From 56c75302af5c9f7cfb0c6bf548a56fa002bffb53 Mon Sep 17 00:00:00 2001 
From: Dmytro <47281757+tarnopolskyi@users.noreply.github.com>
Date: Thu, 20 Jun 2024 14:26:46 +0200
Subject: [PATCH 1/2] update splunk maping render
---
 .../translator/mappings/platforms/splunk/aws_cloudtrail.yml | 4 ++--
 .../app/translator/mappings/platforms/splunk/aws_eks.yml | 4 ++--
 .../mappings/platforms/splunk/azure_AzureDiagnostics.yml | 4 ++--
 .../mappings/platforms/splunk/azure_BehaviorAnalytics.yml | 4 ++--
 .../splunk/azure_aadnoninteractiveusersigninlogs.yml | 4 ++--
 .../mappings/platforms/splunk/azure_azureactivity.yml | 4 ++--
 .../translator/mappings/platforms/splunk/azure_azuread.yml | 4 ++--
 .../translator/mappings/platforms/splunk/azure_signinlogs.yml | 4 ++--
 .../app/translator/mappings/platforms/splunk/firewall.yml | 4 ++--
 .../translator/mappings/platforms/splunk/gcp_gcp.audit.yml | 2 +-
 .../app/translator/mappings/platforms/splunk/gcp_pubsub.yml | 2 +-
 .../app/translator/mappings/platforms/splunk/linux_auditd.yml | 4 ++--
 .../app/translator/mappings/platforms/splunk/okta_okta.yml | 4 ++--
 .../mappings/platforms/splunk/windows_bits_client.yml | 4 ++--
 .../mappings/platforms/splunk/windows_dns_query.yml | 4 ++--
 .../mappings/platforms/splunk/windows_driver_load.yml | 4 ++--
 .../mappings/platforms/splunk/windows_file_access.yml | 4 ++--
 .../mappings/platforms/splunk/windows_file_change.yml | 4 ++--
 .../mappings/platforms/splunk/windows_file_create.yml | 4 ++--
 .../mappings/platforms/splunk/windows_file_delete.yml | 4 ++--
 .../mappings/platforms/splunk/windows_file_event.yml | 4 ++--
 .../mappings/platforms/splunk/windows_file_rename.yml | 4 ++--
 .../mappings/platforms/splunk/windows_image_load.yml | 4 ++--
 .../mappings/platforms/splunk/windows_ldap_debug.yml | 4 ++--
 .../mappings/platforms/splunk/windows_network_connection.yml | 4 ++--
 .../app/translator/mappings/platforms/splunk/windows_ntlm.yml | 4 ++--
 .../mappings/platforms/splunk/windows_registry_event.yml | 4 ++--
 .../translator/mappings/platforms/splunk/windows_sysmon.yml | 4 ++--
 .../mappings/platforms/splunk/windows_wmi_event.yml | 4 ++--
 uncoder-core/app/translator/platforms/splunk/mapping.py | 2 +-
 30 files changed, 57 insertions(+), 57 deletions(-)
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/aws_cloudtrail.yml b/uncoder-core/app/translator/mappings/platforms/splunk/aws_cloudtrail.yml
index acd62dbc..96bb06b8 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/aws_cloudtrail.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/aws_cloudtrail.yml
@@ -3,10 +3,10 @@ source: aws_cloudtrail
 log_source:
- source_type: [aws:cloudtrail]
+ sourcetype: [aws:cloudtrail]
 default_log_source:
- source_type: aws:cloudtrail
+ sourcetype: aws:cloudtrail
 field_mapping:
 eventSource: eventSource
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/aws_eks.yml b/uncoder-core/app/translator/mappings/platforms/splunk/aws_eks.yml
index 32302e30..38e225d7 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/aws_eks.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/aws_eks.yml
@@ -3,10 +3,10 @@ source: aws_eks
 log_source:
- source_type: [aws:*]
+ sourcetype: [aws:*]
 default_log_source:
- source_type: aws:*
+ sourcetype: aws:*
 field_mapping:
 annotations.authorization.k8s.io\/decision: annotations.authorization.k8s.io\/decision
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_AzureDiagnostics.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_AzureDiagnostics.yml
index 5cff60da..90fd75a1 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/azure_AzureDiagnostics.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/azure_AzureDiagnostics.yml
@@ -3,10 +3,10 @@ source: azure_AzureDiagnostics
 log_source:
- source_type: [azure:*]
+ sourcetype: [azure:*]
 default_log_source:
- source_type: azure:*
+ sourcetype: azure:*
 field_mapping:
 ResultDescription: ResultDescription
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_BehaviorAnalytics.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_BehaviorAnalytics.yml
index 379004da..e1f17620 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/azure_BehaviorAnalytics.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/azure_BehaviorAnalytics.yml
@@ -3,10 +3,10 @@ source: azure_BehaviorAnalytics
 log_source:
- source_type: [azure:*]
+ sourcetype: [azure:*]
 default_log_source:
- source_type: azure:*
+ sourcetype: azure:*
 field_mapping:
 ActionType: ActionType
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_aadnoninteractiveusersigninlogs.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_aadnoninteractiveusersigninlogs.yml
index 3e994fc5..ad6bb5eb 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/azure_aadnoninteractiveusersigninlogs.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/azure_aadnoninteractiveusersigninlogs.yml
@@ -3,10 +3,10 @@ source: azure_aadnoninteractiveusersigninlogs
 log_source:
- source_type: [azure:*]
+ sourcetype: [azure:*]
 default_log_source:
- source_type: azure:*
+ sourcetype: azure:*
 field_mapping:
 UserAgent: UserAgent
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_azureactivity.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_azureactivity.yml
index d3623983..337125f4 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/azure_azureactivity.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/azure_azureactivity.yml
@@ -3,10 +3,10 @@ source: azure_azureactivity
 log_source:
- source_type: [mscs:azure:*, azure:*]
+ sourcetype: [mscs:azure:*, azure:*]
 default_log_source:
- source_type: mscs:azure:*
+ sourcetype: mscs:azure:*
 field_mapping:
 ActivityStatus: ActivityStatus
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_azuread.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_azuread.yml
index 5f393c91..69e3d195 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/azure_azuread.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/azure_azuread.yml
@@ -3,10 +3,10 @@ source: azure_azuread
 log_source:
- source_type: [azure:aad:*]
+ sourcetype: [azure:aad:*]
 default_log_source:
- source_type: azure:aad:*
+ sourcetype: azure:aad:*
 field_mapping:
 ActivityDisplayName: ActivityDisplayName
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/azure_signinlogs.yml b/uncoder-core/app/translator/mappings/platforms/splunk/azure_signinlogs.yml
index 23b7569b..4f669d89 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/azure_signinlogs.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/azure_signinlogs.yml
@@ -3,10 +3,10 @@ source: azure_signinlogs
 log_source:
- source_type: [azure:aad:*]
+ sourcetype: [azure:aad:*]
 default_log_source:
- source_type: azure:aad:*
+ sourcetype: azure:aad:*
 field_mapping:
 AppDisplayName: AppDisplayName
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/firewall.yml b/uncoder-core/app/translator/mappings/platforms/splunk/firewall.yml
index f40ef682..ed886d9c 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/firewall.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/firewall.yml
@@ -3,11 +3,11 @@ source: firewall
 log_source:
- source_type: [fortigate_traffic]
+ sourcetype: [fortigate_traffic]
 index: [fortigate]
 default_log_source:
- source_type: fortigate_traffic
+ sourcetype: fortigate_traffic
 index: fortigate
 field_mapping:
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/gcp_gcp.audit.yml b/uncoder-core/app/translator/mappings/platforms/splunk/gcp_gcp.audit.yml
index ef92fb58..be54b882 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/gcp_gcp.audit.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/gcp_gcp.audit.yml
@@ -3,7 +3,7 @@ source: gcp_gcp.audit
 log_source:
- source_type: [google:gcp:*]
+ sourcetype: [google:gcp:*]
 default_log_source:
 index: google:gcp:*
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/gcp_pubsub.yml b/uncoder-core/app/translator/mappings/platforms/splunk/gcp_pubsub.yml
index 7ab8483c..dbfd2736 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/gcp_pubsub.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/gcp_pubsub.yml
@@ -3,7 +3,7 @@ source: gcp_pubsub
 log_source:
- source_type: [google:gcp:*]
+ sourcetype: [google:gcp:*]
 default_log_source:
 index: google:gcp:*
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/linux_auditd.yml b/uncoder-core/app/translator/mappings/platforms/splunk/linux_auditd.yml
index ee3ac161..afd115b0 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/linux_auditd.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/linux_auditd.yml
@@ -3,10 +3,10 @@ source: linux_auditd
 log_source:
- source_type: [linux:audit]
+ sourcetype: [linux:audit]
 default_log_source:
- source_type: linux:audit
+ sourcetype: linux:audit
 field_mapping:
 a0: a0
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/okta_okta.yml b/uncoder-core/app/translator/mappings/platforms/splunk/okta_okta.yml
index 3ee6d0e1..3f55621f 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/okta_okta.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/okta_okta.yml
@@ -3,10 +3,10 @@ source: okta_okta
 log_source:
- source_type: [OktaIM2:*]
+ sourcetype: [OktaIM2:*]
 default_log_source:
- source_type: OktaIM2:*
+ sourcetype: OktaIM2:*
 field_mapping:
 client.user.id: client.user.id
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_bits_client.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_bits_client.yml
index 014287eb..babbd610 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_bits_client.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_bits_client.yml
@@ -2,10 +2,10 @@ platform: Splunk
 source: windows_bits_client
 log_source:
- source_type: [XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational]
 default_log_source:
- source_type: XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational
 field_mapping:
 LocalName: LocalName
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_dns_query.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_dns_query.yml
index 698e62cc..d8e40100 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_dns_query.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_dns_query.yml
@@ -4,11 +4,11 @@ source: windows_dns_query
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 Image: Image
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_driver_load.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_driver_load.yml
index f8248b8e..86b76510 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_driver_load.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_driver_load.yml
@@ -4,11 +4,11 @@ source: windows_driver_load
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 ImageLoaded: ImageLoaded
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_access.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_access.yml
index 5c1c64f2..48ab5786 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_access.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_access.yml
@@ -4,11 +4,11 @@ source: windows_file_access
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_change.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_change.yml
index 0114b7e0..f45393aa 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_change.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_change.yml
@@ -4,11 +4,11 @@ source: windows_file_change
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_create.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_create.yml
index d9b0d8c0..485ea463 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_create.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_create.yml
@@ -4,11 +4,11 @@ source: windows_file_create
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_delete.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_delete.yml
index 8b82cc38..13660235 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_delete.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_delete.yml
@@ -4,11 +4,11 @@ source: windows_file_delete
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_event.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_event.yml
index 278b9b30..ed0855d3 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_event.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_event.yml
@@ -4,11 +4,11 @@ source: windows_file_event
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_rename.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_rename.yml
index 10390535..dae50085 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_rename.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_file_rename.yml
@@ -4,11 +4,11 @@ source: windows_file_rename
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 CreationUtcTime: CreationUtcTime
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_image_load.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_image_load.yml
index 8f427639..3cc22f55 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_image_load.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_image_load.yml
@@ -4,11 +4,11 @@ source: windows_image_load
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 Image: Image
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_ldap_debug.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_ldap_debug.yml
index 8fc85d34..f8241ba4 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_ldap_debug.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_ldap_debug.yml
@@ -3,10 +3,10 @@ source: windows_ldap_debug
 log_source:
- source_type: [XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug]
 default_log_source:
- source_type: XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug
+ sourcetype: XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug
 field_mapping:
 EventID: EventID
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_network_connection.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_network_connection.yml
index d8260810..7a92b32c 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_network_connection.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_network_connection.yml
@@ -4,11 +4,11 @@ source: windows_network_connection
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 Image: Image
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_ntlm.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_ntlm.yml
index 3ea2c8ea..7902c0fe 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_ntlm.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_ntlm.yml
@@ -3,10 +3,10 @@ source: windows_ntlm
 log_source:
- source_type: [XmlWinEventLog:Microsoft-Windows-NTLM/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-NTLM/Operational]
 default_log_source:
- source_type: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
 field_mapping:
 WorkstationName: WorkstationName
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_registry_event.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_registry_event.yml
index 8cbe38f3..a2169567 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_registry_event.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_registry_event.yml
@@ -4,11 +4,11 @@ source: windows_registry_event
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 TargetObject: TargetObject
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_sysmon.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_sysmon.yml
index a361471a..89bf98e0 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_sysmon.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_sysmon.yml
@@ -3,11 +3,11 @@ source: windows_sysmon
 log_source:
 source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
- source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 default_log_source:
 source: WinEventLog:Microsoft-Windows-Sysmon/Operational
- source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 field_mapping:
 CommandLine: CommandLine
diff --git a/uncoder-core/app/translator/mappings/platforms/splunk/windows_wmi_event.yml b/uncoder-core/app/translator/mappings/platforms/splunk/windows_wmi_event.yml
index 5e1e47bd..b1e415d0 100644
--- a/uncoder-core/app/translator/mappings/platforms/splunk/windows_wmi_event.yml
+++ b/uncoder-core/app/translator/mappings/platforms/splunk/windows_wmi_event.yml
@@ -3,10 +3,10 @@ source: windows_wmi_event
 log_source:
- source_type: [XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational]
+ sourcetype: [XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational]
 default_log_source:
- source_type: XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational
+ sourcetype: XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational
 field_mapping:
 Destination: Destination
diff --git a/uncoder-core/app/translator/platforms/splunk/mapping.py b/uncoder-core/app/translator/platforms/splunk/mapping.py
index 2f9c4a8d..76660d9d 100644
--- a/uncoder-core/app/translator/platforms/splunk/mapping.py
+++ b/uncoder-core/app/translator/platforms/splunk/mapping.py
@@ -42,7 +42,7 @@ def prepare_log_source_signature(self, mapping: dict) -> SplunkLogSourceSignatur
 default_log_source = mapping["default_log_source"]
 return SplunkLogSourceSignature(
 sources=log_source.get("source"),
- source_types=log_source.get("source_type"),
+ source_types=log_source.get("sourcetype"),
 source_categories=log_source.get("source_category"),
 indices=log_source.get("index"),
 default_source=default_log_source,
From 1b5cfdf79a9f8a3496bc472eab13f9e350d00b90 Mon Sep 17 00:00:00 2001
From: Dmytro <47281757+tarnopolskyi@users.noreply.github.com>
Date: Thu, 20 Jun 2024 14:46:31 +0200
Subject: [PATCH 2/2] update splunk maping render
---
 uncoder-core/app/translator/platforms/splunk/mapping.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/uncoder-core/app/translator/platforms/splunk/mapping.py b/uncoder-core/app/translator/platforms/splunk/mapping.py
index 76660d9d..1851b8af 100644
--- a/uncoder-core/app/translator/platforms/splunk/mapping.py
+++ b/uncoder-core/app/translator/platforms/splunk/mapping.py
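Review bot: `source_types=log_source.get("sourcetype")` on the added line returns None for any mapping that still spells the key `source_type`, so a stale mapping silently loses its sourcetype constraint instead of failing, which presumably leaves the rendered Splunk search less scoped than the detection author intended. The 29 YAML mappings renamed earlier in this series are covered, so this only affects mappings that are not part of the series, if such exist. Failing loudly would be safer than a silent None, e.g. `if "source_type" in log_source: raise ValueError("Splunk mapping uses removed key 'source_type'; use 'sourcetype'")` placed before the `return`, or, if a transition period is wanted, `source_types=log_source.get("sourcetype", log_source.get("source_type")),`. prepare_log_source_signature is visible only through the `@@` header, so where `log_source` is bound lies above the hunk.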
@@ -43,7 +43,7 @@ def prepare_log_source_signature(self, mapping: dict) -> SplunkLogSourceSignatur
 return SplunkLogSourceSignature(
 sources=log_source.get("source"),
 source_types=log_source.get("sourcetype"),
- source_categories=log_source.get("source_category"),
+ source_categories=log_source.get("sourcecategory"),
 indices=log_source.get("index"),
 default_source=default_log_source,
 )
pFad - Phonifier reborn
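Review bot: The lookup on the added line now reads `sourcecategory`, but none of the 29 mapping files changed in patch 1 sets either `source_category` or `sourcecategory`, and this patch touches only mapping.py, so whether any existing mapping still uses the old spelling cannot be confirmed from the series; if one does, `.get` yields None and the category constraint silently disappears from the rendered query. A search for `source_category` under the Splunk mappings directory before merging would settle it, or the line can accept both spellings during the transition: `source_categories=log_source.get("sourcecategory", log_source.get("source_category")),`. How SplunkLogSourceSignature consumes `default_source`, passed two lines below, is outside this diff, so whether it also depends on the renamed key names cannot be checked here. The enclosing method begins above the hunk.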
