From fd29a0500918f4c21cb4fc7c478a3877b79d3f1e Mon Sep 17 00:00:00 2001
From: Brandon Myers
Date: Wed, 6 Dec 2017 14:28:38 -0600
Subject: [PATCH] Fix cloudtrail alerts with camelcase keys

---
 alerts/cloudtrail_logging_disabled.py | 6 +++---
 tests/alerts/test_cloudtrail_deadman.py | 2 +-
 tests/alerts/test_cloudtrail_logging_disabled.py | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/alerts/cloudtrail_logging_disabled.py b/alerts/cloudtrail_logging_disabled.py
index 0920075a..324cff65 100644
--- a/alerts/cloudtrail_logging_disabled.py
+++ b/alerts/cloudtrail_logging_disabled.py
@@ -18,10 +18,10 @@ class AlertCloudtrailLoggingDisabled(AlertTask):
 search_query.add_must([
 TermMatch('_type', 'cloudtrail'),
- TermMatch('details.eventName', 'StopLogging'),
+ TermMatch('details.eventname', 'StopLogging'),
 ])
- search_query.add_must_not(TermMatch('details.errorCode', 'AccessDenied'))
+ search_query.add_must_not(TermMatch('details.errorcode', 'AccessDenied'))
 self.filtersManual(search_query)
 self.searchEventsSimple()
@@ -32,6 +32,6 @@ class AlertCloudtrailLoggingDisabled(AlertTask):
 tags = ['cloudtrail', 'aws', 'cloudtrailpagerduty']
 severity = 'CRITICAL'
- summary = 'Cloudtrail Logging Disabled: ' + event['_source']['details']['requestParameters']['name']
+ summary = 'Cloudtrail Logging Disabled: ' + event['_source']['details']['requestparameters']['name']
 return self.createAlertDict(summary, category, tags, [event], severity)
diff --git a/tests/alerts/test_cloudtrail_deadman.py b/tests/alerts/test_cloudtrail_deadman.py
index aef1db5c..ea14d113 100644
--- a/tests/alerts/test_cloudtrail_deadman.py
+++ b/tests/alerts/test_cloudtrail_deadman.py
@@ -14,7 +14,7 @@ class TestAlertCloudtrailDeadman(AlertTestSuite):
 "_type": "cloudtrail",
 "_source": {
 "details": {
- "eventName": "somename"
+ "eventname": "somename"
 }
 }
 }
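Review bot: In the onEvent hunk of alerts/cloudtrail_logging_disabled.py, `event['_source']['details']['requestparameters']['name']` still indexes the event directly, so a StopLogging event that matched the query but carries no `requestparameters` or `name` raises KeyError and the CRITICAL alert is never created — the detection fails open on exactly the malformed events worth seeing. Prefer a tolerant lookup, e.g. `name = event['_source']['details'].get('requestparameters', {}).get('name', 'unknown')` followed by `summary = 'Cloudtrail Logging Disabled: ' + name`. The commit also lowercases the fixture key in tests/alerts/test_cloudtrail_deadman.py while the diffstat shows no change to the deadman alert module itself; if that alert's query still references `details.eventName` it would now be out of sync with its fixture, which is worth confirming. The enclosing method starts outside the hunk.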
diff --git a/tests/alerts/test_cloudtrail_logging_disabled.py b/tests/alerts/test_cloudtrail_logging_disabled.py
index 056eacba..4de00de3 100644
--- a/tests/alerts/test_cloudtrail_logging_disabled.py
+++ b/tests/alerts/test_cloudtrail_logging_disabled.py
@@ -13,8 +13,8 @@ class TestAlertCloudtrailLoggingDisabled(AlertTestSuite):
 "_type": "cloudtrail",
 "_source": {
 "details": {
- "eventName": "StopLogging",
- "requestParameters": {
+ "eventname": "StopLogging",
+ "requestparameters": {
 "name": "cloudtrail_example_name"
 }
 }
@@ -61,7 +61,7 @@ class TestAlertCloudtrailLoggingDisabled(AlertTestSuite):
 )
 event = AlertTestSuite.create_event(default_event)
- event['_source']['details']['eventName'] = 'Badeventname'
+ event['_source']['details']['eventname'] = 'Badeventname'
 test_cases.append(
 NegativeAlertTestCase(
 description="Negative test case with bad eventName",
@@ -80,7 +80,7 @@ class TestAlertCloudtrailLoggingDisabled(AlertTestSuite):
 )
 event = AlertTestSuite.create_event(default_event)
- event['_source']['details']['errorCode'] = 'AccessDenied'
+ event['_source']['details']['errorcode'] = 'AccessDenied'
 test_cases.append(
 NegativeAlertTestCase(
 description="Negative test case with excluding errorCode",