diff --git a/.gitignore b/.gitignore
index fc04d59..93aee7d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 
 .DS_Store
 /.idea/
+pcaps/edited_syslog.pcap
+pcaps/zeek*
diff --git a/.gitpod.yml b/.gitpod.yml
index fecb6c9..93e775e 100644
--- a/.gitpod.yml
+++ b/.gitpod.yml
@@ -16,10 +16,17 @@ tasks:
     init: python3 scripts/get_pcap.py
   
   - name: download docker images
-    init: docker-compose pull 
+    init: docker-compose build && docker-compose pull
 
   - name: start services
-    command: docker-compose up -d
+    command: |
+      if [[ -z "$SUBMIT_CONNECTORS" ]]; then
+        docker-compose up -d
+        echo "Started without connectors"
+      else
+        docker-compose -f docker-compose.yml -f kafka-connect/submit-connectors.yml up -d
+        echo "Started with connectors"
+      fi
 
 ports:
 
diff --git a/README.md b/README.md
index 1c6f56d..c241d97 100644
--- a/README.md
+++ b/README.md
@@ -11,9 +11,11 @@ The examples in this repository give you hands-on experience optimizing Security
 This demo runs best using Gitpod. Gitpod uses your existing git service account (GitHub, Gitlab, or BitBucket) for authentication. See the [gitpod tips](./instructions/gitpod-tips.md) to get acquainted with gitpod.
 
 **Launch a workspace** to get hands-on with the labs:
-- (if demo not in confluentinc yet) https://gitpod.io/#https://github.com/chuck-confluent/demo-siem-optimization
 - https://gitpod.io/#https://github.com/confluentinc/demo-siem-optimization
 
+If you want to launch a workspace that **automatically submits all connectors**, use this link instead:
+- https://gitpod.io/#SUBMIT_CONNECTORS=true/https://github.com/confluentinc/demo-siem-optimization
+
 If you want to run locally or in a different environment, see the [appendix](./instructions/appendix.md).
 
 ### Hands-On Lab Instructions
@@ -43,4 +45,6 @@ Run through entire end-to-end demo to get the big picture. Zoom in on the indivi
 
 ### Confluent Sigma
 
-- https://github.com/michaelpeacock/kafka-sigma-streams
+
+- https://github.com/confluentinc/cyber/tree/master/confluent-sigma
+
diff --git a/docker-compose.yml b/docker-compose.yml
index eeae036..6fe6ccc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -25,18 +25,16 @@ services:
       KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181'
       KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT
       KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://broker:29092,PLAINTEXT_HOST://localhost:9092
-      KAFKA_METRIC_REPORTERS: io.confluent.metrics.reporter.ConfluentMetricsReporter
       KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
       KAFKA_AUTO_CREATE_TOPICS_ENABLE: "true"
       KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
       KAFKA_CONFLUENT_LICENSE_TOPIC_REPLICATION_FACTOR: 1
+      KAFKA_CONFLUENT_REPORTERS_TELEMETRY_AUTO_ENABLE: 'false'
+      KAFKA_CONFLUENT_BALANCER_ENABLE: 'false'
+      KAFKA_CONFLUENT_SCHEMA_REGISTRY_URL: http://schema-registry:8081
       KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
       KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
       KAFKA_JMX_PORT: 9101
-      KAFKA_CONFLUENT_SCHEMA_REGISTRY_URL: http://schema-registry:8081
-      CONFLUENT_METRICS_REPORTER_BOOTSTRAP_SERVERS: broker:29092
-      CONFLUENT_METRICS_REPORTER_TOPIC_REPLICAS: 1
-      CONFLUENT_METRICS_ENABLE: 'true'
       CONFLUENT_SUPPORT_CUSTOMER_ID: 'anonymous'
 
   schema-registry:
@@ -52,7 +50,7 @@ services:
       SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: 'broker:29092'
 
   connect:
-    image: confluentinc/cp-server-connect-base:latest
+    build: kafka-connect
     hostname: connect
     container_name: connect
     user: root
@@ -81,22 +79,14 @@ services:
       CONNECT_OFFSET_FLUSH_INTERVAL_MS: 10000
       CONNECT_KEY_CONVERTER: org.apache.kafka.connect.storage.StringConverter
       # CONNECT_KEY_CONVERTER: io.confluent.connect.avro.AvroConverter
-      # ^^ From Johnny's docker-compose.yml file
       CONNECT_VALUE_CONVERTER: io.confluent.connect.avro.AvroConverter
       CONNECT_VALUE_CONVERTER_SCHEMA_REGISTRY_URL: http://schema-registry:8081
       CONNECT_INTERNAL_KEY_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"
       CONNECT_INTERNAL_VALUE_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"
-      # CLASSPATH required due to CC-2422
-      CLASSPATH: /usr/share/java/monitoring-interceptors/monitoring-interceptors-latest.jar
-      CONNECT_PRODUCER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringProducerInterceptor"
-      CONNECT_CONSUMER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringConsumerInterceptor"
       CONNECT_PLUGIN_PATH: "/usr/share/java,/usr/share/confluent-hub-components"
       CONNECT_LOG4J_LOGGERS: org.apache.zookeeper=ERROR,org.I0Itec.zkclient=ERROR,org.reflections=ERROR
     volumes:
       - ./spooldir/:/var/spooldir/
-      - ./scripts/:/tmp/scripts/
-    command:
-      - /tmp/scripts/startKafkaConnectComponents.sh
 
   control-center:
     image: confluentinc/cp-enterprise-control-center:latest
@@ -113,14 +103,16 @@ services:
     environment:
       CONTROL_CENTER_BOOTSTRAP_SERVERS: 'broker:29092'
       CONTROL_CENTER_CONNECT_CONNECT-DEFAULT_CLUSTER: 'connect:8083'
+      # The control center server connects to ksqlDB through the docker network
       CONTROL_CENTER_KSQL_KSQLDB1_URL: "http://ksqldb-server:8088"
+      # If running in Gitpod, your browser must connect to ksqlDB via Gitpod's proxy URL
       CONTROL_CENTER_KSQL_KSQLDB1_ADVERTISED_URL: https://8088-${GITPOD_WORKSPACE_ID}.${GITPOD_WORKSPACE_CLUSTER_HOST}
+      # If running locally, your browser must connect to ksqlDB through localhost 8088. Comment out the above line and uncomment the line below.
+      # CONTROL_CENTER_KSQL_KSQLDB1_ADVERTISED_URL: https://localhost:8088
       CONTROL_CENTER_SCHEMA_REGISTRY_URL: "http://schema-registry:8081"
       CONTROL_CENTER_REPLICATION_FACTOR: 1
       CONTROL_CENTER_INTERNAL_TOPICS_PARTITIONS: 1
-      CONTROL_CENTER_MONITORING_INTERCEPTOR_TOPIC_PARTITIONS: 1
-      CONFLUENT_METRICS_TOPIC_REPLICATION: 1
-      PORT: 9021
+      CONTROL_CENTER_MODE_ENABLE: "management"
 
   ksqldb-server:
     image: confluentinc/cp-ksqldb-server:latest
@@ -132,7 +124,7 @@ services:
     ports:
       - "8088:8088"
     volumes:
-      - ./ksql-extension:/etc/ksql-extension/
+      - ./ksqlDB/ksql-extension:/etc/ksql-extension/
       - ./mmdb:/opt/mmdb/
     environment:
       KSQL_CONFIG_DIR: "/etc/ksql"
@@ -144,8 +136,6 @@ services:
       KSQL_LISTENERS: "http://0.0.0.0:8088"
       KSQL_CACHE_MAX_BYTES_BUFFERING: 0
       KSQL_KSQL_SCHEMA_REGISTRY_URL: "http://schema-registry:8081"
-      KSQL_PRODUCER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringProducerInterceptor"
-      KSQL_CONSUMER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringConsumerInterceptor"
       KSQL_KSQL_CONNECT_URL: "http://connect:8083"
       KSQL_KSQL_HIDDEN_TOPICS: '^_.*'
       KSQL_KSQL_LOGGING_PROCESSING_STREAM_AUTO_CREATE: "true"
@@ -161,7 +151,7 @@ services:
     entrypoint: /bin/sh
     tty: true
     volumes:
-      - ./ksqldb_scripts:/ksqldb_scripts
+      - ./ksqlDB/queries:/queries
 
   # See https://github.com/berthayes/zeek-tcpreplay-kafka
   zeek-streamer:
@@ -175,8 +165,7 @@ services:
     volumes:
       - ./scripts/init_dummy.sh:/init_dummy.sh
       - ./pcaps:/pcaps
-      - ./local.zeek:/usr/local/zeek/share/zeek/site/local.zeek
-      - ./send-to-kafka.zeek:/usr/local/zeek/share/zeek/site/send-to-kafka.zeek
+      - ./zeek:/usr/local/zeek/share/zeek/site
     cap_add:
       - NET_ADMIN
 
@@ -221,22 +210,23 @@ services:
       - 8000:8000
       - 8090:8090
     volumes:
-      - ./default.yml:/tmp/defaults/default.yml
+      - ./splunk/default.yml:/tmp/defaults/default.yml
+      - ./splunk/splunk-search/:/opt/splunk/etc/apps/splunk-search
 
   splunk_uf1:
-      image: splunk/universalforwarder:latest
+      image: splunk/universalforwarder:8.2.1
       hostname: splunk_uf1
       container_name: splunk_uf1
       depends_on:
         - connect
       environment:
-        - SPLUNK_START_ARGS=--accept-license
+        - SPLUNK_START_ARGS=--accept-license --answer-yes --no-prompt
         - SPLUNK_PASSWORD=dingdong
         - SPLUNK_APPS_URL=https://raw.githubusercontent.com/JohnnyMirza/confluent_splunk_demo/main/splunk-add-on-for-cisco-asa_410.tgz
       volumes:
-        - $PWD/splunk-uf1/:/opt/splunkforwarder/etc/apps/splunk-uf1/
+        - ./splunk/splunk-uf1/:/opt/splunkforwarder/etc/apps/splunk-uf1/
       ports:
-        - 3333:3333
+        - "3333"
 
   splunk_eventgen:
     image: guilhemmarchand/splunk-eventgen:latest
@@ -244,7 +234,7 @@ services:
     restart: unless-stopped
     user: 'root'
     volumes:
-      - $PWD/splunk-eventgen/:/opt/splunk-eventgen
+      - ./splunk/splunk-eventgen/:/opt/splunk-eventgen
     ports:
       - 6379:6379
       - 9500:9500
@@ -262,7 +252,7 @@ services:
       - ksqldb-server
     hostname: cyber-sigma-streams
     volumes:
-      - $PWD/scripts/:/tmp/config
+      - ./sigma:/tmp/config
     command:
       - bash
       - -c
@@ -273,7 +263,7 @@ services:
         sleep infinity
 
   cyber-sigma-regex-ui:
-    image: michaelpeacock/confluent-sigma-regex-ui:v2_1
+    image: michaelpeacock/confluent-sigma-regex-ui:latest
     container_name: cyber-sigma-regex-ui
     depends_on:
       - broker
diff --git a/elastic-connect.json b/elastic-connect.json
deleted file mode 100644
index 0e5da4a..0000000
--- a/elastic-connect.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
-  "name": "ElasticsearchSinkConnectorConnector_0",
-  "config": {
-    "name": "ElasticsearchSinkConnectorConnector_0",
-    "connector.class": "io.confluent.connect.elasticsearch.ElasticsearchSinkConnector",
-    "tasks.max": "1",
-    "topics": "DNS_AVRO",
-    "connection.url": "http://elasticsearch:9200",
-    "key.ignore": "true"
-  }
-}
\ No newline at end of file
diff --git a/instructions/00-executive-demo.md b/instructions/00-executive-demo.md
index 200a1ed..c9037da 100644
--- a/instructions/00-executive-demo.md
+++ b/instructions/00-executive-demo.md
@@ -107,7 +107,7 @@ Back in Gitpod, open Confluent Control Center by launching a new tab for port `9
 
 ### Filter and Enrich the DNS Stream
 
-> Let's use Confluent to optimize your data and look for threats upstream of your SIEM. We're going to use Confluent's stream processing database ksqlDB to filter, enrich, and aggregate these data streams in real-time. 
+> Let's use Confluent to optimize your data and look for threats upstream of your SIEM. We're going to use Confluent's stream processing capability ksqlDB to filter, enrich, and aggregate these data streams in real-time. 
 
 2. Create the `conn_stream` in the KSQL editor.
 
@@ -520,7 +520,7 @@ EMIT CHANGES;
 
 5. In the terminal, execute
     ```bash
-    ./scripts/submit_splunk_sink.sh
+    ./scripts/submit-connector.sh kafka-connect/connectors/splunk-sink.json
     ```
 
 6. Go to the Connect cluster in Control Center.
@@ -547,7 +547,7 @@ EMIT CHANGES;
 
 1. In the terminal, submit the connector and then go to Connect -> connectors in Control Center:
     ```bash
-    ./scripts/submit_elastic_sink.sh
+    ./scripts/submit-connector.sh kafka-connect/connectors/elastic-sink.json
     ```
 
 > You can now see we have a connector sending data to Elastic. Lets head over to Elastic to verify that its getting in.
diff --git a/instructions/01-introduction.md b/instructions/01-introduction.md
index bd20ab3..38bd7f8 100644
--- a/instructions/01-introduction.md
+++ b/instructions/01-introduction.md
@@ -21,4 +21,9 @@ This lab environment is a network of Docker containers. There is a Splunk event
 
 ## What next?
 
-Go to 
\ No newline at end of file
+- For a comprehensive, end-to-end demo, go to the [Executive Demonstration](./00-executive-demo.ms)
+- To explore different use cases, see the other small hands-on labs:
+  - [Analyze Syslog Data in Real Time with ksqlDB](./instructions/02-syslog.md)
+  - [Calculate Hourly Bandwidth Usage By Host with ksqlDB](./instructions/03-bandwidth.md)
+  - [Match Hostnames in a Watchlist Against Streaming DNS Data](./instructions/04-watchlist.md)
+  - [Filter SSL Transactions and Enrich with Geospatial Data](./instructions/05-ssl.md)
\ No newline at end of file
diff --git a/instructions/02-syslog.md b/instructions/02-syslog.md
index a190a8d..92f6784 100644
--- a/instructions/02-syslog.md
+++ b/instructions/02-syslog.md
@@ -20,6 +20,13 @@ The Syslog connector is listening on port 5140/UDP.
 
 0. Open Confluent Control Center by launching a new tab for port `9021` (see [Gitpod tips](./gitpod-tips.md) if running in Gitpod).
 
+1. If it's not running already, create the syslog connector:
+   - Navigate to the connect cluster in Confluent Control Center.
+   - Select "add connector"
+   - Select "SyslogSourceConnector"
+   - Set `syslog.listener` to `UDP` and `syslog.port` to `5140`.
+   - Submit the connector.
+
 1.  Go to the ksqlDB editor in Create a stream from the syslog data with the following ksqlDB query:
 
     ```sql
diff --git a/instructions/04-watchlist.md b/instructions/04-watchlist.md
index f93b2f6..bc69ac2 100644
--- a/instructions/04-watchlist.md
+++ b/instructions/04-watchlist.md
@@ -20,9 +20,9 @@ id,dateadded,domain,source
 ```
 To ingest this CSV file into a new topic and automatically create a schema for that topic, start a new Spooldir connector to watch for this source.  If you have CLI access, you can run:
 ```
-./scripts/submit_adhosts_spooldir.sh
+./scripts/submit-connector.sh kafka-connect/connectors/spooldir-source-adhosts.json
 ```
-Or you can upload the ```./scripts/adhosts_spooldir.json``` file by clicking "Upload connector config file" from within the Confluent Control Center UI.
+Or you can upload the ```kafka-connect/connectors/spooldir-source-adhosts.json``` file by clicking "Upload connector config file" from within the Confluent Control Center UI.
 
 Once this is started, or if it had already been started, the `ad_hosts.csv` file moves to:
 ```
diff --git a/instructions/appendix.md b/instructions/appendix.md
index 9d16965..444d1d8 100644
--- a/instructions/appendix.md
+++ b/instructions/appendix.md
@@ -10,16 +10,26 @@
 
 ### Configuring the demo environment
 
-- Running a really big pcap [optional]
-  - The packet capture file included in this repository features DNS exfiltration (among other things), but will repeat itself after a few minutes.  This can be tiresome during a live demo or workshop.
-  - Run ```python3 scripts/get_pcap.py``` script to download a 1GB/1hr playback pcap.
+1. Run ```python3 scripts/get_pcap.py``` script to download a 1GB/1hr playback pcap.
  
 
-- Configure Control Center's ksqlDB advertised listener
-  - You need to advertise the correct hostname for the ksqlDB server to ensure that the ksqlDB editor in Confluent Control Center can communicate with the ksqlDB server. 
-  - In the `docker-compose.yml` file, change the value of  `CONTROL_CENTER_KSQL_KSQLDB1_ADVERTISED_URL` to `http://localhost:8088` if running locally, or to whatever the public DNS hostname is for your EC2 instance.
+1. Configure Control Center's ksqlDB advertised listener
+    - You need to advertise the correct hostname for the ksqlDB server to ensure that the ksqlDB editor in Confluent Control Center can communicate with the ksqlDB server. 
+    - In the `docker-compose.yml` file, change the value of  `CONTROL_CENTER_KSQL_KSQLDB1_ADVERTISED_URL` to `http://localhost:8088` if running locally, or to whatever the public DNS hostname is for your VM instance.
   
 ### Starting the demo
-- Run ```docker-compose up -d```
+
+To run the demo without automatically submitting connectors, run
+```bash
+docker-compose up -d
+```
+
+If you would like to run it with connectors submitted automatically, run
+```bash
+docker-compose \
+  -f docker-compose.yml \
+  -f kafka-connect/submit-connectors.yml \
+    up -d
+```
 
 If you are using sudo with docker-compose then you will likely need to use the -E option to sudo so it inherits your environmental variables so the last command will become ```sudo -E docker-compose up -d```
diff --git a/kafka-connect/Dockerfile b/kafka-connect/Dockerfile
new file mode 100644
index 0000000..658a671
--- /dev/null
+++ b/kafka-connect/Dockerfile
@@ -0,0 +1,8 @@
+FROM confluentinc/cp-server-connect-base:latest
+
+# Install connectors
+RUN confluent-hub install --no-prompt confluentinc/kafka-connect-elasticsearch:latest && \
+    confluent-hub install --no-prompt splunk/kafka-connect-splunk:latest && \
+    confluent-hub install --no-prompt confluentinc/kafka-connect-splunk-s2s:latest && \
+    confluent-hub install --no-prompt jcustenborder/kafka-connect-spooldir:latest && \
+    confluent-hub install --no-prompt confluentinc/kafka-connect-syslog:latest
\ No newline at end of file
diff --git a/kafka-connect/connectors/elastic-sink.json b/kafka-connect/connectors/elastic-sink.json
new file mode 100644
index 0000000..856c61d
--- /dev/null
+++ b/kafka-connect/connectors/elastic-sink.json
@@ -0,0 +1,17 @@
+{
+    "name": "ElasticsearchSinkConnectorConnector_0",
+    "config": {
+      "name": "ElasticsearchSinkConnectorConnector_0",
+      "connector.class": "io.confluent.connect.elasticsearch.ElasticsearchSinkConnector",
+      "key.converter": "org.apache.kafka.connect.storage.StringConverter",
+      "value.converter": "org.apache.kafka.connect.json.JsonConverter",
+      "key.converter.schemas.enable": "false",
+      "value.converter.schemas.enable": "false",
+      "tasks.max": "1",
+      "topics": "RICH_DNS",
+      "connection.url": "http://elasticsearch:9200",
+      "key.ignore": "true",
+      "schema.ignore": "true",
+      "type.name": "_doc"
+    }
+  }
\ No newline at end of file
diff --git a/kafka-connect/connectors/splunk-s2s-source.json b/kafka-connect/connectors/splunk-s2s-source.json
new file mode 100644
index 0000000..99eaf2e
--- /dev/null
+++ b/kafka-connect/connectors/splunk-s2s-source.json
@@ -0,0 +1,17 @@
+{
+    "name": "splunk-s2s-source",
+    "config": {
+      "connector.class": "io.confluent.connect.splunk.s2s.SplunkS2SSourceConnector",
+      "topics": "splunk-s2s-events",
+      "splunk.s2s.port":"9997",
+      "kafka.topic":"splunk-s2s-events",
+      "key.converter":"org.apache.kafka.connect.storage.StringConverter",
+      "value.converter":"org.apache.kafka.connect.json.JsonConverter",
+      "key.converter.schemas.enable":"false",
+      "value.converter.schemas.enable":"false",
+      "errors.log.enable": false,
+      "errors.log.include.messages": false,
+      "confluent.topic.bootstrap.servers":"broker:29092",
+      "confluent.topic.replication.factor":"1"
+    }
+  }
\ No newline at end of file
diff --git a/kafka-connect/connectors/splunk-sink.json b/kafka-connect/connectors/splunk-sink.json
new file mode 100644
index 0000000..5353419
--- /dev/null
+++ b/kafka-connect/connectors/splunk-sink.json
@@ -0,0 +1,16 @@
+{
+    "name": "SPLUNKSINK",
+    "config": {
+      "confluent.topic.bootstrap.servers": "broker:29092",
+      "name": "SPLUNKSINK",
+      "connector.class": "com.splunk.kafka.connect.SplunkSinkConnector",
+      "tasks.max": "1",
+      "key.converter": "org.apache.kafka.connect.storage.StringConverter",
+      "value.converter": "org.apache.kafka.connect.storage.StringConverter",
+      "topics": "CISCO_ASA",
+      "splunk.hec.token": "ef16f05f-40e0-4108-a644-5323e02aaa44",
+      "splunk.hec.uri": "https://splunk:8090",
+      "splunk.hec.ssl.validate.certs": "false",
+      "splunk.hec.json.event.formatted": "true"
+    }
+  }
\ No newline at end of file
diff --git a/scripts/adhosts_spooldir.json b/kafka-connect/connectors/spooldir-source-adhosts.json
similarity index 100%
rename from scripts/adhosts_spooldir.json
rename to kafka-connect/connectors/spooldir-source-adhosts.json
diff --git a/kafka-connect/connectors/spooldir-source-csv.json b/kafka-connect/connectors/spooldir-source-csv.json
new file mode 100644
index 0000000..681b2df
--- /dev/null
+++ b/kafka-connect/connectors/spooldir-source-csv.json
@@ -0,0 +1,15 @@
+{
+	"name": "csv_spooldir",
+	"config": {
+	  "name": "csv_spooldir",
+		"connector.class": "com.github.jcustenborder.kafka.connect.spooldir.SpoolDirCsvSourceConnector",
+		"tasks.max": "1",
+		"topic": "urlhaus",
+		"input.path": "/var/spooldir/urlhaus/csv_input",
+		"finished.path": "/var/spooldir/urlhaus/csv_finished",
+		"error.path": "/var/spooldir/urlhaus/csv_errors",
+	  "input.file.pattern": ".*\\.csv$",
+    "schema.generation.enabled": true,
+    "csv.first.row.as.header": true
+	}
+}
\ No newline at end of file
diff --git a/scripts/syslog_source.sh b/kafka-connect/connectors/syslog-source.json
old mode 100755
new mode 100644
similarity index 64%
rename from scripts/syslog_source.sh
rename to kafka-connect/connectors/syslog-source.json
index a727c28..4405fc6
--- a/scripts/syslog_source.sh
+++ b/kafka-connect/connectors/syslog-source.json
@@ -1,7 +1,3 @@
-#!/bin/bash
-
-HEADER="Content-Type: application/json"
-DATA=$( cat << EOF
 {
 	"name": "syslog",
 	"config": {
@@ -12,8 +8,4 @@ DATA=$( cat << EOF
 		"confluent.topic.bootstrap.servers": "broker:29092",
 		"confluent.topic.replication.factor": "1"
 	}
-}
-EOF
-)
-
-curl -X POST -H "${HEADER}" --data "${DATA}" http://localhost:8083/connectors
+}
\ No newline at end of file
diff --git a/kafka-connect/submit-connectors.yml b/kafka-connect/submit-connectors.yml
new file mode 100644
index 0000000..5eb480b
--- /dev/null
+++ b/kafka-connect/submit-connectors.yml
@@ -0,0 +1,20 @@
+---
+# Add this as an override to submit connectors.
+# ex: docker-compose -f docker-compose.yml -f kafka-connect/sumbit-connectors.yml up -d
+version: '3'
+services:
+  submit-connectors:
+    image: confluentinc/cp-server-connect-base:latest
+    hostname: submit-connectors
+    container_name: submit-connectors
+    depends_on:
+      connect:
+        condition: service_healthy
+    volumes:
+      - ./scripts/submit-connector.sh:/usr/bin/submit-connector.sh
+      - ./kafka-connect/connectors:/connectors
+    command:
+      - bash
+      - -c
+      - |
+        for connector in /connectors/*.json; do submit-connector.sh $${connector} connect; done
\ No newline at end of file
diff --git a/ksql-extension/bert-ksql-udf-asn.jar b/ksqlDB/ksql-extension/bert-ksql-udf-asn.jar
similarity index 100%
rename from ksql-extension/bert-ksql-udf-asn.jar
rename to ksqlDB/ksql-extension/bert-ksql-udf-asn.jar
diff --git a/ksql-extension/ksql-udf-geoip.jar b/ksqlDB/ksql-extension/ksql-udf-geoip.jar
similarity index 100%
rename from ksql-extension/ksql-udf-geoip.jar
rename to ksqlDB/ksql-extension/ksql-udf-geoip.jar
diff --git a/ksqldb_scripts/create_zeek_conn_stream.sql b/ksqlDB/queries/create_zeek_conn_stream.sql
similarity index 100%
rename from ksqldb_scripts/create_zeek_conn_stream.sql
rename to ksqlDB/queries/create_zeek_conn_stream.sql
diff --git a/ksqldb_scripts/create_zeek_dhcp_stream.sql b/ksqlDB/queries/create_zeek_dhcp_stream.sql
similarity index 100%
rename from ksqldb_scripts/create_zeek_dhcp_stream.sql
rename to ksqlDB/queries/create_zeek_dhcp_stream.sql
diff --git a/ksqldb_scripts/create_zeek_dns_stream.sql b/ksqlDB/queries/create_zeek_dns_stream.sql
similarity index 100%
rename from ksqldb_scripts/create_zeek_dns_stream.sql
rename to ksqlDB/queries/create_zeek_dns_stream.sql
diff --git a/ksqldb_scripts/create_zeek_http_stream.sql b/ksqlDB/queries/create_zeek_http_stream.sql
similarity index 100%
rename from ksqldb_scripts/create_zeek_http_stream.sql
rename to ksqlDB/queries/create_zeek_http_stream.sql
diff --git a/ksqldb_scripts/create_zeek_ssl_stream.sql b/ksqlDB/queries/create_zeek_ssl_stream.sql
similarity index 100%
rename from ksqldb_scripts/create_zeek_ssl_stream.sql
rename to ksqlDB/queries/create_zeek_ssl_stream.sql
diff --git a/ksqldb_scripts/create_zeek_x509_stream.sql b/ksqlDB/queries/create_zeek_x509_stream.sql
similarity index 100%
rename from ksqldb_scripts/create_zeek_x509_stream.sql
rename to ksqlDB/queries/create_zeek_x509_stream.sql
diff --git a/ksqldb_scripts/select_rich_ssl_stream.sql b/ksqlDB/queries/select_rich_ssl_stream.sql
similarity index 100%
rename from ksqldb_scripts/select_rich_ssl_stream.sql
rename to ksqlDB/queries/select_rich_ssl_stream.sql
diff --git a/pcaps/zeek_streamer.pcap b/pcaps/zeek_streamer.pcap
deleted file mode 100644
index 5189ae8..0000000
Binary files a/pcaps/zeek_streamer.pcap and /dev/null differ
diff --git a/scripts/edit-docker-compose.sh b/scripts/edit-docker-compose.sh
deleted file mode 100755
index 68fa854..0000000
--- a/scripts/edit-docker-compose.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-# Dumb script to edit a template file and replace the ksqldb-server line
-
-# This is a neat trick to find out the public hostname of your EC2 host
-PUBLIC_HOSTNAME=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
-
-
-DEFAULT_COMPOSE="docker-compose.yml"
-DOCKER_COMPOSE_FILE="${1:-$DEFAULT_COMPOSE}"
-
-
-# Run this if you want to (have to) run Confluent Control Center on port 80 and ksqldb server (REST API) on port 443 with no encryption
-#/bin/sed -i -e 's/      CONTROL_CENTER_KSQL_KSQLDB1_ADVERTISED_URL: \"http:\/\/localhost:8088\"/      CONTROL_CENTER_KSQL_KSQLDB1_ADVERTISED_URL: \"http:\/\/'$PUBLIC_HOSTNAME':443\"/' -e 's/      - "9021:9021"/      - "80:9021"/' -e 's/      - "8088:8088"/      - "443:8088"/' $DOCKER_COMPOSE_FILE > /home/ubuntu/cp-siem/docker-compose.yml
-
-
-# Run this if you are sane and can run these services on their default ports (9021 for Confluent Control Center and 8088 for ksqlDB)
-/bin/sed -i -e 's/      CONTROL_CENTER_KSQL_KSQLDB1_ADVERTISED_URL: .*$/      CONTROL_CENTER_KSQL_KSQLDB1_ADVERTISED_URL: \"http:\/\/'$PUBLIC_HOSTNAME':8088\"/' $DOCKER_COMPOSE_FILE
diff --git a/scripts/get_pcap.py b/scripts/get_pcap.py
index eb4ea85..50ce63d 100644
--- a/scripts/get_pcap.py
+++ b/scripts/get_pcap.py
@@ -5,7 +5,8 @@
 # TODO: pull the bucket/object values from a config file
 
 print("Renaming existing zeek_streamer.pcap file")
-os.rename('./pcaps/zeek_streamer.pcap', './pcaps/zeek_streamer.pcap.bak')
+if os.path.exists('./pcaps/zeek_streamer.pcap'):
+    os.rename('./pcaps/zeek_streamer.pcap', './pcaps/zeek_streamer.pcap.bak')
 
 url = 'https://bhayes-pcaps.s3.us-east-2.amazonaws.com/garage-2020-10-18.pcap'
 headers = {'Host': 'bhayes-pcaps.s3.us-east-2.amazonaws.com'}
diff --git a/scripts/run-ksql-query.sh b/scripts/run-ksql-query.sh
index 95f5ce9..ec1f41d 100644
--- a/scripts/run-ksql-query.sh
+++ b/scripts/run-ksql-query.sh
@@ -7,10 +7,11 @@
 
 # This script takes a ksqlDB query file and executes it within 
 # a ksqldb-cli container run with docker-compose,
-# assuming the query file has been mounted in the /tmp directory of the container.
+# assuming the query file has been mounted in the /queries directory of the container.
 
+QUERY=$(basename $1)
 docker-compose exec ksqldb-cli bash -c " cat <<EOF
-RUN SCRIPT '/tmp/$1';
+RUN SCRIPT '/queries/$QUERY';
 exit ;
 EOF
 "
\ No newline at end of file
diff --git a/scripts/sigma-dns.properties b/scripts/sigma-dns.properties
deleted file mode 100755
index 3e95096..0000000
--- a/scripts/sigma-dns.properties
+++ /dev/null
@@ -1,11 +0,0 @@
-application.id=zeek-rules-streams-app
-bootstrap.server=broker:29092
-schema.registry=http://schema-registry:8081
-data.topic=dns
-output.topic=dns-detection
-field.mapping.file=/tmp/config/splunk-zeek.yml
-sigma.rules.topic=sigma-rules
-sigma.rule.filter.product=zeek
-sigma.rule.filter.service=dns
-#sigma.rule.filter.title=Domain User Enumeration Network Recon 01
-#sigma.rule.filter.list=/Users/mpeacock/Development/KafkaSigma/kafka-sigma-streams/src/config/sigma_titles.txt
\ No newline at end of file
diff --git a/scripts/sigma-http.properties b/scripts/sigma-http.properties
deleted file mode 100755
index e61efa9..0000000
--- a/scripts/sigma-http.properties
+++ /dev/null
@@ -1,10 +0,0 @@
-application.id=operation-rules-streams-app
-bootstrap.server=127.0.0.1:9092
-data.topic=http
-output.topic=http-detection
-field.mapping.file=config/splunk-zeek.yml
-sigma.rules.topic=sigma-rules
-sigma.rule.filter.product=zeek
-sigma.rule.filter.service=http
-sigma.rule.filter.title=Simple Http
-#sigma.rule.filter.list=config/sigma_titles.txt
\ No newline at end of file
diff --git a/scripts/sigma_titles.txt b/scripts/sigma_titles.txt
deleted file mode 100755
index 5afb468..0000000
--- a/scripts/sigma_titles.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Possible Windows Executable Download Without Matching Mime Type
-Executable from Webdav
-Possible Data Collection related to Office Docs and Email Archives and PDFs
-Domain User Enumeration Network Recon 01
\ No newline at end of file
diff --git a/scripts/splunk-zeek.yml b/scripts/splunk-zeek.yml
deleted file mode 100755
index aabdc03..0000000
--- a/scripts/splunk-zeek.yml
+++ /dev/null
@@ -1,470 +0,0 @@
-title: Splunk Zeek sourcetype mappings
-order: 20
-backends:
-  - splunk
-  - splunkxml
-  - corelight_splunk
-logsources:
-  zeek-category-accounting:
-    category: accounting
-    rewrite:
-      product: zeek
-      service: syslog
-  zeek-category-firewall:
-    category: firewall
-    rewrite:
-      product: zeek
-      service: conn
-  zeek-category-dns:
-    category: dns
-    rewrite:
-      product: zeek
-      service: dns
-  zeek-category-proxy:
-    category: proxy
-    rewrite:
-      product: zeek
-      service: http
-  zeek-category-webserver:
-    category: webserver
-    rewrite:
-      product: zeek
-      service: http
-  zeek-conn:
-    product: zeek
-    service: conn
-    rewrite:
-      product: zeek
-      service: conn
-  zeek-conn_long:
-    product: zeek
-    service: conn_long
-    conditions:
-      sourcetype: 'bro:conn_long:json'
-  zeek-dce_rpc:
-    product: zeek
-    service: dce_rpc
-    conditions:
-      sourcetype: 'bro:dce_rpc:json'
-  zeek-dns:
-    product: zeek
-    service: dns
-    conditions:
-      sourcetype: 'bro:dns:json'
-  zeek-dnp3:
-    product: zeek
-    service: dnp3
-    conditions:
-      sourcetype: 'bro:dnp3:json'
-  zeek-dpd:
-    product: zeek
-    service: dpd
-    conditions:
-      sourcetype: 'bro:dpd:json'
-  zeek-files:
-    product: zeek
-    service: files
-    conditions:
-      sourcetype: 'bro:files:json'
-  zeek-ftp:
-    product: zeek
-    service: ftp
-    conditions:
-      sourcetype: 'bro:ftp:json'
-  zeek-gquic:
-    product: zeek
-    service: gquic
-    conditions:
-      sourcetype: 'bro:gquic:json'
-  zeek-http:
-    product: zeek
-    service: http
-    conditions:
-      sourcetype: 'bro:http:json'
-  zeek-http2:
-    product: zeek
-    service: http2
-    conditions:
-      sourcetype: 'bro:http2:json'
-  zeek-intel:
-    product: zeek
-    service: intel
-    conditions:
-      sourcetype: 'bro:intel:json'
-  zeek-irc:
-    product: zeek
-    service: irc
-    conditions:
-      sourcetype: 'bro:irc:json'
-  zeek-kerberos:
-    product: zeek
-    service: kerberos
-    conditions:
-      sourcetype: 'bro:kerberos:json'
-  zeek-known_certs:
-    product: zeek
-    service: known_certs
-    conditions:
-      sourcetype: 'bro:known_certs:json'
-  zeek-known_hosts:
-    product: zeek
-    service: known_hosts
-    conditions:
-      sourcetype: 'bro:known_hosts:json'
-  zeek-known_modbus:
-    product: zeek
-    service: known_modbus
-    conditions:
-      sourcetype: 'bro:known_modbus:json'
-  zeek-known_services:
-    product: zeek
-    service: known_services
-    conditions:
-      sourcetype: 'bro:known_services:json'
-  zeek-modbus:
-    product: zeek
-    service: modbus
-    conditions:
-      sourcetype: 'bro:modbus:json'
-  zeek-modbus_register_change:
-    product: zeek
-    service: modbus_register_change
-    conditions:
-      sourcetype: 'bro:modbus_register_change:json'
-  zeek-mqtt_connect:
-    product: zeek
-    service: mqtt_connect
-    conditions:
-      sourcetype: 'bro:mqtt_connect:json'
-  zeek-mqtt_publish:
-    product: zeek
-    service: mqtt_publish
-    conditions:
-      sourcetype: 'bro:mqtt_publish:json'
-  zeek-mqtt_subscribe:
-    product: zeek
-    service: mqtt_subscribe
-    conditions:
-      sourcetype: 'bro:mqtt_subscribe:json'
-  zeek-mysql:
-    product: zeek
-    service: mysql
-    conditions:
-      sourcetype: 'bro:mysql:json'
-  zeek-notice:
-    product: zeek
-    service: notice
-    conditions:
-      sourcetype: 'bro:notice:json'
-  zeek-ntlm:
-    product: zeek
-    service: ntlm
-    conditions:
-      sourcetype: 'bro:ntlm:json'
-  zeek-ntp:
-    product: zeek
-    service: ntp
-    conditions:
-      sourcetype: 'bro:ntp:json'
-  zeek-ocsp:
-    product: zeek
-    service: ntp
-    conditions:
-      sourcetype: 'bro:ocsp:json'
-  zeek-pe:
-    product: zeek
-    service: pe
-    conditions:
-      sourcetype: 'bro:pe:json'
-  zeek-pop3:
-    product: zeek
-    service: pop3
-    conditions:
-      sourcetype: 'bro:pop3:json'
-  zeek-radius:
-    product: zeek
-    service: radius
-    conditions:
-      sourcetype: 'bro:radius:json'
-  zeek-rdp:
-    product: zeek
-    service: rdp
-    conditions:
-      sourcetype: 'bro:rdp:json'
-  zeek-rfb:
-    product: zeek
-    service: rfb
-    conditions:
-      sourcetype: 'bro:rfb:json'
-  zeek-sip:
-    product: zeek
-    service: sip
-    conditions:
-      sourcetype: 'bro:sip:json'
-  zeek-smb_files:
-    product: zeek
-    service: smb_files
-    conditions:
-      sourcetype: 'bro:smb_files:json'
-  zeek-smb_mapping:
-    product: zeek
-    service: smb_mapping
-    conditions:
-      sourcetype: 'bro:smb_mapping:json'
-  zeek-smtp:
-    product: zeek
-    service: smtp
-    conditions:
-      sourcetype: 'bro:smtp:json'
-  zeek-smtp_links:
-    product: zeek
-    service: smtp_links
-    conditions:
-      sourcetype: 'bro:smtp_links:json'
-  zeek-snmp:
-    product: zeek
-    service: snmp
-    conditions:
-      sourcetype: 'bro:snmp:json'
-  zeek-socks:
-    product: zeek
-    service: socks
-    conditions:
-      sourcetype: 'bro:socks:json'
-  zeek-software:
-    product: zeek
-    service: software
-    conditions:
-      sourcetype: 'bro:software:json'
-  zeek-ssh:
-    product: zeek
-    service: ssh
-    conditions:
-      sourcetype: 'bro:ssh:json'
-  zeek-ssl:
-    product: zeek
-    service: ssl
-    conditions:
-      sourcetype: 'bro:ssl:json'
-  zeek-tls: # In case people call it TLS even though log is called ssl
-    product: zeek
-    service: tls
-    conditions:
-      sourcetype: 'bro:ssl:json'
-  zeek-syslog:
-    product: zeek
-    service: syslog
-    conditions:
-      sourcetype: 'bro:syslog:json'
-  zeek-tunnel:
-    product: zeek
-    service: tunnel
-    conditions:
-      sourcetype: 'bro:tunnel:json'
-  zeek-traceroute:
-    product: zeek
-    service: traceroute
-    conditions:
-      sourcetype: 'bro:traceroute:json'
-  zeek-weird:
-    product: zeek
-    service: weird
-    conditions:
-      sourcetype: 'bro:weird:json'
-  zeek-x509:
-    product: zeek
-    service: x509
-    conditions:
-      sourcetype: 'bro:x509:json'
-  zeek-ip_search:
-    product: zeek
-    service: network
-    conditions:
-      sourcetype:
-        - 'bro:conn:json'
-        - 'bro:conn_long:json'
-        - 'bro:dce_rpc:json'
-        - 'bro:dhcp:json'
-        - 'bro:dnp3:json'
-        - 'bro:dns:json'
-        - 'bro:ftp:json'
-        - 'bro:gquic:json'
-        - 'bro:http:json'
-        - 'bro:irc:json'
-        - 'bro:kerberos:json'
-        - 'bro:modbus:json'
-        - 'bro:mqtt_connect:json'
-        - 'bro:mqtt_publish:json'
-        - 'bro:mqtt_subscribe:json'
-        - 'bro:mysql:json'
-        - 'bro:ntlm:json'
-        - 'bro:ntp:json'
-        - 'bro:radius:json'
-        - 'bro:rfb:json'
-        - 'bro:sip:json'
-        - 'bro:smb_files:json'
-        - 'bro:smb_mapping:json'
-        - 'bro:smtp:json'
-        - 'bro:smtp_links:json'
-        - 'bro:snmp:json'
-        - 'bro:socks:json'
-        - 'bro:ssh:json'
-        - 'bro:ssl:json'
-        - 'bro:tunnel:json'
-        - 'bro:weird:json'
-fieldmappings:
-  # All Logs Applied Mapping & Taxonomy
-  mike: query
-  dst_ip: id.resp_h
-  dst_port: id.resp_p
-  network_protocol: proto
-  src_ip: id.orig_h
-  src_port: id.orig_p
-  # DNS matching Taxonomy & DNS Category
-  answer: answers
-  #question_length: # Does not exist in open source version
-  record_type: qtype_name
-  #parent_domain: # Does not exist in open source version
-  # HTTP matching Taxonomy & Web/Proxy Category
-  cs-bytes: request_body_len
-  cs-cookie: cookie
-  r-dns: host
-  sc-bytes: response_body_len
-  sc-status: status_code
-  c-uri: uri
-  c-uri-extension: uri
-  c-uri-query: uri
-  c-uri-stem: uri
-  c-useragent: user_agent
-  cs-host: host
-  cs-method: method
-  cs-referrer: referrer
-  cs-version: version
-  # Few other variations of names from zeek source itself
-  id_orig_h: id.orig_h
-  id_orig_p: id.orig_p
-  id_resp_h: id.resp_h
-  id_resp_p: id.resp_p
-  # Temporary one off rule name fields
-  agent.version: version
-  c-cookie: cookie
-  c-ip: id.orig_h
-  cs-uri: uri
-  clientip: id.orig_h
-  clientIP: id.orig_h
-  dest_domain:
-    - query
-    - host
-    - server_name
-  dest_ip: id.resp_h
-  dest_port: id.resp_p
-  #TODO:WhatShouldThisBe?==dest:
-  #TODO:WhatShouldThisBe?==destination:
-  #TODO:WhatShouldThisBe?==Destination:
-  destination.hostname:
-    - query
-    - host
-    - server_name
-  DestinationAddress: id.resp_h
-  DestinationHostname:
-    - host
-    - query
-    - server_name
-  DestinationIp: id.resp_h
-  DestinationIP: id.resp_h
-  DestinationPort: id.resp_p
-  dst-ip: id.resp_h
-  dstip: id.resp_h
-  dstport: id.resp_p
-  Host:
-    - host
-    - query
-    - server_name
-  HostVersion: http.version
-  http_host:
-    - host
-    - query
-    - server_name
-  http_uri: uri
-  http_url: uri
-  http_user_agent: user_agent
-  http.request.url-query-params: uri
-  HttpMethod: method
-  in_url: uri
-  # parent_domain: # Not in open source zeek
-  post_url_parameter: uri
-  Request Url: uri
-  request_url: uri
-  request_URL: uri
-  RequestUrl: uri
-  #response: status_code
-  resource.url: uri
-  resource.URL: uri
-  sc_status: status_code
-  sender_domain:
-    - query
-    - server_name
-  service.response_code: status_code
-  source: id.orig_h
-  SourceAddr: id.orig_h
-  SourceAddress: id.orig_h
-  SourceIP: id.orig_h
-  SourceIp: id.orig_h
-  SourceNetworkAddress: id.orig_h
-  SourcePort: id.orig_p
-  srcip: id.orig_h
-  Status: status_code
-  status: status_code
-  url: uri
-  URL: uri
-  url_query: uri
-  url.query: uri
-  uri_path: uri
-  user_agent: user_agent
-  user_agent.name: user_agent
-  user-agent: user_agent
-  User-Agent: user_agent
-  useragent: user_agent
-  UserAgent: user_agent
-  User Agent: user_agent
-  web_dest:
-    - host
-    - query
-    - server_name
-  web.dest:
-    - host
-    - query
-    - server_name
-  Web.dest:
-    - host
-    - query
-    - server_name
-  web.host:
-    - host
-    - query
-    - server_name
-  Web.host:
-    - host
-    - query
-    - server_name
-  web_method: method
-  Web_method: method
-  web.method: method
-  Web.method: method
-  web_src: id.orig_h
-  web_status: status_code
-  Web_status: status_code
-  web.status: status_code
-  Web.status: status_code
-  web_uri: uri
-  web_url: uri
-  # Most are in ECS, but for things not using Elastic - these need renamed
-  destination.ip: id.resp_h
-  destination.port: id.resp_p
-  http.request.body.content: post_body
-  source.domain:
-    - host
-    - query
-    - server_name
-  source.ip: id.orig_h
-  source.port: id.orig_p
diff --git a/scripts/startKafkaConnectComponents.sh b/scripts/startKafkaConnectComponents.sh
deleted file mode 100755
index a289ed5..0000000
--- a/scripts/startKafkaConnectComponents.sh
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/bin/bash
-echo "Installing connector plugins"
-confluent-hub install --no-prompt confluentinc/kafka-connect-elasticsearch:latest
-confluent-hub install --no-prompt splunk/kafka-connect-splunk:latest
-confluent-hub install --no-prompt confluentinc/kafka-connect-splunk-s2s:latest
-confluent-hub install --no-prompt jcustenborder/kafka-connect-spooldir:latest
-confluent-hub install --no-prompt confluentinc/kafka-connect-syslog:latest
-#
-echo "Launching Kafka Connect worker"
-/etc/confluent/docker/run &
-#
-echo "waiting 2 minutes for things to stabilise"
-sleep 120
-echo "Starting the s2s conector"
-
-HEADER="Content-Type: application/json"
-DATA=$(
-  cat <<EOF
-{
-  "name": "splunk-s2s-source",
-  "config": {
-    "connector.class": "io.confluent.connect.splunk.s2s.SplunkS2SSourceConnector",
-    "topics": "splunk-s2s-events",
-    "splunk.s2s.port":"9997",
-    "kafka.topic":"splunk-s2s-events",
-    "key.converter":"org.apache.kafka.connect.storage.StringConverter",
-    "value.converter":"org.apache.kafka.connect.json.JsonConverter",
-    "key.converter.schemas.enable":"false",
-    "value.converter.schemas.enable":"false",
-    "errors.log.enable": false,
-    "errors.log.include.messages": false,
-    "confluent.topic.bootstrap.servers":"broker:29092",
-    "confluent.topic.replication.factor":"1"
-  }
-}
-EOF
-)
-
-curl -X POST -H "${HEADER}" --data "${DATA}" http://localhost:8083/connectors
-
-echo "Starting the Spluk sink connector"
-
-HEADER="Content-Type: application/json"
-DATA=$(
-  cat <<EOF
-{
-  "name": "SPLUNKSINK",
-  "config": {
-    "confluent.topic.bootstrap.servers": "broker:29092",
-    "name": "SPLUNKSINK",
-    "connector.class": "com.splunk.kafka.connect.SplunkSinkConnector",
-    "tasks.max": "1",
-    "key.converter": "org.apache.kafka.connect.storage.StringConverter",
-    "value.converter": "org.apache.kafka.connect.storage.StringConverter",
-    "topics": "CISCO_ASA",
-    "splunk.hec.token": "ef16f05f-40e0-4108-a644-5323e02aaa44",
-    "splunk.hec.uri": "https://splunk:8090",
-    "splunk.hec.ssl.validate.certs": "false",
-    "splunk.hec.json.event.formatted": "true"
-  }
-}
-EOF
-)
-
-curl -X POST -H "${HEADER}" --data "${DATA}" http://localhost:8083/connectors
-
-echo "Starting the Syslog connector"
-
-HEADER="Content-Type: application/json"
-DATA=$(
-  cat <<EOF
-{
-	"name": "syslog",
-	"config": {
-		"tasks.max": "1",
-		"connector.class": "io.confluent.connect.syslog.SyslogSourceConnector",
-		"syslog.port": "5140",
-		"syslog.listener": "UDP",
-		"confluent.topic.bootstrap.servers": "broker:29092",
-		"confluent.topic.replication.factor": "1"
-	}
-}
-EOF
-)
-
-curl -X POST -H "${HEADER}" --data "${DATA}" http://localhost:8083/connectors
-
-echo "Starting the Spooldir connector for urlhaus csv data"
-
-HEADER="Content-Type: application/json"
-DATA=$(
-  cat <<EOF
-{
-	"name": "csv_spooldir",
-	"config": {
-	  "name": "csv_spooldir",
-		"connector.class": "com.github.jcustenborder.kafka.connect.spooldir.SpoolDirCsvSourceConnector",
-		"tasks.max": "1",
-		"topic": "urlhaus",
-		"input.path": "/var/spooldir/urlhaus/csv_input",
-		"finished.path": "/var/spooldir/urlhaus/csv_finished",
-		"error.path": "/var/spooldir/urlhaus/csv_errors",
-	  "input.file.pattern": ".*\\.csv$",
-    "schema.generation.enabled": true,
-    "csv.first.row.as.header": true
-	}
-}
-EOF
-)
-
-curl -X POST -H "${HEADER}" --data "${DATA}" http://localhost:8083/connectors
-
-
-
-echo "Sleeping forever"
-sleep infinity
diff --git a/scripts/startKafkaConnectDemo.sh b/scripts/startKafkaConnectDemo.sh
deleted file mode 100755
index 2a42906..0000000
--- a/scripts/startKafkaConnectDemo.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-echo "Installing connector plugins"
-confluent-hub install --no-prompt confluentinc/kafka-connect-elasticsearch:latest
-confluent-hub install --no-prompt splunk/kafka-connect-splunk:latest
-confluent-hub install --no-prompt confluentinc/kafka-connect-splunk-s2s:latest
-confluent-hub install --no-prompt jcustenborder/kafka-connect-spooldir:latest
-confluent-hub install --no-prompt confluentinc/kafka-connect-syslog:latest
-#
-echo "Launching Kafka Connect worker"
-/etc/confluent/docker/run &
-#
-echo "waiting 2 minutes for things to stabilise"
-sleep 120
-
-echo "Starting the Spooldir connector for urlhaus csv data"
-/tmp/scripts/submit_adhosts_spooldir.sh
-
-echo "Sleeping forever"
-sleep infinity
diff --git a/scripts/submit-connector.sh b/scripts/submit-connector.sh
new file mode 100755
index 0000000..049784a
--- /dev/null
+++ b/scripts/submit-connector.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Submits a Kafka Connect connector.
+# Takes a json file as input.
+# ex: ./submit-connector.sh /path/to/my-connector.json
+
+# Optionally add a second parameter to specify the connect host.
+# ex: ./submit-connector.sh /path/to/my-connector.json my-connect-hostname
+
+
+HEADER="Content-Type: application/json"
+CONNECT_HOST=$2
+CONNECT_HOST="${CONNECT_HOST:-localhost}"
+
+echo -e "\nsubmitting connector $1\n"
+echo -e "connecting to host $CONNECT_HOST\n"
+
+curl -X POST -H "${HEADER}" --data "@$1" http://$CONNECT_HOST:8083/connectors
\ No newline at end of file
diff --git a/scripts/submit_adhosts_spooldir.sh b/scripts/submit_adhosts_spooldir.sh
deleted file mode 100755
index f830660..0000000
--- a/scripts/submit_adhosts_spooldir.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-HEADER="Content-Type: application/json"
-
-# if we have /var/spooldir then we know we are running from a container
-if [ -d /var/spooldir/ ]
-then
-    if [ ! -e /var/spooldir/ad_hosts/csv_input/ad_servers.csv ]
-    then
-	cp /var/spooldir/ad_hosts/csv_finished/ad_servers.csv /var/spooldir/ad_hosts/csv_input/ad_servers.csv
-    fi
-    curl -X POST -H "${HEADER}" -d "@/tmp/scripts/adhosts_spooldir.json" http://localhost:8083/connectors
-elif [ ! -e spooldir/ad_hosts/csv_input/ad_servers.csv ]
-then
-    cp spooldir/ad_hosts/csv_finished/ad_servers.csv spooldir/ad_hosts/csv_input/ad_servers.csv
-    curl -X POST -H "${HEADER}" -d "@scripts/adhosts_spooldir.json" http://localhost:8083/connectors
-fi
-    
-
diff --git a/scripts/submit_elastic_sink.sh b/scripts/submit_elastic_sink.sh
deleted file mode 100755
index cfc6448..0000000
--- a/scripts/submit_elastic_sink.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-
-HEADER="Content-Type: application/json"
-DATA=$( cat << EOF
-{
-  "name": "ElasticsearchSinkConnectorConnector_0",
-  "config": {
-    "name": "ElasticsearchSinkConnectorConnector_0",
-    "connector.class": "io.confluent.connect.elasticsearch.ElasticsearchSinkConnector",
-    "key.converter": "org.apache.kafka.connect.storage.StringConverter",
-    "value.converter": "org.apache.kafka.connect.json.JsonConverter",
-    "key.converter.schemas.enable": "false",
-    "value.converter.schemas.enable": "false",
-    "tasks.max": "1",
-    "topics": "RICH_DNS",
-    "connection.url": "http://elasticsearch:9200",
-    "key.ignore": "true",
-    "schema.ignore": "true",
-    "type.name": "_doc"
-  }
-}
-EOF
-)
-
-curl -X POST -H "${HEADER}" --data "${DATA}" http://localhost:8083/connectors
-
diff --git a/scripts/submit_s2s_source.sh b/scripts/submit_s2s_source.sh
deleted file mode 100755
index b281b8d..0000000
--- a/scripts/submit_s2s_source.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-
-HEADER="Content-Type: application/json"
-DATA=$( cat << EOF
-{
-  "name": "splunk-s2s-source",
-  "config": {
-    "connector.class": "io.confluent.connect.splunk.s2s.SplunkS2SSourceConnector",
-    "topics": "splunk-s2s-events",
-    "splunk.s2s.port":"9997",
-    "kafka.topic":"splunk-s2s-events",
-    "key.converter":"org.apache.kafka.connect.storage.StringConverter",
-    "value.converter":"org.apache.kafka.connect.json.JsonConverter",
-    "key.converter.schemas.enable":"false",
-    "value.converter.schemas.enable":"false",  
-    "confluent.topic.bootstrap.servers":"broker:29092",
-    "confluent.topic.replication.factor":"1"
-  }
-}
-EOF
-)
-
-curl -X POST -H "${HEADER}" --data "${DATA}" http://localhost:8083/connectors
diff --git a/scripts/submit_splunk_sink.sh b/scripts/submit_splunk_sink.sh
deleted file mode 100755
index 9388491..0000000
--- a/scripts/submit_splunk_sink.sh
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/bash
-
-
-echo "Starting the Splunk Sink connector - HEC Formatted"
-
-HEADER="Content-Type: application/json"
-DATA=$( cat << EOF
-{
-  "name": "SPLUNKSINK_HEC",
-  "config": {
-    "confluent.topic.bootstrap.servers": "broker:29092",
-    "name": "SPLUNKSINK_HEC",
-    "connector.class": "com.splunk.kafka.connect.SplunkSinkConnector",
-    "tasks.max": "1",
-    "key.converter": "org.apache.kafka.connect.storage.StringConverter",
-    "value.converter": "org.apache.kafka.connect.storage.StringConverter",
-    "topics": "CISCO_ASA_FILTER_106023",
-    "splunk.hec.token": "3bca5f4c-1eff-4eee-9113-ea94c284478a",
-    "splunk.hec.uri": "https://splunk:8090",
-    "splunk.hec.ssl.validate.certs": "false",
-    "splunk.hec.json.event.formatted": "true"
-  }
-}
-EOF
-)
-
-curl -X POST -H "${HEADER}" --data "${DATA}" http://localhost:8083/connectors
-
-echo "Starting the Splunk Sink connector - Raw"
-
-HEADER="Content-Type: application/json"
-DATA=$( cat << EOF
-{
-  "name": "SPLUNKSINK_RAW",
-  "config": {
-    "confluent.topic.bootstrap.servers": "broker:29092",
-    "name": "SPLUNKSINK_RAW",
-    "connector.class": "com.splunk.kafka.connect.SplunkSinkConnector",
-    "tasks.max": "1",
-    "key.converter": "org.apache.kafka.connect.storage.StringConverter",
-    "value.converter": "org.apache.kafka.connect.storage.StringConverter",
-    "topics": "AGGREGATOR",
-    "splunk.hec.token": "3bca5f4c-1eff-4eee-9113-ea94c284478b",
-    "splunk.hec.uri": "https://splunk:8090",
-    "splunk.hec.ssl.validate.certs": "false",
-    "splunk.hec.json.event.formatted": "false"
-  }
-}
-EOF
-)
-
-curl -X POST -H "${HEADER}" --data "${DATA}" http://localhost:8083/connectors
diff --git a/sigma-rules/zeek_dns_exfiltration.yaml b/sigma/rules/zeek_dns_exfiltration.yaml
old mode 100755
new mode 100644
similarity index 100%
rename from sigma-rules/zeek_dns_exfiltration.yaml
rename to sigma/rules/zeek_dns_exfiltration.yaml
diff --git a/sigma-rules/zeek_dns_exfiltration_time.yaml b/sigma/rules/zeek_dns_exfiltration_time.yaml
old mode 100755
new mode 100644
similarity index 100%
rename from sigma-rules/zeek_dns_exfiltration_time.yaml
rename to sigma/rules/zeek_dns_exfiltration_time.yaml
diff --git a/config/sigma-dns.properties b/sigma/sigma-dns.properties
old mode 100755
new mode 100644
similarity index 100%
rename from config/sigma-dns.properties
rename to sigma/sigma-dns.properties
diff --git a/config/sigma-http.properties b/sigma/sigma-http.properties
old mode 100755
new mode 100644
similarity index 100%
rename from config/sigma-http.properties
rename to sigma/sigma-http.properties
diff --git a/config/sigma_titles.txt b/sigma/sigma_titles.txt
old mode 100755
new mode 100644
similarity index 100%
rename from config/sigma_titles.txt
rename to sigma/sigma_titles.txt
diff --git a/config/splunk-zeek.yml b/sigma/splunk-zeek.yml
old mode 100755
new mode 100644
similarity index 100%
rename from config/splunk-zeek.yml
rename to sigma/splunk-zeek.yml
diff --git a/splunk-add-on-for-cisco-asa_410.tgz b/splunk-add-on-for-cisco-asa_410.tgz
deleted file mode 100644
index 5febe16..0000000
Binary files a/splunk-add-on-for-cisco-asa_410.tgz and /dev/null differ
diff --git a/default.yml b/splunk/default.yml
similarity index 100%
rename from default.yml
rename to splunk/default.yml
diff --git a/splunk-eventgen/appserver/static/splunk-lab.png b/splunk/splunk-eventgen/appserver/static/splunk-lab.png
similarity index 100%
rename from splunk-eventgen/appserver/static/splunk-lab.png
rename to splunk/splunk-eventgen/appserver/static/splunk-lab.png
diff --git a/splunk-eventgen/default/app.conf b/splunk/splunk-eventgen/default/app.conf
similarity index 100%
rename from splunk-eventgen/default/app.conf
rename to splunk/splunk-eventgen/default/app.conf
diff --git a/splunk-eventgen/default/data/ui/nav/default.xml b/splunk/splunk-eventgen/default/data/ui/nav/default.xml
similarity index 100%
rename from splunk-eventgen/default/data/ui/nav/default.xml
rename to splunk/splunk-eventgen/default/data/ui/nav/default.xml
diff --git a/splunk-eventgen/default/data/ui/views/README b/splunk/splunk-eventgen/default/data/ui/views/README
similarity index 100%
rename from splunk-eventgen/default/data/ui/views/README
rename to splunk/splunk-eventgen/default/data/ui/views/README
diff --git a/splunk-eventgen/default/data/ui/views/tailreader_check.xml b/splunk/splunk-eventgen/default/data/ui/views/tailreader_check.xml
similarity index 100%
rename from splunk-eventgen/default/data/ui/views/tailreader_check.xml
rename to splunk/splunk-eventgen/default/data/ui/views/tailreader_check.xml
diff --git a/splunk-eventgen/default/data/ui/views/welcome.xml b/splunk/splunk-eventgen/default/data/ui/views/welcome.xml
similarity index 100%
rename from splunk-eventgen/default/data/ui/views/welcome.xml
rename to splunk/splunk-eventgen/default/data/ui/views/welcome.xml
diff --git a/splunk-eventgen/default/eventgen.conf b/splunk/splunk-eventgen/default/eventgen.conf
similarity index 83%
rename from splunk-eventgen/default/eventgen.conf
rename to splunk/splunk-eventgen/default/eventgen.conf
index d67184c..2c5d2d6 100644
--- a/splunk-eventgen/default/eventgen.conf
+++ b/splunk/splunk-eventgen/default/eventgen.conf
@@ -4,9 +4,6 @@ count = -1
 timeMultiple = 1.5
 sampletype = raw
 outputMode = tcpout
-# outputMode = s2s
-# splunkHost = kafka-connect
-# splunkPort = 9997
 source = udp:514
 host = NETWORK_FW
 index = main
diff --git a/splunk-eventgen/metadata/default.meta b/splunk/splunk-eventgen/metadata/default.meta
similarity index 100%
rename from splunk-eventgen/metadata/default.meta
rename to splunk/splunk-eventgen/metadata/default.meta
diff --git a/splunk-eventgen/metadata/local.meta b/splunk/splunk-eventgen/metadata/local.meta
similarity index 100%
rename from splunk-eventgen/metadata/local.meta
rename to splunk/splunk-eventgen/metadata/local.meta
diff --git a/splunk-eventgen/samples/cisco_asa.sample b/splunk/splunk-eventgen/samples/cisco_asa.sample
similarity index 100%
rename from splunk-eventgen/samples/cisco_asa.sample
rename to splunk/splunk-eventgen/samples/cisco_asa.sample
diff --git a/splunk-eventgen/samples/external_ips.sample b/splunk/splunk-eventgen/samples/external_ips.sample
similarity index 100%
rename from splunk-eventgen/samples/external_ips.sample
rename to splunk/splunk-eventgen/samples/external_ips.sample
diff --git a/splunk-eventgen/samples/nginx.sample b/splunk/splunk-eventgen/samples/nginx.sample
similarity index 100%
rename from splunk-eventgen/samples/nginx.sample
rename to splunk/splunk-eventgen/samples/nginx.sample
diff --git a/splunk-eventgen/samples/synthetic_ips.sample b/splunk/splunk-eventgen/samples/synthetic_ips.sample
similarity index 100%
rename from splunk-eventgen/samples/synthetic_ips.sample
rename to splunk/splunk-eventgen/samples/synthetic_ips.sample
diff --git a/splunk-search/local/inputs.conf b/splunk/splunk-search/local/inputs.conf
similarity index 100%
rename from splunk-search/local/inputs.conf
rename to splunk/splunk-search/local/inputs.conf
diff --git a/splunk-uf1/local/inputs.conf b/splunk/splunk-uf1/local/inputs.conf
similarity index 100%
rename from splunk-uf1/local/inputs.conf
rename to splunk/splunk-uf1/local/inputs.conf
diff --git a/splunk-uf1/local/outputs.conf b/splunk/splunk-uf1/local/outputs.conf
similarity index 100%
rename from splunk-uf1/local/outputs.conf
rename to splunk/splunk-uf1/local/outputs.conf
diff --git a/duo.yml b/spooldir/duo.yml
similarity index 77%
rename from duo.yml
rename to spooldir/duo.yml
index 20757f3..ca893c0 100644
--- a/duo.yml
+++ b/spooldir/duo.yml
@@ -1,7 +1,7 @@
 ---
 # Add this as an override to produce duo data
-# ex: docker-compose -f docker-compose.yml -f duo.yml up -d
-version: '2'
+# ex: docker-compose -f docker-compose.yml -f spooldir/duo.yml up -d
+version: '3'
 services:
   duo:
     image: confluentinc/cp-server-connect-base:latest
diff --git a/unbaked.yml b/unbaked.yml
deleted file mode 100644
index a62c5ad..0000000
--- a/unbaked.yml
+++ /dev/null
@@ -1,304 +0,0 @@
----
-version: '2'
-services:
-  zookeeper:
-    image: confluentinc/cp-zookeeper:latest
-    hostname: zookeeper
-    container_name: zookeeper
-    ports:
-      - "2181:2181"
-    environment:
-      ZOOKEEPER_CLIENT_PORT: 2181
-      ZOOKEEPER_TICK_TIME: 2000
-
-  broker:
-    image: confluentinc/cp-server:latest
-    hostname: broker
-    container_name: broker
-    depends_on:
-      - zookeeper
-    ports:
-      - "9092:9092"
-      - "9101:9101"
-    environment:
-      KAFKA_BROKER_ID: 1
-      KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181'
-      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT
-      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://broker:29092,PLAINTEXT_HOST://localhost:9092
-      KAFKA_METRIC_REPORTERS: io.confluent.metrics.reporter.ConfluentMetricsReporter
-      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
-      KAFKA_AUTO_CREATE_TOPICS_ENABLE: "true"
-      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
-      KAFKA_CONFLUENT_LICENSE_TOPIC_REPLICATION_FACTOR: 1
-      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
-      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 1
-      KAFKA_JMX_PORT: 9101
-      KAFKA_CONFLUENT_SCHEMA_REGISTRY_URL: http://schema-registry:8081
-      CONFLUENT_METRICS_REPORTER_BOOTSTRAP_SERVERS: broker:29092
-      CONFLUENT_METRICS_REPORTER_TOPIC_REPLICAS: 1
-      CONFLUENT_METRICS_ENABLE: 'true'
-      CONFLUENT_SUPPORT_CUSTOMER_ID: 'anonymous'
-
-  schema-registry:
-    image: confluentinc/cp-schema-registry:latest
-    hostname: schema-registry
-    container_name: schema-registry
-    depends_on:
-      - broker
-    ports:
-      - "8081:8081"
-    environment:
-      SCHEMA_REGISTRY_HOST_NAME: schema-registry
-      SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: 'broker:29092'
-
-  connect:
-    image: confluentinc/cp-server-connect-base:latest
-    hostname: connect
-    container_name: connect
-    user: root
-    depends_on:
-      - broker
-      - schema-registry
-    ports:
-      - "8083:8083"
-      - "9997:9997"
-      - "5140:5140/udp"
-    environment:
-      CONNECT_BOOTSTRAP_SERVERS: 'broker:29092'
-      CONNECT_REST_ADVERTISED_HOST_NAME: connect
-      CONNECT_REST_PORT: 8083
-      CONNECT_GROUP_ID: compose-connect-group
-      CONNECT_CONFIG_STORAGE_TOPIC: _docker-connect-configs
-      CONNECT_OFFSET_STORAGE_TOPIC: _docker-connect-offsets
-      CONNECT_STATUS_STORAGE_TOPIC: _docker-connect-status
-      CONNECT_CONFIG_STORAGE_REPLICATION_FACTOR: 1
-      CONNECT_OFFSET_STORAGE_REPLICATION_FACTOR: 1
-      CONNECT_STATUS_STORAGE_REPLICATION_FACTOR: 1
-      CONNECT_OFFSET_FLUSH_INTERVAL_MS: 10000
-      CONNECT_KEY_CONVERTER: org.apache.kafka.connect.storage.StringConverter
-      # CONNECT_KEY_CONVERTER: io.confluent.connect.avro.AvroConverter
-      # ^^ From Johnny's docker-compose.yml file
-      CONNECT_VALUE_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"
-      CONNECT_VALUE_CONVERTER_SCHEMA_REGISTRY_URL: http://schema-registry:8081
-      CONNECT_INTERNAL_KEY_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"
-      CONNECT_INTERNAL_VALUE_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"
-      CONNECT_KEY_CONVERTER_SCHEMAS_ENABLE: "false"
-      CONNECT_VALUE_CONVERTER_SCHEMAS_ENABLE: "false"
-      # CLASSPATH required due to CC-2422
-      CLASSPATH: /usr/share/java/monitoring-interceptors/monitoring-interceptors-latest.jar
-      CONNECT_PRODUCER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringProducerInterceptor"
-      CONNECT_CONSUMER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringConsumerInterceptor"
-      CONNECT_PLUGIN_PATH: "/usr/share/java,/usr/share/confluent-hub-components"
-      CONNECT_LOG4J_LOGGERS: org.apache.zookeeper=ERROR,org.I0Itec.zkclient=ERROR,org.reflections=ERROR
-    volumes:
-      - ./spooldir/:/var/spooldir/
-      - ./scripts/:/tmp/scripts/
-    command:
-      - /tmp/scripts/startKafkaConnectDemo.sh
-  control-center:
-    image: confluentinc/cp-enterprise-control-center:latest
-    hostname: control-center
-    container_name: control-center
-    user: root
-    depends_on:
-      - broker
-      - schema-registry
-      - connect
-      - ksqldb-server
-    ports:
-      - "9021:9021"
-    environment:
-      CONTROL_CENTER_BOOTSTRAP_SERVERS: 'broker:29092'
-      CONTROL_CENTER_CONNECT_CONNECT-DEFAULT_CLUSTER: 'connect:8083'
-      CONTROL_CENTER_KSQL_KSQLDB1_URL: "http://ksqldb-server:8088"
-      CONTROL_CENTER_KSQL_KSQLDB1_ADVERTISED_URL: "http://ec2-44-200-26-58.compute-1.amazonaws.com:8088"
-      CONTROL_CENTER_SCHEMA_REGISTRY_URL: "http://schema-registry:8081"
-      CONTROL_CENTER_REPLICATION_FACTOR: 1
-      CONTROL_CENTER_INTERNAL_TOPICS_PARTITIONS: 1
-      CONTROL_CENTER_MONITORING_INTERCEPTOR_TOPIC_PARTITIONS: 1
-      CONFLUENT_METRICS_TOPIC_REPLICATION: 1
-      PORT: 9021
-
-  ksqldb-server:
-    image: confluentinc/cp-ksqldb-server:latest
-    hostname: ksqldb-server
-    container_name: ksqldb-server
-    depends_on:
-      - broker
-      - connect
-    ports:
-      - "8088:8088"
-    volumes:
-      - ./ksql-extension:/etc/ksql-extension/
-      - ./mmdb:/opt/mmdb/
-    environment:
-      KSQL_CONFIG_DIR: "/etc/ksql"
-      KSQL_KSQL_EXTENSION_DIR: "/etc/ksql-extension"
-      KSQL_KSQL_FUNCTIONS_GETGEOFORIP_GEOCITY_DB_PATH: /opt/mmdb/GeoLite2-City.mmdb
-      KSQL_KSQL_FUNCTIONS_GETASNFORIP_GEOCITY_DB_PATH: /opt/mmdb/GeoLite2-ASN.mmdb
-      KSQL_BOOTSTRAP_SERVERS: "broker:29092"
-      KSQL_HOST_NAME: ksqldb-server
-      KSQL_LISTENERS: "http://0.0.0.0:8088"
-      KSQL_CACHE_MAX_BYTES_BUFFERING: 0
-      KSQL_KSQL_SCHEMA_REGISTRY_URL: "http://schema-registry:8081"
-      KSQL_PRODUCER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringProducerInterceptor"
-      KSQL_CONSUMER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringConsumerInterceptor"
-      KSQL_KSQL_CONNECT_URL: "http://connect:8083"
-      KSQL_KSQL_HIDDEN_TOPICS: '^_.*'
-      KSQL_KSQL_LOGGING_PROCESSING_STREAM_AUTO_CREATE: "true"
-      KSQL_KSQL_LOGGING_PROCESSING_TOPIC_AUTO_CREATE: "true"
-
-  ksqldb-cli:
-    image: confluentinc/cp-ksqldb-cli:latest
-    container_name: ksqldb-cli
-    depends_on:
-      - broker
-      - connect
-      - ksqldb-server
-    entrypoint: /bin/sh
-    tty: true
-    volumes:
-      - ./ksqldb_scripts:/ksqldb_scripts
-
-  zeek-streamer:
-    image: bertisondocker/zeek-tcpreplay-kafka:latest
-    container_name: zeek-streamer
-    depends_on:
-      - broker
-      - connect
-      - control-center
-      - ksqldb-server
-    hostname: zeek-streamer
-    entrypoint: /init_dummy.sh
-    volumes:
-      - ./pcaps:/pcaps
-      - ./local.zeek:/usr/local/zeek/share/zeek/site/local.zeek
-      - ./send-to-kafka.zeek:/usr/local/zeek/share/zeek/site/send-to-kafka.zeek
-    cap_add:
-      - NET_ADMIN
-
-  elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.0
-    container_name: elasticsearch
-    #restart: always
-    ports:
-      - 9200:9200
-      - 9300:9300
-    environment:
-      discovery.type: "single-node"
-      ES_JAVA_OPTS: "-Xms1g -Xmx1g"
-      cluster.name: "elasticsearch-cp-demo"
-
-  kibana:
-      image: docker.elastic.co/kibana/kibana-oss:7.10.0
-      container_name: kibana
-      restart: always
-      depends_on:
-        - elasticsearch
-      ports:
-        - 5601:5601
-      environment:
-        NEWSFEED_ENABLED: 'false'
-        TELEMETRY_OPTIN: 'false'
-        TELEMETRY_ENABLED: 'false'
-        SERVER_MAXPAYLOADBYTES: 4194304
-        KIBANA_AUTOCOMPLETETIMEOUT: 3000
-        KIBANA_AUTOCOMPLETETERMINATEAFTER: 2500000
-
-  splunk:
-    image: splunk/splunk:latest
-    container_name: splunk
-    hostname: splunk
-    environment:
-      - SPLUNK_START_ARGS=--accept-license
-      - SPLUNK_PASSWORD
-      - SPLUNK_APPS_URL=https://raw.githubusercontent.com/JohnnyMirza/confluent_splunk_demo/main/splunk-add-on-for-cisco-asa_410.tgz
-    ports:
-      - 8000:8000
-      - 8090:8090
-    volumes:
-      - ./default.yml:/tmp/defaults/default.yml
-      - $PWD/splunk-search/:/opt/splunk/etc/apps/splunk-search/
-
-  splunk_uf1:
-      image: splunk/universalforwarder:latest
-      hostname: splunk_uf1
-      container_name: splunk_uf1
-      depends_on:
-        - connect
-      environment:
-        - SPLUNK_START_ARGS=--accept-license
-        - SPLUNK_PASSWORD=dingdong
-        - SPLUNK_APPS_URL=https://raw.githubusercontent.com/JohnnyMirza/confluent_splunk_demo/main/splunk-add-on-for-cisco-asa_410.tgz
-      volumes:
-        - $PWD/splunk-uf1/:/opt/splunkforwarder/etc/apps/splunk-uf1/
-      ports:
-        - 3333:3333
-
-  splunk_eventgen:
-    image: guilhemmarchand/splunk-eventgen:latest
-    container_name: splunk_eventgen
-    restart: unless-stopped
-    user: 'root'
-    volumes:
-      - $PWD/splunk-eventgen/:/opt/splunk-eventgen
-    ports:
-      - 6379:6379
-      - 9500:9500
-    depends_on:
-      - splunk_uf1
-    command: 'splunk_eventgen -v generate /opt/splunk-eventgen/default/eventgen.conf'
-
-  cyber-sigma-streams:
-    image: michaelpeacock/confluent-sigma:v2_1
-    container_name: cyber-sigma-streams
-    depends_on:
-      - broker
-      - connect
-      - control-center
-      - ksqldb-server
-    hostname: cyber-sigma-streams
-    volumes:
-      - $PWD/scripts/:/tmp/config
-    command:
-      - bash
-      - -c
-      - |
-        echo "Starting Streams app...java -cp sigma-streams-1.0-fat.jar io.confluent.sigmarules.SigmaStreamsApp -c /tmp/config/sigma-dns.properties"
-        cd /tmp
-        java -cp sigma-streams-1.0-fat.jar io.confluent.sigmarules.SigmaStreamsApp -c /tmp/config/sigma-dns.properties
-        sleep infinity
-
-  cyber-sigma-regex-ui:
-    image: michaelpeacock/confluent-sigma-regex-ui:v2_1
-    container_name: cyber-sigma-regex-ui
-    depends_on:
-      - broker
-      - connect
-      - control-center
-      - ksqldb-server
-    hostname: cyber-sigma-regex-ui
-    ports:
-      - 8080:8080
-    environment:
-      kafka_bootstrapAddress: 'broker:29092'
-      kafka_schemaRegistry: 'http://schema-registry:8081'
-      kafka_sigma_rules_topic: 'sigma-rules'
-      confluent_regex_applicationID: 'regex-application'
-      confluent_regex_inputTopic: 'splunk-s2s-events'
-      confluent_regex_ruleTopic: 'regex-rules'
-      confluent_regex_filterField: 'sourcetype'
-      confluent_regex_regexField: 'event'
-
-  duo:
-    image: confluentinc/cp-server-connect-base:latest
-    hostname: duo
-    container_name: duo
-    user: root
-    depends_on:
-      - broker
-    volumes:
-      - ./spooldir/:/var/spooldir/
-      - ./scripts/:/tmp/scripts/
-    command:
-      - /tmp/scripts/produceDuoData.sh
diff --git a/local.zeek b/zeek/local.zeek
similarity index 100%
rename from local.zeek
rename to zeek/local.zeek
diff --git a/send-to-kafka.zeek b/zeek/send-to-kafka.zeek
similarity index 100%
rename from send-to-kafka.zeek
rename to zeek/send-to-kafka.zeek