From 93aa7514013ce0bd92a0fc68594866b885721543 Mon Sep 17 00:00:00 2001
From: patel-bhavin <7771446+patel-bhavin@users.noreply.github.com>
Date: Thu, 24 Oct 2024 06:57:48 +0000
Subject: [PATCH] Updated TAs
---
 data_sources/sysmon_eventid_1.yml | 78 +++++++++++++++---------------
 data_sources/sysmon_eventid_10.yml | 2 +-
 data_sources/sysmon_eventid_11.yml | 2 +-
 data_sources/sysmon_eventid_12.yml | 2 +-
 data_sources/sysmon_eventid_13.yml | 4 +-
 data_sources/sysmon_eventid_15.yml | 2 +-
 data_sources/sysmon_eventid_17.yml | 2 +-
 data_sources/sysmon_eventid_18.yml | 2 +-
 data_sources/sysmon_eventid_20.yml | 2 +-
 data_sources/sysmon_eventid_21.yml | 2 +-
 data_sources/sysmon_eventid_22.yml | 2 +-
 data_sources/sysmon_eventid_23.yml | 2 +-
 data_sources/sysmon_eventid_3.yml | 2 +-
 data_sources/sysmon_eventid_5.yml | 2 +-
 data_sources/sysmon_eventid_6.yml | 2 +-
 data_sources/sysmon_eventid_7.yml | 2 +-
 data_sources/sysmon_eventid_8.yml | 2 +-
 data_sources/sysmon_eventid_9.yml | 2 +-
 18 files changed, 57 insertions(+), 57 deletions(-)
diff --git a/data_sources/sysmon_eventid_1.yml b/data_sources/sysmon_eventid_1.yml
index b08464460d..80284e88ac 100644
--- a/data_sources/sysmon_eventid_1.yml
+++ b/data_sources/sysmon_eventid_1.yml
@@ -11,7 +11,7 @@ configuration: https://github.com/SwiftOnSecurity/sysmon-config
 supported_TA:
 - name: Splunk Add-on for Sysmon
 url: https://splunkbase.splunk.com/app/5709
- version: 4.0.1
+ version: 4.0.2
 fields:
 - _time
 - Channel
@@ -111,45 +111,45 @@ fields:
 - user_id
 - vendor_product
 field_mappings:
- - data_model: cim
- data_set: Endpoint.Processes
- mapping:
- ProcessGuid: Processes.process_guid
- ProcessId: Processes.process_id
- Image: Processes.process_path
- Image|endswith: Processes.process_name
- CommandLine: Processes.process
- CurrentDirectory: Processes.process_current_directory
- User: Processes.user
- IntegrityLevel: Processes.process_integrity_level
- Hashes: Processes.process_hash
- ParentProcessGuid: Processes.parent_process_guid
- ParentProcessId: Processes.parent_process_id
- ParentImage: Processes.parent_process_name
- ParentCommandLine: Processes.parent_process
- Computer: Processes.dest
- OriginalFileName: Processes.original_file_name
+- data_model: cim
+ data_set: Endpoint.Processes
+ mapping:
+ ProcessGuid: Processes.process_guid
+ ProcessId: Processes.process_id
+ Image: Processes.process_path
+ Image|endswith: Processes.process_name
+ CommandLine: Processes.process
+ CurrentDirectory: Processes.process_current_directory
+ User: Processes.user
+ IntegrityLevel: Processes.process_integrity_level
+ Hashes: Processes.process_hash
+ ParentProcessGuid: Processes.parent_process_guid
+ ParentProcessId: Processes.parent_process_id
+ ParentImage: Processes.parent_process_name
+ ParentCommandLine: Processes.parent_process
+ Computer: Processes.dest
+ OriginalFileName: Processes.original_file_name
 convert_to_log_source:
- - data_source: Windows Event Log Security 4688
- mapping:
- ProcessId: NewProcessId
- Image: NewProcessName
- Image|endswith: NewProcessName|endswith
- CommandLine: Process_Command_Line
- User: SubjectUserSid
- ParentProcessId: ProcessId
- ParentImage: ParentProcessName
- ParentImage|endswith: ParentProcessName|endswith
- Computer: Computer
- OriginalFileName: NewProcessName|endswith
- - data_source: Crowdstrike Process
- mapping:
- ProcessId: RawProcessId
- Image: ImageFileName
- CommandLine: CommandLine
- User: UserSid
- ParentProcessId: ParentProcessId
- ParentImage: ParentBaseFileName
+- data_source: Windows Event Log Security 4688
+ mapping:
+ ProcessId: NewProcessId
+ Image: NewProcessName
+ Image|endswith: NewProcessName|endswith
+ CommandLine: Process_Command_Line
+ User: SubjectUserSid
+ ParentProcessId: ProcessId
+ ParentImage: ParentProcessName
+ ParentImage|endswith: ParentProcessName|endswith
+ Computer: Computer
+ OriginalFileName: NewProcessName|endswith
+- data_source: Crowdstrike Process
+ mapping:
+ ProcessId: RawProcessId
+ Image: ImageFileName
+ CommandLine: CommandLine
+ User: UserSid
+ ParentProcessId: ParentProcessId
+ ParentImage: ParentBaseFileName
 example_log: "154100x8000000000000000452213241300x8000000000000000810987