From 37d827dc45b556f7258a8f61a8d2fd2574757f7e Mon Sep 17 00:00:00 2001
From: renini
Date: Wed, 26 Jun 2024 19:56:00 +0200
Subject: [PATCH] Correct event.type ECS normalization
---
 aucoalesce/normalizations.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/aucoalesce/normalizations.yaml b/aucoalesce/normalizations.yaml
index ee6acbe..b7a5322 100644
--- a/aucoalesce/normalizations.yaml
+++ b/aucoalesce/normalizations.yaml
@@ -1230,7 +1230,7 @@ normalizations:
 what: service
 ecs:
 <<: *ecs-process
- type: stop
+ type: end
 # Auditd internal events
@@ -1251,7 +1251,7 @@ normalizations:
 what: service
 ecs:
 <<: *ecs-process
- type: stop
+ type: end
 # AUDIT_DAEMON_ACCEPT - Auditd accepted remote connection
 - record_types: DAEMON_ACCEPT
 action: remote-audit-connected
@@ -1287,7 +1287,7 @@ normalizations:
 what: service
 ecs:
 <<: *ecs-process
- type: stop
+ type: end
 # AUDIT_DAEMON_ERR - Auditd internal error
 - record_types: DAEMON_ERR
 action: audit-error
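Review bot: The three `type: end` replacements (hunks at 1230, 1251 and 1287) change a value that downstream consumers may filter on, yet the diffstat shows only normalizations.yaml touched, so nothing records the change for them. Detection rules or dashboards that select these records with `event.type: stop` would silently stop matching after an upgrade, and judging by the neighbouring comments two of the three entries sit in the auditd-internal section, where a stopped audit daemon is an event defenders usually want to see. If the project keeps a changelog, I would add a line such as `aucoalesce: event.type for service/daemon stop records is now "end" (was the non-ECS value "stop")`, and regenerate any expected-output fixtures for these record types in the same commit. Each mapping starts above its hunk, so the affected record types are inferred from context rather than visible here.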