Merge pull request #161 from UncoderIO/gis-8070

tarnopolskyi · web-flow · commit 95e0b6ebd0ce · 2024-06-27T13:28:12.000+02:00
Gis 8070
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/aws_cloudtrail.yml b/uncoder-core/app/translator/mappings/platforms/splunk/aws_cloudtrail.yml
@@ -3,10 +3,10 @@ source: aws_cloudtrail
 
 
 log_source:
-  source_type: [aws:cloudtrail]
+  sourcetype: [aws:cloudtrail]
 
 default_log_source:
-  source_type: aws:cloudtrail
+  sourcetype: aws:cloudtrail
 
 field_mapping:
   eventSource: eventSource
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/aws_eks.yml b/uncoder-core/app/translator/mappings/platforms/splunk/aws_eks.yml
@@ -3,10 +3,10 @@ source: aws_eks
 
 
 log_source:
-  source_type: [aws:*]
+  sourcetype: [aws:*]
 
 default_log_source:
-  source_type: aws:*
+  sourcetype: aws:*
 
 field_mapping:
   annotations.authorization.k8s.io\/decision: annotations.authorization.k8s.io\/decision
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_AzureDiagnostics.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_AzureDiagnostics.yml
@@ -3,10 +3,10 @@ source: azure_AzureDiagnostics
 
 
 log_source:
-  source_type: [azure:*]
+  sourcetype: [azure:*]
 
 default_log_source:
-  source_type: azure:*
+  sourcetype: azure:*
 
 field_mapping:
   ResultDescription: ResultDescription
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_BehaviorAnalytics.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_BehaviorAnalytics.yml
@@ -3,10 +3,10 @@ source: azure_BehaviorAnalytics
 
 
 log_source:
-  source_type: [azure:*]
+  sourcetype: [azure:*]
 
 default_log_source:
-  source_type: azure:*
+  sourcetype: azure:*
 
 field_mapping:
   ActionType: ActionType
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_aadnoninteractiveusersigninlogs.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_aadnoninteractiveusersigninlogs.yml
@@ -3,10 +3,10 @@ source: azure_aadnoninteractiveusersigninlogs
 
 
 log_source:
-  source_type: [azure:*]
+  sourcetype: [azure:*]
 
 default_log_source:
-  source_type: azure:*
+  sourcetype: azure:*
 
 field_mapping:
   UserAgent: UserAgent
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_azureactivity.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_azureactivity.yml
@@ -3,10 +3,10 @@ source: azure_azureactivity
 
 
 log_source:
-  source_type: [mscs:azure:*, azure:*]
+  sourcetype: [mscs:azure:*, azure:*]
 
 default_log_source:
-  source_type: mscs:azure:*
+  sourcetype: mscs:azure:*
 
 field_mapping:
   ActivityStatus: ActivityStatus
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_azuread.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_azuread.yml
@@ -3,10 +3,10 @@ source: azure_azuread
 
 
 log_source:
-  source_type: [azure:aad:*]
+  sourcetype: [azure:aad:*]
 
 default_log_source:
-  source_type: azure:aad:*
+  sourcetype: azure:aad:*
 
 field_mapping:
   ActivityDisplayName: ActivityDisplayName
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_signinlogs.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_signinlogs.yml
@@ -3,10 +3,10 @@ source: azure_signinlogs
 
 
 log_source:
-  source_type: [azure:aad:*]
+  sourcetype: [azure:aad:*]
 
 default_log_source:
-  source_type: azure:aad:*
+  sourcetype: azure:aad:*
 
 field_mapping:
   AppDisplayName: AppDisplayName
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/firewall.yml b/uncoder-core/app/translator/mappings/platforms/splunk/firewall.yml
@@ -3,11 +3,11 @@ source: firewall
 
 
 log_source:
-  source_type: [fortigate_traffic]
+  sourcetype: [fortigate_traffic]
   index: [fortigate]
 
 default_log_source:
-  source_type: fortigate_traffic
+  sourcetype: fortigate_traffic
   index: fortigate
 
 field_mapping:
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/gcp_gcp.audit.yml b/uncoder-core/app/translator/mappings/platforms/splunk/gcp_gcp.audit.yml
@@ -3,7 +3,7 @@ source: gcp_gcp.audit
 
 
 log_source:
-  source_type: [google:gcp:*]
+  sourcetype: [google:gcp:*]
 
 default_log_source:
   index: google:gcp:*
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/gcp_pubsub.yml b/uncoder-core/app/translator/mappings/platforms/splunk/gcp_pubsub.yml
@@ -3,7 +3,7 @@ source: gcp_pubsub
 
 
 log_source:
-  source_type: [google:gcp:*]
+  sourcetype: [google:gcp:*]
 
 default_log_source:
   index: google:gcp:*
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/linux_auditd.yml b/uncoder-core/app/translator/mappings/platforms/splunk/linux_auditd.yml
@@ -3,10 +3,10 @@ source: linux_auditd
 
 
 log_source:
-  source_type: [linux:audit]
+  sourcetype: [linux:audit]
 
 default_log_source:
-  source_type: linux:audit
+  sourcetype: linux:audit
 
 field_mapping:
   a0: a0
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/okta_okta.yml b/uncoder-core/app/translator/mappings/platforms/splunk/okta_okta.yml
@@ -3,10 +3,10 @@ source: okta_okta
 
 
 log_source:
-  source_type: [OktaIM2:*]
+  sourcetype: [OktaIM2:*]
 
 default_log_source:
-  source_type: OktaIM2:*
+  sourcetype: OktaIM2:*
 
 field_mapping:
   client.user.id: client.user.id
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_bits_client.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_bits_client.yml
@@ -2,10 +2,10 @@ platform: Splunk
 source: windows_bits_client
 
 log_source:
-  source_type: [XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational]
 
 default_log_source:
-  source_type: XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational
 
 field_mapping:
   LocalName: LocalName
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_dns_query.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_dns_query.yml
@@ -4,11 +4,11 @@ source: windows_dns_query
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   Image: Image
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_driver_load.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_driver_load.yml
@@ -4,11 +4,11 @@ source: windows_driver_load
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   ImageLoaded: ImageLoaded
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_access.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_access.yml
@@ -4,11 +4,11 @@ source: windows_file_access
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_change.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_change.yml
@@ -4,11 +4,11 @@ source: windows_file_change
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_create.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_create.yml
@@ -4,11 +4,11 @@ source: windows_file_create
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_delete.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_delete.yml
@@ -4,11 +4,11 @@ source: windows_file_delete
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_event.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_event.yml
@@ -4,11 +4,11 @@ source: windows_file_event
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_rename.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_rename.yml
@@ -4,11 +4,11 @@ source: windows_file_rename
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_image_load.yml
@@ -4,11 +4,11 @@ source: windows_image_load
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   Image: Image
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_ldap_debug.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_ldap_debug.yml
@@ -3,10 +3,10 @@ source: windows_ldap_debug
 
 
 log_source:
-  source_type: [XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug]
 
 default_log_source:
-  source_type: XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug
+  sourcetype: XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug
 
 field_mapping:
   EventID: EventID
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_network_connection.yml
@@ -4,11 +4,11 @@ source: windows_network_connection
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   Image: Image
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_ntlm.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_ntlm.yml
@@ -3,10 +3,10 @@ source: windows_ntlm
 
 
 log_source:
-  source_type: [XmlWinEventLog:Microsoft-Windows-NTLM/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-NTLM/Operational]
 
 default_log_source:
-  source_type: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
 
 field_mapping:
   WorkstationName: WorkstationName
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_registry_event.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_registry_event.yml
@@ -4,11 +4,11 @@ source: windows_registry_event
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   TargetObject: TargetObject
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_sysmon.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_sysmon.yml
@@ -3,11 +3,11 @@ source: windows_sysmon
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CommandLine: CommandLine
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_wmi_event.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_wmi_event.yml
@@ -3,10 +3,10 @@ source: windows_wmi_event
 
 
 log_source:
-  source_type: [XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational]
 
 default_log_source:
-  source_type: XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational
 
 field_mapping:
   Destination: Destination
diff --git a/uncoder-core/app/translator/platforms/splunk/mapping.py b/uncoder-core/app/translator/platforms/splunk/mapping.py
@@ -42,8 +42,8 @@ def prepare_log_source_signature(self, mapping: dict) -> SplunkLogSourceSignatur
         default_log_source = mapping["default_log_source"]
         return SplunkLogSourceSignature(
             sources=log_source.get("source"),
-            source_types=log_source.get("source_type"),
-            source_categories=log_source.get("source_category"),
+            source_types=log_source.get("sourcetype"),
+            source_categories=log_source.get("sourcecategory"),
             indices=log_source.get("index"),
             default_source=default_log_source,
         )
