splunk
diff --git a/‎app_template/default/data/ui/nav/default.xml‎
Lines changed: 4 additions & 2 deletions b/‎app_template/default/data/ui/nav/default.xml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎data_sources/crowdstrike_processrollup2.yml‎
Lines changed: 1 addition & 0 deletions b/‎data_sources/crowdstrike_processrollup2.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎data_sources/nginx_access.yml‎
Lines changed: 15 additions & 1 deletion b/‎data_sources/nginx_access.yml‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎data_sources/palo_alto_network_threat.yml‎
Lines changed: 10 additions & 0 deletions b/‎data_sources/palo_alto_network_threat.yml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎data_sources/palo_alto_network_traffic.yml‎
Lines changed: 10 additions & 0 deletions b/‎data_sources/palo_alto_network_traffic.yml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎data_sources/suricata.yml‎
Lines changed: 15 additions & 1 deletion b/‎data_sources/suricata.yml‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎data_sources/sysmon_eventid_1.yml‎
Lines changed: 1 addition & 1 deletion b/‎data_sources/sysmon_eventid_1.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎data_sources/sysmon_eventid_11.yml‎
Lines changed: 1 addition & 0 deletions b/‎data_sources/sysmon_eventid_11.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎data_sources/sysmon_eventid_12.yml‎
Lines changed: 8 additions & 0 deletions b/‎data_sources/sysmon_eventid_12.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎data_sources/sysmon_eventid_13.yml‎
Lines changed: 4 additions & 1 deletion b/‎data_sources/sysmon_eventid_13.yml‎
Lines changed: 4 additions & 1 deletion
@@ -2,6 +2,8 @@
   <view name="escu_summary" default="true"/>
   <view name="feedback"/>
   <view name="search"/>
-  <view name="dashboards"/>
-  <a href="http://docs.splunk.com/Documentation/ESSOC">Docs</a>
+  <collection label="Dashboards">
+    <view source="unclassified" match="__"/>
+  </collection>
+  <a href="https://docs.splunk.com/Documentation/ESCU">Docs</a>
 </nav>
@@ -96,6 +96,7 @@ field_mappings:
   mapping:
     CommandLine: Processes.process
     ImageFileName: Processes.process_path
+    ImageFileName|endswith: Processes.process_name
     ParentBaseFileName: Processes.parent_process_name
     ParentProcessId: Processes.parent_process_id
     RawProcessId: Processes.process_id
 
@@ -6,7 +6,21 @@ author: Patrick Bareiss, Splunk
 description: Data source object for Nginx Access
 source: /var/log/nginx/access.log
 sourcetype: nginx:plus:kv
-supported_TA: []
+supported_TA:
+- name: Splunk Add-on for NGINX
+  url: https://splunkbase.splunk.com/app/3258
+  version: 3.3.0
+field_mappings:
+- data_model: cim
+  data_set: Web
+  mapping:
+    server: Web.dest
+    http_method: Web.http_method
+    http_user_agent: Web.http_user_agent
+    status: Web.status
+    uri_path: Web.url
+    url_length: Web.url_length
+    src_ip: Web.src
 fields:
 - _time
 - action
 
@@ -10,6 +10,16 @@ supported_TA:
 - name: Palo Alto Networks Add-on
   url: https://splunkbase.splunk.com/app/2757
   version: 8.1.3
+field_mappings:
+- data_model: cim
+  data_set: Web
+  mapping:
+    dest: Web.dest
+    http_method: Web.http_method
+    http_user_agent: Web.http_user_agent
+    url: Web.url
+    url_length: Web.url_length
+    src: Web.src
 fields:
 - _time
 - date_hour
 
@@ -29,6 +29,16 @@ fields:
 - splunk_server
 - timeendpos
 - timestartpos
+field_mappings:
+- data_model: cim
+  data_set: All_Traffic
+  mapping:
+    app: All_Traffic.app
+    action: All_Traffic.action
+    dest_ip: All_Traffic.dest_ip
+    dest_port: All_Traffic.dest_port
+    src_ip: All_Traffic.src_ip
+    src_port: All_Traffic.src_port
 example_log: 577 <14>1 2024-02-22T12:33:50-05:00 PALO220.ATTACK_RANGE.LAN - - - -
   1,2024/02/22 12:33:50,012801036556,TRAFFIC,end,2305,2024/02/22 12:33:50,192.168.1.205,147.28.146.44,201.17.96.104,147.28.146.44,No_Vuln_Filtering_OUT,,,screenconnect,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,splunk_range,2024/02/22
   12:33:50,14740,1,50624,443,11024,443,0x40005e,tcp,allow,7419,6609,810,25,2024/02/22
 
@@ -6,7 +6,21 @@ author: Patrick Bareiss, Splunk
 description: Data source object for Suricata
 source: suricata
 sourcetype: suricata
-supported_TA: []
+supported_TA:
+- name: Splunk TA for Suricata
+  url: https://splunkbase.splunk.com/app/2760
+  version: 2.3.3
+field_mappings:
+- data_model: cim
+  data_set: Web
+  mapping:
+    http.hostname: Web.dest
+    http.http_method: Web.http_method
+    http.http_user_agent: Web.http_user_agent
+    http.status: Web.status
+    http.url: Web.url
+    http.length: Web.url_length
+    src_ip: Web.src
 fields:
 - _time
 - app_proto
 
@@ -125,7 +125,7 @@ field_mappings:
     Hashes: Processes.process_hash
     ParentProcessGuid: Processes.parent_process_guid
     ParentProcessId: Processes.parent_process_id
-    ParentImage: Processes.parent_process_name
+    ParentImage|endswith: Processes.parent_process_name
     ParentCommandLine: Processes.parent_process
     Computer: Processes.dest
     OriginalFileName: Processes.original_file_name
 
@@ -92,6 +92,7 @@ field_mappings:
     ProcessGuid: Filesystem.process_guid
     ProcessId: Filesystem.process_id
     TargetFilename: Filesystem.file_path
+    TargetFilename|endswith: Filesystem.file_name
 example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
   Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>11</EventID><Version>2</Version><Level>4</Level><Task>11</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
   SystemTime='2023-02-08T13:01:11.065939500Z'/><EventRecordID>7712490</EventRecordID><Correlation/><Execution
 
@@ -87,6 +87,14 @@ fields:
 - timestartpos
 - user_id
 - vendor_product
+field_mappings:
+- data_model: cim
+  data_set: Endpoint.Registry
+  mapping:
+    Computer: Registry.dest
+    ProcessGuid: Registry.process_guid
+    ProcessId: Registry.process_id
+    TargetObject: Registry.registry_path
 example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
   Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>12</EventID><Version>2</Version><Level>4</Level><Task>12</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
   SystemTime='2021-07-12T08:10:32.607068200Z'/><EventRecordID>1055579</EventRecordID><Correlation/><Execution
 
@@ -102,7 +102,10 @@ field_mappings:
     ProcessGuid: Registry.process_guid
     ProcessId: Registry.process_id
     TargetObject: Registry.registry_path
-    Details: Registry.registry_value_data
+    Details|in: Registry.registry_value_data
+    action: Registry.action
+    TargetObject|startswith: Registry.registry_key_name
+    TargetObject|endswith: Registry.registry_value_name
 example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
   Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>13</EventID><Version>2</Version><Level>4</Level><Task>13</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated
   SystemTime='2021-07-12T08:11:04.548083500Z'/><EventRecordID>810987</EventRecordID><Correlation/><Execution