Knowledge Document: Alert cannot create any cases with base events on SOAR

Environment

ArcSight Platform 24.2
ESM version: 7.6.4
SOAR version: 24.2

Situation


The SOAR logs show the following exception.

1733207588.296642389,"2024-12-03T14:33:08.296642389+08:00","[2024-12-03 06:33:08.291] [ERROR] [jms-arcsight-6] c.i.a.a.arcsight.ArcSightListener Failed to enrich alert 95996481 with base events.","soar-web-app-6b6b94c7fb-5zvg5","arcsight-installer-6vd2u","soar-web-app","arcsight.xxxx.xxx.xx"

 

1733207588.296644033,"2024-12-03T14:33:08.296644033+08:00","org.springframework.web.client.RestClientException: Error while extracting response for type [class com.fasterxml.jackson.databind.node.ObjectNode] and content type [application/json]; nested exception is org.springframework.http.converter.HttpMessageNotReadableException: JSON parse error: Unrecognized character escape 'D' (code 68); nested exception is com.fasterxml.jackson.core.JsonParseException: Unrecognized character escape 'D' (code 68)","soar-web-app-6b6b94c7fb-5zvg5","arcsight-installer-6vd2u","soar-web-app","arcsight.xxxx.xxx.xx"

Cause

The error occurred because of invalid character escapes in JSON data transmitted from ESM to SOAR. Specifically, the character escape sequence \D in the JSON payload was not recognized by the SOAR application’s JSON parser (based on the Jackson library).

This invalid escape sequence was introduced due to a bug in the way ESM encoded specific alert or event data fields in the JSON payload. The issue was traced to an outdated ESM version (7.6.4), where encoding logic was not compliant with JSON standards under certain conditions.
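To find which field carries the bad escape in a captured payload, the following added example (not part of the original article and not ArcSight code) scans JSON text for escapes that RFC 8259 does not allow, such as the `\D` in the exception above. The sample payload and its field names are constructed for illustration.

```python
import json

# Escapes RFC 8259 allows after a backslash inside a string (besides \uXXXX).
VALID_SIMPLE = set('"\\/bfnrt')
HEX = set("0123456789abcdefABCDEF")

# Constructed sample payload; the field names are hypothetical, not ESM's schema.
# It holds one invalid escape (\D) and one valid escape (\\).
SAMPLE = r'{"alertId": 1, "baseEvents": [{"user": "CORP\Dave", "path": "C:\\tmp"}]}'


def find_invalid_escapes(text):
    """Return (offset, sequence) for each escape that strict JSON parsers reject."""
    findings, in_string, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if not in_string:
            in_string = ch == '"'
            i += 1
        elif ch == '"':
            in_string = False
            i += 1
        elif ch == "\\":
            nxt = text[i + 1:i + 2]
            digits = text[i + 2:i + 6]
            if nxt == "u" and len(digits) == 4 and set(digits) <= HEX:
                i += 6  # well-formed \uXXXX
                continue
            if nxt == "u" or nxt not in VALID_SIMPLE:
                findings.append((i, text[i:i + 2]))
            i += 2  # skip the escape pair so "\\" is not re-read
        else:
            i += 1
    return findings


def escape_for_inspection(text):
    """Double each offending backslash so an analyst can parse and read the payload."""
    for offset, _ in reversed(find_invalid_escapes(text)):
        text = text[:offset] + "\\" + text[offset:]
    return text


if __name__ == "__main__":
    for offset, seq in find_invalid_escapes(SAMPLE):
        print(f"invalid escape {seq!r} at offset {offset}")
    print(json.loads(escape_for_inspection(SAMPLE)))
```

`escape_for_inspection` is meant only for reading a captured payload during triage; it does not change what ESM sends to SOAR.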

Find resolution on support portal
