Escape '}' curly brackets in field results #1430
Replies: 1 comment
-
You can add an enhancement to the ElastAlert2 deployment, which will replace all problematic chars with something to avoid the problem. Ex: There may be other ways to solve it, such as escaping the curly braces.
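What the suggested enhancement could look like, as an added example (not code from the ElastAlert2 project or from the discussion). It assumes ElastAlert2's documented enhancement interface: a class deriving from `elastalert.enhancements.BaseEnhancement`, constructed with the rule dict and handed each match through `process(self, match)`. The rule key `brace_replacements`, the stand-in base class used when ElastAlert2 is not installed, and the sample match are all constructed for this example.

```python
"""Match enhancement that escapes '{' and '}' in field values before
ElastAlert2 renders alert text.

Added example, not code from the ElastAlert2 project or the discussion
above.  It assumes ElastAlert2's documented enhancement interface: a
class deriving from elastalert.enhancements.BaseEnhancement, constructed
with the rule dict and given each match via process(self, match).  The
stand-in base class in the except branch exists only so this file runs
without ElastAlert2 installed.
"""
import copy

try:
    from elastalert.enhancements import BaseEnhancement  # real ElastAlert2 class
except ImportError:  # assumption: minimal stand-in with the same interface
    class BaseEnhancement:
        def __init__(self, rule):
            self.rule = rule

        def process(self, match):
            raise NotImplementedError

# Default: double each brace.  str.format reads '{{' and '}}' as literal
# braces, so a value escaped this way survives a later .format() intact.
DEFAULT_REPLACEMENTS = {"{": "{{", "}": "}}"}


def escape_braces(value, replacements=DEFAULT_REPLACEMENTS):
    """Apply the brace replacements to every string inside value.

    Lists and dicts are walked recursively, which covers documents where
    process.args is an array and match dicts that are nested
    (e.g. {"process": {"args": [...]}}).  Other types pass through."""
    if isinstance(value, str):
        for old, new in replacements.items():
            value = value.replace(old, new)
        return value
    if isinstance(value, list):
        return [escape_braces(v, replacements) for v in value]
    if isinstance(value, dict):
        return {k: escape_braces(v, replacements) for k, v in value.items()}
    return value


class EscapeBracesEnhancement(BaseEnhancement):
    """Rewrite every string field of the match in place.

    'brace_replacements' is a rule key invented for this example; when
    present it overrides the default doubling, e.g. {"{": "(", "}": ")"}
    for output paths that never run the text through str.format."""

    def process(self, match):
        replacements = self.rule.get("brace_replacements", DEFAULT_REPLACEMENTS)
        for key in list(match.keys()):
            match[key] = escape_braces(match[key], replacements)


def format_raises(text):
    """True if str.format() rejects text when used as a template.

    Shows the failure mode: a raw value that ends up inside a string
    which is later passed through .format() trips on its braces."""
    try:
        text.format()
    except (ValueError, KeyError, IndexError):
        return True
    return False


# Constructed match modelled on the node.exe document in the question.
SAMPLE_MATCH = {
    "process": {
        "name": "node.exe",
        "pid": 44322,
        "args": (
            "D:\\VS\\MSBuild\\Microsoft\\VisualStudio\\NodeJs\\node.exe -e "
            "var p = process;p.on('message',function(m){if(m.c==='e')"
            "{p.exit(0);}else{p.send({c:'r',s:false});}});"
        ),
    }
}


def run_demo():
    """Apply the enhancement to a copy of SAMPLE_MATCH and return
    (raw_args, escaped_args, raw_breaks_format, escaped_breaks_format)."""
    match = copy.deepcopy(SAMPLE_MATCH)
    raw_args = match["process"]["args"]
    EscapeBracesEnhancement({"name": "example-rule"}).process(match)
    escaped_args = match["process"]["args"]
    return raw_args, escaped_args, format_raises(raw_args), format_raises(escaped_args)


if __name__ == "__main__":
    raw, escaped, raw_bad, escaped_bad = run_demo()
    print("raw value breaks str.format:", raw_bad)          # True
    print("escaped value breaks str.format:", escaped_bad)  # False
    print("escaped value formats back to the original:", escaped.format() == raw)  # True
```

Doubling the braces is the right choice when the value is going to pass through `str.format` again, because the formatted output then shows the original text unchanged. If the alert output shows doubled braces instead, that path never formats the text, and a plain substitution via `brace_replacements` is the better fit for that rule.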
-
Hello, I have the following rule:
This works 90% of the time, and it will result in something like this - which will be sent by email to an analyst:
process.name:
RegistryHandler.exe
process.pid:
14160
process.args:
['C:\Program Files\util\bin\RegistryHandler.exe', 'write', 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OBSystemTray', '"C:\Program', 'Files\bin\SystemTray64.exe"']
Sometimes though, the value of the "process.args" field will be too complex, and there are going to be '{' curly brackets in the field, and Elastalert won't like it, like this one:
process.name:
node.exe
process.pid:
44322
process.args:
D:\VS\MSBuild\Microsoft\VisualStudio\NodeJs\node.exe -e var p = process;p.on('message',function(m){if(m.c==='e'){p.exit(0);}else if(m.c==='rs'){try{var r=require.resolve(m.a);p.send({c:'r',s:true,r:r});}catch(err){p.send({c:'r',s:false});}}});
Here's the error message Elastalert gives:
I'm using Elastic Defend integration, and I can't decide what it's going to put in the fields. I would like a way to tell Elastalert to handle the values it pulls from Elasticsearch for the fields properly, even if there's curly brackets in them.
Do you have any idea how I can resolve this problem?