Merge pull request #12423 from Security-Onion-Solutions/jppfiec

convert _x_ to . for soc ui to config

salt/soc/merged.map.jinja

@@ -66,6 +66,8 @@
 {%   do SOCMERGED.config.server.client.alerts.update({'actions': standard_actions}) %}
 {%   do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %}
 
+{# replace the _x_ with . for soc ui to config conversion #}
+{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.process': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_process') }) %}
 {% set standard_eventFields = SOCMERGED.config.pop('eventFields') %}
 {%   do SOCMERGED.config.server.client.hunt.update({'eventFields': standard_eventFields}) %}
 {%   do SOCMERGED.config.server.client.dashboards.update({'eventFields': standard_eventFields}) %}

salt/soc/soc_soc.yaml

@@ -55,10 +55,11 @@ soc:
       global: True
       forcedType: "[]{}"
     eventFields:
-      default:
+      default: &eventFields
-        description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. This 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
+        description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
         global: True
         advanced: True
+      ':endpoint:endpoint_x_events_x_process': *eventFields
     server:
       srvKey:
         description: Unique key for protecting the integrity of user submitted data via the web browser.