From 1182ee2de2da9e368e3b5e1789e49f7b4aa7a5c3 Mon Sep 17 00:00:00 2001
From: John Tuckner
Date: Thu, 7 Mar 2019 10:43:22 -0600
Subject: [PATCH] added ala to makefile

---
 Makefile | 1 +
 tools/sigma/backends/ala.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index e25a3cc47..e078b0192 100644
--- a/Makefile
+++ b/Makefile
@@ -29,6 +29,7 @@ test-sigmac:
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t wdatp rules/ > /dev/null
+ coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-dsl rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t powershell -c tools/config/powershell-windows-all.yml -Ocsv rules/ > /dev/null
 coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
diff --git a/tools/sigma/backends/ala.py b/tools/sigma/backends/ala.py
index 48f27aeeb..30018bfe8 100644
--- a/tools/sigma/backends/ala.py
+++ b/tools/sigma/backends/ala.py
@@ -133,7 +133,7 @@ class AzureLogAnalyticsBackend(SingleTextQueryBackend):
 if self.service == "sysmon":
 self.table = "Event"
 self.eventid = value
- else:
+ elif self.service == "security":
 self.table = "SecurityEvent"
 elif type(value) in (str, int): # default value processing
 mapping = (key, self.default_value_mapping)
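Review bot: Narrowing the `else` to `elif self.service == "security"` in the ala.py hunk leaves no branch for any other `self.service` value (or an unset one), so an EventID mapping then sets neither `self.table` nor `self.eventid` and the chain falls through silently; the generated query would carry whatever table was set earlier, or none, without any signal that the service is unsupported. Since a silently mis-targeted query means a detection rule that never fires, close the chain explicitly, e.g. `else:` followed by `raise ValueError("Unsupported service for EventID mapping: %r" % self.service)` (or whatever error type this backend already uses for unsupported input), or at least a comment naming the services that are handled. The enclosing method starts and ends outside the hunk, so I cannot confirm whether `self.table` has a safe default elsewhere; if it does, a one-line comment on the `elif` saying so would settle it.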