legend:
As part of the payload, I'm grabbing one field that contains backslashes:
"C:\Windows\System32\wbem\WmiPrvSE.exe"
But when I try to send it to the webhook as JSON, the mustache template inserts the field value into the body verbatim, without JSON-escaping it (in the simulated `body` below the backslashes come through single), so I end up with malformed JSON.
I'm trying to use a Painless transform to double-escape these backslashes, but I can't figure out the right usage — the transform result below still shows the value with single backslashes.
action script:
   "actions": {
    "logstash_hook": {
      "webhook": {
        "scheme": "http",
        "host": "x.x.x.x",
        "port": 9000,
        "method": "post",
        "path": "/api/alert",
        "params": {},
        "headers": {
          "Authorization": "Bearer xxxxxx"
        },
        "body": {
          "source": {
            "title": "{{ctx.metadata.name}}",
            "description": "xxxxxxx",
            "type": "external",
            "severity": 3,
            "tlp": 3,
            "artifacts": [
              {
                "dataType": "fqdn",
                "data": "{{ctx.payload.hostname}}",
                "tags": [
                  "hostname"
                ]
              },
              {
                "dataType": "other",
                "data": "{{ctx.payload.user}}",
                "tags": [
                  "src-user"
                ]
              },
              {
                "dataType": "other",
                "data": "{{ctx.payload.process_name}}",
                "tags": [
                  "process_name"
                ]
              }
            ],
            "source": "xpack",
            "sourceRef": "{{ctx.payload.alertid}}"
          },
          "lang": "mustache",
          "options": {
            "content_type": "application/json; charset=UTF-8"
          }
        }
      }
    }
  },
results:
{
... 
    "transform": {
      "type": "script",
      "status": "success",
      "payload": {
        "hostname": "windows-2012-r2.demo.local",
        "@timestamp": "2017-11-10T12:17:47.500Z",
        "process_name": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "alertid": "AV-aEH8d9J44Pmhi7J2h",
        "user": "WINDOWS-2012-R2$"
      }
    },
      "actions": [
      {
        "id": "logstash_hook",
        "type": "webhook",
        "status": "simulated",
        "webhook": {
          "request": {
            "host": "x.x.x.x",
            "port": 9000,
            "scheme": "http",
            "method": "post",
            "path": "/api/alert",
            "headers": {
              "Authorization": "Bearer xxxxxxxxx",
              "Content-Type": "application/json; charset=UTF-8"
            },
            "body": "{\"title\":\"\",\"description\":\"xxxxxxxxx\",\"type\":\"external\",\"severity\":3,\"tlp\":3,\"artifacts\":[{\"dataType\":\"fqdn\",\"data\":\"windows-2012-r2.demo.local\",\"tags\":[\"hostname\"]},{\"dataType\":\"other\",\"data\":\"WINDOWS-2012-R2$\",\"tags\":[\"src-user\"]},{\"dataType\":\"other\",\"data\":\"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\",\"tags\":[\"process_name\"]}],\"source\":\"xpack\",\"sourceRef\":\"AV-aEH8d9J44Pmhi7J2h\"}"
          }
        }
...
transform script:
  "transform": {
    "script": {
      "source": "String pname = /\\\\/.matcher(ctx.payload.hits.hits.0._source.ProcessName).replaceAll('\\\\\\\\'); return ['@timestamp':ctx.trigger.triggered_time,'process_name': pname, 'hostname': ctx.payload.hits.hits.0._source.Hostname, 'user': ctx.payload.hits.hits.0._source.user, 'alertid': ctx.payload.hits.hits.0._id]",
      "lang": "painless"
    }
  },