X-Pack Watcher Webhook malformed json with backslashes

legend:

As part of the payload, I'm grabbing one field, which contains backslashes:
"C:\Windows\System32\wbem\WmiPrvSE.exe"

But when I try to send it to the webhook as JSON, it doesn't escape them properly, so in the end I'm getting malformed JSON.

I'm trying to use a Painless transform to "double-escape" these backslashes, but can't figure out the right usage.

action script:

  "actions": {
    "logstash_hook": {
      "webhook": {
        "scheme": "http",
        "host": "x.x.x.x",
        "port": 9000,
        "method": "post",
        "path": "/api/alert",
        "params": {},
        "headers": {
          "Authorization": "Bearer xxxxxx"
        },
        "body": {
          "source": {
            "title": "{{ctx.metadata.name}}",
            "description": "xxxxxxx",
            "type": "external",
            "severity": 3,
            "tlp": 3,
            "artifacts": [
              {
                "dataType": "fqdn",
                "data": "{{ctx.payload.hostname}}",
                "tags": [
                  "hostname"
                ]
              },
              {
                "dataType": "other",
                "data": "{{ctx.payload.user}}",
                "tags": [
                  "src-user"
                ]
              },
              {
                "dataType": "other",
                "data": "{{ctx.payload.process_name}}",
                "tags": [
                  "process_name"
                ]
              }
            ],
            "source": "xpack",
            "sourceRef": "{{ctx.payload.alertid}}"
          },
          "lang": "mustache",
          "options": {
            "content_type": "application/json; charset=UTF-8"
          }
        }
      }
    }
  },

results:

{
... 

    "transform": {
      "type": "script",
      "status": "success",
      "payload": {
        "hostname": "windows-2012-r2.demo.local",
        "@timestamp": "2017-11-10T12:17:47.500Z",
        "process_name": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "alertid": "AV-aEH8d9J44Pmhi7J2h",
        "user": "WINDOWS-2012-R2$"
      }
    },
    "actions": [
      {
        "id": "logstash_hook",
        "type": "webhook",
        "status": "simulated",
        "webhook": {
          "request": {
            "host": "x.x.x.x",
            "port": 9000,
            "scheme": "http",
            "method": "post",
            "path": "/api/alert",
            "headers": {
              "Authorization": "Bearer xxxxxxxxx",
              "Content-Type": "application/json; charset=UTF-8"
            },
            "body": "{\"title\":\"\",\"description\":\"xxxxxxxxx\",\"type\":\"external\",\"severity\":3,\"tlp\":3,\"artifacts\":[{\"dataType\":\"fqdn\",\"data\":\"windows-2012-r2.demo.local\",\"tags\":[\"hostname\"]},{\"dataType\":\"other\",\"data\":\"WINDOWS-2012-R2$\",\"tags\":[\"src-user\"]},{\"dataType\":\"other\",\"data\":\"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\",\"tags\":[\"process_name\"]}],\"source\":\"xpack\",\"sourceRef\":\"AV-aEH8d9J44Pmhi7J2h\"}"
          }
        }
...

transform script:

  "transform": {
    "script": {
      "source": "String pname = /\\\\/.matcher(ctx.payload.hits.hits.0._source.ProcessName).replaceAll('\\\\\\\\'); return ['@timestamp':ctx.trigger.triggered_time,'process_name': pname, 'hostname': ctx.payload.hits.hits.0._source.Hostname, 'user': ctx.payload.hits.hits.0._source.user, 'alertid': ctx.payload.hits.hits.0._id]",
      "lang": "painless"
    }
  },
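The escaping layers behind the malformed body, as an added Python example rather than anything from this thread or from Watcher itself: it mimics Mustache's plain text substitution into the webhook body (the template fragment and payload values are constructed), reproduces the transform's replaceAll to show why it leaves the backslashes untouched, and escapes every JSON-special character rather than backslashes alone.

```python
import json
import re

# Constructed sample values standing in for the watch's transform payload.
PAYLOAD = {
    "hostname": "windows-2012-r2.demo.local",
    "process_name": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "user": "WINDOWS-2012-R2$",
}

# The artifact entry from the webhook body. Mustache substitutes {{...}} as plain
# text with no knowledge of the JSON around it, which is the root of the problem.
BODY_TEMPLATE = '{"artifacts":[{"dataType":"other","data":"{{ctx.payload.process_name}}"}]}'

def render(template, payload):
    """Mimic Mustache's plain text substitution of {{ctx.payload.<field>}}."""
    return re.sub(r"\{\{ctx\.payload\.(\w+)\}\}", lambda m: payload[m.group(1)], template)

def thread_replace_all(value):
    r"""The thread's transform as the Painless source reads after JSON decoding:
    pattern /\\/ with replacement '\\\\'. Java's Matcher.replaceAll (like Python's
    re.sub) treats a backslash in the replacement as an escape, so the two-character
    replacement collapses to one backslash and the value comes back unchanged."""
    return re.sub(r"\\", "\\\\", value)

def json_escape(value):
    """Escape a string for embedding between double quotes in a JSON body.
    Backslash goes first so the later escapes are not doubled; quotes and control
    characters break the body just as an unescaped backslash does."""
    out = value.replace("\\", "\\\\").replace('"', '\\"')
    for ch, esc in (("\n", "\\n"), ("\r", "\\r"), ("\t", "\\t")):
        out = out.replace(ch, esc)
    return "".join(c if ord(c) >= 0x20 else "\\u%04x" % ord(c) for c in out)

def build_body(payload, escape):
    """Render through the given escaper and parse; raises JSONDecodeError if malformed."""
    return json.loads(render(BODY_TEMPLATE, {k: escape(v) for k, v in payload.items()}))

def body_parses(payload, escape):
    """True when the webhook body rendered with this escaper is valid JSON."""
    try:
        build_body(payload, escape)
        return True
    except json.JSONDecodeError:
        return False

def roundtrip(value):
    """Escape, quote and decode again; equals the input when escaping is right."""
    return json.loads('"' + json_escape(value) + '"')
```

Inside the watch the same chain of replacements can be written with Painless's literal String.replace (backslash first) instead of a regex whose replacement string is itself interpreted.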

Can you provide the full watch and, even more important, the full output of running the Execute Watch API?

Thank you!

--Alex
