splunk
diff --git a/‎data_sources/g_suite_drive.yml‎
Lines changed: 37 additions & 36 deletions b/‎data_sources/g_suite_drive.yml‎
Lines changed: 37 additions & 36 deletions
diff --git a/‎data_sources/g_suite_gmail.yml‎
Lines changed: 76 additions & 75 deletions b/‎data_sources/g_suite_gmail.yml‎
Lines changed: 76 additions & 75 deletions
@@ -1,48 +1,49 @@
 name: G Suite Drive
 id: 5f79120f-a235-4468-bd0d-55203758ac22
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for G Suite Drive
 source: http:gsuite
 sourcetype: gsuite:drive:json
 supported_TA:
-- name: Splunk Add-on for Google Workspace
-  url: https://splunkbase.splunk.com/app/5556
-  version: 3.0.2
+  - name: Splunk Add-on for Google Workspace
+    url: https://splunkbase.splunk.com/app/5556
+    version: 3.0.3
 fields:
-- _time
-- email
-- host
-- index
-- ip_address
-- linecount
-- name
-- parameters.actor_is_collaborator_account
-- parameters.billable
-- parameters.doc_id
-- parameters.doc_title
-- parameters.doc_type
-- parameters.is_encrypted
-- parameters.new_value{}
-- parameters.old_value{}
-- parameters.old_visibility
-- parameters.originating_app_id
-- parameters.owner
-- parameters.owner_is_shared_drive
-- parameters.owner_is_team_drive
-- parameters.primary_event
-- parameters.target_user
-- parameters.visibility
-- parameters.visibility_change
-- punct
-- source
-- sourcetype
-- splunk_server
-- timestamp
-- type
-- unique_id
-example_log: '{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
+  - _time
+  - email
+  - host
+  - index
+  - ip_address
+  - linecount
+  - name
+  - parameters.actor_is_collaborator_account
+  - parameters.billable
+  - parameters.doc_id
+  - parameters.doc_title
+  - parameters.doc_type
+  - parameters.is_encrypted
+  - parameters.new_value{}
+  - parameters.old_value{}
+  - parameters.old_visibility
+  - parameters.originating_app_id
+  - parameters.owner
+  - parameters.owner_is_shared_drive
+  - parameters.owner_is_team_drive
+  - parameters.primary_event
+  - parameters.target_user
+  - parameters.visibility
+  - parameters.visibility_change
+  - punct
+  - source
+  - sourcetype
+  - splunk_server
+  - timestamp
+  - type
+  - unique_id
+example_log:
+  '{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
   true, "billable": true, "visibility_change": "none", "target_user": "alberto@internal_test_email.com",
   "old_value": ["none"], "new_value": ["can_edit"], "old_visibility": "private", "doc_id":
   "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "doc_type": "spreadsheet", "is_encrypted":
 
@@ -1,87 +1,88 @@
 name: G Suite Gmail
 id: 706c3978-41de-406b-b6e0-75bd01e12a5d
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for G Suite Gmail
 source: http:gsuite
 sourcetype: gsuite:gmail:bigquery
 supported_TA:
-- name: Splunk Add-on for Google Workspace
-  url: https://splunkbase.splunk.com/app/5556
-  version: 3.0.2
+  - name: Splunk Add-on for Google Workspace
+    url: https://splunkbase.splunk.com/app/5556
+    version: 3.0.3
 fields:
-- _time
-- action_type
-- attachment{}.file_extension_type
-- attachment{}.malware_family
-- attachment{}.sha256
-- connection_info.authenticated_domain{}.name
-- connection_info.authenticated_domain{}.type
-- connection_info.client_host_zone
-- connection_info.client_ip
-- connection_info.dkim_pass
-- connection_info.dmarc_pass
-- connection_info.dmarc_published_domain
-- connection_info.ip_geo_city
-- connection_info.ip_geo_country
-- connection_info.is_internal
-- connection_info.is_intra_domain
-- connection_info.smtp_in_connect_ip
-- connection_info.smtp_out_connect_ip
-- connection_info.smtp_out_remote_host
-- connection_info.smtp_reply_code
-- connection_info.smtp_response_reason
-- connection_info.smtp_tls_cipher
-- connection_info.smtp_tls_state
-- connection_info.smtp_tls_version
-- connection_info.smtp_user_agent_ip
-- connection_info.spf_pass
-- connection_info.tls_required_but_unavailable
-- description
-- destination{}.address
-- destination{}.rcpt_response
-- destination{}.selector
-- destination{}.service
-- destination{}.smime_decryption_success
-- destination{}.smime_extraction_success
-- destination{}.smime_parsing_success
-- destination{}.smime_signature_verification_success
-- eventtype
-- flattened_destinations
-- flattened_triggered_rule_info
-- host
-- index
-- is_policy_check_for_sender
-- is_spam
-- linecount
-- message_set{}.type
-- num_message_attachments
-- payload_size
-- punct
-- rfc2822_message_id
-- smime_content_type
-- smime_encrypt_message
-- smime_extraction_success
-- smime_packaging_success
-- smime_sign_message
-- smtp_relay_error
-- source
-- source.address
-- source.from_header_address
-- source.from_header_displayname
-- source.selector
-- source.service
-- sourcetype
-- spam_info
-- splunk_server
-- structured_policy_log_info
-- subject
-- tag
-- tag::eventtype
-- timestamp
-- upload_error_category
-example_log: '{"action_type": 10, "rfc2822_message_id": "<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC@mail.gmail.com>",
+  - _time
+  - action_type
+  - attachment{}.file_extension_type
+  - attachment{}.malware_family
+  - attachment{}.sha256
+  - connection_info.authenticated_domain{}.name
+  - connection_info.authenticated_domain{}.type
+  - connection_info.client_host_zone
+  - connection_info.client_ip
+  - connection_info.dkim_pass
+  - connection_info.dmarc_pass
+  - connection_info.dmarc_published_domain
+  - connection_info.ip_geo_city
+  - connection_info.ip_geo_country
+  - connection_info.is_internal
+  - connection_info.is_intra_domain
+  - connection_info.smtp_in_connect_ip
+  - connection_info.smtp_out_connect_ip
+  - connection_info.smtp_out_remote_host
+  - connection_info.smtp_reply_code
+  - connection_info.smtp_response_reason
+  - connection_info.smtp_tls_cipher
+  - connection_info.smtp_tls_state
+  - connection_info.smtp_tls_version
+  - connection_info.smtp_user_agent_ip
+  - connection_info.spf_pass
+  - connection_info.tls_required_but_unavailable
+  - description
+  - destination{}.address
+  - destination{}.rcpt_response
+  - destination{}.selector
+  - destination{}.service
+  - destination{}.smime_decryption_success
+  - destination{}.smime_extraction_success
+  - destination{}.smime_parsing_success
+  - destination{}.smime_signature_verification_success
+  - eventtype
+  - flattened_destinations
+  - flattened_triggered_rule_info
+  - host
+  - index
+  - is_policy_check_for_sender
+  - is_spam
+  - linecount
+  - message_set{}.type
+  - num_message_attachments
+  - payload_size
+  - punct
+  - rfc2822_message_id
+  - smime_content_type
+  - smime_encrypt_message
+  - smime_extraction_success
+  - smime_packaging_success
+  - smime_sign_message
+  - smtp_relay_error
+  - source
+  - source.address
+  - source.from_header_address
+  - source.from_header_displayname
+  - source.selector
+  - source.service
+  - sourcetype
+  - spam_info
+  - splunk_server
+  - structured_policy_log_info
+  - subject
+  - tag
+  - tag::eventtype
+  - timestamp
+  - upload_error_category
+example_log:
+  '{"action_type": 10, "rfc2822_message_id": "<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC@mail.gmail.com>",
   "subject": "New Order DHL0000001 - Dummy email for Detection Development", "payload_size":
   6733, "source": {"address": "john@external_test_email.com", "service": "gmail-for-work",
   "selector": "policy", "from_header_address": "john@external_test_email.com", "from_header_displayname":