
ASimAuditEvent - Improperly Formatted Value for Scheduled Tasks

Open andrewj-t opened this issue 5 months ago • 0 comments

Describe the bug When the vimAuditEventMicrosoftSecurityEvents or ASimAuditEventMicrosoftSecurityEvents parsers return results for Scheduled Task events, the Value/NewValue field contains improperly unescaped XML which cannot be parsed with parse_xml. The versions of the ASIM AuditEvent parsers which operate on the WindowsEvent table do not have this issue and return properly formatted XML.

To Reproduce Steps to reproduce the behavior:

  1. Run this KQL

```kql
ASimAuditEventMicrosoftSecurityEvents
| where EventOriginalType == 4698
```

  2. Observe that partially escaped XML is returned for the Value field

```xml
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
	<RegistrationInfo>
```

  3. Run this KQL to compare results to WindowsEvent based logs

```kql
ASimAuditEventMicrosoftWindowsEvents
| where EventOriginalType == 4698
```

  4. Observe that correctly formatted XML is returned for the Value field

```
&lt;?xml version="1.0" encoding="UTF-16"?&gt;
&lt;Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;
	&lt;RegistrationInfo&gt;
```

Expected behavior As these parsers both operate on Windows event logs, they should return the information consistently, as correctly formatted XML, so it can be further parsed by parse_xml or similar by the user if required.

Additional context I have created a fix and will submit a PR shortly.

andrewj-t, Nov 20 '25 01:11
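Until the parsers agree, an analyst exporting 4698 rows has to cope with whichever shape the Value/NewValue field arrives in. The following Python is an added example, not code from the Azure-Sentinel repository or from the author's fix: it accepts the raw, fully escaped and partially escaped forms described in the issue, parses the task definition, and pulls out the fields a triage usually starts with (author, principal, triggers, command line). The sample task XML is constructed for the example and only its root element matches what the issue shows; the field selection and the two flags at the end are this example's own choices, not anything the issue specifies.

```python
"""Parse the Value/NewValue field of a 4698 (scheduled task created) audit event.

Added example, not code from the Azure-Sentinel repository or the issue author's
PR. It assumes the field carries the task-definition XML in one of the shapes the
issue describes: raw XML, fully HTML-escaped XML (&lt;...&gt;), or a partially
escaped mix. The sample task definition below is constructed for this example.
"""
import html
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}

# Constructed sample: a task registered by a user that runs hidden, encoded
# PowerShell as LocalSystem at every logon (a common persistence shape).
RAW_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>CORP\\jdoe</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-nop -w hidden -enc SQBFAFgA</Arguments>
    </Exec>
  </Actions>
</Task>"""

# The fully escaped shape (what the WindowsEvent-based parser returns) and a
# partially escaped shape (root element raw, inner markup escaped), both
# derived from the constructed sample above.
ESCAPED_TASK_XML = html.escape(RAW_TASK_XML, quote=False)
_lines = RAW_TASK_XML.split("\n")
MIXED_TASK_XML = "\n".join(
    _lines[:2] + [html.escape(l, quote=False) for l in _lines[2:-1]] + _lines[-1:]
)


def _strip_declaration(text: str) -> str:
    """Drop the XML declaration: the column is already decoded text, so its
    encoding="UTF-16" claim does not describe the string we actually hold."""
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text)


def parse_task(value: str) -> ET.Element:
    """Return the <Task> element whether the value is raw, escaped or mixed.

    Raw XML is tried first so legitimate entities inside the task (an '&amp;'
    in Arguments, say) are decoded by the XML parser rather than clobbered by
    html.unescape. A partially escaped blob parses as a <Task> with only text
    content and no child elements, which is treated as not yet usable."""
    for text in (value, html.unescape(value)):
        try:
            root = ET.fromstring(_strip_declaration(text.strip()))
        except ET.ParseError:
            continue
        if root.tag == f"{{{TASK_NS}}}Task" and len(root):
            return root
    raise ValueError("Value does not contain a parseable task definition")


def summarize_task(value: str) -> dict:
    """Extract the fields an analyst triages on a 4698 event, plus simple flags."""
    root = parse_task(value)

    def text(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    summary = {
        "author": text("t:RegistrationInfo/t:Author"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "triggers": [c.tag.split("}")[1] for c in root.findall("t:Triggers/*", NS)],
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
    }
    args = summary["arguments"].lower()
    flags = []
    if summary["run_as"] == "S-1-5-18":  # LocalSystem SID
        flags.append("runs_as_system")
    if "powershell" in summary["command"].lower() and ("-enc" in args or "hidden" in args):
        flags.append("encoded_or_hidden_powershell")
    summary["flags"] = flags
    return summary


if __name__ == "__main__":
    for name, sample in [("raw", RAW_TASK_XML), ("escaped", ESCAPED_TASK_XML),
                         ("mixed", MIXED_TASK_XML)]:
        print(name, summarize_task(sample))
```

All three shapes yield the same summary, which is the property the issue asks the parsers to provide upstream; the try-raw-first order matters because blindly unescaping a raw task would corrupt any `&amp;` or `&lt;` that the task's own arguments legitimately contain.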