diff --git a/data_sources/asl_aws_cloudtrail.yml b/data_sources/asl_aws_cloudtrail.yml
index 743e34d3eb..440735d18e 100644
--- a/data_sources/asl_aws_cloudtrail.yml
+++ b/data_sources/asl_aws_cloudtrail.yml
@@ -1,9 +1,22 @@
name: ASL AWS CloudTrail
id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898
-version: 1
-date: '2025-01-14'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for ASL AWS CloudTrail
+description: Represents AWS API dataset data collection from Amazon Security Lake.
+mitre_components:
+- Cloud Service Metadata
+- Cloud Service Modification
+- Cloud Storage Access
+- Instance Creation
+- Instance Deletion
+- Instance Start
+- Instance Stop
+- Instance Modification
+- Cloud Storage Creation
+- Cloud Storage Deletion
+- Cloud Service Enumeration
+- Cloud Storage Enumeration
source: aws_asl
sourcetype: aws:asl
separator: api.operation
diff --git a/data_sources/aws_cloudfront.yml b/data_sources/aws_cloudfront.yml
index c4f146026d..f6df73faea 100644
--- a/data_sources/aws_cloudfront.yml
+++ b/data_sources/aws_cloudfront.yml
@@ -1,9 +1,17 @@
name: AWS Cloudfront
id: 780086dc-2384-45b6-ade7-56cb00105464
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS Cloudfront
+description: Logs requests made to AWS CloudFront distributions, including details
+ on client access, response data, and performance metrics.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+- Response Content
+- Logon Session Metadata
+- Cloud Service Metadata
source: aws
sourcetype: aws:cloudfront:accesslogs
supported_TA:
diff --git a/data_sources/aws_cloudtrail.yml b/data_sources/aws_cloudtrail.yml
index af1afc59c0..1cdd7ac821 100644
--- a/data_sources/aws_cloudtrail.yml
+++ b/data_sources/aws_cloudtrail.yml
@@ -3,7 +3,7 @@ id: e8ace6db-1dbd-4c72-a1fb-334684619a38
version: 1
date: '2024-07-24'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail
+description: All AWS CloudTrail events
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
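Review bot: The description is rewritten but the context lines `version: 1` and `date: '2024-07-24'` are left untouched, whereas every other data source edited in this change bumps to `version: 2` with `date: '2025-01-23'`. If downstream tooling uses `version` to detect content changes, this file's update will go unnoticed. Suggest `version: 2` and `date: '2025-01-23'` here as well so the file follows the same convention as its siblings.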
diff --git a/data_sources/aws_cloudtrail_assumerolewithsaml.yml b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
index ef4041930f..c8b978c277 100644
--- a/data_sources/aws_cloudtrail_assumerolewithsaml.yml
+++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -1,12 +1,20 @@
name: AWS CloudTrail AssumeRoleWithSAML
id: 1e28f2a6-2db9-405f-b298-18734a293f77
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail AssumeRoleWithSAML
+description: Logs attempts to assume roles via SAML authentication in AWS, including
+ details of identity provider and role mapping.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Cloud Service Metadata
+- Instance Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: AssumeRoleWithSAML
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
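Review bot: `Instance Modification` in the new `mitre_components` list looks out of place for an STS AssumeRoleWithSAML event, which changes no compute instance; the other entries (authentication, logon session, account and cloud-service metadata) fit the event. The same component is added for the S3 CopyObject data source in data_sources/aws_cloudtrail_copyobject.yml, where it is equally unrelated. Unless the mapping is intentional, drop the line `- Instance Modification` in both files.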
diff --git a/data_sources/aws_cloudtrail_consolelogin.yml b/data_sources/aws_cloudtrail_consolelogin.yml
index 0ddc77ce93..441afb6cea 100644
--- a/data_sources/aws_cloudtrail_consolelogin.yml
+++ b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -1,12 +1,20 @@
name: AWS CloudTrail ConsoleLogin
id: b68b3f26-bd21-4fa8-b593-616fe75ac0ae
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ConsoleLogin
+description: Logs attempts to sign in to the AWS Management Console, including successful
+ and failed login events.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Logon Session Metadata
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: ConsoleLogin
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_copyobject.yml b/data_sources/aws_cloudtrail_copyobject.yml
index 44fabed1bb..93ea12c92f 100644
--- a/data_sources/aws_cloudtrail_copyobject.yml
+++ b/data_sources/aws_cloudtrail_copyobject.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail CopyObject
id: 965083f4-64a8-403f-99cc-252e1a6bd3b6
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CopyObject
+description: Logs operations that copy objects within or between AWS S3 buckets, including
+ details of source and destination.
+mitre_components:
+- Cloud Storage Access
+- Cloud Storage Modification
+- Cloud Storage Metadata
+- Instance Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_values: CopyObject
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
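Review bot: The key added on the last changed line of this hunk is `separator_values`, while every sibling file in this change uses `separator_value` (for example aws_cloudtrail_consolelogin.yml), so a consumer reading `separator_value` will see this data source as having no separator value. The same slip appears in data_sources/aws_cloudtrail_createtask.yml, which adds `separator_name: CreateTask`. Both lines should read `separator_value: CopyObject` and `separator_value: CreateTask` respectively. A schema check that rejects unknown keys on data-source files would catch this class of typo before merge.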
diff --git a/data_sources/aws_cloudtrail_createaccesskey.yml b/data_sources/aws_cloudtrail_createaccesskey.yml
index 4834e03b5d..e32d68ce5f 100644
--- a/data_sources/aws_cloudtrail_createaccesskey.yml
+++ b/data_sources/aws_cloudtrail_createaccesskey.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail CreateAccessKey
id: 0460f7da-3254-4d90-b8c0-2ca657d0cea0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateAccessKey
+description: Logs the creation of new AWS access keys, including details of the associated
+ user and permissions.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateAccessKey
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_createkey.yml b/data_sources/aws_cloudtrail_createkey.yml
index 8c2aa289b1..c6c31a41a3 100644
--- a/data_sources/aws_cloudtrail_createkey.yml
+++ b/data_sources/aws_cloudtrail_createkey.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail CreateKey
id: fcfc1593-b6b5-4a0f-91c5-3c395116a8b9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateKey
+description: Logs the creation of new AWS KMS keys, including details of key properties
+ and associated metadata.
+mitre_components:
+- Cloud Service Creation
+- Cloud Service Metadata
+- Instance Creation
+- Volume Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateKey
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
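Review bot: `Cloud Service Creation` in the new `mitre_components` list does not appear to be a data component of MITRE ATT&CK's Cloud Service data source, whose components are Disable, Enumeration, Metadata and Modification; please confirm against the ATT&CK version the repository validates against. The same value is added in data_sources/aws_cloudtrail_createvirtualmfadevice.yml. `Instance Creation` and `Volume Metadata` also look unrelated to a KMS CreateKey call, which creates neither an instance nor a volume; if a change-type component is wanted, `Cloud Service Modification` is the closer fit.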
diff --git a/data_sources/aws_cloudtrail_createloginprofile.yml b/data_sources/aws_cloudtrail_createloginprofile.yml
index 7f09482a94..243ad0b5c5 100644
--- a/data_sources/aws_cloudtrail_createloginprofile.yml
+++ b/data_sources/aws_cloudtrail_createloginprofile.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail CreateLoginProfile
id: 0024fdb1-0d62-4449-970a-746952cf80b6
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateLoginProfile
+description: Logs the creation of login profiles for IAM users, including associated
+ metadata and authentication settings.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Logon Session Metadata
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateLoginProfile
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_createnetworkaclentry.yml b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
index b9eb2d9e66..3f98c6329c 100644
--- a/data_sources/aws_cloudtrail_createnetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail CreateNetworkAclEntry
id: 45934028-10ec-4ab5-a7b1-a6349b833e67
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateNetworkAclEntry
+description: Logs the creation of new entries in a network ACL, including rules to
+ allow or deny specific network traffic.
+mitre_components:
+- Firewall Rule Modification
+- Network Connection Creation
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateNetworkAclEntry
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_createpolicyversion.yml b/data_sources/aws_cloudtrail_createpolicyversion.yml
index 49b4ea9e54..88b3b2aeb7 100644
--- a/data_sources/aws_cloudtrail_createpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_createpolicyversion.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail CreatePolicyVersion
id: f9f0f3da-37ec-4164-9ea0-0ae46645a86b
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreatePolicyVersion
+description: Logs the creation of new versions of IAM policies, including changes
+ to permissions and attached roles or resources.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- User Account Metadata
+- Group Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreatePolicyVersion
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_createsnapshot.yml b/data_sources/aws_cloudtrail_createsnapshot.yml
index d8140341e4..0d724bfada 100644
--- a/data_sources/aws_cloudtrail_createsnapshot.yml
+++ b/data_sources/aws_cloudtrail_createsnapshot.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail CreateSnapshot
id: 514135a2-f4b2-4d32-8f31-d87824887f9f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateSnapshot
+description: Logs the creation of a new snapshot of a cloud resource, such as an Amazon
+ EBS volume, including details about the snapshot ID and resource type.
+mitre_components:
+- Snapshot Creation
+- Snapshot Metadata
+- Volume Metadata
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateSnapshot
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_createtask.yml b/data_sources/aws_cloudtrail_createtask.yml
index 64c885e902..3db15c7370 100644
--- a/data_sources/aws_cloudtrail_createtask.yml
+++ b/data_sources/aws_cloudtrail_createtask.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail CreateTask
id: 6501e4fe-05b2-45f1-bd51-9e06a94fa7d9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateTask
+description: Logs the creation of a new task in AWS services, such as ECS, including
+ details about the task definition and resource allocation.
+mitre_components:
+- Scheduled Job Creation
+- Scheduled Job Metadata
+- Cloud Service Metadata
+- Instance Creation
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_name: CreateTask
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
index 579ea87956..f76f14d9c1 100644
--- a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail CreateVirtualMFADevice
id: 13e6e952-0dad-4190-865c-fb5911725f7a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateVirtualMFADevice
+description: Logs the creation of a new virtual multi-factor authentication (MFA)
+ device, including details about the associated user and configuration.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Cloud Service Creation
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: CreateVirtualMFADevice
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deactivatemfadevice.yml b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
index bfef68070f..06d7103bfe 100644
--- a/data_sources/aws_cloudtrail_deactivatemfadevice.yml
+++ b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail DeactivateMFADevice
id: 7397a10b-1150-4de9-8062-a96454ae53b2
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeactivateMFADevice
+description: Logs the deactivation of a multi-factor authentication (MFA) device,
+ including details about the associated user and the device.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeactivateMFADevice
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
index 3998089a44..feeaa4fd66 100644
--- a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail DeleteAccountPasswordPolicy
id: b0730ac8-0992-4de8-b000-2c7d0fc7a67f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteAccountPasswordPolicy
+description: Logs the deletion of an account-level password policy in AWS, including
+ details about the account and policy being removed.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteAccountPasswordPolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletealarms.yml b/data_sources/aws_cloudtrail_deletealarms.yml
index d7b436d019..8b11625dfe 100644
--- a/data_sources/aws_cloudtrail_deletealarms.yml
+++ b/data_sources/aws_cloudtrail_deletealarms.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail DeleteAlarms
id: b0730ac8-0992-4de8-b000-2c7d0fc7a61f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Bhavin Patel, Splunk
-description: Data source object for AWS CloudTrail DeleteAlarms
+description: Logs the deletion of CloudWatch alarms, including details about the alarm
+ names and associated monitoring configurations.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteAlarms
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletedetector.yml b/data_sources/aws_cloudtrail_deletedetector.yml
index df3b6cea4e..1046a8b7db 100644
--- a/data_sources/aws_cloudtrail_deletedetector.yml
+++ b/data_sources/aws_cloudtrail_deletedetector.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail DeleteDetector
id: 5d8bd475-c8bc-4447-b27f-efa508728b90
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteDetector
+description: Logs the deletion of an Amazon GuardDuty detector, including details
+ about the detector ID and associated configurations.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Host Status
+- Application Log Content
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteDetector
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletegroup.yml b/data_sources/aws_cloudtrail_deletegroup.yml
index f383f21440..e8e98628b6 100644
--- a/data_sources/aws_cloudtrail_deletegroup.yml
+++ b/data_sources/aws_cloudtrail_deletegroup.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail DeleteGroup
id: c95308a4-a943-42ca-b112-f90a05c21bd3
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteGroup
+description: Logs the deletion of an IAM group in AWS, including details about the
+ group name and its associated policies or members.
+mitre_components:
+- Group Modification
+- Group Metadata
+- User Account Metadata
+- Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteGroup
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deleteipset.yml b/data_sources/aws_cloudtrail_deleteipset.yml
index 9e70698a5f..3f00e45f4d 100644
--- a/data_sources/aws_cloudtrail_deleteipset.yml
+++ b/data_sources/aws_cloudtrail_deleteipset.yml
@@ -1,12 +1,18 @@
name: AWS CloudTrail DeleteIPSet
id: ebdeeb63-77a0-4808-a6fe-549956731377
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteIPSet
+description: Logs the deletion of an IP set in AWS WAF or GuardDuty, including details
+ about the IP set ID and its associated configurations.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Firewall Rule Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteIPSet
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deleteloggroup.yml b/data_sources/aws_cloudtrail_deleteloggroup.yml
index 936f52788a..8e4206a1fb 100644
--- a/data_sources/aws_cloudtrail_deleteloggroup.yml
+++ b/data_sources/aws_cloudtrail_deleteloggroup.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail DeleteLogGroup
id: 60cf6a69-fa43-4a6c-8808-e9fb46bf387f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteLogGroup
+description: Logs the deletion of a CloudWatch log group, including details about
+ the log group name and associated resources.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteLogGroup
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletelogstream.yml b/data_sources/aws_cloudtrail_deletelogstream.yml
index 591ea64693..66ce8c87ec 100644
--- a/data_sources/aws_cloudtrail_deletelogstream.yml
+++ b/data_sources/aws_cloudtrail_deletelogstream.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail DeleteLogStream
id: 6f8bb808-89f8-465e-a34d-229df2f46402
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteLogStream
+description: Logs the deletion of a log stream within a CloudWatch log group, including
+ details about the stream name and associated log group.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteLogStream
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
index 7c0003f08b..860acf5cb3 100644
--- a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
@@ -1,12 +1,18 @@
name: AWS CloudTrail DeleteNetworkAclEntry
id: a0dd0f10-cc03-425d-bd5a-e1e0d954b856
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteNetworkAclEntry
+description: Logs the deletion of a network ACL entry in AWS, including details about
+ the rule number and associated network ACL.
+mitre_components:
+- Firewall Rule Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteNetworkAclEntry
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletepolicy.yml b/data_sources/aws_cloudtrail_deletepolicy.yml
index 44cd10188c..1eb13dccc6 100644
--- a/data_sources/aws_cloudtrail_deletepolicy.yml
+++ b/data_sources/aws_cloudtrail_deletepolicy.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail DeletePolicy
id: d190d23a-2c59-4a0e-9c55-a53ebef28ee5
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeletePolicy
+description: Logs the deletion of an IAM policy in AWS, including details about the
+ policy name and its associated roles or users.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeletePolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deleterule.yml b/data_sources/aws_cloudtrail_deleterule.yml
index 545fbcec9a..8cc54b2ae9 100644
--- a/data_sources/aws_cloudtrail_deleterule.yml
+++ b/data_sources/aws_cloudtrail_deleterule.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail DeleteRule
id: b5760623-f3ca-492d-a372-d5c2b3567dfc
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteRule
+description: Logs the deletion of an event rule in AWS EventBridge, including details
+ about the rule name and its associated targets or schedules.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Scheduled Job Modification
+- Application Log Content
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteRule
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletesnapshot.yml b/data_sources/aws_cloudtrail_deletesnapshot.yml
index 6b586a2a3e..6d802d417f 100644
--- a/data_sources/aws_cloudtrail_deletesnapshot.yml
+++ b/data_sources/aws_cloudtrail_deletesnapshot.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail DeleteSnapshot
id: b0731ac8-0992-4de8-b000-2c7d0fc2a61f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Bhavin Patel, Splunk
-description: Data source object for AWS CloudTrail DeleteSnapshot
+description: Logs the deletion of a cloud resource snapshot, such as an Amazon EBS
+ snapshot, including details about the snapshot ID and associated resource.
+mitre_components:
+- Snapshot Deletion
+- Snapshot Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteSnapshot
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletetrail.yml b/data_sources/aws_cloudtrail_deletetrail.yml
index 1555fafdac..1ab9032017 100644
--- a/data_sources/aws_cloudtrail_deletetrail.yml
+++ b/data_sources/aws_cloudtrail_deletetrail.yml
@@ -1,12 +1,19 @@
name: AWS CloudTrail DeleteTrail
id: a5af09ff-07b6-4df6-92a0-2146bfe402c8
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteTrail
+description: Logs the deletion of an AWS CloudTrail trail, including details about
+ the trail name and its associated logging configurations.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteTrail
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
index e03ef28b7d..4a7caa655b 100644
--- a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail DeleteVirtualMFADevice
id: 84a08d6b-3d59-4260-8cab-84278ada262f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteVirtualMFADevice
+description: Logs an event when a virtual Multi-Factor Authentication (MFA) device
+ is deleted in AWS CloudTrail.
+mitre_components:
+- User Account Authentication
+- User Account Deletion
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteVirtualMFADevice
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
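Review bot: `User Account Deletion` in the new `mitre_components` list implies the IAM user is removed, but DeleteVirtualMFADevice removes only the MFA device; the sibling data source aws_cloudtrail_deactivatemfadevice.yml maps the analogous event to `User Account Modification`, `User Account Metadata`, `Cloud Service Modification` and `Cloud Service Metadata`. Consider aligning this file with that set, for instance replacing `- User Account Deletion` with `- User Account Modification`. The description's `is deleted in AWS CloudTrail` also reads as if CloudTrail were the acting service; `is deleted in AWS IAM, as recorded by CloudTrail` would be clearer.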
diff --git a/data_sources/aws_cloudtrail_deletewebacl.yml b/data_sources/aws_cloudtrail_deletewebacl.yml
index 2368ae2314..8386aa1d15 100644
--- a/data_sources/aws_cloudtrail_deletewebacl.yml
+++ b/data_sources/aws_cloudtrail_deletewebacl.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail DeleteWebACL
id: 90da5f08-7961-4c29-8de8-01364982aadf
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteWebACL
+description: Logs an event when a Web Access Control List (WebACL) is deleted in AWS
+ CloudTrail.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DeleteWebACL
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_describeeventaggregates.yml b/data_sources/aws_cloudtrail_describeeventaggregates.yml
index ae72fb9931..4ad39a0e97 100644
--- a/data_sources/aws_cloudtrail_describeeventaggregates.yml
+++ b/data_sources/aws_cloudtrail_describeeventaggregates.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail DescribeEventAggregates
id: 7efe4afe-62ae-4f96-81d1-76598ea37fc2
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DescribeEventAggregates
+description: Logs an event when aggregate details about AWS events are queried, often
+ for analysis.
+mitre_components:
+- Cloud Service Enumeration
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DescribeEventAggregates
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_describeimagescanfindings.yml b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
index 79696cbffc..e91321536e 100644
--- a/data_sources/aws_cloudtrail_describeimagescanfindings.yml
+++ b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
@@ -1,12 +1,18 @@
name: AWS CloudTrail DescribeImageScanFindings
id: 688ea789-9ba2-4970-90a2-17e541e273c9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DescribeImageScanFindings
+description: Logs an event when findings from an image vulnerability scan are described
+ using the DescribeImageScanFindings operation in AWS CloudTrail.
+mitre_components:
+- Image Metadata
+- Image Modification
+- Malware Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: DescribeImageScanFindings
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
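Review bot: `Image Modification` in the new `mitre_components` list does not match DescribeImageScanFindings, a read-only ECR call that changes no image; the description in the same hunk itself says the operation only describes findings. Unless the component is intended, drop `- Image Modification` and keep `Image Metadata` and `Malware Metadata`. The later hunks of this file only reshuffle whitespace inside the quoted `example_log` string (spaces inserted before colons such as `"key" :`), which looks like an accidental re-serialization rather than an intentional change and could be reverted to keep the diff to the metadata edits.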
@@ -112,15 +118,15 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
"accountId": "111111111111", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext":
{"sessionIssuer": {"type": "Role", "principalId": "AKIAIOSFODNN7EXAMPLE", "arn":
"arn:aws:iam::111111111111:role/aws-reserved/test/region/group", "accountId": "111111111111",
- "userName": "test"}, "webIdFederationData": {}, "attributes": {"creationDate": "2021-08-11T09:42:53Z",
- "mfaAuthenticated": "false"}}}, "eventTime": "2021-08-11T11:52:27Z", "eventSource":
- "ecr.amazonaws.com", "eventName": "DescribeImageScanFindings", "awsRegion": "eu-central-1",
- "sourceIPAddress": "154.16.165.133", "userAgent": "aws-internal/3 aws-sdk-java/1.11.1030
- Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08
+ "userName": "test"}, "webIdFederationData" : {}, "attributes": {"creationDate":
+ "2021-08-11T09:42:53Z", "mfaAuthenticated": "false"}}}, "eventTime": "2021-08-11T11:52:27Z",
+ "eventSource": "ecr.amazonaws.com", "eventName": "DescribeImageScanFindings", "awsRegion":
+ "eu-central-1" , "sourceIPAddress": "154.16.165.133", "userAgent": "aws-internal/3
+ aws-sdk-java/1.11.1030 Linux/4.9.273-0.1.ac.226.84.332.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.302-b08
java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/legacy", "requestParameters":
{"repositoryName": "devsecops/cat_dog_client", "imageId": {"imageDigest": "sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6"},
"maxResults": 1000}, "responseElements": {"registryId": "111111111111", "repositoryName":
- "devsecops/cat_dog_client", "imageId": {"imageDigest": "sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6"},
+ "devsecops/cat_dog_client", "imageId": {"imageDigest" : "sha256:a27d73188718a511a1ec1ec788826674b21e097f29873dde734a4dedfbfab1c6"},
"imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed
successfully."}, "imageScanFindings": {"imageScanCompletedAt": "Aug 11, 2021, 11:30:16
AM", "vulnerabilitySourceUpdatedAt": "Aug 11, 2021, 1:17:52 AM", "findings": [{"name":
@@ -376,7 +382,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
able to disclose sensitive information or cause a denial of service condition on
the client system when a user connects to the server.", "uri": "https://security-tracker.debian.org/tracker/CVE-2019-17498",
"severity": "LOW", "attributes": [{"key": "package_version", "value": "1.8.0-2.1"},
- {"key": "package_name", "value": "libssh2"}, {"key": "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"},
+ {"key": "package_name", "value": "libssh2"}, {"key" : "CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:N/A:P"},
{"key": "CVSS2_SCORE", "value": "5.8"}]}, {"name": "CVE-2019-17543", "description":
"LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize),
affecting applications that call LZ4_compress_fast with a large input. (This issue
@@ -409,7 +415,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "7.5"}]}, {"name":
"CVE-2011-3374", "description": "It was found that apt-key in apt, all versions,
do not correctly validate gpg keys with the master keyring, leading to a potential
- man-in-the-middle attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-3374",
+ man-in-the-middle attack.", "uri" : "https://security-tracker.debian.org/tracker/CVE-2011-3374",
"severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
"1.8.2.3"}, {"key": "package_name", "value": "apt"}, {"key": "CVSS2_VECTOR", "value":
"AV:N/AC:M/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "4.3"}]}, {"name":
@@ -564,7 +570,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
other artifacts of the database as we know that a Kerberos database dump file contains
trusted data.", "uri": "https://security-tracker.debian.org/tracker/CVE-2018-5709",
"severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "1.17-3+deb10u1"}, {"key": "package_name", "value": "krb5"}, {"key": "CVSS2_VECTOR",
+ "1.17-3+deb10u1"}, {"key": "package_name", "value": "krb5"}, {"key" : "CVSS2_VECTOR",
"value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
{"name": "CVE-2021-36222", "description": "ec_verify in kdc/kdc_preauth_ec.c in
the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and
@@ -651,7 +657,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
"severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
"1.1.32-2.2~deb10u1"}, {"key": "package_name", "value": "libxslt"}, {"key": "CVSS2_VECTOR",
"value": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
- {"name": "CVE-2009-4487", "description": "nginx 0.7.64 writes data to a log file
+ {"name": "CVE-2009-4487" , "description": "nginx 0.7.64 writes data to a log file
without sanitizing non-printable characters, which might allow remote attackers
to modify a window''s title, or possibly execute arbitrary commands or overwrite
files, via an HTTP request containing an escape sequence for a terminal emulator.",
@@ -666,7 +672,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
"severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
"2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key":
"CVSS2_VECTOR", "value": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, {"key": "CVSS2_SCORE", "value":
- "4"}]}, {"name": "CVE-2015-3276", "description": "The nss_parse_ciphers function
+ "4"}]}, {"name": "CVE-2015-3276" , "description": "The nss_parse_ciphers function
in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword
mode cipher strings, which might cause a weaker than intended cipher to be used
and allow remote attackers to have unspecified impact via unknown vectors.", "uri":
@@ -689,7 +695,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
"severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
"2.4.47+dfsg-3+deb10u6"}, {"key": "package_name", "value": "openldap"}, {"key":
"CVSS2_VECTOR", "value": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
- "5"}]}, {"name": "CVE-2010-0928", "description": "OpenSSL 0.9.8i on the Gaisler
+ "5"}]}, {"name": "CVE-2010-0928" , "description": "OpenSSL 0.9.8i on the Gaisler
Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation
(FWE) algorithm for certain signature calculations, and does not verify the signature
before providing it to a caller, which makes it easier for physically proximate
@@ -744,10 +750,10 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
"2:8.39-12"}, {"key": "package_name", "value": "pcre3"}, {"key": "CVSS2_VECTOR",
"value": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, {"key": "CVSS2_SCORE", "value": "7.8"}]},
{"name": "CVE-2011-4116", "description": "_is_safe in the File::Temp module for
- Perl does not properly handle symlinks.", "uri": "https://security-tracker.debian.org/tracker/CVE-2011-4116",
+ Perl does not properly handle symlinks.", "uri" : "https://security-tracker.debian.org/tracker/CVE-2011-4116",
"severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "5.28.1-6+deb10u1"}, {"key": "package_name", "value": "perl"}, {"key": "CVSS2_VECTOR",
- "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
+ "5.28.1-6+deb10u1"}, {"key": "package_name", "value": "perl"}, {"key": "CVSS2_VECTOR"
+ , "value": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, {"key": "CVSS2_SCORE", "value": "5"}]},
{"name": "CVE-2019-19882", "description": "shadow 4.8, in certain circumstances
affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain
root access because setuid programs are misconfigured. Specifically, this affects
@@ -771,8 +777,8 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
"1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR",
"value": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}, {"key": "CVSS2_SCORE", "value": "4.9"}]},
{"name": "CVE-2013-4235", "description": "shadow: TOCTOU (time-of-check time-of-use)
- race condition when copying and removing directory trees", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-4235",
- "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
+ race condition when copying and removing directory trees", "uri": "https://security-tracker.debian.org/tracker/CVE-2013-4235"
+ , "severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
"1:4.5-1.1"}, {"key": "package_name", "value": "shadow"}, {"key": "CVSS2_VECTOR",
"value": "AV:L/AC:M/Au:N/C:N/I:P/A:P"}, {"key": "CVSS2_SCORE", "value": "3.3"}]},
{"name": "CVE-2020-13529", "description": "An exploitable denial-of-service vulnerability
@@ -817,7 +823,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
{"name": "CVE-2021-20193", "description": "A flaw was found in the src/list.c of
tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input
file to tar to cause uncontrolled consumption of memory. The highest threat from
- this vulnerability is to system availability.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-20193",
+ this vulnerability is to system availability." , "uri": "https://security-tracker.debian.org/tracker/CVE-2021-20193",
"severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
"1.30+dfsg-6"}, {"key": "package_name", "value": "tar"}, {"key": "CVSS2_VECTOR",
"value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value": "4.3"}]},
@@ -839,19 +845,19 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c,
as demonstrated by tiffdither.", "uri": "https://security-tracker.debian.org/tracker/CVE-2014-8130",
"severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff" }, {"key":
"CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
"4.3"}]}, {"name": "CVE-2017-5563", "description": "LibTIFF version 4.0.7 is vulnerable
to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution
- via a crafted bmp image to tools/bmp2tiff.", "uri": "https://security-tracker.debian.org/tracker/CVE-2017-5563",
+ via a crafted bmp image to tools/bmp2tiff." , "uri": "https://security-tracker.debian.org/tracker/CVE-2017-5563",
"severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff" }, {"key":
"CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, {"key": "CVSS2_SCORE", "value":
"6.8"}]}, {"name": "CVE-2020-35522", "description": "In LibTIFF, there is a memory
malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort,
resulting in a remote denial of service attack.", "uri": "https://security-tracker.debian.org/tracker/CVE-2020-35522",
"severity": "INFORMATIONAL", "attributes": [{"key": "package_version", "value":
- "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff"}, {"key":
+ "4.1.0+git191117-2~deb10u2"}, {"key": "package_name", "value": "tiff" }, {"key":
"CVSS2_VECTOR", "value": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, {"key": "CVSS2_SCORE", "value":
"4.3"}]}, {"name": "CVE-2017-9117", "description": "In LibTIFF 4.0.7, the program
processes BMP images without verifying that biWidth and biHeight in the bitmap-information
@@ -881,7 +887,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
comparison also didn''t include the ''issuer cert'' which a transfer can setto qualify
how to verify the server certificate.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-22924",
"severity": "UNDEFINED", "attributes": [{"key": "package_version", "value": "7.64.0-4+deb10u2"},
- {"key": "package_name", "value": "curl"}]}, {"name": "CVE-2021-38115", "description":
+ {"key": "package_name", "value": "curl" }]}, {"name": "CVE-2021-38115", "description":
"read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2
allows remote attackers to cause a denial of service (out-of-bounds read) via a
crafted TGA file.", "uri": "https://security-tracker.debian.org/tracker/CVE-2021-38115",
diff --git a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
index 376fecc828..0a63249da0 100644
--- a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail GetAccountPasswordPolicy
id: 439bdc53-6e4b-4cd7-b326-86c7317fd396
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail GetAccountPasswordPolicy
+description: Logs an event when a request is made to get the account password policy
+ in AWS CloudTrail.
+mitre_components:
+- User Account Authentication
+- User Account Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: GetAccountPasswordPolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_getobject.yml b/data_sources/aws_cloudtrail_getobject.yml
index 27d29dea5d..2e9608547a 100644
--- a/data_sources/aws_cloudtrail_getobject.yml
+++ b/data_sources/aws_cloudtrail_getobject.yml
@@ -1,12 +1,18 @@
name: AWS CloudTrail GetObject
id: 5063cb10-84c0-44af-ade4-ab9ecad11dfe
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail GetObject
+description: Logs an event when a request is made to access an object stored in an
+ AWS S3 bucket.
+mitre_components:
+- Cloud Storage Access
+- Cloud Storage Metadata
+- Cloud Storage Enumeration
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: GetObject
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
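Review bot: The new `description` should warn that GetObject is an S3 data event, which CloudTrail does not record on a default management-events trail; a detection keyed on this data source will silently match nothing unless data event logging is enabled for the trail or bucket. Suggest `description: Logs an event when a request is made to read an object stored in an AWS S3 bucket. GetObject is an S3 data event and is only recorded when CloudTrail data event logging is enabled for the bucket or trail.` The `Cloud Storage Enumeration` component also looks misplaced for a single-object read — enumeration would correspond to ListObjects/ListBucket — so consider dropping it unless the repo's taxonomy mapping intends it.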
diff --git a/data_sources/aws_cloudtrail_getpassworddata.yml b/data_sources/aws_cloudtrail_getpassworddata.yml
index fc6857d804..ca47e32ca9 100644
--- a/data_sources/aws_cloudtrail_getpassworddata.yml
+++ b/data_sources/aws_cloudtrail_getpassworddata.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail GetPasswordData
id: 6ff2ce99-85b1-4c17-888a-56dbc3570671
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail GetPasswordData
+description: Logs an event when a request is made to retrieve the administrator password
+ of an EC2 instance.
+mitre_components:
+- Instance Metadata
+- User Account Authentication
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: GetPasswordData
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
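Review bot: The `description` says the event retrieves "the administrator password of an EC2 instance" without noting that, as far as I recall the API, GetPasswordData applies to Windows instances and returns the password encrypted with the instance key pair, which the caller then decrypts with the private key. Stating that makes the detection intent clearer: a successful call from an unexpected principal, or for an instance that principal does not normally manage, is a credential-access signal rather than routine metadata access. Suggest `description: Logs an event when a request is made to retrieve the encrypted Windows administrator password of an EC2 instance (GetPasswordData), which the caller decrypts with the instance key pair.`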
diff --git a/data_sources/aws_cloudtrail_jobcreated.yml b/data_sources/aws_cloudtrail_jobcreated.yml
index b33710f139..d0fbf8d5a8 100644
--- a/data_sources/aws_cloudtrail_jobcreated.yml
+++ b/data_sources/aws_cloudtrail_jobcreated.yml
@@ -1,12 +1,16 @@
name: AWS CloudTrail JobCreated
id: 6473289b-d097-4c86-a837-3cc5ae408155
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail JobCreated
+description: Logs an event when a new job is created in AWS CloudTrail.
+mitre_components:
+- Scheduled Job Creation
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: JobCreated
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
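Review bot: The `description` does not say which service emits `JobCreated`, and with `separator: eventName` alone this data source matches any eventSource that uses that name. If this is meant for S3 Batch Operations jobs, which I believe is the CloudTrail source that emits `JobCreated`, say so explicitly: `description: Logs an event when an S3 Batch Operations job is created (eventSource s3.amazonaws.com).` Please also confirm that `Scheduled Job Creation` is the intended MITRE data component, since a batch job is not a scheduled task in the sense that component normally covers.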
diff --git a/data_sources/aws_cloudtrail_modifydbinstance.yml b/data_sources/aws_cloudtrail_modifydbinstance.yml
index 813b021c40..156008b8c1 100644
--- a/data_sources/aws_cloudtrail_modifydbinstance.yml
+++ b/data_sources/aws_cloudtrail_modifydbinstance.yml
@@ -1,12 +1,18 @@
name: AWS CloudTrail ModifyDBInstance
id: bfa2912d-1a33-4b05-be46-543874d68241
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ModifyDBInstance
+description: Logs an event when a modification is made to an AWS database instance,
+ such as parameters or configurations.
+mitre_components:
+- Instance Modification
+- Cloud Service Modification
+- Instance Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: ModifyDBInstance
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_modifyimageattribute.yml b/data_sources/aws_cloudtrail_modifyimageattribute.yml
index e73a70ec35..ab8bb25d87 100644
--- a/data_sources/aws_cloudtrail_modifyimageattribute.yml
+++ b/data_sources/aws_cloudtrail_modifyimageattribute.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail ModifyImageAttribute
id: 667c2115-8082-419e-b541-8150066bda4d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ModifyImageAttribute
+description: Logs an event when the attributes of an Amazon Machine Image (AMI) are
+ modified.
+mitre_components:
+- Image Modification
+- Image Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: ModifyImageAttribute
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
index 373a15ede9..0dec70fdf0 100644
--- a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
+++ b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
@@ -1,12 +1,16 @@
name: AWS CloudTrail ModifySnapshotAttribute
id: 7e5aa947-3a0d-4ee5-b800-0c10b555da05
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ModifySnapshotAttribute
+description: Logs an event when modifications are made to the attributes of a snapshot
+ in AWS CloudTrail.
+mitre_components:
+- Snapshot Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: ModifySnapshotAttribute
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
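Review bot: The `description` says only that "attributes of a snapshot" are modified "in AWS CloudTrail", which names neither the resource nor why the event matters; ModifySnapshotAttribute is the EC2 API for EBS snapshots, and its security-relevant use is changing createVolumePermission to share a snapshot with another AWS account or publicly. Suggest `description: Logs an event when the attributes of an EBS snapshot are modified, notably createVolumePermission changes that share the snapshot with other AWS accounts or publicly.` The single `Snapshot Modification` component fits as written.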
diff --git a/data_sources/aws_cloudtrail_putbucketacl.yml b/data_sources/aws_cloudtrail_putbucketacl.yml
index 10765a8703..c531275617 100644
--- a/data_sources/aws_cloudtrail_putbucketacl.yml
+++ b/data_sources/aws_cloudtrail_putbucketacl.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail PutBucketAcl
id: 28fffbfd-d98d-4a42-990b-b04ab47422eb
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutBucketAcl
+description: Logs an event when an ACL is set or modified for an S3 bucket in AWS
+ CloudTrail.
+mitre_components:
+- Cloud Storage Modification
+- Cloud Storage Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: PutBucketAcl
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_putbucketlifecycle.yml b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
index c9d8491a16..aa74257621 100644
--- a/data_sources/aws_cloudtrail_putbucketlifecycle.yml
+++ b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail PutBucketLifecycle
id: 1c73e954-87b6-4bd7-ac6a-5db7c4082b22
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutBucketLifecycle
+description: Logs an event when a lifecycle configuration is added to an S3 bucket
+ in AWS CloudTrail.
+mitre_components:
+- Cloud Storage Modification
+- Cloud Storage Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: PutBucketLifecycle
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_putbucketreplication.yml b/data_sources/aws_cloudtrail_putbucketreplication.yml
index 50c9bb4051..0da2860b07 100644
--- a/data_sources/aws_cloudtrail_putbucketreplication.yml
+++ b/data_sources/aws_cloudtrail_putbucketreplication.yml
@@ -1,12 +1,16 @@
name: AWS CloudTrail PutBucketReplication
id: 0e1362eb-e592-419f-8fa5-556d3a122417
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutBucketReplication
+description: Logs an event when replication configurations are added or modified for
+ an S3 bucket.
+mitre_components:
+- Cloud Storage Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: PutBucketReplication
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_putbucketversioning.yml b/data_sources/aws_cloudtrail_putbucketversioning.yml
index 4d928ee0d2..a0b031cda4 100644
--- a/data_sources/aws_cloudtrail_putbucketversioning.yml
+++ b/data_sources/aws_cloudtrail_putbucketversioning.yml
@@ -1,12 +1,16 @@
name: AWS CloudTrail PutBucketVersioning
id: 17b2fc7d-c8ce-487c-8815-f9a65a09e980
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutBucketVersioning
+description: Logs an event when the bucket versioning state is modified in an AWS
+ S3 bucket.
+mitre_components:
+- Cloud Storage Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: PutBucketVersioning
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_putimage.yml b/data_sources/aws_cloudtrail_putimage.yml
index 707c03fcf6..f5ba052aa0 100644
--- a/data_sources/aws_cloudtrail_putimage.yml
+++ b/data_sources/aws_cloudtrail_putimage.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail PutImage
id: bb13f10d-0d8c-4fde-9136-b7cfd930e87c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutImage
+description: Logs an event when a container image is uploaded to a repository in AWS
+ CloudTrail.
+mitre_components:
+- Image Creation
+- Image Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: PutImage
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_putkeypolicy.yml b/data_sources/aws_cloudtrail_putkeypolicy.yml
index 9b2786fadb..597af6e6cb 100644
--- a/data_sources/aws_cloudtrail_putkeypolicy.yml
+++ b/data_sources/aws_cloudtrail_putkeypolicy.yml
@@ -1,9 +1,10 @@
name: AWS CloudTrail PutKeyPolicy
id: 9c54c86b-43b9-4bb8-915d-6838beb7f07c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail PutKeyPolicy
+description: Logs changes made to AWS Key Management Service (KMS) key policies, including
+ updates and permission assignments.
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
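Review bot: Unlike every other per-eventName data source in this change, this file does not gain `separator_value: PutKeyPolicy` below `separator: eventName`, so whatever consumes `separator`/`separator_value` to filter events will treat this source differently from its siblings. Add `separator_value: PutKeyPolicy` directly after `separator: eventName`. The new `mitre_components` block is also appended after `fields` in the later hunk of this file, whereas the sibling files place it immediately after `description`; moving it keeps the key order consistent across the directory and makes future diffs easier to read.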
@@ -94,6 +95,8 @@ fields:
- vendor_account
- vendor_product
- vendor_region
+mitre_components:
+- Cloud Service Modification
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
"AROAIJIESMXKGCJRCTPR6:pbareiss@splunk.local", "arn": "arn:aws:sts::111111111111:assumed-role/okta_adm_role/pbareiss@splunk.local",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLK74OPBDR", "sessionContext":
diff --git a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
index 4ce1405960..fb1752d56b 100644
--- a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
@@ -1,12 +1,16 @@
name: AWS CloudTrail ReplaceNetworkAclEntry
id: db0c240e-3754-40e4-86ef-cde018ee9f65
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ReplaceNetworkAclEntry
+description: Logs an event when a network ACL entry is replaced within the AWS CloudTrail.
+mitre_components:
+- Firewall Rule Modification
+- Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: ReplaceNetworkAclEntry
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
index 9797971379..b8e4d54281 100644
--- a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail SetDefaultPolicyVersion
id: 06e0b5a0-8d36-485e-befc-4ae79d77ef6c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail SetDefaultPolicyVersion
+description: Logs an event when the default version of a resource policy in AWS is
+ set or changed.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: SetDefaultPolicyVersion
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
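Review bot: The `description` calls the target a "resource policy", but SetDefaultPolicyVersion is an IAM API that selects which version of an IAM managed (identity-based) policy is in effect; resource policies such as bucket, key or trust policies are not versioned this way. Suggest `description: Logs an event when the default version of an IAM managed policy is changed, which immediately alters the effective permissions of every principal the policy is attached to.` That last clause is the reason detection content keys on this event — switching back to an older, broader version is a commonly cited privilege-escalation path — so it is worth stating in the data source itself.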
diff --git a/data_sources/aws_cloudtrail_stoplogging.yml b/data_sources/aws_cloudtrail_stoplogging.yml
index f285ce143e..00d6b018a9 100644
--- a/data_sources/aws_cloudtrail_stoplogging.yml
+++ b/data_sources/aws_cloudtrail_stoplogging.yml
@@ -1,12 +1,16 @@
name: AWS CloudTrail StopLogging
id: c5de7c54-4809-4659-bf9f-3bacf8bdfd35
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail StopLogging
+description: Logs an event when a cloud service in AWS, such as CloudTrail, is deactivated
+ or stopped.
+mitre_components:
+- Cloud Service Disable
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: StopLogging
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
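Review bot: The `description` generalizes StopLogging to "a cloud service in AWS, such as CloudTrail, is deactivated or stopped", but StopLogging is specifically the CloudTrail API that suspends recording of API calls for the named trail, and the wording should not suggest other services share this event name. Suggest `description: Logs an event when CloudTrail StopLogging is called, suspending the recording of AWS API calls for the specified trail; this is a common defense-evasion step that precedes further activity.` It may also be worth noting for consumers that activity after the call is only visible from another trail, if one exists, which is why the `Cloud Service Disable` mapping here carries more weight than the other components in this change.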
diff --git a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
index de90a002fe..9c9fee7893 100644
--- a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
@@ -1,12 +1,16 @@
name: AWS CloudTrail UpdateAccountPasswordPolicy
id: 35a8cc97-3600-40e1-a5d1-1c2ad5060be0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail UpdateAccountPasswordPolicy
+description: Logs an event when an AWS account's password policy is updated.
+mitre_components:
+- User Account Modification
+- Cloud Service Modification
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: UpdateAccountPasswordPolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_updateloginprofile.yml b/data_sources/aws_cloudtrail_updateloginprofile.yml
index 6978637a08..ee8d48a0d4 100644
--- a/data_sources/aws_cloudtrail_updateloginprofile.yml
+++ b/data_sources/aws_cloudtrail_updateloginprofile.yml
@@ -1,12 +1,16 @@
name: AWS CloudTrail UpdateLoginProfile
id: 1db79158-e5d3-4d35-9d3c-586e44e09f1c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail UpdateLoginProfile
+description: Logs an event when an IAM user's login profile is updated.
+mitre_components:
+- User Account Modification
+- User Account Authentication
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: UpdateLoginProfile
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudtrail_updatesamlprovider.yml b/data_sources/aws_cloudtrail_updatesamlprovider.yml
index 2f2cd5b188..55fb18209d 100644
--- a/data_sources/aws_cloudtrail_updatesamlprovider.yml
+++ b/data_sources/aws_cloudtrail_updatesamlprovider.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail UpdateSAMLProvider
id: e5eb628d-711e-499c-87d9-8fa5dee419ec
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail UpdateSAMLProvider
+description: Logs an event when a SAML provider is updated in AWS.
+mitre_components:
+- Cloud Service Modification
+- User Account Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: UpdateSAMLProvider
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
@@ -96,7 +101,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
"AROAYTOGP2RLKFUVAQAIJ:rodsoto@rodsoto.onmicrosoft.com", "arn": "arn:aws:sts::111111111111:assumed-role/rodonmicrotestrole/rodsoto@rodsoto.onmicrosoft.com",
"accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLMZGPIW6C", "sessionContext":
{"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLKFUVAQAIJ", "arn":
- "arn:aws:iam::111111111111:role/rodonmicrotestrole", "accountId": "111111111111",
+ "arn:aws:iam::111111111111:role/rodonmicrotestrole", "accountId" : "111111111111",
"userName": "rodonmicrotestrole"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated":
"false", "creationDate": "2021-01-20T03:10:32Z"}}}, "eventTime": "2021-01-20T03:12:39Z",
"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider", "awsRegion":
diff --git a/data_sources/aws_cloudtrail_updatetrail.yml b/data_sources/aws_cloudtrail_updatetrail.yml
index f22ec6b7ba..33813ccfec 100644
--- a/data_sources/aws_cloudtrail_updatetrail.yml
+++ b/data_sources/aws_cloudtrail_updatetrail.yml
@@ -1,12 +1,17 @@
name: AWS CloudTrail UpdateTrail
id: d5b7a1eb-711a-4c96-aa93-235fe3c8a939
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail UpdateTrail
+description: Logs an event when an AWS CloudTrail trail is updated, typically involving
+ changes to settings or configuration.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
+separator_value: UpdateTrail
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
diff --git a/data_sources/aws_cloudwatchlogs_vpcflow.yml b/data_sources/aws_cloudwatchlogs_vpcflow.yml
index b20242046f..535431134a 100644
--- a/data_sources/aws_cloudwatchlogs_vpcflow.yml
+++ b/data_sources/aws_cloudwatchlogs_vpcflow.yml
@@ -1,12 +1,16 @@
name: AWS CloudWatchLogs VPCflow
id: 38a34fc4-e128-4478-a8f4-7835d51d5135
-version: 1
+version: 2
author: Bhavin Patel, Splunk
-date: '2024-07-18'
-description: Data source object for AWS CloudWatchLogs VPCflow
+date: '2025-01-23'
+description: Logs an event when network traffic flow information such as source and
+ destination IPs, ports, protocol, and action (allow/deny) is captured for VPC in
+ AWS.
+mitre_components:
+- Network Traffic Flow
+- Network Connection Creation
source: aws_cloudwatchlogs_vpcflow
sourcetype: aws:cloudwatchlogs:vpcflow
-separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
version: 7.9.0
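Review bot: The new `Network Connection Creation` component overstates what the default VPC flow log format provides: a flow record aggregates packets over the capture window and, as I understand the default format, carries no TCP flags, so connection establishment is only distinguishable when a custom format including the tcp-flags field is enabled. Either drop that component or qualify it in the `description`, e.g. append `Connection establishment is only identifiable when the flow log uses a custom format that includes tcp-flags.` Removing `separator: eventName` is correct here since flow records have no eventName field, though the `mitre_components` comment above only applies if the repo's consumers treat data components as claims about field availability.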
diff --git a/data_sources/aws_security_hub.yml b/data_sources/aws_security_hub.yml
index 5d4d52b2e7..c5ff1ade29 100644
--- a/data_sources/aws_security_hub.yml
+++ b/data_sources/aws_security_hub.yml
@@ -1,9 +1,15 @@
name: AWS Security Hub
id: b02bfbf3-294f-478e-99a1-e24b8c692d7e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for AWS Security Hub
+description: Logs an event when AWS Security Hub identifies potential security risks
+ or deviations from configured best practices across AWS accounts.
+mitre_components:
+- Cloud Service Metadata
+- Cloud Service Enumeration
+- Cloud Service Modification
+- Cloud Service Disable
source: aws_securityhub_finding
sourcetype: aws:securityhub:finding
supported_TA:
diff --git a/data_sources/azure_active_directory.yml b/data_sources/azure_active_directory.yml
index 5acf9c76b5..20f8362da1 100644
--- a/data_sources/azure_active_directory.yml
+++ b/data_sources/azure_active_directory.yml
@@ -3,7 +3,7 @@ id: 51ca21e5-bda2-4652-bb29-27c7bc18a81c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory
+description: All Azure Active Directory events
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
diff --git a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
index 9db213655d..034f25fb98 100644
--- a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
+++ b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
@@ -1,13 +1,20 @@
name: Azure Active Directory Add app role assignment to service principal
id: 8b2e84cd-6db0-47e9-badc-75c17df1995f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Add app role assignment
- to service principal
+description: Logs the addition of an application role assignment to a service principal
+ in Azure Active Directory, including details about the role, service principal,
+ and the user or process performing the action.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Add app role assignment to service principal
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_add_member_to_role.yml b/data_sources/azure_active_directory_add_member_to_role.yml
index c62d91a8c2..579bd563b7 100644
--- a/data_sources/azure_active_directory_add_member_to_role.yml
+++ b/data_sources/azure_active_directory_add_member_to_role.yml
@@ -1,12 +1,20 @@
name: Azure Active Directory Add member to role
id: 1660d196-127f-4678-81b2-472d51711b07
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Add member to role
+description: Logs the addition of a member to a directory role in Azure Active Directory,
+ including details about the role, the member added, and the user or process performing
+ the action.
+mitre_components:
+- Group Modification
+- Group Metadata
+- User Account Metadata
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Add member to role
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_add_owner_to_application.yml b/data_sources/azure_active_directory_add_owner_to_application.yml
index 6e3b00d39a..fb97560390 100644
--- a/data_sources/azure_active_directory_add_owner_to_application.yml
+++ b/data_sources/azure_active_directory_add_owner_to_application.yml
@@ -1,12 +1,20 @@
name: Azure Active Directory Add owner to application
id: e895ed56-7be4-4b3a-b782-ecd0f594ec4c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Add owner to application
+description: Logs the addition of an owner to an application in Azure Active Directory,
+ including details about the application, the owner added, and the user or process
+ performing the action.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Add owner to application
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_add_service_principal.yml b/data_sources/azure_active_directory_add_service_principal.yml
index 798a1dd0c9..c3d937cb44 100644
--- a/data_sources/azure_active_directory_add_service_principal.yml
+++ b/data_sources/azure_active_directory_add_service_principal.yml
@@ -1,12 +1,20 @@
name: Azure Active Directory Add service principal
id: fd89d337-e4c0-4162-ad13-bca36f096fe6
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Add service principal
+description: Logs the creation of a new service principal in Azure Active Directory,
+ including details about the service principal, associated application, and the user
+ or process performing the action.
+mitre_components:
+- Cloud Service Creation
+- Cloud Service Metadata
+- User Account Metadata
+- Active Directory Object Creation
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Add service principal
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_add_unverified_domain.yml b/data_sources/azure_active_directory_add_unverified_domain.yml
index 2cb8e93738..01badc54df 100644
--- a/data_sources/azure_active_directory_add_unverified_domain.yml
+++ b/data_sources/azure_active_directory_add_unverified_domain.yml
@@ -1,12 +1,19 @@
name: Azure Active Directory Add unverified domain
id: d4c01fb1-3b88-46d3-bd12-9b9e256450f7
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Add unverified domain
+description: Logs the addition of an unverified domain to Azure Active Directory,
+ including details about the domain name and the user or process performing the action.
+mitre_components:
+- Domain Registration
+- Cloud Service Modification
+- Cloud Service Metadata
+- Configuration Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Add unverified domain
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_consent_to_application.yml b/data_sources/azure_active_directory_consent_to_application.yml
index 9464b69c7a..4bc104a119 100644
--- a/data_sources/azure_active_directory_consent_to_application.yml
+++ b/data_sources/azure_active_directory_consent_to_application.yml
@@ -1,12 +1,20 @@
name: Azure Active Directory Consent to application
id: 4c5d6c49-53e3-4980-a4de-c63e26291ed0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Consent to application
+description: Logs user or admin consent to an application's permissions in Azure Active
+ Directory, including details about the application, granted permissions, and the
+ consenting user or process.
+mitre_components:
+- User Account Modification
+- Cloud Service Modification
+- Cloud Service Metadata
+- Configuration Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Consent to application
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_disable_strong_authentication.yml b/data_sources/azure_active_directory_disable_strong_authentication.yml
index 2b1fd79f79..72d6e69e4c 100644
--- a/data_sources/azure_active_directory_disable_strong_authentication.yml
+++ b/data_sources/azure_active_directory_disable_strong_authentication.yml
@@ -1,12 +1,18 @@
name: Azure Active Directory Disable Strong Authentication
id: 8f31966d-c496-496d-8837-f7fd11f31255
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Disable Strong Authentication
+description: Logs an event when strong authentication methods are disabled in Azure
+ Active Directory.
+mitre_components:
+- User Account Authentication
+- User Account Modification
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Disable Strong Authentication
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_enable_account.yml b/data_sources/azure_active_directory_enable_account.yml
index 710007e9f8..5d5105fbcb 100644
--- a/data_sources/azure_active_directory_enable_account.yml
+++ b/data_sources/azure_active_directory_enable_account.yml
@@ -1,12 +1,17 @@
name: Azure Active Directory Enable account
id: cb49f3cd-04ad-415c-a5ed-9b27b2829fa7
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Enable account
+description: Logs an event when an Azure Active Directory account is enabled.
+mitre_components:
+- User Account Modification
+- User Account Authentication
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Enable account
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_invite_external_user.yml b/data_sources/azure_active_directory_invite_external_user.yml
index ebb0a4dea9..a7f115be50 100644
--- a/data_sources/azure_active_directory_invite_external_user.yml
+++ b/data_sources/azure_active_directory_invite_external_user.yml
@@ -1,12 +1,18 @@
name: Azure Active Directory Invite external user
id: d3818bd5-f283-4518-8b67-df19240c3e40
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Invite external user
+description: Logs an event when an external user is invited to join an Azure Active
+ Directory tenant.
+mitre_components:
+- Active Directory Object Creation
+- User Account Creation
+- User Account Authentication
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Invite external user
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_reset_password_(by_admin).yml b/data_sources/azure_active_directory_reset_password_(by_admin).yml
index 1247baa3b5..9e2eacf0f5 100644
--- a/data_sources/azure_active_directory_reset_password_(by_admin).yml
+++ b/data_sources/azure_active_directory_reset_password_(by_admin).yml
@@ -1,12 +1,18 @@
name: Azure Active Directory Reset password (by admin)
id: dcd0e4dc-68f8-4b77-a66f-89c57b3afa6b
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Reset password (by admin)
+description: Logs an event when an admin resets a user's password in Azure Active
+ Directory.
+mitre_components:
+- User Account Authentication
+- User Account Modification
+- Active Directory Object Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Reset password (by admin)
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_set_domain_authentication.yml b/data_sources/azure_active_directory_set_domain_authentication.yml
index 07fbd4945f..939da08d9f 100644
--- a/data_sources/azure_active_directory_set_domain_authentication.yml
+++ b/data_sources/azure_active_directory_set_domain_authentication.yml
@@ -1,12 +1,18 @@
name: Azure Active Directory Set domain authentication
id: e7bcdab9-908c-40ab-ba38-5db54fa87750
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Set domain authentication
+description: Logs an event when the authentication method for a domain in Azure Active
+ Directory is set or modified.
+mitre_components:
+- Active Directory Object Modification
+- User Account Authentication
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Set domain authentication
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_sign_in_activity.yml b/data_sources/azure_active_directory_sign_in_activity.yml
index 71e28dc986..4b8e5c152f 100644
--- a/data_sources/azure_active_directory_sign_in_activity.yml
+++ b/data_sources/azure_active_directory_sign_in_activity.yml
@@ -1,12 +1,18 @@
name: Azure Active Directory Sign-in activity
id: f9ed0a3a-9e20-4198-a035-d0a29593fbe0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Sign-in activity
+description: Logs an event when a user attempts to sign into Azure Active Directory,
+ capturing authentication details and outcomes.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Sign-in activity
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_update_application.yml b/data_sources/azure_active_directory_update_application.yml
index 821d432ecf..e82edafcca 100644
--- a/data_sources/azure_active_directory_update_application.yml
+++ b/data_sources/azure_active_directory_update_application.yml
@@ -1,12 +1,18 @@
name: Azure Active Directory Update application
id: 2c08188a-ba25-496e-87c7-803cf28b6c90
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Update application
+description: Logs an event when an application in Azure Active Directory is updated,
+ such as changes to its settings or permissions.
+mitre_components:
+- Service Modification
+- User Account Modification
+- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Update application
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
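Review bot: `Service Modification` on line 1862 is a host-level (operating-system service) data component, while the cloud-side equivalent `Cloud Service Modification` is already listed on line 1864 for the same Azure AD application update. The first entry looks like a mis-tagging; unless this source is meant to feed detections on OS service changes, dropping `- Service Modification` keeps the component mapping accurate. This matters for any tooling that resolves detections to data sources by component name.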
diff --git a/data_sources/azure_active_directory_update_authorization_policy.yml b/data_sources/azure_active_directory_update_authorization_policy.yml
index 6d43b471e6..54dd3ca2a9 100644
--- a/data_sources/azure_active_directory_update_authorization_policy.yml
+++ b/data_sources/azure_active_directory_update_authorization_policy.yml
@@ -1,12 +1,18 @@
name: Azure Active Directory Update authorization policy
id: c5b7ffcd-73d8-4fe5-afd8-b1218d715c0c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Update authorization policy
+description: Logs an event when an authorization policy is updated in Azure Active
+ Directory.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Active Directory Object Modification
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Update authorization policy
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_update_user.yml b/data_sources/azure_active_directory_update_user.yml
index 4efa2a3816..26951a9695 100644
--- a/data_sources/azure_active_directory_update_user.yml
+++ b/data_sources/azure_active_directory_update_user.yml
@@ -1,12 +1,16 @@
name: Azure Active Directory Update user
id: 5495c90a-047c-4b8e-b2fe-1db6282d3872
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory Update user
+description: Logs an event when a user account is updated in Azure Active Directory.
+mitre_components:
+- User Account Modification
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: Update user
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_active_directory_user_registered_security_info.yml b/data_sources/azure_active_directory_user_registered_security_info.yml
index f7bef825fe..3a2ba69d86 100644
--- a/data_sources/azure_active_directory_user_registered_security_info.yml
+++ b/data_sources/azure_active_directory_user_registered_security_info.yml
@@ -1,13 +1,17 @@
name: Azure Active Directory User registered security info
id: b63240de-8a01-4ba8-8987-89d18d4b375d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Active Directory User registered security
- info
+description: Logs an event when a user registers or updates their security information
+ in Azure Active Directory.
+mitre_components:
+- User Account Modification
+- User Account Metadata
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
+separator_value: User registered security info
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
index 8e30686b23..65f6f7e767 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
@@ -1,13 +1,17 @@
name: Azure Audit Create or Update an Azure Automation account
id: 2ab182e7-feda-4249-9418-32710b55a885
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Audit Create or Update an Azure Automation
- account
+description: Logs an event when an Azure Automation account is created or updated.
+mitre_components:
+- Cloud Service Creation
+- Cloud Service Modification
+- Cloud Service Metadata
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
+separator_value: Create or Update an Azure Automation account
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
index 024427c038..f9de2d68b5 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
@@ -1,13 +1,17 @@
name: Azure Audit Create or Update an Azure Automation Runbook
id: 2bd83221-7a8b-436f-9b2b-efa1d44d009e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Audit Create or Update an Azure Automation
- Runbook
+description: Logs an event when a new Azure Automation Runbook is created or an existing
+ one is updated.
+mitre_components:
+- Scheduled Job Modification
+- Scheduled Job Creation
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
+separator_value: Create or Update an Azure Automation Runbook
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
index 35fccd817e..6668b0a88d 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
@@ -1,13 +1,17 @@
name: Azure Audit Create or Update an Azure Automation webhook
id: 575faeb2-09d0-4849-b1f6-eae241f26ff2
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Azure Audit Create or Update an Azure Automation
- webhook
+description: Logs an event when a webhook is created or updated in Azure Automation.
+mitre_components:
+- Scheduled Job Modification
+- Cloud Service Modification
+- Scheduled Job Metadata
source: mscs:azure:audit
sourcetype: mscs:azure:audit
separator: operationName.localizedValue
+separator_value: Create or Update an Azure Automation webhook
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
diff --git a/data_sources/bro.yml b/data_sources/bro.yml
deleted file mode 100644
index 72d2cd5415..0000000000
--- a/data_sources/bro.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-name: Bro
-id: c5d9612b-0ffd-44d3-8247-3cf3486ec5e2
-version: 1
-date: '2024-07-18'
-author: Patrick Bareiss, Splunk
-description: Data source object for Bro
-source: bro:http:json
-sourcetype: bro:http:json
-supported_TA: []
diff --git a/data_sources/bro_conn.yml b/data_sources/bro_conn.yml
new file mode 100644
index 0000000000..1d8e4110c3
--- /dev/null
+++ b/data_sources/bro_conn.yml
@@ -0,0 +1,15 @@
+name: Bro conn
+id: c5a7e93b-2172-45a7-a7e9-3b217255a7f5
+version: 2
+date: '2025-01-23'
+author: Jacob Delgado, SnapAttack
+description: Logs network connection metadata captured by Zeek (formerly Bro), including
+ details such as source and destination IPs, ports, connection state, and protocol.
+mitre_components:
+- Network Connection Creation
+- Network Traffic Flow
+- Response Metadata
+- Application Log Content
+source: bro:conn:json
+sourcetype: bro:conn:json
+supported_TA: []
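Review bot: bro_conn.yml is a brand-new file (old side `/dev/null`) yet starts at `version: 2` on line 2049; the same applies to bro_dns, bro_files, bro_loaded_scripts, bro_ntp, bro_ocsp, bro_ssl, bro_weird and bro_x509, while bro_http reuses the deleted bro.yml's id and moves to `version: 3`. Unless the repository's convention is that objects created in this revision cycle start at 2, new objects should begin at `version: 1` so the version history reflects actual edits. The new ids also repeat substrings of themselves (`c5a7e93b-2172-45a7-a7e9-3b2172…`, `a4576cbf-06cc-4ed0-976c-bf06cc…`), which suggests they were not produced by a random UUID generator; it is worth confirming that the build validates id uniqueness across `data_sources/` before merging.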
diff --git a/data_sources/bro_dns.yml b/data_sources/bro_dns.yml
new file mode 100644
index 0000000000..b4deae7a6c
--- /dev/null
+++ b/data_sources/bro_dns.yml
@@ -0,0 +1,16 @@
+name: Bro dns
+id: a4576cbf-06cc-4ed0-976c-bf06ccaed011
+version: 2
+date: '2025-01-23'
+author: Jacob Delgado, SnapAttack
+description: Logs DNS queries and responses captured by Zeek (formerly Bro), including
+ details such as queried domains, resolved IPs, query types, and response codes.
+mitre_components:
+- Active DNS
+- Passive DNS
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+source: bro:dns:json
+sourcetype: bro:dns:json
+supported_TA: []
diff --git a/data_sources/bro_files.yml b/data_sources/bro_files.yml
new file mode 100644
index 0000000000..20121d2067
--- /dev/null
+++ b/data_sources/bro_files.yml
@@ -0,0 +1,17 @@
+name: Bro files
+id: f72d34d0-3495-4826-ad34-d03495782633
+version: 2
+date: '2025-01-23'
+author: Jacob Delgado, SnapAttack
+description: Logs metadata about files transferred over the network captured by Zeek
+ (formerly Bro), including details such as file names, hashes, MIME types, and transfer
+ protocols.
+mitre_components:
+- File Metadata
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+- Application Log Content
+source: bro:files:json
+sourcetype: bro:files:json
+supported_TA: []
diff --git a/data_sources/bro_http.yml b/data_sources/bro_http.yml
new file mode 100644
index 0000000000..e8e25150dc
--- /dev/null
+++ b/data_sources/bro_http.yml
@@ -0,0 +1,16 @@
+name: Bro http
+id: c5d9612b-0ffd-44d3-8247-3cf3486ec5e2
+version: 3
+date: '2025-01-23'
+author: Patrick Bareiss, Splunk
+description: Logs HTTP traffic analyzed by Zeek (formerly Bro), including details
+ such as request methods, URLs, user agents, response codes, and headers.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Response Content
+- Response Metadata
+- Application Log Content
+source: bro:http:json
+sourcetype: bro:http:json
+supported_TA: []
diff --git a/data_sources/bro_loaded_scripts.yml b/data_sources/bro_loaded_scripts.yml
new file mode 100644
index 0000000000..2b9669bac3
--- /dev/null
+++ b/data_sources/bro_loaded_scripts.yml
@@ -0,0 +1,15 @@
+name: Bro loaded_scripts
+id: 81e08a21-a735-42b1-a08a-21a73582b1bf
+version: 2
+date: '2025-01-23'
+author: Jacob Delgado, SnapAttack
+description: Logs details about the scripts loaded by Zeek (formerly Bro) during initialization,
+ including script names and paths.
+mitre_components:
+- Application Log Content
+- Configuration Modification
+- Script Execution
+- OS API Execution
+source: bro:loaded_scripts:json
+sourcetype: bro:loaded_scripts:json
+supported_TA: []
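Review bot: The `Script Execution` and `OS API Execution` components on lines 2145-2146 do not match what this log carries: per the description on lines 2140-2141, loaded_scripts records which Zeek policy scripts were loaded at sensor startup, i.e. sensor configuration, not script or API activity on monitored hosts. A detection engineer mapping those components to this source would get no telemetry for them. Presumably `Application Log Content` and `Configuration Modification` alone describe the data; confirm and trim the list.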
diff --git a/data_sources/bro_ntp.yml b/data_sources/bro_ntp.yml
new file mode 100644
index 0000000000..727dfc5bfa
--- /dev/null
+++ b/data_sources/bro_ntp.yml
@@ -0,0 +1,15 @@
+name: Bro ntp
+id: 3f64a544-47a4-4958-a4a5-4447a47958df
+version: 2
+date: '2025-01-23'
+author: Jacob Delgado, SnapAttack
+description: Logs Network Time Protocol (NTP) activity captured by Zeek (formerly
+ Bro), including details such as NTP requests, responses, and server metadata.
+mitre_components:
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+source: bro:ntp:json
+sourcetype: bro:ntp:json
+supported_TA: []
diff --git a/data_sources/bro_ocsp.yml b/data_sources/bro_ocsp.yml
new file mode 100644
index 0000000000..316e75d352
--- /dev/null
+++ b/data_sources/bro_ocsp.yml
@@ -0,0 +1,16 @@
+name: Bro ocsp
+id: d20909ab-70be-409a-8909-ab70be609af1
+version: 2
+date: '2025-01-23'
+author: Jacob Delgado, SnapAttack
+description: Logs Online Certificate Status Protocol (OCSP) activity captured by Zeek
+ (formerly Bro), including details such as certificate validation requests and responses.
+mitre_components:
+- Certificate Registration
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+source: bro:ocsp:json
+sourcetype: bro:ocsp:json
+supported_TA: []
diff --git a/data_sources/bro_ssl.yml b/data_sources/bro_ssl.yml
new file mode 100644
index 0000000000..b138786a0f
--- /dev/null
+++ b/data_sources/bro_ssl.yml
@@ -0,0 +1,16 @@
+name: Bro ssl
+id: 22c637eb-f62e-41f0-8637-ebf62e11f0a8
+version: 2
+date: '2025-01-23'
+author: Jacob Delgado, SnapAttack
+description: Logs SSL/TLS handshake and session details captured by Zeek (formerly
+ Bro), including certificates, cipher suites, and session information.
+mitre_components:
+- Certificate Registration
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+source: bro:ssl:json
+sourcetype: bro:ssl:json
+supported_TA: []
diff --git a/data_sources/bro_weird.yml b/data_sources/bro_weird.yml
new file mode 100644
index 0000000000..4d46c68d74
--- /dev/null
+++ b/data_sources/bro_weird.yml
@@ -0,0 +1,16 @@
+name: Bro weird
+id: e03762c5-c4b8-44e3-b762-c5c4b8e4e3b6
+version: 2
+date: '2025-01-23'
+author: Jacob Delgado, SnapAttack
+description: Logs anomalous or unexpected network behaviors identified by Zeek (formerly
+ Bro), including protocol violations and unusual traffic patterns.
+mitre_components:
+- Network Traffic Flow
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+- Host Status
+source: bro:weird:json
+sourcetype: bro:weird:json
+supported_TA: []
diff --git a/data_sources/bro_x509.yml b/data_sources/bro_x509.yml
new file mode 100644
index 0000000000..3f23109ebd
--- /dev/null
+++ b/data_sources/bro_x509.yml
@@ -0,0 +1,16 @@
+name: Bro x509
+id: e8792367-64b0-47e9-b923-6764b0f7e936
+version: 2
+date: '2025-01-23'
+author: Jacob Delgado, SnapAttack
+description: Logs details about X.509 certificates observed in network traffic captured
+ by Zeek (formerly Bro), including certificate fields, validity periods, and issuers.
+mitre_components:
+- Certificate Registration
+- Network Traffic Content
+- Response Metadata
+- Application Log Content
+- Host Status
+source: bro:x509:json
+sourcetype: bro:x509:json
+supported_TA: []
diff --git a/data_sources/circleci.yml b/data_sources/circleci.yml
index 9dfcb06b20..dc231daca7 100644
--- a/data_sources/circleci.yml
+++ b/data_sources/circleci.yml
@@ -1,9 +1,16 @@
name: CircleCI
id: 34ad06fc-a296-4ab5-8315-2f07714948e3
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for CircleCI
+description: Logs activities related to CI/CD pipelines executed in CircleCI, including
+ job execution, workflow progress, and configuration changes.
+mitre_components:
+- Scheduled Job Execution
+- Scheduled Job Metadata
+- Application Log Content
+- Configuration Modification
+- Host Status
source: circleci
sourcetype: circleci
supported_TA:
diff --git a/data_sources/crowdstrike_processrollup2.yml b/data_sources/crowdstrike_processrollup2.yml
index 83b05821b9..a038a6273f 100644
--- a/data_sources/crowdstrike_processrollup2.yml
+++ b/data_sources/crowdstrike_processrollup2.yml
@@ -1,12 +1,21 @@
name: CrowdStrike ProcessRollup2
id: cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for CrowdStrike ProcessRollup2
+description: Logs process-related activities captured by CrowdStrike, including process
+ creation, termination, and metadata such as hashes, parent processes, and command-line
+ arguments.
+mitre_components:
+- Process Creation
+- Process Termination
+- Process Metadata
+- Command Execution
+- OS API Execution
source: crowdstrike
sourcetype: crowdstrike:events:sensor
separator: event_simpleName
+separator_value: ProcessRollup2
supported_TA:
- name: Splunk Add-on for CrowdStrike FDR
url: https://splunkbase.splunk.com/app/5579
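Review bot: The new description on lines 2296-2298 and the `Process Termination` component on line 2301 claim termination coverage, but the source is filtered to `separator_value: ProcessRollup2` (line 2308), which as far as I know is CrowdStrike's process-execution event; termination is reported under a different `event_simpleName` and would not appear in this data source. Unless the FDR schema has changed, the description should stop at creation and metadata and `- Process Termination` should be dropped, otherwise detections relying on that component will silently map to data that never arrives.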
diff --git a/data_sources/crushftp.yml b/data_sources/crushftp.yml
index 7c3f19a528..597fda30f8 100644
--- a/data_sources/crushftp.yml
+++ b/data_sources/crushftp.yml
@@ -1,9 +1,16 @@
name: CrushFTP
id: 8a42ace5-e4c8-4653-80cf-1b8e7e6024ef
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for CrushFTP
+description: Logs activities related to file transfers and user interactions in CrushFTP,
+ including file uploads, downloads, user authentication, and session details.
+mitre_components:
+- File Access
+- File Metadata
+- User Account Authentication
+- Logon Session Metadata
+- Network Traffic Content
source: crushftp
sourcetype: crushftp:sessionlogs
supported_TA: []
diff --git a/data_sources/g_suite_drive.yml b/data_sources/g_suite_drive.yml
index 0b3b02e79e..dac656446b 100644
--- a/data_sources/g_suite_drive.yml
+++ b/data_sources/g_suite_drive.yml
@@ -1,9 +1,16 @@
name: G Suite Drive
id: 5f79120f-a235-4468-bd0d-55203758ac22
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for G Suite Drive
+description: Logs activities related to Google Drive in G Suite, including file creation,
+ modification, sharing, and access details.
+mitre_components:
+- File Access
+- File Creation
+- File Modification
+- Cloud Storage Access
+- Cloud Storage Metadata
source: http:gsuite
sourcetype: gsuite:drive:json
supported_TA:
diff --git a/data_sources/g_suite_gmail.yml b/data_sources/g_suite_gmail.yml
index 7f628c7174..1d698151df 100644
--- a/data_sources/g_suite_gmail.yml
+++ b/data_sources/g_suite_gmail.yml
@@ -1,9 +1,15 @@
name: G Suite Gmail
id: 706c3978-41de-406b-b6e0-75bd01e12a5d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for G Suite Gmail
+description: Logs Gmail activities in G Suite, including email sending, receiving,
+ and access details, as well as potential security-related events.
+mitre_components:
+- Application Log Content
+- User Account Metadata
+- Email Metadata
+- Cloud Service Metadata
source: http:gsuite
sourcetype: gsuite:gmail:bigquery
supported_TA:
diff --git a/data_sources/github.yml b/data_sources/github.yml
index 2c5c88084d..eaeabb40ed 100644
--- a/data_sources/github.yml
+++ b/data_sources/github.yml
@@ -1,9 +1,16 @@
name: GitHub
id: 88aa4632-3c3e-43f6-a00a-998d71f558e3
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for GitHub
+description: Logs activities on GitHub repositories, including push events, pull requests,
+ issue creation, and user authentication events.
+mitre_components:
+- User Account Authentication
+- Configuration Modification
+- Application Log Content
+- User Account Metadata
+- Scheduled Job Metadata
source: github
sourcetype: aws:firehose:json
supported_TA:
diff --git a/data_sources/google_workspace_login_failure.yml b/data_sources/google_workspace_login_failure.yml
index 11f79d2ad5..702959eef7 100644
--- a/data_sources/google_workspace_login_failure.yml
+++ b/data_sources/google_workspace_login_failure.yml
@@ -1,12 +1,19 @@
name: Google Workspace login_failure
id: cabec7cf-4008-4899-b47e-39c34a9a1255
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Google Workspace login_failure
+description: Logs failed login attempts to Google Workspace accounts, including details
+ about the user, IP address, and reason for failure.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: gws:reports:admin
sourcetype: gws:reports:admin
separator: event.name
+separator_value: login_failure
supported_TA:
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
diff --git a/data_sources/google_workspace_login_success.yml b/data_sources/google_workspace_login_success.yml
index 4a2bd0308c..3ad47e3299 100644
--- a/data_sources/google_workspace_login_success.yml
+++ b/data_sources/google_workspace_login_success.yml
@@ -1,12 +1,19 @@
name: Google Workspace login_success
id: bffe8013-9cdf-4fe6-9c1b-6784391a4951
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Google Workspace login_success
+description: Logs successful login attempts to Google Workspace accounts, including
+ details about the user, IP address, and session metadata.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Logon Session Metadata
source: gws:reports:admin
sourcetype: gws:reports:admin
separator: event.name
+separator_value: login_success
supported_TA:
- name: Splunk Add-on for Google Workspace
url: https://splunkbase.splunk.com/app/5556
diff --git a/data_sources/ivanti_vtm_audit.yml b/data_sources/ivanti_vtm_audit.yml
index 0bdb54223a..31e1bdc95e 100644
--- a/data_sources/ivanti_vtm_audit.yml
+++ b/data_sources/ivanti_vtm_audit.yml
@@ -1,9 +1,16 @@
name: Ivanti VTM Audit
id: b04be6e5-2002-4a49-8722-52285635b8f5
-version: 1
-date: '2024-08-19'
+version: 2
+date: '2025-01-23'
author: Michael Haag, Splunk
-description: Data source object for Ivanti Virtual Traffic Manager (vTM)
+description: Logs administrative and operational activities in Ivanti Virtual Traffic
+ Manager (VTM), including configuration changes, user actions, and system events.
+mitre_components:
+- Configuration Modification
+- Application Log Content
+- User Account Metadata
+- Host Status
+- Service Modification
source: ivanti_vtm
sourcetype: ivanti_vtm_audit
supported_TA: []
@@ -16,4 +23,5 @@ fields:
- AUTH
- USER
- GROUP
-example_log: '[19/Aug/2024:19:41:22 +0000] USER=!!ABSENT!! GROUP=!!ABSENT!! AUTH=!!ABSENT!! IP=!!ABSENT!! OPERATION=adduser MODUSER=newadmin MODGROUP=admin'
+example_log: '[19/Aug/2024:19:41:22 +0000] USER=!!ABSENT!! GROUP=!!ABSENT!! AUTH=!!ABSENT!!
+ IP=!!ABSENT!! OPERATION=adduser MODUSER=newadmin MODGROUP=admin'
diff --git a/data_sources/kubernetes_audit.yml b/data_sources/kubernetes_audit.yml
index 9ca3815448..7553357ea4 100644
--- a/data_sources/kubernetes_audit.yml
+++ b/data_sources/kubernetes_audit.yml
@@ -1,9 +1,17 @@
name: Kubernetes Audit
id: 6c25181a-0c07-4aaf-90e6-77ab1f0e6699
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Kubernetes Audit
+description: Logs activities within a Kubernetes cluster, including API server requests,
+ resource access, configuration changes, and user authentication events.
+mitre_components:
+- Pod Metadata
+- Pod Modification
+- Cluster Metadata
+- User Account Authentication
+- Configuration Modification
+- Application Log Content
source: kubernetes
sourcetype: _json
supported_TA: []
diff --git a/data_sources/kubernetes_falco.yml b/data_sources/kubernetes_falco.yml
index 568d4be771..f5f7cf1762 100644
--- a/data_sources/kubernetes_falco.yml
+++ b/data_sources/kubernetes_falco.yml
@@ -1,9 +1,17 @@
name: Kubernetes Falco
id: 23c0eeed-840a-4711-a41b-6819c1ffbba5
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Kubernetes Falco
+description: Logs suspicious or anomalous activities within a Kubernetes environment
+ detected by Falco, including system calls, file access, and network activity.
+mitre_components:
+- File Access
+- Network Traffic Content
+- Process Creation
+- Process Modification
+- Application Log Content
+- Host Status
source: kubernetes
sourcetype: kube:container:falco
supported_TA: []
diff --git a/data_sources/linux_auditd_add_user.yml b/data_sources/linux_auditd_add_user.yml
index c1d4736a2e..4fce4de435 100644
--- a/data_sources/linux_auditd_add_user.yml
+++ b/data_sources/linux_auditd_add_user.yml
@@ -1,11 +1,20 @@
name: Linux Auditd Add User
id: 30f79353-e1d2-4585-8735-1e0359559f3f
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Add User Type
+description: Logs activities related to the addition of a new user account on a Linux
+ system, including details about the username, UID, and the process initiating the
+ action.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- OS API Execution
+- Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
+separator: type
+separator_value: ADD_USER
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- name: Splunk Add-on for Unix and Linux
@@ -30,4 +39,6 @@ fields:
- UID
- AUID
- ID
-example_log: 'type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000 ses=1 subj=unconfined msg=''op=adding user id=1002 exe="/usr/sbin/useradd" hostname=ar-linux1 addr=? terminal=pts/1 res=success''UID="root" AUID="ubuntu" ID="unknown(1002)"'
+example_log: 'type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000
+ ses=1 subj=unconfined msg=''op=adding user id=1002 exe="/usr/sbin/useradd" hostname=ar-linux1
+ addr=? terminal=pts/1 res=success''UID="root" AUID="ubuntu" ID="unknown(1002)"'
diff --git a/data_sources/linux_auditd_execve.yml b/data_sources/linux_auditd_execve.yml
index 0752725a0f..c9f6bac6aa 100644
--- a/data_sources/linux_auditd_execve.yml
+++ b/data_sources/linux_auditd_execve.yml
@@ -1,11 +1,20 @@
name: Linux Auditd Execve
id: 9ef6364d-cc67-480e-8448-3306829a6a24
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Execve Type
+description: Logs the execution of processes on a Linux system, including details
+ about the executed command, arguments, and the initiating process.
+mitre_components:
+- Command Execution
+- Process Creation
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
+separator: type
+separator_value: EXECVE
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- name: Splunk Add-on for Unix and Linux
@@ -16,4 +25,5 @@ fields:
- type
- msg
- argc
-example_log: 'type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so" a2="./prog"'
+example_log: 'type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so"
+ a2="./prog"'
diff --git a/data_sources/linux_auditd_path.yml b/data_sources/linux_auditd_path.yml
index 03703ad47b..27ecc36cab 100644
--- a/data_sources/linux_auditd_path.yml
+++ b/data_sources/linux_auditd_path.yml
@@ -1,11 +1,20 @@
name: Linux Auditd Path
id: 3d86125c-0496-4a5a-aae3-0d355a4f3d7d
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Path Type
+description: Logs file system access events on a Linux system, including details about
+ file paths, permissions, and associated processes.
+mitre_components:
+- File Access
+- File Metadata
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: /var/log/audit/audit.log
sourcetype: linux:audit
+separator: type
+separator_value: PATH
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- name: Splunk Add-on for Unix and Linux
@@ -30,4 +39,6 @@ fields:
- cap_frootid
- OUID
- OGID
-example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~" inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"'
+example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~"
+ inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0
+ cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"'
diff --git a/data_sources/linux_auditd_proctitle.yml b/data_sources/linux_auditd_proctitle.yml
index 4831ba4585..bd4b0ce319 100644
--- a/data_sources/linux_auditd_proctitle.yml
+++ b/data_sources/linux_auditd_proctitle.yml
@@ -1,9 +1,17 @@
name: Linux Auditd Proctitle
id: 5a25984a-2789-400a-858b-d75c923e06b1
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Proctitle Type
+description: Logs the full command-line arguments of a process execution on a Linux
+ system, providing visibility into the executed command and its parameters.
+mitre_components:
+- Command Execution
+- Process Metadata
+- OS API Execution
+- Application Log Content
+separator: type
+separator_value: PROCTITLE
source: /var/log/audit/audit.log
sourcetype: linux:audit
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
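Review bot: `separator` and `separator_value` are placed above `source`/`sourcetype` in this file, whereas the sibling auditd data sources in this change (add_user, execve, path, syscall) put them directly after `sourcetype: linux:audit`; the hunk for linux_auditd_service_stop.yml has the same placement. Mapping order carries no meaning, so nothing breaks, but a stable key order keeps these near-identical files diffable and makes a missing key easy to spot. Moving the two lines to follow `sourcetype: linux:audit` would align them with the rest of the set.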
diff --git a/data_sources/linux_auditd_service_stop.yml b/data_sources/linux_auditd_service_stop.yml
index 151da0bdca..e44ecf9e3e 100644
--- a/data_sources/linux_auditd_service_stop.yml
+++ b/data_sources/linux_auditd_service_stop.yml
@@ -1,9 +1,18 @@
name: Linux Auditd Service Stop
id: 0643483c-bc62-455c-8d6e-1630e5f0e00d
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Service Stop Type
+description: Logs events related to the stoppage of a service on a Linux system, including
+ details about the service name, the process initiating the stop, and associated
+ timestamps.
+mitre_components:
+- Service Modification
+- Service Metadata
+- OS API Execution
+- Application Log Content
+separator: type
+separator_value: SERVICE_STOP
source: /var/log/audit/audit.log
sourcetype: linux:audit
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
@@ -28,4 +37,6 @@ fields:
- res
- UID
- AUID
-example_log: 'type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg=''unit=atd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success''UID="root" AUID="unset"'
+example_log: 'type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295
+ ses=4294967295 subj=unconfined msg=''unit=atd comm="systemd" exe="/usr/lib/systemd/systemd"
+ hostname=? addr=? terminal=? res=success''UID="root" AUID="unset"'
diff --git a/data_sources/linux_auditd_syscall.yml b/data_sources/linux_auditd_syscall.yml
index 73a300e2be..dcc8e48779 100644
--- a/data_sources/linux_auditd_syscall.yml
+++ b/data_sources/linux_auditd_syscall.yml
@@ -1,11 +1,19 @@
name: Linux Auditd Syscall
id: 4dff7047-0d43-4096-bb3f-b756c889bbad
-version: 1
-date: '2024-08-08'
+version: 2
+date: '2025-01-23'
author: Teoderick Contreras, Splunk
-description: Data source object for Linux Auditd Syscall Type
+description: Logs system calls made by processes on a Linux system, including details
+ about the syscall number, arguments, return values, and associated process metadata.
+mitre_components:
+- OS API Execution
+- Process Metadata
+- Application Log Content
+- Host Status
source: /var/log/audit/audit.log
sourcetype: linux:audit
+separator: type
+separator_value: syscall
configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
supported_TA:
- name: Splunk Add-on for Unix and Linux
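Review bot: `separator_value: syscall` is lowercase, while the record type this data source describes appears as `type=SYSCALL` in the example_log further down the file and every other auditd data source in this change uses the uppercase type name (`ADD_USER`, `EXECVE`, `PATH`, `PROCTITLE`, `SERVICE_STOP`). Unless the consumer of these files compares separator values case-insensitively, this value will not select syscall records at all. Changing it to `separator_value: SYSCALL` would match the actual field value and the convention used by the sibling files. The example_log line is in a later hunk of the same file.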
@@ -20,7 +28,7 @@ fields:
- success
- exit
- a1
-- a2
+- a2
- a3
- items
- ppid
@@ -51,4 +59,9 @@ fields:
- EGID
- SGID
- FSGID
-example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64 SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"'
+example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59
+ success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2
+ ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
+ tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64
+ SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root"
+ EGID="root" SGID="root" FSGID="root"'
diff --git a/data_sources/linux_secure.yml b/data_sources/linux_secure.yml
index cd08575aa2..77d0e1f105 100644
--- a/data_sources/linux_secure.yml
+++ b/data_sources/linux_secure.yml
@@ -1,9 +1,16 @@
name: Linux Secure
id: 9a47d88b-1b17-49ce-a0ef-b440ddbd98bb
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Linux Secure
+description: Logs authentication and authorization events on a Linux system, including
+ login attempts, SSH connections, and privilege escalation activities.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: /var/log/secure
sourcetype: linux_secure
supported_TA: []
diff --git a/data_sources/ms365_defender_incident_alerts.yml b/data_sources/ms365_defender_incident_alerts.yml
index 3fd9ba4555..4f6665ecbc 100644
--- a/data_sources/ms365_defender_incident_alerts.yml
+++ b/data_sources/ms365_defender_incident_alerts.yml
@@ -1,9 +1,16 @@
name: MS365 Defender Incident Alerts
id: 12345678-90ab-cdef-1234-567890abcdef
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Bhavin Patel, Splunk
-description: Data source object for MS365 Defender Incident Alerts
+description: Logs security incidents and correlated alerts in Microsoft 365 Defender,
+ including details about affected assets, threat types, and remediation steps.
+mitre_components:
+- Host Status
+- User Account Metadata
+- Application Log Content
+- Malware Metadata
+- Active Directory Object Access
source: ms365_defender_incident_alerts
sourcetype: ms365:defender:incident:alerts
supported_TA:
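Review bot: The `id` on the context line, `12345678-90ab-cdef-1234-567890abcdef`, reads as a hand-typed placeholder rather than a generated UUID, and this commit bumps the object to version 2 without revisiting it. If these ids are used as the key by which detections reference a data source, a placeholder value risks colliding with another object that used the same example pattern; please confirm it is unique across the catalogue or replace it with a freshly generated UUID (the other files in this change all carry random-looking v4 ids).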
diff --git a/data_sources/ms_defender_atp_alerts.yml b/data_sources/ms_defender_atp_alerts.yml
index 92d4452143..f7429f3de6 100644
--- a/data_sources/ms_defender_atp_alerts.yml
+++ b/data_sources/ms_defender_atp_alerts.yml
@@ -1,9 +1,16 @@
name: MS Defender ATP Alerts
id: 38f034ed-1598-46c8-95e8-14edf01fdf5d
-version: 1
-date: '2024-10-30'
+version: 2
+date: '2025-01-23'
author: Bryan Pluta, Bhavin Patel, Splunk
-description: Data source object for Microsoft Defender ATP Alerts
+description: Logs security alerts generated by Microsoft Defender for Endpoint, including
+ information about detected threats, impacted devices, and recommended actions.
+mitre_components:
+- Host Status
+- Malware Metadata
+- Process Metadata
+- User Account Metadata
+- Application Log Content
source: ms_defender_atp_alerts
sourcetype: ms:defender:atp:alerts
supported_TA:
diff --git a/data_sources/nginx_access.yml b/data_sources/nginx_access.yml
index 87238e5c67..c7b491e28c 100644
--- a/data_sources/nginx_access.yml
+++ b/data_sources/nginx_access.yml
@@ -1,9 +1,16 @@
name: Nginx Access
id: c716a418-eab3-4df5-9dff-5420174e3068
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Nginx Access
+description: Logs HTTP/S access events on an Nginx server, including details such
+ as client IP, request method, URI, response status, and user agent.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+- Application Log Content
+- User Account Metadata
source: /var/log/nginx/access.log
sourcetype: nginx:plus:kv
supported_TA: []
diff --git a/data_sources/o365.yml b/data_sources/o365.yml
index 8102ea7c9f..36c3c9bc2a 100644
--- a/data_sources/o365.yml
+++ b/data_sources/o365.yml
@@ -1,9 +1,16 @@
name: O365
id: b32de97d-0074-4cca-853c-db22c392b6c0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365.
+description: Logs management activities in Microsoft 365, including administrative
+ actions, user activities, and configuration changes across various services.
+mitre_components:
+- User Account Metadata
+- Cloud Service Modification
+- Application Log Content
+- Configuration Modification
+- Active Directory Object Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
diff --git a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
index 89ececa0d0..d97086d833 100644
--- a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
+++ b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml
@@ -1,12 +1,19 @@
name: O365 Add app role assignment grant to user.
id: ce1d7849-a1d2-47fd-b6eb-d7ef854a860c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add app role assignment grant to user.
+description: Logs the assignment of an application role grant to a user in Microsoft
+ 365, including details about the role, user, and application involved.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add app role assignment grant to user.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
index 365604ba84..250a21a230 100644
--- a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
+++ b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml
@@ -1,12 +1,20 @@
name: O365 Add app role assignment to service principal.
id: 785ba57a-ba7b-474e-97c8-9474e6e00b3a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add app role assignment to service principal.
+description: Logs the assignment of an application role to a service principal in
+ Microsoft 365, including details about the role, service principal, and application
+ involved.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- User Account Metadata
+- Group Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add app role assignment to service principal.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_add_mailboxpermission.yml b/data_sources/o365_add_mailboxpermission.yml
index c4869abc7a..191c1d0e6b 100644
--- a/data_sources/o365_add_mailboxpermission.yml
+++ b/data_sources/o365_add_mailboxpermission.yml
@@ -1,12 +1,20 @@
name: O365 Add-MailboxPermission
id: 9c0babdb-bb15-449e-abba-0a9cdb3fc061
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add-MailboxPermission
+description: Logs the addition of mailbox permissions in Microsoft 365, including
+ details about the mailbox, granted permissions, and the user or administrator performing
+ the action.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Active Directory Object Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add-MailboxPermission
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_add_member_to_role_.yml b/data_sources/o365_add_member_to_role_.yml
index c2403e0b25..29145e6d5b 100644
--- a/data_sources/o365_add_member_to_role_.yml
+++ b/data_sources/o365_add_member_to_role_.yml
@@ -1,12 +1,19 @@
name: O365 Add member to role.
id: 8b949f7c-4b5d-404f-9694-d7403c4ec096
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add member to role.
+description: Logs the addition of a member to a role in Microsoft 365, including details
+ about the role, the added member, and the user or administrator performing the action.
+mitre_components:
+- Group Modification
+- Group Metadata
+- User Account Metadata
+- Cloud Service Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add member to role.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_add_owner_to_application_.yml b/data_sources/o365_add_owner_to_application_.yml
index fdeccc791b..dd7f2632d4 100644
--- a/data_sources/o365_add_owner_to_application_.yml
+++ b/data_sources/o365_add_owner_to_application_.yml
@@ -1,12 +1,20 @@
name: O365 Add owner to application.
id: da012cbf-af6e-40ee-a1ba-32a5f8da8f8a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add owner to application.
+description: Logs the addition of an owner to an application in Microsoft 365, including
+ details about the application, the new owner, and the user or administrator performing
+ the action.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Cloud Service Modification
+- Cloud Service Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add owner to application.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_add_service_principal_.yml b/data_sources/o365_add_service_principal_.yml
index ae338dcc71..8f4af7e270 100644
--- a/data_sources/o365_add_service_principal_.yml
+++ b/data_sources/o365_add_service_principal_.yml
@@ -1,12 +1,19 @@
name: O365 Add service principal.
id: 9c1ef9f5-bc30-4a47-a1bd-cb34484ee778
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Add service principal.
+description: Logs the addition of a new service principal in Microsoft 365, including
+ details about the associated application and the action initiator.
+mitre_components:
+- Cloud Service Creation
+- Cloud Service Metadata
+- User Account Metadata
+- Active Directory Object Creation
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Add service principal.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_change_user_license_.yml b/data_sources/o365_change_user_license_.yml
index 17222c9261..d26262857c 100644
--- a/data_sources/o365_change_user_license_.yml
+++ b/data_sources/o365_change_user_license_.yml
@@ -1,12 +1,19 @@
name: O365 Change user license.
id: 1029a20d-3d0d-4fb9-b5e2-22ac5380b20a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Change user license.
+description: Logs changes to user licenses in Microsoft 365, including additions,
+ removals, or updates to service plans associated with a user account.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Cloud Service Modification
+- Configuration Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Change user license.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_consent_to_application_.yml b/data_sources/o365_consent_to_application_.yml
index 4b96c68d96..5698a08a0d 100644
--- a/data_sources/o365_consent_to_application_.yml
+++ b/data_sources/o365_consent_to_application_.yml
@@ -1,12 +1,20 @@
name: O365 Consent to application.
id: 0a15a464-ef51-4614-9a07-a216eb9817db
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Consent to application.
+description: Logs user or administrator consent to an application's permissions in
+ Microsoft 365, including details about the application, granted permissions, and
+ the consenting user or process.
+mitre_components:
+- User Account Modification
+- Cloud Service Modification
+- Cloud Service Metadata
+- Configuration Modification
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Consent to application.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_disable_strong_authentication_.yml b/data_sources/o365_disable_strong_authentication_.yml
index 53f37fa0ab..8682551f6c 100644
--- a/data_sources/o365_disable_strong_authentication_.yml
+++ b/data_sources/o365_disable_strong_authentication_.yml
@@ -1,12 +1,20 @@
name: O365 Disable Strong Authentication.
id: 235381c4-382a-4183-b818-a51c3ce12187
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Disable Strong Authentication.
+description: Logs the disabling of strong authentication (e.g., multi-factor authentication)
+ for a user or group in Microsoft 365, including details about the affected accounts
+ and the action initiator.
+mitre_components:
+- User Account Modification
+- Group Modification
+- Configuration Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Disable Strong Authentication.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_mailitemsaccessed.yml b/data_sources/o365_mailitemsaccessed.yml
index d2bad265dc..e1c6afc695 100644
--- a/data_sources/o365_mailitemsaccessed.yml
+++ b/data_sources/o365_mailitemsaccessed.yml
@@ -1,12 +1,19 @@
name: O365 MailItemsAccessed
id: 3d5188eb-341a-4b46-9caa-aade4047d027
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 MailItemsAccessed
+description: Logs access to mailbox items in Microsoft 365, including details about
+ the user accessing the items, the accessed content, and the method of access.
+mitre_components:
+- File Access
+- User Account Metadata
+- Application Log Content
+- Active Directory Object Access
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: MailItemsAccessed
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_modifyfolderpermissions.yml b/data_sources/o365_modifyfolderpermissions.yml
index bf6d9f1855..77b5ee58cf 100644
--- a/data_sources/o365_modifyfolderpermissions.yml
+++ b/data_sources/o365_modifyfolderpermissions.yml
@@ -1,12 +1,19 @@
name: O365 ModifyFolderPermissions
id: 0a8c1080-68c2-46d7-8324-2e7d97bb6e2f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 ModifyFolderPermissions
+description: Logs modifications to folder permissions in Microsoft 365, including
+ updates to access levels, user assignments, and sharing settings.
+mitre_components:
+- User Account Modification
+- File Access
+- Active Directory Object Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: ModifyFolderPermissions
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_set_company_information_.yml b/data_sources/o365_set_company_information_.yml
index d40cca2fcb..7348172690 100644
--- a/data_sources/o365_set_company_information_.yml
+++ b/data_sources/o365_set_company_information_.yml
@@ -1,12 +1,19 @@
name: O365 Set Company Information.
id: 06c6d576-f032-41e3-b15d-80a434ce13d8
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Set Company Information.
+description: Logs updates to organizational settings and company information in Microsoft
+ 365, including changes to contact details, branding, and configuration policies.
+mitre_components:
+- Cloud Service Modification
+- Configuration Modification
+- Cloud Service Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Set Company Information.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_set_mailbox.yml b/data_sources/o365_set_mailbox.yml
index 30ebad4b33..2cf75ed058 100644
--- a/data_sources/o365_set_mailbox.yml
+++ b/data_sources/o365_set_mailbox.yml
@@ -1,12 +1,19 @@
name: O365 Set-Mailbox
id: db798c5c-928c-4972-bb42-e5f90e35865f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Set-Mailbox
+description: Logs changes to mailbox properties in Microsoft 365, including updates
+ to permissions, storage quotas, and configuration settings.
+mitre_components:
+- User Account Modification
+- Active Directory Object Modification
+- User Account Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Set-Mailbox
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_update_application_.yml b/data_sources/o365_update_application_.yml
index f78faf1948..4e9728c9e5 100644
--- a/data_sources/o365_update_application_.yml
+++ b/data_sources/o365_update_application_.yml
@@ -1,12 +1,19 @@
name: O365 Update application.
id: 62159133-911b-4c63-9e30-a6a8c89195ca
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Update application.
+description: Logs updates made to applications in Microsoft 365, including changes
+ to configurations, permissions, and role assignments.
+mitre_components:
+- Cloud Service Modification
+- Configuration Modification
+- Cloud Service Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Update application.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_update_authorization_policy_.yml b/data_sources/o365_update_authorization_policy_.yml
index b53bce2417..1c0d97242a 100644
--- a/data_sources/o365_update_authorization_policy_.yml
+++ b/data_sources/o365_update_authorization_policy_.yml
@@ -1,12 +1,19 @@
name: O365 Update authorization policy.
id: d40e6a20-4d64-404c-8351-2caae8228d34
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Update authorization policy.
+description: Logs changes to authorization policies in Microsoft 365, including updates
+ to access controls, permissions, and security settings.
+mitre_components:
+- Cloud Service Modification
+- Configuration Modification
+- User Account Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Update authorization policy.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_update_user_.yml b/data_sources/o365_update_user_.yml
index 5497544e68..c9d47f5456 100644
--- a/data_sources/o365_update_user_.yml
+++ b/data_sources/o365_update_user_.yml
@@ -1,12 +1,19 @@
name: O365 Update user.
id: a05fd01e-34d9-4233-9089-11272416b531
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 Update user.
+description: Logs updates to user account properties in Microsoft 365, including changes
+ to roles, permissions, and profile information.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Active Directory Object Modification
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: Update user.
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_userloggedin.yml b/data_sources/o365_userloggedin.yml
index 540450b496..4e5fbdcea2 100644
--- a/data_sources/o365_userloggedin.yml
+++ b/data_sources/o365_userloggedin.yml
@@ -1,12 +1,19 @@
name: O365 UserLoggedIn
id: ed29c8c4-4053-419c-b133-16abf2a1c4c9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 UserLoggedIn
+description: Logs successful login events by users in Microsoft 365, including details
+ about the user account, IP address, and session metadata.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Logon Session Metadata
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: UserLoggedIn
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/o365_userloginfailed.yml b/data_sources/o365_userloginfailed.yml
index b03d5032ae..1a571c469a 100644
--- a/data_sources/o365_userloginfailed.yml
+++ b/data_sources/o365_userloginfailed.yml
@@ -1,12 +1,19 @@
name: O365 UserLoginFailed
id: 6099b33d-d581-43ed-8401-911862590361
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for O365 UserLoginFailed
+description: Logs failed login attempts by users in Microsoft 365, including details
+ about the user account, IP address, and reason for failure.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: o365
sourcetype: o365:management:activity
separator: Operation
+separator_value: UserLoginFailed
supported_TA:
- name: Splunk Add-on for Microsoft Office 365
url: https://splunkbase.splunk.com/app/4055
diff --git a/data_sources/okta.yml b/data_sources/okta.yml
index 816d155e23..3d83e462b9 100644
--- a/data_sources/okta.yml
+++ b/data_sources/okta.yml
@@ -1,9 +1,16 @@
name: Okta
id: ec26febe-e760-4981-bbee-72e107c7b9d2
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Okta
+description: Logs authentication and administrative activities captured by Okta, including
+ user login attempts, session management, and configuration changes.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Configuration Modification
+- Application Log Content
source: Okta
sourcetype: OktaIM2:log
supported_TA:
diff --git a/data_sources/osquery.yml b/data_sources/osquery.yml
index 7244b5e8ce..b14df40563 100644
--- a/data_sources/osquery.yml
+++ b/data_sources/osquery.yml
@@ -1,9 +1,16 @@
name: osquery
id: 7ec4d7c8-c1d0-423a-9169-261f6adb74c0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for osquery
+description: Logs system queries performed using osquery, including details about
+ processes, file access, network activity, and system configurations.
+mitre_components:
+- Process Metadata
+- File Access
+- Network Traffic Content
+- Host Status
+- Application Log Content
source: osquery
sourcetype: osquery:results
supported_TA: []
diff --git a/data_sources/palo_alto_network_threat.yml b/data_sources/palo_alto_network_threat.yml
index 37d07f372d..10e7c74e79 100644
--- a/data_sources/palo_alto_network_threat.yml
+++ b/data_sources/palo_alto_network_threat.yml
@@ -1,9 +1,16 @@
name: Palo Alto Network Threat
id: 375c2b0e-d216-41ad-9406-200464595209
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Palo Alto Network Threat
+description: Logs detected threats identified by Palo Alto Networks devices, including
+ details about malware, intrusion attempts, and malicious network activity.
+mitre_components:
+- Malware Metadata
+- Network Traffic Content
+- Network Traffic Flow
+- Application Log Content
+- Host Status
source: pan:threat
sourcetype: pan:threat
supported_TA:
diff --git a/data_sources/palo_alto_network_traffic.yml b/data_sources/palo_alto_network_traffic.yml
index 7f42b934b2..09515ca80d 100644
--- a/data_sources/palo_alto_network_traffic.yml
+++ b/data_sources/palo_alto_network_traffic.yml
@@ -1,9 +1,16 @@
name: Palo Alto Network Traffic
id: 182a83bc-c31a-4817-8c7a-263744cec52a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Palo Alto Network Traffic
+description: Logs network traffic events captured by Palo Alto Networks devices, including
+ details about sessions, protocols, and source and destination IPs.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Network Connection Creation
+- Response Metadata
+- Application Log Content
source: screenconnect_palo_traffic
sourcetype: pan:traffic
supported_TA:
diff --git a/data_sources/pingid.yml b/data_sources/pingid.yml
index 1342a8c5d5..bde7518b61 100644
--- a/data_sources/pingid.yml
+++ b/data_sources/pingid.yml
@@ -1,9 +1,16 @@
name: PingID
id: 17890675-61c1-40bd-a88e-6a8e9e246b43
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for PingID
+description: Logs authentication and multi-factor authentication (MFA) events managed
+ by PingID, including user logins, device enrollments, and MFA challenges.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
+- Host Status
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
supported_TA: []
diff --git a/data_sources/powershell_installed_iis_modules.yml b/data_sources/powershell_installed_iis_modules.yml
index a27822830a..ddb49cbdf7 100644
--- a/data_sources/powershell_installed_iis_modules.yml
+++ b/data_sources/powershell_installed_iis_modules.yml
@@ -1,9 +1,15 @@
name: Powershell Installed IIS Modules
id: 4f2ccf42-3503-4417-a684-bfccf7f0d7b4
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Powershell Installed IIS Modules
+description: Logs the list of installed IIS modules retrieved using PowerShell, including
+ details about their names and statuses.
+mitre_components:
+- Service Metadata
+- Configuration Modification
+- OS API Execution
+- Application Log Content
source: powershell://AppCmdModules
sourcetype: Pwsh:InstalledIISModules
supported_TA: []
diff --git a/data_sources/powershell_script_block_logging_4104.yml b/data_sources/powershell_script_block_logging_4104.yml
index 8333b3c4b2..99f3ace10f 100644
--- a/data_sources/powershell_script_block_logging_4104.yml
+++ b/data_sources/powershell_script_block_logging_4104.yml
@@ -1,11 +1,20 @@
name: Powershell Script Block Logging 4104
id: 5cfd0c72-d989-47a0-92f9-6edc6f8d3564
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Powershell Script Block Logging 4104
+description: Logs detailed content of PowerShell script blocks as they are executed,
+ including the full command text and context for the execution.
+mitre_components:
+- Script Execution
+- Command Execution
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog
+separator: EventID
+separator_value: 4104
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
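Review bot: `separator_value: 4104` is an unquoted integer, while the O365 files in this change add the same key as strings (`separator_value: Set-Mailbox`), so the key now carries two YAML types across the repository; the Sysmon EventID hunks (1, 10, 11, 12, 13, 15, 17, 18, 21, 22, 23, 3, 5, 6, 7, 8) add unquoted integers too. If the loader declares the field as a string, a strict parser will reject the int, and a string comparison against the event's EventID field behaves differently from an int one. Quoting keeps a single type: `separator_value: '4104'`.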
diff --git a/data_sources/powershell_sip_inventory.yml b/data_sources/powershell_sip_inventory.yml
index dc02c04217..884298d261 100644
--- a/data_sources/powershell_sip_inventory.yml
+++ b/data_sources/powershell_sip_inventory.yml
@@ -1,9 +1,15 @@
name: Powershell SIP Inventory
id: 5ef5cb5d-1fa8-4567-b48f-27317662cd73
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Powershell SIP Inventory
+description: Logs the inventory of System Integrity Policies (SIP) on a system retrieved
+ via PowerShell, including details about policy configurations and statuses.
+mitre_components:
+- Configuration Modification
+- Host Status
+- Application Log Content
+- OS API Execution
source: powershell://SubjectInterfacePackage
sourcetype: PwSh:SubjectInterfacePackage
supported_TA: []
diff --git a/data_sources/splunk.yml b/data_sources/splunk.yml
index 59728f1060..3358a2e210 100644
--- a/data_sources/splunk.yml
+++ b/data_sources/splunk.yml
@@ -1,9 +1,16 @@
name: Splunk
id: d8a2c791-460b-4756-a8e5-ecade77b21e3
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Splunk
+description: Logs user interface access events for Splunk, including details about
+ user actions, accessed resources, and authentication information.
+mitre_components:
+- User Account Authentication
+- User Account Metadata
+- Application Log Content
+- Configuration Modification
+- Logon Session Metadata
source: splunkd_ui_access.log
sourcetype: splunkd_ui_access
supported_TA: []
diff --git a/data_sources/splunk_stream_http.yml b/data_sources/splunk_stream_http.yml
index 29db818262..f099678d49 100644
--- a/data_sources/splunk_stream_http.yml
+++ b/data_sources/splunk_stream_http.yml
@@ -1,9 +1,16 @@
name: Splunk Stream HTTP
id: b0070a33-92ed-49e5-8f38-576cdf300710
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Splunk Stream HTTP
+description: Logs HTTP traffic captured by Splunk Stream, including details such as
+ request methods, URLs, headers, response codes, and client-server interactions.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Response Content
+- Response Metadata
+- Application Log Content
source: stream:http
sourcetype: stream:http
supported_TA:
diff --git a/data_sources/splunk_stream_ip.yml b/data_sources/splunk_stream_ip.yml
index d722002f17..ec1c7a15fb 100644
--- a/data_sources/splunk_stream_ip.yml
+++ b/data_sources/splunk_stream_ip.yml
@@ -1,9 +1,16 @@
name: Splunk Stream IP
id: c96f5906-f601-4f32-a26c-482535159bc2
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Splunk Stream IP
+description: Logs IP traffic captured by Splunk Stream, including details about source
+ and destination IPs, protocols, and packet metadata.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Network Connection Creation
+- Response Metadata
+- Application Log Content
source: stream:ip
sourcetype: stream:ip
supported_TA:
diff --git a/data_sources/splunk_stream_tcp.yml b/data_sources/splunk_stream_tcp.yml
index 685c0f6931..f9de165e7c 100644
--- a/data_sources/splunk_stream_tcp.yml
+++ b/data_sources/splunk_stream_tcp.yml
@@ -1,9 +1,16 @@
name: Splunk Stream TCP
id: 4b1233d1-f80a-4da1-ab27-a5b10ea8a4ce
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Splunk Stream TCP
+description: Logs TCP traffic captured by Splunk Stream, including details about source
+ and destination IPs, ports, connection states, and packet-level metadata.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Network Connection Creation
+- Response Metadata
+- Application Log Content
source: stream:tcp
sourcetype: stream:tcp
supported_TA:
diff --git a/data_sources/suricata.yml b/data_sources/suricata.yml
index 6ad1b8e80c..9aaf522008 100644
--- a/data_sources/suricata.yml
+++ b/data_sources/suricata.yml
@@ -1,9 +1,16 @@
name: Suricata
id: 64b245d4-a4d1-4865-a718-c83d3b939f2e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Suricata
+description: Logs network traffic and security events detected by Suricata, including
+ details about connections, protocol metadata, and potential threats.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Network Connection Creation
+- Malware Metadata
+- Application Log Content
source: suricata
sourcetype: suricata
supported_TA: []
diff --git a/data_sources/sysmon_eventid_1.yml b/data_sources/sysmon_eventid_1.yml
index 80284e88ac..eca6d1c0a5 100644
--- a/data_sources/sysmon_eventid_1.yml
+++ b/data_sources/sysmon_eventid_1.yml
@@ -1,12 +1,19 @@
name: Sysmon EventID 1
id: b375f4d1-d7ca-4bc0-9103-294825c0af17
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 1
+description: Logs the creation of a new process, including details such as process
+ ID, parent process, command line arguments, and hashes of the executable.
+mitre_components:
+- Process Creation
+- Process Metadata
+- Command Execution
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 1
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
@@ -150,23 +157,22 @@ convert_to_log_source:
User: UserSid
ParentProcessId: ParentProcessId
ParentImage: ParentBaseFileName
-example_log: "154100x80000000000000004522Microsoft-Windows-Sysmon/Operationalwin-dc-6764986.attackrange.local-2020-10-08\
- \ 11:03:46.615{96128EA2-F212-5F7E-E400-000000007F01}2296C:\\Windows\\System32\\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows\
- \ Command ProcessorMicrosoft\xAE Windows\xAE Operating\
- \ SystemMicrosoft CorporationCmd.Exe\"C:\\Windows\\system32\\cmd.exe\" /c \"reg save HKLM\\sam\
- \ %%temp%%\\sam & reg save HKLM\\system %%temp%%\\system & reg save HKLM\\\
- security %%temp%%\\security\" C:\\Users\\ADMINI~1\\\
- AppData\\Local\\Temp\\ATTACKRANGE\\Administrator{96128EA2-F210-5F7E-ACD4-080000000000}0x8d4ac0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{96128EA2-F211-5F7E-DF00-000000007F01}4624C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"powershell.exe\" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAyACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA=="
+example_log: 154100x80000000000000004522Microsoft-Windows-Sysmon/Operationalwin-dc-6764986.attackrange.local-2020-10-08
+ 11:03:46.615{96128EA2-F212-5F7E-E400-000000007F01}2296C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows
+ Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam %%temp%%\sam
+ & reg save HKLM\system %%temp%%\system & reg save HKLM\security %%temp%%\security"
+ C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{96128EA2-F210-5F7E-ACD4-080000000000}0x8d4ac0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{96128EA2-F211-5F7E-DF00-000000007F01}4624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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
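Review bot: The example_log value is rewritten from a double-quoted scalar to a plain multi-line scalar, which is fragile: any `: ` or ` #` sequence introduced by a future edit turns the remainder into a mapping or a comment, and the `®` characters now depend on the file being read as UTF-8 instead of on the previous `\xAE` escape. A folded block scalar gives the same single-line result without those hazards: `example_log: >-` followed by the same lines, each indented two spaces. The tail of the value is truncated on this page, so the end of the scalar could not be checked.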
diff --git a/data_sources/sysmon_eventid_10.yml b/data_sources/sysmon_eventid_10.yml
index be7121e719..844e023f1a 100644
--- a/data_sources/sysmon_eventid_10.yml
+++ b/data_sources/sysmon_eventid_10.yml
@@ -1,12 +1,19 @@
name: Sysmon EventID 10
id: 659cd5a8-148a-4c59-ade1-05f41ac1b096
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 10
+description: Logs events where one process accesses another process, typically for
+ memory reads or injections, including details about the source and target processes.
+mitre_components:
+- Process Access
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 10
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_11.yml b/data_sources/sysmon_eventid_11.yml
index e206bee06f..a9c4b7bb78 100644
--- a/data_sources/sysmon_eventid_11.yml
+++ b/data_sources/sysmon_eventid_11.yml
@@ -1,12 +1,20 @@
name: Sysmon EventID 11
id: f3db9179-f4f5-416d-bc03-39f4d4ff699e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 11
+description: Logs the creation of a new file, including details about the file path,
+ hash information, and associated process metadata.
+mitre_components:
+- File Creation
+- File Metadata
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 11
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_12.yml b/data_sources/sysmon_eventid_12.yml
index 232ca47a23..b1fe5f0b54 100644
--- a/data_sources/sysmon_eventid_12.yml
+++ b/data_sources/sysmon_eventid_12.yml
@@ -1,12 +1,19 @@
name: Sysmon EventID 12
id: 3ef28798-8eaa-4fd2-b074-6f36d08a1b33
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 12
+description: Logs the creation of a new registry key, including details about the
+ key name, registry path, and associated process metadata.
+mitre_components:
+- Windows Registry Key Creation
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 12
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_13.yml b/data_sources/sysmon_eventid_13.yml
index ff0aa0690b..e586cf23e2 100644
--- a/data_sources/sysmon_eventid_13.yml
+++ b/data_sources/sysmon_eventid_13.yml
@@ -1,12 +1,19 @@
name: Sysmon EventID 13
id: 19cd00ee-f65f-48ca-bb08-64aac28638ce
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 13
+description: Logs changes to a registry key, including details about the modified
+ key, value, and associated process.
+mitre_components:
+- Windows Registry Key Modification
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 13
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_15.yml b/data_sources/sysmon_eventid_15.yml
index 335042f192..e679fb1ad9 100644
--- a/data_sources/sysmon_eventid_15.yml
+++ b/data_sources/sysmon_eventid_15.yml
@@ -1,12 +1,20 @@
name: Sysmon EventID 15
id: 95785e02-93b4-47e2-81f1-be326295348e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 15
+description: Logs the creation of a new file stream, including details about the file
+ stream's hash, path, and associated process metadata.
+mitre_components:
+- File Creation
+- File Metadata
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 15
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_17.yml b/data_sources/sysmon_eventid_17.yml
index b1125bf4d3..b871828540 100644
--- a/data_sources/sysmon_eventid_17.yml
+++ b/data_sources/sysmon_eventid_17.yml
@@ -1,12 +1,15 @@
name: Sysmon EventID 17
id: 08924246-c8e8-4c95-a9fc-633c43cc82df
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 17
+description: Sysmon EventID 17 logs details about the detection of a named pipe.
+mitre_components:
+- Named Pipe Metadata
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 17
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
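Review bot: The new description `Sysmon EventID 17 logs details about the detection of a named pipe.` departs from the `Logs the ...` form used by every other Sysmon file in this change and does not say what the event records; Sysmon event 17 is the pipe-created event. Suggest `description: Logs the creation of a named pipe, including the pipe name and the creating process.` and, for parity with the EventID 18 hunk, adding `Process Metadata` to mitre_components.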
diff --git a/data_sources/sysmon_eventid_18.yml b/data_sources/sysmon_eventid_18.yml
index a1204b64f7..f3b7854c2f 100644
--- a/data_sources/sysmon_eventid_18.yml
+++ b/data_sources/sysmon_eventid_18.yml
@@ -1,12 +1,19 @@
name: Sysmon EventID 18
id: 37eb3554-214e-4e66-af10-c3ffc5b8ca82
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 18
+description: Logs the connection to a named pipe, including details about the pipe
+ name, source and destination processes, and communication direction.
+mitre_components:
+- Named Pipe Metadata
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 18
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_20.yml b/data_sources/sysmon_eventid_20.yml
index dfcc795a12..3ea5d1f3f9 100644
--- a/data_sources/sysmon_eventid_20.yml
+++ b/data_sources/sysmon_eventid_20.yml
@@ -1,9 +1,15 @@
name: Sysmon EventID 20
id: aeee5374-3203-4286-b744-a8cc4ad1cd7e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 20
+description: Logs WMI (Windows Management Instrumentation) consumer activity, including
+ details about the WMI event consumer, associated process, and event data.
+mitre_components:
+- WMI Creation
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
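Review bot: No `separator_value` is added to sysmon_eventid_20.yml, while every other Sysmon EventID file in this change pairs its `separator: EventID` with one; the hunk ends on the `separator: EventID` context line, so an insertion there would have appeared in this hunk. Unless the key already exists further down the file, a consumer that resolves events by separator/separator_value cannot match this source. Add `separator_value: 20` after `separator: EventID`, in whatever scalar form the other Sysmon files settle on.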
diff --git a/data_sources/sysmon_eventid_21.yml b/data_sources/sysmon_eventid_21.yml
index 89de93b9dc..8caa81e1bc 100644
--- a/data_sources/sysmon_eventid_21.yml
+++ b/data_sources/sysmon_eventid_21.yml
@@ -1,12 +1,19 @@
name: Sysmon EventID 21
id: 304384bc-715e-4958-988b-a8051a91349a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 21
+description: Logs activity related to the association of a WMI event consumer with
+ a filter, including details about the consumer, filter, and associated process.
+mitre_components:
+- WMI Creation
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 21
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_22.yml b/data_sources/sysmon_eventid_22.yml
index eee550143e..c8c1f78cdd 100644
--- a/data_sources/sysmon_eventid_22.yml
+++ b/data_sources/sysmon_eventid_22.yml
@@ -1,12 +1,20 @@
name: Sysmon EventID 22
id: 911538b2-eba7-4d3e-85e8-d82d380c37bf
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 22
+description: Logs DNS query events, including details about the queried domain, source
+ IP, query type, and response data.
+mitre_components:
+- Passive DNS
+- Active DNS
+- Network Traffic Content
+- Network Traffic Flow
+- Application Log Content
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 22
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_23.yml b/data_sources/sysmon_eventid_23.yml
index ee91eb49d2..7dc515f54a 100644
--- a/data_sources/sysmon_eventid_23.yml
+++ b/data_sources/sysmon_eventid_23.yml
@@ -1,12 +1,20 @@
name: Sysmon EventID 23
id: 5ea2721d-f60c-4f48-a047-47d514e327c3
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 23
+description: Logs the deletion of a file, including details about the file path, associated
+ process, and the time of deletion.
+mitre_components:
+- File Deletion
+- File Metadata
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 23
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_3.yml b/data_sources/sysmon_eventid_3.yml
index 4a92e3fcd3..b548310e17 100644
--- a/data_sources/sysmon_eventid_3.yml
+++ b/data_sources/sysmon_eventid_3.yml
@@ -1,12 +1,20 @@
name: Sysmon EventID 3
id: 01d84dff-4e26-422c-9389-6a579ee6e75b
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 3
+description: Logs details of network connections initiated by processes, including
+ source and destination IPs, ports, protocols, and the associated process metadata.
+mitre_components:
+- Network Connection Creation
+- Network Traffic Flow
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 3
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_5.yml b/data_sources/sysmon_eventid_5.yml
index 2e8f6f0ab7..946a3c0551 100644
--- a/data_sources/sysmon_eventid_5.yml
+++ b/data_sources/sysmon_eventid_5.yml
@@ -1,12 +1,19 @@
name: Sysmon EventID 5
id: 556471bf-44fa-44e6-97e2-eb25416aeb6d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 5
+description: Logs the termination of a process, including details about the process
+ name, process ID, parent process, and associated metadata.
+mitre_components:
+- Process Termination
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 5
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_6.yml b/data_sources/sysmon_eventid_6.yml
index 33345ac58b..c9d0d5d247 100644
--- a/data_sources/sysmon_eventid_6.yml
+++ b/data_sources/sysmon_eventid_6.yml
@@ -1,12 +1,19 @@
name: Sysmon EventID 6
id: eadc297a-c20c-45a1-8fac-74ad54019767
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 6
+description: Logs the loading of a driver into the kernel or user mode, including
+ details about the driver name, file path, and associated process metadata.
+mitre_components:
+- Driver Load
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 6
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
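Review bot: The new description for EventID 6 says the driver is loaded `into the kernel or user mode`; Sysmon event 6 is the driver-loaded event and records kernel driver loads, so `or user mode` misstates what the source contains. Suggest `description: Logs the loading of a driver, including the driver image path, hashes and signature information.`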
diff --git a/data_sources/sysmon_eventid_7.yml b/data_sources/sysmon_eventid_7.yml
index 2efd35e16d..8c5dcd335e 100644
--- a/data_sources/sysmon_eventid_7.yml
+++ b/data_sources/sysmon_eventid_7.yml
@@ -1,12 +1,20 @@
name: Sysmon EventID 7
id: 45512fa5-4d55-4088-9d51-f4dedc16fdff
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 7
+description: Logs the loading of an image (module) into a process, including details
+ about the image name, file path, and hash information.
+mitre_components:
+- Module Load
+- Process Metadata
+- File Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 7
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_eventid_8.yml b/data_sources/sysmon_eventid_8.yml
index 5fc772500d..bb8b3a983b 100644
--- a/data_sources/sysmon_eventid_8.yml
+++ b/data_sources/sysmon_eventid_8.yml
@@ -1,12 +1,19 @@
name: Sysmon EventID 8
id: df7a786c-ade0-48f0-8596-26f10d169f7d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 8
+description: Logs the creation of a new thread in a process, including details about
+ the thread ID, start address, and source process.
+mitre_components:
+- Process Modification
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 8
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
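Review bot: "Logs the creation of a new thread in a process" understates what Sysmon event 8 (CreateRemoteThread) records: it fires only when one process creates a thread in a different process, and the wording as written implies every thread start is logged, which Sysmon does not do. The cross-process aspect is the part detections built on this source rely on, so it belongs in the description. Suggest `description: Logs a process creating a thread in another process (CreateRemoteThread), including the source and target process, thread ID and start address.`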
diff --git a/data_sources/sysmon_eventid_9.yml b/data_sources/sysmon_eventid_9.yml
index b93f6051cb..ba5499ae5b 100644
--- a/data_sources/sysmon_eventid_9.yml
+++ b/data_sources/sysmon_eventid_9.yml
@@ -1,12 +1,20 @@
name: Sysmon EventID 9
id: ae4a6a24-9b8c-4386-a7ac-677d7ad5bf09
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon EventID 9
+description: Logs the access of raw disk data by a process, including details about
+ the disk name, process ID, and process metadata.
+mitre_components:
+- Drive Access
+- File Metadata
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
separator: EventID
+separator_value: 9
configuration: https://github.com/SwiftOnSecurity/sysmon-config
supported_TA:
- name: Splunk Add-on for Sysmon
diff --git a/data_sources/sysmon_for_linux_eventid_1.yml b/data_sources/sysmon_for_linux_eventid_1.yml
index 9ee369f5b8..e8c72edc4e 100644
--- a/data_sources/sysmon_for_linux_eventid_1.yml
+++ b/data_sources/sysmon_for_linux_eventid_1.yml
@@ -1,12 +1,20 @@
name: Sysmon for Linux EventID 1
id: 93643652-30fe-4941-a1f7-6454f2948660
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon for Linux EventID 1
+description: Logs process creation events on Linux systems, including details about
+ the process name, process ID, command line arguments, and parent process ID.
+mitre_components:
+- Process Creation
+- Command Execution
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
separator: EventID
+separator_value: 1
supported_TA:
- name: Splunk Add-on for Sysmon for Linux
url: https://splunkbase.splunk.com/app/6652
diff --git a/data_sources/sysmon_for_linux_eventid_11.yml b/data_sources/sysmon_for_linux_eventid_11.yml
index 8276870f8a..e06d9f1fe6 100644
--- a/data_sources/sysmon_for_linux_eventid_11.yml
+++ b/data_sources/sysmon_for_linux_eventid_11.yml
@@ -1,9 +1,16 @@
name: Sysmon for Linux EventID 11
id: 14672fed-235a-411f-8062-ace9696fb2af
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Sysmon for Linux EventID 11
+description: Logs the creation of a new file on a Linux system, including details
+ about the file path, file type, and associated process.
+mitre_components:
+- File Creation
+- File Metadata
+- Process Metadata
+- OS API Execution
+- Application Log Content
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
separator: EventID
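Review bot: `separator_value` is missing from this hunk even though every other file with `separator: EventID` or `separator: EventCode` touched in this commit gains `separator_value: <id>` directly after `separator`; the same omission appears in windows_event_log_application_2282, windows_event_log_defender_5007 and windows_event_log_microsoft_windows_terminalservices_rdpclient_1024. Unless the key is set further down these files outside the hunks, anything that resolves the event by `separator_value` will skip these four sources. Suggest adding `separator_value: 11` after `separator: EventID` here and the matching event code in each of the other three.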
diff --git a/data_sources/windows_active_directory_admon.yml b/data_sources/windows_active_directory_admon.yml
index cfeb4c831e..cb22e42655 100644
--- a/data_sources/windows_active_directory_admon.yml
+++ b/data_sources/windows_active_directory_admon.yml
@@ -1,9 +1,16 @@
name: Windows Active Directory Admon
id: 22bbf4e4-d313-43c1-98ee-808b8775519d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Active Directory Admon
+description: Logs administrative actions within Active Directory, including user and
+ group modifications, permission changes, and policy updates.
+mitre_components:
+- Active Directory Object Modification
+- Group Modification
+- User Account Modification
+- Configuration Modification
+- Application Log Content
source: ActiveDirectory
sourcetype: ActiveDirectory
supported_TA:
diff --git a/data_sources/windows_defender_alerts.yml b/data_sources/windows_defender_alerts.yml
index 83a470bf4b..9d3269c287 100644
--- a/data_sources/windows_defender_alerts.yml
+++ b/data_sources/windows_defender_alerts.yml
@@ -1,67 +1,79 @@
name: Windows Defender Alerts
id: 91738e9e-d112-41c9-b91b-e5868d8993d7
-version: 1
-date: '2024-09-24'
+version: 2
+date: '2025-01-23'
author: Gowthamaraj Rajendran
-description: Data source object for Windows Defender alerts
+description: Logs security alerts generated by Windows Defender, including details
+ about detected threats, impacted files, and recommended actions for remediation.
+mitre_components:
+- Malware Metadata
+- File Access
+- Process Metadata
+- Application Log Content
+- Host Status
source: eventhub://windowsdefenderlogs
sourcetype: mscs:azure:eventhub:defender:advancedhunting
separator: AlertId
supported_TA:
- - name: Splunk add on for Microsoft Defender Advanced Hunting
- url: https://splunkbase.splunk.com/app/5518
- version: 1.4.1
+- name: Splunk add on for Microsoft Defender Advanced Hunting
+ url: https://splunkbase.splunk.com/app/5518
+ version: 1.4.1
fields:
- - _time
- - AlertId
- - TenantId
- - OperationName
- - Category
- - Timestamp
- - EntityType
- - EvidenceRole
- - SHA1
- - SHA256
- - RemoteIP
- - LocalIP
- - RemoteUrl
- - AccountName
- - AccountDomain
- - AccountSid
- - AccountObjectId
- - DeviceId
- - ThreatFamily
- - EvidenceDirection
- - AdditionalFields
- - MachineGroup
- - NetworkMessageId
- - ServiceSource
- - FileName
- - FolderPath
- - ProcessCommandLine
- - EmailSubject
- - ApplicationId
- - Application
- - DeviceName
- - FileSize
- - RegistryKey
- - RegistryValueName
- - RegistryValueData
- - AccountUpn
- - OAuthApplicationId
- - Categories
- - Title
- - AttackTechniques
- - DetectionSource
- - Severity
-example_log: '{"time": "2024-06-14T20:12:23.3360383Z", "tenantId": "abced-c7ee-abce-1123-123", "operationName": "Publish",
- "category": "AdvancedHunting-AlertEvidence", "properties": {"Timestamp": "2024-04-14T19:59:59.1549925Z", "AlertId": "dc25",
- "EntityType": "CloudResource", "EvidenceRole": "Impacted", "SHA1": null, "SHA256": null, "RemoteIP": null, "LocalIP": null,
- "RemoteUrl": null, "AccountName": null, "AccountDomain": null, "AccountSid": null, "AccountObjectId": null, "DeviceId": null,
- "ThreatFamily": null, "EvidenceDirection": null, "AdditionalFields": "{\"ResourceId\":\"/subscriptions/1-2-3-4/resourceGroups/pluginframework/
- providers/Microsoft.Compute/virtualMachines/phantom-identity\",\"ResourceType\":\"Virtual Machine\",\"ResourceName\":\"phantom-identity\",\"Asset\":true,\"
- Type\":\"azure-resource\",\"Role\":0,\"MergeByKey\":\"abcd=\",\"MergeByKeyHex\":\"1234\"}", "MachineGroup": null, "NetworkMessageId": null, "ServiceSource":
- "Microsoft Defender for Cloud", "FileName": null, "FolderPath": null, "ProcessCommandLine": null, "EmailSubject": null, "ApplicationId": null, "Application":
- null, "DeviceName": null, "FileSize": null, "RegistryKey": null, "RegistryValueName": null, "RegistryValueData": null, "AccountUpn": null, "OAuthApplicationId":
- null, "Categories": "[\"InitialAccess\"]", "Title": "Suspicious authentication activity", "AttackTechniques": "", "DetectionSource": "DefenderForServers",
- "Severity": "High"}, "Tenant": "DefaultTenant"}'
+- _time
+- AlertId
+- TenantId
+- OperationName
+- Category
+- Timestamp
+- EntityType
+- EvidenceRole
+- SHA1
+- SHA256
+- RemoteIP
+- LocalIP
+- RemoteUrl
+- AccountName
+- AccountDomain
+- AccountSid
+- AccountObjectId
+- DeviceId
+- ThreatFamily
+- EvidenceDirection
+- AdditionalFields
+- MachineGroup
+- NetworkMessageId
+- ServiceSource
+- FileName
+- FolderPath
+- ProcessCommandLine
+- EmailSubject
+- ApplicationId
+- Application
+- DeviceName
+- FileSize
+- RegistryKey
+- RegistryValueName
+- RegistryValueData
+- AccountUpn
+- OAuthApplicationId
+- Categories
+- Title
+- AttackTechniques
+- DetectionSource
+- Severity
+example_log: '{"time": "2024-06-14T20:12:23.3360383Z", "tenantId": "abced-c7ee-abce-1123-123",
+ "operationName": "Publish", "category": "AdvancedHunting-AlertEvidence", "properties":
+ {"Timestamp": "2024-04-14T19:59:59.1549925Z", "AlertId": "dc25", "EntityType": "CloudResource",
+ "EvidenceRole": "Impacted", "SHA1": null, "SHA256": null, "RemoteIP": null, "LocalIP":
+ null, "RemoteUrl": null, "AccountName": null, "AccountDomain": null, "AccountSid":
+ null, "AccountObjectId": null, "DeviceId": null, "ThreatFamily": null, "EvidenceDirection":
+ null, "AdditionalFields": "{\"ResourceId\":\"/subscriptions/1-2-3-4/resourceGroups/pluginframework/
+ providers/Microsoft.Compute/virtualMachines/phantom-identity\",\"ResourceType\":\"Virtual
+ Machine\",\"ResourceName\":\"phantom-identity\",\"Asset\":true,\" Type\":\"azure-resource\",\"Role\":0,\"MergeByKey\":\"abcd=\",\"MergeByKeyHex\":\"1234\"}",
+ "MachineGroup": null, "NetworkMessageId": null, "ServiceSource": "Microsoft Defender
+ for Cloud", "FileName": null, "FolderPath": null, "ProcessCommandLine": null, "EmailSubject":
+ null, "ApplicationId": null, "Application": null, "DeviceName": null, "FileSize":
+ null, "RegistryKey": null, "RegistryValueName": null, "RegistryValueData": null,
+ "AccountUpn": null, "OAuthApplicationId": null, "Categories": "[\"InitialAccess\"]",
+ "Title": "Suspicious authentication activity", "AttackTechniques": "", "DetectionSource":
+ "DefenderForServers", "Severity": "High"}, "Tenant": "DefaultTenant"}'
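Review bot: The re-wrapped `example_log` bakes in two artifacts that the old version only produced by line folding: the `AdditionalFields` JSON now literally contains `\" Type\":\"azure-resource\"` (a key with a leading space, presumably `Type` in the real event), and the `ResourceId` path is still broken after `pluginframework/`, which the single-quoted scalar folds into `pluginframework/ providers/`. Neither breaks YAML or JSON parsing, so nothing will flag it; the sample simply no longer matches the field names and resource path of a real alert. Suggest `\"Asset\":true,\"Type\":\"azure-resource\"` and keeping `pluginframework/providers/Microsoft.Compute/...` on one line; the flush `- ` list re-indent in the rest of the hunk matches the other files.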
diff --git a/data_sources/windows_event_log_application_2282.yml b/data_sources/windows_event_log_application_2282.yml
index eb6fc6d136..01b723d773 100644
--- a/data_sources/windows_event_log_application_2282.yml
+++ b/data_sources/windows_event_log_application_2282.yml
@@ -1,9 +1,15 @@
name: Windows Event Log Application 2282
id: 4490537e-5e0c-46f7-9209-f56f852aa237
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Application 2282
+description: Logs an event in IIS when a module DLL fails to load due to a configuration
+ issue, including details about the module and error message.
+mitre_components:
+- Service Modification
+- Configuration Modification
+- Application Log Content
+- Service Metadata
source: XmlWinEventLog:Application
sourcetype: XmlWinEventLog
separator: EventCode
diff --git a/data_sources/windows_event_log_application_3000.yml b/data_sources/windows_event_log_application_3000.yml
index 87b847e9bc..a3dcec0bda 100644
--- a/data_sources/windows_event_log_application_3000.yml
+++ b/data_sources/windows_event_log_application_3000.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Application 3000
id: 3911945d-9222-408d-b851-9b1bce4c2d24
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Application 3000
+description: Logs the termination of a process, including details about the process,
+ its termination code, and timestamp.
+mitre_components:
+- Process Termination
+- Process Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Application
sourcetype: XmlWinEventLog
separator: EventCode
+separator_value: 3000
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_capi2_70.yml b/data_sources/windows_event_log_capi2_70.yml
index b604bbe548..cc9a329fac 100644
--- a/data_sources/windows_event_log_capi2_70.yml
+++ b/data_sources/windows_event_log_capi2_70.yml
@@ -1,12 +1,20 @@
name: Windows Event Log CAPI2 70
id: 821de0a6-c5b4-491b-a27e-187552792817
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log CAPI2 70
+description: This event log records events related to cryptographic operations, including
+ the deletion and export of certificates.
+mitre_components:
+- Certificate Registration
+- Process Metadata
+- Application Log Content
+- OS API Execution
+- Host Status
source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 70
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_capi2_81.yml b/data_sources/windows_event_log_capi2_81.yml
index 376d347618..e6641f83f8 100644
--- a/data_sources/windows_event_log_capi2_81.yml
+++ b/data_sources/windows_event_log_capi2_81.yml
@@ -1,12 +1,20 @@
name: Windows Event Log CAPI2 81
id: 463ff898-8135-4c0e-811e-f8629dfc5027
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log CAPI2 81
+description: Logs an error when attempting to verify the digital signature of a file,
+ including details about the file path, signature failure, and the process involved.
+mitre_components:
+- File Access
+- File Metadata
+- Malware Metadata
+- Application Log Content
+- Process Metadata
source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 81
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_certificateservicesclient_1007.yml b/data_sources/windows_event_log_certificateservicesclient_1007.yml
index aecc0bf864..edc911da2a 100644
--- a/data_sources/windows_event_log_certificateservicesclient_1007.yml
+++ b/data_sources/windows_event_log_certificateservicesclient_1007.yml
@@ -1,12 +1,20 @@
name: Windows Event Log CertificateServicesClient 1007
id: c51444e3-479d-4c4a-b111-e8276a3acf39
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log CertificateServicesClient 1007
+description: Logs the export of a certificate from the local certificate store, including
+ details about the certificate thumbprint, subject names, and the process involved.
+mitre_components:
+- Certificate Registration
+- Certificate Metadata
+- Process Metadata
+- Application Log Content
+- User Account Metadata
source: XmlWinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
sourcetype: XmlWinEventLog
separator: EventCode
+separator_value: 1007
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_defender_1121.yml b/data_sources/windows_event_log_defender_1121.yml
index e06fcfddca..c1185da5d8 100644
--- a/data_sources/windows_event_log_defender_1121.yml
+++ b/data_sources/windows_event_log_defender_1121.yml
@@ -1,12 +1,18 @@
name: Windows Event Log Defender 1121
id: 84a254c5-7900-4b52-a324-a176adb7c11d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Defender 1121
+description: Logs an event when a Windows Defender attack surface reduction rule fires
+ in block mode.
+mitre_components:
+- Application Log Content
+- Host Status
+- Process Creation
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 1121
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_defender_1122.yml b/data_sources/windows_event_log_defender_1122.yml
index 669bbb0047..708c4a09aa 100644
--- a/data_sources/windows_event_log_defender_1122.yml
+++ b/data_sources/windows_event_log_defender_1122.yml
@@ -1,12 +1,18 @@
name: Windows Event Log Defender 1122
id: 4a2d0499-f489-4557-82f4-f357025cf3e7
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Defender 1122
+description: Logs an event when a process attempts to load a DLL that is blocked by
+ an attack surface reduction rule.
+mitre_components:
+- Application Log Content
+- Process Creation
+- Module Load
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 1122
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
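Review bot: The replaced `description` says the DLL load is "blocked by an attack surface reduction rule", but in Microsoft's ASR event reference 1122 is the audit-mode event (the rule fired and was logged without blocking); the block-mode event is 1121, which the sibling file in this commit already describes that way. Suggest `description: Logs an event when an attack surface reduction rule fires in audit mode, recording the action that would have been blocked.`. `Module Load` in `mitre_components` looks derived from the DLL wording and may need revisiting alongside it.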
diff --git a/data_sources/windows_event_log_defender_1129.yml b/data_sources/windows_event_log_defender_1129.yml
index 1227f6efa2..b5117c2fb1 100644
--- a/data_sources/windows_event_log_defender_1129.yml
+++ b/data_sources/windows_event_log_defender_1129.yml
@@ -1,12 +1,18 @@
name: Windows Event Log Defender 1129
id: 0572e119-a48a-4c70-bc58-90e453edacd2
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Defender 1129
+description: Logs an event when a user overrides a security policy set by an Attack
+ Surface Reduction rule in Microsoft Defender.
+mitre_components:
+- User Account Authentication
+- Security Policy Modification
+- Application Log Content
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 1129
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_defender_5007.yml b/data_sources/windows_event_log_defender_5007.yml
index 598ccc1740..7d43da8579 100644
--- a/data_sources/windows_event_log_defender_5007.yml
+++ b/data_sources/windows_event_log_defender_5007.yml
@@ -1,9 +1,12 @@
name: Windows Event Log Defender 5007
id: 27f18792-8d95-4871-8853-874b7faf023f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Defender 5007
+description: Logs an event when Windows Defender antimalware settings are modified.
+mitre_components:
+- Service Modification
+- Service Metadata
source: WinEventLog:Microsoft-Windows-Windows Defender/Operational
sourcetype: xmlwineventlog
separator: EventCode
diff --git a/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml b/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
index d17981dc1f..c0b00aad8d 100644
--- a/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
+++ b/data_sources/windows_event_log_microsoft_windows_terminalservices_rdpclient_1024.yml
@@ -1,9 +1,13 @@
name: Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
id: 2490537e-5e0c-46f7-9209-f56f852aa217
-version: 1
-date: '2024-11-21'
+version: 2
+date: '2025-01-23'
author: Michael Haag, Splunk
-description: Data source object for Windows Event Microsoft Windows TerminalServices RDPClient 1024
+description: Logs an event when a Remote Desktop Protocol (RDP) client successfully
+ connects to a remote host.
+mitre_components:
+- Network Connection Creation
+- Logon Session Creation
source: WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational
sourcetype: WinEventLog
separator: EventCode
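Review bot: The replaced `description` says the RDP client "successfully connects to a remote host", but event 1024 is raised at the start of the connection attempt, which the file's own sample in the next hunk shows: `OpCode=This event is raised during the connection process` and `Message=RDP ClientActiveX is trying to connect to the server`. Nothing in the event implies the connection succeeded, and detections reading this description would expect the wrong semantics. Suggest `description: Logs an event when a Remote Desktop Protocol (RDP) client attempts to connect to a remote host, including the target server address.`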
@@ -43,19 +47,9 @@ fields:
- sourcetype
- tag
- user
-example_log:
- 11/21/2024 06:09:16 PM
- LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational
- EventCode=1024
- EventType=4
- ComputerName=ar-win-5.attackrange.local
- User=NOT_TRANSLATED
- Sid=S-1-5-21-1731938146-2314223186-1848411941-500
- SidType=0
- SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore
- Type=Information
- RecordNumber=95
- Keywords=None
- TaskCategory=Connection Sequence
- OpCode=This event is raised during the connection process
- Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57)
\ No newline at end of file
+example_log: 11/21/2024 06:09:16 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational
+ EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED
+ Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore
+ Type=Information RecordNumber=95 Keywords=None TaskCategory=Connection Sequence
+ OpCode=This event is raised during the connection process Message=RDP ClientActiveX
+ is trying to connect to the server (34.221.50.57)
diff --git a/data_sources/windows_event_log_printservice_316.yml b/data_sources/windows_event_log_printservice_316.yml
index 66896969fe..a13491e365 100644
--- a/data_sources/windows_event_log_printservice_316.yml
+++ b/data_sources/windows_event_log_printservice_316.yml
@@ -1,12 +1,16 @@
name: Windows Event Log Printservice 316
id: 12f0be8b-22c0-4fdf-9468-b7ccca824d1d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Printservice 316
+description: Logs an event when printer drivers are installed or updated on the system.
+mitre_components:
+- Driver Load
+- Driver Metadata
source: WinEventLog:Microsoft-Windows-PrintService/Admin
sourcetype: WinEventLog
separator: EventCode
+separator_value: 316
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_printservice_808.yml b/data_sources/windows_event_log_printservice_808.yml
index bc9a09f66d..2f1c1363e4 100644
--- a/data_sources/windows_event_log_printservice_808.yml
+++ b/data_sources/windows_event_log_printservice_808.yml
@@ -1,12 +1,18 @@
name: Windows Event Log Printservice 808
id: e3a26785-4389-4830-8d7b-3dad4252719e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Printservice 808
+description: Logs an event when the print spooler service fails to load a printer
+ plug-in module.
+mitre_components:
+- Module Load
+- Application Log Content
+- Service Metadata
source: WinEventLog:Microsoft-Windows-PrintService/Admin
sourcetype: WinEventLog
separator: EventCode
+separator_value: 808
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
index 1081028aa2..17e1e81b90 100644
--- a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
+++ b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
@@ -1,12 +1,17 @@
name: Windows Event Log RemoteConnectionManager 1149
id: 08f9edb4-f95f-40be-b1dd-bc3a1cd95aaf
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log RemoteConnectionManager 1149
+description: Logs an event when a Remote Desktop Service session is initialized.
+mitre_components:
+- Network Connection Creation
+- Logon Session Creation
+- Logon Session Metadata
source: WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
sourcetype: wineventlog
separator: EventCode
+separator_value: 1149
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_1100.yml b/data_sources/windows_event_log_security_1100.yml
index 1e2404f690..f926bde8c2 100644
--- a/data_sources/windows_event_log_security_1100.yml
+++ b/data_sources/windows_event_log_security_1100.yml
@@ -1,12 +1,16 @@
name: Windows Event Log Security 1100
id: 2a25dafa-691e-4cb2-ae59-07a48867ed9a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 1100
+description: Logs an event when the event logging service has shut down.
+mitre_components:
+- Host Status
+- System Configuration Changes
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 1100
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
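Review bot: `System Configuration Changes` in `mitre_components` does not match any ATT&CK data component name I know of, whereas every other entry in this commit (`Host Status`, `Process Creation`, `Logon Session Creation`, …) is one; if the field is validated against the ATT&CK list this file will fail, and if it is not, the stray name may silently fall out of coverage mapping. `Host Status`, already listed, is the component ATT&CK uses for a logging service being stopped, so suggest dropping `- System Configuration Changes` or replacing it with a component that exists.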
diff --git a/data_sources/windows_event_log_security_1102.yml b/data_sources/windows_event_log_security_1102.yml
index 0646f5ad48..d66920335f 100644
--- a/data_sources/windows_event_log_security_1102.yml
+++ b/data_sources/windows_event_log_security_1102.yml
@@ -1,12 +1,17 @@
name: Windows Event Log Security 1102
id: 8db7b91a-6d7a-40e7-bfac-06f8e901a9cb
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 1102
+description: Logs an event when the audit log is cleared.
+mitre_components:
+- User Account Modification
+- Logon Session Metadata
+- File Deletion
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 1102
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
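Review bot: `User Account Modification` in `mitre_components` does not describe event 1102 (the audit log was cleared): the account in the event is the subject who cleared it, which `Logon Session Metadata` already covers, and no account is modified. Suggest replacing `- User Account Modification` with `- Host Status`, the component the sibling windows_event_log_security_1100 uses in this commit for a logging-service state change, and keeping `- File Deletion`.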
diff --git a/data_sources/windows_event_log_security_4624.yml b/data_sources/windows_event_log_security_4624.yml
index 4f02eeb290..823b6f2dee 100644
--- a/data_sources/windows_event_log_security_4624.yml
+++ b/data_sources/windows_event_log_security_4624.yml
@@ -1,12 +1,17 @@
name: Windows Event Log Security 4624
id: 08682968-0366-4882-9559-fe4fe018a846
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4624
+description: Logs an event when an account successfully logs on to a system.
+mitre_components:
+- Logon Session Creation
+- User Account Authentication
+- Logon Session Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4624
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4625.yml b/data_sources/windows_event_log_security_4625.yml
index 3928d3b9d6..5fdd9b3c21 100644
--- a/data_sources/windows_event_log_security_4625.yml
+++ b/data_sources/windows_event_log_security_4625.yml
@@ -1,12 +1,16 @@
name: Windows Event Log Security 4625
id: 365a02c2-7d18-4baf-b76e-d90c20bbe6ed
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4625
+description: Logs an event when an account fails to log on to a system.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4625
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4627.yml b/data_sources/windows_event_log_security_4627.yml
index dbb7cc5c55..85b2053016 100644
--- a/data_sources/windows_event_log_security_4627.yml
+++ b/data_sources/windows_event_log_security_4627.yml
@@ -1,12 +1,18 @@
name: Windows Event Log Security 4627
id: e35c7b9a-b451-4084-95a5-43b7f8965cac
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4627
+description: Logs an event when a successful account logon occurs and displays the
+ list of groups the logged-on account belongs to.
+mitre_components:
+- Logon Session Creation
+- Group Metadata
+- User Account Authentication
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4627
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4648.yml b/data_sources/windows_event_log_security_4648.yml
index 26445ed64d..41b1ea111d 100644
--- a/data_sources/windows_event_log_security_4648.yml
+++ b/data_sources/windows_event_log_security_4648.yml
@@ -1,12 +1,17 @@
name: Windows Event Log Security 4648
id: 6a367f8b-1ee0-463d-94a7-029757c6cd02
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4648
+description: Logged when an account logon is attempted by a process by explicitly
+ specifying the credentials of that account
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4648
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
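Review bot: The replaced `description` is the first in this run that drops the terminating period and switches from "Logs …" to "Logged when …"; windows_event_log_security_4662, windows_event_log_security_4663 and windows_event_log_security_4688 in this commit also end without a period while every other description here has one. Suggest `description: Logs an event when a logon is attempted by a process that explicitly specifies the credentials of another account.` and a terminating period on the other three, so the descriptions read consistently.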
diff --git a/data_sources/windows_event_log_security_4662.yml b/data_sources/windows_event_log_security_4662.yml
index 1970056294..e7ab4e16cb 100644
--- a/data_sources/windows_event_log_security_4662.yml
+++ b/data_sources/windows_event_log_security_4662.yml
@@ -1,12 +1,17 @@
name: Windows Event Log Security 4662
id: f3c2cd64-0b5f-4013-8201-35dc03828ec6
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4662
+description: Logs an event when a user accessed an object within the Active Directory,
+ such as creating, modifying, or deleting it
+mitre_components:
+- Active Directory Object Access
+- Active Directory Object Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4662
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4663.yml b/data_sources/windows_event_log_security_4663.yml
index 78a84369d9..0a9d7bc423 100644
--- a/data_sources/windows_event_log_security_4663.yml
+++ b/data_sources/windows_event_log_security_4663.yml
@@ -1,12 +1,17 @@
name: Windows Event Log Security 4663
id: 5d6dca8c-dad9-494f-a321-ef2b0b92fbf4
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4663
+description: Logs an event when a user or process tried to access a file, directory,
+ registry key, or other system object on the computer
+mitre_components:
+- File Access
+- File Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4663
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4672.yml b/data_sources/windows_event_log_security_4672.yml
index 69d9996108..b56a07aae1 100644
--- a/data_sources/windows_event_log_security_4672.yml
+++ b/data_sources/windows_event_log_security_4672.yml
@@ -1,12 +1,17 @@
name: Windows Event Log Security 4672
id: 43f189b6-369d-4a32-a34c-57e0d38d92f1
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4672
+description: Logs an event when a user with administrative privileges logs on to a
+ system.
+mitre_components:
+- Logon Session Creation
+- User Account Authentication
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4672
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
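Review bot: The new description on the `description:` line overstates what 4672 records — per Microsoft's Security auditing reference, 4672 is "Special privileges assigned to new logon", i.e. sensitive privileges (SeDebugPrivilege, SeTcbPrivilege, SeBackupPrivilege, …) were assigned to a logon session; it fires for SYSTEM and service logons as well, which is why it is so noisy in detections. I would change it to `description: Logs the assignment of sensitive privileges (e.g. SeDebugPrivilege, SeTcbPrivilege) to a new logon session, including SYSTEM and service logons.` The `User Account Authentication` component is arguably a stretch for this event, since no credential validation happens here; `Logon Session Metadata` seems the closer fit, but that depends on how strictly the project maps components.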
diff --git a/data_sources/windows_event_log_security_4688.yml b/data_sources/windows_event_log_security_4688.yml
index 8f0a3e3a57..11371fe6ff 100644
--- a/data_sources/windows_event_log_security_4688.yml
+++ b/data_sources/windows_event_log_security_4688.yml
@@ -1,12 +1,16 @@
name: Windows Event Log Security 4688
id: d195eb26-a81c-45ed-aeb3-25792e8a985a
-version: 2
-date: '2024-09-26'
+version: 3
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4688
+description: Logs the creation of a new process
+mitre_components:
+- Process Creation
+- Command Execution
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4688
configuration: Enabling Windows event log process command line logging via group policy
object https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_Windows_event_log_process_command_line_logging_via_group_policy_object
supported_TA:
diff --git a/data_sources/windows_event_log_security_4698.yml b/data_sources/windows_event_log_security_4698.yml
index 0aa1b8ab6a..27406cada2 100644
--- a/data_sources/windows_event_log_security_4698.yml
+++ b/data_sources/windows_event_log_security_4698.yml
@@ -1,12 +1,16 @@
name: Windows Event Log Security 4698
id: 32c06703-02d3-47ec-8856-b0dc3045866c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4698
+description: Logs an event when a new scheduled task is created
+mitre_components:
+- Scheduled Job Creation
+- Scheduled Job Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4698
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4699.yml b/data_sources/windows_event_log_security_4699.yml
index a0184e87ef..dc83e20aa6 100644
--- a/data_sources/windows_event_log_security_4699.yml
+++ b/data_sources/windows_event_log_security_4699.yml
@@ -1,12 +1,16 @@
name: Windows Event Log Security 4699
id: 4727dead-d063-4333-9ddd-59823a416aff
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4699
+description: Logs an event when a scheduled task is deleted from the system.
+mitre_components:
+- Scheduled Job Metadata
+- Scheduled Job Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4699
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4703.yml b/data_sources/windows_event_log_security_4703.yml
index 6d914bbc8c..972a05a8d9 100644
--- a/data_sources/windows_event_log_security_4703.yml
+++ b/data_sources/windows_event_log_security_4703.yml
@@ -1,12 +1,16 @@
name: Windows Event Log Security 4703
id: e256673b-16e8-4b74-b7aa-9eed6ce67072
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4703
+description: Logs an event when a token right is adjusted on a Windows system.
+mitre_components:
+- User Account Modification
+- Process Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4703
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4719.yml b/data_sources/windows_event_log_security_4719.yml
index 07f7261f0d..37a72cc312 100644
--- a/data_sources/windows_event_log_security_4719.yml
+++ b/data_sources/windows_event_log_security_4719.yml
@@ -1,12 +1,16 @@
name: Windows Event Log Security 4719
id: 954033e6-dd05-4775-a1f2-1f19632f4420
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4719
+description: Logs an event when a system audit policy is modified on a Windows system.
+mitre_components:
+- Service Modification
+- User Account Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4719
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4720.yml b/data_sources/windows_event_log_security_4720.yml
index bbed05f0b9..ddd763d21b 100644
--- a/data_sources/windows_event_log_security_4720.yml
+++ b/data_sources/windows_event_log_security_4720.yml
@@ -1,12 +1,15 @@
name: Windows Event Log Security 4720
id: 7ef1c9e5-691b-48c2-811b-eba91d2d2f1d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4720
+description: Logs an event when a new user account is created on a Windows system.
+mitre_components:
+- User Account Creation
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4720
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4724.yml b/data_sources/windows_event_log_security_4724.yml
index 1960e64264..133f957f91 100644
--- a/data_sources/windows_event_log_security_4724.yml
+++ b/data_sources/windows_event_log_security_4724.yml
@@ -1,12 +1,16 @@
name: Windows Event Log Security 4724
id: 117fe51f-93f8-4589-8e8b-c6b7b7154c7d
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4724
+description: Logs an event when an attempt is made to reset an account's password,
+ whether successful or not.
+mitre_components:
+- User Account Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4724
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4725.yml b/data_sources/windows_event_log_security_4725.yml
index 62a49da0e5..129eafcb4f 100644
--- a/data_sources/windows_event_log_security_4725.yml
+++ b/data_sources/windows_event_log_security_4725.yml
@@ -1,12 +1,15 @@
name: Windows Event Log Security 4725
id: 31fd887d-0d14-44cc-bb64-80063a9f2968
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4725
+description: Logs an event when a user account has been disabled in Active Directory.
+mitre_components:
+- User Account Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4725
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4726.yml b/data_sources/windows_event_log_security_4726.yml
index feb818c007..201285eee9 100644
--- a/data_sources/windows_event_log_security_4726.yml
+++ b/data_sources/windows_event_log_security_4726.yml
@@ -1,12 +1,15 @@
name: Windows Event Log Security 4726
id: 0b56dcd7-0f72-4a05-9226-d6059781737b
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4726
+description: Logs an event when a user account is deleted from Active Directory.
+mitre_components:
+- User Account Deletion
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4726
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4732.yml b/data_sources/windows_event_log_security_4732.yml
index 574c3dd7aa..5cab030eb0 100644
--- a/data_sources/windows_event_log_security_4732.yml
+++ b/data_sources/windows_event_log_security_4732.yml
@@ -1,12 +1,16 @@
name: Windows Event Log Security 4732
id: b0d61c5d-aefe-486a-9152-de45cc10fbb4
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4732
+description: Logs an event when a member is added to a security-enabled local group
+ on a Windows system.
+mitre_components:
+- Group Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4732
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4738.yml b/data_sources/windows_event_log_security_4738.yml
index 7ee6af3b45..45a903eb05 100644
--- a/data_sources/windows_event_log_security_4738.yml
+++ b/data_sources/windows_event_log_security_4738.yml
@@ -1,12 +1,16 @@
name: Windows Event Log Security 4738
id: cb85709b-101e-41a9-bb60-d2108f79dfbd
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4738
+description: Logs an event when a user account's properties, such as permissions or
+ memberships, are modified on a Windows system.
+mitre_components:
+- User Account Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4738
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
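Review bot: The "such as permissions or memberships" wording on the `description:` line is misleading — group-membership changes are logged as separate events (4728/4732/4756 for adds, 4729/4733/4757 for removes), while 4738 ("A user account was changed") carries attribute changes such as user account control flags, password-last-set, expiry and SID history. Suggest `description: Logs changes to a user account's attributes (e.g. user account control flags, password-last-set, account expiry), including the changed account and the account performing the action.` Leaving "memberships" in invites detections to look for group changes under the wrong event code.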
diff --git a/data_sources/windows_event_log_security_4739.yml b/data_sources/windows_event_log_security_4739.yml
index 4ac66f85a9..30b07c99ee 100644
--- a/data_sources/windows_event_log_security_4739.yml
+++ b/data_sources/windows_event_log_security_4739.yml
@@ -1,12 +1,17 @@
name: Windows Event Log Security 4739
id: c1e0442a-8a97-405d-baf2-057c5d68cd9a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4739
+description: Logs an event when a domain policy, such as account or lockout policy,
+ is modified in Active Directory or local security settings.
+mitre_components:
+- Group Modification
+- Active Directory Object Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4739
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4741.yml b/data_sources/windows_event_log_security_4741.yml
index 2d112fb492..8729366be5 100644
--- a/data_sources/windows_event_log_security_4741.yml
+++ b/data_sources/windows_event_log_security_4741.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 4741
id: ef87257f-e7d1-4856-abae-097b2cfdcdb4
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4741
+description: Logs the creation of a new computer account in Active Directory, including
+ details about the account name, domain, and the user performing the action.
+mitre_components:
+- Active Directory Object Creation
+- User Account Metadata
+- Application Log Content
+- Configuration Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4741
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4742.yml b/data_sources/windows_event_log_security_4742.yml
index 042c75ef93..34b90b0f8a 100644
--- a/data_sources/windows_event_log_security_4742.yml
+++ b/data_sources/windows_event_log_security_4742.yml
@@ -1,9 +1,15 @@
name: Windows Event Log Security 4742
id: ea830adf-5450-489a-bcdc-fb8d2cbe674c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4742
+description: Logs changes to the properties of a computer account in Active Directory,
+ including details about the modified attributes and the user performing the action.
+mitre_components:
+- Active Directory Object Modification
+- User Account Metadata
+- Application Log Content
+- Configuration Modification
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
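Review bot: This hunk does not add `separator_value: 4742` after the `separator: EventCode` line, while every sibling `windows_event_log_security_*` hunk in this commit does. The hunk only shows three context lines after the last addition, so it is possible the file already carries the value past line 9; if it does not, the data source object will lack the event-code filter the rest of the set now relies on and the file should get `separator_value: 4742`.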
diff --git a/data_sources/windows_event_log_security_4768.yml b/data_sources/windows_event_log_security_4768.yml
index 474534451e..c391a51cfe 100644
--- a/data_sources/windows_event_log_security_4768.yml
+++ b/data_sources/windows_event_log_security_4768.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 4768
id: 4a5fd6ed-66bd-4f34-bc74-51c00c73c298
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4768
+description: Logs Kerberos pre-authentication requests, including details about the
+ user account, authentication type, and client IP address.
+mitre_components:
+- User Account Authentication
+- Active Directory Credential Request
+- Logon Session Metadata
+- User Account Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4768
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
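Review bot: The `description:` line mislabels 4768 as "Kerberos pre-authentication requests"; per Microsoft's auditing reference, 4768 is "A Kerberos authentication ticket (TGT) was requested" (the AS-REQ), and pre-authentication is only one field on that event (`PreAuthType`). Failed pre-authentication is the separate event 4771, which this same commit describes correctly, so the two descriptions currently overlap. Suggest `description: Logs Kerberos authentication ticket (TGT) requests (AS-REQ), including the account name, client address, ticket encryption type, and pre-authentication type.`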
diff --git a/data_sources/windows_event_log_security_4769.yml b/data_sources/windows_event_log_security_4769.yml
index d8694a1dea..d8c0cf195b 100644
--- a/data_sources/windows_event_log_security_4769.yml
+++ b/data_sources/windows_event_log_security_4769.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 4769
id: 358d5520-f40b-4fa2-b799-966c030cb731
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4769
+description: Logs Kerberos service ticket requests, including details about the requesting
+ user, target service, and client IP address.
+mitre_components:
+- Active Directory Credential Request
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4769
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4771.yml b/data_sources/windows_event_log_security_4771.yml
index f31e4b50fe..7b6e030b23 100644
--- a/data_sources/windows_event_log_security_4771.yml
+++ b/data_sources/windows_event_log_security_4771.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 4771
id: 418debbb-adf3-48ec-9efd-59d45f8861e5
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4771
+description: Logs failed Kerberos pre-authentication attempts, including details about
+ the user account, client IP, and failure reason.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4771
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4776.yml b/data_sources/windows_event_log_security_4776.yml
index e6ea80b2c5..59ae2a4748 100644
--- a/data_sources/windows_event_log_security_4776.yml
+++ b/data_sources/windows_event_log_security_4776.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 4776
id: 1da9092a-c795-4a26-ace8-d43855524e96
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4776
+description: Logs NTLM authentication attempts, including details about the account
+ name, authentication status, and the originating workstation.
+mitre_components:
+- User Account Authentication
+- Logon Session Metadata
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4776
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_4781.yml b/data_sources/windows_event_log_security_4781.yml
index b807a5a1d9..2e6adff3c4 100644
--- a/data_sources/windows_event_log_security_4781.yml
+++ b/data_sources/windows_event_log_security_4781.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 4781
id: 9732ffe7-ebce-4557-865c-1725a0f633cb
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4781
+description: Logs changes made to the name of a computer account, including the old
+ and new names and the user performing the action.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Active Directory Object Modification
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4781
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
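Review bot: The `description:` line restricts 4781 to "the name of a computer account", but per Microsoft's auditing reference 4781 is "The name of an account was changed" and is raised for user accounts as well as computer accounts — an analyst reading this object would wrongly exclude user renames. Suggest `description: Logs the renaming of an account (user or computer), including the old and new names and the account performing the action.` The listed `User Account Modification` component already matches that broader scope.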
diff --git a/data_sources/windows_event_log_security_4794.yml b/data_sources/windows_event_log_security_4794.yml
index f3ea14b1c1..eae36c7c52 100644
--- a/data_sources/windows_event_log_security_4794.yml
+++ b/data_sources/windows_event_log_security_4794.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 4794
id: ec7da74f-274a-4bde-aa0e-15c68aca0426
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4794
+description: Logs attempts to set the Directory Services Restore Mode (DSRM) administrator
+ password, including details about the account name and the user performing the action.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: null
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
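Review bot: `separator_value: null` on the line after `separator: EventCode` is almost certainly a mistake — every other hunk in this commit sets the field to the event code named in the file, and a null separator value gives consumers nothing to filter on for a data source whose whole identity is EventCode 4794. It should read `separator_value: 4794`. If null is deliberate (e.g. the schema treats it as "match any"), that deserves a comment, since this is the DSRM-password-reset event and silently matching everything would defeat the purpose of the object.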
diff --git a/data_sources/windows_event_log_security_4798.yml b/data_sources/windows_event_log_security_4798.yml
index 0d64c1b297..c0fed04acf 100644
--- a/data_sources/windows_event_log_security_4798.yml
+++ b/data_sources/windows_event_log_security_4798.yml
@@ -1,9 +1,15 @@
name: Windows Event Log Security 4798
id: 29e97f72-eb2e-400e-b0c9-81277547e43b
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4798
+description: Logs an enumeration of local group membership on a system, including
+ details about the groups queried and the account performing the action.
+mitre_components:
+- Group Enumeration
+- Group Metadata
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
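Review bot: Like the 4742 hunk, this one adds no `separator_value: 4798` after `separator: EventCode` while the other Security event objects in the commit do; the hunk's context stops at line 9, so unless the file already has the value below that, it should be added for consistency. Separately, the `description:` wording "groups queried" slightly misstates 4798 — per Microsoft's reference it is "A user's local group membership was enumerated", i.e. the enumeration targets a user and the event records the target user, the calling account, and the caller process, which is what makes it useful for spotting reconnaissance tools. Suggest `description: Logs enumeration of a user's local group membership, including the target user, the calling account, and the process that performed the query.`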
diff --git a/data_sources/windows_event_log_security_4876.yml b/data_sources/windows_event_log_security_4876.yml
index 4d978151e4..2340e3fb35 100644
--- a/data_sources/windows_event_log_security_4876.yml
+++ b/data_sources/windows_event_log_security_4876.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 4876
id: 4a78722a-9cd9-44e8-b010-dffad5c7f170
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4876
+description: Logs the result of a cryptographic operation, including details about
+ the key, algorithm used, and whether the operation succeeded or failed.
+mitre_components:
+- Certificate Registration
+- User Account Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4876
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
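Review bot: The `description:` line ("result of a cryptographic operation, including details about the key, algorithm used") does not describe Event ID 4876 — per Microsoft's Security auditing reference, 4876 is "Certificate Services backup started", an Active Directory Certificate Services event on the CA host. Suggest `description: Logs the start of an Active Directory Certificate Services (AD CS) backup on a certification authority.` The `Certificate Registration` and `OS API Execution` components look like they were chosen for the wrong event; something like `Application Log Content` or `File Access` fits a CA backup better, though the exact mapping depends on the project's conventions.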
diff --git a/data_sources/windows_event_log_security_4886.yml b/data_sources/windows_event_log_security_4886.yml
index 3c82a3eb85..bf7533d343 100644
--- a/data_sources/windows_event_log_security_4886.yml
+++ b/data_sources/windows_event_log_security_4886.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 4886
id: c5abd97d-b468-451f-bd65-b4f97efa4ecc
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4886
+description: Logs the deletion of a cryptographic key container, including details
+ about the key container name and the user performing the action.
+mitre_components:
+- Certificate Registration
+- User Account Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4886
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
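Review bot: The `description:` line ("deletion of a cryptographic key container") is wrong for Event ID 4886 — per Microsoft's Security auditing reference, 4886 is "Certificate Services received a certificate request", logged on the CA with the request ID, requester, and request attributes. This is the event detections use to see enrollment attempts (e.g. ESC1-style template abuse), so the description should say so: `description: Logs that Active Directory Certificate Services received a certificate request, including the request ID, requester, and request attributes.` The `Certificate Registration` component matches that meaning; `OS API Execution` does not obviously apply here.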
diff --git a/data_sources/windows_event_log_security_4887.yml b/data_sources/windows_event_log_security_4887.yml
index 39f5cbb7cc..0bac032d6b 100644
--- a/data_sources/windows_event_log_security_4887.yml
+++ b/data_sources/windows_event_log_security_4887.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 4887
id: 994c7b19-a623-4231-9818-f00e453b9a75
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 4887
+description: Logs cryptographic operations performed by a Windows system, including
+ details about the certificate or key used and the operation type.
+mitre_components:
+- Certificate Registration
+- User Account Metadata
+- Application Log Content
+- OS API Execution
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4887
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
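Review bot: The `description:` line is too generic and partly wrong for Event ID 4887 — per Microsoft's Security auditing reference, 4887 is "Certificate Services approved a certificate request and issued a certificate", not arbitrary "cryptographic operations performed by a Windows system". Suggest `description: Logs that Active Directory Certificate Services approved a certificate request and issued a certificate, including the request ID, requester, subject, and request attributes.` Pairing this with 4886 (request received) is what lets a detection tell a denied or pending enrollment from an issued certificate, so the two descriptions should read as a pair.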
diff --git a/data_sources/windows_event_log_security_5136.yml b/data_sources/windows_event_log_security_5136.yml
index 9e685b1960..1cc73e726e 100644
--- a/data_sources/windows_event_log_security_5136.yml
+++ b/data_sources/windows_event_log_security_5136.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 5136
id: 7ba3737e-231e-455d-824e-cd077749f835
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 5136
+description: Logs modifications made to an Active Directory object, including details
+ about the object name, type, and the changes applied.
+mitre_components:
+- Active Directory Object Modification
+- Active Directory Object Access
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 5136
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5137.yml b/data_sources/windows_event_log_security_5137.yml
index aef4beca13..b7da687fc2 100644
--- a/data_sources/windows_event_log_security_5137.yml
+++ b/data_sources/windows_event_log_security_5137.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 5137
id: 64ed7bb1-9c3c-4355-ac08-b506ec3b053e
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 5137
+description: Logs the creation of a new Active Directory object, including details
+ about the object name, type, and the user performing the action.
+mitre_components:
+- Active Directory Object Creation
+- Active Directory Object Modification
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 5137
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5140.yml b/data_sources/windows_event_log_security_5140.yml
index 0687f2ebb5..537ad5db65 100644
--- a/data_sources/windows_event_log_security_5140.yml
+++ b/data_sources/windows_event_log_security_5140.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 5140
id: 93e0ca09-e4b8-4da6-872a-d0127c4d2b22
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 5140
+description: Logs access to a network share, including details about the user, share
+ path, and the access type.
+mitre_components:
+- Network Share Access
+- File Access
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 5140
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5141.yml b/data_sources/windows_event_log_security_5141.yml
index 07f144b980..cc5825f11b 100644
--- a/data_sources/windows_event_log_security_5141.yml
+++ b/data_sources/windows_event_log_security_5141.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 5141
id: eafb35fa-f034-4be3-8508-d9173a73c0a1
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 5141
+description: Logs the deletion of an Active Directory object, including details about
+ the object name, type, and the user performing the action.
+mitre_components:
+- Active Directory Object Deletion
+- Active Directory Object Modification
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 5141
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_security_5145.yml b/data_sources/windows_event_log_security_5145.yml
index 1d6560e36e..aadb0c15ea 100644
--- a/data_sources/windows_event_log_security_5145.yml
+++ b/data_sources/windows_event_log_security_5145.yml
@@ -1,12 +1,19 @@
name: Windows Event Log Security 5145
id: 0746479b-7b82-4d7e-8811-0b35da00f798
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log Security 5145
+description: Logs detailed information about access to a network share, including
+ the user, share path, accessed file, and access permissions.
+mitre_components:
+- Network Share Access
+- File Access
+- User Account Metadata
+- Application Log Content
source: XmlWinEventLog:Security
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 5145
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_4720.yml b/data_sources/windows_event_log_system_4720.yml
index d930d69759..de3cea6a37 100644
--- a/data_sources/windows_event_log_system_4720.yml
+++ b/data_sources/windows_event_log_system_4720.yml
@@ -1,12 +1,19 @@
name: Windows Event Log System 4720
id: f01d4758-05c8-4ac4-a9a5-33500dd5eb6c
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 4720
+description: Logs the creation of a new user account, including details about the
+ account name, associated domain, and the account performing the action.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Active Directory Object Creation
+- Application Log Content
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4720
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_4726.yml b/data_sources/windows_event_log_system_4726.yml
index 706432fb4e..2a4c9d93e3 100644
--- a/data_sources/windows_event_log_system_4726.yml
+++ b/data_sources/windows_event_log_system_4726.yml
@@ -1,12 +1,19 @@
name: Windows Event Log System 4726
id: 05e6b2df-b50e-441b-8ac8-565f2e80d62f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 4726
+description: Logs the deletion of a user account, including details about the account
+ name, associated domain, and the account performing the action.
+mitre_components:
+- User Account Deletion
+- User Account Metadata
+- Active Directory Object Modification
+- Application Log Content
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4726
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_4728.yml b/data_sources/windows_event_log_system_4728.yml
index 906b7cd67d..bf93ff45f0 100644
--- a/data_sources/windows_event_log_system_4728.yml
+++ b/data_sources/windows_event_log_system_4728.yml
@@ -1,12 +1,19 @@
name: Windows Event Log System 4728
id: 4549f0ac-3df9-4bfb-bea5-1459690c8040
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 4728
+description: Logs the addition of a user to a security-enabled group, including details
+ about the group name, user account, and associated domain.
+mitre_components:
+- Group Modification
+- Group Metadata
+- User Account Metadata
+- Active Directory Object Modification
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 4728
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_7036.yml b/data_sources/windows_event_log_system_7036.yml
index 2b5c6845fa..2d84bd44d8 100644
--- a/data_sources/windows_event_log_system_7036.yml
+++ b/data_sources/windows_event_log_system_7036.yml
@@ -1,12 +1,19 @@
name: Windows Event Log System 7036
id: a6e9b34f-1507-4fa1-a4ba-684d1b676a34
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 7036
+description: Logs state changes of a Windows service, including details about the
+ service name and its new state (e.g., started or stopped).
+mitre_components:
+- Service Metadata
+- OS API Execution
+- Application Log Content
+- Host Status
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 7036
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_7040.yml b/data_sources/windows_event_log_system_7040.yml
index 9a669d6262..0f26b121a0 100644
--- a/data_sources/windows_event_log_system_7040.yml
+++ b/data_sources/windows_event_log_system_7040.yml
@@ -1,12 +1,19 @@
name: Windows Event Log System 7040
id: 91738e9e-d112-41c9-b91b-e5868d8993d9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 7040
+description: Logs changes to the start type of a Windows service, including details
+ about the service name, old start type, and new start type.
+mitre_components:
+- Service Modification
+- Service Metadata
+- OS API Execution
+- Application Log Content
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 7040
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
diff --git a/data_sources/windows_event_log_system_7045.yml b/data_sources/windows_event_log_system_7045.yml
index 335efef1a8..87c78b1a51 100644
--- a/data_sources/windows_event_log_system_7045.yml
+++ b/data_sources/windows_event_log_system_7045.yml
@@ -1,12 +1,19 @@
name: Windows Event Log System 7045
id: 614dedc8-8a14-4393-ba9b-6f093cbcd293
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log System 7045
+description: Logs the successful installation of a new Windows service, including
+ details about the service name, executable path, and service type.
+mitre_components:
+- Service Creation
+- Service Metadata
+- OS API Execution
+- Process Metadata
source: XmlWinEventLog:System
sourcetype: xmlwineventlog
separator: EventCode
+separator_value: 7045
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
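Review bot: The description on L5864-5865 omits the two 7045 fields most service-persistence detections key on — the account the service runs as (Service Account) and the start type (Service Start Type) — and those are what separate a benign driver install from a persistence attempt, so a reader choosing this data source should see them listed. `Process Metadata` on L5870 is a loose fit since 7045 records the service's configured image path rather than a running process; `Service Creation` and `Service Metadata` already cover it. Suggested wording: `description: Logs the installation of a new Windows service, including the service name, image path, service type, start type, and the account the service runs as.`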
diff --git a/data_sources/windows_event_log_taskscheduler_200.yml b/data_sources/windows_event_log_taskscheduler_200.yml
index 979e053f1d..2348f6b3f8 100644
--- a/data_sources/windows_event_log_taskscheduler_200.yml
+++ b/data_sources/windows_event_log_taskscheduler_200.yml
@@ -1,12 +1,19 @@
name: Windows Event Log TaskScheduler 200
id: f8c777f8-e88a-4bba-ae8a-79b250212f23
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows Event Log TaskScheduler 200
+description: Logs the successful registration of a new scheduled task in Windows Task
+ Scheduler, including task details and configurations.
+mitre_components:
+- Scheduled Job Creation
+- Scheduled Job Metadata
+- Service Creation
+- OS API Execution
source: WinEventLog:Microsoft-Windows-TaskScheduler/Operational
sourcetype: wineventlog
separator: EventCode
+separator_value: 200
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
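Review bot: The new description on L5891-5892 and the `Scheduled Job Creation` component on L5894 do not match Task Scheduler event 200, which in the Microsoft-Windows-TaskScheduler/Operational channel is "Action started" (the scheduler launched the task's action in a given instance); task registration is event 106 and deletion is 141. A detection tagged with this object would be labelled as creation telemetry while actually observing execution, which matters for coverage mapping and for anyone tuning on it. Suggested wording: `description: Logs the launch of a scheduled task's action by the Windows Task Scheduler, including the task name, action path, and task instance id.` with components along the lines of `Scheduled Job Execution` / `Process Creation`; `Service Creation` on L5896 looks unrelated and should be dropped. Please confirm against a live event sample before pinning the description.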
diff --git a/data_sources/windows_iis.yml b/data_sources/windows_iis.yml
index a78d2107dd..b1e3d0539e 100644
--- a/data_sources/windows_iis.yml
+++ b/data_sources/windows_iis.yml
@@ -1,9 +1,15 @@
name: Windows IIS
id: 469335b3-b6ad-49e2-bbe6-47e15c1464a7
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows IIS
+description: Logs changes to IIS server configuration, including updates to settings,
+ modules, authentication methods, and site bindings.
+mitre_components:
+- Service Modification
+- Cloud Service Modification
+- Configuration Modification
+- Application Log Content
source: IIS:Configuration:Operational
sourcetype: IIS:Configuration:Operational
separator: EventID
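Review bot: `Cloud Service Modification` on L5922 does not fit this source: IIS:Configuration:Operational is an on-host Windows event channel for a locally installed web server, not a cloud-provider service, so tagging it with a cloud data component will mis-route ATT&CK coverage mapping; `Service Modification` and `Configuration Modification` already describe it. Suggest dropping that line. This object is also the only IIS one left without a `separator_value` while the per-event objects now pin one; a one-line YAML comment above `separator: EventID`, such as `# parent object: intentionally spans every EventID in this channel`, would spare the next reader the question of whether it was forgotten.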
diff --git a/data_sources/windows_iis_29.yml b/data_sources/windows_iis_29.yml
index 7657e0c52c..9ab6d3794a 100644
--- a/data_sources/windows_iis_29.yml
+++ b/data_sources/windows_iis_29.yml
@@ -1,12 +1,19 @@
name: Windows IIS 29
id: 1d99ddd7-7fec-4dea-bf4f-1f4906142328
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
author: Patrick Bareiss, Splunk
-description: Data source object for Windows IIS 29
+description: Logs modifications to IIS server authentication settings, including updates
+ to client certificate requirements and authentication methods.
+mitre_components:
+- Service Modification
+- Configuration Modification
+- Certificate Registration
+- Application Log Content
source: IIS:Configuration:Operational
sourcetype: IIS:Configuration:Operational
separator: EventID
+separator_value: 29
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
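Review bot: The description on L5941-5942 narrows EventID 29 to authentication and client-certificate changes, but in IIS:Configuration:Operational event 29 appears to be the generic "configuration changed" notification carrying the changed section and element path — the ESCU detections that consume it look for new entries under system.webServer/globalModules, which are module, not authentication, changes. If that holds, the `Certificate Registration` component on L5946 is an artefact of the narrowed reading and should go, and the description should describe the event as emitted: `description: Logs a configuration change applied to IIS (applicationHost.config), including the changed configuration section and element path, e.g. globalModules or authentication settings.` Please verify against a real event sample before pinning the description and components.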
diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml
index b50a17a3f6..43c8417a22 100644
--- a/detections/network/detect_outbound_ldap_traffic.yml
+++ b/detections/network/detect_outbound_ldap_traffic.yml
@@ -1,7 +1,7 @@
name: Detect Outbound LDAP Traffic
id: 5e06e262-d7cd-4216-b2f8-27b437e18458
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-01-23'
author: Bhavin Patel, Johan Bjerke, Splunk
status: production
type: Hunting
@@ -13,7 +13,10 @@ description: The following analytic identifies outbound LDAP traffic to external
this to access sensitive directory information, leading to data breaches or further
network compromise.
data_source:
-- Bro
+- Bro conn
+- Palo Alto Network Traffic
+- Splunk Stream TCP
+- Splunk Stream IP
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic
where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip