From 41951659eced5b46b1f2a0b72f8103a87bc83d7c Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 13 Jun 2023 14:54:15 -0600
Subject: [PATCH] Use importer's new --json flag.
Using the new --json flag is not only more reliable than using a regex, the way the import script was written even re-imports will provide a url. This means that in more cases we can provide the results to the users (even if nothing changed).
---
 salt/soc/files/bin/salt-relay.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh
index 313a21141..e59fb41ab 100755
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
@@ -227,11 +227,11 @@ function import_file() {
 log "importing..."
 case $importer in
 pcap)
- response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file'")
+ response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'")
 exit_code=$?
 ;;
 evtx)
- response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file'")
+ response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'")
 exit_code=$?
 ;;
 *)
@@ -246,7 +246,8 @@ function import_file() {
 log "Exit Code: $exit_code"
 if [[ exit_code -eq 0 ]]; then
- url=$(echo "$response" | sed ':a;N;$!ba;s/\n//g' | grep -E -o "https://\S*")
+ # trim off the node header ("manager_standalone:\n") and parse out the URL
+ url=$(echo "$response" | tail -n +2 | jq -r .url)
 $(echo "$url" > "${SOC_PIPE}")
 else
 log "false"
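Review bot: On both changed `response=` lines (the pcap and evtx arms), `$file` and `$node` are spliced unescaped into a nested-quoted Salt command string, so a value containing a single quote or other shell metacharacters would alter the command that `cmd.run` executes on the node. Where these values originate is outside the hunk; if either can be influenced by a SOC request or an uploaded filename, it should be checked against an allowlist before the `case`, for example `[[ "$file" =~ ^[A-Za-z0-9._/-]+$ ]]`, with the import refused and logged when the check fails. An allowlist is safer here than escaping, because the string passes through several quoting layers (`$CMD_PREFIX`, `salt`, then the shell behind `cmd.run`). The body of `import_file` starts and ends outside the hunk.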
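Review bot: The new `url=` line forwards whatever `jq -r .url` prints, and jq's exit status is never checked. If the response is not exactly one node-header line followed by the importer's JSON (extra Salt output, a missing `url` key), `${SOC_PIPE}` receives an empty string or the literal `null`. The removed `grep -E -o "https://\S*"` at least ensured that anything forwarded began with `https://`, and that constraint is now gone. Consider `url=$(echo "$response" | tail -n +2 | jq -er '.url // empty')` and a `[[ "$url" == https://* ]]` check before the write to the pipe, logging the raw response when either fails. The `if` block closes outside the hunk.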