This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

How to replace a comma using the Expression Builder for Google SOAR Webhooks integration

Posted 3 weeks ago
BlueAnalyst
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

while working on receiving alerts from Cloudlfare via webhook, I need to replace the only text field that is sent by Cloudflare upon set up. The text includes a comma caracter inside. This is the sample
{
"text": "Hello World! This is a test message sent from https://cloudflare.com. If you can see this, your webhook is configured properly."
}

this expression would fail because of the comma character

| "text" | replace("If you can see this, your webhook is configured properly.","replaced text")

The only way I can reformat that text is to replace it, but the replace function fails as soon as a comma is the input substring. I tried to escape it with "\," unsuccessfully. I can replace everything else but the comma.

The final goal is to reply with a 200 code the initial mock json sent by cloudflare, so I though of recreating from scratch the mandatory fields

0 11 159
Topic Labels
0 Likes
11 REPLIES 11

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
Reply posted on --/--/---- --:-- AM

Hey @BlueAnalyst

I've tried to use the expression builder to replace the comma and I see the same issue. I will take it internally with team.

But I think I can offer you a workaround that will solve the use case. It's possible to chain multiple replace operations statement.

So, what you can do is something like this:

 | "text" | replace("If you can see this","replaced text 1") | replace("your webhook is configured properly.","replaced text 2")

So, you will convert 2 parts around the comma separately.

0 Likes

Posted on --/--/---- --:-- AM
BlueAnalyst
Bronze 1
Bronze 1
In response to ylandovskyy
Reply posted on --/--/---- --:-- AM

Hi @ylandovskyy thanks for your response and for your trick.

I did try that on my own but the comma will be there, hence, it is going to be possible to transform it as a date, that is a mandatory field to satisfy

0 Likes

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
In response to BlueAnalyst
Reply posted on --/--/---- --:-- AM

@BlueAnalyst Can you elaborate why this specific field is so important to be replaced? What is the expected outcome here? 

0 Likes

Posted on --/--/---- --:-- AM
BlueAnalyst
Bronze 1
Bronze 1
In response to ylandovskyy
Reply posted on --/--/---- --:-- AM

@ylandovskyy because I was getting this output message 

{
  "status": 400,
  "statusText": "OK",
  "error": {
    "code": "Transformation",
    "error": "There was a problem parsing timestamp string: Hello World! This is a test message sent from https://cloudflare.com. If you can see this, your webhook is configured properly."
  }
}

but now I see that even though the StartTime made up with the initial comma,

{"StartTime": ",2025-04-24T13:43:23Z"}

 now it replies a 200 code, so Cloudflare will validate the initial setup and then I can work on the real alerts

{
  "status": 200,
  "statusText": "OK"
}

 Thank you

0 Likes

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
In response to BlueAnalyst
Reply posted on --/--/---- --:-- AM

@BlueAnalyst but isn't there in the Cloudflare alert object a proper timestamp field? What is the need to do replacement function on "Hello World!" string?

0 Likes

Posted on --/--/---- --:-- AM
BlueAnalyst
Bronze 1
Bronze 1
In response to ylandovskyy
Reply posted on --/--/---- --:-- AM

yes. The problem is upon webhook set up, Cloudflare sends that initial test json with that only text field. In case not receive a 200 code, it does not complete the setup

0 Likes

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
In response to BlueAnalyst
Reply posted on --/--/---- --:-- AM

@BlueAnalyst I see, so now you are unblocked, right?

0 Likes

Posted on --/--/---- --:-- AM
BlueAnalyst
Bronze 1
Bronze 1
In response to ylandovskyy
Reply posted on --/--/---- --:-- AM

I would but we are still getting a 400 code from Cloudflare side.
cloudflare_webhook_failure.PNG
Is there any secret, bearer or special header to count on? At the creation time the url is the only parameter to work with HTTP wise

0 Likes

Posted on --/--/---- --:-- AM
SoarAndy
Staff
In response to BlueAnalyst
Reply posted on --/--/---- --:-- AM

(Sorry this thread is getting a maze lol)

parsing timestamp string

 Why does the webhook think this is a timestamp string?
If you change the mapping, I would assume a normal field would be happy with a , in it ?

0 Likes

Posted on --/--/---- --:-- AM
BlueAnalyst
Bronze 1
Bronze 1
In response to SoarAndy
Reply posted on --/--/---- --:-- AM

well I undestand that StartTime is a mandatory field, hence it is not even possible to save the webhook without mapping that field.
The only field I am going to receive from Cloudflare is that text, and it is the only information I can play with to end up returning a 200 code. Ideally when receiving a real alert at least one of the fields will contain a timestamp somewhere, but here if I just map the text key of the json to the StartTime, I get that parsing error.
Apparently when I replace and reduce to something much more similar to a date (with the comma in front), it works on the testing tab at least. Not in the real scenario.

0 Likes

Posted on --/--/---- --:-- AM
SoarAndy
Staff
In response to BlueAnalyst
Reply posted on --/--/---- --:-- AM

It's hard to say anything without seeing it firsthand and live testing, so I wonder if a support ticket is the best route at this point, sorry

0 Likes
Top Solution Authors
View all