splunk
diff --git a/‎contentctl/templates/data_sources/Sysmon_EventID.yml‎
Lines changed: 0 additions & 51 deletions b/‎contentctl/templates/data_sources/Sysmon_EventID.yml‎
Lines changed: 0 additions & 51 deletions
diff --git a/‎contentctl/templates/event_sources/Sysmon_EventID_1.yml‎ renamed to ‎contentctl/templates/data_sources/sysmon_eventid_1.yml‎
Lines changed: 50 additions & 1 deletion b/‎contentctl/templates/event_sources/Sysmon_EventID_1.yml‎ renamed to ‎contentctl/templates/data_sources/sysmon_eventid_1.yml‎
Lines changed: 50 additions & 1 deletion
@@ -1,7 +1,16 @@
 name: Sysmon EventID 1
 id: b375f4d1-d7ca-4bc0-9103-294825c0af17
+version: 1
+date: '2024-07-18'
 author: Patrick Bareiss, Splunk
-description: Event source object for Sysmon EventID 1
+description: Data source object for Sysmon EventID 1
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: xmlwineventlog
+separator: EventID
+supported_TA:
+- name: Splunk Add-on for Sysmon
+  url: https://splunkbase.splunk.com/app/5709/
+  version: 4.0.0
 fields:
 - _time
 - Channel
@@ -100,6 +109,46 @@ fields:
 - user
 - user_id
 - vendor_product
+field_mappings:
+  - data_model: cim
+    data_set: Endpoint.Processes
+    mapping:
+      ProcessGuid: Processes.process_guid
+      ProcessId: Processes.process_id
+      Image: Processes.process_path
+      Image|endswith: Processes.process_name
+      CommandLine: Processes.process
+      CurrentDirectory: Processes.process_current_directory
+      User: Processes.user
+      IntegrityLevel: Processes.process_integrity_level
+      Hashes: Processes.process_hash
+      ParentProcessGuid: Processes.parent_process_guid
+      ParentProcessId: Processes.parent_process_id
+      ParentImage: Processes.parent_process_name
+      ParentCommandLine: Processes.parent_process
+      Computer: Processes.dest
+      OriginalFileName: Processes.original_file_name
+convert_to_log_source:
+  - data_source: Windows Event Log Security 4688
+    mapping:
+      ProcessId: NewProcessId
+      Image: NewProcessName
+      Image|endswith: NewProcessName|endswith
+      CommandLine: Process_Command_Line
+      User: SubjectUserSid
+      ParentProcessId: ProcessId
+      ParentImage: ParentProcessName
+      ParentImage|endswith: ParentProcessName|endswith
+      Computer: Computer
+      OriginalFileName: NewProcessName|endswith
+  - data_source: Crowdstrike Process
+    mapping:
+      ProcessId: RawProcessId
+      Image: ImageFileName
+      CommandLine: CommandLine
+      User: UserSid
+      ParentProcessId: ParentProcessId
+      ParentImage: ParentBaseFileName
 example_log: "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider\
   \ Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated\
   \ SystemTime='2020-10-08T11:03:46.617920300Z'/><EventRecordID>4522</EventRecordID><Correlation/><Execution\