JSON pipeline: Unrecognized character escape


(MZ) #1

Please help

Trying to parse JSON.

My Pipeline:

rule "extract_json"
when
  has_field("json")
then
  // parse the json field and write the resulting keys back onto the message as fields
  set_fields(to_map(parse_json(to_string($message.json))));
end

Below is the error I get in the Graylog log:

exception_message
Unrecognized character escape 'a' (code 97)
at [Source:
{"atp_protocol":"rrs","data_direction":1,"data_source_ip":null,"data_source_url":null,"data_source_url_domain":null,"data_source_url_referer":null,"device_ip":"xxx.xx.xx.xxx","device_name":"xxxxxx","device_time":"2018-12-22T03:32:42.710Z","device_uid":"1ec71456-6d43-4e89-824a-108cffe408fa","disposition":1,"downloaded_portal_id":null,"enterprise_uid":"AF6158E4770CFA9CCA9F85E22ED85FB8","external_ip":null,"feature_name":"ATP:Endpoint","feature_ver":"2014.2.0","file":{"attributes":null,"confidence":4,"confidence_atp":4,"desc":null,"disposition":1,"disposition_atp":1,"file_age":null,"first_seen":null,"folder":"CSIDL_WINDOWS\assembly ativeimages_v2.0.50727_32\microsoft.visualstu#\a95c7cb1fd41f7b018c53bd4c05424ed","md5":"b59aae7e1f317f87ce0baf5d2867d6c5","name":"Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll","prevalence":0,"prevalence_band":0,"reputation_band":4,"sha2":"aa6faa778cb4f4b7a7e548143415b1c9c8afa48b38e8892418d13b85c2951800","signature_company_name":null,"signature_issuer":null,"signature_serial_number":null,"size":134144},"id":2,"initiating_engine":null,"parent_file_name":null,"parent_file_sha2":null,"parent_installer_url":null,"product_name":"ATP:Endpoint","request_reason":null,"rule_id":null,"rule_version":0,"sep_mid":"766fe06491274fd38dabb35390988fc9","type_id":4096,"zone_id":null,"user_name":"xxxxxxxxx","sep_installed":true}; line: 1, column: 629]

It is always a different unrecognized character escape. I guess it is here, at WINDOWS\assembly: it recognizes the backslash as an escape.

Any advice?

Thanks.


(Jan Doberstein) #2

Your JSON needs to be escaped properly.


(MZ) #3

Jan,
Thank you for your reply.

I’m still in the learning process. I would really appreciate it if you could clarify what you mean by “needs to be escaped properly”.

I got this message from Symantec ATP, and it’s in CEF format, so I used the CEF input, which parses the message into multiple fields, including a “json” field, and that json field contains all that information.

Thank you.


(MZ) #4

Here is another message, but this time it was successfully parsed by the JSON extractor:

{"atp_protocol":"bash","bash":{"disposition":"1","engine_version":"10.4.0.43","recommended_action":"1","signature_version":"20181217.001","submission_type":"BASH-SONAR-PROD-GOOD","virus_id":"4294920985","virus_name":"SONAR.Module!gen3"},"data_source_url":null,"data_source_url_domain":null,"device_ip":"xxx.xx.xx.xxx","device_name":"xxxxxxx","device_time":"2018-12-24T19:20:08.944Z","disposition":1,"feature_name":"ATP:Endpoint","feature_ver":"xxxx.x.x","file":{"attributes":null,"desc":null,"folder":"CSIDL_WINDOWS\temp","md5":"fa49146dd9d7877f4eb1524d23a9ef17","name":"msi6f31.tmp","sha2":"df668bc0cb2a91626c8dc0f61e435d9b91ece902c56c39797315b40d78718df2","size":237246},"host":"xxxxxxx.xx.xxxx.symantec.com","id":0,"platform":{"country":"1","language":"English","processor":"x00 Family x Model xx Stepping x","system":"Windows x build xxxx Service Pack x"},"product_name":"ATP:Endpoint","sep_mid":"5dff8f5cba699350c4133f3e244a8219","type_id":4100,"device_uid":"abed4e50-38af-4bae-9c44-3ec23e1b7648","user_name":"xxxxxxx","sep_installed":true}


(MZ) #5

The plaintext message seems to have the correct escape character:

<13>Dec 24 22:19:17 localhost sep_proxy_insight_event: INFO - symatp CEF:0|Symantec|ATPU|3.2.0|4096|sep_proxy_insight_event|0|device_time=2018-12-24T22:19:16.928Z device_uid=aeb6632f-453a-4310-8107-61052d25f4df internalIP=xxx.xx.xx.xx internalHost=xxxxx filePath=CSIDL_WINDOWS\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\bbc88a5feed8764d266682bf4d5702b9 fname=Microsoft.PowerShell.Commands.Utility.ni.dll sha2=be677525a30093d7d2976269c16f4a89f4ce3b23c0971b02afbafb789d4fd531 md5=bf407e8aadad4cf08eecb2a2b2b290b0 disposition=0 disposition_atp=0 user_name=xxxxxxxxx json={"atp_protocol":"rrs","data_direction":1,"data_source_ip":null,"data_source_url":null,"data_source_url_domain":null,"data_source_url_referer":null,"device_ip":"xxx.xx.xx.xx","device_name":"xxxxx","device_time":"2018-12-24T22:19:16.928Z","device_uid":"aeb54654f-453a-4310-8107-61052d25f4df","disposition":1,"downloaded_portal_id":null,"enterprise_uid":"AF61582212120CFA9CCA9F85E22ED85FB8","external_ip":null,"feature_name":"ATP:Endpoint","feature_ver":"2014.2.0","file":{"attributes":null,"confidence":78,"confidence_atp":78,"desc":null,"disposition":0,"disposition_atp":0,"file_age":2,"first_seen":"2018-10-19T02:02:45.000Z","folder":"CSIDL_WINDOWS\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\bbc88a5feed8764d266682bf4d5702b9","md5":"bf407e8aadad4cf08eecb2a2b2b290b0","name":"Microsoft.PowerShell.Commands.Utility.ni.dll","prevalence":166,"prevalence_band":7,"reputation_band":1,"sha2":"be677525a30093d7d2976269c16f4a89f4ce3b23c0971b02afbafb789d4fd531","signature_company_name":null,"signature_issuer":null,"signature_serial_number":null,"size":2176512},"id":0,"initiating_engine":null,"parent_file_name":null,"parent_file_sha2":null,"parent_installer_url":null,"product_name":"ATP:Endpoint","request_reason":null,"rule_id":null,"rule_version":0,"sep_mid":"b32e0241d7bb2db9c9955a8a9d7d2d92","type_id":4096,"zone_id":null,"user_name":"xxxxxxxxx","sep_installed":true}
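
As an added illustration (not part of the thread, and not Graylog's or Symantec's code), the Python below uses the standard json module, which applies the same string-escape rules (RFC 8259) as the Jackson parser behind parse_json, to show what is going on in posts #1, #4 and #5. The folder value from post #1 is rejected because `\a` in `\assembly` is not a JSON escape; the folder value from post #4 (`CSIDL_WINDOWS\temp`) parses with no error only because `\t` happens to be a legal escape, so the stored path silently becomes `CSIDL_WINDOWS<TAB>emp`; and in the raw syslog line of post #5 the json= value carries the same single backslashes as filePath=, which is fine for a CEF extension but not inside a JSON string. The sample documents are constructed from those folder values only. `escape_lone_backslashes` is a hypothetical downstream workaround that makes a rejected document parse, and `find_control_chars` is a check that flags the damage such a workaround cannot undo; the dependable fix is for the producer to emit `\\` for every backslash.

```python
"""Why a raw Windows path breaks JSON parsing, and why a 'successful' parse can
still be wrong. Added example using Python's json module; the sample documents
are constructed from the folder values quoted in the thread."""
import json
import re

# Constructed sample 1 (folder from post #1): "\a" is not a JSON escape, so the
# parser rejects the whole document (Jackson reports
# "Unrecognized character escape 'a'", Python reports "Invalid \escape").
RAW_REJECTED = (
    r'{"folder":"CSIDL_WINDOWS\assembly\nativeimages_v2.0.50727_32'
    r'\microsoft.visualstu#\a95c7cb1fd41f7b018c53bd4c05424ed"}'
)

# Constructed sample 2 (folder from post #4): "\t" IS a JSON escape (tab), so
# this parses without error but the path is silently altered.
RAW_ACCEPTED = r'{"folder":"CSIDL_WINDOWS\temp"}'

# Constructed sample 3: what the producer should have emitted (backslash doubled).
RAW_CORRECT = r'{"folder":"CSIDL_WINDOWS\\temp"}'

# A backslash that is NOT followed by one of the escapes RFC 8259 defines.
_LONE_BACKSLASH = re.compile(r'\\(?!["\\/bfnrt]|u[0-9a-fA-F]{4})')

# Control characters that a "legal" escape inside a Windows path would produce.
_CONTROL = {"\t": r"\t", "\n": r"\n", "\r": r"\r", "\b": r"\b", "\f": r"\f"}


def parse(text):
    """Return ("ok", obj) on success or ("error", message) without raising."""
    try:
        return "ok", json.loads(text)
    except json.JSONDecodeError as exc:
        return "error", exc.msg


def escape_lone_backslashes(text):
    """Hypothetical workaround for the hard failure: double every backslash that
    does not start a legal escape. It cannot repair \\t, \\n, ... in paths, because
    those are legal escapes and the producer's intent is already lost."""
    return _LONE_BACKSLASH.sub(r"\\\\", text)


def find_control_chars(obj, path="$"):
    """Walk a parsed document and report string values containing control
    characters; in a file path they are a strong sign of an unescaped backslash."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits.extend(find_control_chars(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_control_chars(value, f"{path}[{i}]"))
    elif isinstance(obj, str):
        for ch, name in _CONTROL.items():
            if ch in obj:
                hits.append((path, name))
    return hits


def main():
    status, detail = parse(RAW_REJECTED)
    print("post #1 sample as sent:  ", status, detail)
    status, obj = parse(escape_lone_backslashes(RAW_REJECTED))
    print("after workaround:        ", status, repr(obj["folder"]))
    print("  control chars:         ", find_control_chars(obj))
    status, obj = parse(RAW_ACCEPTED)
    print("post #4 sample as sent:  ", status, repr(obj["folder"]))
    print("  control chars:         ", find_control_chars(obj))
    status, obj = parse(RAW_CORRECT)
    print("properly escaped:        ", status, repr(obj["folder"]),
          find_control_chars(obj))


if __name__ == "__main__":
    main()
```

This also explains why the reported character and column change from message to message: the parser fails at the first backslash whose next character is not a legal escape, so a path under `\temp` or `\nativeimages` sails past that point while `\assembly` or `\microsoft` stops it, and the column is simply wherever that first illegal pair sits in the document.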


(system) closed #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.