From 664669ae3d1476c8bc0d74f997bddee077920231 Mon Sep 17 00:00:00 2001
From: Alex Kinnane <17098249+akinnane@users.noreply.github.com>
Date: Fri, 10 Mar 2023 15:58:02 +0000
Subject: [PATCH] Narrow CodeScanning eventtypes again

Narrow CodeScanning eventtype definition. In PR https://github.com/splunk/github_app_for_splunk/pull/35 @leftrightleft narrowed the eventtype for CodeScanning events but then was (accidently?) reverted by https://github.com/splunk/github_app_for_splunk/pull/37. This change narrows the eventtype again.
---
 github_app_for_splunk/default/eventtypes.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/github_app_for_splunk/default/eventtypes.conf b/github_app_for_splunk/default/eventtypes.conf
index e46971e..47e3b42 100644
--- a/github_app_for_splunk/default/eventtypes.conf
+++ b/github_app_for_splunk/default/eventtypes.conf
@@ -5,7 +5,7 @@ search = `github_webhooks` ref_type=branch
 search = `github_source` action=* sourcetype="github:enterprise:audit" OR sourcetype="github_audit"
 
 [GitHub::CodeScanning]
-search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "alert.created_at"=*
+search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "commit_oid"=*
 
 [GitHub::CodeVulnerability]
 search = `github_webhooks` (eventtype="GitHub::CodeScanning") "alert.html_url"="*/security/code-scanning/*"
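Review bot: The new `"commit_oid"=*` test on `[GitHub::CodeScanning]` may silently drop the `closed_by_user` and `reopened_by_user` events that the same `action IN (...)` list still names. As far as I recall GitHub's webhook documentation, `commit_oid` is empty for those two user-triggered actions, and an empty value would likely not satisfy `=*` in Splunk. Those are the alert dismissal and reopen events, and `[GitHub::CodeVulnerability]` in the same hunk builds on this eventtype, so it would lose them too. Please confirm against sample payloads for those actions; if the field is empty there, a field that is populated on every code-scanning alert, for example `"alert.tool.name"=*`, would keep them. Since the description says this narrowing was already reverted once, a comment above the stanza such as `# Keep the code-scanning-specific field test here; see PR #35 and PR #37 before widening` would help prevent a repeat.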