlist after exporting it.

When I try to import it again as a watchlist, I get the following preview:

[screenshot: import preview]

which is great.

But what I didn't expect is when I save the watchlist, this is what I get:

[screenshot: saved watchlist]

The double quotes are gone. And they are gone only when they are used at the beginning and/or the end of a field. No matter how many fields match that condition, the double quotes are deleted. Double quotes in the middle of a field remain, but not those at the beginning or at the end.

I experienced the same issue when I used the watchlist Azure CLI as well (this is the only way I could find to automate the deployment of a CSV file, and I insist that I can only deploy a CSV file, not a JSON file):

```powershell
New-AzResourceGroupDeployment -Name $deploymentName -ResourceGroupName $ResourceGroupName -TemplateFile $path -displayName $displayName -alias $alias -description $description -itemsSearchKey $itemsSearchKey -numberOfLinesToSkip $numberOfLinesToSkip -workspace $workspaceName -TemplateParameterFile $parameterFile -ErrorAction Stop -csv_file_content $watchlistCSVContent | Out-Host
```

Unfortunately, the update operation in the Sentinel Watchlist editor (in the web browser) is performed using JSON (the following screenshot was taken from the network tab of my web browser when I updated the watchlist from the Watchlist editor by clicking on the "save" button):

[screenshot: browser network tab during save]

If the bulk update preview showed that there are double quotes, why doesn't the real content of the watchlist show the double quotes?

I'd like to ask Microsoft to fix the bug of the double quotes removal for the "New-AzResourceGroupDeployment" CLI (mainly) because I'm updating the watchlist in an automated way. And of course I'd like to ask Microsoft to fix the bug when the bulk update is used in Sentinel (in the web browser).

I'd appreciate it if I could get an estimate of how long it will take for the bug to be fixed.

Thank you for your collaboration.

Best regards
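An added example, not part of the post or of Microsoft's code: it shows the RFC 4180 quoting that produces the `"""value2"""` shape in the export, a conforming round trip that keeps the quotes, a hypothetical reader (`import_csv_lossy`, an assumption about the mechanism, not Sentinel's actual code) that strips one extra layer of quotes and so reproduces the symptom described, and a pre-flight check (`fields_at_risk`) that flags such fields before an automated deployment.

```python
import csv
import io

# Constructed sample mirroring the post: a value wrapped in literal double
# quotes, one that only starts with a quote, and one with quotes in the middle.
ROWS = [
    ["column1", "column2"],
    ["value1", '"cmd.exe"'],
    ["value2", '"cmd.exe" /some parameters here'],
    ["value3", 'run "cmd.exe" now'],
]


def export_csv(rows):
    """RFC 4180 export: every field quoted, embedded quotes doubled.
    A field holding "cmd.exe" is therefore written as \"\"\"cmd.exe\"\"\"."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def import_csv_correct(text):
    """Conforming reader: outer quotes are delimiters, doubled quotes become one."""
    return list(csv.reader(io.StringIO(text)))


def import_csv_lossy(text):
    """Hypothetical reader that models the reported symptom (assumption, not
    Microsoft's implementation): after a correct parse it strips leading and
    trailing double quotes again, so only quotes in the middle survive."""
    return [[f.strip('"') for f in row] for row in import_csv_correct(text)]


def fields_at_risk(rows):
    """Pre-flight check for automated deployments: (row, column, value) for
    every field that starts or ends with a double quote."""
    header, body = rows[0], rows[1:]
    return [
        (i, col, val)
        for i, row in enumerate(body, start=1)
        for col, val in zip(header, row)
        if val.startswith('"') or val.endswith('"')
    ]


def round_trip_ok(rows, importer):
    """True when export followed by `importer` returns the rows unchanged."""
    return importer(export_csv(rows)) == rows
```

Running `round_trip_ok(ROWS, import_csv_lossy)` returns False while the conforming reader returns True, which is the kind of check worth running on a watchlist CSV before handing it to a deployment pipeline.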
