Merge pull request #161 from UncoderIO/gis-8070

Gis 8070

Author: tarnopolskyi

uncoder-core/app/translator/mappings/platforms/splunk/aws_cloudtrail.yml

@@ -3,10 +3,10 @@ source: aws_cloudtrail
 
 
 log_source:
-  source_type: [aws:cloudtrail]
+  sourcetype: [aws:cloudtrail]
 
 default_log_source:
-  source_type: aws:cloudtrail
+  sourcetype: aws:cloudtrail
 
 field_mapping:
   eventSource: eventSource

uncoder-core/app/translator/mappings/platforms/splunk/aws_eks.yml

@@ -3,10 +3,10 @@ source: aws_eks
 
 
 log_source:
-  source_type: [aws:*]
+  sourcetype: [aws:*]
 
 default_log_source:
-  source_type: aws:*
+  sourcetype: aws:*
 
 field_mapping:
   annotations.authorization.k8s.io\/decision: annotations.authorization.k8s.io\/decision

uncoder-core/app/translator/mappings/platforms/splunk/azure_AzureDiagnostics.yml

@@ -3,10 +3,10 @@ source: azure_AzureDiagnostics
 
 
 log_source:
-  source_type: [azure:*]
+  sourcetype: [azure:*]
 
 default_log_source:
-  source_type: azure:*
+  sourcetype: azure:*
 
 field_mapping:
   ResultDescription: ResultDescription

uncoder-core/app/translator/mappings/platforms/splunk/azure_BehaviorAnalytics.yml

@@ -3,10 +3,10 @@ source: azure_BehaviorAnalytics
 
 
 log_source:
-  source_type: [azure:*]
+  sourcetype: [azure:*]
 
 default_log_source:
-  source_type: azure:*
+  sourcetype: azure:*
 
 field_mapping:
   ActionType: ActionType

uncoder-core/app/translator/mappings/platforms/splunk/azure_aadnoninteractiveusersigninlogs.yml

@@ -3,10 +3,10 @@ source: azure_aadnoninteractiveusersigninlogs
 
 
 log_source:
-  source_type: [azure:*]
+  sourcetype: [azure:*]
 
 default_log_source:
-  source_type: azure:*
+  sourcetype: azure:*
 
 field_mapping:
   UserAgent: UserAgent

uncoder-core/app/translator/mappings/platforms/splunk/azure_azureactivity.yml

@@ -3,10 +3,10 @@ source: azure_azureactivity
 
 
 log_source:
-  source_type: [mscs:azure:*, azure:*]
+  sourcetype: [mscs:azure:*, azure:*]
 
 default_log_source:
-  source_type: mscs:azure:*
+  sourcetype: mscs:azure:*
 
 field_mapping:
   ActivityStatus: ActivityStatus

uncoder-core/app/translator/mappings/platforms/splunk/azure_azuread.yml

@@ -3,10 +3,10 @@ source: azure_azuread
 
 
 log_source:
-  source_type: [azure:aad:*]
+  sourcetype: [azure:aad:*]
 
 default_log_source:
-  source_type: azure:aad:*
+  sourcetype: azure:aad:*
 
 field_mapping:
   ActivityDisplayName: ActivityDisplayName

uncoder-core/app/translator/mappings/platforms/splunk/azure_signinlogs.yml

@@ -3,10 +3,10 @@ source: azure_signinlogs
 
 
 log_source:
-  source_type: [azure:aad:*]
+  sourcetype: [azure:aad:*]
 
 default_log_source:
-  source_type: azure:aad:*
+  sourcetype: azure:aad:*
 
 field_mapping:
   AppDisplayName: AppDisplayName

uncoder-core/app/translator/mappings/platforms/splunk/firewall.yml

@@ -3,11 +3,11 @@ source: firewall
 
 
 log_source:
-  source_type: [fortigate_traffic]
+  sourcetype: [fortigate_traffic]
   index: [fortigate]
 
 default_log_source:
-  source_type: fortigate_traffic
+  sourcetype: fortigate_traffic
   index: fortigate
 
 field_mapping:

uncoder-core/app/translator/mappings/platforms/splunk/gcp_gcp.audit.yml

@@ -3,7 +3,7 @@ source: gcp_gcp.audit
 
 
 log_source:
-  source_type: [google:gcp:*]
+  sourcetype: [google:gcp:*]
 
 default_log_source:
   index: google:gcp:*

uncoder-core/app/translator/mappings/platforms/splunk/gcp_pubsub.yml

@@ -3,7 +3,7 @@ source: gcp_pubsub
 
 
 log_source:
-  source_type: [google:gcp:*]
+  sourcetype: [google:gcp:*]
 
 default_log_source:
   index: google:gcp:*

uncoder-core/app/translator/mappings/platforms/splunk/linux_auditd.yml

@@ -3,10 +3,10 @@ source: linux_auditd
 
 
 log_source:
-  source_type: [linux:audit]
+  sourcetype: [linux:audit]
 
 default_log_source:
-  source_type: linux:audit
+  sourcetype: linux:audit
 
 field_mapping:
   a0: a0

uncoder-core/app/translator/mappings/platforms/splunk/okta_okta.yml

@@ -3,10 +3,10 @@ source: okta_okta
 
 
 log_source:
-  source_type: [OktaIM2:*]
+  sourcetype: [OktaIM2:*]
 
 default_log_source:
-  source_type: OktaIM2:*
+  sourcetype: OktaIM2:*
 
 field_mapping:
   client.user.id: client.user.id

uncoder-core/app/translator/mappings/platforms/splunk/windows_bits_client.yml

@@ -2,10 +2,10 @@ platform: Splunk
 source: windows_bits_client
 
 log_source:
-  source_type: [XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational]
 
 default_log_source:
-  source_type: XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Bits-Client/Operational
 
 field_mapping:
   LocalName: LocalName

uncoder-core/app/translator/mappings/platforms/splunk/windows_dns_query.yml

@@ -4,11 +4,11 @@ source: windows_dns_query
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   Image: Image

uncoder-core/app/translator/mappings/platforms/splunk/windows_driver_load.yml

@@ -4,11 +4,11 @@ source: windows_driver_load
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   ImageLoaded: ImageLoaded

uncoder-core/app/translator/mappings/platforms/splunk/windows_file_access.yml

@@ -4,11 +4,11 @@ source: windows_file_access
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime

uncoder-core/app/translator/mappings/platforms/splunk/windows_file_change.yml

@@ -4,11 +4,11 @@ source: windows_file_change
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime

uncoder-core/app/translator/mappings/platforms/splunk/windows_file_create.yml

@@ -4,11 +4,11 @@ source: windows_file_create
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime

uncoder-core/app/translator/mappings/platforms/splunk/windows_file_delete.yml

@@ -4,11 +4,11 @@ source: windows_file_delete
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime

uncoder-core/app/translator/mappings/platforms/splunk/windows_file_event.yml

@@ -4,11 +4,11 @@ source: windows_file_event
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime

uncoder-core/app/translator/mappings/platforms/splunk/windows_file_rename.yml

@@ -4,11 +4,11 @@ source: windows_file_rename
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CreationUtcTime: CreationUtcTime

uncoder-core/app/translator/mappings/platforms/splunk/windows_image_load.yml

@@ -4,11 +4,11 @@ source: windows_image_load
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   Image: Image

uncoder-core/app/translator/mappings/platforms/splunk/windows_ldap_debug.yml

@@ -3,10 +3,10 @@ source: windows_ldap_debug
 
 
 log_source:
-  source_type: [XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug]
 
 default_log_source:
-  source_type: XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug
+  sourcetype: XmlWinEventLog:Microsoft-Windows-LDAP-Client/Debug
 
 field_mapping:
   EventID: EventID

uncoder-core/app/translator/mappings/platforms/splunk/windows_network_connection.yml

@@ -4,11 +4,11 @@ source: windows_network_connection
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   Image: Image

uncoder-core/app/translator/mappings/platforms/splunk/windows_ntlm.yml

@@ -3,10 +3,10 @@ source: windows_ntlm
 
 
 log_source:
-  source_type: [XmlWinEventLog:Microsoft-Windows-NTLM/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-NTLM/Operational]
 
 default_log_source:
-  source_type: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-NTLM/Operational
 
 field_mapping:
   WorkstationName: WorkstationName

uncoder-core/app/translator/mappings/platforms/splunk/windows_registry_event.yml

@@ -4,11 +4,11 @@ source: windows_registry_event
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   TargetObject: TargetObject

uncoder-core/app/translator/mappings/platforms/splunk/windows_sysmon.yml

@@ -3,11 +3,11 @@ source: windows_sysmon
 
 log_source:
   source: [WinEventLog:Microsoft-Windows-Sysmon/Operational]
-  source_type: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
 
 default_log_source:
   source: WinEventLog:Microsoft-Windows-Sysmon/Operational
-  source_type: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 
 field_mapping:
   CommandLine: CommandLine

uncoder-core/app/translator/mappings/platforms/splunk/windows_wmi_event.yml

@@ -3,10 +3,10 @@ source: windows_wmi_event
 
 
 log_source:
-  source_type: [XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational]
+  sourcetype: [XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational]
 
 default_log_source:
-  source_type: XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational
+  sourcetype: XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational
 
 field_mapping:
   Destination: Destination

uncoder-core/app/translator/platforms/splunk/mapping.py

@@ -42,8 +42,8 @@ def prepare_log_source_signature(self, mapping: dict) -> SplunkLogSourceSignatur
         default_log_source = mapping["default_log_source"]
         return SplunkLogSourceSignature(
             sources=log_source.get("source"),
-            source_types=log_source.get("source_type"),
-            source_categories=log_source.get("source_category"),
+            source_types=log_source.get("sourcetype"),
+            source_categories=log_source.get("sourcecategory"),
             indices=log_source.get("index"),
             default_source=default_log_source,
         )