From 381c26fd94c8012f958a76789018796ff7ba4758 Mon Sep 17 00:00:00 2001
From: markoverholser <14033700+markoverholser@users.noreply.github.com>
Date: Tue, 19 Jul 2022 15:16:20 -0500
Subject: [PATCH] Fix issue with using `source:` on Zeek `files` log

Line 407 was `source: id.orig_h` so that people could use the word `source` as an alias to `id.orig_h`, however there is a literal field with the name `source` in the `files.log` for Zeek, so having a Sigma query with something like `source: 'SMTP'` would yield `id.orig_h='SMTP'` in the resulting Splunk translation, which is incorrect. It should be `source='SMTP'` Commenting out line 407 fixes this.
---
 tools/config/splunk-zeek.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/config/splunk-zeek.yml b/tools/config/splunk-zeek.yml
index c7c4920bf..ad24f9f3a 100644
--- a/tools/config/splunk-zeek.yml
+++ b/tools/config/splunk-zeek.yml
@@ -404,7 +404,7 @@ fieldmappings:
 - query
 - server_name
 service.response_code: status_code
- source: id.orig_h
+# source: id.orig_h
 SourceAddr: id.orig_h
 SourceAddress: id.orig_h
 SourceIP: id.orig_h
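Review bot: The replacement line `+# source: id.orig_h` is a bare commented-out key with no rationale, so a later contributor seeing the neighbouring `SourceAddr`/`SourceAddress`/`SourceIP` aliases is likely to re-add it. Replace it with a comment that records the reason, e.g. `# 'source' is intentionally not aliased to id.orig_h: Zeek files.log has a literal 'source' field (e.g. SMTP, HTTP) that the alias would silently rewrite.` Note also that any existing rule which relied on `source` meaning `id.orig_h` now passes through unmapped as a bare `source=...` with no warning from the converter, so the rule set that uses this config should be grepped for that usage before merging. Whether the comment sits at the same indentation as the surrounding keys cannot be seen in the collapsed hunk; it should, to keep yamllint's comment-indentation check clean.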