zscaler_zia: Fix improper escaping of backslash characters

[kcreddy]

Proposed commit message

See title

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

elastic-package stack down && elastic-package build && elastic-package stack up -d -v && eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v

--- Test results for package: zscaler_zia - START ---
╭─────────────┬─────────────┬───────────┬─────────────────────────────────┬────────┬──────────────╮
│ PACKAGE     │ DATA STREAM │ TEST TYPE │ TEST NAME                       │ RESULT │ TIME ELAPSED │
├─────────────┼─────────────┼───────────┼─────────────────────────────────┼────────┼──────────────┤
│ zscaler_zia │ alerts      │ pipeline  │ test-alerts.log                 │ PASS   │   2.356666ms │
│ zscaler_zia │ dns         │ pipeline  │ test-dns-http-endpoint.log      │ PASS   │   2.348167ms │
│ zscaler_zia │ dns         │ pipeline  │ test-dns.log                    │ PASS   │   3.147583ms │
│ zscaler_zia │ firewall    │ pipeline  │ test-firewall-http-endpoint.log │ PASS   │   2.246542ms │
│ zscaler_zia │ firewall    │ pipeline  │ test-firewall.log               │ PASS   │   2.812042ms │
│ zscaler_zia │ tunnel      │ pipeline  │ test-tunnel-http-endpoint.log   │ PASS   │   1.626791ms │
│ zscaler_zia │ tunnel      │ pipeline  │ test-tunnel.log                 │ PASS   │   3.076666ms │
│ zscaler_zia │ web         │ pipeline  │ test-web-http-endpoint.log      │ PASS   │   2.474125ms │
│ zscaler_zia │ web         │ pipeline  │ test-web.log                    │ PASS   │   5.092166ms │
╰─────────────┴─────────────┴───────────┴─────────────────────────────────┴────────┴──────────────╯
--- Test results for package: zscaler_zia - END   ---
Done

Screenshots

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[elasticmachine]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: bea489b

History

• 💔 Build #11367 failed 5aa74f5

cc @kcreddy

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[efd6]

I'm aware that this is fixing a customer issue, but it troubles me that we are going out of our way to transform invalid JSON into valid JSON in one location at the possible cost of transforming other valid JSON into syntactically correct, but semantically incorrect JSON at many other sites (any \x escape sequence anywhere else in the input will be converted to a litteral "\x" string). Why are we not asking the sender of the invalid message to fix their encoding?

[kcreddy]

@efd6 That does make sense especially when the ZIA documentation mentions how to overcome this issue with a configuration change.

Moving the PR to draft. I will close it once the user is satisfied with the solution to change the configuration instead.