Fixed config and added index field

* Added index field _index to backend implementation
* Fixed index values in config

tools/config/sumologic.yml

@@ -4,65 +4,51 @@
 logsources:
   linux:
     product: linux
-    index:
-      - _index=LINUX
+    index: LINUX
   linux-sshd:
     product: linux
     service: sshd
-    index:
-      - _index=LINUX
+    index: LINUX
   linux-auth:
     product: linux
     service: auth
-    index:
-      - _index=LINUX
+    index: LINUX
   linux-clamav:
     product: linux
     service: clamav
-    index:
-      - _index=LINUX
+    index: LINUX
   windows:
     product: windows
-    index:
-      - _index=WINDOWS
+    index: WINDOWS
   windows-sysmon:
     product: windows
     service: sysmon
     conditions:
       EventChannel: Microsoft-Windows-Sysmon
-    index:
-      - _index=WINDOWS
+    index: WINDOWS
   windows-security:
     product: windows
     service: security
     conditions:
       EventChannel: Security
-    index:
-      - _index=WINDOWS
+    index: WINDOWS
   windows-powershell:
     product: windows
     service: powershell
     conditions:
       EventChannel: Microsoft-Windows-Powershell
-    index:
-      - _index=WINDOWS
+    index: WINDOWS
   windows-system:
     product: windows
     service: system
     conditions:
       EventChannel: System
-    index:
-      - _index=WINDOWS
+    index: WINDOWS
   apache:
     product: apache
     service: apache
-    index:
-      - _index=WEBSERVER
+    index: WEBSERVER
   firewall:
     product: firewall
-    index:
-      - _index=FIREWALL
+    index: FIREWALL
 # if no index, search in all indexes
-defaultindex:
-# all mappings depends either on FER or on query parsing
-fieldmappings:

tools/sigma/backends/sumologic.py

@@ -31,6 +31,7 @@ class SumoLogicBackend(SingleTextQueryBackend):
     identifier = "sumologic"
     active = True
 
+    index_field = "_index"
     reEscape = re.compile('("|\\\\(?![*?]))')
     reClear = None
     andToken = " AND "