ArcSight Platform 24.2
ESM version: 7.6.4
SOAR version: 24.2
Checked the SOAR logs and found the following exception.
1733207588.296642389,"2024-12-03T14:33:08.296642389+08:00","[2024-12-03 06:33:08.291] [ERROR] [jms-arcsight-6] c.i.a.a.arcsight.ArcSightListener Failed to enrich alert 95996481 with base events.","soar-web-app-6b6b94c7fb-5zvg5","arcsight-installer-6vd2u","soar-web-app","arcsight.xxxx.xxx.xx"
1733207588.296644033,"2024-12-03T14:33:08.296644033+08:00","org.springframework.web.client.RestClientException: Error while extracting response for type [class com.fasterxml.jackson.databind.node.ObjectNode] and content type [application/json]; nested exception is org.springframework.http.converter.HttpMessageNotReadableException: JSON parse error: Unrecognized character escape 'D' (code 68); nested exception is com.fasterxml.jackson.core.JsonParseException: Unrecognized character escape 'D' (code 68)","soar-web-app-6b6b94c7fb-5zvg5","arcsight-installer-6vd2u","soar-web-app","arcsight.xxxx.xxx.xx"
The error occurred because of invalid character escapes in JSON data transmitted from ESM to SOAR. Specifically, the character escape sequence \D in the JSON payload was not recognized by the SOAR application’s JSON parser (based on the Jackson library).
This invalid escape sequence was introduced due to a bug in the way ESM encoded specific alert or event data fields in the JSON payload. The issue was traced to an outdated ESM version (7.6.4), where encoding logic was not compliant with JSON standards under certain conditions.
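One way to locate such an escape in a captured payload, as an added example (not ArcSight, SOAR or Jackson code): the scanner below applies the string-escape rules of RFC 8259 to raw JSON text and reports each offending sequence with its offset. The field names and the sample payload are constructed for illustration and are not the ESM schema.

```python
import json

# Escapes allowed after a backslash inside a JSON string (RFC 8259, section 7).
SIMPLE_ESCAPES = set('"\\/bfnrt')
HEX_DIGITS = set("0123456789abcdefABCDEF")

def find_invalid_escapes(raw):
    """Return [(offset, sequence), ...] for every escape inside a JSON string
    that the standard does not allow. Offsets index into `raw`."""
    bad, in_string, i = [], False, 0
    while i < len(raw):
        ch = raw[i]
        if not in_string:
            in_string = ch == '"'      # an opening quote starts a string
            i += 1
        elif ch == '"':
            in_string = False          # an unescaped quote ends it
            i += 1
        elif ch != "\\":
            i += 1
        else:
            nxt = raw[i + 1:i + 2]     # empty if the text ends on a backslash
            if nxt == "u":
                digits = raw[i + 2:i + 6]
                if len(digits) == 4 and set(digits) <= HEX_DIGITS:
                    i += 6
                    continue
                bad.append((i, raw[i:i + 6]))
            elif nxt not in SIMPLE_ESCAPES:
                bad.append((i, raw[i:i + 2]))
            i += 2
    return bad

def parses(raw):
    """True if a strict JSON parser accepts the text."""
    try:
        json.loads(raw)
        return True
    except json.JSONDecodeError:
        return False

# Constructed payload: one field carries a lone backslash before 'D',
# the other has its backslashes correctly doubled.
SAMPLE = r'{"id": 1, "user": "CORP\Domain Admins", "path": "C:\\Temp\\a.log"}'

if __name__ == "__main__":
    for offset, seq in find_invalid_escapes(SAMPLE):
        print(f"invalid escape {seq!r} at offset {offset}")
    print("strict parser accepts payload:", parses(SAMPLE))
```

Running it against a payload captured between ESM and SOAR points at the field that carries the unescaped backslash, which helps confirm whether an alert is affected before and after the ESM-side fix.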