'panic encountered: non-string given for securityresult.description'

I have the following parser code -

    # Security Result
    if [severity] == "INFO" {
        mutate {
            replace => {
                "security_result_action" => "ALLOW"
                "security_result_description" => "SUCCESS"
            }
        }
    }

However, when previewing its output I see the following error -

generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \"idm\": index 0: recursive rawDataToProto failed: field \"read_only_udm\": index 0: recursive rawDataToProto failed: field \"security_result\": index 0: recursive rawDataToProto failed: panic encountered: non-string given for backstory.SecurityResult.description: []interface {} []interface {}{\"SUCCESS\"}"

Why is this not being interpreted as a string?

1 ACCEPTED SOLUTION

    filter {
        mutate {
            replace => {
                "event_type" => "GENERIC_EVENT"
                "severity" => "INFO"
            }
        }
        # Security Result
        if [severity] == "INFO" {
            mutate {
                replace => {
                    "description" => "SUCCESS"
                }
            }
            mutate {
                replace => {
                    "security_action" => "ALLOW"
                    "security_result.description" => "%{description}"
                }
            }
        }
        else if [severity] == "ERROR" {
            mutate {
                replace => {
                    "security_action" => "BLOCK"
                    "security_result.description" => "%{jsonPayload.status.message}"
                }
            }
        }
        # Merge Action
        if [security_action] != "" {
            mutate {
                merge => {
                    "security_result.action" => "security_action"
                }
            }
        }
        # Merge Security Results
        if [security_result] != "" {
            mutate {
                merge => {
                    "event.idm.read_only_udm.security_result" => "security_result"
                }
            }
        }
        # Default Event Data
        mutate {
            replace => {
                "event.idm.read_only_udm.metadata.event_type" => "%{event_type}"
            }
        }
        # Generate Event
        mutate {
            merge => {
                "@output" => "event"
            }
        }
    }

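To make the shape problem behind the error concrete, here is an added Python model of the three mutate operations this thread uses (replace, merge, convert) and of the type check that rejects the original parser. It is not the Google SecOps parser engine and none of it comes from the thread's own code; the semantics are assumed from the quoted error, which shows `merge` turning "SUCCESS" into the list `[]interface {}{"SUCCESS"}` while `security_result.description` must be a plain string. The `SECURITY_RESULT_ACTIONS` set, the `run_original` / `run_accepted` functions and the sample log are constructed for the illustration.

```python
"""Added illustration: a small Python model of the parser operations used in
this thread and of the UDM type check that rejects the original parser.
Not the product's engine; semantics assumed from the thread's error message."""
import copy
import re

# Assumed subset of the UDM SecurityResult schema, taken from the thread only:
# description is a scalar string, action is a repeated field of fixed values.
SECURITY_RESULT_ACTIONS = {"ALLOW", "BLOCK", "UNKNOWN_ACTION"}

_TOKEN = re.compile(r"%\{([^}]+)\}")


def _get(state, path):
    """Resolve a dotted path such as jsonPayload.status.message (None if absent)."""
    node = state
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _set(state, path, value):
    """Store value at a dotted path, creating intermediate objects as needed."""
    node = state
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def replace(state, field, template):
    """mutate { replace => { field => template } }: expand %{tokens} and store
    the result as a string. A non-string token is treated as an error, which
    is the situation the last reply in the thread guesses at."""
    def expand(match):
        value = _get(state, match.group(1))
        if not isinstance(value, str):
            raise TypeError(f"{match.group(1)} is not a string: {value!r}")
        return value
    _set(state, field, _TOKEN.sub(expand, template))


def merge(state, target, source):
    """mutate { merge => { target => source } }: append the source value to the
    repeated field at target. This is what produced the list in the error."""
    value = _get(state, source)
    if value is None:
        return
    existing = _get(state, target)
    items = list(existing) if isinstance(existing, list) else []
    items.append(copy.deepcopy(value))
    _set(state, target, items)


def convert(state, field, target_type):
    """mutate { convert => { field => "string" } }; only the string case is modelled."""
    value = _get(state, field)
    if value is not None and target_type == "string":
        _set(state, field, str(value))


def validate_security_result(security_result):
    """Mimic the proto conversion step: description must be a str and every
    action must be a known value. Returns an error message or None."""
    description = security_result.get("description")
    if description is not None and not isinstance(description, str):
        return f"non-string given for SecurityResult.description: {description!r}"
    for action in security_result.get("action", []):
        if action not in SECURITY_RESULT_ACTIONS:
            return f"unknown SecurityResult.action {action!r}"
    return None


def run_original(raw):
    """The original parser: replace into flat tokens, then merge both tokens
    into security_result, which wraps the description in a list."""
    state = copy.deepcopy(raw)
    replace(state, "description", "SUCCESS")
    replace(state, "security_result_action", "ALLOW")
    replace(state, "security_result_description", "%{description}")
    merge(state, "security_result.action", "security_result_action")
    merge(state, "security_result.description", "security_result_description")
    return state["security_result"]


def run_accepted(raw, severity):
    """The accepted solution: replace the scalar description directly and merge
    only the repeated action field. The ERROR branch converts the payload
    message to a string first, as the last reply advises."""
    state = copy.deepcopy(raw)
    if severity == "INFO":
        replace(state, "description", "SUCCESS")
        replace(state, "security_action", "ALLOW")
        replace(state, "security_result.description", "%{description}")
    elif severity == "ERROR":
        convert(state, "jsonPayload.status.message", "string")
        replace(state, "security_action", "BLOCK")
        replace(state, "security_result.description", "%{jsonPayload.status.message}")
    merge(state, "security_result.action", "security_action")
    return state["security_result"]


if __name__ == "__main__":
    # Constructed sample log with a numeric status message (not data from the thread).
    sample = {"jsonPayload": {"status": {"message": 403}}}
    print("original:", validate_security_result(run_original(sample)))
    print("accepted:", validate_security_result(run_accepted(sample, "INFO")))
    print("error   :", run_accepted(sample, "ERROR"))
```

Running it shows the original flow producing a list for `description` and failing validation, while the accepted flow yields a string description with `action` as a one-element list, and the ERROR branch only works once the numeric payload message has been converted to a string.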


Hi,

The UDM field security_result.description takes a string as a parameter whereas security_result.action takes a constant value (predefined values). In the case above, you need to pass "SUCCESS" in a variable. Something similar to this:

    mutate {
        replace => {
            "security_result_description" => "%{otherTokenValue}"
        }
    }

where "otherTokenValue" stores "SUCCESS".

Okay, I have the following, which returns the same error -

    # Security Result
    if [severity] == "INFO" {

        mutate {
            replace => {
                "description" => "SUCCESS"
            }
        }
        mutate {
            replace => {
                "security_result_action" => "ALLOW"
                "security_result_description" => "%{description}"
            }
        }
    }

Can you please post where your security_result_description is changed to security_result.description?

Your replace statement should be fine; replace would set both of those variables to a string regardless of whether you use a variable or not. The error likely lies somewhere after this. Can you share the rest of your parser code?

Sure, here is the full block for SecurityResult -

    # Security Result
    if [severity] == "INFO" {

        mutate {
            replace => {
                "description" => "SUCCESS"
            }
        }
        mutate {
            replace => {
                "security_result_action" => "ALLOW"
                "security_result_description" => "%{description}"
            }
        }
    }
    else if [severity] == "ERROR" {
        mutate {
            replace => {
                "security_result_action" => "BLOCK"
                "security_result_description" => "%{jsonPayload.status.message}"
            }
        }
    }

    mutate {
        merge => {
            "security_result.action" => "security_result_action"
            "security_result.description" => "security_result_description"
        }
    }

    # Merge final security result
    mutate {
        merge => {
            "udm_event.idm.read_only_udm.security_result" => "security_result"
        }
    }

Based on what you have shared here, my guess would be that the contents of jsonPayload.status.message are the problem. If you insert a statedump {} statement on line 30 and run the parser again, can you share the output of the statedump?


Are you still getting the same error? Is "jsonPayload.status.message" a string or numeric? If it's not a string, then you'll need to convert it first.

Thank you, that's working now.