splunk
diff --git a/‎contentctl.yml‎
Lines changed: 8 additions & 8 deletions b/‎contentctl.yml‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎data_sources/palo_alto_network_threat.yml‎
Lines changed: 5 additions & 5 deletions b/‎data_sources/palo_alto_network_threat.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎data_sources/palo_alto_network_traffic.yml‎
Lines changed: 5 additions & 5 deletions b/‎data_sources/palo_alto_network_traffic.yml‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎data_sources/suricata.yml‎
Lines changed: 223 additions & 7 deletions b/‎data_sources/suricata.yml‎
Lines changed: 223 additions & 7 deletions
diff --git a/‎data_sources/windows_event_log_security_4756.yml‎
Lines changed: 18 additions & 0 deletions b/‎data_sources/windows_event_log_security_4756.yml‎
Lines changed: 18 additions & 0 deletions
@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.24.0
+  version: 5.25.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -93,11 +93,11 @@ apps:
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-iis_130.tgz
 - uid: 4242
-  title: TA for Suricata
+  title: CCX Add-on for Suricata
   appid: SPLUNK_TA_FOR_SURICATA
-  version: 2.3.4
+  version: 1.0.1
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-suricata_234.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ccx-add-on-for-suricata_101.tgz
 - uid: 5466
   title: TA for Zeek
   appid: SPLUNK_TA_FOR_ZEEK
@@ -123,11 +123,11 @@ apps:
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-stream-wire-data_816.tgz
 - uid: 2757
-  title: Palo Alto Networks Add-on for Splunk
-  appid: PALO_ALTO_NETWORKS_ADD_ON_FOR_SPLUNK
-  version: 8.1.3
+  title: Splunk Add-on for Palo Alto Networks
+  appid: SPLUNK_ADD_ON_FOR_PALO_ALTO_NETWORKS
+  version: 3.0.1
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/palo-alto-networks-add-on-for-splunk_813.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-palo-alto-networks_301.tgz
 - uid: 3865
   title: Zscaler Technical Add-On for Splunk
   appid: Zscaler_CIM
 
@@ -1,7 +1,7 @@
 name: Palo Alto Network Threat
 id: 375c2b0e-d216-41ad-9406-200464595209
-version: 2
-date: '2025-01-23'
+version: 4
+date: '2026-03-31'
 author: Patrick Bareiss, Splunk
 description: Logs detected threats identified by Palo Alto Networks devices, including
   details about malware, intrusion attempts, and malicious network activity.
@@ -11,12 +11,12 @@ mitre_components:
 - Network Traffic Flow
 - Application Log Content
 - Host Status
-source: pan:threat
+source: not_applicable
 sourcetype: pan:threat
 supported_TA:
 - name: Palo Alto Networks Add-on
-  url: https://splunkbase.splunk.com/app/2757
-  version: 8.1.3
+  url: https://splunkbase.splunk.com/app/7523
+  version: 3.0.1
 field_mappings:
 - data_model: cim
   data_set: Web
 
@@ -1,7 +1,7 @@
 name: Palo Alto Network Traffic
 id: 182a83bc-c31a-4817-8c7a-263744cec52a
-version: 2
-date: '2025-01-23'
+version: 4
+date: '2026-03-31'
 author: Patrick Bareiss, Splunk
 description: Logs network traffic events captured by Palo Alto Networks devices, including
   details about sessions, protocols, and source and destination IPs.
@@ -11,12 +11,12 @@ mitre_components:
 - Network Connection Creation
 - Response Metadata
 - Application Log Content
-source: screenconnect_palo_traffic
+source: not_applicable
 sourcetype: pan:traffic
 supported_TA:
 - name: Palo Alto Networks Add-on
-  url: https://splunkbase.splunk.com/app/2757
-  version: 8.1.3
+  url: https://splunkbase.splunk.com/app/7523
+  version: 3.0.1
 fields:
 - _time
 - date_hour
 
@@ -1,7 +1,7 @@
 name: Suricata
 id: 64b245d4-a4d1-4865-a718-c83d3b939f2e
-version: 2
-date: '2025-01-23'
+version: 3
+date: '2026-03-26'
 author: Patrick Bareiss, Splunk
 description: Logs network traffic and security events detected by Suricata, including
   details about connections, protocol metadata, and potential threats.
@@ -11,12 +11,12 @@ mitre_components:
 - Network Connection Creation
 - Malware Metadata
 - Application Log Content
-source: suricata
+source: not_applicable
 sourcetype: suricata
 supported_TA:
-- name: Splunk TA for Suricata
-  url: https://splunkbase.splunk.com/app/2760
-  version: 2.3.3
+- name: CCX Add-on for Suricata
+  url: https://splunkbase.splunk.com/app/6994
+  version: 1.0.1
 field_mappings:
 - data_model: cim
   data_set: Web
@@ -30,7 +30,31 @@ field_mappings:
     src_ip: Web.src
 fields:
 - _time
+- action
+- alert_gid
+- alert_rev
+- alert.action
+- alert.category
+- alert.gid
+- alert.metadata.created_at{}
+- alert.metadata.former_category{}
+- alert.metadata.signature_severity{}
+- alert.metadata.updated_at{}
+- alert.rev
+- alert.severity
+- alert.signature
+- alert.signature_id
+- answer
+- app
 - app_proto
+- body
+- bytes
+- bytes_in
+- bytes_out
+- capture_kernel_drops
+- capture_kernel_packets
+- category
+- cookie
 - date_hour
 - date_mday
 - date_minute
@@ -39,9 +63,106 @@ fields:
 - date_wday
 - date_year
 - date_zone
+- decoder_avg_pkt_size
+- decoder_bytes
+- decoder_erspan
+- decoder_ethernet
+- decoder_gre
+- decoder_icmpv4
+- decoder_invalid
+- decoder_ipraw_invalid_ip_version
+- decoder_ipv4
+- decoder_ipv4_in_ipv6
+- decoder_ipv6
+- decoder_ipv6_in_ipv6
+- decoder_ltnull_pkt_too_small
+- decoder_ltnull_unspported_type
+- decoder_max_pkt_size
+- decoder_mpls
+- decoder_null
+- decoder_pkts
+- decoder_ppp
+- decoder_pppoe
+- decoder_raw
+- decoder_sctp
+- decoder_ssl
+- decoder_tcp
+- decoder_teredo
+- decoder_udp
+- decoder_vlan
+- decoder_vlan_qinq
+- decoer_icmpv6
+- defrag_ipv4_fragments
+- defrag_ipv4_reassembled
+- defrag_ipv4_timeouts
+- defrag_ipv6_fragments
+- defrag_ipv6_reassembled
+- defrag_max_frag_hits
+- description
+- dest
 - dest_ip
 - dest_port
+- detect_alert
+- dfrag_ipv6_timeouts
+- dns_memcap_global
+- dns_memcap_state
+- dns_memuse
+- dns.aa
+- dns.answers{}.rdata
+- dns.answers{}.rrname
+- dns.answers{}.rrtype
+- dns.answers{}.ttl
+- dns.authorities{}.rrname
+- dns.authorities{}.rrtype
+- dns.authorities{}.soa.expire
+- dns.authorities{}.soa.minimum
+- dns.authorities{}.soa.mname
+- dns.authorities{}.soa.refresh
+- dns.authorities{}.soa.retry
+- dns.authorities{}.soa.rname
+- dns.authorities{}.soa.serial
+- dns.authorities{}.ttl
+- dns.flags
+- dns.grouped.A{}
+- dns.id
+- dns.opcode
+- dns.qr
+- dns.ra
+- dns.rcode
+- dns.rd
+- dns.rrname
+- dns.rrtype
+- dns.tx_id
+- dns.type
+- dns.version
+- duration
+- dvc
+- endtime
 - event_type
+- eventtype
+- field
+- file_rx_id
+- file_size
+- file_state
+- file_stored
+- file_tx_id
+- fileinfo.filename
+- fileinfo.gaps
+- fileinfo.size
+- fileinfo.state
+- fileinfo.stored
+- fileinfo.tx_id
+- filename
+- flow_emerg_mode_entered
+- flow_emerg_mode_over
+- flow_id
+- flow_memcap
+- flow_memuse
+- flow_mgr_closed_pruned
+- flow_mgr_est_pruned
+- flow_mgr_new_pruned
+- flow_spare
+- flow_tcp_reuse
 - flow.age
 - flow.alerted
 - flow.bytes_toclient
@@ -52,18 +173,100 @@ fields:
 - flow.reason
 - flow.start
 - flow.state
-- flow_id
 - host
+- http_content_type
+- http_memcap
+- http_memuse
+- http_method
+- http_protocol
+- http_referrer
+- http_user_agent
+- http.hostname
+- http.http_content_type
+- http.http_method
+- http.http_port
+- http.http_user_agent
+- http.length
+- http.protocol
+- http.redirect
+- http.request_headers{}.name
+- http.request_headers{}.value
+- http.response_headers{}.name
+- http.response_headers{}.value
+- http.status
+- http.url
+- http.xff
+- ids_type
 - in_iface
 - index
 - linecount
+- message_type
+- packets_in
+- packets_out
+- pcap_cnt
+- pkt_src
+- product
 - proto
 - punct
+- query
+- reason
+- reply_code
+- severity
+- severity_id
+- signature
 - source
 - sourcetype
 - splunk_server
+- splunk_server_group
+- src
 - src_ip
 - src_port
+- ssh_client_software
+- ssh_client_version
+- ssh_server_software
+- ssh_server_version
+- ssl_issuer_common_name
+- ssl_publickey
+- ssl_server_name_indication
+- ssl_subject_common_name
+- ssl_version
+- starttime
+- state
+- status
+- stream_3whs_ack_in_wrong_dir
+- stream_3whs_async_wrong_seq
+- stream_3whs_right_seq_wrong_ack_evasion
+- suricata_signature_id
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tcp_ack
+- tcp_cwr
+- tcp_ecn
+- tcp_fin
+- tcp_flag
+- tcp_flag_hex
+- tcp_flag_hex_to_client
+- tcp_flag_hex_to_server
+- tcp_flag_to_client
+- tcp_flag_to_server
+- tcp_invalid_checksum
+- tcp_memuse
+- tcp_no_flow
+- tcp_pseudo
+- tcp_pseudo_failed
+- tcp_psh
+- tcp_reassembly_gap
+- tcp_reassembly_memuse
+- tcp_rst
+- tcp_segment_memcap_drop
+- tcp_sessions
+- tcp_ssn_memcap_drop
+- tcp_state
+- tcp_stream_depth_reached
+- tcp_syn
+- tcp_synack
 - tcp.ack
 - tcp.fin
 - tcp.psh
@@ -75,4 +278,17 @@ fields:
 - timeendpos
 - timestamp
 - timestartpos
+- transaction_id
+- transport
+- ttl
+- tx_id
+- type
+- uptime
+- url
+- url_domain
+- vendor
+- vendor_gid
+- vendor_product
+- vendor_rev
+- vendor_sid
 example_log: '{"timestamp":"2023-10-17T01:24:52.149017+0000","flow_id":721124494649885,"in_iface":"ens5","event_type":"flow","src_ip":"192.0.2.1","src_port":30880,"dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":640,"bytes_toclient":660,"start":"2023-10-17T01:20:23.829981+0000","end":"2023-10-17T01:22:11.831172+0000","age":108,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}'
@@ -0,0 +1,18 @@
+name: Windows Event Log Security 4756
+id: b0093058-0cb6-4c73-a95b-fb0f3541e88c
+version: 1
+date: '2026-03-23'
+author: Nasreddine Bencherchali, Splunk
+description: Data source object for Windows Event Log Security 4756
+source: XmlWinEventLog:Security
+sourcetype: XmlWinEventLog
+separator: EventCode
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 9.1.2
+fields:
+- _time
+output_fields:
+- dest
+example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}' /> <EventID>4756</EventID> <Version>0</Version> <Level>0</Level> <Task>13826</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime='2019-03-20T17:08:41.465560800Z' /> <EventRecordID>4405437</EventRecordID> <Correlation /> <Execution ProcessID='704' ThreadID='2584' /> <Channel>Security</Channel> <Computer>atc-win-2k16.atc.local</Computer> <Security /> </System><EventData><Data Name='MemberName'>CN=demouser,CN=Users,DC=atc,DC=local</Data> <Data Name='MemberSid'>S-1-5-21-2245550993-2690282630-2861202560-18603</Data> <Data Name='TargetUserName'>Enterprise Admins</Data> <Data Name='TargetDomainName'>ATC</Data> <Data Name='TargetSid'>S-1-5-21-2245550993-2622282683-2531201460-519</Data> <Data Name='SubjectUserSid'>S-1-5-21-2245550993-2622282683-2531201460-500</Data> <Data Name='SubjectUserName'>test_user</Data> <Data Name='SubjectDomainName'>ATC</Data> <Data Name='SubjectLogonId'>0x109a6c</Data> <Data Name='PrivilegeList'>-</Data> </EventData></Event>