new(alert): Marshal alert to JSON

rabbitstack · rabbitstack · commit bd8608fe90d5 · 2026-01-28T11:12:57.000+01:00
diff --git a/pkg/alertsender/alert.go b/pkg/alertsender/alert.go
@@ -20,12 +20,16 @@ package alertsender
 
 import (
 	"bytes"
+	"encoding/json"
 	"fmt"
 	"reflect"
 	"strings"
+	"time"
 
 	"github.com/mitchellh/mapstructure"
+
 	"github.com/rabbitstack/fibratus/pkg/event"
+	"github.com/rabbitstack/fibratus/pkg/event/params"
 	"github.com/yuin/goldmark"
 	"github.com/yuin/goldmark/extension"
 	"github.com/yuin/goldmark/renderer/html"
@@ -163,6 +167,182 @@ func (a *Alert) MDToHTML() error {
 	return nil
 }
 
+// MarshalJSON encodes the alert to JSON format.
+func (a Alert) MarshalJSON() ([]byte, error) {
+	var msg = &struct {
+		ID          string            `json:"id"`
+		Title       string            `json:"title"`
+		Severity    string            `json:"severity"`
+		Text        string            `json:"text,omitempty"`
+		Description string            `json:"description"`
+		Labels      map[string]string `json:"labels,omitempty"`
+		Events      []struct {
+			Name      string         `json:"name"`
+			Category  string         `json:"category"`
+			Timestamp time.Time      `json:"timestamp"`
+			Params    map[string]any `json:"params"`
+			Callstack []string       `json:"callstack,omitempty"`
+			Proc      *struct {
+				PID            uint32   `json:"pid"`
+				TID            uint32   `json:"tid"`
+				PPID           uint32   `json:"ppid"`
+				Name           string   `json:"name"`
+				Exe            string   `json:"exe"`
+				Cmdline        string   `json:"cmdline,omitempty"`
+				Pname          string   `json:"parent_name,omitempty"`
+				Pcmdline       string   `json:"parent_cmdline,omitempty"`
+				Cwd            string   `json:"cwd,omitempty"`
+				SID            string   `json:"sid"`
+				Username       string   `json:"username"`
+				Domain         string   `json:"domain"`
+				SessionID      uint32   `json:"session_id"`
+				IntegrityLevel string   `json:"integrity_level"`
+				IsWOW64        bool     `json:"is_wow64"`
+				IsPackaged     bool     `json:"is_packaged"`
+				IsProtected    bool     `json:"is_protected"`
+				Ancestors      []string `json:"ancestors"`
+			} `json:"proc,omitempty"`
+		} `json:"events"`
+	}{
+		ID:          a.ID,
+		Title:       a.Title,
+		Severity:    a.Severity.String(),
+		Text:        a.Text,
+		Description: a.Description,
+		Labels:      a.Labels,
+	}
+
+	events := make([]struct {
+		Name      string         `json:"name"`
+		Category  string         `json:"category"`
+		Timestamp time.Time      `json:"timestamp"`
+		Params    map[string]any `json:"params"`
+		Callstack []string       `json:"callstack,omitempty"`
+		Proc      *struct {
+			PID            uint32   `json:"pid"`
+			TID            uint32   `json:"tid"`
+			PPID           uint32   `json:"ppid"`
+			Name           string   `json:"name"`
+			Exe            string   `json:"exe"`
+			Cmdline        string   `json:"cmdline,omitempty"`
+			Pname          string   `json:"parent_name,omitempty"`
+			Pcmdline       string   `json:"parent_cmdline,omitempty"`
+			Cwd            string   `json:"cwd,omitempty"`
+			SID            string   `json:"sid"`
+			Username       string   `json:"username"`
+			Domain         string   `json:"domain"`
+			SessionID      uint32   `json:"session_id"`
+			IntegrityLevel string   `json:"integrity_level"`
+			IsWOW64        bool     `json:"is_wow64"`
+			IsPackaged     bool     `json:"is_packaged"`
+			IsProtected    bool     `json:"is_protected"`
+			Ancestors      []string `json:"ancestors"`
+		} `json:"proc,omitempty"`
+	}, 0, len(a.Events))
+
+	for _, e := range a.Events {
+		var evt = struct {
+			Name      string         `json:"name"`
+			Category  string         `json:"category"`
+			Timestamp time.Time      `json:"timestamp"`
+			Params    map[string]any `json:"params"`
+			Callstack []string       `json:"callstack,omitempty"`
+			Proc      *struct {
+				PID            uint32   `json:"pid"`
+				TID            uint32   `json:"tid"`
+				PPID           uint32   `json:"ppid"`
+				Name           string   `json:"name"`
+				Exe            string   `json:"exe"`
+				Cmdline        string   `json:"cmdline,omitempty"`
+				Pname          string   `json:"parent_name,omitempty"`
+				Pcmdline       string   `json:"parent_cmdline,omitempty"`
+				Cwd            string   `json:"cwd,omitempty"`
+				SID            string   `json:"sid"`
+				Username       string   `json:"username"`
+				Domain         string   `json:"domain"`
+				SessionID      uint32   `json:"session_id"`
+				IntegrityLevel string   `json:"integrity_level"`
+				IsWOW64        bool     `json:"is_wow64"`
+				IsPackaged     bool     `json:"is_packaged"`
+				IsProtected    bool     `json:"is_protected"`
+				Ancestors      []string `json:"ancestors"`
+			} `json:"proc,omitempty"`
+		}{
+			Name:      e.Name,
+			Category:  string(e.Category),
+			Timestamp: e.Timestamp,
+			Params:    make(map[string]any),
+			Callstack: make([]string, 0, len(e.Callstack)),
+		}
+
+		// populate event parameters
+		for _, param := range e.Params {
+			if param.Type == params.Bool || param.Type == params.PID ||
+				param.Type == params.TID || param.Type == params.Port || param.IsNumber() {
+				evt.Params[param.Name] = param.Value
+			} else {
+				evt.Params[param.Name] = param.String()
+			}
+		}
+
+		// populate callstack
+		for i := range e.Callstack {
+			frame := e.Callstack[len(e.Callstack)-i-1]
+			evt.Callstack = append(evt.Callstack, fmt.Sprintf("%s %s!%s", frame.Addr, frame.Module, frame.Symbol))
+		}
+
+		ps := e.PS
+		if ps != nil {
+			evt.Proc = &struct {
+				PID            uint32   `json:"pid"`
+				TID            uint32   `json:"tid"`
+				PPID           uint32   `json:"ppid"`
+				Name           string   `json:"name"`
+				Exe            string   `json:"exe"`
+				Cmdline        string   `json:"cmdline,omitempty"`
+				Pname          string   `json:"parent_name,omitempty"`
+				Pcmdline       string   `json:"parent_cmdline,omitempty"`
+				Cwd            string   `json:"cwd,omitempty"`
+				SID            string   `json:"sid"`
+				Username       string   `json:"username"`
+				Domain         string   `json:"domain"`
+				SessionID      uint32   `json:"session_id"`
+				IntegrityLevel string   `json:"integrity_level"`
+				IsWOW64        bool     `json:"is_wow64"`
+				IsPackaged     bool     `json:"is_packaged"`
+				IsProtected    bool     `json:"is_protected"`
+				Ancestors      []string `json:"ancestors"`
+			}{
+				PID:            ps.PID,
+				TID:            e.Tid,
+				PPID:           ps.Ppid,
+				Name:           ps.Name,
+				Exe:            ps.Exe,
+				Cmdline:        ps.Cmdline,
+				Cwd:            ps.Cwd,
+				SID:            ps.SID,
+				Username:       ps.Username,
+				Domain:         ps.Domain,
+				SessionID:      ps.SessionID,
+				IntegrityLevel: ps.TokenIntegrityLevel,
+				IsWOW64:        ps.IsWOW64,
+				IsPackaged:     ps.IsPackaged,
+				IsProtected:    ps.IsProtected,
+				Ancestors:      ps.Ancestors(),
+			}
+			if ps.Parent != nil {
+				evt.Proc.Pname = ps.Parent.Name
+				evt.Proc.Pcmdline = ps.Parent.Cmdline
+			}
+		}
+
+		events = append(events, evt)
+	}
+	msg.Events = events
+
+	return json.Marshal(msg)
+}
+
 // NewAlert builds a new alert.
 func NewAlert(title, text string, tags []string, severity Severity) Alert {
 	return Alert{Title: title, Text: text, Tags: tags, Severity: severity}
diff --git a/pkg/alertsender/alert_test.go b/pkg/alertsender/alert_test.go
@@ -19,11 +19,13 @@
 package alertsender
 
 import (
+	"encoding/json"
+	"testing"
+
 	"github.com/rabbitstack/fibratus/pkg/event"
 	"github.com/rabbitstack/fibratus/pkg/event/params"
 	pstypes "github.com/rabbitstack/fibratus/pkg/ps/types"
 	"github.com/stretchr/testify/require"
-	"testing"
 )
 
 func TestAlertString(t *testing.T) {
@@ -94,3 +96,33 @@ func TestAlertString(t *testing.T) {
 		})
 	}
 }
+
+func TestAlertJSON(t *testing.T) {
+	alert := NewAlertWithEvents("Credential discovery via VaultCmd.exe", "Suspicious vault enumeration via VaultCmd tool", nil, Normal, []*event.Event{{
+		Type:     event.CreateProcess,
+		Category: event.Process,
+		Params: event.Params{
+			params.Cmdline:     {Name: params.Cmdline, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\svchost-fake.exe -k RPCSS"},
+			params.ProcessName: {Name: params.ProcessName, Type: params.AnsiString, Value: "svchost-fake.exe"}},
+		Name: "CreateProcess",
+		PID:  1023,
+		PS: &pstypes.PS{
+			Name:                "svchost.exe",
+			Cmdline:             "C:\\Windows\\System32\\svchost.exe",
+			Ppid:                345,
+			Username:            "SYSTEM",
+			Domain:              "NT AUTHORITY",
+			SID:                 "S-1-5-18",
+			TokenIntegrityLevel: "HIGH",
+		},
+	}})
+
+	alert.ID = "64af2e2e-2309-4079-9c0f-985f1dd930f5"
+
+	b, err := json.MarshalIndent(alert, "", "  ")
+	require.NoError(t, err)
+
+	expectedJSON := "{\n  \"id\": \"64af2e2e-2309-4079-9c0f-985f1dd930f5\",\n  \"title\": \"Credential discovery via VaultCmd.exe\",\n  \"severity\": \"low\",\n  \"text\": \"Suspicious vault enumeration via VaultCmd tool\",\n  \"description\": \"\",\n  \"events\": [\n    {\n      \"name\": \"CreateProcess\",\n      \"category\": \"process\",\n      \"timestamp\": \"0001-01-01T00:00:00Z\",\n      \"params\": {\n        \"cmdline\": \"C:\\\\Windows\\\\system32\\\\svchost-fake.exe -k RPCSS\",\n        \"name\": \"svchost-fake.exe\"\n      },\n      \"proc\": {\n        \"pid\": 0,\n        \"tid\": 0,\n        \"ppid\": 345,\n        \"name\": \"svchost.exe\",\n        \"exe\": \"\",\n        \"cmdline\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n        \"sid\": \"S-1-5-18\",\n        \"username\": \"SYSTEM\",\n        \"domain\": \"NT AUTHORITY\",\n        \"session_id\": 0,\n        \"integrity_level\": \"HIGH\",\n        \"is_wow64\": false,\n        \"is_packaged\": false,\n        \"is_protected\": false,\n        \"ancestors\": []\n      }\n    }\n  ]\n}"
+
+	require.Equal(t, expectedJSON, string(b))
+}
