From 17436e62657f995c586dbbb9e3efe3f26507c07d Mon Sep 17 00:00:00 2001
From: admingit <pamphile.jocelyn@gmail.com>
Date: Fri, 26 Jan 2024 10:21:41 +0100
Subject: [PATCH] add_app&addon

---
 .../default/indexes.conf                      |  163 +-
 deployment-apps/Splunk_TA_windows/.DS_Store   |  Bin 0 -> 6148 bytes
 .../README/transforms.conf.spec               |    6 +
 deployment-apps/Splunk_TA_windows/THIRDPARTY  |   61 +
 deployment-apps/Splunk_TA_windows/VERSION     |    2 +
 .../Splunk_TA_windows/app.manifest            |   75 +
 .../appserver/static/appIcon.png              |  Bin 0 -> 3348 bytes
 .../appserver/static/appLogo.png              |  Bin 0 -> 4785 bytes
 .../bin/Invoke-MonitoredScript.ps1            |   89 +
 deployment-apps/Splunk_TA_windows/bin/log.py  |  120 +
 .../Splunk_TA_windows/bin/netsh_address.bat   |    5 +
 .../bin/powershell/2012r2-health.ps1          |   58 +
 .../bin/powershell/2012r2-repl-stats.ps1      |   17 +
 .../bin/powershell/2012r2-siteinfo.ps1        |   74 +
 .../bin/powershell/dns-health.ps1             |  114 +
 .../bin/powershell/dns-zoneinfo.ps1           |   79 +
 .../generate_windows_update_logs.ps1          |   20 +
 .../bin/powershell/nt6-health.ps1             |  170 ++
 .../bin/powershell/nt6-repl-stat.ps1          |    1 +
 .../bin/powershell/nt6-siteinfo.ps1           |   41 +
 .../bin/powershell/windows_bios_data.ps1      |    5 +
 .../Splunk_TA_windows/bin/runpowershell.cmd   |   14 +
 .../bin/user_account_control_property.py      |  112 +
 .../bin/win_installed_apps.bat                |   67 +
 .../bin/win_listening_ports.bat               |   50 +
 .../bin/win_timesync_configuration.bat        |   21 +
 .../bin/win_timesync_status.bat               |   28 +
 .../Splunk_TA_windows/default/app.conf        |   28 +
 .../Splunk_TA_windows/default/eventtypes.conf |  761 +++++++
 .../Splunk_TA_windows/default/inputs.conf     |  442 ++++
 .../Splunk_TA_windows/default/macros.conf     |   38 +
 .../Splunk_TA_windows/default/props.conf      | 1946 +++++++++++++++++
 .../Splunk_TA_windows/default/tags.conf       |  674 ++++++
 .../Splunk_TA_windows/default/transforms.conf | 1445 ++++++++++++
 .../Splunk_TA_windows/default/wmi.conf        |  152 ++
 .../default/workflow_actions.conf             |   50 +
 .../Splunk_TA_windows/local/inputs.conf       |   29 +
 .../lookups/dns_recordclass_lookup.csv        |    8 +
 .../lookups/msad_group_type.csv               |    5 +
 .../lookups/msdhcp_signatures.csv             |   80 +
 .../lookups/object_category_850.csv           |    2 +
 .../Splunk_TA_windows/lookups/status_850.csv  |    2 +
 .../Splunk_TA_windows/lookups/user_types.csv  |    2 +
 .../lookups/vendor_actions.csv                |   11 +
 .../lookups/windows_actions.csv               |   18 +
 .../lookups/windows_apps.csv                  |   21 +
 .../lookups/windows_audit_changes_860.csv     |   65 +
 .../lookups/windows_dns_action_lookup.csv     |   43 +
 .../lookups/windows_dns_query_type_lookup.csv |    4 +
 .../windows_endpoint_port_transport.csv       |    3 +
 .../windows_endpoint_service_service_name.csv |    9 +
 .../windows_endpoint_service_service_type.csv |    6 +
 .../lookups/windows_eventtypes.csv            |    7 +
 .../lookups/windows_privileges.csv            |   29 +
 .../lookups/windows_severities.csv            |    7 +
 .../lookups/windows_signatures_860.csv        |  540 +++++
 .../windows_signatures_substatus_850.csv      |   41 +
 .../lookups/windows_start_mode_lookup.csv     |    6 +
 .../lookups/windows_timesync_actions.csv      |    3 +
 .../lookups/windows_update_statii.csv         |   10 +
 .../windows_wineventlog_change_action_860.csv |   25 +
 ...s_wineventlog_change_object_fields_860.csv |   52 +
 .../lookups/wmi_user_account_status.csv       |    3 +
 .../lookups/wmi_version_range.csv             |    2 +
 ...hange_audit_and_account_management_860.csv |   51 +
 .../lookups/xmlsecurity_eventcode_action.csv  |  362 +++
 ...mlsecurity_eventcode_action_multiinput.csv |  197 ++
 ...xmlsecurity_eventcode_errorcode_action.csv |  557 +++++
 .../Splunk_TA_windows/metadata/default.meta   |    5 +
 .../Splunk_TA_windows/splunkbase.manifest     |  349 +++
 .../Splunk_TA_windows/static/appIcon.png      |  Bin 0 -> 3348 bytes
 .../Splunk_TA_windows/static/appIconAlt.png   |  Bin 0 -> 3348 bytes
 .../static/appIconAlt_2x.png                  |  Bin 0 -> 6738 bytes
 .../Splunk_TA_windows/static/appIconLg.png    |  Bin 0 -> 6738 bytes
 .../Splunk_TA_windows/static/appIconLg_2x.png |  Bin 0 -> 15057 bytes
 .../Splunk_TA_windows/static/appIcon_2x.png   |  Bin 0 -> 6738 bytes
 76 files changed, 9481 insertions(+), 1 deletion(-)
 create mode 100644 deployment-apps/Splunk_TA_windows/.DS_Store
 create mode 100644 deployment-apps/Splunk_TA_windows/README/transforms.conf.spec
 create mode 100644 deployment-apps/Splunk_TA_windows/THIRDPARTY
 create mode 100644 deployment-apps/Splunk_TA_windows/VERSION
 create mode 100644 deployment-apps/Splunk_TA_windows/app.manifest
 create mode 100644 deployment-apps/Splunk_TA_windows/appserver/static/appIcon.png
 create mode 100644 deployment-apps/Splunk_TA_windows/appserver/static/appLogo.png
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/Invoke-MonitoredScript.ps1
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/log.py
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/netsh_address.bat
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-health.ps1
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-repl-stats.ps1
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-siteinfo.ps1
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/powershell/dns-health.ps1
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/powershell/dns-zoneinfo.ps1
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/powershell/generate_windows_update_logs.ps1
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/powershell/nt6-health.ps1
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/powershell/nt6-repl-stat.ps1
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/powershell/nt6-siteinfo.ps1
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/powershell/windows_bios_data.ps1
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/runpowershell.cmd
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/user_account_control_property.py
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/win_installed_apps.bat
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/win_listening_ports.bat
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/win_timesync_configuration.bat
 create mode 100644 deployment-apps/Splunk_TA_windows/bin/win_timesync_status.bat
 create mode 100644 deployment-apps/Splunk_TA_windows/default/app.conf
 create mode 100644 deployment-apps/Splunk_TA_windows/default/eventtypes.conf
 create mode 100644 deployment-apps/Splunk_TA_windows/default/inputs.conf
 create mode 100644 deployment-apps/Splunk_TA_windows/default/macros.conf
 create mode 100644 deployment-apps/Splunk_TA_windows/default/props.conf
 create mode 100644 deployment-apps/Splunk_TA_windows/default/tags.conf
 create mode 100644 deployment-apps/Splunk_TA_windows/default/transforms.conf
 create mode 100644 deployment-apps/Splunk_TA_windows/default/wmi.conf
 create mode 100644 deployment-apps/Splunk_TA_windows/default/workflow_actions.conf
 create mode 100644 deployment-apps/Splunk_TA_windows/local/inputs.conf
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/dns_recordclass_lookup.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/msad_group_type.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/msdhcp_signatures.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/object_category_850.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/status_850.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/user_types.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/vendor_actions.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_actions.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_apps.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_audit_changes_860.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_dns_action_lookup.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_dns_query_type_lookup.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_port_transport.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_name.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_type.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_eventtypes.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_privileges.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_severities.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_signatures_860.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_signatures_substatus_850.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_start_mode_lookup.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_timesync_actions.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_update_statii.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_wineventlog_change_action_860.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/windows_wineventlog_change_object_fields_860.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/wmi_user_account_status.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/wmi_version_range.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_change_audit_and_account_management_860.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action_multiinput.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_errorcode_action.csv
 create mode 100644 deployment-apps/Splunk_TA_windows/metadata/default.meta
 create mode 100644 deployment-apps/Splunk_TA_windows/splunkbase.manifest
 create mode 100644 deployment-apps/Splunk_TA_windows/static/appIcon.png
 create mode 100644 deployment-apps/Splunk_TA_windows/static/appIconAlt.png
 create mode 100644 deployment-apps/Splunk_TA_windows/static/appIconAlt_2x.png
 create mode 100644 deployment-apps/Splunk_TA_windows/static/appIconLg.png
 create mode 100644 deployment-apps/Splunk_TA_windows/static/appIconLg_2x.png
 create mode 100644 deployment-apps/Splunk_TA_windows/static/appIcon_2x.png

diff --git a/deployment-apps/02-M-TIC_idx_indexes_base/default/indexes.conf b/deployment-apps/02-M-TIC_idx_indexes_base/default/indexes.conf
index 9963df42..4a616eb5 100755
--- a/deployment-apps/02-M-TIC_idx_indexes_base/default/indexes.conf
+++ b/deployment-apps/02-M-TIC_idx_indexes_base/default/indexes.conf
@@ -92,4 +92,165 @@ repFactor = auto
 #maxHotBuckets = 10
 
 [wineventlog]
-#maxHotBuckets = 10
\ No newline at end of file
+#maxHotBuckets = 10
+
+# Overview. Below you will find the basic indexes.conf settings for
+# setting up your indexes in Splunk. We separate into different indexes 
+# to allow for performance (in some cases) or data isolation in others. 
+# All indexes come preconfigured with a relatively short retention period 
+# that should work for everyone, but if you have more disk space, we 
+# encourage (and usually see) longer retention periods, particularly 
+# for security customers.
+
+# Endpoint Indexes used for Splunk Security Essentials. 
+# If you have the sources, other standard indexes we recommend include:
+# epproxy - Local Proxy Activity
+
+[epav]
+coldPath = $SPLUNK_DB/epav/colddb
+homePath = $SPLUNK_DB/epav/db
+thawedPath = $SPLUNK_DB/epav/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[epfw]
+coldPath = $SPLUNK_DB/epnet/colddb
+homePath = $SPLUNK_DB/epnet/db
+thawedPath = $SPLUNK_DB/epnet/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[ephids]
+coldPath = $SPLUNK_DB/epmon/colddb
+homePath = $SPLUNK_DB/epmon/db
+thawedPath = $SPLUNK_DB/epmon/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[epintel]
+coldPath = $SPLUNK_DB/epweb/colddb
+homePath = $SPLUNK_DB/epweb/db
+thawedPath = $SPLUNK_DB/epweb/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[oswin]
+coldPath = $SPLUNK_DB/oswin/colddb
+homePath = $SPLUNK_DB/oswin/db
+thawedPath = $SPLUNK_DB/oswin/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[oswinsec]
+coldPath = $SPLUNK_DB/oswinsec/colddb
+homePath = $SPLUNK_DB/oswinsec/db
+thawedPath = $SPLUNK_DB/oswinsec/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[oswinscript]
+coldPath = $SPLUNK_DB/oswinscript/colddb
+homePath = $SPLUNK_DB/oswinscript/db
+thawedPath = $SPLUNK_DB/oswinscript/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[oswinperf]
+coldPath = $SPLUNK_DB/oswinperf/colddb
+homePath = $SPLUNK_DB/oswinperf/db
+thawedPath = $SPLUNK_DB/oswinperf/thaweddb
+frozenTimePeriodInSecs = 604800 
+#7 days
+
+[osnix]
+coldPath = $SPLUNK_DB/osnix/colddb
+homePath = $SPLUNK_DB/osnix/db
+thawedPath = $SPLUNK_DB/osnix/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[osnixsec]
+coldPath = $SPLUNK_DB/osnixsec/colddb
+homePath = $SPLUNK_DB/osnixsec/db
+thawedPath = $SPLUNK_DB/osnixsec/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[osnixscript]
+coldPath = $SPLUNK_DB/osnixscript/colddb
+homePath = $SPLUNK_DB/osnixscript/db
+thawedPath = $SPLUNK_DB/osnixscript/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[osnixperf]
+coldPath = $SPLUNK_DB/osnixperf/colddb
+homePath = $SPLUNK_DB/osnixperf/db
+thawedPath = $SPLUNK_DB/osnixperf/thaweddb
+frozenTimePeriodInSecs = 604800 
+#7 days
+
+# Network Indexes used for Splunk Security Essentials
+# If you have the sources, other standard indexes we recommend include:
+# netauth - for network authentication sources
+# netflow - for netflow data
+# netids - for dedicated IPS environments
+# netipam - for IPAM systems
+# netnlb - for non-web server load balancer data (e.g., DNS, SMTP, SIP, etc.)
+# netops - for general network system data (such as Cisco iOS non-netflow logs)
+# netvuln - for Network Vulnerability Data
+
+[netdns]
+coldPath = $SPLUNK_DB/netdns/colddb
+homePath = $SPLUNK_DB/netdns/db
+thawedPath = $SPLUNK_DB/netdns/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[mail]
+coldPath = $SPLUNK_DB/mail/colddb
+homePath = $SPLUNK_DB/mail/db
+thawedPath = $SPLUNK_DB/mail/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[netfw]
+coldPath = $SPLUNK_DB/netfw/colddb
+homePath = $SPLUNK_DB/netfw/db
+thawedPath = $SPLUNK_DB/netfw/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[netops]
+coldPath = $SPLUNK_DB/netops/colddb
+homePath = $SPLUNK_DB/netops/db
+thawedPath = $SPLUNK_DB/netops/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[netproxy]
+coldPath = $SPLUNK_DB/netproxy/colddb
+homePath = $SPLUNK_DB/netproxy/db
+thawedPath = $SPLUNK_DB/netproxy/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+[netvpn]
+coldPath = $SPLUNK_DB/netvpn/colddb
+homePath = $SPLUNK_DB/netvpn/db
+thawedPath = $SPLUNK_DB/netvpn/thaweddb
+frozenTimePeriodInSecs = 2592000
+#30 days
+
+
+# Splunk Security Essentials doesn't have examples of Application Security, 
+# but if you want to ingest those logs, here are the recommended indexes:
+# appwebint - Internal WebApp Access Logs
+# appwebext - External WebApp Access Logs
+# appwebintrp - Internal-facing Web App Load Balancers
+# appwebextrp - External-facing Web App Load Balancers
+# appwebcdn - CDN logs for your website
+# appdbserver - Database Servers
+# appmsgserver - Messaging Servers
+# appint - App Servers for internal-facing apps 
+# appext - App Servers for external-facing apps 
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_windows/.DS_Store b/deployment-apps/Splunk_TA_windows/.DS_Store
new file mode 100644
index 0000000000000000000000000000000000000000..a0df72195a04cc6446f0215be796cc99e33c30dc
GIT binary patch
literal 6148
zcmeHK+iDX*82%?&lTE4^P(cK7!P`(9Tg2c^ngbZnD%nyIm6&bPx^%l6vYSQ-f!wRF
z;46r?zK6bxSNhGNusiW^XN%0g%zShB{@Iyt=deRWtT`Rlh$=*6BXG3Jh<;(bo`)67
zsglb;CfYcr0fpq#0gYDJrobp*6gY1R@U?ppt9FcMozm+!rlcE0`(6-v;P4G%8)5y2
zFr<h|$}h%hpU?@9HIGl4N1i<F4q=wXZfdL|4bj#CTAxy&_kz9qGuxZRW7X#`-Z=2%
zWMktS%jK;Lg`#cSYxXPmO*C_pK{Ab-gUJh?+l`{YJ53L~J%2RoSFX0AFd6vaXd)c^
z;RuwM&-`#0&6?3P9LB=el@)fWRO(l5%;%f+t*TS2-MhP}I`i7r=KZQuuh$lfl6~#=
zod>=CQE(ha?=c1#!>%dplEPE?fP|*Pi8~2{C_F?B_p<2`b*V)i+94OQt7-Zjob<OU
zLdgiv5i}iBoMq>Dt7*24nJ}URUtov;)c9XDet~-E!#1_)F?F)sd`sh&(_GBCgx>1k
zIR9Dmxk52|9iZ<aM&O}Oe9rx4zFN1mRtoUqV@faw_p`mUxZ-IA%Ct)lp>PjldWw<t
zkbj=_5$oY&YCRNb4=VKVJ-YOSb~H9$3u!j8XKZTr*=uLq5A%AXfKlN5DZuv!2Z3Wl
z;Zma5IuMB~0MJ6QFr@jf0{3wgHWV%;q6WsKD^R*Jb;V%P9p#SVH54u-N_S%F^1;-b
znYy7c@piQD2s*KbL=zhYi~?B&@-kcD=YQw-_y4Su$r%NV0{@i)%xb&sCWfTW)|J8W
wv(`a)jlhlbmJ)>vB6S>#1V4(eBM3vC!xO-U!lgu%z|4<;kikSofq$yNPnaC{3jhEB

literal 0
HcmV?d00001

diff --git a/deployment-apps/Splunk_TA_windows/README/transforms.conf.spec b/deployment-apps/Splunk_TA_windows/README/transforms.conf.spec
new file mode 100644
index 00000000..8ddba4e7
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/README/transforms.conf.spec
@@ -0,0 +1,6 @@
+[user_account_control_property]
+python.version = {default|python|python2|python3}
+* For Splunk 8.0.x and Python scripts only, selects which Python version to use.
+* Either "default" or "python" select the system-wide default Python version.
+* Optional.
+* Default: not set; uses the system-wide Python version.
diff --git a/deployment-apps/Splunk_TA_windows/THIRDPARTY b/deployment-apps/Splunk_TA_windows/THIRDPARTY
new file mode 100644
index 00000000..73053b21
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/THIRDPARTY
@@ -0,0 +1,61 @@
+================================================================================
+================================================================================
+
+          Third-Party Software for splunk-add-on-for-microsoft-windows
+
+--------------------------------------------------------------------------------
+
+The following 3rd-party software packages may be used by or distributed with splunk-add-on-for-microsoft-windows. Any information relevant to third-party vendors listed below are collected using common, reasonable means.
+
+Date generated: 2023-8-2
+
+Revision ID: c9bc8d87d1c4dbd6a12e48965c4ccce720073fbb
+
+================================================================================
+================================================================================
+
+
+
+
+================================================================================
+
+                                Declared License
+
+================================================================================
+
+No declared license found for splunk-add-on-for-microsoft-windows
+
+
+
+
+================================================================================
+
+                              First Party Licenses
+
+================================================================================
+
+No licenses found
+
+
+
+
+
+================================================================================
+
+                                  Dependencies
+
+================================================================================
+
+
+
+
+================================================================================
+                                    License
+
+================================================================================
+
+
+--------------------------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+Report Generated by FOSSA on 2023-8-2
diff --git a/deployment-apps/Splunk_TA_windows/VERSION b/deployment-apps/Splunk_TA_windows/VERSION
new file mode 100644
index 00000000..530ee76e
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/VERSION
@@ -0,0 +1,2 @@
+8.8.0
+8.8.0
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_windows/app.manifest b/deployment-apps/Splunk_TA_windows/app.manifest
new file mode 100644
index 00000000..b4fdf381
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/app.manifest
@@ -0,0 +1,75 @@
+{
+  "dependencies": null,
+  "incompatibleApps": {
+    "Splunk_TA_microsoft_ad": "<=1.0.0",
+    "Splunk_TA_microsoft_dns": "<=1.0.1"
+  },
+  "info": {
+    "author": [
+      {
+        "name": "Splunk, Inc.",
+        "email": null,
+        "company": null
+      }
+    ],
+    "classification": {
+      "categories": [
+        "IT Operations",
+        "Utilities",
+        "Security, Fraud & Compliance"
+      ],
+      "developmentStatus": "Production/Stable",
+      "intendedAudience": "IT Professionals"
+    },
+    "commonInformationModels": {
+      "Application_State": "==4.15.0",
+      "Authentication": "==4.18.0",
+      "Change": "==4.18.0",
+      "Change_Analysis": "==4.15.0",
+      "Compute_Inventory": "==4.15.0",
+      "Endpoint": "==4.18.0",
+      "Event_Signatures": "==4.18.0",
+      "Network_Sessions": "==4.15.0",
+      "Performance": "==4.15.0",
+      "Updates": "==4.15.0",
+      "Vulnerabilities": "==4.15.0"
+    },
+    "description": "Splunk Add-on for Microsoft Windows",
+    "id": {
+      "group": null,
+      "name": "Splunk_TA_windows",
+      "version": "8.8.0"
+    },
+    "license": {
+      "name": null,
+      "text": "LICENSES/LicenseRef-Splunk-8-2021.txt",
+      "uri": null
+    },
+    "privacyPolicy": {
+      "name": null,
+      "text": null,
+      "uri": null
+    },
+    "releaseDate": null,
+    "releaseNotes": {
+      "name": "README",
+      "text": "./README.txt",
+      "uri": "http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes"
+    },
+    "title": "Splunk Add-on for Microsoft Windows"
+  },
+  "inputGroups": null,
+  "platformRequirements": null,
+  "schemaVersion": "2.0.0",
+  "supportedDeployments": [
+    "_standalone",
+    "_distributed",
+    "_search_head_clustering"
+  ],
+  "targetWorkloads": [
+    "_search_heads",
+    "_forwarders",
+    "_indexers"
+  ],
+  "tasks": null
+}
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_windows/appserver/static/appIcon.png b/deployment-apps/Splunk_TA_windows/appserver/static/appIcon.png
new file mode 100644
index 0000000000000000000000000000000000000000..88f67e7257157937dd747b21af2c7af4d3432386
GIT binary patch
literal 3348
zcma)<2{=@HAIGO|3uDQ?moauRW5!r!EEzL)(?znh&=`Y>S<H;>RYdl!8)Zv)O(+#g
zWeN4h;963WrLIC_DM?ACYw*rUx9(H#a-QdZ&j0++@B8^J|K)j3it}Du5ugGP004;C
z+hJXKPc?oM*v7k$1M>2Ck4+3$TPr}-eWjPY7eShx7XttglH|8dfPz9f0ANcT$<34L
ziE}~`sALG<kLpW=M38AbYXHD30>$f+iA+2wf*ed?pd!q{>lP?ppFa!*gVs%$LFQmj
zoHGbRr4vDh5ClXYYykv;KxTA5f0QfMW<$<<GY1DUnKTp>8Xg`F2{(XH=>bp}5{ZQB
z!=Z4v9?wFL5lLa<BlIW?)i02*94wJRpp$4!5|sktbMd~^P^LK;%y;zHwGk(ohQs~k
zio)2)i<coZ0#Ad&Ao@@;8TvCNgXv2A7UWNr47W%c5$Z~0P($eiBF|j)XCNlY|37f}
zU)DqTnT%KO{~q^WHQ}Xf#<RxZP*@_J6h`#3p;O80g`wf;3?e^BbMV(FzgO{v>uI7$
z6b2JdArS4c7CaJ!MDjx+;0A_<L<B+)hQQ<X5HL7W&&1cjM2~1fz!MGqktW6nLo?_P
z^1sc&2HlTJ2qhCK%niC9k8Xo8wt>Nn5&Fh(eIpYX3=K2FV6aGxwK38dV}n3^C4VRV
zMmB@~knZ{-`!e@mYw@E~0~0Hl3DO3Qurfr#VAh5va5&c5NZ$sIHa37EOnB*RaKA~v
zbNc0*{g0K}z#{(__B-hh*k9?S01^csjQ!@CKN0_5slG(^6U29J_-hTtGvQ4Gp1*M{
zU}n%C#=f)XF;N&g5znO3-Kf-H3pD>c067OznN&s~l?K9KKyZB+0;Gk*6G#;Pp!RzC
z{wCVsnL+ux^t)aA<w#f`<(&x@K%VmJ`C<VqA0g%d00O)1v1m6>LALwBV5I=*)v4>X
zwX+{a+pA^=!tAn#heIF~)nLr4j6lcD*ks4uodkOl8WbXKC$KeTyIOpNB~Zf7%x!X$
zbQdNvFy7%}mYl#<R@)KNOx&ws`@);Gw{LxdN97Amb88KDnTnR~*xOOG(pR{)-1m8^
z&|rG4teQJPx}68bJlb!U6~AMGuC%=@PO#bG<blq!_$x9h#$C>C@+H47Lp2)Du10fg
zde`di-%{fATaQ~kzNd3$oBaOJM#n%FJ88l1oKY|^UcuEea<dvRUH8qH;x%qGBy()p
zt2Q%SDurtxZaK*f$@$})UvX<=8>OkD<Td8_zpNwkdRaT(Z<U=N=HybsN*4+%#0Xn^
z+MBu$Pg!gwQlsC`;Ehh93ynJ(Kb+84DF|V4th*An$!-xLC-ubEymU`ax0B!VR&V5%
zz|%036(6G&VHc@nv5MdonRh}{j-CsZ<7j_n#Qe+Vkl7DP!W!(B`Dzt^xu$r%{z#)p
zPS7v9OO^nt$jL25?Vz@sV{8A=CJeptn5syh?L4ggnl?RU+oiGcP)bm@d+}gHd?qor
z>_gKDeF=ij>}J;ON~^pKfzzsO(Sp#_0@Jc1q!ErIK4{>gZodm;R6RbYq*FLt=_xz`
z?|-RNCH5vcdr;f?f|yc@yO3~{cy)WrFS*@kR`i3;aZNNFGxw#4g*t%QQTg^U99J=d
z(3WsjEJdhH80n_I{~>$U6Z=H#s<^gDfvfu9WRKc$y@Cq~rB12$u!;H7*26mwd1GT=
zAGlDO;*i*RRxR~OnwV^Od4%l90zzRCBXId~lduZ1r+SOL3fxDdMZyh?7LmCQ?h<3u
zMPJ^N!p}P2GRSnVv?bS%;;)|}L?29z7wm?(c(~)e)EBZX-N<n|FDG_S3urHAh85ic
zp0KhIF~|sr^0}K5OI69$I|4x_7SMM4&#&0il|-O>-b*qOOh;LNZ}z=cw*ymOw-05m
z$u+vA)s^>+akBTcPH(@Hi8<d<)^k9-uK$JWh>mY>y}EivH};A`<AJ2$5cyLBuhC7@
zk;CQj2QS%oPU>j29iH;d(w-mj%^EfWN6*M5?nobdalE4@FF($u$Je7(Fra2uD1v*9
za>H<rHZ?@S$8<B~X3TV$k53<H(qD2s28os^sKozjd+L3EK+CDB#MZsK192Vais^}{
zme`|LrOU3zKJUHbczOWV1kEh>RE*vewYA)9N`ZN1m36qHJ2B(NXVHn#ikdpsj=Ef#
z2Zx@=#W)?puCZ+2_NOS1-F>6!B6*p8^OMGdU32V9zsAU#n=XrsCcq40L|T_$*i}7i
z9WS28;Jh*16he(7JTa=snmZOE{4t}X_LAa|tVYQ7Pu(W<L1J@yJ10~lN*iR|(e2F>
zx?7VRYTV!#O=5TKxi0(o;nA*&gg*<mE!MGN^tbyauEs1+RiF08sZ@H5XDhGhy4PM_
zYCTvD_UUA491uF3c0@Z;HvjhBo2CRUDIvehGUVR5PQ^&4(Y&$Ff8L%0CH^@vd?y?r
zZl3z4%3EotNv5qL>Nle*S6qK?@%=kVRRyXu&qlT<q`Kuu&)|1rnu|*&_PdnRsyJEB
z()~d$e^yGJ>2_0WkOGejls&ctH)svUP&w9>tZFM(=V-k-?xR!>^#1s(9#erJyxijE
zzVpcRp;ayr-XMH`bxx$|Sh;L&fXzb*#qxy;1qb==nF}>9{kX5$#`+77j_2i{v)MPA
z^tLa><)1O{+QPLu;AM<mx$RJ2+aS%B#UAa{_*hOC+<VU_pmk$1HTqqW$sfk)cYGR7
zFkZx{ZQgd=OQzXV;Bvk+2PofD9^2Nn^U9U7wkHgG6fCRg{uO771-E4qCv@ht*3^8@
zc>khL$x}x=-N~6=${2TG)=tgU)3dPSDS_&{FeP1Bd`u)?T5^cGcf6Vq0L!h<Ok4Xb
z?LVF43>mIptQK18ZJ_>gE7K32k<!rZ=~=|i*xD$WJyTh!ktI5EC*|{`yqQdD?5t;+
z%f9GUTjkmz8KK_@>S{obhwh<(Yc$C>{vD?)EFO9r#Gkv&vUABWOo;vSEv10kese%;
zhLeI48K`Y^Q6#mxeta&6)2zv+nP*^18z5JTY(pb74e!h4FkS>^h*)ZFPM{~k4H8k!
z%8jmRXD1C2Z!U%is>=>KKa!LD-~t!=gWG9|y>QV9*OlFH@?cp0l-|(-@rQKeq=upC
zU{YX4<%2<VeHJNM&w3xLROQJ9A#Hq(c{eQOibHYBw(Mi?G>dW44{opu!lItZ&)jm7
zOw0~hM%}C_B@5(-gIl{6?&8k*FDdVRwop?Q7n2rNgfe2)L({HW>71cw*0tZbI8^_L
zGl-4-X!_1+l}$mf9C}TBwh5OfE)+js!r5*2mbj@z+2b0z_qI-7a%?pB_f+p5;1*U>
zbNWZovzv;nBs8}vD@rX{o3YTyWWlao{_o}5mf*{>#<t0$^_oTspYvWcd>B_tKL5lc
zIDw|woFCd$@y_OX@_dq3)FzeRRjj1Lj%kd)w^tvY-CgJ7n=5*r9kF;ySxMbO6gc;h
zF+7GA^IcP`4>&5Z<j80`6EdYdF<G9@&F*t>F+hUZ3iHu<@$u9!r}(@CpUFc<s#aC{
zRXn6cm4uCnYA|uMe~{I)>2B=Fg_FrqdA%=kBAy$Mgrzk)B^`T~cd-KKdJyu|Mjc69
zJ7iSpg*e@kExF_R!reX#xw;ZAD2JC!y<w5_rKesu=18=G#zDEpQ#VvEXiMp*zTGYk
jrax`GyestT{v~MTSw^BnV~!X9SH<3XFSg3+NZh{xjo5?@

literal 0
HcmV?d00001

diff --git a/deployment-apps/Splunk_TA_windows/appserver/static/appLogo.png b/deployment-apps/Splunk_TA_windows/appserver/static/appLogo.png
new file mode 100644
index 0000000000000000000000000000000000000000..3ba5de6b7cd006b3842cdc6955b13075ebb3723b
GIT binary patch
literal 4785
zcmXw-bx;&g*Tz@SC6<)#6ak5)6ai@|VFi{&=_Qx$SVTG`MUZYJmJShFx*JitV*%+{
z8p+T1{a*h#_nf(N?(@vtIWuSG7oiDJCMKjO1ONcUsw#@w0Kh%&zx5M*oWG}HSdh-&
zMBuEV=LP_fbp9vq^*R+<{Jo@efBDuO>SX2aW$J1Pkh5?yvt(6uFhy8uTbf#UyYyR1
z0RRuBRTbrQkj8rkUhXj1r7vais7}7h0T7=ZrXQ3;sY*-E1Ki?=-_Pe{%l{<Hn*TXV
zHXuNj^*&j=EY2u@PJqZTpXSC!ctCXLb>Yuz$*Y!|#a>KHym;V7nb<~o&A!Bj<dxl3
z#zEHA{wv%3WIx0R%Z~u7woW381V2=|m8{6JDUgq@pw4}a$Qmd$6!0i-H_0*W-j9F}
zbX68f3!@q$IdoVsZqg9N(oP}WFCt{hy;qYF2Oj_0uhz~RY=EM;%vOL<FN0_Qul?3_
z!0BH%<znV`T|Jx4>+$k8m2!E^f<)b!d6z&9YBMkYBloDMRZC^wJ5@szvGXlYi~egh
zA1OKERHMsvMCv%}xgQ~^d`g_gXFu&x?06GaWm4JxIoGC_rT!*+WH}Oj^Lf3p`xFr^
z*LWs{o75E9_}`b+*jbOgOanjE|NHoc#0TG864RG!JaI9X`M$i`7T%Qq#RMi4_7d~_
zXRG*i%pX&(>$$-?besa{<7F(?O{eUONnkt9QAtZ?_VyHc?EB0@^)(-t(EDYBQd+(y
zvq6sz#uv8h^hy&tO3_f?U@lPg12s%RGP*i89=Vm+-(IX-N{joQ{LJ^tagj^PlXmTg
zLG82tzz`|V^IksM_a&QsRJ(GR7m=Yw5U@H*E{_Wm6OD8L-h-nhjBioy)vpbI+s$}h
z;@NnkqSLe<ee^}8%$#-DE!BDzP|wfx+B<eTP*{!a$NugD4RU*!vlU!S0rGvFYqSM%
z+H^bpX5X!am9YDlR1AzD#Bd^R!wE#FmDh9^;-G5`pt8q{K~=W1#Vry}vS<meP>c45
zh&u-Pa=)*!a~(rehx_$k?PYEhh9eHvKjeFp(w`dkGGD|$bsri(UpZ4?Zat_O`Mgfb
z@a!h$kDVK2kq{z%y@EY-knqlJ0LG+!<Glrd?cEYOI>Gxlua%pno$~L>s-emGOwByt
zlba<!r!KpDDUk~v1g;mMH>Tz&{-}k|K1Y)Y-Elw9nI<b<{S;^hs;5*-{r;6a4g)zE
zDe;8j&-t$p6bEWW;8i$CdL(zG>>;30{`}0Pqgw~7cpr6pXb8o@>@@K%V~g!nzRKRP
zAzgBj8GR&Lm;5dTu41BnmJ04%3!MuOx!%o{<^nR8&!{C&eBB$*jJvJz4(=@;-A&c)
z$*i<<vfsg$QPkSW1Y+En8e+ZOTrwL@N46*JSW$sX(Nup}78TNKBvR$M&1mD_okU1@
z2z4>UUEE|-1c%+$luMG;yAJxPVBhxTo-dCqG~q>AdN!OeR-Iy<0CP<n6wePkL<X(*
zPV3u4h_R>2)RdR%$VSt=!m*?>WwA(;^UQwGq~7_ML|{y|<1Tn!&-vvNCu#IhFeiKC
zeCZN?YUZi2R2Z2VH52z!`|<nj%gp)jddqw1b6t8oH`j@)^1R@zU1j`|EHaAn94SFA
zZ#5l8Ir6j>LO(5<5~D;F=$BU!gb}>z)G9zy<q|Rc+$XdIO4#_1)^RMqf=F;YhaRXX
z2JwhN12m!vfU(kanlulPNOBIYVFFznJlqqUo}ve?;}Zx#bj*_n07DgcVue^nytCoR
zMi2P6B?08QVT~1k0Jg<X!&T^P=la(-Di@#QpYwm`)AVM%NDFsL2#Uku_JrMaKr3X8
z{K&h#Saw)1k8&~9$8IcEi`<3bf%7`Efjnjck-ej`0E@t5qdVHBBssL1>$mGU`jKOP
zf!<>8G6hYqpC@(<@&;R+m2{=m+Tu=DD=(p&vm>Ln4!SgHK5C}+zclGfC?yfbVcx|D
z>;#6ftsp+c>~!6h+&4!>POgP2ow|N7Ef88G2_ww%DGm~^|CE9g0H5vpL>s`v1}rRM
z2UHYIhYSErR=av&D_wk?vhp2mUGyO(6-8jCfQal`VdFxwr%;Zb>61y#YVD@_B9}<^
z_V9rsPZODb8U->42po!3p_$P{JQB+T@9KPlc~m2lb+&@YXC7M6#sKOcvqRQb`l`w(
zcZ*)}M7(L3gb@DB`dVeHN1N22Ia~3na%k1$K>XOp#&qj@N9S(%p;N^BtF1=C7{6eB
zqjzUN1+F|XvqU6wUZ+4lz8iEiHjRr3%@r9DI+c&reM~JUJ#LKr`OUu3W#c9LF|Xq}
zlSC5mii8fgKdJeR{bS?Ko^(P1%w$vzO-<1RzmH(4kW(p|DgIsl685kuUDUUsd&eyZ
z8r7;J^wD?UYGACq(ewI*^`sv1>8&~1enIs%q#PpNce;+%*zxOrEQ~VTg)%`CQo_s>
zyDw(drm(}nR`JfjKxHCw+RIn$$K%!$7i_&{`G5tIg-i5n6CJB^b#MVsaeE<;rR$@l
zIPnbjhlwm=VnUA?OSXkUKpnLQ>Rv-S)(Dj^><N(}QD5lgvgMC>cv;nq#EF=a<I~G|
z?KGnKnmO*0`gT8`GCVco79{c(tHy2**R&!G5Hg2VTMF8wQH+^X>F1gS#($SamHW+8
zlEa%hO&!p|vY3`4`S+@9q+NU@D~m*r=L#{)U6QT8KAe*H3~7qL77?0VgQXYq=4G{3
z82p|&;xsp72W@`|d$sogkwoHc>3S0u6KFqQ_9wr-{m@6S5$EcXu5NB30`Fc*v+%u}
z0xj>&&(dc+A3~G>JynQSa>j=Qk|iK+*9o=|uaopTN2kcZ3Y$r)unL<DKNFuP;hvlF
zF?8}n^0bKtAEh&`7#p{Ey~O;41LQ-Kie#A@KY_(8m4o35*TN8JOBF%xTeojH!}2r=
zV<ke++|1q7ujbbetNQWjaFtFWRKh(lvM^Xyy?SCrE!?6`yx)DQo~0lNQ>oF*+}{6z
zRk3sNcl$(%(Nq`i8y*XTY_Ag4n)Q?pghxl9B?D->H}#`l@mtLdLwBQZ@ubq+P0O5}
zQIv}*JW;T#n)25;7t2PVHSBOl=W|_@;|q7&i4tNUjH>r`Smb<iLsuOinVc*96y-3?
zYyKR?N7!3dxukwV(7Djg`Fh&xWo8G-GFd|qC5_JGFoCL!LV(W8Hz|K7-9=e@O1!J#
z+>~X+Ecgp9;F3~ao{c_=Oo7%*fu>WoEgp2ps!41xN)83cdgWBgjIQ;obJ*^em<W{e
zwi_`}=L|Re=0iSB8p<k!sy%`hmBvsFf*BW{6GvARcfbItB^vvL0+t1KdxXbiqz^Xy
z6%EK5s6G(nb?tm^3+Kb<_&V?wxz})}CUeQaKJ#>6d~P>2sjCvgZOD9;g9S5W+4v}R
ztK~B`2<UIt*^fo&b365Yh^fs)nxpu1_kJ3gUzw7H;(5n6W9g-4@)4~VG26+I2M6tW
zU)5T)YctNCQ5kNozraT(R6KF+@H0=v`*?!4JTtlHbH>7^670A`<|-P8S5vgBqDM3l
z8tFm^c$?VR0Z<yXexKi3O+Y4c2}jDyl1bn*`?{xqLhU!9On_Zp6z4B79BPn7@X=-y
zp>1xg8JuN}!&hw?M+M8Fq<&rWUX306ifS4okSuCcoW9m2c>|_NeAcr(E=-Xd8G^A+
z8Z_F{Z|o=<GVsj4!!_6)K1N2VAc*OoLgu|JJI_e<kVVu)4<d$V$2l@epp||)XAwD@
z?|D~r+U?Odbf^72KfW_x7H}6bc6l|CD28#e1ihc0E@u3K)ww#}b+T)^Bng(9F-FFu
zNi(IwA}gK8k21k|%k!}%UrxNT{;-LjVwbflr@pqNbdPO)Yg0j~5bC{&xRSv|Zhvu>
zJKH_LRrTzjLa$&cy~E3~@3{jbRmtV4Rw?1yoJyzc`>e`H#$hAN>p<p;Z!F*Z8u9av
zAtU$_wqN_AT-(!&WK-#);&l|gd-r?tXe6y|X%q6|=t4|aBLDu3xIUl&O`cPnD=Z(t
zrl{<p0phA@V<mbv$O|;$&qxDtJl2vA%{x?^nw{{|)X?)ZK@0M40gTTXyjb5;S7^jm
z(=cc4=sM1z*irlu>_n|B7K!hfXtRFgY9VR%m49cf;hOF}-nL)#Ri*44m6lbdpo`Zg
zs@FyamfU!^f1k=X79<H~{8@CC{3Pb-T6WCbvDRmlJ!ykeGetS?7Zc}OQt^<hCec}4
zR|g4<9cFUHBo$uB78_R_#o-*Y=&5hTgAwC?*VyN>T2<bVC>vO81tYrZfoS6^n_Pb(
zZG{M7L4VrfD2mgKE{Vg6UW?ir!otA-5w#OjK}KPf>O8ZzFCjHyNqzM%ICad&o_w_K
zLKhgLomQ0LhQ4p2`}qLxonL+}iK;J+QD!@|Yvh-X);cVa8^{E%)7HCOx%HUBCTFSE
zbK4%CnUFvv&{x;7J_3tN9{a|KN*cPI(V}_cKi?@xJB@MQ*Qhz-1SeG;j8UHj+YNm2
z_{2xFpvF(h99G<I(g#WxauS&JUKa>S?R7k1I^s3G2q~mi;0}G}Xv-Q?^WzO6X=lP0
zywE!7I>z{yrd!{FgT1;7akQdm{ANqD52uVT;K@UVEj*}QhKaAG(kzZzv~QiLDB{hY
z&<;rq_?({SI@{*dO5<|O!_lANnqc&p7I)<Q489ULJbNRy1iw`(>KbQ}YAq*@g6%_S
z@(n^lLxj7B8{Wo<$SvXuZ&P8d*aR8F<)a3qY!Dgu@nvv0lxU%=k3T#F7OIZ~5r(a0
zd5TF+u>OYNnj3e3W6j=3qW-g#(lR651_9XwNOR1wJ|GftfwmE!&k0yM5tcz$3*ANU
zd12oXI|pHsgHs2e;WbeN(}0IiKXbI^23vjZR#;egn?UDmbk;X61T3@%`!A5wDLnkM
z?p<}tSs@o?8ZU^Zov-q^2uT%ej)S52oe_AZwj&-{NVL+1F4@^YzIT_X@3x-QrM9^3
zioFW9!)^VmhWFzZm_x(CV}m++X~C<X!fZUfvqeY063k%YKh#7k9KpwBwGP)UEVTDL
zhz>XI8@g(Bt-g2_m*Qo9q~}psv`NCU+?|J?`$&HJ1II*y#1rs4tzguBSP3B=KRW1>
zKPY#-qYneB;qvRk@9g;$q7aH{C#h=;i8DAe=m99FoPyql=>b{o*l4>Vn&5cEDm?*Q
z`<wt&;7FNus%~V|gBnro#M+()u%yy&^f}*HvZAz&e|ZPD!S_ANG*|0`0vV-^EDH>V
z(SSa6tO+KGgKdXq9E1ey#-|75s$wwx$2U>uY^u^&J(^0tAZ3)f*MTL2=QqctM0rYP
zcxUfS%W6z|LrUTFT9;4DfhG~uWo71$pIf3bBV~8>nWW4TO(9&w+Bb`P*pNCMdYNcj
z9_hQE|Hm#~9Vu{k(uNOfNeX?|_CbC~H&W<G|8rM!H!P5Puc+tQx<7u6Jd<hRCvB1=
z#qFE{p8LijpZc;1T?T|CgSH^GJ<;k&U|33^Vuo3UoVKN&y0n$Xb-3k3+yGErF7)ge
za-D>9zqX=1wOWwz4e$~L4GmHt2#g9vnT}oQQ_^URI6#RKK<wv9{TMajcWs?5v9~g-
zeaUhobA^0F3gi_Zm+G3Y4e&?uv6_(j0+WqI-x_hgn;#Ey-QILN&G@<;bYF$!<^tJ;
zW0kEE?FGaIJFcO1aEI9y=Xo|=r<o`=ou_+JAPXH&x@Jxq<A^@-u&~jGFX=<XSnGD{
zLrmN2S<H@jS>;qDA^w7W=pfLq1&?)sqg>4xHL(kmiCzsnhq?YcHwu{T2n=p^EK}yU
z7W*r~92`#OqWicnJArF|p~u%&HNT&ukF!+eyF`16d+LIJMh?R||CP+`=hCp6?lU)e
zMCGpevw7Cj1gka?A|k&(G~7+U8N84^3#-RwJlAWlEA*rFk-bi6xow^wZL4tjiJ(>G
zD@pZ115%^(i!)apBNVfs6p0D*cbn(f{%oUKVkHdSf&8q;*}!wZPGarXHbCa*xanS5
zi3goWR2AodB_^s?pS2b#r(dqiV=|4lLf+q#pD1Ax=beMcp=p7=?QI{St)SPE53588
z9Zap&^bb#aF~1SjHqViN1S|9n+v}}<7+{pKj?H+El7C_t^0P+&LKDA-xJh50_)q*J
zB?@nDOa6hC?(7?le@ukL|MuB}C~n$4QW5xb*VBXlVUsr3lWm!Q^yT+vt^el#Fv}p`
s)LrpEq27u+=s%&4{)dA96T&(%LfEM6pO0Yw;wFIVONe5HJUr<C00cfaK>z>%

literal 0
HcmV?d00001

diff --git a/deployment-apps/Splunk_TA_windows/bin/Invoke-MonitoredScript.ps1 b/deployment-apps/Splunk_TA_windows/bin/Invoke-MonitoredScript.ps1
new file mode 100644
index 00000000..002ac5b4
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/Invoke-MonitoredScript.ps1
@@ -0,0 +1,89 @@
+<#
+    .SYNOPSIS
+        & .\Invoke-MonitoredScript.ps1 "MyScript.ps1"
+
+    .DESCRIPTION
+        Outputs additional Splunk events related to the running and
+        errors in the script.
+#>
+[CmdletBinding()]
+param(
+    #Command to execute.
+    [Parameter(Position=0, Mandatory=$true)]
+    [ValidateNotNullOrEmpty()]
+    [string] $Command,
+
+	# Splunk Sourcetype Prefix for generated events
+    [Parameter()]
+    [ValidateNotNull()]
+    [string] $SourceTypePrefix="Powershell:",
+
+	# Maximum number of errors to convert into events
+    [Parameter()]
+    [ValidateRange(0, 100)]
+    [int] $MaxErrorCount
+)
+
+$WrappedScriptExecutionSummary= New-Object -TypeName PSObject -Property (
+    [ordered]@{
+        SplunkSourceType="$($SourceTypePrefix)ScriptExecutionSummary";
+        Identity=[guid]::NewGuid().ToString();
+        InvocationLine=$MyInvocation.Line;
+        TerminatingError=$false; ErrorCount=0; Elapsed=""
+    })
+$originalLocation = Get-Location
+
+try
+{
+    Set-Location (Split-Path -Parent $MyInvocation.MyCommand.Definition)
+    $ScriptStopWatch = [System.Diagnostics.Stopwatch]::StartNew()
+    $Error.Clear()
+    Invoke-Expression $Command
+}
+catch
+{
+    $WrappedScriptExecutionSummary.TerminatingError = $true;
+}
+finally
+{
+    Set-Location $originalLocation
+    $WrappedScriptExecutionSummary.Elapsed = $ScriptStopWatch.Elapsed.ToString("hh\:mm\:ss\.fff")
+    $WrappedScriptExecutionSummary.ErrorCount = $Error.Count
+
+    if ($Error.Count -gt 0) {
+        $ei = $Error.Count - 1
+        if ($PSBoundParameters.ContainsKey('MaxErrorCount')) {
+            if ($MaxErrorCount -lt $Error.Count) {
+                $ei = $MaxErrorCount - 1
+            }
+            # Always emit terminating errors
+            if ($ei -eq -1 -and $WrappedScriptExecutionSummary.TerminatingError) {
+                $ei = 1
+            }
+        }
+
+        for(; $ei -ge 0; $ei--) {
+            $errorRecord = New-Object -TypeName PSObject -Property (
+                [ordered]@{
+                    SplunkSourceType="$($SourceTypePrefix)ScriptExecutionErrorRecord";
+                    ParentIdentity=$WrappedScriptExecutionSummary.Identity;
+                    ErrorIndex=$ei;
+                    ErrorMessage=$Error[$ei].ToString();
+                    PositionMessage=$Error[$ei].InvocationInfo.PositionMessage;
+                    CategoryInfo=$Error[$ei].CategoryInfo.ToString();
+                    FullyQualifiedErrorId=$Error[$ei].FullyQualifiedErrorId
+                })
+
+            if ($Error[$ei].Exception -ne $null) {
+                Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name Exception -Value $Error[$ei].Exception.ToString()
+                if ($Error[$ei].Exception.InnerException -ne $null) {
+                    Add-Member -InputObject $errorRecord -MemberType NoteProperty -Name InnerException -Value $Error[$ei].Exception.InnerException.ToString()
+                }
+            }
+
+            Write-Output $errorRecord
+        }
+    }
+
+    Write-Output $WrappedScriptExecutionSummary
+}
diff --git a/deployment-apps/Splunk_TA_windows/bin/log.py b/deployment-apps/Splunk_TA_windows/bin/log.py
new file mode 100644
index 00000000..4c6d156c
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/log.py
@@ -0,0 +1,120 @@
+#
+# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+# SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+#
+#
+import logging
+import logging.handlers as handlers
+import os
+import os.path as op
+import time
+
+try:
+    from splunk.clilib.bundle_paths import make_splunkhome_path
+except ImportError:
+    from splunk.appserver.mrsparkle.lib.util import make_splunkhome_path
+
+logging.Formatter.converter = time.gmtime
+
+__LOG_FORMAT__ = (
+    "%(asctime)s +0000 log_level=%(levelname)s, pid=%(process)d, "
+    "tid=%(threadName)s, file=%(filename)s, "
+    "func_name=%(funcName)s, code_line_no=%(lineno)d | %(message)s"
+)
+
+
+class Log(object):
+    def __init__(self, namespace=None, default_level=logging.INFO):
+        self._loggers = {}
+        self._default_level = default_level
+        if namespace is None:
+            namespace = self._get_appname_from_path(op.abspath(__file__))
+
+        if namespace:
+            namespace = namespace.lower()
+        self._namespace = namespace
+
+    def get_logger(self, name, level=None, maxBytes=25000000, backupCount=5):
+        """
+        Set up a default logger.
+
+        :param name: The log file name.
+        :param level: The logging level.
+        :param maxBytes: The maximum log file size before rollover.
+        :param backupCount: The number of log files to retain.
+        """
+
+        # Strip ".py" from the log file name if auto-generated by a script.
+        if level is None:
+            level = self._default_level
+
+        name = self._get_log_name(name)
+        if name in self._loggers:
+            return self._loggers[name]
+
+        logger = logging.getLogger(name)
+
+        logfile = make_splunkhome_path(["var", "log", "splunk", name])
+        handler_exists = any(
+            [True for h in logger.handlers if h.baseFilename == logfile]
+        )
+        if not handler_exists:
+            file_handler = handlers.RotatingFileHandler(
+                logfile, mode="a", maxBytes=maxBytes, backupCount=backupCount
+            )
+            formatter = logging.Formatter(__LOG_FORMAT__)
+            file_handler.setFormatter(formatter)
+            logger.addHandler(file_handler)
+            logger.setLevel(level)
+            logger.propagate = False
+
+        self._loggers[name] = logger
+        return logger
+
+    def set_level(self, level, name=None):
+        """
+        Change the log level of the logging
+
+        :param level: the level of the logging to be setLevel
+        :param name: the name of the logging to set, in case it is not set,
+                     all the loggers will be affected
+        """
+
+        if name is not None:
+            name = self._get_log_name(name)
+            logger = self._loggers.get(name)
+            if logger is not None:
+                logger.setLevel(level)
+        else:
+            self._default_level = level
+            for logger in self._loggers.values():
+                logger.setLevel(level)
+
+    def _get_log_name(self, name):
+        if name.endswith(".py"):
+            name = name.replace(".py", "")
+
+        if self._namespace:
+            name = "{}_{}.log".format(self._namespace, name)
+        else:
+            name = "{}.log".format(name)
+        return name
+
+    def _get_appname_from_path(self, absolute_path):
+        absolute_path = op.normpath(absolute_path)
+        parts = absolute_path.split(os.path.sep)
+        parts.reverse()
+        for key in ("apps", "slave-apps", "master-apps"):
+            try:  # nosemgrep: gitlab.bandit.B112
+                idx = parts.index(key)
+            except ValueError:
+                continue
+            else:
+                try:  # nosemgrep: gitlab.bandit.B110
+                    if parts[idx + 1] == "etc":
+                        return parts[idx - 1]
+                except IndexError:
+                    pass
+                continue
+        # return None
+        return "-"
diff --git a/deployment-apps/Splunk_TA_windows/bin/netsh_address.bat b/deployment-apps/Splunk_TA_windows/bin/netsh_address.bat
new file mode 100644
index 00000000..3860296f
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/netsh_address.bat
@@ -0,0 +1,5 @@
+@echo off
+REM --------------------------------------------------------
+REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
+REM --------------------------------------------------------
+netsh interface ip show address
diff --git a/deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-health.ps1 b/deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-health.ps1
new file mode 100644
index 00000000..e3859654
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-health.ps1
@@ -0,0 +1,58 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+
+$ServerName = $env:ComputerName
+
+$DomainController = Get-ADDomainController -Identity $ServerName
+$Domain 		  = Get-ADDomain -Identity $DomainController.Domain
+$Forest			  = Get-ADForest -Identity $DomainController.Forest
+$ReplicationSite  = Get-ADReplicationSite -Identity $DomainController.Site
+$Computer		  = Get-ADComputer -Identity $ServerName -Properties *
+$RootDSE		  = Get-ADRootDSE -Server $ServerName
+$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
+
+$ISTG 		  = ($DomainController.NTDSSettingsObjectDN -eq $ReplicationSite.InterSiteTopologyGenerator)
+$SYSVOL 	  = (Get-SMBShare SYSVOL -ErrorAction SilentlyContinue)
+Try {
+    $DnsRegister  = [System.Net.Dns]::GetHostByName($DomainController.HostName)
+} Catch {
+    # The Catch will set $DnsRegister = $null if the GetHostByName fails for some reason
+}
+$SchemaVersion= Get-ADObject -Filter * -SearchScope Base -Properties objectVersion `
+			-SearchBase $RootDSE.schemaNamingContext
+$DCWeight	  = (Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters").GetValue("LdapSrvWeight", $null)
+if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
+	$DCWeight = 100
+}
+$FSMORoles 	= ($DomainController | Select -Expand OperationMasterRoles | %{ $_.ToString().Replace("Master","") } )
+
+$SvcRunning	= @(Get-Service $RequiredServices | ? Status -eq "Running" | select -expand Name)
+$SvcStopped	= @(Get-Service $RequiredServices | ? Status -ne "Running" | select -expand Name)
+$ProcsOK	= (($SvcStopped.Count -eq 0) -or ($SvcStopped.Count -eq 1 -and ($SvcStopped[0] -eq "ntfrs" -or $SvcStopped[0] -eq "dfsr")))
+
+New-Object PSObject -Property @{
+	Server			= $DomainController.Name
+	DomainDNSName	= $DomainController.Domain
+	DomainNetBIOSName = $Domain.NetBIOSName
+	DomainLevel		= $Domain.DomainMode
+	Site			= $DomainController.Site
+	ForestName		= $DomainController.Forest
+	ForestLevel		= $Forest.ForestMode
+	Created			= $Computer.whenCreated
+	Changed			= $Computer.whenChanged
+	GlobalCatalog	= $DomainController.IsGlobalCatalog
+	RODC			= $DomainController.IsReadOnly
+	Enabled			= $DomainController.Enabled
+	HighestUSN		= $RootDSE.highestCommittedUSN
+	SchemaVersion	= $SchemaVersion.objectVersion
+	DCWeight		= $DCWeight
+	IsIntersiteTopologyGenerator = $ISTG
+	OperatingSystem	= $DomainController.OperatingSystem
+	ServicePack		= $DomainController.OperatingSystemServicePack
+	OSVersion		= $DomainController.OperatingSystemVersion
+	FSMORoles		= $FSMORoles -join " "
+	ServicesRunning	= $SvcRunning -join ","
+	ServicesNotRunning = $SvcStopped -join ","
+	ProcsOK			= $ProcsOK
+	SYSVOLShare		= ($SYSVOL -ne $null)
+	DNSRegister		= ($DnsRegister -ne $null)
+}
diff --git a/deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-repl-stats.ps1 b/deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-repl-stats.ps1
new file mode 100644
index 00000000..d6d92815
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-repl-stats.ps1
@@ -0,0 +1,17 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+
+Get-ADReplicationPartnerMetaData -Target $env:ComputerName -PartnerType Inbound -Partition * | %{
+	$src_host = Get-ADObject -Filter * -SearchBase $_.Partner.Replace("CN=NTDS Settings,","") `
+				-SearchScope Base -Properties dNSHostName
+
+	New-Object PSObject -Property @{
+		LastAttemptedSync	= $_.LastReplicationAttempt
+		LastSuccessfulSync	= $_.LastReplicationSuccess
+		type			= "ReplicationEvent"
+		usn			= $_.LastChangeUsn
+		src_host		= $src_host.dNSHostName
+		Result			= $_.LastReplicationResult
+		transport		= $_.IntersiteTransportType
+		naming_context		= $_.Partition
+	}
+}
diff --git a/deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-siteinfo.ps1 b/deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-siteinfo.ps1
new file mode 100644
index 00000000..d1310811
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/powershell/2012r2-siteinfo.ps1
@@ -0,0 +1,74 @@
+Import-Module ActiveDirectory -ErrorAction SilentlyContinue
+#
+# Get the Information about this site
+#
+$ServerName = $env:ComputerName
+
+$DC 	= Get-ADDomainController -Identity $ServerName
+$Site	= Get-ADReplicationSite -Identity $DC.Site
+$Object = Get-ADObject -Filter * -SearchScope base -Properties * `
+		-SearchBase $Site.DistinguishedName
+
+$Location 	= if ($Object.location -eq $null) { "" } else { $Object.location }
+$ISTG	  	= Get-ADDomainController -Filter `
+			'NTDSSettingsObjectDN -eq $Site.IntersiteTopologyGenerator'
+$SiteLinks 	= Get-ADReplicationSiteLink -Filter 'SitesIncluded -eq $Site' -Properties *
+$AdjacentSites 	= ($SiteLinks | Select -Expand SitesIncluded | `
+			Where-Object { $_ -ne $Site.DistinguishedName } | `
+			Sort-Object | Get-Unique | `
+			Foreach-Object { Get-ADReplicationSite $_ } )
+$Subnets	= Get-ADReplicationSubnet -Filter 'Site -eq $Site'
+
+########################################################################
+#
+# SITE
+#
+$SiteInfo = @(
+	"Type=`"Site`""
+	"ForestName=`"$($DC.Forest)`""
+	"Site=`"$($Object.CN)`""
+	"Location=`"$Location`""
+	"IntersiteTopologyGenerator=`"$($ISTG.HostName)`""
+)
+$AdjacentSites | %{ $SiteLink += "AdjacentSite=`"$($_.Name)`"" }
+$SiteLinks     | %{ $SiteInfo += "SiteLink=`"$($_.Name)`"" }
+$Subnets       | %{ $SiteInfo += "Subnet=`"$($_.Name)`"" }
+Write-Output ($SiteInfo -join " ")
+#
+########################################################################
+#
+# SITELINK
+#
+$SiteLinks | %{
+	# These values are not stored in the object unless you change them
+	$cost 		= if ($_.Cost -eq $null) { 100 } else { $_.Cost }
+	$options 	= if ($_.options -eq $null) { 0 } else { $_.options }
+	$replInterval	= if ($_.replInterval -eq $null) { 180 * 60 } else { $_.replInterval * 60 }
+	$notifications	= if ($options -band 0x01) { "True" } else { "False" }
+	$reciprocal 	= if ($options -band 0x02) { "True" } else { "False" }
+	$compression	= if ($options -band 0x04) { "False" } else { "True" }
+
+	$SiteLink = @(
+		"Type=`"SiteLink`""
+		"ForestName=`"$($DC.Forest)`""
+		"Name=`"$($_.Name)`""
+		"Cost=`"$($_.Cost)`""
+		"DataCompressionEnabled=$compression"
+		"NotificationEnabled=$notifications"
+		"ReciprocalReplicationEnabled=$reciprocal"
+		"TransportType=$($_.InterSiteTransportProtocol)"
+		"ReplicationIntervalSecs=$replInterval"
+	)
+	Write-Output ($SiteLink -join " ")
+}
+
+$Subnets | Foreach-Object {
+	$Subnet = @(
+		"Type=`"Subnet`""
+		"ForestName=`"$($DC.Forest)`""
+		"Name=`"$($_.Name)`""
+		"Site=`"$($Site.Name)`""
+		"Location=`"$($_.Location)`""
+	)
+	Write-Output ($Subnet -join " ")
+}
diff --git a/deployment-apps/Splunk_TA_windows/bin/powershell/dns-health.ps1 b/deployment-apps/Splunk_TA_windows/bin/powershell/dns-health.ps1
new file mode 100644
index 00000000..a996c57b
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/powershell/dns-health.ps1
@@ -0,0 +1,114 @@
+#
+# Determine the health and statistics of this Microsoft DNS Server
+#
+$Output = New-Object System.Collections.ArrayList
+$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+write-host -NoNewline ""$Date
+
+# Name of Server
+$ServerName = $env:ComputerName
+write-host -NoNewline ""Server=`"$ServerName`"
+
+#
+# Windows Version and Build #
+#
+$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion"
+$OS = $WindowsInfo.GetValue("ProductName")
+$OSSP = $WindowsInfo.GetValue("CSDVersion")
+$WinVer = $WindowsInfo.GetValue("CurrentVersion")
+$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber")
+$OSVER = "$WinVer ($WinBuild)"
+
+write-host -NoNewline ""OperatingSystem=`"$OS`"
+write-host -NoNewline ""ServicePack=`"$OSSP`"
+write-host -NoNewline ""OSVersion=`"$OSVER`"
+
+#
+# Required Processes Running
+#		DNS Dnscache w32time
+#
+$RequiredServices = @( "DNS", "Dnscache", "w32time" )
+$srvr = @()
+$srvnr = @()
+foreach ($srv in $RequiredServices) {
+	$status = (Get-Service $srv).Status
+	if ($status -eq "Running") {
+		$srvr += $srv
+	} else {
+		$srvnr += $srv
+	}
+}
+
+$ProcsOK = "False"
+if ($srvnr.Count -eq 0) {
+	$ProcsOK = "True"
+}
+
+$ServicesRunning = [string]::join(',', $srvr)
+$ServicesNotRunning = [string]::join(',', $srvnr)
+write-host -NoNewline ""ServicesRunning=`"$ServicesRunning`" ServicesNotRunning=`"$ServicesNotRunning`" ProcsOK=`"$ProcsOK`"
+
+#
+# Settings for this DNS Server
+#
+$dnsInfo = Get-WmiObject -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Server -ComputerName $ServerName
+
+# See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682725(v=vs.85).aspx for details
+write-host -NoNewline "" Name=`"$($dnsInfo.Name)`"
+write-host -NoNewline "" Version=`"$($dnsInfo.Version)`"
+write-host -NoNewline "" LogLevel=`"$($dnsInfo.LogLevel)`"
+write-host -NoNewline "" LogFilePath=`"$($dnsInfo.LogFilePath)`"
+write-host -NoNewline "" LogFileMaxSize=`"$($dnsInfo.LogFileMaxSize)`"
+write-host -NoNewline "" LogIPFilterList=`"$($dnsInfo.LogIPFilterList)`"
+write-host -NoNewline "" EventLogLevel=`"$($dnsInfo.EventLogLevel)`"
+write-host -NoNewline "" RpcProtocol=`"$($dnsInfo.RpcProtocol)`"
+write-host -NoNewline "" NameCheckFlag=`"$NameCheckFlag`"
+write-host -NoNewline "" AddressAnswerLimit=`"$($dnsInfo.AddressAnswerLimit)`"
+write-host -NoNewline "" RecursionRetry=`"$($dnsInfo.RecursionRetry)`"
+write-host -NoNewline "" RecursionTimeout=`"$($dnsInfo.RecursionTimeout)`"
+write-host -NoNewline "" DsPollingInterval=`"$($dnsInfo.DsPollingInterval)`"
+write-host -NoNewline "" DsTombstoneInteval=`"$($dnsInfo.DsTombstoneInteval)`"
+write-host -NoNewline "" MaxCacheTTL=`"$($dnsInfo.MaxCacheTTL)`"
+write-host -NoNewline "" MaxNegativeCacheTTL=`"$($dnsInfo.MaxNegativeCacheTTL)`"
+write-host -NoNewline "" SendPort=`"$($dnsInfo.SendPort)`"
+write-host -NoNewline "" XfrConnectTimeout=`"$($dnsInfo.XfrConnectTimeout)`"
+write-host -NoNewline "" BootMethod=`"$($dnsInfo.BootMethod)`"
+write-host -NoNewline "" AllowUpdate=`"$($dnsInfo.AllowUpdate)`"
+write-host -NoNewline "" UpdateOptions=`"$($dnsInfo.UpdateOptions)`"
+write-host -NoNewline "" DsAvailable=`"$($dnsInfo.DsAvailable)`"
+write-host -NoNewline "" DisableAutoReverseZones=`"$($dnsInfo.DisableAutoReverseZones)`"
+write-host -NoNewline "" AutoCacheUpdate=`"$($dnsInfo.AutoCacheUpdate)`"
+write-host -NoNewline "" NoRecursion=`"$($dnsInfo.NoRecursion)`"
+write-host -NoNewline "" RoundRobin=`"$($dnsInfo.RoundRobin)`"
+write-host -NoNewline "" LocalNetPriority=`"$($dnsInfo.LocalNetPriority)`"
+write-host -NoNewline "" StrictFileParsing=`"$($dnsInfo.StrictFileParsing)`"
+write-host -NoNewline "" LooseWildcarding=`"$($dnsInfo.LooseWildcarding)`"
+write-host -NoNewline "" BindSecondaries=`"$($dnsInfo.BindSecondaries)`"
+write-host -NoNewline "" WriteAuthorityNS=`"$($dnsInfo.WriteAuthorityNS)`"
+write-host -NoNewline "" ForwardDelegations=`"$($dnsInfo.ForwardDelegations)`"
+write-host -NoNewline "" SecureResponses=`"$($dnsInfo.SecureResponses)`"
+write-host -NoNewline "" DisjointNets=`"$($dnsInfo.DisjointNets)`"
+write-host -NoNewline "" AutoConfigFileZones=`"$($dnsInfo.AutoConfigFileZones)`"
+write-host -NoNewline "" ScavengingInterval=`"$($dnsInfo.ScavengingInterval)`"
+write-host -NoNewline "" DefaultRefreshInterval=`"$($dnsInfo.DefaultRefreshInterval)`"
+write-host -NoNewline "" DefaultNoRefreshInterval=`"$($dnsInfo.DefaultNoRefreshInterval)`"
+write-host -NoNewline "" DefaultAgingState=`"$($dnsInfo.DefaultAgingState)`"
+write-host -NoNewline "" EDnsCacheTimeout=`"$($dnsInfo.EDnsCacheTimeout)`"
+write-host -NoNewline "" EnableEDnsProbes=`"$($dnsInfo.EnableEDnsProbes)`"
+write-host -NoNewline "" EnableDnsSec=`"$($dnsInfo.EnableDnsSec)`"
+write-host -NoNewline "" ForwardingTimeout=`"$($dnsInfo.ForwardingTimeout)`"
+write-host -NoNewline "" IsSlave=`"$($dnsInfo.IsSlave)`"
+write-host -NoNewline "" EnableDirectoryPartitions=`"$($dnsInfo.EnableDirectoryPartitions)`"
+write-host -NoNewline "" Started=`"$($dnsInfo.Started)`"
+write-host -NoNewline "" StartMode=`"$($dnsInfo.StartMode)`"
+write-host -NoNewline "" Status=`"$($dnsInfo.Status)`"
+
+foreach ($ip in $dnsInfo.Forwarders) {
+	write-host -NoNewline "" Forwarder=`"$ip`"
+}
+foreach ($ip in $dnsInfo.ServerAddresses) {
+	write-host -NoNewline "" ServerAddress=`"$ip`"
+}
+foreach ($ip in $dnsInfo.ListenAddresses) {
+	write-host "" ListenAddress=`"$ip`"
+}
diff --git a/deployment-apps/Splunk_TA_windows/bin/powershell/dns-zoneinfo.ps1 b/deployment-apps/Splunk_TA_windows/bin/powershell/dns-zoneinfo.ps1
new file mode 100644
index 00000000..5beadae3
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/powershell/dns-zoneinfo.ps1
@@ -0,0 +1,79 @@
+#
+# DNS Zone Information
+#
+function Get-WmiCount($a) {
+	if ($a -eq $Null) {
+		$cnt = 0
+	} elseif ($a.GetType().Name -eq "ManagementObject") {
+		$cnt = 1
+	} else {
+		$cnt = $a.Length
+	}
+
+	$cnt
+}
+
+function Output-Zoneinfo($Zone) {
+	#$Output = New-Object System.Collections.ArrayList
+	$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+    write-host -NoNewline $Date Zone=`"$($Zone.Name)`" Aging=`"$($Zone.Aging)`" AllowUpdate=`"$($Zone.AllowUpdate)`" AutoCreated=`"$($Zone.AutoCreated)`" AvailForScavengeTime=`"$($Zone.AvailForScavengeTime)`" Caption=`"$($Zone.Caption)`" ContainerName=`"$($Zone.ContainerName)`" DataFile=`"$($Zone.DataFile)`" DnsServerName=`"$($Zone.DnsServerName)`" DsIntegrated=`"$($Zone.DsIntegrated)`" ForwarderSlave=`"$($Zone.ForwarderSlave)`" ForwarderTimeout=`"$($Zone.ForwarderTimeout)`" LastSuccessfulSoaCheck=`"$($Zone.LastSuccessfulSoaCheck)`" LastSuccessfulXfr=`"$($Zone.LastSuccessfulXfr)`" NoRefreshInterval=`"$($Zone.NoRefreshInterval)`" Notify=`"$($Zone.Notify)`" Paused=`"$($Zone.Paused)`" RefreshInterval=`"$($Zone.RefreshInterval)`" Reverse=`"$($Zone.Reverse)`" SecureSecondaries=`"$($Zone.SecureSecondaries)`" Shutdown=`"$($Zone.Shutdown)`" Status=`"$($Zone.Status)`" UseWins=`"$($Zone.UseWins)`" ZoneType=`"$($Zone.ZoneType)`"
+
+	# Some information on the zone itself - # record by type and total
+	$ZoneName = $Zone.Name
+
+	$SOA  = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_SOAType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$SOAlen = Get-WmiCount($SOA)
+	write-host -NoNewline ""SOA=$SOAlen
+
+	$NS   = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_NSType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$NSlen = Get-WmiCount($NS)
+	write-host -NoNewline ""NS=$NSlen
+
+	$A    = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_AType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$Alen = Get-WmiCount($A)
+	write-host -NoNewline ""A=$Alen
+
+	$AAAA = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_AAAAType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$AAAAlen = Get-WmiCount($AAAA)
+	write-host -NoNewline ""AAAA=$AAAAlen
+
+	$CNAME= Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_CNAMEType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$CNAMElen = Get-WmiCount($CNAME)
+	write-host -NoNewline ""CNAME=$CNAMElen
+
+	$MX   = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_MXType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$MXlen = Get-WmiCount($MX)
+	write-host -NoNewline ""MX=$MXlen
+
+	$SRV  = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_SRVType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$SRVlen = Get-WmiCount($SRV)
+	write-host -NoNewline ""SRV=$SRVlen
+
+	$HINFO= Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_HINFOType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$HINFOlen = Get-WmiCount($HINFO)
+	write-host -NoNewline ""HINFO=$HINFOlen
+
+	$TXT  = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_TXTType -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$TXTlen = Get-WmiCount($TXT)
+	write-host -NoNewline ""TXT=$TXTlen
+
+	$RR  = Get-WmiObject -namespace "root\MicrosoftDNS" -class MicrosoftDNS_ResourceRecord -ComputerName $env:ComputerName -Filter "DomainName = '$ZoneName'"
+	$TotalRecords = Get-WmiCount($RR)
+	write-host ""TotalRecords=$TotalRecords
+
+}
+
+#
+# Main Program
+#
+$ServerName = $env:ComputerName
+$Scope = New-Object Management.ManagementScope("\\$ServerName\root\MicrosoftDNS")
+$Path = New-Object Management.ManagementPath("MicrosoftDNS_Zone")
+$Options = New-Object Management.ObjectGetOptions($Null, [System.TimeSpan]::MaxValue, $True)
+
+$ZoneClass = New-Object Management.ManagementClass($Scope, $Path, $Options)
+$Zones = Get-WMIObject -Computer $ServerName -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Zone"
+$OutputEncoding = [Text.Encoding]::UTF8
+Foreach ($Zone in $Zones) {
+	Output-ZoneInfo($Zone)
+}
diff --git a/deployment-apps/Splunk_TA_windows/bin/powershell/generate_windows_update_logs.ps1 b/deployment-apps/Splunk_TA_windows/bin/powershell/generate_windows_update_logs.ps1
new file mode 100644
index 00000000..8dc2101c
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/powershell/generate_windows_update_logs.ps1
@@ -0,0 +1,20 @@
+## This script generates WindowsUpdate.Log using Get-WindowsUpdateLog in $SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate
+## It monitors the WindowsUpdate.log from $SplunkHome\var\log\Splunk_TA_windows\
+
+Set-Variable -Name "LogFolder" -Value "$SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate"
+Set-Variable -Name "MonitoredLogFile" -Value "$SplunkHome\var\log\Splunk_TA_windows\WindowsUpdate.log"
+
+if (!(Test-Path -Path $LogFolder )) {
+	New-Item -ItemType directory -Path $LogFolder
+}
+
+Get-WindowsUpdateLog -LogPath $LogFolder\WindowsUpdate.log
+
+if ([System.IO.File]::Exists("$MonitoredLogFile")) {
+	Get-Content "$LogFolder\WindowsUpdate.log" | Set-Content -Path "$MonitoredLogFile"
+}
+else {
+Copy-Item -Path "$LogFolder\WindowsUpdate.log" -Destination "$MonitoredLogFile"
+}
+
+exit
diff --git a/deployment-apps/Splunk_TA_windows/bin/powershell/nt6-health.ps1 b/deployment-apps/Splunk_TA_windows/bin/powershell/nt6-health.ps1
new file mode 100644
index 00000000..fc450e52
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/powershell/nt6-health.ps1
@@ -0,0 +1,170 @@
+#
+# Determine the health and statistics of this Active Directory Controller
+#
+$Output = New-Object System.Collections.ArrayList
+$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+[void]$Output.Add($Date)
+
+# Name of Server
+$ServerName = $env:ComputerName
+[void]$Output.Add("Server=""$ServerName""")
+$BSSN = "\\" + $ServerName
+
+# Domain Information
+
+$S_DS_AD_DOM = [System.DirectoryServices.ActiveDirectory.Domain]::getComputerDomain()
+$WMI_CS      = (Get-WmiObject Win32_ComputerSystem)
+$WMI_DOMAIN	 = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
+
+$DomainDNSName = $WMI_CS.Domain
+$DomainNetBIOSName = $WMI_DOMAIN.DomainName
+$DomainLevel   = $S_DS_AD_DOM.DomainMode
+[void]$Output.Add("DomainDNSName=`"$DomainDNSName`"");
+[void]$Output.Add("DomainNetBIOSName=`"$DomainNetBIOSName`"");
+[void]$Output.Add("DomainLevel=`"$DomainLevel`"");
+
+# Site Information
+$SiteName = $WMI_DOMAIN.ClientSiteName
+[void]$Output.Add("Site=`"$SiteName`"");
+
+# Forest Information
+$ForestName = $S_DS_AD_DOM.Forest.Name
+$ForestLevel = $S_DS_AD_DOM.Forest.ForestMode
+[void]$Output.Add("ForestName=`"$ForestName`"");
+[void]$Output.Add("ForestLevel=`"$ForestLevel`"");
+
+# Domain Controller Flags
+$IsRO = "False"
+$IsEnabled = "False"
+$IsGC = "False"
+$USN = "Unknown"
+$MyName = ($env:ComputerName + "." + $DomainDNSName).ToLower()
+if ($WMI_DOMAIN.Status -eq "OK") {
+	$MyDC = $S_DS_AD_DOM.DomainControllers | Where-Object { $_.Name.ToLower() -eq $MyName.ToLower() }
+	if ($MyDC) {
+		if ($MyDC.IsGlobalCatalog()) {
+			$IsGC = "True"
+		}
+		$USN = $MyDC.HighestCommittedUsn
+		$IsEnabled = "True"
+
+		$entry = $MyDC.getDirectoryEntry()
+		[void]$Output.Add("Created=`"$($entry.whenCreated)`"")
+		[void]$Output.Add("Changed=`"$($entry.whenChanged)`"")
+
+		$DN = $entry.Path
+		$ServerEntry = [ADSI]"$DN"
+		$ServerEntry.GetInfoEx(@("msDS-IsRODC"),0)
+		$IsRO = $ServerEntry."msDS-IsRODC"
+	}
+}
+[void]$Output.Add("GlobalCatalog=`"$IsGC`"")
+[void]$Output.Add("RODC=`"$IsRO`"")
+[void]$Output.Add("Enabled=`"$IsEnabled`"")
+[void]$Output.Add("HighestUSN=`"$USN`"")
+
+$SchemaInfo = Get-Item "HKLM:System\CurrentControlSet\Services\NTDS\Parameters"
+$SchemaVersion = $SchemaInfo.GetValue("Schema Version")
+[void]$Output.Add("SchemaVersion=$SchemaVersion")
+
+$NetLogonParams = Get-Item "HKLM:System\CurrentControlSet\Services\Netlogon\Parameters"
+$DCWeight = $NetLogonParams.GetValue("LdapSrvWeight", $null)
+if (!$DCWeight -or $DCWeight -eq $null -or $DCWeight -eq "") {
+	$DCWeight = 100	# This is the default value
+}
+[void]$Output.Add("DCWeight=$DCWeight")
+
+$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
+
+# Is this host a BridgeHead Server?
+# Field BridgeheadServer (Collection of DirectoryServer objects - check to see if we are listed and set IsBridgeHeadServer=True/False accordingly)
+
+# Is this host a Intersite Topology Generator
+if ($SiteInfoObj.IntersiteTopologyGenerator.Name -and ($SiteInfoObj.IntersiteTopologyGenerator.Name -eq $ServerName -or $SiteInfoObj.IntersiteTopologyGenerator.Name.ToLower() -eq $MyName)) {
+	[void]$Output.Add("IsIntersiteTopologyGenerator=`"True`"")
+} else {
+	[void]$Output.Add("IsIntersiteTopologyGenerator=`"False`"")
+}
+
+
+#
+# Windows Version and Build #
+#
+$WindowsInfo = Get-Item "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion"
+$OS = $WindowsInfo.GetValue("ProductName")
+$OSSP = $WindowsInfo.GetValue("CSDVersion")
+$WinVer = $WindowsInfo.GetValue("CurrentVersion")
+$WinBuild = $WindowsInfo.GetValue("CurrentBuildNumber")
+$OSVER = "$WinVer ($WinBuild)"
+
+[void]$Output.Add("OperatingSystem=""$OS""")
+[void]$Output.Add("ServicePack=""$OSSP""")
+[void]$Output.Add("OSVersion=""$OSVER""")
+
+#
+# FSMO Roles (Schema, DomainNaming, Infrastructure, RIDMaster, PDC)
+#
+$aFSMO = @()
+if ($MyDC -and $MyDC.Roles) {
+	foreach ($role in $MyDC.Roles) {
+		switch ($role) {
+			"SchemaRole"			{ $aFSMO += "Schema" }
+			"NamingRole"			{ $aFSMO += "DomainNaming" }
+			"InfrastructureRole"	{ $aFSMO += "Infrastructure" }
+			"PdcRole"				{ $aFSMO += "PDCEmulator" }
+			"RidRole"				{ $aFSMO += "RIDMaster" }
+		}
+	}
+}
+$FSMORoles = [string]::join(' ', $aFSMO)
+[void]$Output.Add("FSMORoles=""$FSMORoles""")
+
+#
+# Required Processes Running
+#		FRS, DFS-R, Net Logon, KDC, W32Time, ISMSERV
+#
+$RequiredServices = @( "ntfrs", "dfsr", "netlogon", "kdc", "w32time", "ismserv" )
+$srvr = @()
+$srvnr = @()
+foreach ($srv in $RequiredServices) {
+	$status = (Get-Service $srv).Status
+	if ($status -eq "Running") {
+		$srvr += $srv
+	} else {
+		$srvnr += $srv
+	}
+}
+# Note that the only case that ProcsOK == True is when there is ONE service
+# that isn't running - You need one replication services (ntfrs or dfsr) but
+# not both
+$ProcsOK = "False"
+if (($srvnr.Count -eq 0) -or ($srvnr.Count -eq 1 -and ($srvnr[0] -eq "ntfrs" -or $srvnr[0] -eq "dfsr"))) {
+	$ProcsOK = "True"
+}
+$ServicesRunning = [string]::join(',', $srvr)
+$ServicesNotRunning = [string]::join(',', $srvnr)
+[void]$Output.Add("ServicesRunning=""$ServicesRunning""")
+[void]$Output.Add("ServicesNotRunning=""$ServicesNotRunning""")
+[void]$Output.Add("ProcsOK=""$ProcsOK""")
+
+#
+# Look for Common Problems
+#		SYSVOL is shared out
+#		DC is registered in DNS
+#
+$SysvolShare = (Get-WmiObject Win32_Share|Where-Object { $_.Name -eq "SYSVOL" })
+if ($SysvolShare) {
+	[void]$Output.Add("SYSVOLShare=""True""")
+} else {
+	[void]$Output.Add("SYSVOLShare=""False""")
+}
+
+$DNSEntry = ([System.Net.DNS]::GetHostEntry($ServerName))
+if ($DNSEntry) {
+	[void]$Output.Add("DNSRegister=""True""")
+} else {
+	[void]$Output.Add("DNSRegister=""False""")
+}
+
+# Output the final string
+Write-Host ($output -join " ")
diff --git a/deployment-apps/Splunk_TA_windows/bin/powershell/nt6-repl-stat.ps1 b/deployment-apps/Splunk_TA_windows/bin/powershell/nt6-repl-stat.ps1
new file mode 100644
index 00000000..54e90897
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/powershell/nt6-repl-stat.ps1
@@ -0,0 +1 @@
+## Global Variables ##

$DomainControllerName   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name

## Functions ##

function Get-ADSite
{

	[CmdletBinding(
		ConfirmImpact="Low",
		DefaultParameterSetName="Name"
	)]
	
	Param (
		[Parameter(Mandatory=$true,Position=0,ValueFromPipeline=$true,ParameterSetName="Name")]
		[ValidateNotNullOrEmpty()]
		[string] $Name,
		
		[Parameter(Mandatory=$true,ParameterSetName="All")]
		[switch] $All,
		
		[Parameter(Mandatory=$true,ParameterSetName="Current")]
		[switch] $Current,
		
		[Parameter(Mandatory=$true,ParameterSetName="ByIPAddress")]
		[System.Net.IPAddress] $IPAddress,
		
		[Parameter(Mandatory=$false)]
		[ValidateScript({
			if (-not $_.Contains("."))
			{
				throw "The Name must be a FQDN"
			}
			return $true
		})]
		[string] $Server
	)
 
	begin {
		$script:ctx = $null
		try
		{
			if (-not $Server)
			{
				$script:Server = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name
				$script:ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $script:Server)
			}
			else
			{
				$script:Server = $Server
				$script:ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $script:Server)
			}
		}
		catch [Exception]
		{
			Write-Error $_
			return
		}
	}
 
	process {
		$site = $null
		try
		{
			switch ($pscmdlet.ParameterSetName)
			{
				"name"
				{
					[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($script:ctx, $name)
				}
            }
		}
		catch [Exception]
		{
			Write-Error -Exception $_.Exception -Message "Could not get the site / sites"
		}
    }
	
	end { }
}

function GetSingleDomainController
{
	param(
		[Parameter(Mandatory=$true)]
		[ValidateScript({
			if (-not $_.Contains("."))
			{
				throw "The Name must be a FQDN"
			}
			return $true
		})]
		[string] $DomainControllerName
	)
	
	$rootDSE = [adsi]"LDAP://$script:server/rootDSE"

	$ds = New-Object System.DirectoryServices.DirectorySearcher
	$ds.SearchRoot = "LDAP://$script:server/CN=Sites,$($rootDSE.configurationNamingContext)"
	$ds.Filter = "(&(objectclass=server)(dNSHostName=$DomainControllerName))"

	try
	{
		$serverDn = $ds.FindOne().GetDirectoryEntry().DistinguishedName.Value
		$siteDn = $serverDn.Substring($serverDn.IndexOf("CN=Servers") + 11, $serverDn.IndexOf("CN=Sites") - ($serverDn.IndexOf("CN=Servers") + 12))
		$siteName = $siteDn.Substring(3)
	}
	catch [Exception]
	{
		throw "Could not find domain controller in $($ds.SearchRoot.DistinguishedName): $($_.Exception.Message)"
	}

	try
	{
		$dc = (Get-ADSite -Name $siteName -Server $script:Server).Servers | Where-Object { $_.Name -eq $DomainControllerName }
        if (-not $dc)
		{
			throw "The server $DomainControllerName cannot be found"
		}
		$dc
	}
	catch [Exception]
	{
		throw "Cannot read servers from site $siteName : ($_.Exception.Message)"
	}
}

function Get-Type
{
	param(
    	[Parameter(Position=0,Mandatory=$true)]
		[string] $GenericType,
		
		[Parameter(Position=1,Mandatory=$true)]
		[string[]] $T
    )

	$Types = $T -as [type[]]
	
	try
	{
		$generic = [type]($GenericType + '`' + $Types.Count)
		$generic.MakeGenericType($Types)
	}
	catch [Exception]
	{
		throw New-Object System.Exception("Cannot create generic type", $_.Exception)
	}
}


function Get-ADReplicationLink
{
	[CmdletBinding()]
	
	param(		
		[Parameter(Mandatory=$true,ParameterSetName="AllDCsInSite",ValueFromPipelineByPropertyName=$true)]
		[string] $SiteName,
		
		[Parameter(Mandatory=$true,ParameterSetName="AllDCsInForest")]
		[switch] $AllDCsInForest,
		
		[Parameter(Mandatory=$true,ParameterSetName="AllDCsInDomain")]
		[switch] $AllDCsInDomain,
		
		[Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
		[ValidateScript({
			if (-not $_.Contains("."))
			{
				throw "The Name must be a FQDN"
			}
			return $true
		})]
		[string] $DomainName,
		
		[Parameter(Position=0,Mandatory=$false,ValueFromPipelineByPropertyName=$true,ParameterSetName="DcByName")]
		[ValidateScript({
			if (-not $_.Contains("."))
			{
				throw "The Name must be a FQDN"
			}
			return $true
		})]
		[Alias("DCName")]
		[string[]] $DomainControllerName,
		
		[Parameter(Position=0,Mandatory=$false,ValueFromPipelineByPropertyName=$true)]
		[Alias("NC")]
		[string] $NamingContext,
		
		[Parameter(Mandatory=$false)]
		[switch] $ErrorsOnly,
		
		[Parameter(Mandatory=$false)]
		[string] $Server
	)
	
	begin {
		$global:tempDestinationServer = $null
		$script:ctx = $null
		try
		{
			if (-not $Server)
			{
				$script:Server = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController().Name
				$script:ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $script:Server)
				
				$script:serverObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().FindDomainController()
			}
			else
			{
				$script:Server = $Server
				$script:ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("DirectoryServer", $script:Server)
				
				$script:serverObject = GetSingleDomainController -DomainControllerName $Server
			}
		}
		catch [Exception]
		{
			Write-Error $_
			return
		}
	}
 
	process {
		$dcList = New-Object System.Collections.ArrayList
			foreach ($DomainController in $DomainControllerName)
			{
				[Void]$dcList.Add((GetSingleDomainController -DomainControllerName $DomainController))
			}
		
		foreach ($dc in $dcList)
		{
            foreach ($partition in $dc.Partitions)
			{
				$repNeighbors = $dc.GetReplicationNeighbors($partition)
				if ($ErrorsOnly)
				{
					$repNeighbors = $repNeighbors | Where-Object { $_.LastSyncResult -ne 0 }
				}
				
				foreach ($repNeighbor in $repNeighbors)
				{
					$repInfo = New-Object (Get-Type -GenericType System.Collections.Generic.List -T System.Management.Automation.PSObject)
                    $repNeighbor = $repNeighbor | Add-Member -MemberType NoteProperty -Name DestinationServer -Value $dc.Name -PassThru
					$repInfo.Add([psobject]$repNeighbor)
                    $repInfo | ForEach-Object {
                        $repl = new-object System.Collections.ArrayList
                        $currtime = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
                        $repltime = get-date  -format "yyyy-MM-dd HH:mm:ss zzz" -date $($_.LastAttemptedSync)
                        [void]$repl.add($currtime);
                        [void]$repl.add("LastAttemptedSync=`"$repltime`"")
                        [void]$repl.add("type=`"ReplicationEvent`"")
                        [void]$repl.add("usn=$($_.UsnLastObjectChangeSynced)")
                        [void]$repl.add("src_host=`"$($_.SourceServer)`"")
                        [void]$repl.add("Result=`"$($_.LastSyncResult)`"")
                        [void]$repl.add("transport=`"$($_.TransportType)`"")
                        [void]$repl.add("naming_context=`"$($repNeighbor.PartitionName)`"")
                        Write-Host ($repl -join " ") 
                    }
 				}

			}
		}

    }
	
	end { }
}

## Call The functions ##

Get-ADReplicationlink $DomainControllerName
diff --git a/deployment-apps/Splunk_TA_windows/bin/powershell/nt6-siteinfo.ps1 b/deployment-apps/Splunk_TA_windows/bin/powershell/nt6-siteinfo.ps1
new file mode 100644
index 00000000..1bb0f5b9
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/powershell/nt6-siteinfo.ps1
@@ -0,0 +1,41 @@
+#
+# Determine and output information about the Site the server is a member of
+#
+
+$ServerName = $env:ComputerName
+$BSSN = "\\" + $ServerName
+$WMI_DOMAIN	 = Get-WmiObject Win32_NTDomain | Where-Object {$_.DomainControllerName -eq $BSSN}
+$SiteName = $WMI_DOMAIN.ClientSiteName
+$ForestName = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Name
+
+$Date = Get-Date -format 'yyyy-MM-ddTHH:mm:sszzz'
+$SiteInfoObj = [System.DirectoryServices.ActiveDirectory.Forest]::getCurrentForest().Sites | Where-Object { $_.Name -eq $SiteName }
+$ISTG = $SiteInfoObj.IntersiteTopologyGenerator.Name
+
+
+write-host  $Date Type=`"Site`" ForestName=`"$ForestName`" Site=`"$SiteName`" Location=`"$($SiteInfoObj.Location)`" -NoNewline
+$SiteInfoObj.AdjacentSites | Foreach-Object { write-host AdjacentSite=`"$($_.Name)`" -NoNewline }
+write-host IntersiteTopologyGenerator=`"$ISTG`" -NoNewline
+$SiteInfoObj.SiteLinks | Foreach-Object { write-host "" SiteLink=`"$($_.Name)`" -NoNewline }
+$SiteInfoObj.Subnets | Foreach-Object { write-host "" Subnet=`"$($_.Name)`" -nonewline }
+
+write-host #Needed to print a newline for next object
+
+#
+# Output Information about Site Links in this site
+#
+$SiteInfoObj.SiteLinks | Foreach-Object {
+    write-host $Date Type=`"SiteLink`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Cost=$($_.Cost) DataCompressionEnabled=$($_.DataCompressionEnabled) NotificationEnabled=$($_.NotificationEnabled) ReciprocalReplicationEnabled=$($_.ReciprocalReplicationEnabled) TransportType=$($_.TransportType) ReplicationIntervalSecs=$($_.ReplicationInterval.TotalSeconds) -NoNewLine
+	foreach ($site in $_.Sites) {
+		write-host ""Site=`"$($site.Name)`" -NoNewLine
+	}
+}
+Write-Host  #similar to above
+
+#
+# Output Information about Subnets in this site
+#
+
+$SiteInfoObj.Subnets | Foreach-Object {
+    write-Host $Date Type=`"Subnet`" ForestName=`"$ForestName`" Name=`"$($_.Name)`" Site=`"$SiteName`" Location=`"$($_.Location)`"
+}
diff --git a/deployment-apps/Splunk_TA_windows/bin/powershell/windows_bios_data.ps1 b/deployment-apps/Splunk_TA_windows/bin/powershell/windows_bios_data.ps1
new file mode 100644
index 00000000..f92ad9ae
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/powershell/windows_bios_data.ps1
@@ -0,0 +1,5 @@
+## This script fetches the Windows machine BIOS data using Get-WmiObject cmdlet
+
+$bios_data = Get-WmiObject -class win32_bios | format-list -property * | Out-String
+$bios_data = $bios_data.Trim()
+$bios_data -replace '(.*?)\s:(.*)', '$1 = $2'
diff --git a/deployment-apps/Splunk_TA_windows/bin/runpowershell.cmd b/deployment-apps/Splunk_TA_windows/bin/runpowershell.cmd
new file mode 100644
index 00000000..2118a5d9
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/runpowershell.cmd
@@ -0,0 +1,14 @@
+@ECHO OFF
+
+:: ######################################################
+:: #
+:: # Splunk for Microsoft Windows
+:: #
+:: # Copyright (C) 2021 Splunk, Inc.
+:: # All Rights Reserved
+:: #
+:: ######################################################
+
+set SplunkApp=Splunk_TA_windows
+
+%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionPolicy RemoteSigned -command ". '%SPLUNK_HOME%\etc\apps\%SplunkApp%\bin\powershell\%1'"
diff --git a/deployment-apps/Splunk_TA_windows/bin/user_account_control_property.py b/deployment-apps/Splunk_TA_windows/bin/user_account_control_property.py
new file mode 100644
index 00000000..969c28c4
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/user_account_control_property.py
@@ -0,0 +1,112 @@
+#
+# SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+# SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+#
+#
+import csv
+import sys
+import log
+import logging
+
+# Map for possible property flags
+property_flags = {
+    "1": "SCRIPT",
+    "2": "ACCOUNTDISABLE",
+    "8": "HOMEDIR_REQUIRED",
+    "16": "LOCKOUT",
+    "32": "PASSWD_NOTREQD",
+    "64": "PASSWD_CANT_CHANGE",
+    "128": "ENCRYPTED_TEXT_PWD_ALLOWED",
+    "256": "TEMP_DUPLICATE_ACCOUNT",
+    "512": "NORMAL_ACCOUNT",
+    "2048": "INTERDOMAIN_TRUST_ACCOUNT",
+    "4096": "WORKSTATION_TRUST_ACCOUNT",
+    "8192": "SERVER_TRUST_ACCOUNT",
+    "65536": "DONT_EXPIRE_PASSWORD",
+    "131072": "MNS_LOGON_ACCOUNT",
+    "262144": "SMARTCARD_REQUIRED",
+    "524288": "TRUSTED_FOR_DELEGATION",
+    "1048576": "NOT_DELEGATED",
+    "2097152": "USE_DES_KEY_ONLY",
+    "4194304": "DONT_REQ_PREAUTH",
+    "8388608": "PASSWORD_EXPIRED",
+    "16777216": "TRUSTED_TO_AUTH_FOR_DELEGATION",
+    "67108864": "PARTIAL_SECRETS_ACCOUNT",
+}
+
+
+def main():
+
+    logger = log.Log().get_logger("user_account_control_property")
+    logger.info("Lookup script started executing..")
+
+    # prints usage of the lookup script if wrong number of arguments provided
+    if len(sys.argv) != 3:
+        logger.debug(
+            "Usage: python user_account_control_property.py [userAccountControl] [userAccountPropertyFlag]"
+        )
+        logger.debug("Lookup script stopped..")
+        sys.exit(1)
+
+    # Lookup Field names
+    userAccountControl = sys.argv[1]
+    userAccountPropertyFlag = sys.argv[2]
+
+    infile = sys.stdin
+    outfile = sys.stdout
+
+    r = csv.DictReader(infile)
+
+    w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
+
+    w.writeheader()
+
+    # Decode flags for every 'userAccountControl' attribute value present in a search result
+    for result in r:
+        try:
+            if result[userAccountControl].isdigit():
+                attribute_value = int(result[userAccountControl])
+                bit_cnt = 0
+                incorrect_result_flag = False
+                flags = list()
+
+                # Prepare flag list by decoding 'userAccountcontrol' decimal value
+                # As 'userAccountControl' is decimal value, For each bit set to '1' a property flag can be denoted by using 'property_flags' map given above
+                while attribute_value != 0:
+                    if attribute_value & 1 == 1:
+                        flags.append(str(1 << bit_cnt))
+                    attribute_value = attribute_value >> 1
+                    bit_cnt += 1
+
+                # If flag not present in 'property_flags' map, The 'userAccountPropertyFlag' won't be populated in search result
+                for flag in flags:
+                    if flag not in list(property_flags.keys()):
+                        logger.debug(
+                            "'userAccountControl' attribute can not be decoded for value: {}".format(
+                                result[userAccountControl]
+                            )
+                        )
+                        incorrect_result_flag = True
+                        break
+                if incorrect_result_flag:
+                    continue
+                else:
+                    for flag in flags:
+                        result[userAccountPropertyFlag] = property_flags[flag]
+                        w.writerow(result)
+            else:
+                logger.debug(
+                    "'userAccountControl' attribute can not be decoded for value: {}".format(
+                        result[userAccountControl]
+                    )
+                )
+        except:
+            logger.debug(
+                "No results for 'userAccountControl' attribute value :{}".format(
+                    result[userAccountControl]
+                )
+            )
+
+
+if __name__ == "__main__":
+    main()
diff --git a/deployment-apps/Splunk_TA_windows/bin/win_installed_apps.bat b/deployment-apps/Splunk_TA_windows/bin/win_installed_apps.bat
new file mode 100644
index 00000000..2a233ea4
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/win_installed_apps.bat
@@ -0,0 +1,67 @@
+@echo off
+REM --------------------------------------------------------
+REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
+REM --------------------------------------------------------
+
+setlocal EnableDelayedExpansion
+
+REM For each app key, print out the name of the app and any parameters under the entry
+for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 72)
+
+REM Do the same as above but with 32-bit apps, first checking if the key exists
+reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" >nul 2>&1
+if %ERRORLEVEL% EQU 0 (
+  for /f "tokens=*" %%G in ('reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" ^| findstr "Uninstall\\"') do (call :output_reg "%%G" 84)
+)
+
+goto :eof
+
+:output_reg
+
+
+	REM Echo an empty line to indicate that this is a new entry
+	@echo.
+
+	REM Get the current date and time into into a variable
+	for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
+	set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
+
+	REM Print out the date & time
+	@echo %date_time%
+
+	REM Add the enumerated key
+	@echo Installed application enumerated from %1
+
+	REM Get the name of the app from the last segment in the registry path
+	set app_name=%1
+
+	REM Strips out the first x characters (from input) of the path in order to get just the app name
+	set "app_name=!app_name:~%2%,150!"
+
+	REM Strip the last quote
+	set "app_name=!app_name:~0,-1!"
+
+	REM Store a count value so that we can avoid printing the first entry
+	set count=0
+
+	REM This variable determines if the display name was found
+	set display_name_found=0
+
+	REM Now get the sub-keys
+        for /F "tokens=1,2*" %%A in ('reg query %1') do (
+           set /a count+=1
+
+        REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "<NO" (which indicates the item has no name)
+
+        REM Note that the display name was already found
+           if %%A==DisplayName (
+              set /a display_name_found=1
+              echo %%A="%%C"
+           ) else (
+
+             REM Skip the entry if it just repeats the name we are querying for or if it is blank or if is "<NO" (which indicates the item has no name)
+             if not "%%A" == %1 if not "%%A" == "" if not "%%A" == "<NO" if not "%%C" == "" if not %%A==DisplayName echo %%A=%%C
+           )
+        )
+	REM If the display name was not found, then use the name of the registry path name instead
+	if !display_name_found!==0 echo DisplayName="%app_name%"
diff --git a/deployment-apps/Splunk_TA_windows/bin/win_listening_ports.bat b/deployment-apps/Splunk_TA_windows/bin/win_listening_ports.bat
new file mode 100644
index 00000000..6e98d4ef
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/win_listening_ports.bat
@@ -0,0 +1,50 @@
+@echo off
+REM --------------------------------------------------------
+REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
+REM --------------------------------------------------------
+
+setlocal EnableDelayedExpansion
+
+REM Get the current date and time into a variable
+for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
+set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
+
+REM Get the Tasklist command output and store array with pid and processname
+for /f "tokens=1,2 delims=," %%T in ('tasklist /nh  /fo csv') do (
+     set topic[%%~U]=%%~T
+)
+
+REM Get the list of open ports by running netstat and filtering the results to those that contain actual ports (dropping the header)
+for /f "tokens=*" %%G in ('netstat -nao ^| findstr /r "LISTENING"') do (call :output_ports "%%G")
+goto :eof
+
+:output_ports
+
+	REM Parse the ports list
+	for /f "tokens=1,2,4,5 delims= " %%A in (%1) do (
+		set protocol=%%A
+		set dest=%%B
+		set status=%%C
+		set pid=%%D
+		set appname=!topic[%%D]!
+	)
+
+	REM Skip the header
+	if "!protocol!"=="Proto" goto :eof
+	if "!protocol!"=="Active" goto :eof
+
+	REM Parse the each port
+	for /f "tokens=1,2,3 delims=:" %%A in ("%dest%") do (
+		set dest_ip=%%A
+		set dest_port=%%B
+		set alt_dest_port=%%C
+
+		REM Some entries will exist in the [::]:0 format and thus throw off the parsing. Correct for this:
+		if "!dest_port!" == "]" set dest_port=!alt_dest_port!
+	)
+
+	REM Replace the dest IP with the empty IP range if necessary
+	if "!dest_ip!"=="[" set dest_ip=[::]
+
+	REM Print out the result
+	echo %date_time% transport=%protocol% dest_ip=%dest_ip% dest_port=%dest_port% pid=!pid! appname=%appname%
diff --git a/deployment-apps/Splunk_TA_windows/bin/win_timesync_configuration.bat b/deployment-apps/Splunk_TA_windows/bin/win_timesync_configuration.bat
new file mode 100644
index 00000000..f9c901e3
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/win_timesync_configuration.bat
@@ -0,0 +1,21 @@
+@echo off
+REM --------------------------------------------------------
+REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
+REM --------------------------------------------------------
+
+setlocal EnableDelayedExpansion
+
+REM Get the time service configuration and timezone.
+
+REM Get the date & time
+for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
+set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
+
+REM Print the date and time. This will be the timestamp of the event.
+echo Current time: %date_time%
+
+REM Print the Windows time service configuration
+w32tm /query /configuration /verbose
+
+REM Print the Windows time zone information
+w32tm /tz
diff --git a/deployment-apps/Splunk_TA_windows/bin/win_timesync_status.bat b/deployment-apps/Splunk_TA_windows/bin/win_timesync_status.bat
new file mode 100644
index 00000000..76c214a5
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/bin/win_timesync_status.bat
@@ -0,0 +1,28 @@
+@echo off
+REM --------------------------------------------------------
+REM Copyright (C) 2021 Splunk Inc. All Rights Reserved.
+REM --------------------------------------------------------
+
+setlocal EnableDelayedExpansion
+
+REM Get the last current time synchronization status
+REM
+REM Example:
+REM
+REM     Successful sync:
+REM         Last Successful Sync Time: 1/22/2014 12:06:43 PM
+REM     Unsuccessful sync:
+REM         Last Successful Sync Time: unspecified
+
+REM Get the date & time
+for /f "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /value 2^>nul`) do if '.%%i.'=='.LocalDateTime.' set date_time=%%j
+set date_time=%date_time:~0,4%-%date_time:~4,2%-%date_time:~6,2% %date_time:~8,2%:%date_time:~10,2%:%date_time:~12,6%
+
+REM Print the date and time. This will be the timestamp of the event.
+echo Current time: %date_time%
+
+REM Print the Windows time service status
+w32tm /query /status /verbose
+
+REM Print the time zone
+w32tm /tz
diff --git a/deployment-apps/Splunk_TA_windows/default/app.conf b/deployment-apps/Splunk_TA_windows/default/app.conf
new file mode 100644
index 00000000..0e77a800
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/default/app.conf
@@ -0,0 +1,28 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+
+[install]
+is_configured = false
+state = enabled
+build = 1690943997
+
+[ui]
+is_visible = false
+label = Splunk Add-on for Microsoft Windows
+docs_section_override = AddOns:released
+
+[launcher]
+author = Splunk, Inc.
+version = 8.8.0
+description = Splunk Add-on for Microsoft Windows
+
+[package]
+id = Splunk_TA_windows
+
+[id]
+name = Splunk_TA_windows
+version = 8.8.0
+
diff --git a/deployment-apps/Splunk_TA_windows/default/eventtypes.conf b/deployment-apps/Splunk_TA_windows/default/eventtypes.conf
new file mode 100644
index 00000000..be813bbe
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/default/eventtypes.conf
@@ -0,0 +1,761 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+## DO NOT EDIT THIS FILE!
+## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
+## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
+## into ../local and edit there.
+##
+
+###### Global Windows Eventtype ######
+
+[windows_event_signature]
+search = sourcetype=WinEventLog OR sourcetype=XmlWinEventLog OR sourcetype=WMI:WinEventLog:System OR sourcetype=WMI:WinEventLog:Security OR sourcetype=WMI:WinEventLog:Application OR sourcetype=wineventlog OR sourcetype=xmlwineventlog
+#tags = track_event_signatures
+
+[wineventlog_windows]
+search = eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security OR eventtype=wineventlog-ds OR eventtype=wineventlog-dfs OR eventtype=wineventlog-keymanagement OR eventtype=wineventlog-filereplication OR eventtype=wineventlog-dns
+#tags = os windows
+
+[wineventlog_application]
+search = source=WinEventLog:Application OR source=WMI:WinEventLog:Application OR source=XmlWinEventLog:Application
+#tags = os windows
+
+[wineventlog_system]
+search = source=WinEventLog:System OR source=WMI:WinEventLog:System OR source=XmlWinEventLog:System
+#tags = os windows
+
+[wineventlog_security]
+search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security
+#tags = os windows
+
+[perfmon_windows]
+search = sourcetype=Perfmon:* OR sourcetype=PerfmonMk:* OR sourcetype=WMI:Perfmon*
+#tags = os windows
+
+[hostmon_windows]
+search = sourcetype=WinHostMon
+#tags = os windows
+
+[hostmon_os]
+search = sourcetype=WinHostMon Type=OperatingSystem
+#tags = os windows memory performance
+
+[hostmon_inventory]
+search = sourcetype=WinHostMon (Type=OperatingSystem OR Type=Processor)
+#tags = os inventory cpu memory
+
+[hostmon_disk]
+search = sourcetype=WinHostMon (Type=Disk)
+#tags = inventory performance storage
+
+[netmon_windows]
+search = sourcetype=WinNetMon
+#tags = os windows
+
+[printmon_windows]
+search = sourcetype=WinPrintMon
+#tags = os windows
+
+[script_windows]
+search = sourcetype=Script:* source=*.bat
+#tags = os windows
+
+[wmi_windows]
+search = sourcetype=WMI:*
+#tags = os windows
+
+[windowsupdatelog_windows]
+search = sourcetype=WindowsUpdateLog
+#tags = os windows
+
+[winregistry_windows]
+search = sourcetype=WinRegistry
+#tags = os windows endpoint change registry
+
+[winapp]
+search = eventtype=wineventlog_application
+
+[winsec]
+search = eventtype=wineventlog_security
+#tags = security
+
+[winsystem]
+search = eventtype=wineventlog_system
+
+
+###### DHCP ######
+[msdhcp]
+search = sourcetype=msdhcp
+#tags = dhcp network session windows
+
+[msdhcp_start]
+search = sourcetype=msdhcp (msdhcp_id=10 OR msdhcp_id=11 OR msdhcp_id=13)
+#tags = start
+
+[msdhcp_end]
+search = sourcetype=msdhcp (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17)
+#tags = end
+
+[DhcpSrvLog]
+search = sourcetype=DhcpSrvLog
+#tags = windows
+
+[DhcpSrvLog_dhcp]
+search = sourcetype=DhcpSrvLog (msdhcp_id=13 OR msdhcp_id=14 OR msdhcp_id=15)
+#tags = dhcp network session
+
+[DhcpSrvLog_start]
+search = sourcetype=DhcpSrvLog (msdhcp_id=10 OR msdhcp_id=11)
+#tags = dhcp network session start
+
+[DhcpSrvLog_end]
+search = sourcetype=DhcpSrvLog (msdhcp_id=12 OR msdhcp_id=16 OR msdhcp_id=17 OR msdhcp_id=18)
+#tags = dhcp network session end
+
+
+###### Security: Account Logon ######
+
+## Authentication Ticket Granted/Failed
+## EventCodes 4768, 4772, 672, 676
+[windows_auth_ticket_granted]
+search = eventtype=wineventlog_security (EventCode=4768 OR EventCode=672 OR EventCode=676)
+#tags = authentication
+
+## Service Ticket Granted/Failed
+## EventCodes 4769, 4773, 673, 677
+[windows_service_ticket_granted]
+search = eventtype=wineventlog_security (EventCode=4769 OR EventCode=4773 OR EventCode=673 OR EventCode=677)
+#tags = authentication
+
+## Ticket Granted Renewed
+## EventCodes 4770, 674
+[windows_ticket_renewed]
+search = eventtype=wineventlog_security (EventCode=4770 OR EventCode=674)
+## tags intentionally left blank
+#tags =
+
+## Pre-authentication failed
+## EventCodes 4771, 675
+[windows_pre_auth_failed]
+search = eventtype=wineventlog_security (EventCode=4771 OR EventCode=675)
+#tags = authentication
+
+## Account Mapped for Logon by
+## EventCodes 4774, 678
+[windows_account_mapped]
+search = eventtype=wineventlog_security (EventCode=4774 OR EventCode=678)
+## tags intentionally left blank
+#tags = authentication
+
+## The name: %2 could not be mapped for logon by: %1
+## EventCodes 4775, 679
+[windows_account_notmapped]
+search = eventtype=wineventlog_security (EventCode=4775 OR EventCode=679)
+#tags = authentication
+
+## Account Used for Logon by
+## The domain controller attempted/failed to validate the credentials for an account
+## The logon to account: %2 by: %1 from workstation: %3 failed.
+## EventCodes 4776, 4777, 680, 681
+[windows_account_used4logon]
+search = eventtype=wineventlog_security (EventCode=4776 OR EventCode=4777 OR EventCode=680 OR EventCode=681)
+#tags = authentication
+
+## Session reconnected to winstation
+## EventCodes 4778, 682
+[windows_session_reconnected]
+search = eventtype=wineventlog_security (EventCode=4778 OR EventCode=682)
+## tags intentionally left blank
+#tags =
+
+## Session disconnected from winstation
+## EventCodes 4779, 683
+[windows_session_disconnected]
+search = eventtype=wineventlog_security (EventCode=4779 OR EventCode=683)
+#tags = access stop logoff
+
+
+###### Security: Account Management ######
+[windows_account_management]
+search = eventtype=wineventlog_security (ta_windows_security_CategoryString="Account Management" OR TaskCategory="User Account Management")
+#tags = account change management
+
+## User/Computer Account Created
+## EventCodes 4720, 4741, 624, 645
+[windows_account_created]
+search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4741 OR EventCode=624 OR EventCode=645)
+#tags = add account change
+
+
+## User Account Enabled
+## EventCodes 4722, 626
+[windows_account_enabled]
+search = eventtype=wineventlog_security (EventCode=4722 OR EventCode=626)
+#tags = enable account change
+
+## Change Password Attempt
+## EventCodes 4723, 627
+[windows_account_password_change]
+search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=627)
+#tags = password modify account change
+
+## User Account password set
+## EventCodes 4724, 628
+[windows_account_password_set]
+search = eventtype=wineventlog_security (EventCode=4724 OR EventCode=628)
+#tags = password modify account change
+
+## User Account Disabled
+## EventCodes 4725, 629
+[windows_account_disabled]
+search = eventtype=wineventlog_security (EventCode=4725 OR EventCode=629)
+#tags = disable account change
+
+## User/Computer Account Deleted
+## EventCodes 4726, 4743, 630, 647
+[windows_account_deleted]
+search = eventtype=wineventlog_security (EventCode=4726 OR EventCode=4743 OR EventCode=630 OR EventCode=647)
+#tags = delete account change
+
+## User/Computer Account Changed
+## EventCodes 4738, 4742, 642, 646, 625
+[windows_account_modified]
+search = eventtype=wineventlog_security (EventCode=4738 OR EventCode=4742 OR EventCode=642 OR EventCode=646 OR EventCode=625)
+#tags = modify account change
+
+## User Account Locked Out
+## EventCodes 4740, 644
+[windows_account_lockout]
+search = eventtype=wineventlog_security (EventCode=4740 OR EventCode=644)
+#tags = lock lockout account change
+
+## User Account Unlocked
+## EventCodes 4767, 671
+[windows_account_unlocked]
+search = eventtype=wineventlog_security (EventCode=4767 OR EventCode=671)
+#tags = modify account change
+
+
+###### Security: Audit (Event Log) ######
+
+## The event logging service has shut down
+## EventCode 1100
+[windows_audit_log_stopped]
+search = eventtype=wineventlog_security EventCode=1100
+#tags = stop stopped watchlist
+
+## Audit events have been dropped by the transport.
+## The security Log is now full
+## The event logging service encountered an error
+## EventCodes 1101, 1104, 1108
+[windows_audit_errors]
+search = eventtype=wineventlog_security (EventCode=1101 OR EventCode=1104 OR EventCode=1108)
+#tags = audit error
+
+## The audit log was cleared
+## EventCodes 1102, 517
+[windows_audit_log_cleared]
+search = eventtype=wineventlog_security (EventCode=1102 OR EventCode=517)
+#tags = audit change delete cleared watchlist
+
+## Event log automatic backup
+## EventCode 1105
+[windows_audit_backup]
+search = eventtype=wineventlog_security EventCode=1105
+#tags = audit backup change
+
+## Logon/Logoff audit logs
+## EventCode 4625
+[windows_audit_log_logon]
+search = eventtype=wineventlog_security EventCode=4625 (ta_windows_status=0xC0000064 OR ta_windows_status=0xC000006A OR ta_windows_status=0xC000006F OR ta_windows_status=0xC0000070 OR ta_windows_status=0xC0000071 OR ta_windows_status=0xC0000072 OR ta_windows_status=0XC000018C OR ta_windows_status=0XC0000192 OR ta_windows_status=0xC0000193 OR ta_windows_status=0xC0000234 OR ta_windows_status=0XC00002EE OR ta_windows_status=0XC0000413)
+#tags = audit change
+
+
+###### Security: Logon/Logoff ######
+
+## User Logoff/User initiated logoff
+## EventCodes 4634, 4647, 538, 551
+[windows_logoff]
+search = eventtype=wineventlog_security (EventCode=4634 OR EventCode=4647 OR EventCode=538 OR EventCode=551)
+#tags = access stop logoff
+
+## A logon was attempted using explicit credentials
+## EventCodes 4648, 552
+[windows_logon_explicit]
+search = eventtype=wineventlog_security (EventCode=4648 OR EventCode=552)
+#tags = authentication privileged
+
+## An account failed to log on
+## EventCodes 4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539
+[windows_logon_failure]
+search = eventtype=wineventlog_security ((EventCode=4625 AND ta_windows_action!=error) OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
+#tags = authentication
+
+## An account was successfully logged on
+## EventCodes 4624, 528, 540
+[windows_logon_success]
+search = eventtype=wineventlog_security (EventCode=4624 OR EventCode=528 OR EventCode=540)
+#tags = authentication
+
+
+###### Security: Object Access ######
+
+## Object Open
+## EventCodes 4656, 560
+[windows_object_open]
+search = eventtype=wineventlog_security (EventCode=4656 OR EventCode=560)
+#tags = resource file access start
+
+## Handle Closed
+## EventCodes 4658, 562
+[windows_handle_closed]
+search = eventtype=wineventlog_security (EventCode=4658 OR EventCode=562)
+#tags = resource file access stop
+
+
+###### Security: Policy Change ######
+
+## Audit Policy Change/The audit policy (SACL) on an object was changed
+## EventCodes 4715, 4719, 612
+[windows_audit_policy_change]
+search = eventtype=wineventlog_security (EventCode=4715 OR EventCode=4719 OR EventCode=612)
+#tags = policy configuration modify audit change
+
+## System security access was granted to an account
+## EventCodes 4717, 621
+[windows_security_access_granted]
+search = eventtype=wineventlog_security (EventCode=4717 OR EventCode=621)
+#tags = access authorization add change account
+
+## System security access was removed from an account
+## EventCodes 4718, 622
+[windows_security_access_removed]
+search = eventtype=wineventlog_security (EventCode=4718 OR EventCode=622)
+#tags = access authorization delete change account
+
+## Per User Audit Policy was changed
+## EventCodes 4912, 807
+[windows_audit_policy_changed]
+search = eventtype=wineventlog_security (EventCode=4912 OR EventCode=807)
+#tags = policy configuration modify audit change
+
+## The following policy was active when the Windows Firewall started
+## EventCodes 848, 849, 850
+[windows_firewall_policy_active]
+search = eventtype=wineventlog_security (EventCode=848 OR EventCode=849 OR EventCode=850)
+#tags = application firewall configuration report
+
+## A change has been made to Windows Firewall
+## EventCodes 4946, 4947, 4948, 851, 852
+[windows_firewall_policy_change]
+search = eventtype=wineventlog_security (EventCode=4946 OR EventCode=4947 OR EventCode=4948 OR EventCode=851 OR EventCode=852)
+#tags = application firewall configuration modify
+
+## The Windows Firewall has detected an application listening for incoming traffic
+## EventCodes 4957, 861
+[windows_firewall_port_listening]
+search = eventtype=wineventlog_security (EventCode=4957 OR EventCode=861)
+#tags = application firewall port listening report
+
+
+###### Security: Privilege Use ######
+
+## Special privileges assigned to new logon
+## EventCodes 4672, 576
+[windows_special_privileges]
+search = eventtype=wineventlog_security (EventCode=4672 OR EventCode=576)
+#tags = authentication privileged
+
+## Privileged Service Called
+## EventCodes 4673, 577
+[windows_privileged_service_call]
+search = eventtype=wineventlog_security (EventCode=4673 OR EventCode=577)
+#tags = process execute start privileged
+
+## Privileged object operation
+## EventCodes 4674, 578
+[windows_privileged_object_operation]
+search = eventtype=wineventlog_security (EventCode=4674 OR EventCode=578)
+#tags = resource execute start privileged
+
+
+###### Security: Process Tracking ######
+
+## A new process has been created
+## EventCodes 4688, 592
+[windows_process_new]
+search = eventtype=wineventlog_security (EventCode=4688 OR EventCode=592)
+#tags = process execute start
+
+## A process has exited
+## EventCodes 4689, 593
+[windows_process_exit]
+search = eventtype=wineventlog_security (EventCode=4689 OR EventCode=593)
+#tags = process execute stop
+
+## A process was assigned a primary token
+## EventCodes 4696, 600
+[windows_process_token]
+search = eventtype=wineventlog_security (EventCode=4696 OR EventCode=600)
+#tags = process execute start privileged
+
+
+###### Security: System ######
+
+## An authentication package has been loaded by the Local Security Authority
+## EventCodes 4610, 514
+[windows_auth_package]
+search = eventtype=wineventlog_security (EventCode=4610 OR EventCode=514)
+#tags = process execute start
+
+## A trusted logon process has registered with the Local Security Authority
+## EventCodes 4611, 515
+[windows_logon_process]
+search = eventtype=wineventlog_security (EventCode=4611 OR EventCode=515)
+#tags = process authorization add
+
+## A notification package has been loaded by the Security Account Manager
+## EventCodes 4614, 518
+[windows_notification_package]
+search = eventtype=wineventlog_security (EventCode=4614 OR EventCode=518)
+#tags = process execute start
+
+
+###### Security:  Vulnerability ######
+## System security domain policy was changed
+## EventCode 4739
+[windows_security_misconfiguration_password_minimum_length]
+search = eventtype=wineventlog_security EventCode="4739" (Min__Password_Length<7 OR Mixed_Domain_Mode<7)
+#tags = misconfiguration password policy vulnerability report audit change
+
+
+###### System: Time ######
+
+## EventCode 35, 37
+[windows_time_sync]
+search = (eventtype=wineventlog_system (SourceName=W32Time OR SourceName=Microsoft-Windows-Time-Service) (EventCode=35 OR EventCode=37)) OR (sourcetype=Script:TimesyncStatus windows_action=success)
+#tags = report time synchronize success performance
+
+## EventCodes 17, 29, 36, 38
+[windows_time_failure]
+search = (eventtype=wineventlog_system (SourceName=W32Time OR Microsoft-Windows-Time-Service) (EventCode=17 OR EventCode=29 OR EventCode=36 OR EventCode=38)) OR (sourcetype=Script:TimesyncStatus windows_action=failure)
+#tags = report time synchronize failure performance
+
+
+###### System: Update ######
+[windows_system_update]
+search = eventtype=wineventlog_system "Windows Update Agent"
+#tags = system update
+
+## EventCodes 17, 18, 19
+[windows_system_update_status]
+search = eventtype=wineventlog_system "Windows Update Agent" (EventCode=17 OR EventCode=18 OR EventCode=19)
+#tags = status
+
+[windows_updatelog]
+search = sourcetype=WindowsUpdateLog
+#tags = system update
+
+[windows_updatelog_status]
+search = sourcetype=WindowsUpdateLog "Content Install" NOT "Download Succeeded" NOT "Reboot Completed" NOT "Hide Update"
+#tags = status
+
+## WMI:Update
+[wmi_installed_packages]
+search = sourcetype=WMI:InstalledUpdates
+#tags = system update status
+
+
+###### Splunk WMI ######
+
+## ComputerSystem
+[wmi_computersystem]
+search = sourcetype=WMI:ComputerSystem
+#tags = performance memory
+
+## CPUTime
+[perfmon_cputime]
+search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime)
+#tags = performance cpu report
+
+[perfmon_cputime_anomalous]
+search = (sourcetype=Perfmon:CPU OR sourcetype=PerfmonMk:CPU OR sourcetype=Perfmon:CPUTime) windows_cpu_load_percent>90
+#tags = anomalous
+
+[wmi_cputime]
+search = sourcetype=WMI:CPUTime
+#tags = performance cpu report
+
+[wmi_cputime_anomalous]
+search = sourcetype=WMI:CPUTime windows_percent_processor_time>90
+#tags = anomalous
+
+## System
+[perfmon_system]
+search = sourcetype=Perfmon:System OR sourcetype=PerfmonMk:System
+#tags = performance cpu report
+
+## Disk
+[perfmon_freediskspace]
+search = sourcetype=Perfmon:FreeDiskSpace
+#tags = performance storage disk report
+
+[perfmon_freediskspace_anomalous]
+search = sourcetype=Perfmon:FreeDiskSpace windows_storage_free_percent<10
+#tags = anomalous
+
+[perfmon_logicaldisk]
+search = sourcetype=Perfmon:LogicalDisk OR sourcetype=PerfmonMk:LogicalDisk
+#tags = performance storage disk
+
+##ProcessorInformation
+[perfmon_processorinformation]
+search = (sourcetype=Perfmon:ProcessorInformation OR sourcetype=PerfmonMk:ProcessorInformation)
+#tags = performance cpu report process
+
+[wmi_freediskspace]
+search = sourcetype=WMI:FreeDiskSpace
+#tags = performance storage disk report
+
+[wmi_freediskspace_anomalous]
+search = sourcetype=WMI:FreeDiskSpace windows_storage_free_percent<10
+#tags = anomalous
+
+[wmi_logicaldisk]
+search = sourcetype=WMI:LogicalDisk
+#tags = performance storage disk
+
+## Listening Ports
+[script_listeningports]
+search = sourcetype=Script:ListeningPorts
+#tags = port listening report
+
+## Local Processes
+[wmi_localprocesses]
+search = sourcetype=WMI:LocalProcesses
+#tags = process report
+
+[wmi_localprocesses_anomalous]
+search = sourcetype=WMI:LocalProcesses (windows_cpu_load_percent>50) NOT windows_app=*Total
+#tags = anomalous
+
+## Memory
+[perfmon_memory]
+search = sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory
+#tags = performance memory report
+
+[perfmon_memory_anomalous]
+search = (sourcetype=Perfmon:Memory OR sourcetype=PerfmonMk:Memory) windows_mem_free<104857600
+#tags = anomalous
+
+[wmi_memory]
+search = sourcetype=WMI:Memory
+#tags = performance memory report
+
+[wmi_memory_anomalous]
+search = sourcetype=WMI:Memory windows_mem_free<104857600
+#tags = anomalous
+
+## Service
+[wmi_service]
+search = sourcetype=WMI:Service
+#tags = service report
+
+[wmi_service_status_anomalous]
+search = sourcetype=WMI:Service Status=* NOT Status=OK
+#tags = anomalous
+
+[wmi_service_state_anomalous]
+search = sourcetype=WMI:Service windows_start_mode=Auto windows_state=* NOT windows_state=Running
+#tags = anomalous
+
+## Network
+[perfmon_network]
+search = sourcetype=Perfmon:Network OR sourcetype=PerfmonMk:Network
+#tags = performance network
+
+[perfmon_network_throughput]
+search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Bytes Total/sec" OR Bytes_Total/sec = *)
+#tags = performance network
+
+[perfmon_network_bandwidth]
+search = (sourcetype=Perfmon:LocalNetwork OR sourcetype=PerfmonMk:Network OR sourcetype=Perfmon:Network) (counter="Current Bandwidth" OR Current_Bandwidth=*)
+#tags = performance network
+
+[wmi_network_throughput]
+search = sourcetype=WMI:LocalNetwork BytesTotalPersec=*
+#tags = performance network
+
+[wmi_network_bandwidth]
+search = sourcetype=WMI:LocalNetwork CurrentBandwidth=*
+#tags = performance network
+
+## Process
+[perfmon_process]
+search = sourcetype=Perfmon:Process OR sourcetype=PerfmonMk:Process
+#tags = performance process report
+
+## Uptime
+[wmi_uptime]
+search = sourcetype=WMI:Uptime
+#tags = performance uptime report
+
+[wmi_uptime_anomalous]
+search = sourcetype=WMI:Uptime windows_uptime>2592000
+#tags = anomalous
+
+## User Accounts
+[wmi_useraccounts]
+search = sourcetype=WMI:UserAccounts
+#tags = account report inventory user
+
+## Version
+[wmi_version]
+search = sourcetype=WMI:Version
+#tags = system version report inventory
+
+[microsoft_windows_hostmon_process]
+search = sourcetype=WinHostMon source=process
+#tags = process report
+
+[microsoft_windows_hostmon_service]
+search = sourcetype=WinHostMon source=service
+#tags = service report
+
+[microsoft_windows_hostmon_service_time]
+search = sourcetype=WinHostMon source=service Name=W32Time
+#tags = time synchronize os performance
+
+
+### AD/DNS eventtypes###
+
+[wineventlog-ds]
+search = source="WinEventLog:Directory Service" OR source="XmlWinEventLog:Directory Service"
+
+[powershell]
+search = source=Powershell
+
+[msad-dc-health]
+search = eventtype=powershell sourcetype="MSAD:*:Health"
+
+[msad-rep-health]
+search = eventtype=powershell sourcetype="MSAD:*:Replication"
+
+[msad-site]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo"
+
+[msad-subnetinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Subnet"
+
+[msad-sitelinkinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="SiteLink"
+
+[msad-siteinfo]
+search = eventtype=powershell sourcetype="MSAD:*:SiteInfo" Type="Site"
+
+[msad-subnet-affinity]
+search = sourcetype="MSAD:*:Netlogon" msad_affinity=NO_CLIENT_SITE
+
+[admon-gpo]
+search = eventtype=admon objectCategory="*CN=Group-Policy-Container*"
+
+[admon-group]
+search = eventtype=admon objectCategory="*CN=Group*"
+
+[admon-computer]
+search = eventtype=admon objectCategory="*CN=Computer*"
+
+[admon-user]
+search = eventtype=admon objectCategory="*CN=Person*"
+
+[admon]
+search = sourcetype=ActiveDirectory
+
+[perfmon]
+search = sourcetype="Perfmon:*" OR sourcetype="PerfmonMk:*"
+
+[ad-files]
+search = sourcetype=MSAD:NT6:Replication OR sourcetype=MSAD:NT6:Health OR sourcetype=MSAD:NT6:SiteInfo OR sourcetype=MSAD:NT6:Netlogon OR sourcetype=ActiveDirectory OR sourcetype=MSAD:NT6:DNS-Health OR sourcetype=MSAD:NT6:DNS-Zone-Information OR sourcetype=MSAD:NT6:DNS
+
+[perfmon-ntds]
+search = eventtype=perfmon (sourcetype="Perfmon:NTDS" OR sourcetype="PerfmonMk:NTDS")
+
+[nt6-dns-events]
+search = sourcetype=MSAD:NT6:DNS
+
+[wineventlog-dns]
+search = source="WinEventLog:DNS Server" OR source="XmlWinEventLog:DNS Server"
+
+[msad-dns-zoneinfo]
+search = eventtype=powershell sourcetype="MSAD:*:DNS-Zone-Information"
+
+[msad-dns-health]
+search = eventtype=powershell sourcetype="MSAD:*:DNS-Health"
+
+[msad-dns-debuglog]
+search = eventtype=ad-files sourcetype="MSAD:*:DNS"
+
+[perfmon-dns]
+search = eventtype=perfmon (sourcetype="Perfmon:DNS" OR sourcetype="PerfmonMk:DNS")
+
+[wineventlog-dfs]
+search = source="WinEventLog:DFS Replication" OR source="XmlWinEventLog:DFS Replication"
+
+[wineventlog-filereplication]
+search = source="WinEventLog:File Replication Service" OR source="XmlWinEventLog:File Replication Service"
+
+[wineventlog-keymanagement]
+search = source="WinEventLog:Key Management Service" OR source="XmlWinEventLog:Key Management Service"
+
+[endpoint_services_processes]
+search = source="WMI:WinEventLog:Security" OR sourcetype="WinEventLog" OR sourcetype="XmlWinEventLog"
+
+## Endpoint Processes
+[windows_endpoint_processes]
+search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security") (EventCode=4688 OR EventCode=4689 OR EventCode=4696 OR EventCode=4673 OR EventCode=4674)
+#tags = process report
+
+## Endpoint Services
+[windows_endpoint_services]
+search = (source="WinEventLog:Security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:System" OR source="XmlWinEventLog:System") (EventCode=1100 OR EventCode=4697 OR EventCode=5024 OR EventCode=5025 OR EventCode=5030 OR EventCode=5033 OR EventCode=5034 OR EventCode=5035 OR EventCode=5478 OR EventCode=7036 OR EventCode=7040 OR EventCode=7045)
+#tags = service report
+
+## Security-CIM Mappings
+
+## Endpoint Registry
+[windows_security_endpoint_registry]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4657 OR (EventCode=4670 AND (Object_Type="Registry" OR ObjectType="Registry")))
+#tags = endpoint registry
+
+## Endpoint Port
+[windows_security_endpoint_port]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5158)
+#tags = listening port
+
+## Change Audit
+[windows_security_change_audit]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=1101 OR EventCode=1108 OR EventCode=4719 OR EventCode=1102)
+#tags = change audit
+
+## Change
+[windows_security_change]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=5461 OR EventCode=4698 OR EventCode=4700 OR EventCode=4701 OR EventCode=4702 OR EventCode=4799)
+#tags = change
+
+## Authentication
+[windows_security_authentication]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) (EventCode=4624 OR EventCode=4625)
+#tags = authentication
+
+## Change Account - ADDON-42191
+[windows_security_change_account]
+search = (source=WinEventLog:Security OR source=XmlWinEventLog:Security) AND EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801)
+#tags = change account
+
+## System-CIM Mapping
+
+# Change Audit - ADDON-48489
+[windows_system_change_audit]
+search = (source=WinEventLog:System OR source=XmlWinEventLog:System) (EventCode=104)
+#tags = change audit
diff --git a/deployment-apps/Splunk_TA_windows/default/inputs.conf b/deployment-apps/Splunk_TA_windows/default/inputs.conf
new file mode 100644
index 00000000..3f26ec4e
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/default/inputs.conf
@@ -0,0 +1,442 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+## DO NOT EDIT THIS FILE!
+## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
+## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
+## into ../local and edit there.
+##
+
+
+
+###### OS Logs ######
+[WinEventLog://Application]
+disabled = 1
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+renderXml=true
+
+[WinEventLog://Security]
+disabled = 1
+start_from = oldest
+current_only = 0
+evt_resolve_ad_obj = 1
+checkpointInterval = 5
+blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
+blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
+renderXml=true
+
+[WinEventLog://System]
+disabled = 1
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+renderXml=true
+
+
+###### Forwarded WinEventLogs (WEF) ######
+[WinEventLog://ForwardedEvents]
+disabled = 1
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
+renderXml=true
+host=WinEventLogForwardHost
+
+
+###### WinEventLog Inputs for Active Directory ######
+
+## Application and Services Logs - DFS Replication
+[WinEventLog://DFS Replication]
+disabled = 1
+renderXml=true
+
+## Application and Services Logs - Directory Service
+[WinEventLog://Directory Service]
+disabled = 1
+renderXml=true
+
+## Application and Services Logs - File Replication Service
+[WinEventLog://File Replication Service]
+disabled = 1
+renderXml=true
+
+## Application and Services Logs - Key Management Service
+[WinEventLog://Key Management Service]
+disabled = 1
+renderXml=true
+
+
+###### WinEventLog Inputs for DNS ######
+[WinEventLog://DNS Server]
+disabled=1
+renderXml=true
+
+
+###### DHCP ######
+[monitor://$WINDIR\System32\DHCP]
+disabled = 1
+whitelist = DhcpSrvLog*
+crcSalt = <SOURCE>
+sourcetype = DhcpSrvLog
+
+
+###### Windows Update Log ######
+## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
+[monitor://$WINDIR\WindowsUpdate.log]
+disabled = 1
+sourcetype = WindowsUpdateLog
+
+## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
+## Below stanza will automatically generate WindowsUpdate.log daily
+[powershell://generate_windows_update_logs]
+script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
+schedule = 0 */24 * * *
+disabled = 1
+
+## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
+[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
+disabled = 1
+sourcetype = WindowsUpdateLog
+
+
+###### Monitor Inputs for Active Directory ######
+[monitor://$WINDIR\debug\netlogon.log]
+sourcetype=MSAD:NT6:Netlogon
+disabled=1
+
+
+###### Monitor Inputs for DNS ######
+[MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
+sourcetype=MSAD:NT6:DNS
+disabled=1
+
+
+###### Scripted Input (See also wmi.conf)
+[script://.\bin\win_listening_ports.bat]
+disabled = 1
+## Run once per hour
+interval = 3600
+sourcetype = Script:ListeningPorts
+
+[script://.\bin\win_installed_apps.bat]
+disabled = 1
+## Run once per day
+interval = 86400
+sourcetype = Script:InstalledApps
+
+[script://.\bin\win_timesync_status.bat]
+disabled = 1
+## Run once per hour
+interval = 3600
+sourcetype = Script:TimesyncStatus
+
+[script://.\bin\win_timesync_configuration.bat]
+disabled = 1
+## Run once per hour
+interval = 3600
+sourcetype = Script:TimesyncConfiguration
+
+[script://.\bin\netsh_address.bat]
+disabled = 1
+## Run once per day
+interval = 86400
+sourcetype = Script:NetworkConfiguration
+
+###### Scripted/Powershell Mod inputs Active Directory ######
+
+## Replication Information NT6
+[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:Replication
+interval=300
+disabled=1
+
+## Replication Information 2012r2 and 2016
+[powershell://Replication-Stats]
+script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
+schedule = 0 */5 * ? * *
+source = Powershell
+sourcetype=MSAD:NT6:Replication
+disabled=1
+
+## Health and Topology Information NT6
+[script://.\bin\runpowershell.cmd nt6-health.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:Health
+interval=300
+disabled=1
+
+## Health and Topology Information 2012r2 and 2016
+[powershell://AD-Health]
+script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
+schedule = 0 */5 * ? * *
+source=Powershell
+sourcetype=MSAD:NT6:Health
+disabled=1
+
+
+## Site, Site Link and Subnet Information NT6
+[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:SiteInfo
+interval=3600
+disabled=1
+
+## Site, Site Link and Subnet Information 2012r2 and 2016
+[powershell://Siteinfo]
+script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
+schedule = 0 15 * ? * *
+source = Powershell
+sourcetype=MSAD:NT6:SiteInfo
+disabled=1
+
+
+##### Scripted Inputs for DNS #####
+
+## DNS Zone Information Collection
+[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:DNS-Zone-Information
+interval=3600
+disabled=1
+
+## DNS Health Information Collection
+[script://.\bin\runpowershell.cmd dns-health.ps1]
+source=Powershell
+sourcetype=MSAD:NT6:DNS-Health
+interval=3600
+disabled=1
+
+
+###### Host monitoring ######
+[WinHostMon://Computer]
+interval = 600
+disabled = 1
+type = Computer
+
+[WinHostMon://Process]
+interval = 600
+disabled = 1
+type = Process
+
+[WinHostMon://Processor]
+interval = 600
+disabled = 1
+type = Processor
+
+[WinHostMon://NetworkAdapter]
+interval = 600
+disabled = 1
+type = NetworkAdapter
+
+[WinHostMon://Service]
+interval = 600
+disabled = 1
+type = Service
+
+[WinHostMon://OperatingSystem]
+interval = 600
+disabled = 1
+type = OperatingSystem
+
+[WinHostMon://Disk]
+interval = 600
+disabled = 1
+type = Disk
+
+[WinHostMon://Driver]
+interval = 600
+disabled = 1
+type = Driver
+
+[WinHostMon://Roles]
+interval = 600
+disabled = 1
+type = Roles
+
+###### Print monitoring ######
+[WinPrintMon://printer]
+type = printer
+interval = 600
+baseline = 1
+disabled = 1
+
+[WinPrintMon://driver]
+type = driver
+interval = 600
+baseline = 1
+disabled = 1
+
+[WinPrintMon://port]
+type = port
+interval = 600
+baseline = 1
+disabled = 1
+
+###### Network monitoring ######
+[WinNetMon://inbound]
+direction = inbound
+disabled = 1
+
+[WinNetMon://outbound]
+direction = outbound
+disabled = 1
+
+###### Splunk 5.0+ Performance Counters ######
+## CPU
+[perfmon://CPU]
+counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = Processor
+useEnglishOnly=true
+
+## Logical Disk
+[perfmon://LogicalDisk]
+counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = LogicalDisk
+useEnglishOnly=true
+
+## Physical Disk
+[perfmon://PhysicalDisk]
+counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = PhysicalDisk
+useEnglishOnly=true
+
+## Memory
+[perfmon://Memory]
+counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
+disabled = 1
+interval = 10
+mode = multikv
+object = Memory
+useEnglishOnly=true
+
+## Network
+[perfmon://Network]
+counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = Network Interface
+useEnglishOnly=true
+
+## Process
+[perfmon://Process]
+counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = Process
+useEnglishOnly=true
+
+## ProcessInformation
+[perfmon://ProcessorInformation]
+counters = % Processor Time; Processor Frequency
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = Processor Information
+useEnglishOnly=true
+
+## System
+[perfmon://System]
+counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
+disabled = 1
+instances = *
+interval = 10
+mode = multikv
+object = System
+useEnglishOnly=true
+
+
+###### Perfmon Inputs from TA-AD/TA-DNS ######
+[perfmon://Processor]
+object = Processor
+counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
+instances = *
+interval = 10
+disabled = 1
+mode = multikv
+useEnglishOnly=true
+
+[perfmon://Network_Interface]
+object = Network Interface
+counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
+instances = *
+interval = 10
+disabled = 1
+mode = multikv
+useEnglishOnly=true
+
+[perfmon://DFS_Replicated_Folders]
+object = DFS Replicated Folders
+counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
+instances = *
+interval = 30
+disabled = 1
+mode = multikv
+useEnglishOnly=true
+
+[perfmon://NTDS]
+object = NTDS
+counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run
+interval = 10
+disabled = 1
+mode = multikv
+useEnglishOnly=true
+
+[perfmon://DNS]
+object = DNS
+counters = Total Query Received; Total Query Received/sec; UDP Query Received; UDP Query Received/sec; TCP Query Received; TCP Query Received/sec; Total Response Sent; Total Response Sent/sec; UDP Response Sent; UDP Response Sent/sec; TCP Response Sent; TCP Response Sent/sec; Recursive Queries; Recursive Queries/sec; Recursive Send TimeOuts; Recursive TimeOut/sec; Recursive Query Failure; Recursive Query Failure/sec; Notify Sent; Zone Transfer Request Received; Zone Transfer Success; Zone Transfer Failure; AXFR Request Received; AXFR Success Sent; IXFR Request Received; IXFR Success Sent; Notify Received; Zone Transfer SOA Request Sent; AXFR Request Sent; AXFR Response Received; AXFR Success Received; IXFR Request Sent; IXFR Response Received; IXFR Success Received; IXFR UDP Success Received; IXFR TCP Success Received; WINS Lookup Received; WINS Lookup Received/sec; WINS Response Sent; WINS Response Sent/sec; WINS Reverse Lookup Received; WINS Reverse Lookup Received/sec; WINS Reverse Response Sent; WINS Reverse Response Sent/sec; Dynamic Update Received; Dynamic Update Received/sec; Dynamic Update NoOperation; Dynamic Update NoOperation/sec; Dynamic Update Written to Database; Dynamic Update Written to Database/sec; Dynamic Update Rejected; Dynamic Update TimeOuts; Dynamic Update Queued; Secure Update Received; Secure Update Received/sec; Secure Update Failure; Database Node Memory; Record Flow Memory; Caching Memory; UDP Message Memory; TCP Message Memory; Nbstat Memory; Unmatched Responses Received
+interval = 10
+disabled = 1
+mode = multikv
+useEnglishOnly=true
+
+
+[admon://default]
+disabled = 1
+monitorSubtree = 1
+
+
+[WinRegMon://default]
+disabled = 1
+hive = .*
+proc = .*
+type = rename|set|delete|create
+
+[WinRegMon://hkcu_run]
+disabled = 1
+hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
+proc = .*
+type = set|create|delete|rename
+
+[WinRegMon://hklm_run]
+disabled = 1
+hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
+proc = .*
+type = set|create|delete|rename
+
+[powershell://windows_bios_data]
+script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\windows_bios_data.ps1"
+schedule = 0 */24 * * *
+source = Powershell
+sourcetype = win:bios
+disabled = 1
diff --git a/deployment-apps/Splunk_TA_windows/default/macros.conf b/deployment-apps/Splunk_TA_windows/default/macros.conf
new file mode 100644
index 00000000..02f422b2
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/default/macros.conf
@@ -0,0 +1,38 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+##
+##
+[events-search(6)]
+args = LogName, EventHost, TaskCategory, SourceName, EventCode, Type
+definition = eventtype="wineventlog_windows" source="*inEventLog:$LogName$" (host="$EventHost$" OR ComputerName="$EventHost$") TaskCategory="$TaskCategory$" SourceName="$SourceName$" EventCode="$EventCode$" Type="$Type$"
+
+[compute-ingestion-stats]
+# The below post-process can be used to compute generic statistics about event ingestion
+# The search computes event rate (count and size) in 5 minute chunks by assigning each event a weight of 1/300.0 and then computing the sum. This is the best way to get this into a sparkline.
+definition = eval temp=1/300.0, event_size=len(_raw) | eval event_size_temp=len(_raw)/300.0 | stats sparkline(sum(temp), 5m) as "Events per second", sparkline(sum(event_size_temp), 5m) as "Event throughput (kbps)", sum(event_size) as TotalBytes, sum(temp) as tempsum by sourcetype | eval "Total MB"=round(TotalBytes/1024.0/1024.0,2) | addinfo | eval APS=tempsum/(info_max_time-info_min_time) | eval "Average events per second"=round(APS*300.0,2) | fields sourcetype "Events per second" "Event throughput (kbps)" "Average events per second" "Total MB"
+
+[netmon-hosts-search]
+definition = eventtype=netmon_windows | stats count by host | sort +host
+
+[event-hosts-search]
+definition = eventtype=wineventlog_windows | stats count by host | sort +host
+
+[log-names-search]
+definition = eventtype=wineventlog_windows | stats count by LogName | sort +LogName
+
+[source-names-search(1)]
+args = LogName
+definition = eventtype=wineventlog_windows LogName="$LogName$" | stats count by SourceName | sort +SourceName
+
+[task-categories-search(2)]
+args = LogName, SourceName
+definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" | stats count by TaskCategory | sort +TaskCategory
+
+[event-codes-search(3)]
+args = LogName, SourceName, TaskCategory
+definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" | stats count by EventCode | sort +EventCode
+
+[event-types-search(4)]
+args = LogName, SourceName, TaskCategory, EventCode
+definition = eventtype=wineventlog_windows LogName="$LogName$" SourceName="$SourceName$" TaskCategory="$TaskCategory$" EventCode="$EventCode$" | stats count by Type | sort +Type
diff --git a/deployment-apps/Splunk_TA_windows/default/props.conf b/deployment-apps/Splunk_TA_windows/default/props.conf
new file mode 100644
index 00000000..dcd40cda
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/default/props.conf
@@ -0,0 +1,1946 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+## DO NOT EDIT THIS FILE!
+## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
+## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
+## into ../local and edit there.
+##
+###########################
+## Active Directory
+###########################
+
+[ActiveDirectory]
+LOOKUP-user_account_control_property = user_account_control_property userAccountControl OUTPUT userAccountPropertyFlag
+
+
+###########################
+## DHCP
+###########################
+
+[DhcpSrvLog]
+SHOULD_LINEMERGE = false
+MAX_TIMESTAMP_LOOKAHEAD = 20
+EVENT_BREAKER_ENABLE = true
+TRANSFORMS-0dhcp_discard_headers = dhcp_discard_headers
+REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp
+REPORT_1microsoft_dhcp_dest_dns = microsoft_dhcp_dest_dns
+LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature
+FIELDALIAS-windows-dhcp = ip AS dest_ip, mac AS raw_mac, nt_host AS dest_nt_host
+FIELDALIAS-win-sign-id = msdhcp_id AS signature_id
+FIELDALIAS-dhcp-user = msdhcp_user AS user
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "DHCP"
+EVAL-vendor_product = "Microsoft DHCP"
+EVAL-dest_mac = lower(case(match(raw_mac, "^\w{12,}$"), replace(raw_mac, "^.*(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})$", "\1:\2:\3:\4:\5:\6"), true(), replace(raw_mac, "-|\.|\s", ":")))
+EVAL-dest = coalesce(if(nt_host!="BAD_ADDRESS", nt_host, null()), ip, lower(case(match(raw_mac, "^\w{12}$"), rtrim(replace(raw_mac, "(\w{2})", "\1:"), ":"), true(), replace(raw_mac, "-|\.|\s", ":"))))
+EVAL-quarantine_info = case(qresult == 0, "NoQuarantine", qresult == 1, "Quarantine", qresult == 2, "Drop Packet", qresult == 3, "Probation", qresult == 6, "No Quarantine Information",  true(), qresult)
+EVAL-action = case(msdhcp_id IN (13,15,12,16,18), "blocked", msdhcp_id IN (10,11), "added")
+EVAL-dest_nt_host = case(nt_host!="BAD_ADDRESS", nt_host)
+EVAL-reason = case(nt_host=="BAD_ADDRESS", nt_host)
+
+
+###########################
+## Splunk Windows Event Log
+###########################
+
+## Host override for WinEventLog events collected using WEF
+[host::WinEventLogForwardHost]
+TRANSFORMS-change_host_for_windows_wef = WinEventHostOverride
+TRANSFORMS-change_xml_host_for_windows_wef = WinEventXmlHostOverride
+
+## consistent sourcetypes for common extractions XmlWinEventLog or WinEventLog
+## format source using sourcetype value, so we know whether its XML or not
+## this stanza will ensure the new extractions are backwards compatible; we will know what to do regardless of what source/sourcetype
+## the mod input sets and new sources will be accommodated as well
+[(?::){0}WinEventLog:*]
+TRANSFORMS-Fixup = ta-windows-fix-classic-source,ta-windows-fix-sourcetype
+
+[(?::){0}XmlWinEventLog:*]
+TRANSFORMS-XmlFixup = ta-windows-fix-xml-source,ta-windows-fix-sourcetype
+
+
+## Fields common to all WinEventLogs
+[WinEventLog]
+LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
+FIELDALIAS-category_for_windows = TaskCategory as category
+FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
+FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
+LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
+FIELDALIAS-severity_id_for_windows = EventType AS severity_id
+FIELDALIAS-id_for_windows = RecordNumber AS id
+REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
+
+## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
+LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
+
+## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
+EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
+
+FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
+
+## Field Mapping for Endpoint Data Model
+## For Services, Processes and Filesystem Datasets
+FIELDALIAS-service_id_for_windows = Service_ID AS service_id
+FIELDALIAS-service_for_windows = Service_Name AS service, Service_Name AS service_name
+FIELDALIAS-process_for_windows = Process AS process
+EVAL-process_name = if(EventCode==4688, New_Process_Name, Process_Name)
+FIELDALIAS-parent_process_for_windows = Creator_Process_Name AS parent_process
+FIELDALIAS-user_id_for_windows = User_ID AS user_id
+EVAL-vendor_product = "Microsoft Windows"
+
+[XmlWinEventLog]
+KV_MODE = none
+REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
+REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
+
+REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber
+REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode
+REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status
+
+LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
+FIELDALIAS-category_for_windows = TaskCategory as category
+FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,Computer AS dvc
+FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
+LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
+FIELDALIAS-severity_id_for_windows = EventType AS severity_id
+FIELDALIAS-id_for_windows = RecordNumber AS id
+REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
+
+## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
+LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
+
+## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
+EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
+
+FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
+
+## Field Mapping for Endpoint Data Model
+## For Services, Processes and Filesystem Datasets
+FIELDALIAS-service_for_windows = ServiceName AS service, ServiceName AS service_name
+FIELDALIAS-service_id_for_windows = ServiceSid AS service_id
+EVAL-process_name = if(EventCode==4688, NewProcessName, ProcessName)
+FIELDALIAS-parent_process_for_windows = ParentProcessName AS parent_process
+FIELDALIAS-user_id_for_windows = UserID  AS user_id
+EVAL-vendor_product = "Microsoft Windows"
+
+##Below fields extractions have been moved from  [source::WinEventLog:System], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]  and [source::*:System]
+## windows system sub-sourcetyping
+[source::WinEventLog:System]
+TRANSFORMS-force_source_system_ias_for_wineventlog = force_source_system_ias_for_wineventlog
+
+REPORT-bestmatch_for_windows_system = ComputerName_as_dest
+REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
+REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
+REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
+LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
+REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
+FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body
+
+REPORT-1service_name_eventcode_7036 = service_name_eventcode_7036
+REPORT-1service_name_eventcode_7040 = service_name_eventcode_7040
+EVAL-status = case(EventCode=="7036" AND status=="running","started",EventCode=="7036" AND status=="stopped","stopped",EventCode=="104","success")
+
+LOOKUP-0start_mode_for_eventcode_7040_service_windows = windows_start_mode_lookup StartType AS start_type2 OUTPUTNEW start_mode
+LOOKUP-1start_mode_for_eventcode_7045_service_windows = windows_start_mode_lookup StartType AS Service_Start_Type OUTPUTNEW start_mode
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "Windows"
+
+# Legacy field aliases to support ES 2.0.2, Winfra
+FIELDALIAS-package_for_windows = signature_id AS package
+FIELDALIAS-package_title_for_windows = signature AS package_title
+
+
+## Below Extractions are for XmlWinEventLog:System and have been kept for backward compatibility
+# Extractions to add fields used by generic system extraction
+REPORT-signature_message_from_xml = updatelist_from_user_data
+REPORT-signature_from_xml = updatetitle_from_user_data
+FIELDALIAS-updateTitle_as_signature = updateTitle ASNEW signature
+
+EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
+# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
+# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
+LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
+
+REPORT-bestmatch_for_windows_system_xml = Computer_as_dest
+
+
+## Below Extractions are for WinEventLog:System:IAS and have been kept for backward compatibility
+REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias
+
+EVAL-user = case(EventCode IN (7040,7045),case(user!="-",user),true(),user)
+EVAL-user_name = if(EventCode==104, User, user_name)
+EVAL-result = if(EventCode==104, "log file was cleared", result)
+EVAL-object_category = if(EventCode==104, "audit log", object_category)
+EVAL-action = if(EventCode==104, "cleared", action)
+EVAL-change_type = case(EventCode==104, "audit", true(), change_type)
+EVAL-app = if(SourceName="IAS","ias",null())
+
+EXTRACT-object_for_windows_system = (?ms)EventCode=104(?:\n|\r).*(?:Message=The\s(?<object>.+)\sfile)
+
+##### Explanation for SEDCMD Extractions #####
+## clean_info_text_from_winsystem_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing
+
+
+##### SEDCMD Extractions #####
+#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g
+
+## Apply the following properties to all WinEventLog events
+## In addition to WinEventLog properties located in $SPLUNK_HOME/etc/system/default/props.conf
+[source::(WMI:WinEventLog|WinEventLog)...]
+
+## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
+REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
+REPORT-MESSAGE =
+
+###########################
+## Windows XML Event Log
+###########################
+##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:System],  [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
+[source::XmlWinEventLog:System]
+
+# Extractions to add fields used by generic system extraction
+REPORT-signature_message_from_xml = updatelist_from_user_data
+REPORT-signature_from_xml = updatetitle_from_user_data
+FIELDALIAS-updateTitle_as_signature = updateTitle ASNEW signature
+
+EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
+# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
+# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
+LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
+
+
+REPORT-bestmatch_for_windows_system_xml = Computer_as_dest
+REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
+REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
+REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
+LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
+REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
+EVAL-body = coalesce('signature_message','Message')
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "Windows"
+
+# Legacy field aliases to support ES 2.0.2, Winfra
+FIELDALIAS-package_title_for_windows = signature AS package_title
+FIELDALIAS-package_for_windows = signature_id AS package
+
+REPORT-service_name = ServiceName_as_service_name
+EVAL-status = case(EventCode=="7036" AND param2=="running","started",EventCode=="7036" AND param2=="stopped","stopped", EventCode==104, "success")
+
+LOOKUP-0start_mode_for_eventcode_7045_service_windows_xml = windows_start_mode_lookup StartType OUTPUTNEW start_mode
+LOOKUP-1start_mode_for_eventcode_7040_service_windows_xml = windows_start_mode_lookup StartType AS param3 OUTPUTNEW start_mode
+
+EVAL-action = case(EventCode==104, "cleared")
+EVAL-object_category = case(EventCode==104, "audit log")
+EVAL-result = case(EventCode==104, "log file was cleared")
+EVAL-change_type = case(EventCode==104, "audit", true(), change_type)
+
+REPORT-channel_from_user_data = channel_from_user_data
+EVAL-object = case(EventCode==104, user_data_channel + " log")
+
+EXTRACT-user_from_SubjectUserName = <EventID>104<\/EventID>.*<SubjectUserName>(?<user>.*?)<\/SubjectUserName>
+EXTRACT-user_name_from_SubjectUserName = <EventID>104<\/EventID>.*<SubjectUserName>(?<user_name>.*?)<\/SubjectUserName>
+
+##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*],[source::*:Security], [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
+[source::XmlWinEventLog:Security]
+
+REPORT-logfilecleared_block_extract = logfilecleared_xml_block
+REPORT-logfilecleareddata_for_xml = LogFileClearedData_from_user_data
+
+## privilege
+REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege
+
+# Extractions to add fields used by generic security extraction
+REPORT-Source_Port_from_xml = IpPort_as_Source_Port
+REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type
+REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name
+REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type
+REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID
+REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain
+REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain
+REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name
+REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name
+REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation
+
+EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
+# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
+# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
+LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
+LOOKUP-CategoryString_for_windows_xml_security = windows_signature_lookup signature_id OUTPUTNEW CategoryString as ta_windows_security_CategoryString
+
+## action, status
+## Override action to allow audit log changes to correspond to Change Analysis data model
+LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW  action,change_type,object_category
+LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
+LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
+LOOKUP-object_for_windows3_security = xmlsecurity_change_audit_and_account_management_lookup EventCode OUTPUTNEW object_attrs,result
+
+## privilege
+REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
+REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
+LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
+
+FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
+REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "Windows"
+
+FIELDALIAS-body_for_windows_security = Message AS body
+FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status
+EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
+
+## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
+LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
+LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
+LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
+LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
+LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
+
+## Set the following fields based on order of operations
+REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
+REPORT-dest_for_windows_security = Target_Server_Name_as_dest,Computer_as_dest
+REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
+REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
+REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
+REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
+REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain
+REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
+REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
+REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
+EVAL-user_group = coalesce(TargetUserName,New_Account_Name,Target_Account_Name)
+REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
+REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
+REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
+REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
+REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
+LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
+EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
+REPORT-member_user_name = special_user_from_member_name
+
+LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
+
+##Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
+LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
+
+EXTRACT-dest_port_for_windows_security_from_xml = <Data Name='DestPort'>(?<dest_port>[^<]+)<\/Data>
+EXTRACT-object_attrs_for_windows_security_from_xml = <Data Name='RuleName'>(?<object_attrs>[^<]+)<\/Data>
+EXTRACT-1IpAddress_for_windows_security_from_xml =\<Data Name\=[}}\{\{'"]IpAddress['}}\{\{"]\>(?!\:\:1)(?!127\.0\.0\.1)(?<src_ip>[^\<]+)\<\/Data\>
+EXTRACT-process_for_windows_security_from_xml = <Data Name='ProcessName'>(?<process>[^<]+)<\/Data>
+EXTRACT-new_process_for_windows_security_from_xml = <Data Name='NewProcessName'>(?<new_process>[^<]+)<\/Data>
+EXTRACT-parent_process_for_windows_security_from_xml = <Data Name='ParentProcessName'>(?<parent_process>[^<]+)<\/Data>
+EXTRACT-new_process_id_for_windows_security_from_xml = <Data Name='NewProcessId'>(?<new_process_id>[^<]+)<\/Data>
+EXTRACT-process_id_for_windows_security_from_xml = <Data Name='ProcessId'>(?<process_id>[^<]+)<\/Data>
+EXTRACT-process_command_line_for_xml = <Data Name='CommandLine'>(?<Process_Command_Line>[^<]+)<\/Data>
+
+EVAL-authentication_method = case(EventCode IN (4624, 4625), AuthenticationPackageName, true(), authentication_method)
+
+## XML Security-CIM Mappings
+REPORT-parent_process_name_windows_xml = extract_parent_process_name_for_windows_xml
+REPORT-new_process_name_windows_xml = extract_new_process_name_for_windows_xml
+REPORT-target_process_name_windows_xml = extract_target_process_name_for_windows_xml
+REPORT-caller_user_name_from_user_data_xml = SubjectUserName_from_user_data
+REPORT-file_name_and_path = object_file_name_and_path_from_ObjectName_for_xml,file_name_and_path_from_FileName_for_xml,file_name_and_path_from_KeyFilePath_for_xml
+REPORT-process_command_line_process_and_arguments = process_command_line_process_and_arguments
+
+EVAL-object_attrs = if(EventCode IN (4720,4738), null(),if(EventCode=4717, AccessGranted, (if(EventCode==4718, AccessRemoved, (if(isnotnull(SamAccountName) AND NOT EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799), SamAccountName, if(EventCode IN (4728,4729,4732,4733,4756,4757), TargetUserName, if(EventCode IN (4698,4700,4701), TaskContent, if(EventCode==4702, TaskContentNew, if(EventCode==4719, "Category="+CategoryId+",Subcategory="+SubcategoryId+",Subcategory GUID="+SubcategoryGuid+",Changes="+AuditPolicyChanges,object_attrs))))))))))
+EVAL-registry_path = if(EventCode==4657,ObjectName,registry_path)
+EVAL-registry_value_name = if(EventCode==4657,ObjectValueName,registry_value_name)
+EVAL-registry_value_type = if(EventCode==4657,NewValueType,registry_value_type)
+EVAL-src = case(EventCode IN (4727,4728,4729,4730,4731,4733,4734,4735,4737,4754,4755,4756,4757,4758,4764,4799), dest, EventCode==4778, ClientAddress, EventCode == 4624, IpAddress, EventCode==4625, WorkstationName, 1=1, src)
+EVAL-file_name = coalesce(file_name,if(ObjectType=="File",object_file_name,null()),ShareName)
+EVAL-file_path = coalesce(file_path,if(ObjectType=="File",object_file_path,null()),ShareLocalPath)
+EVAL-src_port = if(EventCode=5158 OR EventCode=5156, SourcePort, src_port)
+EVAL-process = case(EventCode==4688, coalesce(if(match(process_command_line_process,"(\\\)"), Process_Command_Line, (if(match(NewProcessName,"\s"), "\"" + NewProcessName + "\"", NewProcessName)) + " " + process_command_line_arguments), NewProcessName) , EventCode==4696, TargetProcessName, true(), coalesce(process, Process, ProcessName))
+EVAL-process_path = case(EventCode==4688, new_process, EventCode==4696, TargetProcessName, true(), coalesce(process, Process, ProcessName))
+EVAL-process_id = case(EventCode==4688, new_process_id, EventCode==4696, TargetProcessId, true(), process_id)
+EVAL-service = if(isnotnull(service),service, Service)
+
+EVAL-parent_process = case(EventCode==4696,ProcessName,true(),parent_process)
+EVAL-parent_process_id = case(EventCode==4688 OR EventCode==4696,ProcessId)
+EVAL-parent_process_name = case(EventCode==4696,replace(ProcessName,"(?:.*\\\)?(.*)","\1"),true(),parent_process_name)
+EVAL-parent_process_path = case(EventCode==4688,parent_process,EventCode==4696,ProcessName)
+EVAL-process_exec = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(ProcessName,"(?:.*\\\)?(.*)","\1"))
+EVAL-process_name = case(EventCode=4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(ProcessName,"(?:.*\\\)?(.*)","\1"),true(),ProcessName)
+
+EVAL-user = case(EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764),null(),EventCode==4688,if(user=="-" OR isnull(user),src_user,user),EventCode IN (1102,4673,4674,4689,4697,4698,4700,4701,4702,4719,4799), case(SubjectUserName!="-",SubjectUserName),EventCode==4696,case(user!="-",user),EventCode IN (4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4767), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (4728, 4729, 4732, 4733, 4756, 4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"),-1), if(like(member_user_name, "%\%"), null(), member_user_name)), true(), user)
+EVAL-user_name = case(EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4738,4740,4767,4800,4801), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (1102,4719,4698,4700,4701,4702,4799), SubjectUserName, EventCode IN (4728, 4729, 4732, 4733, 4756, 4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"),-1), if(like(member_user_name, "%\%"), null(), member_user_name)), true(), user_name)
+EVAL-src_user = case(EventCode IN (4624,4625,4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4733,4734,4735,4737,4738,4754,4755,4756,4757,4758,4764,4767,4781), case(SubjectUserName!="-",SubjectUserName), EventCode IN (4634,4800,4801), TargetUserName, true(),src_user)
+EVAL-src_user_name = case(EventCode IN (4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4738,4740,4754,4755,4756,4757,4758,4764,4767,4781), SubjectUserName, EventCode IN (4634,4800,4801), TargetUserName, true(),src_user_name)
+EVAL-src_nt_domain = case(EventCode IN (4634,4800,4801), TargetDomainName, EventCode IN (4727,4728,4729,4730,4731,4733,4734,4735,4737,4754,4755,4756,4757,4758,4764), SubjectDomainName, true(), src_nt_domain)
+EVAL-object = case(EventCode IN (4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4727,4730,4731,4734,4735,4737,4738,4740,4754,4755,4758,4764,4767,4799), TargetUserName, EventCode==4781, NewTargetUserName, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(MemberSid, "%\%"), mvindex(split(MemberSid, "\\"), -1), if(like(member_user_name, "%\%"), null(), member_user_name)), EventCode IN (4800,4801), Computer, EventCode IN (4698,4700,4701,4702),TaskName, EventCode==1102, "audit log", EventCode==4719, "Windows Security Audit Policy", true(), object)
+EVAL-object_id = case(EventCode IN (4704, 4705, 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4730, 4731, 4734, 4735, 4737, 4738, 4754, 4755, 4758, 4764, 4767, 4781, 4799), TargetSid, EventCode IN (4634,4703), TargetUserSid, EventCode IN (4728,4729,4732,4733,4756,4757), MemberSid, true(), object_id)
+
+EVAL-action = case(EventCode=="4688" AND Keywords=="0x8020000000000000","allowed")
+
+## Assigning Group_Name based on EventCodes as not all EventCodes have GroupName same as TargetUserName and GroupDomain same as TargetDomainName
+EVAL-Group_Name=case(isnotnull(TargetUserName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetUserName, 1=1, Group_Name)
+EVAL-Group_Domain=case(isnotnull(TargetDomainName) AND ((EventCode>=4727 AND EventCode<=4735) OR EventCode==4737 OR (EventCode>=4744 AND EventCode<=4764) OR EventCode==4799), TargetDomainName, 1=1, Group_Domain)
+
+EVAL-user_type= case(EventCode IN (4741, 4742, 4743), "computer")
+
+LOOKUP-start_mode_for_windows_xml = windows_endpoint_service_service_type_lookup Service_Start_Type AS ServiceStartType OUTPUTNEW start_mode
+LOOKUP-service_name =  windows_endpoint_service_service_name_lookup EventCode OUTPUTNEW service, service_name
+LOOKUP-transport_for_endpoint_pot = windows_endpoint_port_transport_lookup Protocol OUTPUTNEW transport
+LOOKUP-action_for_windows00_security = windows_wineventlog_change_action_lookup EventCode OUTPUTNEW action, status
+
+##Below fields extractions have been moved from [(?::){0}XmlWinEventLog:*]
+[source::XmlWinEventLog:Application]
+EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
+# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
+# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
+LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
+
+FIELDALIAS-dest_for_xmlwineventlog_application = Computer AS dest
+
+###### All Windows Event Log ######
+
+###### Windows Application Event Log ######
+
+## All Windows Application
+
+##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
+[source::WinEventLog:Application]
+EVAL-dest = coalesce('ComputerName','Computer')
+
+## Below Extractions are for XmlWinEventLog:Application and have been kept for backward compatibility
+EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
+# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
+# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
+LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
+
+
+
+##Below fields extractions have been moved from  [source::*:Security] and [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]
+[source::WinEventLog:Security]
+
+LOOKUP-CategoryString_for_windows_legacy_security = windows_signature_lookup signature_id OUTPUTNEW CategoryString as ta_windows_security_CategoryString
+LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
+
+## Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
+LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
+
+
+## action, status
+
+## Security-CIM Mappings
+LOOKUP-action_for_windows00_security = windows_wineventlog_change_action_lookup EventCode OUTPUTNEW action, status
+
+## Override action to allow audit log changes to correspond to Change Analysis data model
+LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW  action,change_type,object_category
+LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
+LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
+
+## privilege
+REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
+REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
+LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
+
+FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
+REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "Windows"
+
+FIELDALIAS-body_for_windows_security = Message AS body
+FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status
+EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
+
+## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
+LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
+LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
+LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
+LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
+LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
+
+## Set the following fields based on order of operations
+REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
+REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest
+REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
+REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
+REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
+REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
+REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,New_Security_ID_as_src_nt_domain,Security_ID_as_src_nt_domain
+REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
+REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
+REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Special_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
+EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name)
+REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
+REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
+REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
+REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
+REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
+LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
+EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
+
+REPORT-subject_fields = subject_fields_extraction
+REPORT-target_fields = target_fields_extraction
+REPORT-group_fields = group_fields_extraction
+REPORT-new_account_fields = new_account_fields_extraction
+REPORT-member_fields = member_fields_extraction
+REPORT-account_locked_out_fields = account_locked_out_fields_extraction
+REPORT-task_fields = task_fields_extraction
+REPORT-new_task_fields = new_task_fields_extraction
+
+EVAL-user = case(EventCode==4799,Subject_Account_Name,EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764),null(),EventCode==4688,if(user=="-" OR isnull(user),src_user,user),EventCode IN (4689,4696,4673,4674,4697),case(user!="-",user), EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%") OR user=="-", null(), user)), true(),user)
+EVAL-user_name = case(EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode==4720, New_Account_Account_Name, EventCode==4740, Account_Locked_Out_Name, EventCode IN (1102,4634,4698,4700,4701,4702,4719,4799,4800,4801), Subject_Account_Name, EventCode==104, User, EventCode IN (4728,4729,4732,4733,4756,4757), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%")OR user=="-", null(), user)), true(),user_name)
+EVAL-src_user = case(EventCode IN (4634,4703,4704,4705,4722,4723,4724,4725,4726,4727,4728,4729,4730,4731,4733,4734,4735,4737,4738,4754,4755,4756,4757,4758,4764,4767,4781,4800,4801), Subject_Account_Name, true(),src_user)
+EVAL-src_user_name = case(EventCode IN (4730,4727,4755,4754,4758,4764,4735,4737,4731,4734,4728,4729,4733,4756,4757,4634,4703,4704,4705,4720,4722,4723,4724,4725,4726,4732,4738,4740,4767,4781,4800,4801), Subject_Account_Name, true(),src_user_name)
+EVAL-object = case(EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799), Group_Name, EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767), Target_Account_Name, EventCode==4781, Target_New_Account_Name, EventCode==4720, New_Account_Account_Name, EventCode==4740, Account_Locked_Out_Name, EventCode IN (4800,4801), ComputerName, EventCode==4634, Subject_Account_Name, EventCode IN (4698,4700,4701,4702), Task_Name, EventCode==1102, "audit log", EventCode==4719, "Windows Security Audit Policy", EventCode IN (4732,4729,4757,4756,4728,4733), if(like(Member_Security_ID, "%\%"), mvindex(split(Member_Security_ID, "\\"),-1), if(like(user, "%\%") OR user=="-", null(), user)), true(),object)
+EVAL-object_id = case(EventCode IN (4728,4729,4733,4756,4757),Member_Security_ID, EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799), Group_Security_ID, EventCode IN (4703,4704,4705,4722,4723,4724,4725,4726,4738,4767,4781), Target_Security_ID, EventCode==4720, New_Account_Security_ID, EventCode==4732, Member_Security_ID, EventCode==4740, Account_Locked_Out_Security_ID, EventCode==4634, Subject_Security_ID, true(), object_id)
+EVAL-authentication_method = case(EventCode IN (4624,4625), Authentication_Package, true(), authentication_method)
+EVAL-src_nt_domain = case(EventCode IN (4634,4720,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4740,4754,4755,4756,4757,4758,4764,4800,4801), Subject_Account_Domain, true(), src_nt_domain)
+EVAL-src = case(EventCode IN (4729,4799,4730,4727,4755,4754,4758,4764,4735,4737,4731,4734,4757,4756,4728,4733), ComputerName, true(), src)
+
+EXTRACT-dest_port_for_windows_security = (?s)Network Information:.*?Destination Port:\s+(?<dest_port>\S+).*?(?:(?:\r*\n){2})
+EXTRACT-object_attrs_for_windows_security = Rule Name:\s+(?<object_attrs>[^$]+)$
+EXTRACT-process_for_windows_security = (?s)Application Information:.*?Process Name:\s+(?<process>\S+).*?(?:(?:\r*\n){2})
+EXTRACT-0process_id_for_windows_security = (?s)Application Information:.*?Process ID:\s+(?<process_id>\S+).*?(?:(?:\r*\n){2})
+EXTRACT-process_id_for_windows_security = (?s)Process Information:.*?Process ID:\s+(?<process_id>\S+).*?(?:(?:\r*\n){2})
+EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Security ID:\s*(?<Group_Domain>.*)\\(?<Group_Name>[^\n\r]+)
+
+## Below Extractions are for XmlWinEventLog:Security and have been kept for backward compatibility
+## privilege
+REPORT-0privilege_for_windows_security_xml= PrivilegeList_as_vendor_privilege
+
+# Extractions to add fields used by generic security extraction
+REPORT-Source_Port_from_xml = IpPort_as_Source_Port
+REPORT-Token_Elevation_Type_from_xml = TokenElevationType_as_Token_Elevation_Type
+REPORT-Target_Server_Name_from_xml = TargetServerName_as_Target_Server_Name
+REPORT-Logon_Type_from_xml = LogonType_as_Logon_Type
+REPORT-Logon_ID_from_xml = SubjectLogonId_as_Logon_ID
+REPORT-Caller_Domain_from_xml = SubjectDomainName_as_Caller_Domain
+REPORT-Target_Domain_from_xml = TargetDomainName_as_Target_Domain
+REPORT-Caller_User_Name_from_xml = SubjectUserName_as_Caller_User_Name
+REPORT-Target_User_Name_from_xml = TargetUserName_as_Target_User_Name
+REPORT-Source_Workstation_from_xml = Workstation_as_Source_Workstation,WorkstationName_as_Source_Workstation,IpAddress_as_Source_Workstation
+
+EVAL-Error_Code = case(isnotnull(Status), Status, isnotnull(Error_Code), Error_Code, true(), "-")
+
+# LOOKUP-action_for_windows_xmlsecurity = xmlsecurity_eventcode_action_lookup EventCode OUTPUTNEW action, action AS status
+# LOOKUP-action_for_windows_xmlsecurity_multi_input = xmlsecurity_eventcode_action_lookup_multiinput EventCode, Error_Code OUTPUTNEW action, action as status
+LOOKUP-action_for_windows_xmlsecurity_input = xmlsecurity_eventcode_errorcode_action_lookup EventCode, Error_Code OUTPUTNEW action, action as status
+EVAL-action = case(EventCode=="4688" AND Keywords=="Audit Success","allowed",EventCode=="4688" AND Keywords=="Audit Failure","blocked")
+
+REPORT-dest_for_windows_xml_security = Target_Server_Name_as_dest,Computer_as_dest
+
+EXTRACT-dest_port_for_windows_security_from_xml = <Data Name='DestPort'>(?<dest_port>[^<]+)<\/Data>
+EXTRACT-object_attrs_for_windows_security_from_xml = <Data Name='RuleName'>(?<object_attrs>[^<]+)<\/Data>
+EXTRACT-1IpAddress_for_windows_security_from_xml =\<Data Name\=[}}\{\{'"]IpAddress['}}\{\{"]\>(?!\:\:1)(?!127\.0\.0\.1)(?<src_ip>[^\<]+)\<\/Data\>
+EXTRACT-process_for_windows_security_from_xml = <Data Name='ProcessName'>(?<process>[^<]+)<\/Data>
+EXTRACT-process_id_for_windows_security_from_xml = <Execution ProcessID='(?<process_id>\d+)'
+
+
+##### Explanation for SEDCMD Extractions #####
+## windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:"
+## windows_security_event_formater_null_sid_id: This will replace all values like "Security ID:NULL SID" to "Security ID:" and all values like "Logon ID:0x0" to "Logon ID:"
+## cleansrcip: This will replace all values like "Source Network Address: ::1" or "Source Network Address:127.0.0.1" to "Source Network Address:"
+## cleansrcport: This will replace all values like "Source Port:0" to "Source Port:"
+## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues
+## clean_info_text_from_winsecurity_events_certificate_information: This will delete all the infomation text at the end of event starting from "Certificate information is..." before indexing
+## clean_info_text_from_winsecurity_events_token_elevation_type: This will delete all the infomation text at the end of event starting from "Token Elevation Type indicates..." before indexing
+## clean_info_text_from_winsecurity_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing
+## cleanxmlsrcport: This will replace all values like <Data Name='IpPort'>0<\/Data> to <Data Name='IpPort'><\/Data> in XmlWinEventLog:Security
+## cleanxmlsrcip: This will replace all values like <Data Name='IpAddress'>::1<\/Data> or <Data Name='IpAddress'>127.0.0.1<\/Data> to <Data Name='IpAddress'><\/Data> in XmlWinEventLog:Security
+
+
+##### SEDCMD Extractions #####
+#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
+#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
+#SEDCMD-cleansrcip = s/(Source Network Address:	(\:\:1|127\.0\.0\.1))/Source Network Address:/
+#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
+#SEDCMD-remove_ffff = s/::ffff://g
+#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
+#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
+#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
+
+## For XmlWinEventLog:Security
+#SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
+#SEDCMD-cleanxmlsrcip = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
+
+## Security-CIM Mappings
+REPORT-parent_process_name = extract_parent_process_name
+REPORT-new_process_name = extract_new_process_name
+REPORT-target_process_name = extract_target_process_name
+REPORT-process_command_line_process_and_arguments = process_command_line_process_and_arguments
+REPORT-file_name_and_path = object_name_and_path_from_object_name,file_name_and_path_from_file_name,file_name_and_path_from_file_path
+
+EVAL-process = case(EventCode==4688, coalesce(if(match(process_command_line_process,"(\\\)"), Process_Command_Line, (if(match(New_Process_Name,"\s"), "\"" + New_Process_Name + "\"", New_Process_Name)) + " " + process_command_line_arguments), New_Process_Name), EventCode==4696, Target_Process_Name , true(), coalesce(Process, process, Process_Name))
+EVAL-registry_path = if(EventCode==4657 OR EventCode==4670,Object_Name,registry_path)
+EVAL-registry_value_name = if(EventCode==4657, Object_Value_Name, registry_value_name)
+EVAL-registry_value_type = if(EventCode==4657, New_Value_Type, registry_value_type)
+EVAL-object_attrs = if(EventCode==4717 OR EventCode==4718,Access_Right,if(isnotnull(Group_Name) AND NOT EventCode IN (4727,4730,4731,4734,4735,4737,4754,4755,4758,4764,4799),Group_Name,if(EventCode IN (4698,4700,4701),TaskContent,if(EventCode==4702,TaskNewContent,if(EventCode==4719, "Category="+Category+",Subcategory="+Subcategory+",Subcategory GUID="+Subcategory_GUID+",Changes="+Changes,object_attrs)))))
+EVAL-file_name = if(Object_Type=="File" AND isnotnull(object_file_name),object_file_name,if(isnotnull(Share_Name),Share_Name,file_name))
+EVAL-file_path = if(Object_Type=="File" AND isnotnull(object_file_path),object_file_path,if(isnotnull(Share_Path),Share_Path,file_path))
+
+EVAL-parent_process = case(EventCode==4696,Process_Name,true(),parent_process)
+EVAL-parent_process_id = case(EventCode==4688,Creator_Process_ID,EventCode==4696,Process_ID)
+EVAL-parent_process_name = case(EventCode==4696,replace(Process_Name,"(?:.*\\\)?(.*)","\1"),true(),parent_process_name)
+EVAL-process_path = case(EventCode==4688,New_Process_Name,EventCode==4696,Target_Process_Name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,Process_Name)
+EVAL-parent_process_path = case(EventCode==4688,Creator_Process_Name,EventCode==4696,Process_Name)
+EVAL-process_exec = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(Process_Name,"(?:.*\\\)?(.*)","\1"))
+EVAL-process_name = case(EventCode==4688,new_process_name,EventCode==4696,target_process_name,EventCode==4689 OR EventCode==4674 OR EventCode==4673,replace(Process_Name,"(?:.*\\\)?(.*)","\1"),true(),Process_Name)
+EVAL-process_id = case(EventCode==4696,Target_Process_ID, EventCode==4689 OR EventCode==4673, Process_ID, true(), process_id)
+
+EVAL-user_type= case(EventCode IN (4741, 4742, 4743), "computer")
+
+LOOKUP-service_name_for_endpoint_service =  windows_endpoint_service_service_name_lookup EventCode OUTPUTNEW service,service_name
+LOOKUP-service_type_for_endpoint_service = windows_endpoint_service_service_type_lookup Service_Start_Type OUTPUTNEW start_mode
+LOOKUP-transpot_for_endpoint_pot = windows_endpoint_port_transport_lookup Protocol OUTPUTNEW transport
+LOOKUP-wineventlog-change-object-fields = windows_wineventlog_change_object_fields_lookup EventCode OUTPUTNEW change_type,object_attrs,object_category,result
+
+
+## IAS (Currently WinEventLog Support Only)
+[source::WinEventLog:System:IAS]
+REPORT-0auto_kv_for_windows_system_ias = auto_kv_for_windows_system_ias
+
+EVAL-app = "ias"
+
+
+[source::WinEventLog:ForwardedEvents]
+##### Explanation for SEDCMD Extractions #####
+## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues
+## cleanxmlsrcport: This will replace all values like <Data Name='IpPort'>0<\/Data> to <Data Name='IpPort'><\/Data> in XmlWinEventLog:Security
+## cleanxmlsrcip: This will replace all values like <Data Name='IpAddress'>::1<\/Data> or <Data Name='IpAddress'>127.0.0.1<\/Data> to <Data Name='IpAddress'><\/Data> in XmlWinEventLog:Security
+## clean_rendering_info_block: This will eliminate the entire extra <RenderingInfo> block from all the events that indexes when using WEF before indexing
+
+
+##### SEDCMD Extractions #####
+#SEDCMD-remove_ffff = s/::ffff://g
+#SEDCMD-cleansrcipxml = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
+#SEDCMD-cleansrcportxml=s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
+#SEDCMD-clean_rendering_info_block = s/<RenderingInfo Culture='.*'>(?s)(.*)<\/RenderingInfo>//
+
+
+###### WindowsUpdateLog ######
+[source::...WindowsUpdate.Log]
+sourcetype = WindowsUpdateLog
+
+[WindowsUpdateLog]
+SHOULD_LINEMERGE = false
+EVENT_BREAKER_ENABLE = true
+FIELDALIAS-dest_for_windowsupdatelog = host AS dest
+REPORT-0signature_message_for_windowsupdatelog = signature_message_for_windowsupdatelog
+REPORT-1signature_for_windowsupdatelog = signature_for_windowsupdatelog,signature_for_windowsupdatelog_restartrequired,signature_for_windowsupdatelog_signature_message
+REPORT-signature_id_for_windowsupdatelog = signature_id_for_windowsupdatelog
+REPORT-pid-tid-component_for_windowsupdatelog = pid-tid-component_for_windowsupdatelog
+LOOKUP-status_for_windowsupdatelog = windows_update_status_lookup vendor_status OUTPUTNEW status
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "Windows"
+
+FIELDALIAS-process_id_for_windowsupdatelog  = pid as process_id
+
+# Legacy field aliases to support ES 2.0.2, Winfra
+FIELDALIAS-package_for_windows = signature_id AS package
+FIELDALIAS-package_title_for_windows = signature AS package_title
+
+[WinRegistry]
+
+## Registry Extractions
+
+## registry_path, registry_key_name, registry_value_name
+REPORT-registry_path_parser    = registry_key_for_WinRegistry,registry_key-registry_value_for_WinRegistry
+REPORT-registry_value_data     = registry_value_data_for_WinRegistry
+FIELDALIAS-registry_value_type = data_type AS registry_value_type
+
+## Endpoint Change Extractions
+## Required fields: action,dest,object,object_category,object_path,status,user
+## Optional fields: object_id,object_attrs,user_type,msg,data,severity
+FIELDALIAS-vendor_action_for_WinRegistry = registry_type AS vendor_action
+LOOKUP-action_for_WinRegistry            = endpoint_change_vendor_action_lookup vendor_action OUTPUT action
+FIELDALIAS-dest_for_WinRegistry          = host AS dest
+REPORT-object_for_WinRegistry            = object_as_registry_key_for_WinRegistry,object_as_registry_value_for_WinRegistry
+LOOKUP-object_category_for_WinRegistry   = endpoint_change_object_category_lookup object as sourcetype OUTPUT object_category
+REPORT-vendor_status_msg_for_WinRegistry = vendor_status_msg_for_WinRegistry
+LOOKUP-status_for_WinRegistry            = endpoint_change_status_lookup vendor_status OUTPUT status
+REPORT-user_for_WinRegistry              = user_for_WinRegistry
+LOOKUP-user_type_for_WinRegistry         = endpoint_change_user_type_lookup sourcetype OUTPUT user_type
+FIELDALIAS-src_for_WinRegistry           = host AS src
+
+## Field Mapping for Endpoint Data Model
+## For Registry Dataset
+FIELDALIAS-process_id_for_WinRegistry = pid AS process_id
+EVAL-vendor_product = "Microsoft Windows"
+
+#####################
+## Splunk Perfmon/WMI
+#####################
+
+## Apply the following properties to all WMI events
+[source::WMI...]
+## Override default REPORT-MESSAGE with REPORT-0MESSAGE to force alphanumeric precedence
+REPORT-0MESSAGE = wel-message, wel-eq-kv, wel-col-kv
+REPORT-MESSAGE =
+
+[wmi]
+LINE_BREAKER = ([\r\n]---splunk-wmi-end-of-event---[\r\n]+)
+## Override default TRANSFORMS-FIELDS with TRANSFORMS-0FIELDS to force alphanumeric precedence
+## Override default wmi-host, wmi-source, wmi-sourcetype with the following transforms to strip "WinEventLog"
+TRANSFORMS-0FIELDS = wmi-host, wmi-override-host, wmi-source, wmi-wineventlog-source, wmi-sourcetype, wmi-wineventlog-sourcetype
+TRANSFORMS-FIELDS =
+
+###### ComputerSystem ######
+[WMI:ComputerSystem]
+FIELDALIAS-mem_for_wmi_computersystem = TotalPhysicalMemory AS mem
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+
+[Perfmon:Processor]
+EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
+EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
+FIELDALIAS-cpu_instance = instance AS cpu_instance
+EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:Processor]
+FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent
+EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null())
+FIELDALIAS-cpu_instance = instance AS cpu_instance
+FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[Perfmon:Network_Interface]
+EVAL-bytes = if(counter=="Bytes Total/sec",Value,null())
+EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null())
+EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null())
+EVAL-packets = if(counter=="Packets/sec",Value,null())
+EVAL-packets_in = if(counter=="Packets Received/sec",Value,null())
+EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null())
+EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
+EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:Network_Interface]
+FIELDALIAS-bytes = Bytes_Total/sec as bytes
+FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in
+FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out
+FIELDALIAS-packets = Packets/sec as packets
+FIELDALIAS-packets_in = Packets_Received/sec as packets_in
+FIELDALIAS-packets_out = Packets_Sent/sec as packets_out
+FIELDALIAS-thruput = Bytes_Total/sec as thruput
+FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[Perfmon:DFS_Replicated_Folders]
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[Perfmon:NTDS]
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[Perfmon:DNS]
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[Perfmon:CPU]
+EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
+EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
+FIELDALIAS-cpu_instance = instance AS cpu_instance
+EVAL-cpu_interrupts = if(counter=="Interrupts/sec" AND instance=="_Total",Value,null())
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:CPU]
+FIELDALIAS-cpu_user_percent = %_User_Time AS cpu_user_percent
+EVAL-cpu_interrupts = if(instance=="_Total", 'Interrupts/sec', null())
+FIELDALIAS-cpu_instance = instance AS cpu_instance
+FIELDALIAS-cpu_load_percent = %_Processor_Time AS cpu_load_percent
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+FIELDALIAS-windows_cpu_load_percent = %_Processor_Time AS windows_cpu_load_percent
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[Perfmon:System]
+EVAL-wait_threads_count = if(counter=="Processor Queue Length",Value,null())
+EVAL-system_threads_count = if(counter=="Threads",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:System]
+FIELDALIAS-wait_threads_count = Processor_Queue_Length as wait_threads_count
+FIELDALIAS-system_threads_count = Threads as system_threads_count
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[Perfmon:ProcessorInformation]
+SEDCMD-instance_replace_for_perfmon_processorInformation = y/,/_/
+EVAL-cpu_load_mhz = if(counter=="Processor Frequency" AND instance=="_Total",Value,null())
+EVAL-cpu_load_percent = if(counter=="% Processor Time" AND instance=="_Total",Value,null())
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+## Field Mapping for Endpoint Data Model
+## For Processes Dataset
+EVAL-vendor_product = "Microsoft Windows"
+
+[PerfmonMk:ProcessorInformation]
+EVAL-cpu_load_mhz = if(instance=="_Total", 'Processor_Frequency', null())
+EVAL-cpu_load_percent = if(instance=="_Total", '%_Processor_Time', null())
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+## Field Mapping for Endpoint Data Model
+## For Processes Dataset
+EVAL-vendor_product = "Microsoft Windows"
+
+[WMI:CPUTime]
+REPORT-report_field_extract_wmi_cputime_anomalous = field_extract_wmi_cputime_anomalous
+
+FIELDALIAS-cpu_load_percent = PercentProcessorTime AS cpu_load_percent
+FIELDALIAS-cpu_user_percent = PercentUserTime AS cpu_user_percent
+FIELDALIAS-cpu_instance = Name AS cpu_instance
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Disk ######
+[Perfmon:LogicalDisk]
+EVAL-mount = if(instance=="_Total", null(), instance)
+# Keeping this field in ms
+EVAL-latency = if(counter=="Avg. Disk sec/Transfer",Value*1000,null())
+EVAL-read_latency = if(counter=="Avg. Disk sec/Read",Value,null())
+EVAL-write_latency = if(counter=="Avg. Disk sec/Write",Value,null())
+EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
+EVAL-read_ops = if(counter=="Disk Reads/sec",Value,null())
+EVAL-write_ops = if(counter=="Disk Writes/sec",Value,null())
+EVAL-total_ops = if(counter=="Disk Transfers/sec",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:LogicalDisk]
+EVAL-mount = if(instance=="_Total", null(), instance)
+# Keeping this field in ms
+EVAL-latency = 'Avg._Disk_sec/Transfer' * 1000
+FIELDALIAS-read_latency = Avg._Disk_sec/Read as read_latency
+FIELDALIAS-write_latency = Avg._Disk_sec/Write as write_latency
+FIELDALIAS-storage_free_percent = %_Free_Space as storage_free_percent
+FIELDALIAS-read_ops = Disk_Reads/sec as read_ops
+FIELDALIAS-write_ops = Disk_Writes/sec as write_ops
+FIELDALIAS-total_ops = Disk_Transfers/sec as total_ops
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+FIELDALIAS-storage_free = Free_Megabytes as storage_free
+EVAL-storage=((100*Free_Megabytes)/storage_free_percent)
+EVAL-storage_used=(((100-storage_free_percent)*Free_Megabytes)/storage_free_percent)
+EVAL-storage_used_percent=(100-storage_free_percent)
+
+[Perfmon:PhysicalDisk]
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:PhysicalDisk]
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[WMI:FreeDiskSpace]
+REPORT-report_field_extract_wmi_freediskspace_anomalous = field_extract_wmi_freediskspace_anomalous
+
+FIELDALIAS-mount_for_wmi_freediskspace = Name AS mount
+EVAL-storage = if(isnotnull(FreeMBytes) AND isnotnull(PercentFreeSpace),(FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)),null())
+EVAL-storage_free = if(isnotnull(FreeMegabytes),FreeMegabytes*1048576,null())
+FIELDALIAS-storage_free_percent = PercentFreeSpace AS storage_free_percent
+EVAL-storage_used = if(isnotnull(FreeMegabytes) AND isnotnull(PercentFreeSpace),((FreeMegabytes*1048576)*(1-(PercentFreeSpace/100)))-FreeMegabytes,null())
+EVAL-storage_used_percent = if(isnotnull(PercentFreeSpace),100-PercentFreeSpace,null())
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+
+[WMI:LogicalDisk]
+FIELDALIAS-for_wmi_latency = AvgDisksecPerTransfer AS latency
+FIELDALIAS-for_wmi_read_latency = AvgDisksecPerRead AS read_latency
+FIELDALIAS-for_wmi_write_latency = AvgDisksecPerWrite AS write_latency
+FIELDALIAS-for_wmi_read_ops = DiskReadsPersec AS read_ops
+FIELDALIAS-for_wmi_write_ops = DiskWritesPersec AS write_ops
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+[WMI:LocalPhysicalDisk]
+REPORT-report_field_extract_name = field_extract_wmi_localphysicaldisk_name
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Network ######
+[WMI:LocalNetwork]
+FIELDALIAS-bytestotalpersec_as_thruput = BytesTotalPersec AS thruput
+FIELDALIAS-currentbandwidth_as_thruput_max = CurrentBandwidth AS thruput_max
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Process ######
+[Perfmon:Process]
+EVAL-process_name = if(instance!="_Total" AND instance!="Idle",instance,null())
+EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle" AND counter=="% Processor Time", Value, null())
+EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+## Field Mapping for Endpoint Data Model
+## For Processes Dataset
+EVAL-mem_used = if(instance!="_Total" AND instance!="Idle" AND counter=="Working Set - Private", Value, null())
+EVAL-vendor_product = "Microsoft Windows"
+
+[PerfmonMk:Process]
+EVAL-process_name = if(instance!="_Total" AND instance!="Idle", instance,null())
+EVAL-process_cpu_used_percent = if(instance!="_Total" AND instance!="Idle", '%_Processor_Time', null())
+EVAL-process_mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+## Field Mapping for Endpoint Data Model
+## For Processes Dataset
+FIELDALIAS-process_id_for_perfmon = ID_Process AS process_id
+EVAL-mem_used = if(instance!="_Total" AND instance!="Idle", 'Working_Set_-_Private', null())
+EVAL-vendor_product = "Microsoft Windows"
+
+###### Installed Apps ######
+[Script:InstalledApps]
+SHOULD_LINEMERGE = false
+TRUNCATE = 0
+LINE_BREAKER     = ([\r\n]+)\d{4}\-\d{2}\-\d{2}\s+\d{1,2}:\d{2}:\d{2}.\d{3}
+
+KV_MODE = none
+
+REPORT-AuthorizedCDFPrefix_for_win_installed_apps = AuthorizedCDFPrefix_for_win_installed_apps
+REPORT-Comments_for_win_installed_apps            = Comments_for_win_installed_apps
+REPORT-Contact_for_win_installed_apps             = Contact_for_win_installed_apps
+REPORT-DisplayVersion_for_win_installed_apps      = DisplayVersion_for_win_installed_apps
+REPORT-HelpLink_for_win_installed_apps            = HelpLink_for_win_installed_apps
+REPORT-HelpTelephone_for_win_installed_apps       = HelpTelephone_for_win_installed_apps
+REPORT-InstallDate_for_win_installed_apps         = InstallDate_for_win_installed_apps
+REPORT-InstallLocation_for_win_installed_apps     = InstallLocation_for_win_installed_apps
+REPORT-InstallSource_for_win_installed_apps       = InstallSource_for_win_installed_apps
+REPORT-ModifyPath_for_win_installed_apps          = ModifyPath_for_win_installed_apps
+REPORT-NoModify_for_win_installed_apps            = NoModify_for_win_installed_apps
+REPORT-NoRepair_for_win_installed_apps            = NoRepair_for_win_installed_apps
+REPORT-Publisher_for_win_installed_apps           = Publisher_for_win_installed_apps
+REPORT-Readme_for_win_installed_apps              = Readme_for_win_installed_apps
+REPORT-Size_for_win_installed_apps                = Size_for_win_installed_apps
+REPORT-EstimatedSize_for_win_installed_apps       = EstimatedSize_for_win_installed_apps
+REPORT-UninstallString_for_win_installed_apps     = UninstallString_for_win_installed_apps
+REPORT-URLInfoAbout_for_win_installed_apps        = URLInfoAbout_for_win_installed_apps
+REPORT-URLUpdateInfo_for_win_installed_apps       = URLUpdateInfo_for_win_installed_apps
+REPORT-VersionMajor_for_win_installed_apps        = VersionMajor_for_win_installed_apps
+REPORT-VersionMinor_for_win_installed_apps        = VersionMinor_for_win_installed_apps
+REPORT-WindowsInstaller_for_win_installed_apps    = WindowsInstaller_for_win_installed_apps
+REPORT-Version_for_win_installed_apps             = Version_for_win_installed_apps
+REPORT-Language_for_win_installed_apps            = Language_for_win_installed_apps
+REPORT-DisplayName_for_win_installed_apps         = DisplayName_for_win_installed_apps
+
+###### Installed Updates ######
+[WMI:InstalledUpdates]
+REPORT-00Description_for_installedupdates = Description_for_installedupdates
+FIELDALIAS-signature_id_for_installedupdates = HotFixID AS signature_id
+EVAL-signature = case(isnotnull(Description) AND isnotnull(HotFixID),Description." (".HotFixID.")",isnotnull(Description),Description,isnotnull(HotFixID),HotFixID,1=1,null())
+LOOKUP-status_for_installedupdates = windows_update_status_lookup sourcetype OUTPUTNEW status
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "Windows"
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Listening Ports ######
+[Script:ListeningPorts]
+SHOULD_LINEMERGE = false
+
+KV_MODE = None
+REPORT-0dest_ip_for_listeningports = dest_ip_for_listeningports
+REPORT-1kv_for_listeningports = kv_for_listeningports
+FIELDALIAS-dest_for_listeningports = dest_ip AS dest
+FIELDALIAS-process_id_for_listeningports = pid AS process_id
+
+## Field Mapping for Endpoint Data Model
+## For Ports Dataset
+EVAL-transport_dest_port = transport."/".dest_port
+EVAL-vendor_product = "Microsoft Windows"
+
+###### Local Processes ######
+[WMI:LocalProcesses]
+REPORT-rep_field_extract_wmi_localprocesses_anomalous = field_extract_wmi_localprocesses_anomalous
+
+FIELDALIAS-cpu_load_percent_for_wmi_localprocesses = PercentProcessorTime AS cpu_load_percent
+FIELDALIAS-mem_used_for_wmi_localprocesses = PrivateBytes AS UsedBytes
+FIELDALIAS-process_for_wmi_localprocesses = windows_app AS Name, windows_app AS app, windows_app AS process
+FIELDALIAS-process_id_for_wmi_localprocesses = IDProcess AS process_id
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+## Field Mapping for Endpoint Data Model
+## For Processes Dataset
+EVAL-vendor_product = "Microsoft Windows"
+
+###### Memory ######
+## Used memory unavailable in Perfmon Memory object and WMI Win32_PerfFormattedData_PerfOS_Memory
+## Total memory available in WMI:ComputerSystem
+[Perfmon:Memory]
+EVAL-mem_committed = if(counter=="Committed Bytes",Value,null())
+EVAL-mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
+EVAL-swap_free = if(counter=="Pool Nonpaged Bytes",Value,null())
+EVAL-swap_used = if(counter=="Pool Paged Bytes",Value,null())
+EVAL-mem_page_ops = if(counter=="Pages/sec",Value,null())
+EVAL-mem_page_in = if(counter=="Pages Input/sec",Value,null())
+EVAL-mem_page_out = if(counter=="Pages Output/sec",Value,null())
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+EVAL-windows_mem_free = case(counter=="Available MBytes",Value,counter=="Available Bytes",Value/1048576,1=1,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:Memory]
+FIELDALIAS-mem_committed = Committed_Bytes as mem_committed
+FIELDALIAS-mem_free = Available_MBytes as mem_free
+FIELDALIAS-swap_free = Pool_Nonpaged_Bytes as swap_free
+FIELDALIAS-swap_used = Pool_Paged_Bytes as swap_used
+FIELDALIAS-mem_page_ops = Pages/sec as mem_page_ops
+EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+FIELDALIAS-windows_mem_free = Available_MBytes as windows_mem_free
+
+FIELDALIAS-mem_page_in = Pages_Input/sec as mem_page_in
+FIELDALIAS-mem_page_out = Pages_Output/sec as mem_page_out
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[Perfmon:Network]
+EVAL-bytes = if(counter=="Bytes Total/sec",Value,null())
+EVAL-bytes_in = if(counter=="Bytes Received/sec",Value,null())
+EVAL-bytes_out = if(counter=="Bytes Sent/sec",Value,null())
+EVAL-packets = if(counter=="Packets/sec",Value,null())
+EVAL-packets_in = if(counter=="Packets Received/sec",Value,null())
+EVAL-packets_out = if(counter=="Packets Sent/sec",Value,null())
+EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
+EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+TRANSFORMS-_value_for_perfmon_metrics_store = value_for_perfmon_metrics_store
+TRANSFORMS-metric_name_for_perfmon_metrics_store = metric_name_for_perfmon_metrics_store
+TRANSFORMS-object_for_perfmon_metrics_store = object_for_perfmon_metrics_store
+TRANSFORMS-instance_for_perfmon_metrics_store = instance_for_perfmon_metrics_store
+TRANSFORMS-collection_for_perfmon_metrics_store = collection_for_perfmon_metrics_store
+EVAL-metric_type = "gauge"
+
+[PerfmonMk:Network]
+FIELDALIAS-bytes = Bytes_Total/sec as bytes
+FIELDALIAS-bytes_in = Bytes_Received/sec as bytes_in
+FIELDALIAS-bytes_out = Bytes_Sent/sec as bytes_out
+FIELDALIAS-packets = Packets/sec as packets
+FIELDALIAS-packets_in = Packets_Received/sec as packets_in
+FIELDALIAS-packets_out = Packets_Sent/sec as packets_out
+FIELDALIAS-thruput = Bytes_Total/sec as thruput
+FIELDALIAS-thruput_max = Current_Bandwidth as thruput_max
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+[WMI:Memory]
+REPORT-report_field_extract_wmi_memory_anomalous = field_extract_wmi_memory_anomalous
+
+FIELDALIAS-mem_committed_for_wmi_memory = CommittedBytes AS mem_committed
+FIELDALIAS-swap_free = PoolNonpagedBytes AS swap_free
+FIELDALIAS-swap_used = PoolPagedBytes AS swap_used
+EVAL-swap_percent = (swap_used/(swap_used+swap_free))*100
+FIELDALIAS-mem_page_in = PagesInputPersec AS mem_page_in
+FIELDALIAS-mem_page_out = PagesOutputPersec AS mem_page_out
+FIELDALIAS-mem_page_ops = PagesPersec AS mem_page_ops
+
+
+EVAL-mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+EVAL-windows_mem_free = case(isnotnull(AvailableMBytes),AvailableMBytes,isnotnull(windows_available_bytes),windows_available_bytes/1048576,1=1,null())
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Service ######
+[WMI:Service]
+REPORT-report_field_extract_wmi_service_state_anomalous = field_extract_wmi_service_state_anomalous
+REPORT-report_field_extract_wmi_service_state_full = field_extract_wmi_service_caption_description_pathname
+
+FIELDALIAS-file_path_for_wmi_service = service_path AS file_path
+FIELDALIAS-service_for_wmi_service = Name AS app,Name AS service
+FIELDALIAS-start_mode_for_wmi_service = StartMode AS start_mode
+FIELDALIAS-status_for_wmi_service = State AS status
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+## Field Mapping for Endpoint Data Model
+## For Services Dataset
+REPORT-report_field_extract_wmi_service_path_and_exec_name = field_extract_wmi_service_path, field_extract_wmi_service_exec
+FIELDALIAS-description_for_wmi = Description AS description
+FIELDALIAS-process_id_for_wmi = IDProcess AS process_id
+FIELDALIAS-service_name_for_wmi = Name AS service, Name AS service_name
+EVAL-vendor_product = "Microsoft Windows"
+
+###### Time Configuration ######
+[Script:TimesyncConfiguration]
+DATETIME_CONFIG = CURRENT
+LINE_BREAKER    = ([\r\n]+)Current time:
+
+KV_MODE = None
+
+REPORT-Current_time_for_win_timesync_configuration          = Current_time_for_win_timesync
+REPORT-EventLogFlags_for_win_timesync_configuration         = EventLogFlags_for_win_timesync_configuration
+REPORT-AnnounceFlags_for_win_timesync_configuration         = AnnounceFlags_for_win_timesync_configuration
+REPORT-TimeJumpAuditOffset_for_win_timesync_configuration   = TimeJumpAuditOffset_for_win_timesync_configuration
+REPORT-MinPollInterval_for_win_timesync_configuration       = MinPollInterval_for_win_timesync_configuration
+REPORT-MaxPollInterval_for_win_timesync_configuration       = MaxPollInterval_for_win_timesync_configuration
+REPORT-MaxNegPhaseCorrection_for_win_timesync_configuration = MaxNegPhaseCorrection_for_win_timesync_configuration
+REPORT-MaxPosPhaseCorrection_for_win_timesync_configuration = MaxPosPhaseCorrection_for_win_timesync_configuration
+REPORT-MaxAllowedPhaseOffset_for_win_timesync_configuration = MaxAllowedPhaseOffset_for_win_timesync_configuration
+REPORT-FrequencyCorrectRate_for_win_timesync_configuration  = FrequencyCorrectRate_for_win_timesync_configuration
+REPORT-PollAdjustFactor_for_win_timesync_configuration      = PollAdjustFactor_for_win_timesync_configuration
+REPORT-LargePhaseOffset_for_win_timesync_configuration      = LargePhaseOffset_for_win_timesync_configuration
+REPORT-SpikeWatchPeriod_for_win_timesync_configuration      = SpikeWatchPeriod_for_win_timesync_configuration
+REPORT-LocalClockDispersion_for_win_timesync_configuration  = LocalClockDispersion_for_win_timesync_configuration
+REPORT-HoldPeriod_for_win_timesync_configuration            = HoldPeriod_for_win_timesync_configuration
+REPORT-PhaseCorrectRate_for_win_timesync_configuration      = PhaseCorrectRate_for_win_timesync_configuration
+REPORT-UpdateInterval_for_win_timesync_configuration        = UpdateInterval_for_win_timesync_configuration
+REPORT-FileLogName_for_win_timesync_configuration           = FileLogName_for_win_timesync_configuration
+REPORT-FileLogEntries_for_win_timesync_configuration        = FileLogEntries_for_win_timesync_configuration
+REPORT-FileLogSize_for_win_timesync_configuration           = FileLogSize_for_win_timesync_configuration
+REPORT-FileLogFlags_for_win_timesync_configuration          = FileLogFlags_for_win_timesync_configuration
+REPORT-Time_zone_for_win_timesync_configuration             = Time_zone_for_win_timesync
+
+###### Time Synchronization ######
+[Script:TimesyncStatus]
+DATETIME_CONFIG = CURRENT
+LINE_BREAKER    = ([\r\n]+)Current time:
+
+KV_MODE = None
+
+REPORT-Current_time_for_win_timesync_status      = Current_time_for_win_timesync
+REPORT-Leap_Indicator_for_win_timesync_status    = Leap_Indicator_for_win_timesync_status
+REPORT-Stratum_for_win_timesync_status           = Stratum_for_win_timesync_status
+REPORT-Precision_for_win_timesync_status         = Precision_for_win_timesync_status
+REPORT-Root_Delay_for_win_timesync_status        = Root_Delay_for_win_timesync_status
+REPORT-Root_Dispersion_for_win_timesync_status   = Root_Dispersion_for_win_timesync_status
+REPORT-ReferenceId_for_win_timesync_status       = ReferenceId_for_win_timesync_status
+REPORT-Last_Successful_Sync_Time_for_win_timesync_status = Last_Successful_Sync_Time_for_win_timesync_status
+REPORT-Source_for_win_timesync_status            = Source_for_win_timesync_status
+REPORT-Poll_Interval_for_win_timesync_status     = Poll_Interval_for_win_timesync_status
+REPORT-Phase_Offset_for_win_timesync_status      = Phase_Offset_for_win_timesync_status
+REPORT-ClockRate_for_win_timesync_status         = ClockRate_for_win_timesync_status
+REPORT-State_Machine_for_win_timesync_status     = State_Machine_for_win_timesync_status
+REPORT-Time_Source_Flags_for_win_timesync_status = Time_Source_Flags_for_win_timesync_status
+REPORT-Server_Role_for_win_timesync_status       = Server_Role_for_win_timesync_status
+REPORT-Last_Sync_Error_for_win_timesync_status   = Last_Sync_Error_for_win_timesync_status
+REPORT-Time_since_Last_Good_Sync_Time_for_win_timesync_status = Time_since_Last_Good_Sync_Time_for_win_timesync_status
+REPORT-Time_zone_for_win_timesync_status         = Time_zone_for_win_timesync
+
+LOOKUP-action_for_win_timesync_status            = windows_timesync_action_lookup Last_Sync_Error OUTPUT windows_action, windows_action AS action
+EVAL-last_sync_time = coalesce(strptime(Last_Successful_Sync_Time, "%m/%d/%Y %H:%M:%S %p"),strptime(Last_Successful_Sync_Time, "%m/%d/%Y %H:%M:%S"),strptime(Last_Successful_Sync_Time, "%d-%m-%Y %H:%M:%S"))
+
+FIELDALIAS-dest = host as dest
+EVAL-resource_type = "system"
+
+###### Uptime ######
+[WMI:Uptime]
+REPORT-report_field_extract_wmi_uptime_anomalous = field_extract_wmi_uptime_anomalous
+
+FIELDALIAS-uptime_for_wmi_uptime = SystemUpTime AS uptime
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+TRANSFORMS-_value_for_wmi_uptime_metrics_store = value_for_wmi_uptime_metrics_store
+TRANSFORMS-metric_name_for_wmi_uptime_metrics_store = metric_name_for_wmi_uptime_metrics_store
+EVAL-metric_type = "gauge"
+
+###### User Accounts ######
+[WMI:UserAccounts]
+REPORT-report_field_extract_description = field_extract_wmi_useraccounts_caption_description_name
+FIELDALIAS-dest_nt_domain_for_wmi_useraccounts = Domain AS dest_nt_domain
+FIELDALIAS-status_for_wmi_useraccounts = Status AS status
+FIELDALIAS-user_for_wmi_useraccounts = Name AS user
+FIELDALIAS-user_id_for_wmi_useraccounts = SID AS user_id
+LOOKUP-action_for_wmi_user_account_status = wmi_user_account_status_lookup status OUTPUTNEW enabled
+FIELDALIAS-description_for_wmi_user_account_status = Description AS description
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Version ######
+[WMI:Version]
+REPORT-0Caption_for_wmi_version = Caption_for_wmi_version
+LOOKUP-range_for_wmi_version = wmi_version_range_lookup sourcetype OUTPUTNEW range
+FIELDALIAS-os_name_for_wmi_version = Caption AS os_name,Caption AS family
+FIELDALIAS-os_version_for_wmi_version = Version AS kernel_release,Version AS os_release,Version AS version
+EVAL-os = if(isnotnull(Caption) AND isnotnull(Version),Caption." ".Version,null())
+FIELDALIAS-description = Caption as description
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Scheduled Jobs ######
+[WMI:ScheduledJobs]
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-src_for_wmi = host AS src
+
+###### Host Inventory ######
+[WinHostMon]
+EVAL-mem_free_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), FreePhysicalMemoryKB/TotalPhysicalMemoryKB * 100)), null())
+EVAL-mem_used = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/1024)), null())
+EVAL-mem_used_percent = if(Type=="OperatingSystem", if(isNull(TotalPhysicalMemoryKB), null(), if(isNull(FreePhysicalMemoryKB), null(), (TotalPhysicalMemoryKB - FreePhysicalMemoryKB)/TotalPhysicalMemoryKB * 100)), null())
+EVAL-os = if(Type=="OperatingSystem", OS, null())
+EVAL-family = if(Type=="Processor", Architecture, null())
+EVAL-version = if(Type=="OperatingSystem", Version, null())
+EVAL-cpu_cores = if(Type=="Processor", NumberOfCores, null())
+EVAL-cpu_count = if(Type=="Processor", NumberOfProcessors, null())
+EVAL-cpu_mhz = if(Type=="Processor", ClockSpeedMHz, null())
+EVAL-mem = if(Type=="OperatingSystem", TotalPhysicalMemoryKB/1024, null())
+EVAL-vendor_product = if(Type=="OperatingSystem", OS, null())
+EVAL-mount = if (Type=="Disk", Name, null())
+EVAL-storage = if (Type=="Disk", TotalSpaceKB/1024, null())
+EVAL-storage_free = if (Type=="Disk", FreeSpaceKB/1024, null())
+EVAL-storage_used = if (Type=="Disk", (TotalSpaceKB-FreeSpaceKB)/1024, null())
+EVAL-storage_free_percent = if (Type=="Disk", (FreeSpaceKB*100)/TotalSpaceKB, null())
+EVAL-storage_used_percent = if (Type=="Disk", ((TotalSpaceKB-FreeSpaceKB)*100)/TotalSpaceKB, null())
+EVAL-status = case(Type=="OperatingSystem", Status, Type=="Service", State, 1=1, null())
+EVAL-serial = if(Type=="OperatingSystem", SerialNumber, null())
+EVAL-description = if(Type=="Processor", Name, null())
+EVAL-mem_free = if(Type=="OperatingSystem",if(isNull(FreePhysicalMemoryKB), null(), (FreePhysicalMemoryKB)/1024), null())
+EVAL-cpu_architecture = if(Type=="Processor", Architecture, null())
+REPORT-System_Type_for_WinHostMon_computer = System_Type_for_WinHostMon_computer
+REPORT-Processor_Id_for_WinHostMon_processor = Processor_Id_for_WinHostMon_processor
+REPORT-Path_for_WinHostMon_service = Path_for_WinHostMon_service
+
+FIELDALIAS-dest_for_winhostmon = host as dest
+EXTRACT-process_for_winhostmon = Type=Process.*?Name="(?<process>[^"}}\{\{]+)"
+EXTRACT-service_for_winhostmon = DisplayName="(?<service>[^"}}\{\{]+)"
+EVAL-start_mode = lower(StartMode)
+
+## Field Mapping for Endpoint Data Model
+## For Services Dataset
+REPORT-service_exec_for_WinHostMon_service_path_and_exec_name = service_exec_for_WinHostMon_service_path, service_exec_for_WinHostMon_service_exec
+FIELDALIAS-process_id_for_winhostmon = ProcessId AS process_id
+EXTRACT-service_name_for_winhostmon = DisplayName="(?<service_name>[^"}}\{\{]+)"
+
+####WMI:WinEventLog####
+##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...],[source::*:System]
+[WMI:WinEventLog:System]
+LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
+FIELDALIAS-category_for_windows = TaskCategory as category
+FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
+FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
+LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
+LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
+FIELDALIAS-severity_id_for_windows = EventType AS severity_id
+FIELDALIAS-id_for_windows = RecordNumber AS id
+REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
+
+## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
+LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
+
+## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
+EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
+
+FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
+
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+
+REPORT-bestmatch_for_windows_system = ComputerName_as_dest
+REPORT-0signature_message_for_windows_system_update = signature_message_for_windows_system_update
+REPORT-signature_for_windows_system_update = signature_for_windows_system_timesync,signature_for_windows_system_update,signature_for_windows_system_update2
+REPORT-signature_id_for_windows_system_update = signature_id_for_windowsupdatelog
+LOOKUP-status_for_windows_system_update = windows_update_status_lookup EventCode OUTPUTNEW status
+REPORT-user_for_windows_system = user_for_windows_system_ias,User_as_user
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "Windows"
+
+FIELDALIAS-body_for_windows_system = signature_message AS body, Message AS body
+
+# Legacy field aliases to support ES 2.0.2, Winfra
+FIELDALIAS-package_for_windows = signature_id AS package
+FIELDALIAS-package_title_for_windows = signature AS package_title
+
+## Field Mapping for Endpoint Data Model
+## For Filesystem Dataset
+FIELDALIAS-process_id_for_wmi = IDProcess AS process_id
+EVAL-vendor_product = "Microsoft Windows"
+
+##### Explanation for SEDCMD Extractions #####
+## clean_info_text_from_winsystem_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing
+
+
+##### SEDCMD Extractions #####
+#SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This [Ee]vent is generated[\S\s\r\n]+$//g
+
+##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...],[source::*:Security]
+[WMI:WinEventLog:Security]
+LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result,CategoryString as ta_windows_security_CategoryString
+FIELDALIAS-category_for_windows = TaskCategory as category
+FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
+FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
+LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
+LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
+FIELDALIAS-severity_id_for_windows = EventType AS severity_id
+FIELDALIAS-id_for_windows = RecordNumber AS id
+REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
+EXTRACT-group_change_groupname = (?ms)EventCode=4756(?:\n|\r).*Group:(?:\n|\r).*Account Name:\s*(?<Group_Name>.*)(?:\n|\r).*Account Domain:\s*(?<Group_Domain>[^\n\r]+)
+
+## Attempt to map EventCodes that have sub statii ( i.e. EventCode=4625 + SubStatus=0xC0000064 = "User name does not exist" )
+LOOKUP-signature_for_windows = windows_signature_lookup2 signature_id,Sub_Status OUTPUTNEW signature,signature AS name, signature as subject
+
+## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
+LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
+
+## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
+EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
+
+FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
+
+FIELDALIAS-dest_for_wmi = host AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+
+## action, status
+## Override action to allow audit log changes to correspond to Change Analysis data model
+LOOKUP-action_for_windows0_security = windows_audit_changes_lookup EventCode OUTPUTNEW  action,change_type,object_category
+LOOKUP-action_for_windows1_security = windows_action_lookup Type OUTPUTNEW action, action AS status
+LOOKUP-action_for_windows2_security = windows_action_lookup Type AS Keywords OUTPUTNEW action, action AS status
+
+## privilege
+REPORT-0vendor_privilege_for_windows_security = vendor_privilege_sv_for_windows_security,vendor_privilege_mv_for_windows_security
+REPORT-privilege_id_for_windows_security = privilege_id_for_windows_security
+LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege
+
+FIELDALIAS-src_port_for_windows_security = Source_Port AS src_port
+REPORT-Token_Elevation_Type_id_for_windows_security = Token_Elevation_Type_id_for_windows_security
+
+EVAL-vendor = "Microsoft"
+EVAL-product = "Windows"
+
+FIELDALIAS-body_for_windows_security = Message AS body
+FIELDALIAS-Status_as_ta_windows_status =Status AS ta_windows_status
+EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
+
+## Set the app field to "win:remote" or "win:local" based on EventCode, Source_Network_Address, Target_Server_Name or Logon_Type
+LOOKUP-app0_for_windows_security = windows_app_lookup EventCode OUTPUTNEW app
+LOOKUP-app1_for_windows_security = windows_app_lookup Source_Network_Address OUTPUTNEW app
+LOOKUP-app2_for_windows_security = windows_app_lookup Target_Server_Name OUTPUTNEW app
+LOOKUP-app3_for_windows_security = windows_app_lookup Logon_Type OUTPUTNEW app
+LOOKUP-app4_for_windows_security = windows_app_lookup source OUTPUTNEW app
+
+## Set the following fields based on order of operations
+REPORT-session_id_for_windows_security = Logon_ID_as_session_id,Client_Logon_ID_as_session_id,Caller_Logon_ID_as_session_id
+REPORT-dest_for_windows_security = Target_Server_Name_as_dest,ComputerName_as_dest
+REPORT-dest_nt_domain_for_windows_security = Target_Domain_as_dest_nt_domain,Primary_Domain_as_dest_nt_domain,Group_Domain_as_dest_nt_domain,Account_Domain_as_dest_nt_domain,New_Domain_as_dest_nt_domain,Domain_as_dest_nt_domain,User_ID_as_dest_nt_domain,Security_ID_as_dest_nt_domain,Supplied_Realm_Name_as_dest_nt_domain,Target_Account_ID_as_dest_nt_domain
+REPORT-dest_nt_host_for_windows_security = Target_Server_Name_as_dest_nt_host,ComputerName_as_dest_nt_host
+REPORT-src_for_windows_security = Source_Workstation_as_src,Workstation_Name_as_src,Caller_Machine_Name_as_src,Client_Machine_Name_as_src,Source_Network_Address_as_src,Client_Address_as_src
+REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip
+REPORT-src_nt_domain_for_windows_security = Caller_Domain_as_src_nt_domain,Client_Domain_as_src_nt_domain,Account_Domain_as_src_nt_domain,Security_ID_as_src_nt_domain
+REPORT-src_nt_host_for_windows_security = Source_Workstation_as_src_nt_host,Workstation_Name_as_src_nt_host,Caller_Machine_Name_as_src_nt_host,Client_Machine_Name_as_src_nt_host,Caller_Computer_Name_as_src_nt_host
+REPORT-src_user_for_windows_security = Caller_User_Name_as_src_user,Client_User_Name_as_src_user,Account_Name_as_src_user,User_Name_as_src_user
+REPORT-user_for_windows_security = Logon_Account_as_user,Logon_account_as_user,Target_User_Name_as_user,Primary_User_Name_as_user,Target_Account_Name_as_user,New_Account_Name_as_user,Account_Name_as_user,User_Name_as_user,User_as_user,Security_ID_as_user
+EVAL-user_group = coalesce(Group_Name,New_Account_Name,Target_Account_Name)
+REPORT-member_id_for_windows_security = Member_ID_as_member_id,Security_ID_as_member_id
+REPORT-member_dn_for_windows_security = Member_Name_as_member_dn,Account_Name_as_member_dn
+REPORT-member_nt_domain_for_windows_security = Member_ID_as_member_nt_domain,Security_ID_as_member_nt_domain
+REPORT-msad_actions_for_windows_security = msad_action_from_Group_Type_Change,msad_action_from_Change_Type,msad_action_from_Description1,msad_action_from_Description2,msad_action_from_Description3,msad_action_from_raw1,msad_action_from_raw2,msad_action_from_raw3,msad_action_from_raw4
+REPORT-msad_attribute_changes_for_windows_security = msad_attribute_changes_from_raw1,msad_attribute_changes_from_raw2,msad_attribute_changes_from_raw3,msad_attribute_changes_from_raw4,msad_attribute_changes_from_raw5,msad_attribute_changes_from_raw6
+LOOKUP-msadgroupclass = MSADGroupType MSADGroupClassID OUTPUTNEW MSADGroupClass
+EVAL-dest_nt_domain = nullif(dest_nt_domain,"-")
+
+## Field Mapping for Endpoint Data Model
+## For Ports, Services and Processes Datasets
+FIELDALIAS-dest_port_for_windows_security = Port AS dest_port
+FIELDALIAS-service_id_for_windows_security = Service_ID AS service_id
+FIELDALIAS-service_for_windows_security = Service_Name AS service, Service_Name AS service_name
+FIELDALIAS-process_name_for_windows_security = Process_Name AS process_name
+FIELDALIAS-user_id_for_windows_security = User_ID AS user_id
+EVAL-process_id = coalesce('IDProcess','Process_ID')
+EVAL-vendor_product = "Microsoft Windows"
+
+##### Explanation for SEDCMD Extractions #####
+## windows_security_event_formater: This will replace all values like "Account Name:-" to "Account Name:"
+## windows_security_event_formater_null_sid_id: This will replace all values like "Security ID:NULL SID" to "Security ID:" and all values like "Logon ID:0x0" to "Logon ID:"
+## cleansrcip: This will replace all values like "Source Network Address: ::1" or "Source Network Address:127.0.0.1" to "Source Network Address:"
+## cleansrcport: This will replace all values like "Source Port:0" to "Source Port:"
+## remove_ffff: This will replace all values like "Client Address: ::ffff:10.x.x.x" to "Client Address:10.x.x.x" which Addresses most of the Ipv6 log event issues
+## clean_info_text_from_winsecurity_events_certificate_information: This will delete all the infomation text at the end of event starting from "Certificate information is..." before indexing
+## clean_info_text_from_winsecurity_events_token_elevation_type: This will delete all the infomation text at the end of event starting from "Token Elevation Type indicates..." before indexing
+## clean_info_text_from_winsecurity_events_this_event: This will delete all the infomation text at the end of event starting from "This event is generated..." before indexing
+
+
+##### SEDCMD Extractions #####
+#SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
+#SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
+#SEDCMD-cleansrcip = s/(Source Network Address:	(\:\:1|127\.0\.0\.1))/Source Network Address:/
+#SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
+#SEDCMD-remove_ffff = s/::ffff://g
+#SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
+#SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
+#SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
+
+##Below fields extractions have been moved from [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...],[source::WMI...]
+[WMI:WinEventLog:Application]
+LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
+FIELDALIAS-category_for_windows = TaskCategory as category
+FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
+FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
+LOOKUP-0severity_for_windows = windows_severity_lookup EventCode OUTPUTNEW severity
+LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
+FIELDALIAS-severity_id_for_windows = EventType AS severity_id
+FIELDALIAS-id_for_windows = RecordNumber AS id
+REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
+
+
+## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
+LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
+
+## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
+EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
+
+FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
+
+FIELDALIAS-dest_for_wmi = ComputerName AS dest
+FIELDALIAS-pid_for_wmi = IDProcess AS pid
+
+## Field Mapping for Endpoint Data Model
+## For Filesystem Dataset
+FIELDALIAS-process_id_for_wmi = IDProcess AS process_id
+FIELDALIAS-user_for_wmi = User AS user
+EVAL-vendor_product = "Microsoft Windows"
+
+###### Backward Compatibility ######
+
+## Perfmon Disk Space
+# "Perfmon:FreeDiskSpace" sourcetype is created from perfmon.conf.
+# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
+# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0.
+[Perfmon:FreeDiskSpace]
+FIELDALIAS-mount_for_perfmon_freediskspace = instance AS mount
+EVAL-storage_free = if(counter=="Free Megabytes",Value*1048576,null())
+EVAL-storage_used_percent = if(counter=="% Free Space",100-Value,null())
+EVAL-storage_free_percent = if(counter=="% Free Space",Value,null())
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+EVAL-windows_storage_free_percent = if(counter=="% Free Space",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+## Perfmon CPUTime
+# "Perfmon:CPUTime" sourcetype is created from perfmon.conf.
+# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
+# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less 4.8.0.
+[Perfmon:CPUTime]
+EVAL-cpu_load_mhz = if(counter=="Processor Frequency",Value,null())
+EVAL-cpu_load_percent = if(counter=="% Processor Time",Value,null())
+EVAL-cpu_user_percent = if(counter=="% User Time",Value,null())
+EVAL-cpu_interrupts = if(counter=="Interrupts/sec",Value,null())
+
+## Creation of redundant EVAL to avoid tag expansion issue ADDON-10972
+EVAL-windows_cpu_load_percent = if(counter=="% Processor Time",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+
+## Perfmon LocalNetwork
+# "Perfmon:LocalNetwork" sourcetype is created from perfmon.conf.
+# The perfmon.conf file was removed from add-on version 4.8.0 and so its events won't be generated.
+# The below stanza is provided for backward compatibility of field extractions for already indexed data from add-on version less than 4.8.0.
+[Perfmon:LocalNetwork]
+EVAL-thruput = if(counter=="Bytes Total/sec",Value,null())
+EVAL-thruput_max = if(counter=="Current Bandwidth",Value,null())
+
+FIELDALIAS-dest_for_perfmon = host AS dest
+FIELDALIAS-src_for_perfmon = host AS src
+
+
+## To provide backward compatibility for WinEventLog and XmlWinEventLog data
+## These will be deprecated in future
+[WinEventLog:Security]
+rename = wineventlog
+
+[WinEventLog:Application]
+rename = wineventlog
+
+[WinEventLog:System]
+rename = wineventlog
+
+[WinEventLog:System:IAS]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-AppLocker/MSI and Script]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-DNS-Client/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational]
+rename = wineventlog
+
+[WinEventLog:Setup]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-Application-Experience/Program-Inventory]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-CAPI2/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-CodeIntegrity/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-Defender/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-LSA/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-NetworkProfile/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-WLAN-Autoconfig/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-Kernel-PnP/Device Configuration]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-PowerShell/Operational]
+rename = wineventlog
+
+[WinEventLog:Windows PowerShell]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-PrintService/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-WinRM/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-SmartCard-Audit/Authentication]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-SMBClient/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-TaskScheduler/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Admin]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational]
+rename = wineventlog
+
+[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
+rename = wineventlog
+
+[XmlWinEventLog:Security]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Application]
+rename = xmlwineventlog
+
+[XmlWinEventLog:System]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-AppLocker/MSI and Script]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-DNS-Client/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-DriverFrameworks-UserMode/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Setup]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-Application-Experience/Program-Inventory]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-CAPI2/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-CodeIntegrity/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-Defender/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-LSA/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-NetworkProfile/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-WLAN-Autoconfig/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-Kernel-PnP/Device Configuration]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-PowerShell/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Windows PowerShell]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-PrintService/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-WinRM/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-SmartCard-Audit/Authentication]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-SMBClient/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Admin]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational]
+rename = xmlwineventlog
+
+[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
+rename = xmlwineventlog
+
+
+###### Rename stanzas for TA-AD WinEventLog sourcetypes ######
+[WinEventLog:DFS-Replication]
+rename = wineventlog
+
+[WinEventLog:Directory-Service]
+rename = wineventlog
+
+[WinEventLog:File-Replication-Service]
+rename = wineventlog
+
+[WinEventLog:Key-Management-Service]
+rename = wineventlog
+
+
+###### Rename stanzas for TA-DNS WinEventLog sourcetypes ######
+[WinEventLog:DNS-Server]
+rename = wineventlog
+
+
+## Below two stanzas have been kept for backward compatibility for already indexed events before Splunk Addon For Microsoft Windows 5.0.0.
+## Stanzas are exactly similar to [WinEventLog] and [XmlWinEventLog] respectively.
+## These will be deprecated in future
+[wineventlog]
+LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
+FIELDALIAS-category_for_windows = TaskCategory as category
+FIELDALIAS-dvc_for_windows = host AS dvc_nt_host, ComputerName as dvc
+FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
+LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
+FIELDALIAS-severity_id_for_windows = EventType AS severity_id
+FIELDALIAS-id_for_windows = RecordNumber AS id
+REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
+
+## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
+LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
+
+## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
+EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
+
+FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
+
+## Field Mapping for Endpoint Data Model
+## For Services, Processes and Filesystem Datasets
+FIELDALIAS-service_id_for_windows = Service_ID AS service_id
+FIELDALIAS-service_for_windows = Service_Name AS service, Service_Name AS service_name
+FIELDALIAS-process_for_windows = Process AS process
+FIELDALIAS-process_name_for_windows = Process_Name AS process_name
+FIELDALIAS-user_id_for_windows = User_ID AS user_id
+EVAL-vendor_product = "Microsoft Windows"
+
+[xmlwineventlog]
+KV_MODE = none
+REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
+REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
+
+REPORT-RecordNumber_from_xml = EventRecordID_as_RecordNumber
+REPORT-EventCode_from_xml = EventID_as_EventCode,EventID2_as_EventCode
+REPORT-Sub_Status_from_xml = SubStatus_as_Sub_Status
+
+LOOKUP-CategoryString_for_windows = windows_signature_lookup signature_id OUTPUTNEW CategoryString,action,result
+FIELDALIAS-category_for_windows = TaskCategory as category
+FIELDALIAS-dvc_for_windows = host AS dvc_nt_host,Computer AS dvc
+FIELDALIAS-event_id_for_windows = RecordNumber AS event_id
+LOOKUP-1severity_for_windows = windows_severity_lookup Type OUTPUTNEW severity
+FIELDALIAS-severity_id_for_windows = EventType AS severity_id
+FIELDALIAS-id_for_windows = RecordNumber AS id
+REPORT-file_path-file_name_for_windows = file_path-file_name_for_windows
+
+## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
+LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
+
+## Since FIELDALIAS is destructive we need to preserve signature_id for certain SourceName values
+EVAL-signature_id = if(SourceName="Microsoft-Windows-WindowsUpdateClient",signature_id,EventCode)
+
+FIELDALIAS-user_group_id_for_windows = Primary_Group_ID AS user_group_id
+
+## Field Mapping for Endpoint Data Model
+## For Services, Processes and Filesystem Datasets
+FIELDALIAS-service_for_windows = ServiceName AS service, ServiceName AS service_name
+FIELDALIAS-service_id_for_windows = ServiceSid AS service_id
+FIELDALIAS-process_name_for_windows = ProcessName AS process_name
+FIELDALIAS-user_id_for_windows = UserID  AS user_id
+EVAL-vendor_product = "Microsoft Windows"
+
+## Scripted input for collecting local ip config
+[Script:NetworkConfiguration]
+SHOULD_LINEMERGE = false
+LINE_BREAKER = ([\r\n]+)(Configuration for interface )
+KV_MODE = none
+TRUNCATE = 0
+
+EXTRACT-netshaddressif=Configuration for interface \"(?<if>[^\"]+)
+EXTRACT-netshaddressdhcp=DHCP enabled\:\s+(?<dhcp>(Yes|No))
+EXTRACT-netshaddressip=IP Address\:\s+(?<ip>[\d\.]+)
+EXTRACT-netshaddresscidr=Subnet Prefix\:\s+(?<cidr>[^\s]+)
+EXTRACT-netshaddressmask=mask (?<mask>[^\)]+)
+EXTRACT-netshaddressgw=Gateway\:\s+(?<gw>[\d\.]+)
+EXTRACT-netshaddressmetric=InterfaceMetric\:\s+(?<metric>\d+)
+
+
+###### Extractions moved from TA-AD ######
+[MSAD:NT6:Health]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+
+[MSAD:NT6:SiteInfo]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+REPORT-extractions = MSAD-SiteInfo-AdjacentSites, MSAD-SiteInfo-Sites, MSAD-SiteInfo-SiteLinks, MSAD-SiteInfo-Subnets
+
+[MSAD:NT6:Replication]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+
+[MSAD:NT6:Netlogon]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+LINE_BREAKER = ([\r\n]+(?=\d{2}\/\d{2} \d{2}:\d{2}:\d{2} \[))
+EXTRACT-subnetaffinity = \s(?<src_domain>[^:]+): (?<msad_affinity>NO_CLIENT_SITE): (?<src_host>[^\s]+) (?<src_ip>[0-9A-Fa-f:\.]+)
+
+[MSAD:SubnetAffinity]
+EXTRACT-subnetaffinity = (?<src_nt_domain>\w+): NO_CLIENT_SITE: (?<src_host>\w+) (?<src_ip>[0-9\.]+)
+
+
+###### Extractions moved from TA-DNS ######
+[MSAD:NT6:DNS-Zone-Information]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+
+[MSAD:NT6:DNS-Health]
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+TRUNCATE = 0
+REPORT-mvcheck = DNSHealth_ServerAddress_MV, DNSHealth_ListenAddress_MV, DNSHealth_Forwarder_MV, DNSHealth_LogIPFilterList_MV
+
+[MSAD:NT6:DNS]
+KV_MODE = none
+LINE_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
+# Load balancing on UF
+EVENT_BREAKER_ENABLE = true
+EVENT_BREAKER = ([\r\n]+)(\d{1,2}.\d{1,2}.\d{4} \d{1,2}:\d{1,2}:\d{1,2} \w{2})
+SHOULD_LINEMERGE = false
+CHECK_FOR_HEADER = false
+EXTRACT-singleLine = (?<threadid>[0-9A-Fa-f]+)\s+(?<context>PACKET)\s+(?<packetid>[0-9A-Fa-f]*) (?<protocol>UDP|TCP) (?<direction>\w+) (?<src_ip>[0-9A-Fa-f\.\:]+)\s+(?<xid>[0-9A-Fa-f]+)\s+(?<operation>[ R]) (?<opcode>.) \[(?<hexflags>[0-9A-Fa-f]+) (?<flags>....) (?<response>[^\]]+)\]\s+(?:QTYPE\s+)?(?<questiontype>\w+)\s+(?:QCLASS\s+\d+\s+)?(:?\(\d+\))?(?<questionname>[^\n]*)\(0\)
+EXTRACT-answer = (ANSWER\s+SECTION|UPDATE\s+SECTION):(?<ANSWER_OR_UPDATE_SECTION>.*?)(AUTHORITY\s+SECTION|ADDITIONAL\s+SECTION)
+EVAL-query = replace(questionname,"(?:\(\d+\))",".")
+FIELDALIAS-record_type = questiontype AS record_type
+FIELDALIAS-query = questionname AS query
+FIELDALIAS-src = src_ip AS src
+FIELDALIAS-dest = host AS dest
+FIELDALIAS-transaction_id = packetid AS transaction_id
+FIELDALIAS-transport = protocol AS transport
+FIELDALIAS-vendor_query_type = opcode AS vendor_query_type
+EVAL-message_type = if(operation=="R","Response", "Query")
+EVAL-name = if(operation=="R","R","")+opcode+"_"+response+"_"+questiontype
+EVAL-answer = mvmap(answer, replace(replace(answer,"\(\d+\)","."),"\\[\\w+\\]",""))
+EVAL-vendor_product = "Microsoft Windows"
+REPORT-Multi_answer = Answer_multi_value
+REPORT-KV_for_microsoft_dns_web = KV_for_port,KV_for_Domain,KV_for_microsoftdns_action,KV_for_Record_type,KV_for_Record_Class,KV_for_Answer_Section_Count,KV_for_Update_Section_Count
+LOOKUP-windows_dns_query_type_lookup = windows_dns_query_type_lookup opcode OUTPUT query_type
+LOOKUP-windows_dns_action_lookup = windows_dns_action_lookup message_type,vendor_dns_action OUTPUT action,reply_code,reply_code_id
+LOOKUP-dns_recordclass_lookup = dns_recordclass_lookup record_class_number OUTPUT record_class
diff --git a/deployment-apps/Splunk_TA_windows/default/tags.conf b/deployment-apps/Splunk_TA_windows/default/tags.conf
new file mode 100644
index 00000000..3eefe0a7
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/default/tags.conf
@@ -0,0 +1,674 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+## DO NOT EDIT THIS FILE!
+## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
+## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
+## into ../local and edit there.
+
+###### Global Windows Eventtype ######
+
+[eventtype=windows_event_signature]
+track_event_signatures = enabled
+
+[eventtype=wineventlog_windows]
+os = enabled
+windows = enabled
+
+[eventtype=wineventlog_application]
+os = enabled
+windows = enabled
+
+[eventtype=wineventlog_system]
+os = enabled
+windows = enabled
+
+[eventtype=wineventlog_security]
+os = enabled
+windows = enabled
+
+[eventtype=perfmon_windows]
+os = enabled
+windows = enabled
+
+[eventtype=perfmon_processorinformation]
+process = enabled
+report = enabled
+performance = enabled
+cpu = enabled
+
+[eventtype=hostmon_windows]
+os = enabled
+windows = enabled
+
+[eventtype=hostmon_os]
+os = enabled
+windows = enabled
+memory = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=hostmon_inventory]
+os = enabled
+inventory = enabled
+cpu = enabled
+memory = enabled
+oshost = enabled
+
+[eventtype=hostmon_disk]
+performance = enabled
+inventory = enabled
+storage = enabled
+oshost = enabled
+
+[eventtype=netmon_windows]
+os = enabled
+windows = enabled
+
+[eventtype=printmon_windows]
+os = enabled
+windows = enabled
+
+[eventtype=script_windows]
+os = enabled
+windows = enabled
+
+[eventtype=wmi_windows]
+os = enabled
+windows = enabled
+
+[eventtype=windowsupdatelog_windows]
+os = enabled
+windows = enabled
+
+[eventtype=winregistry_windows]
+os = enabled
+windows = enabled
+endpoint = enabled
+change = enabled
+registry = enabled
+
+[eventtype=winsec]
+security = enabled
+
+
+###### DHCP ######
+[eventtype=msdhcp]
+dhcp    = enabled
+network = enabled
+session = enabled
+windows = enabled
+
+[eventtype=msdhcp_start]
+start = enabled
+
+[eventtype=msdhcp_end]
+end = disabled
+
+[eventtype=DhcpSrvLog]
+windows = enabled
+
+[eventtype=DhcpSrvLog_dhcp]
+dhcp    = enabled
+network = enabled
+session = enabled
+
+[eventtype=DhcpSrvLog_start]
+dhcp    = enabled
+network = enabled
+session = enabled
+start = enabled
+
+[eventtype=DhcpSrvLog_end]
+dhcp    = enabled
+network = enabled
+session = enabled
+end = enabled
+
+
+###### Security: Account Logon ######
+[eventtype=windows_auth_ticket_granted]
+authentication = enabled
+
+[eventtype=windows_service_ticket_granted]
+authentication = enabled
+
+[eventtype=windows_pre_auth_failed]
+authentication = enabled
+
+[eventtype=windows_account_used4logon]
+authentication = enabled
+
+[eventtype=windows_session_disconnected]
+access = enabled
+stop = enabled
+logoff = enabled
+
+
+###### Security: Account Management ######
+[eventtype=windows_account_management]
+account = enabled
+change = enabled
+management = enabled
+
+[eventtype=windows_account_created]
+add = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_enabled]
+enable = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_password_change]
+password = enabled
+modify = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_password_set]
+password = enabled
+modify = enabled
+account = enabled
+change = enabled
+
+[Service_Name=kadmin%2Fchangepw]
+account = enabled
+change = enabled
+password = enabled
+modify = enabled
+
+[eventtype=windows_account_disabled]
+disable = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_deleted]
+delete = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_modified]
+modify = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_lockout]
+lock = enabled
+lockout = enabled
+account = enabled
+change = enabled
+
+[eventtype=windows_account_unlocked]
+modify = enabled
+account = enabled
+change = enabled
+
+###### Security: Audit (Event Log) ######
+[eventtype=windows_audit_log_stopped]
+stop = enabled
+stopped = enabled
+watchlist = enabled
+
+[eventtype=windows_audit_errors]
+audit = enabled
+error = enabled
+
+[eventtype=windows_audit_log_cleared]
+audit = enabled
+change = enabled
+delete = enabled
+cleared = enabled
+watchlist = enabled
+
+[eventtype=windows_audit_backup]
+audit = enabled
+backup = enabled
+change = enabled
+
+[eventtype=windows_audit_log_logon]
+audit = enabled
+change = enabled
+
+[privilege_id=SeAuditPrivilege]
+audit = enabled
+
+[privilege_id=SeSecurityPrivilege]
+audit = enabled
+
+
+###### Security: Logon/Logoff ######
+[eventtype=windows_logoff]
+access = enabled
+stop = enabled
+logoff = enabled
+
+[eventtype=windows_logon_explicit]
+authentication = enabled
+privileged = enabled
+
+[eventtype=windows_logon_failure]
+authentication = enabled
+
+[app=win%3Alocal]
+local = enabled
+
+[app=win%3Aremote]
+remote = enabled
+
+[eventtype=windows_logon_success]
+authentication = enabled
+
+[Logon_Type=8]
+cleartext = enabled
+
+
+###### Security: Object Access ######
+[eventtype=windows_object_open]
+resource = enabled
+file = enabled
+access = enabled
+start = enabled
+
+[eventtype=windows_handle_closed]
+resource = enabled
+file = enabled
+access = enabled
+stop = enabled
+
+
+###### Security: Policy Change ######
+[eventtype=windows_audit_policy_change]
+policy = enabled
+configuration = enabled
+modify = enabled
+audit = enabled
+change = enabled
+
+[eventtype=windows_security_access_granted]
+access = enabled
+authorization = enabled
+add = enabled
+change = enabled
+account = enabled
+
+[eventtype=windows_security_access_removed]
+access = enabled
+authorization = enabled
+delete = enabled
+change = enabled
+account = enabled
+
+[eventtype=windows_audit_policy_changed]
+policy = enabled
+configuration = enabled
+modify = enabled
+audit = enabled
+change = enabled
+
+[eventtype=windows_firewall_policy_active]
+application = enabled
+firewall = enabled
+configuration = enabled
+report = enabled
+
+[eventtype=windows_firewall_policy_change]
+application = enabled
+firewall = enabled
+configuration = enabled
+modify = enabled
+
+[eventtype=windows_firewall_port_listening]
+application = enabled
+firewall = enabled
+port = enabled
+listening = enabled
+report = enabled
+
+
+###### Security: Privilege Use ######
+[eventtype=windows_special_privileges]
+authentication = enabled
+privileged = enabled
+
+[eventtype=windows_privileged_service_call]
+process = enabled
+execute = enabled
+start = enabled
+privileged = enabled
+
+[eventtype=windows_privileged_object_operation]
+resource = enabled
+execute = enabled
+start = enabled
+privileged = enabled
+
+
+###### Security: Process Tracking ######
+[eventtype=windows_process_new]
+process = enabled
+execute = enabled
+start = enabled
+
+[eventtype=windows_process_exit]
+process = enabled
+execute = enabled
+stop = enabled
+
+[eventtype=windows_process_token]
+process = enabled
+execute = enabled
+start = enabled
+privileged = enabled
+
+[Token_Elevation_Type_id=2]
+privileged = enabled
+
+
+###### Security: System ######
+[eventtype=windows_auth_package]
+process = enabled
+execute = enabled
+start = enabled
+
+[eventtype=windows_logon_process]
+process = enabled
+authorization = enabled
+add = enabled
+
+[eventtype=windows_notification_package]
+process = enabled
+execute = enabled
+start = enabled
+
+
+###### Security: Vulnerability ######
+[eventtype=windows_security_misconfiguration_password_minimum_length]
+misconfiguration = enabled
+password = enabled
+policy = enabled
+vulnerability = enabled
+report = enabled
+audit = enabled
+change = enabled
+
+
+###### System: Time ######
+[eventtype=windows_time_sync]
+report = enabled
+time = enabled
+synchronize = enabled
+success = enabled
+performance = enabled
+
+[eventtype=windows_time_failure]
+report = enabled
+time = enabled
+synchronize = enabled
+failure = enabled
+performance = enabled
+
+
+###### System: Update ######
+[eventtype=windows_system_update]
+system = enabled
+update = enabled
+
+[eventtype=windows_system_update_status]
+status = enabled
+
+[eventtype=windows_updatelog]
+system = enabled
+update = enabled
+
+[eventtype=windows_updatelog_status]
+status = enabled
+
+## WMI:Update
+[eventtype=wmi_installed_packages]
+system = enabled
+update = enabled
+status = enabled
+
+
+###### Splunk WMI ######
+
+## ComputerSystem
+[eventtype=wmi_computersystem]
+performance = enabled
+memory = enabled
+
+## CPUTime
+[eventtype=perfmon_cputime]
+cpu = enabled
+report = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=perfmon_cputime_anomalous]
+anomalous = enabled
+
+[eventtype=wmi_cputime]
+cpu = enabled
+report = enabled
+performance = enabled
+
+[eventtype=wmi_cputime_anomalous]
+anomalous = enabled
+
+## System
+[eventtype=perfmon_system]
+cpu = enabled
+report = enabled
+performance = enabled
+oshost = enabled
+
+## Disk
+[eventtype=perfmon_freediskspace]
+disk = enabled
+report = enabled
+performance = enabled
+storage = enabled
+oshost = enabled
+
+[eventtype=perfmon_freediskspace_anomalous]
+anomalous = enabled
+
+[eventtype=wmi_freediskspace]
+disk = enabled
+report = enabled
+performance = enabled
+storage = enabled
+
+[eventtype=wmi_freediskspace_anomalous]
+anomalous = enabled
+
+[eventtype=perfmon_logicaldisk]
+disk = enabled
+performance = enabled
+storage = enabled
+oshost = enabled
+
+[eventtype=wmi_logicaldisk]
+disk = enabled
+performance = enabled
+storage = enabled
+
+## Network
+[eventtype=perfmon_network]
+network = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=perfmon_network_throughput]
+network = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=perfmon_network_bandwidth]
+network = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=wmi_network_throughput]
+network = enabled
+performance = enabled
+
+[eventtype=wmi_network_bandwidth]
+network = enabled
+performance = enabled
+
+## Process
+[eventtype=perfmon_process]
+performance = enabled
+process = enabled
+oshost = enabled
+report = enabled
+
+## Listening Ports
+[eventtype=script_listeningports]
+port = enabled
+listening = enabled
+report = enabled
+
+## Local Processes
+[eventtype=wmi_localprocesses]
+process = enabled
+report = enabled
+
+[eventtype=wmi_localprocesses_anomalous]
+anomalous = enabled
+
+## Memory
+[eventtype=perfmon_memory]
+memory = enabled
+report = enabled
+performance = enabled
+oshost = enabled
+
+[eventtype=perfmon_memory_anomalous]
+anomalous = enabled
+
+[eventtype=wmi_memory]
+memory = enabled
+report = enabled
+performance = enabled
+
+[eventtype=wmi_memory_anomalous]
+anomalous = enabled
+
+## Service
+[eventtype=wmi_service]
+service = enabled
+report = enabled
+
+[eventtype=wmi_service_status_anomalous]
+anomalous = enabled
+
+[eventtype=wmi_service_state_anomalous]
+anomalous = enabled
+
+[app=W32Time]
+time = enabled
+synchronize = enabled
+
+[app=wuauserv]
+automatic = enabled
+update = enabled
+
+## Uptime
+[eventtype=wmi_uptime]
+uptime = enabled
+report = enabled
+performance = enabled
+
+[eventtype=wmi_uptime_anomalous]
+anomalous = enabled
+
+## User Accounts
+[eventtype=wmi_useraccounts]
+account = enabled
+report = enabled
+
+inventory = enabled
+user = enabled
+
+## Version
+[eventtype=wmi_version]
+system = enabled
+version = enabled
+report = enabled
+
+inventory = enabled
+
+
+[eventtype=windows_account_mapped]
+authentication = enabled
+
+[eventtype=windows_account_notmapped]
+authentication = enabled
+
+[eventtype=microsoft_windows_hostmon_process]
+process = enabled
+report = enabled
+
+[eventtype=microsoft_windows_hostmon_service]
+service = enabled
+report = enabled
+
+[eventtype=microsoft_windows_hostmon_service_time]
+time = enabled
+synchronize = enabled
+os = enabled
+performance = enabled
+
+## Endpoint.processes Data Model
+[eventtype=windows_endpoint_processes]
+process = enabled
+report = enabled
+
+## Endpoint.services Data Model
+[eventtype=windows_endpoint_services]
+service = enabled
+report = enabled
+
+## Security-CIM Mappings
+
+## Endpoint Registry Data Model
+[eventtype=windows_security_endpoint_registry]
+endpoint = enabled
+registry = enabled
+
+## Endpoint Port Data Model
+[eventtype=windows_security_endpoint_port]
+listening = enabled
+port = enabled
+
+## Change Audit Data Model
+[eventtype=windows_security_change_audit]
+change = enabled
+audit = enabled
+
+## Change Data Model
+[eventtype=windows_security_change]
+change = enabled
+
+# Authentication Data Model
+[eventtype=windows_security_authentication]
+authentication = enabled
+
+[eventtype=windows_security_change_account]
+change = enabled
+account = enabled
+
+# Change Audit DM for Windows System
+[eventtype=windows_system_change_audit]
+change = enabled
+audit = enabled
+
+# Network resolution (dns) DM for DNS events.
+[eventtype=nt6-dns-events]
+network = enabled
+resolution = enabled
+dns = enabled
diff --git a/deployment-apps/Splunk_TA_windows/default/transforms.conf b/deployment-apps/Splunk_TA_windows/default/transforms.conf
new file mode 100644
index 00000000..e35102d6
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/default/transforms.conf
@@ -0,0 +1,1445 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+## DO NOT EDIT THIS FILE!
+## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
+## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
+## into ../local and edit there.
+##
+
+###### Active Directory ######
+[user_account_control_property]
+external_cmd = user_account_control_property.py userAccountControl userAccountPropertyFlag
+external_type = python
+fields_list = userAccountControl,userAccountPropertyFlag
+python.version = python3
+
+
+
+
+###### DHCP ######
+[dhcp_discard_headers]
+REGEX = ^(?:[^\d]+|\d+[^\d,])
+DEST_KEY = queue
+FORMAT = nullQueue
+
+[auto_kv_for_microsoft_dhcp]
+DELIMS = ","
+FIELDS = msdhcp_id,date,time,description,ip,nt_host,mac,msdhcp_user,transaction_id,qresult,probation_time,correlation_id,dhc_id,vendorclass_hex,vendorclass_ascii,userclass_hex,userclass_ascii,relay_agent_information,dns_reg_error
+
+[microsoft_dhcp_dest_dns]
+SOURCE_KEY = nt_host
+REGEX = (?<dest_dns>[^\.]+\.\w+)$
+
+[msdhcp_signature_lookup]
+filename = msdhcp_signatures.csv
+
+## IAS (Currently WinEventLog Support Only)
+[force_source_system_ias_for_wineventlog]
+DEST_KEY = MetaData:Source
+REGEX = SourceName\=IAS
+FORMAT = source::WinEventLog:System:IAS
+
+
+###### All Windows Event Log ######
+
+## Lookups
+[windows_severity_lookup]
+filename = windows_severities.csv
+case_sensitive_match = false
+
+[windows_signature_lookup]
+filename = windows_signatures_860.csv
+
+[windows_signature_lookup2]
+filename = windows_signatures_substatus_850.csv
+
+[windows_eventtype_lookup]
+filename = windows_eventtypes.csv
+
+## REPORT
+[file_path-file_name_for_windows]
+SOURCE_KEY = Image_File_Name
+REGEX = ^(.*[\\/]+)*(.*)$
+FORMAT = file_path::$1 file_name::$2
+
+
+####### Windows Security Event Log ######
+
+## Lookups
+[windows_action_lookup]
+filename = windows_actions.csv
+
+[windows_app_lookup]
+filename = windows_apps.csv
+
+[windows_audit_changes_lookup]
+filename = windows_audit_changes_860.csv
+
+[windows_privilege_lookup]
+filename = windows_privileges.csv
+
+[MSADGroupType]
+filename=msad_group_type.csv
+max_matches=1
+
+[xmlsecurity_eventcode_action_lookup]
+filename = xmlsecurity_eventcode_action.csv
+
+[xmlsecurity_eventcode_action_lookup_multiinput]
+filename = xmlsecurity_eventcode_action_multiinput.csv
+case_sensitive_match = false
+
+[xmlsecurity_eventcode_errorcode_action_lookup]
+filename = xmlsecurity_eventcode_errorcode_action.csv
+case_sensitive_match = false
+
+## REPORT
+[vendor_privilege_sv_for_windows_security]
+SOURCE_KEY = Message
+REGEX = (?s)^\s*(?:Privileges|Assigned):?\s+(.*?)(?:^[^:]+:)
+FORMAT = vendor_privilege::$1
+
+[vendor_privilege_mv_for_windows_security]
+SOURCE_KEY = Message
+REGEX = (?s)^\s*(?:Privileges|Assigned):\s+(.*)
+FORMAT = vendor_privilege::$1
+
+[privilege_id_for_windows_security]
+SOURCE_KEY = vendor_privilege
+REGEX = ^([^\r\n]+)
+FORMAT = privilege_id::$1
+MV_ADD = True
+
+[Token_Elevation_Type_id_for_windows_security]
+SOURCE_KEY = Token_Elevation_Type
+REGEX = ^[^\d]+(\d+)
+FORMAT = Token_Elevation_Type_id::$1
+
+## Aliases
+[Logon_ID_as_session_id]
+SOURCE_KEY = Logon_ID
+REGEX = (?:(?:[^\n]+)\n)?(.*)
+FORMAT = session_id::"$1"
+
+[Client_Logon_ID_as_session_id]
+SOURCE_KEY = Client_Logon_ID
+REGEX = (.+)
+FORMAT = session_id::"$1"
+
+[Caller_Logon_ID_as_session_id]
+SOURCE_KEY = Caller_Logon_ID
+REGEX = (.+)
+FORMAT = session_id::"$1"
+
+[Target_Server_Name_as_dest]
+SOURCE_KEY = Target_Server_Name
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = dest::"$1"
+
+[ComputerName_as_dest]
+SOURCE_KEY = ComputerName
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = dest::"$1"
+
+[Computer_as_dest]
+REGEX = <Computer>([^<]+)<\/Computer>
+FORMAT = dest::$1
+
+[Computer_as_src]
+REGEX = <Computer>([^<]+)<\/Computer>
+FORMAT = src::$1
+
+[Target_Server_Name_as_dest_nt_host]
+SOURCE_KEY = Target_Server_Name
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = dest_nt_host::"$1"
+
+[ComputerName_as_dest_nt_host]
+SOURCE_KEY = ComputerName
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = dest_nt_host::"$1"
+
+[Target_Domain_as_dest_nt_domain]
+SOURCE_KEY = Target_Domain
+REGEX = (?:(?:[^\n]+)\n)?(.+)
+FORMAT = dest_nt_domain::"$1"
+
+[Primary_Domain_as_dest_nt_domain]
+SOURCE_KEY = Primary_Domain
+REGEX = (?:(?:[^\n]+)\n)?(.+)
+FORMAT = dest_nt_domain::"$1"
+
+[Group_Domain_as_dest_nt_domain]
+SOURCE_KEY = Group_Domain
+REGEX = (?:(?:[^\n]+)\n)?(.+)
+FORMAT = dest_nt_domain::"$1"
+
+[Account_Domain_as_dest_nt_domain]
+SOURCE_KEY = Account_Domain
+REGEX = (?:(?:[^\n]+)\n)?(.+)
+FORMAT = dest_nt_domain::"$1"
+
+[New_Domain_as_dest_nt_domain]
+SOURCE_KEY = New_Domain
+REGEX = (?:(?:[^\n]+)\n)?(.+)
+FORMAT = dest_nt_domain::"$1"
+
+[Domain_as_dest_nt_domain]
+SOURCE_KEY = Domain
+REGEX = (?:(?:[^\n]+)\n)?(.+)
+FORMAT = dest_nt_domain::"$1"
+
+[User_ID_as_dest_nt_domain]
+SOURCE_KEY = User_ID
+REGEX = (.+)[\\]
+FORMAT = dest_nt_domain::"$1"
+
+[Security_ID_as_dest_nt_domain]
+SOURCE_KEY = Security_ID
+REGEX = (.+)[\\]
+FORMAT = dest_nt_domain::"$1"
+
+[Supplied_Realm_Name_as_dest_nt_domain]
+SOURCE_KEY = Supplied_Realm_Name
+REGEX = (.+)
+FORMAT = dest_nt_domain::"$1"
+
+[Target_Account_ID_as_dest_nt_domain]
+SOURCE_KEY = Target_Account_ID
+REGEX = (.+)[\\]
+FORMAT = dest_nt_domain::"$1"
+
+[Workstation_Name_as_src]
+SOURCE_KEY = Workstation_Name
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src::"$1"
+
+[Caller_Machine_Name_as_src]
+SOURCE_KEY = Caller_Machine_Name
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src::"$1"
+
+[Client_Machine_Name_as_src]
+SOURCE_KEY = Client_Machine_Name
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src::"$1"
+
+[Source_Network_Address_as_src]
+SOURCE_KEY = Source_Network_Address
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src::"$1"
+
+[Client_Address_as_src]
+SOURCE_KEY = Client_Address
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src::"$1"
+
+[Source_Workstation_as_src]
+SOURCE_KEY = Source_Workstation
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src::"$1"
+
+[Source_Network_Address_as_src_ip]
+SOURCE_KEY = Source_Network_Address
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src_ip::"$1"
+
+[Client_Address_as_src_ip]
+SOURCE_KEY = Client_Address
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src_ip::"$1"
+
+[Caller_Domain_as_src_nt_domain]
+SOURCE_KEY = Caller_Domain
+REGEX = (?!^-$)(.+)
+FORMAT = src_nt_domain::"$1"
+
+[Client_Domain_as_src_nt_domain]
+SOURCE_KEY = Client_Domain
+REGEX = (?!^-$)(.+)
+FORMAT = src_nt_domain::"$1"
+
+[Account_Domain_as_src_nt_domain]
+SOURCE_KEY = Account_Domain
+REGEX = (?!^-$)([^\n]+)\n
+FORMAT = src_nt_domain::"$1"
+
+[Domain_as_src_nt_domain]
+SOURCE_KEY = Domain
+REGEX = (?!^-$)(.+)
+FORMAT = src_nt_domain::"$1"
+
+[New_Security_ID_as_src_nt_domain]
+REGEX = (?s)(?:Subject|User|Account\sInformation)\s*:.*?Security\sID:[ \t]*(.*?)[\\|\n]
+FORMAT = src_nt_domain::"$1"
+
+[Security_ID_as_src_nt_domain]
+SOURCE_KEY = Security_ID
+REGEX = (?!^-$)(.+)[\\]
+FORMAT = src_nt_domain::"$1"
+
+[Workstation_Name_as_src_nt_host]
+SOURCE_KEY = Workstation_Name
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src_nt_host::"$1"
+
+[Caller_Machine_Name_as_src_nt_host]
+SOURCE_KEY = Caller_Machine_Name
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src_nt_host::"$1"
+
+[Client_Machine_Name_as_src_nt_host]
+SOURCE_KEY = Client_Machine_Name
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src_nt_host::"$1"
+
+[Caller_Computer_Name_as_src_nt_host]
+SOURCE_KEY = Caller_Computer_Name
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src_nt_host::"$1"
+
+[Source_Workstation_as_src_nt_host]
+SOURCE_KEY = Source_Workstation
+REGEX = (?:[\\]+)?([^-].*)
+FORMAT = src_nt_host::"$1"
+
+[Caller_User_Name_as_src_user]
+SOURCE_KEY = Caller_User_Name
+REGEX = (?!^-$)(.+)
+FORMAT = src_user::"$1"
+
+[Client_User_Name_as_src_user]
+SOURCE_KEY = Client_User_Name
+REGEX = (?!^-$)(.+)
+FORMAT = src_user::"$1"
+
+[Account_Name_as_src_user]
+SOURCE_KEY = Account_Name
+REGEX = (?!^-$)([^\n]+)\n
+FORMAT = src_user::"$1"
+
+[User_Name_as_src_user]
+SOURCE_KEY = User_Name
+REGEX = (?!^-$)(.+)
+FORMAT = src_user::"$1"
+
+[Target_User_Name_as_user]
+SOURCE_KEY = Target_User_Name
+REGEX = (.+)
+FORMAT = user::"$1"
+
+[Primary_User_Name_as_user]
+SOURCE_KEY = Primary_User_Name
+REGEX = (.+)
+FORMAT = user::"$1"
+
+[Target_Account_Name_as_user]
+SOURCE_KEY = Target_Account_Name
+REGEX = (.+)
+FORMAT = user::"$1"
+
+[New_Account_Name_as_user]
+SOURCE_KEY = New_Account_Name
+REGEX = (.+)
+FORMAT = user::"$1"
+
+[User_Name_as_user]
+SOURCE_KEY = User_Name
+REGEX = (.+)
+FORMAT = user::"$1"
+
+[Account_Name_as_user]
+SOURCE_KEY = Account_Name
+REGEX = (?:(?:[^\n]*)\n)?([^\n]*)
+FORMAT = user::"$1"
+
+## Security-CIM Mappings
+
+[Special_Account_Name_as_user]
+SOURCE_KEY = Account_Name
+REGEX = (?:(?:[^\n]*)\n)?(?:(?:CN|cn)=)?([^\n]*?),.*
+FORMAT = user::"$1"
+
+## End Security-CIM Mappings
+
+[User_as_user]
+SOURCE_KEY = User
+REGEX = (?:[^\\]+\\)?(.+)
+FORMAT = user::"$1"
+
+# Event Code 4776 (and possibly others)
+# See also: [Logon_account_as_user]
+[Logon_Account_as_user]
+SOURCE_KEY = Logon_Account
+REGEX = (?:[^\\]+\\)?(.+)
+FORMAT = user::"$1"
+
+# Event Code 680 (and possibly others)
+# See also: [Logon_Account_as_user]
+[Logon_account_as_user]
+SOURCE_KEY = Logon_account
+REGEX = (?:[^\\]+\\)?(.+)
+FORMAT = user::"$1"
+
+[Security_ID_as_user]
+SOURCE_KEY = Security_ID
+REGEX = (?:[^\\]+\\)?(.+)
+FORMAT = user::"$1"
+
+[Member_ID_as_member_id]
+SOURCE_KEY = Member_ID
+REGEX = (?:[^\\]+\\)?(.+)
+FORMAT = member_id::"$1"
+
+[Security_ID_as_member_id]
+SOURCE_KEY = Security_ID
+REGEX = (.+)
+FORMAT = member_id::"$1"
+
+[Member_Name_as_member_dn]
+SOURCE_KEY = Member_Name
+REGEX = (.+)
+FORMAT = member_dn::"$1"
+
+[Account_Name_as_member_dn]
+SOURCE_KEY = Account_Name
+REGEX = (.+)
+FORMAT = member_dn::"$1"
+
+[Member_ID_as_member_nt_domain]
+SOURCE_KEY = Member_ID
+REGEX = ([^\\]+\\)?(?:.+)
+FORMAT = member_nt_domain::"$1"
+
+[Security_ID_as_member_nt_domain]
+SOURCE_KEY = Security_ID
+REGEX = ([^\\]+\\)?(?:.+)
+FORMAT = member_nt_domain::"$1"
+
+[msad_action_from_Group_Type_Change]
+SOURCE_KEY = Group_Type_Change
+REGEX = Security (Enabled|Disabled) (\w+) Group (Changed) to Security (Enabled|Disabled) (\w+) Group[:\.]
+FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" msad_action::"$3" MSADNewGroupClassID::"$4" MSADNewGroupType::"$5"
+
+[msad_action_from_Change_Type]
+SOURCE_KEY = Change_Type
+REGEX = Security[ -]([Ee]nabled|[Dd]isabled) (\w+) Group Changed to Security[ -]([Ee]nabled|[Dd]isabled) (\w+) Group[.:]
+FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" MSADNewGroupClassID::"$3" MSADNewGroupType::"$4"
+
+[msad_action_from_Description1]
+SOURCE_KEY = Description
+REGEX = Security (Enabled|Disabled) (\w+) Group (.*?)[:\.]
+FORMAT = MSADGroupClassID::"$1" MSADGroupType::"$2" msad_action::"$3"
+
+[msad_action_from_Description2]
+SOURCE_KEY = Description
+REGEX = Computer Account (.*?)[:\.]
+FORMAT = msad_action::"$1"
+
+[msad_action_from_Description3]
+SOURCE_KEY = Description
+REGEX = User Account (.*?)[:\.]
+FORMAT = msad_action::"$1"
+
+[msad_action_from_raw1]
+SOURCE_KEY = _raw
+REGEX = (?ms).*A computer account was (.*?)[:\.]
+FORMAT = msad_action::"$1"
+
+[msad_action_from_raw2]
+SOURCE_KEY = _raw
+REGEX = (?ms).*A user account was (.*?)[:\.]
+FORMAT = msad_action::"$1"
+
+[msad_action_from_raw3]
+SOURCE_KEY = _raw
+REGEX = (?ms).*An attempt was made to (.*?)[:\.]
+FORMAT = msad_action::"$1"
+
+[msad_action_from_raw4]
+SOURCE_KEY = _raw
+REGEX = (?ms)EventCode=(4781|4912)\s*\n.*Message=(?:.*?)[:\.]
+FORMAT = msad_action::"$1"
+
+[msad_attribute_changes_from_raw1]
+SOURCE_KEY = _raw
+REGEX = (?ms).*Changed Attributes:\s*\n(.*?)\s*\n\s*Additional Information:
+FORMAT = MSADChangedAttributes::"$1"
+
+[msad_attribute_changes_from_raw2]
+SOURCE_KEY = _raw
+REGEX = (?ms).*Attributes:\s*\n(.*?)\s*\n\s*Additional Information:
+FORMAT = MSADChangedAttributes::"$1"
+
+[msad_attribute_changes_from_raw3]
+SOURCE_KEY = _raw
+REGEX = (?ms).*Changed Attributes:\s*\n(.*)
+FORMAT = MSADChangedAttributes::"$1"
+
+[msad_attribute_changes_from_raw4]
+SOURCE_KEY = _raw
+REGEX = (?ms)EventCode=(?:624|645|4720|4741).*Attributes:\s*\n(.*)
+FORMAT = MSADChangedAttributes::"$1"
+
+[msad_attribute_changes_from_raw5]
+SOURCE_KEY = _raw
+REGEX = (?ms).*Category Settings:\s*\n(.*)
+FORMAT = MSADChangedAttributes::"$1"
+
+[msad_attribute_changes_from_raw6]
+SOURCE_KEY = _raw
+REGEX = (?ms).*Policy Change Details:\s*\n(.*)
+FORMAT = MSADChangedAttributes::"$1"
+
+###### Windows System Event Log ######
+[signature_for_windows_system_timesync]
+SOURCE_KEY = Message
+REGEX = ((?:The\s+time\s+provider\s+\w+\s+is\s+configured\s+to\s+acquire\s+time\s+from\s+one\s+or\s+more\s+time\s+sources\,\s+however\s+none\s+of\s+the\s+sources\s+are\s+currently\s+accessible)|(?:The\s+time\s+service\s+is\s+now\s+synchronizing\s+the\s+system\s+time\s+with\s+the\s+time\s+source)|(?:Time\s+Provider\s+\w+\:\s+An\s+error\s+occurred\s+during\s+DNS\s+lookup\s+of\s+the\s+manually\s+configured\s+peer))
+FORMAT = signature::$1
+
+[signature_message_for_windows_system_update]
+REGEX = Installation Ready: The following updates are downloaded and ready for installation.*?:\s+((?:.*[\r\n])*)
+FORMAT = signature_message::$1
+
+[signature_for_windows_system_update]
+REGEX = Windows successfully installed the following update:\s+(.*)
+FORMAT = signature::"$1"
+
+[signature_for_windows_system_update2]
+SOURCE_KEY = signature_message
+REGEX = -\s+([^\r\n]+)
+FORMAT = signature::$1
+MV_ADD = True
+
+[user_for_windows_system_ias]
+REGEX = Message\=User\s+(?:[^\/\\]+[\/\\])?([^.]+).*?was
+FORMAT = user::"$1"
+
+[service_name_eventcode_7036]
+SOURCE_KEY = Message
+REGEX = ^The (.*) service entered the (.*) state\.
+FORMAT = Service_Name::"$1" status::"$2"
+
+[ServiceName_as_service_name]
+SOURCE_KEY = param1
+REGEX = (.+)
+FORMAT = ServiceName::"$1"
+
+[service_name_eventcode_7040]
+SOURCE_KEY = Message
+REGEX = ^The start type of the (.*) service was changed from .* to (.*)\.
+FORMAT = Service_Name::"$1" start_type2::"$2"
+
+## IAS (Currently WinEventLog Support Only)
+[auto_kv_for_windows_system_ias]
+SOURCE_KEY = Message
+REGEX = \n([^=\n\r\s]+)\s+\=\s+([^\n]*)
+FORMAT = $1::$2
+MV_ADD = TRUE
+
+
+###### Update ######
+[windows_update_status_lookup]
+filename = windows_update_statii.csv
+
+[signature_message_for_windowsupdatelog]
+REGEX = (Content\s+Install\s+((?:Restart\s+Required)|(?:Installation\s+Ready)).*)
+FORMAT = signature_message::"$1" vendor_status::"$2"
+
+[signature_for_windowsupdatelog]
+REGEX = Content\s+Install\s+(Installation\s+(?:Successful|Failure)):\s+Windows.*the\s+following\s+update.*?:\s+(.*)
+FORMAT = vendor_status::"$1" signature::"$2"
+
+[signature_for_windowsupdatelog_restartrequired]
+REGEX = Content\s+Install\s+(Installation\s+successful\s+and\s+restart\s+required)\s+for\s+the\s+following\s+update:\s+(.*)
+FORMAT = vendor_status::"$1" signature::"$2"
+
+[signature_for_windowsupdatelog_signature_message]
+SOURCE_KEY = signature_message
+REGEX = \-\s+([^)]+\)(?:\,\s+\d+\-[bB]it\s+Edition)?)
+FORMAT = signature::"$1"
+MV_ADD = True
+
+[signature_id_for_windowsupdatelog]
+SOURCE_KEY = signature
+REGEX = (KB\d+)
+FORMAT = signature_id::$1
+MV_ADD = True
+
+[pid-tid-component_for_windowsupdatelog]
+REGEX = ^\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)
+FORMAT = pid::$1 tid::$2 component::$3
+
+
+###### Endpoint Changes ######
+
+## Endpoint Changes: lookups
+[endpoint_change_status_lookup]
+filename = status_850.csv
+default_match = failure
+min_matches = 1
+max_matches = 1
+
+[endpoint_change_object_category_lookup]
+filename = object_category_850.csv
+
+[endpoint_change_vendor_action_lookup]
+filename = vendor_actions.csv
+
+[endpoint_change_user_type_lookup]
+filename = user_types.csv
+
+## WinRegistry
+
+## Registry Extractions
+[registry_key_for_WinRegistry]
+REGEX  = registry_type="\w+Key"[\r\n]+key_path="((?:.*)\\([^"]+))
+FORMAT = registry_path::$1 registry_key_name::$2
+
+[registry_key-registry_value_for_WinRegistry]
+REGEX  = registry_type="\w+Value"[\r\n]+key_path="((?:.*)\\(.*?))\\([^"]+)
+FORMAT = registry_path::$1 registry_key_name::$2 registry_value_name::$3
+
+[registry_value_data_for_WinRegistry]
+REGEX  = data="([^"]+)"
+FORMAT = registry_value_data::$1
+
+## Endpoint Change Extractions
+[object_as_registry_key_for_WinRegistry]
+REGEX  = registry_type="\w+Key"[\r\n]+key_path="((?:.*)\\([^"]+))
+FORMAT = object_path::$1 object::$2
+
+[object_as_registry_value_for_WinRegistry]
+REGEX  = registry_type="\w+Value"[\r\n]+key_path="((?:.*)\\(?:.*?))\\([^"]+)
+FORMAT = object_path::$1 object::$2
+
+[vendor_status_msg_for_WinRegistry]
+REGEX  = event_status="\(([0-9-]+)\)([^\"]+)"
+FORMAT = vendor_status::$1 msg::$2
+
+# Note: user_path is not a CIM field, so we exclude it so as to avoid potential overlap.
+# The commented "FORMAT" is for reference only.
+[user_for_WinRegistry]
+REGEX  = process_image=\"(?:[^\"]+)\\([^\"]+)\"
+FORMAT = user::$1
+##FORMAT = user_path::$1 user::$2
+
+
+###### Splunk WMI ######
+[wmi-host]
+REGEX = (?m)ComputerName=(.+)
+DEST_KEY = MetaData:Host
+FORMAT = host::$1
+
+[wmi-override-host]
+REGEX = (?m)wmi_hostname=(.+)
+DEST_KEY = MetaData:Host
+FORMAT = host::$1
+
+[wmi-source]
+REGEX = (?m)wmi_type=([^\r\n]+)
+DEST_KEY = MetaData:Source
+FORMAT = source::WMI:$1
+
+[wmi-sourcetype]
+REGEX = (?m)wmi_type=([^\r\n]+)
+DEST_KEY = MetaData:Sourcetype
+FORMAT = sourcetype::WMI:$1
+
+[wmi-wineventlog-source]
+REGEX = (?m)wmi_type=(WinEventLog:)(\S+)
+DEST_KEY = MetaData:Source
+FORMAT = source::$1$2
+
+[wmi-wineventlog-sourcetype]
+REGEX = (?m)wmi_type=(WinEventLog:)(\S+)
+DEST_KEY = MetaData:Sourcetype
+FORMAT = sourcetype::$1$2
+
+## Installed Apps
+[AuthorizedCDFPrefix_for_win_installed_apps]
+REGEX  = ^AuthorizedCDFPrefix=([^\r\n]+)
+FORMAT = AuthorizedCDFPrefix::$1
+
+[Comments_for_win_installed_apps]
+REGEX  = ^Comments=([^\r\n]+)
+FORMAT = Comments::$1
+
+[Contact_for_win_installed_apps]
+REGEX  = ^Contact=([^\r\n]+)
+FORMAT = Contact::$1
+
+[DisplayVersion_for_win_installed_apps]
+REGEX  = ^DisplayVersion=([^\r\n]+)
+FORMAT = DisplayVersion::$1
+
+[HelpLink_for_win_installed_apps]
+REGEX  = ^HelpLink=([^\r\n]+)
+FORMAT = HelpLink::$1
+
+[HelpTelephone_for_win_installed_apps]
+REGEX  = ^HelpTelephone=([^\r\n]+)
+FORMAT = HelpTelephone::$1
+
+[InstallDate_for_win_installed_apps]
+REGEX  = ^InstallDate=([^\r\n]+)
+FORMAT = InstallDate::$1
+
+[InstallLocation_for_win_installed_apps]
+REGEX  = ^InstallLocation=([^\r\n]+)
+FORMAT = InstallLocation::$1
+
+[InstallSource_for_win_installed_apps]
+REGEX  = ^InstallSource=([^\r\n]+)
+FORMAT = InstallSource::$1
+
+[ModifyPath_for_win_installed_apps]
+REGEX  = ^ModifyPath=([^\r\n]+)
+FORMAT = ModifyPath::$1
+
+[NoModify_for_win_installed_apps]
+REGEX  = ^NoModify=([^\r\n]+)
+FORMAT = NoModify::$1
+
+[NoRepair_for_win_installed_apps]
+REGEX  = ^NoRepair=([^\r\n]+)
+FORMAT = NoRepair::$1
+
+[Publisher_for_win_installed_apps]
+REGEX  = ^Publisher=([^\r\n]+)
+FORMAT = Publisher::$1
+
+[Readme_for_win_installed_apps]
+REGEX  = ^Readme=([^\r\n]+)
+FORMAT = Readme::$1
+
+[Size_for_win_installed_apps]
+REGEX  = ^Size=([^\r\n]+)
+FORMAT = Size::$1
+
+[EstimatedSize_for_win_installed_apps]
+REGEX  = ^EstimatedSize=([^\r\n]+)
+FORMAT = EstimatedSize::$1
+
+[UninstallString_for_win_installed_apps]
+REGEX  = ^UninstallString=([^\r\n]+)
+FORMAT = UninstallString::$1
+
+[URLInfoAbout_for_win_installed_apps]
+REGEX  = ^URLInfoAbout=([^\r\n]+)
+FORMAT = URLInfoAbout::$1
+
+[URLUpdateInfo_for_win_installed_apps]
+REGEX  = ^URLUpdateInfo=([^\r\n]+)
+FORMAT = URLUpdateInfo::$1
+
+[VersionMajor_for_win_installed_apps]
+REGEX  = ^VersionMajor=([^\r\n]+)
+FORMAT = VersionMajor::$1
+
+[VersionMinor_for_win_installed_apps]
+REGEX  = ^VersionMinor=([^\r\n]+)
+FORMAT = VersionMinor::$1
+
+[WindowsInstaller_for_win_installed_apps]
+REGEX  = ^WindowsInstaller=([^\r\n]+)
+FORMAT = WindowsInstaller::$1
+
+[Version_for_win_installed_apps]
+REGEX  = ^Version=([^\r\n]+)
+FORMAT = Version::$1
+
+[Language_for_win_installed_apps]
+REGEX  = Language=([^\r\n]+)
+FORMAT = Language::$1
+
+[DisplayName_for_win_installed_apps]
+REGEX  = ^DisplayName=([^\r\n]+)
+FORMAT = DisplayName::$1
+
+## Installed Updates
+[Description_for_installedupdates]
+REGEX = ^Description=([^\r\n]+)
+FORMAT = Description::$1
+
+## Listening Ports
+[dest_ip_for_listeningports]
+REGEX = dest_ip=\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
+FORMAT = dest_ip::$1
+
+[kv_for_listeningports]
+DELIMS = " ", "="
+
+## Time Configuration
+[Current_time_for_win_timesync]
+REGEX = ^Current\s*time:([^\r\n]+)
+FORMAT = Current_time::$1
+
+[EventLogFlags_for_win_timesync_configuration]
+REGEX = ^EventLogFlags:([^\r\n]+)
+FORMAT = EventLogFlags::$1
+
+[AnnounceFlags_for_win_timesync_configuration]
+REGEX = ^AnnounceFlags:([^\r\n]+)
+FORMAT = AnnounceFlags::$1
+
+[TimeJumpAuditOffset_for_win_timesync_configuration]
+REGEX = ^TimeJumpAuditOffset:([^\r\n]+)
+FORMAT = TimeJumpAuditOffset::$1
+
+[MinPollInterval_for_win_timesync_configuration]
+REGEX = ^MinPollInterval:([^\r\n]+)
+FORMAT = MinPollInterval::$1
+
+[MaxPollInterval_for_win_timesync_configuration]
+REGEX = ^MaxPollInterval:([^\r\n]+)
+FORMAT = MaxPollInterval::$1
+
+[MaxNegPhaseCorrection_for_win_timesync_configuration]
+REGEX = ^MaxNegPhaseCorrection:([^\r\n]+)
+FORMAT = MaxNegPhaseCorrection::$1
+
+[MaxPosPhaseCorrection_for_win_timesync_configuration]
+REGEX = ^MaxPosPhaseCorrection:([^\r\n]+)
+FORMAT = MaxPosPhaseCorrection::$1
+
+[MaxAllowedPhaseOffset_for_win_timesync_configuration]
+REGEX = ^MaxAllowedPhaseOffset:([^\r\n]+)
+FORMAT = MaxAllowedPhaseOffset::$1
+
+[FrequencyCorrectRate_for_win_timesync_configuration]
+REGEX = ^FrequencyCorrectRate:([^\r\n]+)
+FORMAT = FrequencyCorrectRate::$1
+
+[PollAdjustFactor_for_win_timesync_configuration]
+REGEX = ^PollAdjustFactor:([^\r\n]+)
+FORMAT = PollAdjustFactor::$1
+
+[LargePhaseOffset_for_win_timesync_configuration]
+REGEX = ^LargePhaseOffset:([^\r\n]+)
+FORMAT = LargePhaseOffset::$1
+
+[SpikeWatchPeriod_for_win_timesync_configuration]
+REGEX = ^SpikeWatchPeriod:([^\r\n]+)
+FORMAT = SpikeWatchPeriod::$1
+
+[LocalClockDispersion_for_win_timesync_configuration]
+REGEX = ^LocalClockDispersion:([^\r\n]+)
+FORMAT = LocalClockDispersion::$1
+
+[HoldPeriod_for_win_timesync_configuration]
+REGEX = ^HoldPeriod:([^\r\n]+)
+FORMAT = HoldPeriod::$1
+
+[PhaseCorrectRate_for_win_timesync_configuration]
+REGEX = ^PhaseCorrectRate:([^\r\n]+)
+FORMAT = PhaseCorrectRate::$1
+
+[UpdateInterval_for_win_timesync_configuration]
+REGEX = ^UpdateInterval:([^\r\n]+)
+FORMAT = UpdateInterval::$1
+
+[FileLogName_for_win_timesync_configuration]
+REGEX = ^FileLogName:([^\r\n]+)
+FORMAT = FileLogName::$1
+
+[FileLogEntries_for_win_timesync_configuration]
+REGEX = ^FileLogEntries:([^\r\n]+)
+FORMAT = FileLogEntries::$1
+
+[FileLogSize_for_win_timesync_configuration]
+REGEX = ^FileLogSize:([^\r\n]+)
+FORMAT = FileLogSize::$1
+
+[FileLogFlags_for_win_timesync_configuration]
+REGEX = ^FileLogFlags:([^\r\n]+)
+FORMAT = FileLogFlags::$1
+
+[Time_zone_for_win_timesync]
+REGEX = ^Time\s*zone:([^\r\n]+)
+FORMAT = Time_zone::$1
+
+## Time Synchronization
+[windows_timesync_action_lookup]
+filename    = windows_timesync_actions.csv
+match_type  = WILDCARD(Last_Sync_Error)
+max_matches = 1
+
+[Leap_Indicator_for_win_timesync_status]
+REGEX = ^Leap\s*Indicator:([^\r\n]+)
+FORMAT = Leap_Indicator::$1
+
+[Stratum_for_win_timesync_status]
+REGEX = ^Stratum:([^\r\n]+)
+FORMAT = Stratum::$1
+
+[Precision_for_win_timesync_status]
+REGEX = ^Precision:([^\r\n]+)
+FORMAT = Precision::$1
+
+[Root_Delay_for_win_timesync_status]
+REGEX = ^Root\s*Delay:([^\r\n]+)
+FORMAT = Root_Delay::$1
+
+[Root_Dispersion_for_win_timesync_status]
+REGEX = ^Root\s*Dispersion:([^\r\n]+)
+FORMAT = Root_Dispersion::$1
+
+[ReferenceId_for_win_timesync_status]
+REGEX = ^ReferenceId:([^\r\n]+)
+FORMAT = ReferenceId::$1
+
+[Last_Successful_Sync_Time_for_win_timesync_status]
+REGEX = ^Last\s*Successful\s*Sync\s*Time:([^\r\n]+)
+FORMAT = Last_Successful_Sync_Time::$1
+
+[Source_for_win_timesync_status]
+REGEX = ^Source:([^\r\n]+)
+FORMAT = Source::$1
+
+[Poll_Interval_for_win_timesync_status]
+REGEX = ^Poll\s*Interval:([^\r\n]+)
+FORMAT = Poll_Interval::$1
+
+[Phase_Offset_for_win_timesync_status]
+REGEX = ^Phase\s*Offset:([^\r\n]+)
+FORMAT = Phase_Offset::$1
+
+[ClockRate_for_win_timesync_status]
+REGEX = ^ClockRate:([^\r\n]+)
+FORMAT = ClockRate::$1
+
+[State_Machine_for_win_timesync_status]
+REGEX = ^State\s*Machine:([^\r\n]+)
+FORMAT = State_Machine::$1
+
+[Time_Source_Flags_for_win_timesync_status]
+REGEX = ^Time\s*Source\s*Flags:([^\r\n]+)
+FORMAT = Time_Source_Flags::$1
+
+[Server_Role_for_win_timesync_status]
+REGEX = ^Server\s*Role:([^\r\n]+)
+FORMAT = Server_Role::$1
+
+[Last_Sync_Error_for_win_timesync_status]
+REGEX = ^Last\s*Sync\s*Error:([^\r\n]+)
+FORMAT = Last_Sync_Error::$1
+
+[Time_since_Last_Good_Sync_Time_for_win_timesync_status]
+REGEX = ^Time\s*since\s*Last\s*Good\s*Sync\s*Time:([^\r\n]+)
+FORMAT = Time_since_Last_Good_Sync_Time::$1
+
+## Version
+[wmi_version_range_lookup]
+filename = wmi_version_range.csv
+
+[wmi_user_account_status_lookup]
+filename = wmi_user_account_status.csv
+
+[Caption_for_wmi_version]
+REGEX = ^Caption=([^\r\n]+)
+FORMAT = Caption::$1
+
+
+## Setting generic sourcetype and unique source
+[ta-windows-fix-classic-source]
+DEST_KEY = MetaData:Source
+REGEX = (?m)^LogName=(.+?)\s*$
+FORMAT = source::WinEventLog:$1
+
+[ta-windows-fix-xml-source]
+DEST_KEY = MetaData:Source
+REGEX = <Channel>(.+?)<\/Channel>.*
+FORMAT = source::XmlWinEventLog:$1
+
+[ta-windows-fix-sourcetype]
+SOURCE_KEY = MetaData:Sourcetype
+DEST_KEY = MetaData:Sourcetype
+REGEX = sourcetype::([^:]*)
+FORMAT = sourcetype::$1
+
+
+## Overriding host to identify system from which events are generated
+[WinEventHostOverride]
+DEST_KEY = MetaData:Host
+REGEX = (?m)^ComputerName=([^.]+)
+FORMAT = host::$1
+
+[WinEventXmlHostOverride]
+DEST_KEY = MetaData:Host
+REGEX = <Computer>([^.<]+).*?<\/Computer>
+FORMAT = host::$1
+
+
+###### Generic XML eventlog extraction ######
+
+# Extract the XML into blocks
+[system_xml_block]
+REGEX = (?ms)<System(?:\s+[^>]+)?>(.*?)<\/System>
+FORMAT = System_Props_Xml::$1
+
+[eventdata_xml_block]
+REGEX = (?ms)<EventData(?:\s+[^>]+)?>(.*?)<\/EventData>
+FORMAT = EventData_Xml::$1
+MV_ADD = 1
+
+[userdata_xml_block]
+REGEX = (?ms)<UserData(?:\s+[^>]+)?>(.*?)<\/UserData>
+FORMAT = UserData_Xml::$1
+
+[debugdata_xml_block]
+REGEX = (?ms)<DebugData(?:\s+[^>]+)?>(.*?)<\/DebugData>
+FORMAT = DebugData_Xml::$1
+
+[renderinginfo_xml_block]
+REGEX = (?ms)<RenderingInfo(?:\s+[^>]+)?>(.*?)<\/RenderingInfo>
+FORMAT = RenderingInfo_Xml::$1
+
+[system_props_xml_kv]
+# Extracts anything in the form of <tag>value</tag> as tag::value
+SOURCE_KEY = System_Props_Xml
+REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
+FORMAT = $1::$2
+MV_ADD = 1
+
+[windows_start_mode_lookup]
+filename = windows_start_mode_lookup.csv
+
+[system_props_xml_attributes]
+# Extracts values from following fields:
+# Provider: Name, Guid
+# TimeCreated: SystemTime, RawTime
+# Correlation: ActivityID, RelativeActivityID
+# Execution: ProcessID, ThreadID, ProcessorID, SessionID, KernelTime, UserTime, ProcessorTime
+# Security: UserID
+SOURCE_KEY = System_Props_Xml
+REGEX = (?ms)\s([^\s=]+)\s*=\s*(\'[^<\']*\'|"[^<"]*")
+FORMAT = $1::$2
+MV_ADD = 1
+
+[eventdata_xml_data]
+# Extracts from <Data Name='name'>value</Data> as name:value. Skips ComplexData tags
+SOURCE_KEY = EventData_Xml
+REGEX = <(?:\w+)\sName='([^>]*)'\/?>([^<]*)(?:<\/\1>)?
+FORMAT = $1::$2
+MV_ADD = 1
+
+[rendering_info_xml_data]
+# Extracts anything in the form of <tag>value</tag> as tag::value
+SOURCE_KEY = RenderingInfo_Xml
+REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
+FORMAT = $1::$2
+MV_ADD = 1
+
+[updatelist_from_user_data]
+SOURCE_KEY = UserData_Xml
+REGEX = (?ms)<updatelist(?:\s+[^>]+)?>(.*?)<\/updatelist>
+FORMAT = signature_message::$1
+
+[updatetitle_from_user_data]
+SOURCE_KEY = UserData_Xml
+REGEX = (?ms)<updatetitle(?:\s+[^>]+)?>(.*?)<\/updatetitle>
+FORMAT = signature::$1
+
+[EventID_as_EventCode]
+SOURCE_KEY = EventID
+REGEX = (.+)
+FORMAT = EventCode::$1
+
+[EventID2_as_EventCode]
+REGEX = <EventID.*?>(.+?)<\/EventID>.*
+FORMAT = EventCode::$1
+
+[EventRecordID_as_RecordNumber]
+SOURCE_KEY = EventRecordID
+REGEX = (.+)
+FORMAT = RecordNumber::$1
+
+[PrivilegeList_as_vendor_privilege]
+SOURCE_KEY = PrivilegeList
+REGEX = (.+)
+FORMAT = vendor_privilege::$1
+
+[IpPort_as_Source_Port]
+SOURCE_KEY = IpPort
+REGEX = (.+)
+FORMAT = Source_Port::$1
+
+[TokenElevationType_as_Token_Elevation_Type]
+SOURCE_KEY = TokenElevationType
+REGEX = (.+)
+FORMAT = Token_Elevation_Type::$1
+
+[TargetServerName_as_Target_Server_Name]
+SOURCE_KEY = TargetServerName
+REGEX = (.+)
+FORMAT = Target_Server_Name::$1
+
+[LogonType_as_Logon_Type]
+SOURCE_KEY = LogonType
+REGEX = (.+)
+FORMAT = Logon_Type::$1
+
+[SubjectLogonId_as_Logon_ID]
+SOURCE_KEY = SubjectLogonId
+REGEX = (.+)
+FORMAT = Logon_ID::$1
+
+[SubjectDomainName_as_Caller_Domain]
+SOURCE_KEY = SubjectDomainName
+REGEX = (.+)
+FORMAT = Caller_Domain::$1
+
+[TargetDomainName_as_Target_Domain]
+SOURCE_KEY = TargetDomainName
+REGEX = (.+)
+FORMAT = Target_Domain::$1
+
+[SubjectUserName_as_Caller_User_Name]
+SOURCE_KEY = SubjectUserName
+REGEX = (.+)
+FORMAT = Caller_User_Name::$1
+
+[TargetUserName_as_Target_User_Name]
+SOURCE_KEY = TargetUserName
+REGEX = (.+)
+FORMAT = Target_User_Name::$1
+
+[SubStatus_as_Sub_Status]
+SOURCE_KEY = SubStatus
+REGEX = (.+)
+FORMAT = Sub_Status::$1
+
+[Workstation_as_Source_Workstation]
+SOURCE_KEY = Workstation
+REGEX = (.+)
+FORMAT = Source_Workstation::$1
+
+[WorkstationName_as_Source_Workstation]
+SOURCE_KEY = WorkstationName
+REGEX = (.+)
+FORMAT = Source_Workstation::$1
+
+[IpAddress_as_Source_Workstation]
+SOURCE_KEY = IpAddress
+REGEX = (.+)
+FORMAT = Source_Workstation::$1
+
+
+#Tag Expansion Regexs - ADDON10972
+[field_extract_wmi_localprocesses_anomalous]
+REGEX = IDProcess=(?<windows_id_process>\d+)\s*Name=(?<windows_app>.+)\s*PercentProcessorTime=(?<windows_cpu_load_percent>\d+)\s*PrivateBytes=(?<mem_used>\d+)
+
+[field_extract_wmi_freediskspace_anomalous]
+REGEX = FreeMegabytes=(?<windows_free_megabytes>\d+)\s*Name=(?<windows_name>\S+)\s*PercentFreeSpace=(?<windows_storage_free_percent>\d*)
+
+[field_extract_wmi_memory_anomalous]
+REGEX = AvailableBytes=(?<windows_available_bytes>\d+)\s*CommittedBytes=(?<windows_committed_bytes>\d+)\s*(?:PagesInputPersec=\d+(?:\.\d+)?\s*PagesOutputPersec=\d+(?:\.\d+)?)?\s*PagesPersec=(?<windows_pages_per_sec>\d+(?:\.\d+)?)\s*PercentCommittedBytesInUse=(?<windows_percent_committed>\d+(?:\.\d+)?)\s*PoolNonpagedBytes=(?<windows_pool_nonpaged_bytes>\d+)\s*PoolPagedBytes=(?<windows_pool_paged_bytes>\d+)
+
+[field_extract_wmi_service_state_anomalous]
+REGEX = Caption=(?<windows_caption>.+)\s*Description=(?<windows_description>.+)\s*Name=(?<windows_name>.+)\s*PathName=(?<windows_path_name>.*)\s*StartMode=(?<windows_start_mode>\S*)\s*StartName=(?<windows_start_name>.*)\s*State=(?<windows_state>\S*)\s*Status=(?<windows_status>\S+)
+
+[field_extract_wmi_uptime_anomalous]
+REGEX = SystemUpTime=(?<windows_uptime>\d+)
+
+[field_extract_wmi_cputime_anomalous]
+REGEX = PercentProcessorTime=(?<windows_percent_processor_time>\d+)\s*PercentUserTime=(?<windows_percent_user_time>\d+)
+
+[field_extract_wmi_useraccounts_caption_description_name]
+REGEX = Caption=(?<Caption>.+)\s*Description=(?<Description>.+)\s*Domain=.*Name=(?<Name>.+)\s*SID=
+
+[field_extract_wmi_service_caption_description_pathname]
+REGEX = Caption=(?<Caption>.+)\s*Description=(?<Description>.+)\s*Name=.*PathName=(?<PathName>.+)\sStartMode=
+
+[field_extract_wmi_localphysicaldisk_name]
+REGEX = Name=(?<Name>.+)\s*PercentDiskReadTime
+
+[group_fields_extraction]
+REGEX = Group:[\r\n]+(?:\s+Security\sID:\s*(?<Group_Security_ID>[^\r\n]*)[\r\n]*)?(?:\s+(Group|Account)\sName:\s*(?<Group_Name>[^\r\n]*)[\r\n]*)?(?:\s+(Group|Account)\sDomain:\s*(?<Group_Domain>[^\r\n]*)[\r\n]*)?
+
+[subject_fields_extraction]
+REGEX = Subject:[\r\n]+(?:\s+Security\sID:(?<Subject_Security_ID>[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?<Subject_Account_Name>[^\r\n]*)[\r\n]*)?(?:\s+Account\sDomain:(?<Subject_Account_Domain>[^\r\n]*)[\r\n]*)?(?:\s+Logon\sID:(?<Subject_Logon_ID>[^\r\n]*)[\r\n]*)?
+
+[target_fields_extraction]
+REGEX = Target\sAccount:[\r\n]+(?:\s+Security\sID:(?<Target_Security_ID>[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?<Target_Account_Name>[^\r\n]*)[\r\n]*)?(?:\s+Account\sDomain:(?<Target_Account_Domain>[^\r\n]*)[\r\n]*)?(?:\s+Old\sAccount\sName:(?<Target_Old_Account_Name>[^\r\n]*)[\r\n]*)?(?:\s+New\sAccount\sName:(?<Target_New_Account_Name>[^\r\n]*)[\r\n]*)?(?:\s+Logon\sID:(?<Target_Logon_ID>[^\r\n]*)[\r\n]*)?
+
+[new_account_fields_extraction]
+REGEX = New\sAccount:[\r\n]+(?:\s+Security\sID:(?<New_Account_Security_ID>[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?<New_Account_Account_Name>[^\r\n]*)[\r\n]*)?(?:\s+Account\sDomain:(?<New_Account_Domain>[^\r\n]*)[\r\n]*)?
+
+[member_fields_extraction]
+REGEX = Member:[\r\n]+(?:\s+Security\sID:(?<Member_Security_ID>[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?<Member_Account_Name>[^\r\n]*)[\r\n]*)?
+
+[account_locked_out_fields_extraction]
+REGEX = Account\sThat\sWas\sLocked\sOut:[\r\n]+(?:\s+Security\sID:(?<Account_Locked_Out_Security_ID>[^\r\n]*)[\r\n]*)?(?:\s+Account\sName:(?<Account_Locked_Out_Name>[^\r\n]*)[\r\n]*)?
+
+[task_fields_extraction]
+REGEX = Task\sContent:(?<TaskContent>[\w\W]*<\/Task>)
+
+[new_task_fields_extraction]
+REGEX = Task\sNew\sContent:(?<TaskNewContent>[\w\W]*<\/Task>)
+
+[field_extract_wmi_service_path]
+REGEX = PathName=[\"\']?([^=]*[\\][^\s:"'><|\/\\]+)
+FORMAT = service_path::$1
+
+[field_extract_wmi_service_exec]
+SOURCE_KEY = service_path
+REGEX = (?:.*[\\\/](.*))
+FORMAT = service_exec::$1
+
+## WinHostMon
+[System_Type_for_WinHostMon_computer]
+REGEX = ^System\sType="([^\r\n]+)"
+FORMAT = System_Type::$1
+
+[Processor_Id_for_WinHostMon_processor]
+REGEX = ^Processor\sId="([^\r\n]+)"
+FORMAT = Processor_Id::$1
+
+[Path_for_WinHostMon_service]
+REGEX = ^Path="([^\r\n]+)"
+FORMAT = Path::$1
+
+[service_exec_for_WinHostMon_service_path]
+REGEX = Path=[\"\']?([^=]*[\\][^\s:"'><|\/\\]+)
+FORMAT = service_path::$1
+
+[service_exec_for_WinHostMon_service_exec]
+SOURCE_KEY = service_path
+REGEX = (?:.*[\\\/](.*))
+FORMAT = service_exec::$1
+
+##Metric store transforms
+
+[value_for_perfmon_metrics_store]
+REGEX = Value=\"?([^\"\r\n]*[^\"\s])
+FORMAT = _value::$1
+WRITE_META = true
+
+[metric_name_for_perfmon_metrics_store]
+REGEX = counter=\"?([^\"\r\n]*[^\"\s])
+FORMAT = metric_name::$1
+WRITE_META = true
+
+[object_for_perfmon_metrics_store]
+REGEX = object=\"?([^\"\r\n]*[^\"\s])
+FORMAT = object::$1
+WRITE_META = true
+
+[instance_for_perfmon_metrics_store]
+REGEX = instance=\"?([^\"\r\n]*[^\"\s])
+FORMAT = instance::$1
+WRITE_META = true
+
+[collection_for_perfmon_metrics_store]
+REGEX = collection=\"?([^\"\r\n]*[^\"\s])
+FORMAT = collection::$1
+WRITE_META = true
+
+[value_for_wmi_uptime_metrics_store]
+REGEX = SystemUpTime=([^\s]+)
+FORMAT = _value::$1
+WRITE_META = true
+
+[metric_name_for_wmi_uptime_metrics_store]
+REGEX = wmi_type=([^\s]+)
+FORMAT = metric_name::$1
+WRITE_META = true
+
+
+###### Transforms moved from TA-AD ######
+
+[MSAD-Netlogon-Subnetaffinity]
+DEST_KEY=MetaData:Sourcetype
+REGEX=.*NO_CLIENT_SITE:.*
+FORMAT=sourcetype::MSAD:SubnetAffinity
+
+[MSAD-SiteInfo-AdjacentSites]
+REGEX=AdjacentSite="([^"]+)
+FORMAT=AdjacentSite::$1
+MV_ADD=True
+
+[MSAD-SiteInfo-SiteLinks]
+REGEX=SiteLink="([^"]+)
+FORMAT=SiteLink::$1
+MV_ADD=True
+
+[MSAD-SiteInfo-Sites]
+REGEX=Site="([^"]+)
+FORMAT=Site::$1
+MV_ADD=True
+
+[MSAD-SiteInfo-Subnets]
+REGEX=Subnet="([^"]+)
+FORMAT=Subnet::$1
+MV_ADD=True
+
+
+###### Transforms moved from TA-DNS ######
+
+[DNSHealth_ServerAddress_MV]
+REGEX = ServerAddress=\"?(?<ServerAddress>[^"]*)\"?
+MV_ADD = true
+
+[DNSHealth_ListenAddress_MV]
+REGEX = ListenAddress=\"?(?<ListenAddress>[^"]*)\"?
+MV_ADD = true
+
+[DNSHealth_Forwarder_MV]
+REGEX = Forwarder=\"?(?<Forwarder>[^"]*)\"?
+MV_ADD = true
+
+[DNSHealth_LogIPFilterList_MV]
+REGEX = LogIPFilterList=\"?(?<LogIPFilterList>[^"]*)\"?
+MV_ADD = true
+
+[KV_for_port]
+REGEX = (?:port)\s*(\d{1,5})
+FORMAT = src_port::$1
+
+[KV_for_Domain]
+REGEX = (\(\d\)*[\w+\(\d\)-]{1,})
+FORMAT = src_domain::$1
+
+[KV_for_microsoftdns_action]
+REGEX = \[[\d\w]{1,4}\s*[A-Z]*\s*[D|DR]*\s([^.]+)\]\s(?:\w*)
+FORMAT = vendor_dns_action::$1
+
+[KV_for_Record_type]
+REGEX = QTYPE\s+(\w+)\s+
+FORMAT = record_type::$1
+
+[KV_for_Record_Class]
+REGEX = QCLASS\s+(\w+)\s+
+FORMAT = record_class_number::$1
+
+[KV_for_Answer_Section_Count]
+REGEX = QCOUNT\s+(?<query_count>\d+)[\n\s]+ACOUNT\s+(?<answer_count>\d+)[\n\s]+NSCOUNT\s+(?<authority_answer_count>\d+)[\n\s]+ARCOUNT\s+(?<additional_answer_count>\d+)
+
+[KV_for_Update_Section_Count]
+REGEX = UPCOUNT\s+(?<answer_count>\d+)[\n\s]+ARCOUNT\s+(?<additional_answer_count>\d+)
+
+[Answer_multi_value]
+SOURCE_KEY = ANSWER_OR_UPDATE_SECTION
+REGEX = (?s)(?:Offset).*?DATA[ \t]*(?:\(\d+\))?(?<answer>[\S]*?)(?:\((\d+|none)\))?(?:\n|$)
+MV_ADD = true
+
+[windows_dns_query_type_lookup]
+filename = windows_dns_query_type_lookup.csv
+
+[windows_dns_action_lookup]
+filename = windows_dns_action_lookup.csv
+
+[dns_recordclass_lookup]
+filename = dns_recordclass_lookup.csv
+
+## Security-CIM Mappings
+
+[extract_parent_process_name]
+SOURCE_KEY = Creator_Process_Name
+REGEX = (?:.*\\)?(.*)
+FORMAT = parent_process_name::$1
+
+[extract_new_process_name]
+SOURCE_KEY = New_Process_Name
+REGEX = (?:.*\\)?(.*)
+FORMAT = new_process_name::$1
+
+[extract_target_process_name]
+SOURCE_KEY = Target_Process_Name
+REGEX = (?:.*\\)?(.*)
+FORMAT = target_process_name::$1
+
+[object_name_and_path_from_object_name]
+SOURCE_KEY = Object_Name
+REGEX = ^((?:.*[\\/]+)*([^-].*))$
+FORMAT = object_file_path::$1 object_file_name::$2
+
+[file_name_and_path_from_file_name]
+SOURCE_KEY = File_Name
+REGEX = ^((?:.*[\\/]+)*([^-].*))$
+FORMAT = file_path::$1 file_name::$2
+
+[file_name_and_path_from_file_path]
+SOURCE_KEY = File_Path
+REGEX = ^((?:.*[\\/]+)*([^-].*))$
+FORMAT = file_path::$1 file_name::$2
+
+[windows_endpoint_service_service_name_lookup]
+filename = windows_endpoint_service_service_name.csv
+
+[process_command_line_process_and_arguments]
+SOURCE_KEY = Process_Command_Line
+REGEX = (^\"[^\"]+\"|[^\s]+)\s*(.*)
+FORMAT = process_command_line_process::$1 process_command_line_arguments::$2
+
+[extract_parent_process_name_for_windows_xml]
+SOURCE_KEY = parent_process
+REGEX = (?:.*\\)?(.*)
+FORMAT = parent_process_name::$1
+
+[extract_new_process_name_for_windows_xml]
+SOURCE_KEY = new_process
+REGEX = (?:.*\\)?(.*)
+FORMAT = new_process_name::$1
+
+[extract_target_process_name_for_windows_xml]
+SOURCE_KEY = TargetProcessName
+REGEX = (?:.*\\)?(.*)
+FORMAT = target_process_name::$1
+
+[logfilecleared_xml_block]
+SOURCE_KEY = UserData_Xml
+REGEX = (?ms)<LogFileCleared(?:\s+[^>]+)?>(.*?)<\/LogFileCleared>
+FORMAT = LogFileCleared_Xml::$1
+
+[LogFileClearedData_from_user_data]
+SOURCE_KEY = LogFileCleared_Xml
+REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
+FORMAT = $1::$2
+
+[SubjectUserName_from_user_data]
+SOURCE_KEY = UserData_Xml
+REGEX = (?ms)<SubjectUserName(?:\s+[^>]+)?>(.*?)<\/SubjectUserName>
+FORMAT = Caller_User_Name::$1
+
+[object_file_name_and_path_from_ObjectName_for_xml]
+SOURCE_KEY = ObjectName
+REGEX = ^((?:.*[\\/]+)*([^-].*))$
+FORMAT = object_file_path::$1 object_file_name::$2
+
+[file_name_and_path_from_FileName_for_xml]
+SOURCE_KEY = FileName
+REGEX = ^((?:.*[\\/]+)*([^-].*))$
+FORMAT = file_path::$1 file_name::$2
+
+[file_name_and_path_from_KeyFilePath_for_xml]
+SOURCE_KEY = KeyFilePath
+REGEX = ^((?:.*[\\/]+)*([^-].*))$
+FORMAT = file_path::$1 file_name::$2
+
+[windows_endpoint_service_service_type_lookup]
+filename = windows_endpoint_service_service_type.csv
+
+[windows_endpoint_port_transport_lookup]
+filename = windows_endpoint_port_transport.csv
+
+[windows_wineventlog_change_object_fields_lookup]
+filename = windows_wineventlog_change_object_fields_860.csv
+
+[windows_wineventlog_change_action_lookup]
+filename = windows_wineventlog_change_action_860.csv
+
+[xmlsecurity_change_audit_and_account_management_lookup]
+filename = xmlsecurity_change_audit_and_account_management_860.csv
+
+[channel_from_user_data]
+SOURCE_KEY = UserData_Xml
+REGEX = <Channel>(.*?)<\/Channel>
+FORMAT = user_data_channel::$1
+
+[special_user_from_member_name]
+SOURCE_KEY = MemberName
+REGEX = (?:CN|cn)=(.*?),.*
+FORMAT = member_user_name::$1
diff --git a/deployment-apps/Splunk_TA_windows/default/wmi.conf b/deployment-apps/Splunk_TA_windows/default/wmi.conf
new file mode 100644
index 00000000..67ca1288
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/default/wmi.conf
@@ -0,0 +1,152 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+## DO NOT EDIT THIS FILE!
+## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
+## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
+## into ../local and edit there.
+##
+## This file contains possible attribute/value pairs for configuring WMI access FROM Splunk.
+##
+
+[settings]
+initial_backoff = 5
+max_backoff = 20
+max_retries_at_max_backoff = 0
+checkpoint_sync_interval = 2
+
+## Pull event logs FROM the local system
+## Usually disabled in favor of using WinEventLog inputs
+[WMI:LocalApplication]
+interval = 10
+event_log_file = Application
+disabled = 1
+
+[WMI:LocalSystem]
+interval = 10
+event_log_file = System
+disabled = 1
+
+[WMI:LocalSecurity]
+interval = 10
+event_log_file = Security
+disabled = 1
+
+
+## Gather performance data FROM the local system
+
+## Computer System
+[WMI:ComputerSystem]
+disabled = 1
+## Run once per day
+interval = 86400
+wql = SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
+
+
+## CPU
+## Usually disabled in favor of Perfmon counters
+[WMI:CPUTime]
+interval = 3
+wql = SELECT PercentProcessorTime,PercentUserTime,Name FROM Win32_PerfFormattedData_PerfOS_Processor
+disabled = 1
+
+
+## Disk
+
+## Usually disabled in favor of Perfmon counters
+[WMI:FreeDiskSpace]
+interval = 120
+wql = SELECT Name,FreeMegabytes,PercentFreeSpace FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
+disabled = 1
+
+[WMI:LogicalDisk]
+interval = 120
+wql = SELECT Name,AvgDisksecPerRead,AvgDisksecPerWrite,AvgDisksecPerTransfer,DiskReadsPersec,DiskWritesPersec FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
+disabled = 1
+
+[WMI:LocalPhysicalDisk]
+interval = 10
+wql = SELECT Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk
+disabled = 1
+
+
+## Memory
+## Usually disabled in favor of Perfmon counters
+[WMI:Memory]
+interval = 5
+wql = SELECT PagesPerSec, PagesInputPerSec, PagesOutputPerSec, AvailableBytes, CommittedBytes, PercentCommittedBytesInUse, PoolPagedBytes, PoolNonpagedBytes FROM Win32_PerfFormattedData_PerfOS_Memory
+disabled = 1
+
+
+## Network
+## Usuall disabled in favor of Perfmon counters
+[WMI:LocalNetwork]
+interval = 10
+wql = SELECT Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth FROM Win32_PerfFormattedData_Tcpip_NetworkInterface
+disabled = 1
+
+
+## Processes
+[WMI:LocalProcesses]
+interval = 30
+wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
+disabled = 1
+
+
+## Scheduled Jobs
+
+## Use the Win32_ScheduledJob  class. Note that this class can only return jobs that are created using either a script or AT.exe.
+## It cannot return information about jobs that are either created by or modified by the Scheduled Task wizard.
+[WMI:ScheduledJobs]
+disabled = 1
+## Run twice per day
+interval = 43200
+wql = SELECT Caption, Command, Description, InstallDate, InteractWithDesktop, JobId, JobStatus, Name, Notify, Priority, RunRepeatedly, Status FROM Win32_ScheduledJob
+
+## Services
+
+## http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx
+## Lists all services registered on the system,if they are running,and the status
+[WMI:Service]
+disabled = 1
+## Run once an hour
+interval = 3600
+wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
+
+
+## Update
+[WMI:InstalledUpdates]
+disabled = 1
+## Run once per day
+interval = 86400
+wql = SELECT Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect FROM Win32_QuickFixEngineering
+
+
+## Uptime
+[WMI:Uptime]
+disabled = 1
+## Run once per day
+interval = 86400
+wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System
+
+
+## User Accounts
+[WMI:UserAccounts]
+disabled = 1
+## Run twice per day
+interval = 43200
+wql = SELECT Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType, Status FROM Win32_Account WHERE LocalAccount = true
+
+## Deprecated: The SIDs for local accounts can be retrieved by enabling the WMI:UserAccounts stanza
+## disabled = 1
+## Run twice per day
+## interval = 43200
+## wql = SELECT * FROM Win32_AccountSID
+
+
+## Version
+[WMI:Version]
+disabled = 1
+## Run once per day
+interval = 86400
+wql = SELECT Caption, ServicePackMajorVersion, ServicePackMinorVersion, Version FROM Win32_OperatingSystem
diff --git a/deployment-apps/Splunk_TA_windows/default/workflow_actions.conf b/deployment-apps/Splunk_TA_windows/default/workflow_actions.conf
new file mode 100644
index 00000000..8c188a54
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/default/workflow_actions.conf
@@ -0,0 +1,50 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+## DO NOT EDIT THIS FILE!
+## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
+## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
+## into ../local and edit there.
+##
+
+###### EventID.net ######
+[windows_eventidnet_winapp]
+display_location = both
+eventtypes = winapp
+fields = SourceName, EventCode, signature_id
+label = EventId Encyclopedia
+link.method = get
+link.target = blank
+link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$
+type = link
+
+[windows_eventidnet_winsec]
+display_location = both
+eventtypes = winsec
+fields = SourceName, EventCode, signature_id
+label = EventId Encyclopedia
+link.method = get
+link.target = blank
+link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$
+type = link
+
+[windows_eventidnet_winsystem]
+display_location = both
+eventtypes = winsystem
+fields = SourceName, EventCode, signature_id
+label = EventId Encyclopedia
+link.method = get
+link.target = blank
+link.uri = https://www.eventid.net/display.asp?eventid=$signature_id$&source=$SourceName$
+type = link
+
+###### Ultimate Windows Security ######
+[windows_ultimatewinsec]
+display_location = both
+eventtypes = winsec
+fields = EventCode, signature_id
+label = Winsec Encyclopedia
+link.method = get
+link.target = blank
+link.uri = https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=$signature_id$
+type = link
diff --git a/deployment-apps/Splunk_TA_windows/local/inputs.conf b/deployment-apps/Splunk_TA_windows/local/inputs.conf
new file mode 100644
index 00000000..8766b4eb
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/local/inputs.conf
@@ -0,0 +1,29 @@
+[WinEventLog://Security]
+disabled = 0
+evt_resolve_ad_obj = 1
+checkpointInterval = 5
+blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
+blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
+blacklist3 = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"
+index = oswinsec
+
+[WinEventLog://Application]
+disabled = 0
+checkpointInterval = 5
+index = oswin
+
+[WinEventLog://System]
+disabled = 0
+checkpointInterval = 5
+index = oswin
+
+[monitor://$WINDIR\WindowsUpdate.log]
+disabled = 0
+sourcetype = WindowsUpdateLog
+index = oswinsec
+
+[WinHostMon://Service]
+interval = 3600
+disabled = 0
+type = Service
+index = oswinscript
diff --git a/deployment-apps/Splunk_TA_windows/lookups/dns_recordclass_lookup.csv b/deployment-apps/Splunk_TA_windows/lookups/dns_recordclass_lookup.csv
new file mode 100644
index 00000000..51cef159
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/dns_recordclass_lookup.csv
@@ -0,0 +1,8 @@
+record_class_number,record_class
+0,reserved
+1,internet(IN)
+2,unassigned
+3,chaos (CH)
+4,hesiod (HS)
+255,* (any)
+65535,reserved
diff --git a/deployment-apps/Splunk_TA_windows/lookups/msad_group_type.csv b/deployment-apps/Splunk_TA_windows/lookups/msad_group_type.csv
new file mode 100644
index 00000000..6664a257
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/msad_group_type.csv
@@ -0,0 +1,5 @@
+MSADGroupClassID,MSADGroupClass
+Enabled,Security
+Disabled,Distribution
+enabled,Security
+disabled,Distribution
diff --git a/deployment-apps/Splunk_TA_windows/lookups/msdhcp_signatures.csv b/deployment-apps/Splunk_TA_windows/lookups/msdhcp_signatures.csv
new file mode 100644
index 00000000..81d57204
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/msdhcp_signatures.csv
@@ -0,0 +1,80 @@
+msdhcp_id,signature
+00,"The log was started"
+01,"The log was stopped"
+02,"The log was temporarily paused due to low disk space"
+0,"The log was started"
+1,"The log was stopped"
+2,"The log was temporarily paused due to low disk space"
+10,"A new IP address was leased to a client"
+11,"A lease was renewed by a client"
+12,"A lease was released by a client"
+13,"An IP address was found to be in use on the network"
+14,"A lease request could not be satisfied because the scope's address pool was exhausted"
+15,"A lease was denied"
+16,"A lease was deleted"
+17,"A lease was expired and DNS records for an expired leases have not been deleted"
+18,"A lease was expired and DNS records were deleted"
+20,"A BOOTP address was leased to a client"
+21,"A dynamic BOOTP address was leased to a client"
+22,"A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted"
+23,"A BOOTP IP address was deleted after checking to see that it was not in use"
+24,"IP address cleanup operation has began"
+25,"IP address cleanup statistics"
+30,"DNS dynamic update request"
+31,"DNS dynamic update failed"
+32,"DNS dynamic update successful"
+33,"Packet dropped due to NAP policy"
+34,"DNS update request failed.as the DNS update request queue limit exceeded"
+35,"DNS update request failed"
+36,"Packet dropped because the server is in failover standby role or the hash of the client ID does not match"
+50,"Rogue Server Detection"
+51,"Rogue Server Detection"
+52,"Rogue Server Detection"
+53,"Rogue Server Detection"
+54,"Rogue Server Detection"
+55,"Rogue Server Detection"
+56,"Rogue Server Detection"
+57,"Rogue Server Detection"
+58,"Rogue Server Detection"
+59,"Rogue Server Detection"
+60,"Rogue Server Detection"
+61,"Rogue Server Detection"
+62,"Rogue Server Detection"
+63,"Rogue Server Detection"
+64,"Rogue Server Detection"
+65,"Rogue Server Detection"
+66,"Rogue Server Detection"
+67,"Rogue Server Detection"
+68,"Rogue Server Detection"
+69,"Rogue Server Detection"
+70,"Rogue Server Detection"
+71,"Rogue Server Detection"
+72,"Rogue Server Detection"
+73,"Rogue Server Detection"
+74,"Rogue Server Detection"
+75,"Rogue Server Detection"
+76,"Rogue Server Detection"
+77,"Rogue Server Detection"
+78,"Rogue Server Detection"
+79,"Rogue Server Detection"
+80,"Rogue Server Detection"
+81,"Rogue Server Detection"
+82,"Rogue Server Detection"
+83,"Rogue Server Detection"
+84,"Rogue Server Detection"
+85,"Rogue Server Detection"
+86,"Rogue Server Detection"
+87,"Rogue Server Detection"
+88,"Rogue Server Detection"
+89,"Rogue Server Detection"
+90,"Rogue Server Detection"
+91,"Rogue Server Detection"
+92,"Rogue Server Detection"
+93,"Rogue Server Detection"
+94,"Rogue Server Detection"
+95,"Rogue Server Detection"
+96,"Rogue Server Detection"
+97,"Rogue Server Detection"
+98,"Rogue Server Detection"
+99,"Rogue Server Detection"
+100,"Rogue Server Detection"
diff --git a/deployment-apps/Splunk_TA_windows/lookups/object_category_850.csv b/deployment-apps/Splunk_TA_windows/lookups/object_category_850.csv
new file mode 100644
index 00000000..374f1a13
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/object_category_850.csv
@@ -0,0 +1,2 @@
+object,object_category
+WinRegistry,registry
diff --git a/deployment-apps/Splunk_TA_windows/lookups/status_850.csv b/deployment-apps/Splunk_TA_windows/lookups/status_850.csv
new file mode 100644
index 00000000..d0ce349f
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/status_850.csv
@@ -0,0 +1,2 @@
+vendor_status,status
+0,success
diff --git a/deployment-apps/Splunk_TA_windows/lookups/user_types.csv b/deployment-apps/Splunk_TA_windows/lookups/user_types.csv
new file mode 100644
index 00000000..7bcd4575
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/user_types.csv
@@ -0,0 +1,2 @@
+sourcetype,user_type
+WinRegistry,process
diff --git a/deployment-apps/Splunk_TA_windows/lookups/vendor_actions.csv b/deployment-apps/Splunk_TA_windows/lookups/vendor_actions.csv
new file mode 100644
index 00000000..161cfb93
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/vendor_actions.csv
@@ -0,0 +1,11 @@
+vendor_action,action
+CreateKey,created
+SetValue,modified
+DeleteKey,deleted
+RenameKey,modified
+add,created
+delete,deleted
+update,modified
+created,created
+deleted,deleted
+modified,modified
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_actions.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_actions.csv
new file mode 100644
index 00000000..c34ff1bd
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_actions.csv
@@ -0,0 +1,18 @@
+Type,action
+"audit failure",failure
+"Audit Failure",failure
+"AUDIT_FAILURE",failure
+"failure audit",failure
+"Failure Audit",failure
+"FAILURE_AUDIT",failure
+"audit success",success
+"Audit Success",success
+"AUDIT_SUCCESS",success
+"success audit",success
+"Success Audit",success
+"SUCCESS_AUDIT",success
+"success","success"
+"failure","failure"
+"0x8010000000000000","failure"
+"0x8020000000000000","success"
+"0x4020000000000000","success"
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_apps.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_apps.csv
new file mode 100644
index 00000000..d14fcff3
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_apps.csv
@@ -0,0 +1,21 @@
+EventCode,Source_Network_Address,Target_Server_Name,Logon_Type,source,app
+552,,,,,win:remote
+4648,,,,,win:remote
+,127.0.0.1,,,,win:local
+,::1,,,,win:local
+,,localhost,,,win:local
+,,,0,,win:unknown
+,,,1,,win:unknown
+,,,2,,win:local
+,,,3,,win:remote
+,,,4,,win:local
+,,,5,,win:local
+,,,6,,win:local
+,,,7,,win:local
+,,,8,,win:remote
+,,,9,,win:local
+,,,10,,win:remote
+,,,11,,win:local
+,,,,WinEventLog:Security,win:unknown
+,,,,XmlWinEventLog:Security,win:unknown
+,,,,WMI:WinEventLog:Security,win:unknown
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_audit_changes_860.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_audit_changes_860.csv
new file mode 100644
index 00000000..530d77cd
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_audit_changes_860.csv
@@ -0,0 +1,65 @@
+EventCode,action,change_type,object_category
+517,cleared,audit,audit
+1100,stopped,audit,audit
+1102,cleared,audit,audit log
+4720,created,AAA,user
+4741,created,user,user
+624,created,user,user
+645,created,user,user
+4722,modified,AAA,user
+626,modified,user,user
+4723,modified,AAA,user
+627,modified,user,user
+4724,modified,AAA,user
+628,modified,user,user
+4725,modified,AAA,user
+629,modified,user,user
+4726,deleted,AAA,user
+4743,deleted,user,user
+630,deleted,user,user
+647,deleted,user,user
+4738,modified,AAA,user
+4742,modified,user,user
+642,modified,user,user
+646,modified,user,user
+4740,lockout,AAA,user
+644,modified,user,user
+625,modified,user,user
+671,modified,user,user
+4767,modified,AAA,user
+1101,success,audit,audit
+1108,success,audit,audit
+4719,modified,audit,audit policy
+4717,,AAA,security access
+4718,,AAA,security access
+4727,,AAA,group
+4728,,AAA,user
+4729,,AAA,user
+4730,,AAA,group
+4731,,AAA,group
+4732,modified,AAA,user
+4733,,AAA,user
+4734,,AAA,group
+4735,,AAA,group
+4737,,AAA,group
+4739,,AAA,global group
+4750,,AAA,global group
+4753,,AAA,global group
+4754,,AAA,group
+4755,,AAA,group
+4756,,AAA,user
+4757,,AAA,user
+4758,,AAA,group
+4764,,AAA,group
+4799,,AAA,group
+4781,modified,AAA,user
+4703,modified,AAA,user
+4704,modified,AAA,user
+4705,modified,AAA,user
+4800,locked,AAA,user
+4801,unlocked,AAA,user
+4634,logoff,AAA,user
+4698,created,scheduled task,scheduled task
+4700,started,scheduled task,scheduled task
+4701,stopped,scheduled task,scheduled task
+4702,modified,scheduled task,scheduled task
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_dns_action_lookup.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_dns_action_lookup.csv
new file mode 100644
index 00000000..56cbe32d
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_dns_action_lookup.csv
@@ -0,0 +1,43 @@
+message_type,vendor_dns_action,action,reply_code,reply_code_id
+Response,NOERROR,success,No Error,0
+Response,FORMERR,failure,Format Error,1
+Response,SERVFAIL,failure,Server Failure,2
+Response,NXDOMAIN,failure,Non-Existent Domain,3
+Response,NOTIMPL,failure,NotImp,4
+Response,REFUSED,failure,Refused,5
+Response,YXDOMAIN,failure,YXDomain,6
+Response,YXRRSET,failure,YXRRSet,7
+Response,NXRRSET,failure,NXRRSer,8
+Response,NOTAUTH,failure,NotAuth,9
+Response,NOTZONE,failure,NotZone,10
+Response,DSOTYPENI,failure,DSOTYPENI,11
+Response,BADVERS,failure,BADVERS,16
+Response,BADSIG,failure,BADSIG,16
+Response,BADKEY,failure,BADKEY,17
+Response,BADTIME,failure,BADTIME,18
+Response,BADMODE,failure,BADMODE,19
+Response,BADNAME,failure,BADNAME,20
+Response,BADALG,failure,BADALG,21
+Response,BADTRUNC,failure,BADTRUNC,22
+Response,BADCOOKIE,failure,BADCOOKIE,23
+Query,NOERROR,success,,
+Query,FORMERR,failure,,
+Query,SERVFAIL,failure,,
+Query,NXDOMAIN,failure,,
+Query,NOTIMPL,failure,,
+Query,REFUSED,failure,,
+Query,YXDOMAIN,failure,,
+Query,YXRRSET,failure,,
+Query,NXRRSET,failure,,
+Query,NOTAUTH,failure,,
+Query,NOTZONE,failure,,
+Query,DSOTYPENI,failure,,
+Query,BADVERS,failure,,
+Query,BADSIG,failure,,
+Query,BADKEY,failure,,
+Query,BADTIME,failure,,
+Query,BADMODE,failure,,
+Query,BADNAME,failure,,
+Query,BADALG,failure,,
+Query,BADTRUNC,failure,,
+Query,BADCOOKIE,failure,,
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_dns_query_type_lookup.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_dns_query_type_lookup.csv
new file mode 100644
index 00000000..18116cd0
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_dns_query_type_lookup.csv
@@ -0,0 +1,4 @@
+opcode,query_type
+Q,Query
+N,Notify
+U,Update
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_port_transport.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_port_transport.csv
new file mode 100644
index 00000000..0723ba87
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_port_transport.csv
@@ -0,0 +1,3 @@
+Protocol,transport
+6,TCP
+17,UDP
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_name.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_name.csv
new file mode 100644
index 00000000..c57da945
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_name.csv
@@ -0,0 +1,9 @@
+EventCode,service,service_name
+5024,Firewall,Firewall
+5025,Firewall,Firewall
+5030,Firewall,Firewall
+5033,Firewall Driver,Firewall Driver
+5034,Firewall Driver,Firewall Driver
+5035,Firewall Driver,Firewall Driver
+5478,IPsec Policy Agent service,IPsec Policy Agent service
+1100,Event Logging Service,Event Logging Service
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_type.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_type.csv
new file mode 100644
index 00000000..8e777f47
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_endpoint_service_service_type.csv
@@ -0,0 +1,6 @@
+Service_Start_Type,start_mode
+0,auto
+1,auto
+2,auto
+3,manual
+4,disabled
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_eventtypes.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_eventtypes.csv
new file mode 100644
index 00000000..8775f160
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_eventtypes.csv
@@ -0,0 +1,7 @@
+EventType,Description
+0,Information
+1,Error
+2,Warning
+4,Information
+8,Success Audit
+16,Failure Audit
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_privileges.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_privileges.csv
new file mode 100644
index 00000000..67c23178
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_privileges.csv
@@ -0,0 +1,29 @@
+privilege_id,privilege
+SeAssignPrimaryTokenPrivilege,"Replace a process level token"
+SeAuditPrivilege,"Generate security audits"
+SeBackupPrivilege,"Back up files and directories"
+SeChangeNotifyPrivilege,"Bypass traverse checking"
+SeCreatePagefilePrivilege,"Create a pagefile"
+SeCreatePermanentPrivilege,"Create permanent shared objects"
+SeCreateTokenPrivilege,"Create a token object"
+SeDebugPrivilege,"Debug programs"
+SeEnableDelegationPrivilege,"Enable computer and user accounts to be trusted for delegation"
+SeImpersonatePrivilege,"Impersonate a Client After Authentication"
+SeIncreaseBasePriorityPrivilege,"Increase scheduling priority"
+SeIncreaseQuotaPrivilege,"Adjust memory quotas for a process"
+SeLoadDriverPrivilege,"Load and unload device drivers"
+SeLockMemoryPrivilege,"Lock pages in memory"
+SeMachineAccountPrivilege,"Add workstations to domain"
+SeManageVolumePrivilege,"Perform volume maintenance tasks"
+SeProfileSingleProcessPrivilege,"Profile single process"
+SeRemoteShutdownPrivilege,"Force shutdown from a remote system"
+SeRestorePrivilege,"Restore files and directories"
+SeSecurityPrivilege,"Manage auditing and security log"
+SeShutdownPrivilege,"Shut down the system"
+SeSyncAgentPrivilege,"Synchronize directory service data"
+SeSystemEnvironmentPrivilege,"Modify firmware environment values"
+SeSystemProfilePrivilege,"Profile system performance"
+SeSystemtimePrivilege,"Change the system time"
+SeTakeOwnershipPrivilege,"Take ownership of files or other objects"
+SeTcbPrivilege,"Act as part of the operating system"
+SeUndockPrivilege,"Remove computer from docking station"
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_severities.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_severities.csv
new file mode 100644
index 00000000..1dbb5db4
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_severities.csv
@@ -0,0 +1,7 @@
+Type,EventCode,severity
+Error,,high
+Warning,,medium
+Information,,informational
+Success Audit,,informational
+Failure Audit,,medium
+,4739,high
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_signatures_860.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_signatures_860.csv
new file mode 100644
index 00000000..13361a40
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_signatures_860.csv
@@ -0,0 +1,540 @@
+signature_id,signature,CategoryString,action,result
+512,"Windows NT is starting up",,,
+513,"Windows is shutting down",,,
+514,"An authentication package has been loaded by the Local Security Authority",,,
+515,"A trusted logon process has registered with the Local Security Authority",,,
+516,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits",,,
+517,"The audit log was cleared",,,
+518,"A notification package has been loaded by the Security Account Manager",,,
+519,"A process is using an invalid local procedure call (LPC) port",,,
+520,"The system time was changed",,,
+528,"Successful Logon",,,
+529,"Unknown user name or bad password",,,
+530,"Account logon time restriction violation",,,
+531,"Account currently disabled",,,
+532,"The specified user account has expired",,,
+533,"User not allowed to logon at this computer",,,
+534,"The user has not been granted the requested logon type at this machine",,,
+535,"The specified account's password has expired",,,
+536,"The NetLogon component is not active",,,
+537,"The logon attempt failed for other reasons.",,,
+538,"User Logoff",,,
+539,"Logon Failure - Account locked out",,,
+540,"Successful Network Logon",,,
+551,"User initiated logoff",,,
+552,"Logon attempt using explicit credentials",,,
+560,"Object Open",,,
+561,"Handle Allocated",,,
+562,"Handle Closed",,,
+563,"Object Open for Delete",,,
+564,"Object Deleted",,,
+565,"Object Open (Active Directory)",,,
+566,"Object Operation (W3 Active Directory)",,,
+567,"Object Access Attempt",,,
+576,"Special privileges assigned to new logon",,,
+577,"Privileged Service Called",,,
+578,"Privileged object operation",,,
+592,"A new process has been created",,,
+593,"A process has exited",,,
+594,"A handle to an object has been duplicated",,,
+595,"Indirect access to an object has been obtained",,,
+600,"A process was assigned a primary token",,,
+601,"Attempt to install service",,,
+602,"Scheduled Task created",,,
+608,"User Right Assigned",,,
+609,"User Right Removed",,,
+610,"New Trusted Domain",,,
+611,"Removing Trusted Domain",,,
+612,"Audit Policy Change",,,
+613,"IPSec policy agent started",,,
+614,"IPSec policy agent disabled",,,
+615,"IPSEC PolicyAgent Service",,,
+616,"IPSec policy agent encountered a potentially serious failure.",,,
+617,"Kerberos Policy Changed",,,
+618,"Encrypted Data Recovery Policy Changed",,,
+619,"Quality of Service Policy Changed",,,
+620,"Trusted Domain Information Modified",,,
+621,"System Security Access Granted",,,
+622,"System Security Access Removed",,,
+623,"Per User Audit Policy was refreshed",,,
+624,"User Account Created",Account Management,created,
+625,"User Account Type Changed",,,
+626,"User Account Enabled",Account Management,,
+627,"Change Password Attempt",Account Management,,
+628,"User Account password set",Account Management,modified,
+629,"User Account Disabled",Account Management,,
+630,"User Account Deleted",Account Management,deleted,
+631,"Security Enabled Global Group Created",Account Management,,
+632,"Security Enabled Global Group Member Added",Account Management,,
+633,"Security Enabled Global Group Member Removed",Account Management,,
+634,"Security Enabled Global Group Deleted",Account Management,,
+635,"Security Enabled Local Group Created",Account Management,,
+636,"Security Enabled Local Group Member Added",Account Management,,
+637,"Security Enabled Local Group Member Removed",Account Management,,
+638,"Security Enabled Local Group Deleted",Account Management,,
+639,"Security Enabled Local Group Changed",Account Management,,
+640,"General Account Database Change",Account Management,,
+641,"Security Enabled Global Group Changed",Account Management,,
+642,"User Account Changed",Account Management,modified,
+643,"Domain Policy Changed",Account Management,,
+644,"User Account Locked Out",Account Management,modified,lockout
+645,"Computer Account Created",Account Management,,
+646,"Computer Account Changed",Account Management,,
+647,"Computer Account Deleted",Account Management,,
+648,"Security Disabled Local Group Created",Account Management,,
+649,"Security Disabled Local Group Changed",Account Management,,
+650,"Security Disabled Local Group Member Added",Account Management,,
+651,"Security Disabled Local Group Member Removed",Account Management,,
+652,"Security Disabled Local Group Deleted",Account Management,,
+653,"Security Disabled Global Group Created",Account Management,,
+654,"Security Disabled Global Group Changed",Account Management,,
+655,"Security Disabled Global Group Member Added",Account Management,,
+656,"Security Disabled Global Group Member Removed",Account Management,,
+657,"Security Disabled Global Group Deleted",Account Management,,
+658,"Security Enabled Universal Group Created",Account Management,,
+659,"Security Enabled Universal Group Changed",Account Management,,
+660,"Security Enabled Universal Group Member Added",Account Management,,
+661,"Security Enabled Universal Group Member Removed",Account Management,,
+662,"Security Enabled Universal Group Deleted",Account Management,,
+663,"Security Disabled Universal Group Created",Account Management,,
+664,"Security Disabled Universal Group Changed",Account Management,,
+665,"Security Disabled Universal Group Member Added",Account Management,,
+666,"Security Disabled Universal Group Member Removed",Account Management,,
+667,"Security Disabled Universal Group Deleted",Account Management,,
+668,"Group Type Changed",Account Management,,
+669,"Add SID History",Account Management,,
+670,"Add SID History",Account Management,,
+671,"User Account Unlocked",Account Management,,
+672,"Authentication Ticket Granted",,,
+673,"Service Ticket Granted",,,
+674,"Ticket Granted Renewed",,,
+675,"Pre-authentication failed",,,
+676,"Authentication Ticket Request Failed",,,
+677,"Service Ticket Request Failed",,,
+678,"Account Mapped for Logon by",,,
+679,"The name: %2 could not be mapped for logon by: %1",,,
+680,"Account Used for Logon by",,,
+681,"The logon to account: %2 by: %1 from workstation: %3 failed.",,,
+682,"Session reconnected to winstation",,,
+683,"Session disconnected from winstation",,,
+684,"Set ACLs of members in administrators groups",Account Management,,
+685,"Account Name Changed",Account Management,,
+686,"Password of the following user accessed",Account Management,,
+687,"Basic Application Group Created",Account Management,,
+688,"Basic Application Group Changed",Account Management,,
+689,"Basic Application Group Member Added",Account Management,,
+690,"Basic Application Group Member Removed",Account Management,,
+691,"Basic Application Group Non-Member Added",Account Management,,
+692,"Basic Application Group Non-Member Removed",Account Management,,
+693,"Basic Application Group Deleted",Account Management,,
+694,"LDAP Query Group Created",Account Management,,
+695,"LDAP Query Group Changed",Account Management,,
+696,"LDAP Query Group Deleted",Account Management,,
+697,"Password Policy Checking API is called",API Calls,,
+806,"Per User Audit Policy was refreshed",,,
+807,"Per user auditing policy set for user",,,
+808,"A security event source has attempted to register",,,
+809,"A security event source has attempted to unregister",,,
+848,"The following policy was active when the Windows Firewall started",,,
+849,"An application was listed as an exception when the Windows Firewall started",,,
+850,"A port was listed as an exception when the Windows Firewall started",,,
+852,"A change has been made to the Windows Firewall port exception list",,,
+861,"The Windows Firewall has detected an application listening for incoming traffic",,,
+1100,"The event logging service has shut down",,,
+1101,"Audit events have been dropped by the transport.",,,
+1102,"The audit log was cleared",,,
+1104,"The security Log is now full",,,
+1105,"Event log automatic backup",,,
+1108,"The event logging service encountered an error",,,
+4500,"Metabase Add Key",,,
+4501,"Metabase Delete Key",,,
+4502,"Metabase Delete Chid Keys",,,
+4503,"Metabase Copy Key",,,
+4504,"Metabase Rename Key",,,
+4505,"Metabase Set Data",,,
+4506,"Metabase Delete Data",,,
+4507,"Metabase Delete All Data",,,
+4508,"Metabase Copy Data",,,
+4509,"Metabase Set Last Change Time",,,
+4510,"Metabase Restore",,,
+4511,"Metabase Delete Backup",,,
+4512,"Metabase Import",,,
+4608,"Windows is starting up",,,
+4609,"Windows is shutting down",,,
+4610,"An authentication package has been loaded by the Local Security Authority",,,
+4611,"A trusted logon process has been registered with the Local Security Authority",,,
+4612,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.",,,
+4614,"A notification package has been loaded by the Security Account Manager.",,,
+4615,"Invalid use of LPC port",,,
+4616,"The system time was changed.",,,
+4618,"A monitored security event pattern has occurred",,,
+4621,"Administrator recovered system from CrashOnAuditFail",,,
+4622,"A security package has been loaded by the Local Security Authority.",,,
+4624,"An account was successfully logged on",,,
+4625,"An account failed to log on",,,
+4634,"An account was logged off",,,
+4646,"%1",,,
+4647,"User initiated logoff",,,
+4648,"A logon was attempted using explicit credentials",,,
+4649,"A replay attack was detected",,,
+4650,"An IPsec Main Mode security association was established",,,
+4651,"An IPsec Main Mode security association was established",,,
+4652,"An IPsec Main Mode negotiation failed",,,
+4653,"An IPsec Main Mode negotiation failed",,,
+4654,"An IPsec Quick Mode negotiation failed",,,
+4655,"An IPsec Main Mode security association ended",,,
+4656,"A handle to an object was requested",,,
+4657,"A registry value was modified",,,
+4658,"The handle to an object was closed",,,
+4659,"A handle to an object was requested with intent to delete",,,
+4660,"An object was deleted",,,
+4661,"A handle to an object was requested",,,
+4662,"An operation was performed on an object",,,
+4663,"An attempt was made to access an object",,,
+4664,"An attempt was made to create a hard link",,,
+4665,"An attempt was made to create an application client context.",,,
+4666,"An application attempted an operation",,,
+4667,"An application client context was deleted",,,
+4668,"An application was initialized",,,
+4670,"Permissions on an object were changed",,,
+4671,"An application attempted to access a blocked ordinal through the TBS",,,
+4672,"Special privileges assigned to new logon",,,
+4673,"A privileged service was called",,,
+4674,"An operation was attempted on a privileged object",,,
+4675,"SIDs were filtered",,,
+4685,"The state of a transaction has changed",,,
+4688,"A new process has been created",,,
+4689,"A process has exited",,,
+4690,"An attempt was made to duplicate a handle to an object",,,
+4691,"Indirect access to an object was requested",,,
+4692,"Backup of data protection master key was attempted",,,
+4693,"Recovery of data protection master key was attempted",,,
+4694,"Protection of auditable protected data was attempted",,,
+4695,"Unprotection of auditable protected data was attempted",,,
+4696,"A primary token was assigned to process",,,
+4697,"A service was installed in the system",,,
+4698,"A scheduled task was created",,,
+4699,"A scheduled task was deleted",,,
+4700,"A scheduled task was enabled",,,
+4701,"A scheduled task was disabled",,,
+4702,"A scheduled task was updated",,,
+4704,"A user right was assigned",,,
+4705,"A user right was removed",,,
+4706,"A new trust was created to a domain",,,
+4707,"A trust to a domain was removed",,,
+4709,"IPsec Services was started",,,
+4710,"IPsec Services was disabled",,,
+4711,"PAStore Engine (1%)",,,
+4712,"IPsec Services encountered a potentially serious failure",,,
+4713,"Kerberos policy was changed",,,
+4714,"Encrypted data recovery policy was changed",,,
+4715,"The audit policy (SACL) on an object was changed",,,
+4716,"Trusted domain information was modified",,,
+4717,"System security access was granted to an account",,,
+4718,"System security access was removed from an account",,,
+4719,"System audit policy was changed",,,
+4720,"A user account was created",Account Management,,
+4722,"A user account was enabled",Account Management,,
+4723,"An attempt was made to change an account's password",Account Management,,
+4724,"An attempt was made to reset an accounts password",Account Management,,
+4725,"A user account was disabled",Account Management,,
+4726,"A user account was deleted",Account Management,,
+4727,"A security-enabled global group was created",Account Management,,
+4728,"A member was added to a security-enabled global group",Account Management,,
+4729,"A member was removed from a security-enabled global group",Account Management,,
+4730,"A security-enabled global group was deleted",Account Management,,
+4731,"A security-enabled local group was created",Account Management,,
+4732,"A member was added to a security-enabled local group",Account Management,,
+4733,"A member was removed from a security-enabled local group",Account Management,,
+4734,"A security-enabled local group was deleted",Account Management,,
+4735,"A security-enabled local group was changed",Account Management,,
+4737,"A security-enabled global group was changed",Account Management,,
+4738,"A user account was changed",Account Management,,
+4739,"Domain Policy was changed",Account Management,,
+4740,"A user account was locked out",Account Management,,
+4741,"A computer account was created",Account Management,,
+4742,"A computer account was changed",Account Management,,
+4743,"A computer account was deleted",Account Management,,
+4744,"A security-disabled local group was created",Account Management,,
+4745,"A security-disabled local group was changed",Account Management,,
+4746,"A member was added to a security-disabled local group",Account Management,,
+4747,"A member was removed from a security-disabled local group",Account Management,,
+4748,"A security-disabled local group was deleted",Account Management,,
+4749,"A security-disabled global group was created",Account Management,,
+4750,"A security-disabled global group was changed",Account Management,,
+4751,"A member was added to a security-disabled global group",Account Management,,
+4752,"A member was removed from a security-disabled global group",Account Management,,
+4753,"A security-disabled global group was deleted",Account Management,,
+4754,"A security-enabled universal group was created",Account Management,,
+4755,"A security-enabled universal group was changed",Account Management,,
+4756,"A member was added to a security-enabled universal group",Account Management,,
+4757,"A member was removed from a security-enabled universal group",Account Management,,
+4758,"A security-enabled universal group was deleted",Account Management,,
+4759,"A security-disabled universal group was created",Account Management,,
+4760,"A security-disabled universal group was changed",Account Management,,
+4761,"A member was added to a security-disabled universal group",Account Management,,
+4762,"A member was removed from a security-disabled universal group",Account Management,,
+4763,"A security-disabled universal group was deleted",Account Management,,
+4764,"A group's type was changed",Account Management,,
+4765,"SID History was added to an account",Account Management,,
+4766,"An attempt to add SID History to an account failed",Account Management,,
+4767,"A user account was unlocked",Account Management,,
+4768,"A Kerberos authentication ticket (TGT) was requested",,,
+4769,"A Kerberos service ticket was requested",,,
+4770,"A Kerberos service ticket was renewed",,,
+4771,"Kerberos pre-authentication failed",,,
+4772,"A Kerberos authentication ticket request failed",,,
+4773,"A Kerberos service ticket request failed",,,
+4774,"An account was mapped for logon",,,
+4775,"An account could not be mapped for logon",,,
+4776,"The domain controller attempted to validate the credentials for an account",,,
+4777,"The domain controller failed to validate the credentials for an account",,,
+4778,"A session was reconnected to a Window Station",,,
+4779,"A session was disconnected from a Window Station",,,
+4780,"The ACL was set on accounts which are members of administrators groups",Account Management,,
+4781,"The name of an account was changed",Account Management,,
+4782,"The password hash an account was accessed",Account Management,,
+4783,"A basic application group was created",Account Management,,
+4784,"A basic application group was changed",Account Management,,
+4785,"A member was added to a basic application group",Account Management,,
+4786,"A member was removed from a basic application group",Account Management,,
+4787,"A non-member was added to a basic application group",Account Management,,
+4788,"A non-member was removed from a basic application group..",Account Management,,
+4789,"A basic application group was deleted",Account Management,,
+4790,"An LDAP query group was created",Account Management,,
+4791,"A basic application group was changed",Account Management,,
+4792,"An LDAP query group was deleted",Account Management,,
+4793,"The Password Policy Checking API was called",API Calls,,
+4794,"An attempt was made to set the Directory Services Restore Mode administrator password",Account Management,,
+4799,"A security-enabled local group membership was enumerated",,,
+4800,"The workstation was locked",,,
+4801,"The workstation was unlocked",,,
+4802,"The screen saver was invoked",,,
+4803,"The screen saver was dismissed",,,
+4816,"RPC detected an integrity violation while decrypting an incoming message",,,
+4817,"Auditing settings on object were changed.",,,
+4864,"A namespace collision was detected",,,
+4865,"A trusted forest information entry was added",,,
+4866,"A trusted forest information entry was removed",,,
+4867,"A trusted forest information entry was modified",,,
+4868,"The certificate manager denied a pending certificate request",,,
+4869,"Certificate Services received a resubmitted certificate request",,,
+4870,"Certificate Services revoked a certificate",,,
+4871,"Certificate Services received a request to publish the certificate revocation list (CRL)",,,
+4872,"Certificate Services published the certificate revocation list (CRL)",,,
+4873,"A certificate request extension changed",,,
+4874,"One or more certificate request attributes changed.",,,
+4875,"Certificate Services received a request to shut down",,,
+4876,"Certificate Services backup started",,,
+4877,"Certificate Services backup completed",,,
+4878,"Certificate Services restore started",,,
+4879,"Certificate Services restore completed",,,
+4880,"Certificate Services started",,,
+4881,"Certificate Services stopped",,,
+4882,"The security permissions for Certificate Services changed",,,
+4883,"Certificate Services retrieved an archived key",,,
+4884,"Certificate Services imported a certificate into its database",,,
+4885,"The audit filter for Certificate Services changed",,,
+4886,"Certificate Services received a certificate request",,,
+4887,"Certificate Services approved a certificate request and issued a certificate",,,
+4888,"Certificate Services denied a certificate request",,,
+4889,"Certificate Services set the status of a certificate request to pending",,,
+4890,"The certificate manager settings for Certificate Services changed.",,,
+4891,"A configuration entry changed in Certificate Services",,,
+4892,"A property of Certificate Services changed",,,
+4893,"Certificate Services archived a key",,,
+4894,"Certificate Services imported and archived a key",,,
+4895,"Certificate Services published the CA certificate to Active Directory Domain Services",,,
+4896,"One or more rows have been deleted from the certificate database",,,
+4897,"Role separation enabled",,,
+4898,"Certificate Services loaded a template",,,
+4899,"A Certificate Services template was updated",,,
+4900,"Certificate Services template security was updated",,,
+4902,"The Per-user audit policy table was created",,,
+4904,"An attempt was made to register a security event source",,,
+4905,"An attempt was made to unregister a security event source",,,
+4906,"The CrashOnAuditFail value has changed",,,
+4907,"Auditing settings on object were changed",,,
+4908,"Special Groups Logon table modified",,,
+4909,"The local policy settings for the TBS were changed",,,
+4910,"The group policy settings for the TBS were changed",,,
+4912,"Per User Audit Policy was changed",,,
+4928,"An Active Directory replica source naming context was established",,,
+4929,"An Active Directory replica source naming context was removed",,,
+4930,"An Active Directory replica source naming context was modified",,,
+4931,"An Active Directory replica destination naming context was modified",,,
+4932,"Synchronization of a replica of an Active Directory naming context has begun",,,
+4933,"Synchronization of a replica of an Active Directory naming context has ended",,,
+4934,"Attributes of an Active Directory object were replicated",,,
+4935,"Replication failure begins",,,
+4936,"Replication failure ends",,,
+4937,"A lingering object was removed from a replica",,,
+4944,"The following policy was active when the Windows Firewall started",,,
+4945,"A rule was listed when the Windows Firewall started",,,
+4946,"A change has been made to Windows Firewall exception list. A rule was added",,,
+4947,"A change has been made to Windows Firewall exception list. A rule was modified",,,
+4948,"A change has been made to Windows Firewall exception list. A rule was deleted",,,
+4949,"Windows Firewall settings were restored to the default values",,,
+4950,"A Windows Firewall setting has changed",,,
+4951,"A rule has been ignored because its major version number was not recognized by Windows Firewall",,,
+4952,"Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall",,,
+4953,"A rule has been ignored by Windows Firewall because it could not parse the rule",,,
+4954,"Windows Firewall Group Policy settings has changed. The new settings have been applied",,,
+4956,"Windows Firewall has changed the active profile",,,
+4957,"Windows Firewall did not apply the following rule",,,
+4958,"Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer",,,
+4960,"IPsec dropped an inbound packet that failed an integrity check",,,
+4961,"IPsec dropped an inbound packet that failed a replay check",,,
+4962,"IPsec dropped an inbound packet that failed a replay check",,,
+4963,"IPsec dropped an inbound clear text packet that should have been secured",,,
+4964,"Special groups have been assigned to a new logon",,,
+4965,"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).",,,
+4976,"During Main Mode negotiation, IPsec received an invalid negotiation packet.",,,
+4977,"During Quick Mode negotiation, IPsec received an invalid negotiation packet.",,,
+4978,"During Extended Mode negotiation, IPsec received an invalid negotiation packet.",,,
+4979,"IPsec Main Mode and Extended Mode security associations were established.",,,
+4980,"IPsec Main Mode and Extended Mode security associations were established",,,
+4981,"IPsec Main Mode and Extended Mode security associations were established",,,
+4982,"IPsec Main Mode and Extended Mode security associations were established",,,
+4983,"An IPsec Extended Mode negotiation failed",,,
+4984,"An IPsec Extended Mode negotiation failed",,,
+4985,"The state of a transaction has changed",,,
+5024,"The Windows Firewall Service has started successfully",,,
+5025,"The Windows Firewall Service has been stopped",,,
+5027,"The Windows Firewall Service was unable to retrieve the security policy from the local storage",,,
+5028,"The Windows Firewall Service was unable to parse the new security policy.",,,
+5029,"The Windows Firewall Service failed to initialize the driver",,,
+5030,"The Windows Firewall Service failed to start",,,
+5031,"The Windows Firewall Service blocked an application from accepting incoming connections on the network.",,,
+5032,"Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network",,,
+5033,"The Windows Firewall Driver has started successfully",,,
+5034,"The Windows Firewall Driver has been stopped",,,
+5035,"The Windows Firewall Driver failed to start",,,
+5037,"The Windows Firewall Driver detected critical runtime error. Terminating",,,
+5038,"Code integrity determined that the image hash of a file is not valid",,,
+5039,"A registry key was virtualized.",,,
+5040,"A change has been made to IPsec settings. An Authentication Set was added.",,,
+5041,"A change has been made to IPsec settings. An Authentication Set was modified",,,
+5042,"A change has been made to IPsec settings. An Authentication Set was deleted",,,
+5043,"A change has been made to IPsec settings. A Connection Security Rule was added",,,
+5044,"A change has been made to IPsec settings. A Connection Security Rule was modified",,,
+5045,"A change has been made to IPsec settings. A Connection Security Rule was deleted",,,
+5046,"A change has been made to IPsec settings. A Crypto Set was added",,,
+5047,"A change has been made to IPsec settings. A Crypto Set was modified",,,
+5048,"A change has been made to IPsec settings. A Crypto Set was deleted",,,
+5049,"An IPsec Security Association was deleted",,,
+5050,"An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE",,,
+5051,"A file was virtualized",,,
+5056,"A cryptographic self test was performed",,,
+5057,"A cryptographic primitive operation failed",,,
+5058,"Key file operation",,,
+5059,"Key migration operation",,,
+5060,"Verification operation failed",,,
+5061,"Cryptographic operation",,,
+5062,"A kernel-mode cryptographic self test was performed",,,
+5063,"A cryptographic provider operation was attempted",,,
+5064,"A cryptographic context operation was attempted",,,
+5065,"A cryptographic context modification was attempted",,,
+5066,"A cryptographic function operation was attempted",,,
+5067,"A cryptographic function modification was attempted",,,
+5068,"A cryptographic function provider operation was attempted",,,
+5069,"A cryptographic function property operation was attempted",,,
+5070,"A cryptographic function property operation was attempted",,,
+5120,"OCSP Responder Service Started",,,
+5121,"OCSP Responder Service Stopped",,,
+5122,"A Configuration entry changed in the OCSP Responder Service",,,
+5123,"A configuration entry changed in the OCSP Responder Service",,,
+5124,"A security setting was updated on OCSP Responder Service",,,
+5125,"A request was submitted to OCSP Responder Service",,,
+5126,"Signing Certificate was automatically updated by the OCSP Responder Service",,,
+5127,"The OCSP Revocation Provider successfully updated the revocation information",,,
+5136,"A directory service object was modified",,,
+5137,"A directory service object was created",,,
+5138,"A directory service object was undeleted",,,
+5139,"A directory service object was moved",,,
+5140,"A network share object was accessed",,,
+5141,"A directory service object was deleted",,,
+5142,"A network share object was added.",,,
+5143,"A network share object was modified",,,
+5144,"A network share object was deleted.",,,
+5145,"A network share object was checked to see whether client can be granted desired access",,,
+5148,"The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.",,,
+5149,"The DoS attack has subsided and normal processing is being resumed.",,,
+5150,"The Windows Filtering Platform has blocked a packet.",,,
+5151,"A more restrictive Windows Filtering Platform filter has blocked a packet.",,,
+5152,"The Windows Filtering Platform blocked a packet",,,
+5153,"A more restrictive Windows Filtering Platform filter has blocked a packet",,,
+5154,"The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections",,,
+5155,"The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections",,,
+5156,"The Windows Filtering Platform has allowed a connection",,,
+5157,"The Windows Filtering Platform has blocked a connection",,,
+5158,"The Windows Filtering Platform has permitted a bind to a local port",,,
+5159,"The Windows Filtering Platform has blocked a bind to a local port",,,
+5168,"Spn check for SMB/SMB2 fails.",,,
+5376,"Credential Manager credentials were backed up",Account Management,,
+5377,"Credential Manager credentials were restored from a backup",Account Management,,
+5378,"The requested credentials delegation was disallowed by policy",,,
+5440,"The following callout was present when the Windows Filtering Platform Base Filtering Engine started",,,
+5441,"The following filter was present when the Windows Filtering Platform Base Filtering Engine started",,,
+5442,"The following provider was present when the Windows Filtering Platform Base Filtering Engine started",,,
+5443,"The following provider context was present when the Windows Filtering Platform Base Filtering Engine started",,,
+5444,"The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started",,,
+5446,"A Windows Filtering Platform callout has been changed",,,
+5447,"A Windows Filtering Platform filter has been changed",,,
+5448,"A Windows Filtering Platform provider has been changed",,,
+5449,"A Windows Filtering Platform provider context has been changed",,,
+5450,"A Windows Filtering Platform sub-layer has been changed",,,
+5451,"An IPsec Quick Mode security association was established",,,
+5452,"An IPsec Quick Mode security association ended",,,
+5453,"An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started",,,
+5456,"PAStore Engine applied Active Directory storage IPsec policy on the computer",,,
+5457,"PAStore Engine failed to apply Active Directory storage IPsec policy on the computer",,,
+5458,"PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer",,,
+5459,"PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer",,,
+5460,"PAStore Engine applied local registry storage IPsec policy on the computer",,,
+5461,"PAStore Engine failed to apply local registry storage IPsec policy on the computer",,,
+5462,"PAStore Engine failed to apply some rules of the active IPsec policy on the computer",,,
+5463,"PAStore Engine polled for changes to the active IPsec policy and detected no changes",,,
+5464,"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services",,,
+5465,"PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully",,,
+5466,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead",,,
+5467,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy",,,
+5468,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes",,,
+5471,"PAStore Engine loaded local storage IPsec policy on the computer",,,
+5472,"PAStore Engine failed to load local storage IPsec policy on the computer",,,
+5473,"PAStore Engine loaded directory storage IPsec policy on the computer",,,
+5474,"PAStore Engine failed to load directory storage IPsec policy on the computer",,,
+5477,"PAStore Engine failed to add quick mode filter",,,
+5478,"IPsec Services has started successfully",,,
+5479,"IPsec Services has been shut down successfully",,,
+5480,"IPsec Services failed to get the complete list of network interfaces on the computer",,,
+5483,"IPsec Services failed to initialize RPC server. IPsec Services could not be started",,,
+5484,"IPsec Services has experienced a critical failure and has been shut down",,,
+5485,"IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces",,,
+5632,"A request was made to authenticate to a wireless network",,,
+5633,"A request was made to authenticate to a wired network",,,
+5712,"A Remote Procedure Call (RPC) was attempted",,,
+5888,"An object in the COM+ Catalog was modified",,,
+5889,"An object was deleted from the COM+ Catalog",,,
+5890,"An object was added to the COM+ Catalog",,,
+6144,"Security policy in the group policy objects has been applied successfully",,,
+6145,"One or more errors occured while processing security policy in the group policy objects",,,
+6272,"Network Policy Server granted access to a user",,,
+6273,"Network Policy Server denied access to a user",,,
+6274,"Network Policy Server discarded the request for a user",,,
+6275,"Network Policy Server discarded the accounting request for a user",,,
+6276,"Network Policy Server quarantined a user",,,
+6277,"Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy",,,
+6278,"Network Policy Server granted full access to a user because the host met the defined health policy",,,
+6279,"Network Policy Server locked the user account due to repeated failed authentication attempts",,,
+6280,"Network Policy Server unlocked the user account",,,
+6281,"Code Integrity determined that the page hashes of an image file are not valid...",,,
+6400,"BranchCache: Received an incorrectly formatted response while discovering availability of content.",,,
+6401,"BranchCache: Received invalid data from a peer. Data discarded.",,,
+6402,"BranchCache: The message to the hosted cache offering it data is incorrectly formatted.",,,
+6403,"BranchCache: The hosted cache sent an incorrectly formatted response to the client's message to offer it data.",,,
+6404,"BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.",,,
+6405,"BranchCache: %2 instance(s) of event id %1 occurred.",,,
+6406,"%1 registered to Windows Firewall to control filtering for the following:",,,
+6407,"%1",,,
+6408,"Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.",,,
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_signatures_substatus_850.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_signatures_substatus_850.csv
new file mode 100644
index 00000000..1c726c7d
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_signatures_substatus_850.csv
@@ -0,0 +1,41 @@
+signature_id,Sub_Status,signature
+4625,0xc0000064,"User logon with misspelled or bad user account"
+4625,0xC0000064,"User logon with misspelled or bad user account"
+4625,0xc000006a,"User logon with misspelled or bad password"
+4625,0xC000006A,"User logon with misspelled or bad password"
+4625,0xc0000234,"User logon with account locked"
+4625,0xC0000234,"User logon with account locked"
+4625,0xc0000072,"User logon to account disabled by administrator"
+4625,0xC0000072,"User logon to account disabled by administrator"
+4625,0xc000006f,"User logon outside authorized hours"
+4625,0xC000006F,"User logon outside authorized hours"
+4625,0xc0000070,"User logon from unauthorized workstation"
+4625,0xC0000070,"User logon from unauthorized workstation"
+4625,0xc0000193,"User logon with expired account"
+4625,0xC0000193,"User logon with expired account"
+4625,0xc0000071,"User logon with expired password"
+4625,0xC0000071,"User logon with expired password"
+4625,0xc0000133,"Clocks between DC and other computer too far out of sync"
+4625,0xC0000133,"Clocks between DC and other computer too far out of sync"
+4625,0xc0000224,"User is required to change password at next logon"
+4625,0xC0000224,"User is required to change password at next logon"
+4625,0xc0000225,"Evidently a bug in Windows and not a risk"
+4625,0xC0000225,"Evidently a bug in Windows and not a risk"
+4625,0xc000005e,"There are currently no logon servers available to service the logon request"
+4625,0xC000005E,"There are currently no logon servers available to service the logon request"
+4625,0xc000006d,"The cause is either a bad username or authentication information"
+4625,0xC000006D,"The cause is either a bad username or authentication information"
+4625,0xc000006e,"Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions)"
+4625,0xC000006E,"Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions)"
+4625,0xc00000dc,"Indicates the Sam Server was in the wrong state to perform the desired operation"
+4625,0xC00000DC,"Indicates the Sam Server was in the wrong state to perform the desired operation"
+4625,0xc000015b,"The user has not been granted the requested logon type (also called the logon right) at this machine"
+4625,0xC000015B,"The user has not been granted the requested logon type (also called the logon right) at this machine"
+4625,0xc000018c,"The logon request failed because the trust relationship between the primary domain and the trusted domain failed"
+4625,0xC000018C,"The logon request failed because the trust relationship between the primary domain and the trusted domain failed"
+4625,0xc0000192,"An attempt was made to logon, but the Netlogon service was not started"
+4625,0xC0000192,"An attempt was made to logon, but the Netlogon service was not started"
+4625,0xc00002ee,"Failure Reason: An Error occurred during Logon"
+4625,0xC00002EE,"Failure Reason: An Error occurred during Logon"
+4625,0xc0000413,"Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine"
+4625,0xC0000413,"Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine"
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_start_mode_lookup.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_start_mode_lookup.csv
new file mode 100644
index 00000000..03276718
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_start_mode_lookup.csv
@@ -0,0 +1,6 @@
+StartType,start_mode
+disabled,disabled
+"auto start",auto
+"demand start",manual
+"boot start",auto
+"system start",auto
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_timesync_actions.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_timesync_actions.csv
new file mode 100644
index 00000000..84f0ea24
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_timesync_actions.csv
@@ -0,0 +1,3 @@
+Last_Sync_Error,windows_action
+0*,success
+*,failure
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_update_statii.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_update_statii.csv
new file mode 100644
index 00000000..64e2a58f
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_update_statii.csv
@@ -0,0 +1,10 @@
+sourcetype,EventCode,vendor_status,status
+WMI:InstalledUpdates,,,installed
+,17,,available
+,18,,available
+,19,,installed
+,,"Installation Ready",available
+,,"Installation Successful",installed
+,,"Restart Required","restart required"
+,,"Installation successful and restart required","restart required"
+,,"Installation Failure",failure
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_wineventlog_change_action_860.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_wineventlog_change_action_860.csv
new file mode 100644
index 00000000..57d7c5aa
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_wineventlog_change_action_860.csv
@@ -0,0 +1,25 @@
+EventCode,action,status
+5461,modified,failure
+1100,,stopped
+4697,,started
+5024,,started
+5025,,stopped
+5033,,started
+5034,,stopped
+5478,,started
+4727,created,success
+4728,modified,success
+4729,modified,success
+4730,deleted,success
+4731,created,success
+4733,modified,success
+4734,deleted,success
+4735,modified,success
+4737,modified,success
+4754,created,success
+4755,modified,success
+4756,modified,success
+4757,modified,success
+4758,deleted,success
+4764,modified,success
+4799,read,success
diff --git a/deployment-apps/Splunk_TA_windows/lookups/windows_wineventlog_change_object_fields_860.csv b/deployment-apps/Splunk_TA_windows/lookups/windows_wineventlog_change_object_fields_860.csv
new file mode 100644
index 00000000..26df478d
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/windows_wineventlog_change_object_fields_860.csv
@@ -0,0 +1,52 @@
+EventCode,change_type,object_attrs,object_category,result
+1100,,service,,
+1101,audit,transport,audit,
+1102,,registry,,The audit log was cleared
+1108,audit,Microsoft-Windows-Security-Auditing,audit,
+4719,audit,Kerberos Authentication Service,audit policy,System audit policy was changed
+4717,AAA,,security access,access was granted
+4718,AAA,,security access,account was removed
+4720,,account,,A user account was created
+4722,,account,,A user account was enabled
+4723,,account,,An attempt was made to change an account's password
+4724,,account,,An attempt was made to reset an account's password
+4725,,account,,A user account was disabled
+4726,,account,,A user account was deleted
+4727,AAA,global group,group,A security-enabled global group was created
+4728,AAA,,user,A member was added to a security-enabled global group
+4729,AAA,,user,A member was removed from a security-enabled global group
+4730,AAA,global group,group,A security-enabled global group was deleted
+4731,AAA,local group,group,A security-enabled local group was created
+4732,AAA,,user,A member was added to a security-enabled local group
+4733,AAA,,user,A member was removed from a security-enabled local group
+4734,AAA,local group,group,A security-enabled local group was deleted
+4735,AAA,local group,group,A security-enabled local group was changed
+4737,AAA,global group,group,A security-enabled global group was changed
+4738,,account,,A user account was changed
+4739,AAA,domain policy,global group,Domain Policy was changed
+4740,,account,,A user account was locked out
+4741,,computer account,,account was created
+4742,,computer account,,account was changed
+4743,,computer account,,account was deleted
+4750,AAA,,global group,group was changed
+4753,AAA,,global group,group was deleted
+4754,AAA,universal group,group,A security-enabled universal group was created
+4755,AAA,universal group,group,A security-enabled universal group was changed
+4756,AAA,,user,A member was added to a security-enabled universal group
+4757,AAA,,user,A member was removed from a security-enabled universal group
+4758,AAA,universal group,group,A security-enabled universal group was deleted
+4764,AAA,,group,A group's type was changed
+4767,AAA,account,user,A user account was unlocked
+4781,AAA,account,user,The name of an account was changed
+5461,AAA,registry,policy,failed
+4703,,account,,A token right was adjusted
+4704,,account,,A user right was assigned
+4705,,account,,A user right was removed
+4800,AAA,workstation,user,The workstation was locked
+4801,AAA,workstation,user,The workstation was unlocked
+4634,,login session,,An account was logged off
+4698,,,,A scheduled task was created
+4700,,,,A scheduled task was enabled
+4701,,,,A scheduled task was disabled
+4702,,,,A scheduled task was updated
+4799,AAA,local group,group,A security-enabled local group membership was enumerated
diff --git a/deployment-apps/Splunk_TA_windows/lookups/wmi_user_account_status.csv b/deployment-apps/Splunk_TA_windows/lookups/wmi_user_account_status.csv
new file mode 100644
index 00000000..d8db0325
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/wmi_user_account_status.csv
@@ -0,0 +1,3 @@
+status,enabled
+OK,true
+Degraded,false
diff --git a/deployment-apps/Splunk_TA_windows/lookups/wmi_version_range.csv b/deployment-apps/Splunk_TA_windows/lookups/wmi_version_range.csv
new file mode 100644
index 00000000..e8f9254b
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/wmi_version_range.csv
@@ -0,0 +1,2 @@
+sourcetype,range
+WMI:Version,windows
diff --git a/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_change_audit_and_account_management_860.csv b/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_change_audit_and_account_management_860.csv
new file mode 100644
index 00000000..3f2a1dca
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_change_audit_and_account_management_860.csv
@@ -0,0 +1,51 @@
+EventCode,object_attrs,result
+1100,service,
+1102,registry,The audit log was cleared
+4720,account,A user account was created
+4741,computer account,account was created
+4722,account,A user account was enabled
+4723,account,An attempt was made to change an account's password
+4724,account,An attempt was made to reset an account's password
+4725,account,A user account was disabled
+4726,account,A user account was deleted
+4743,computer account,account was deleted
+4738,account,A user account was changed
+4742,computer account,account was changed
+4740,account,A user account was locked out
+4767,account,A user account was unlocked
+1101,transport,
+1108,Microsoft-Windows-Security-Auditing,
+4719,Kerberos Authentication Service,System audit policy was changed
+4717,,access was granted
+4718,,account was removed
+4727,global group,A security-enabled global group was created
+4728,,A member was added to a security-enabled global group
+4729,,A member was removed from a security-enabled global group
+4730,global group,A security-enabled global group was deleted
+4731,local group,A security-enabled local group was created
+4732,,A member was added to a security-enabled local group
+4733,,A member was removed from a security-enabled local group
+4734,local group,A security-enabled local group was deleted
+4735,local group,A security-enabled local group was changed
+4737,global group,A security-enabled global group was changed
+4739,domain policy,Domain Policy was changed
+4750,,group was changed
+4753,,group was deleted
+4754,universal group,A security-enabled universal group was created
+4755,universal group,A security-enabled universal group was changed
+4756,,A member was added to a security-enabled universal group
+4757,,A member was removed from a security-enabled universal group
+4758,universal group,A security-enabled universal group was deleted
+4764,,A group's type was changed
+4799,local group,A security-enabled local group membership was enumerated
+4781,account,The name of an account was changed
+4703,account,A token right was adjusted
+4704,account,A user right was assigned
+4705,account,A user right was removed
+4800,workstation,The workstation was locked
+4801,workstation,The workstation was unlocked
+4634,login session,An account was logged off
+4698,,A scheduled task was created
+4700,,A scheduled task was enabled
+4701,,A scheduled task was disabled
+4702,,A scheduled task was updated
diff --git a/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action.csv b/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action.csv
new file mode 100644
index 00000000..cadf1f5c
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action.csv
@@ -0,0 +1,362 @@
+EventCode,action,Category,Subcategory,message,os
+4608,success,System,Security State Change,Windows is starting up.,"Windows Vista, Windows Server 2008"
+4609,unknown,System,Security State Change,Windows is shutting down.,"Windows Vista, Windows Server 2008"
+4610,unknown,System,Security System Extension,An authentication package has been loaded by the Local Security Authority.,"Windows Vista, Windows Server 2008"
+4611,success,System,Security System Extension,A trusted logon process has been registered with the Local Security Authority.,"Windows Vista, Windows Server 2008"
+4612,unknown,System,System Integrity,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.","Windows Vista, Windows Server 2008"
+4614,unknown,System,Security System Extension,A notification package has been loaded by the Security Account Manager.,"Windows Vista, Windows Server 2008"
+4615,unknown,System,System Integrity,Invalid use of LPC port.,"Windows Vista, Windows Server 2008"
+4616,success,System,Security State Change,The system time was changed.,"Windows Vista, Windows Server 2008"
+4618,unknown,System,System Integrity,A monitored security event pattern has occurred.,"Windows Vista, Windows Server 2008"
+4621,unknown,System,Security State Change,Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.,"Windows Vista, Windows Server 2008"
+4622,unknown,System,Security System Extension,A security package has been loaded by the Local Security Authority.,"Windows Vista, Windows Server 2008"
+4624,success,Logon/Logoff,Logon,An account was successfully logged on.,"Windows Vista, Windows Server 2008"
+4626,unknown,Logon/Logoff,Logon,User/Device claims information.,"Windows 8, Windows Server 2012"
+4634,success,Logon/Logoff,Logoff,An account was logged off.,"Windows Vista, Windows Server 2008"
+4646,unknown,Logon/Logoff,IPsec Main Mode,IKE DoS-prevention mode started.,"Windows Vista, Windows Server 2008"
+4647,success,Logon/Logoff,Logoff,User initiated logoff.,"Windows Vista, Windows Server 2008"
+4648,success,Logon/Logoff,Logon,A logon was attempted using explicit credentials.,"Windows Vista, Windows Server 2008"
+4649,unknown,Logon/Logoff,Other Logon/Logoff Events,A replay attack was detected.,"Windows Vista, Windows Server 2008"
+4650,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.,"Windows Vista, Windows Server 2008"
+4651,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.,"Windows Vista, Windows Server 2008"
+4652,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode negotiation failed.,"Windows Vista, Windows Server 2008"
+4653,failure,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode negotiation failed.,"Windows Vista, Windows Server 2008"
+4654,unknown,Logon/Logoff,IPsec Quick Mode,An IPsec Quick Mode negotiation failed.,"Windows Vista, Windows Server 2008"
+4655,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Main Mode security association ended.,"Windows Vista, Windows Server 2008"
+4656,failure,Object Access,Handle Manipulation,A handle to an object was requested.,"Windows Vista, Windows Server 2008"
+4657,unknown,Object Access,Registry,A registry value was modified.,"Windows Vista, Windows Server 2008"
+4658,success,Object Access,Handle Manipulation,The handle to an object was closed.,"Windows Vista, Windows Server 2008"
+4659,unknown,Object Access,Special,A handle to an object was requested with intent to delete.,"Windows Vista, Windows Server 2008"
+4660,unknown,Object Access,Special,An object was deleted.,"Windows Vista, Windows Server 2008"
+4661,success,Object Access,Special,A handle to an object was requested.,"Windows Vista, Windows Server 2008"
+4662,success,DS Access,Directory Service Access,An operation was performed on an object.,"Windows Vista, Windows Server 2008"
+4663,success,Object Access,Special,An attempt was made to access an object.,"Windows Vista, Windows Server 2008"
+4664,success,Object Access,File System,An attempt was made to create a hard link.,"Windows Vista, Windows Server 2008"
+4665,unknown,Object Access,Application Generated,An attempt was made to create an application client context.,"Windows Vista, Windows Server 2008"
+4666,unknown,Object Access,Application Generated,An application attempted an operation:,"Windows Vista, Windows Server 2008"
+4667,unknown,Object Access,Application Generated,An application client context was deleted.,"Windows Vista, Windows Server 2008"
+4668,unknown,Object Access,Application Generated,An application was initialized.,"Windows Vista, Windows Server 2008"
+4670,success,Policy Change,Subcategory (special),Permissions on an object were changed.,"Windows Vista, Windows Server 2008"
+4671,unknown,Object Access,Other Object Access Events,An application attempted to access a blocked ordinal through the TBS.,"Windows Vista, Windows Server 2008"
+4672,success,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,Special privileges assigned to new logon.,"Windows Vista, Windows Server 2008"
+4673,failure,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,A privileged service was called.,"Windows Vista, Windows Server 2008"
+4674,success,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,An operation was attempted on a privileged object.,"Windows Vista, Windows Server 2008"
+4675,unknown,Logon/Logoff,Logon,SIDs were filtered.,"Windows Vista, Windows Server 2008"
+4688,success,Detailed Tracking,Process Creation,A new process has been created.,"Windows Vista, Windows Server 2008"
+4689,success,Detailed Tracking,Process Termination,A process has exited.,"Windows Vista, Windows Server 2008"
+4690,success,Object Access,Handle Manipulation,An attempt was made to duplicate a handle to an object.,"Windows Vista, Windows Server 2008"
+4691,unknown,Object Access,Other Object Access Events,Indirect access to an object was requested.,"Windows Vista, Windows Server 2008"
+4692,unknown,Detailed Tracking,DPAPI Activity,Backup of data protection master key was attempted.,"Windows Vista, Windows Server 2008"
+4693,unknown,Detailed Tracking,DPAPI Activity,Recovery of data protection master key was attempted.,"Windows Vista, Windows Server 2008"
+4694,unknown,Detailed Tracking,DPAPI Activity,Protection of auditable protected data was attempted.,"Windows Vista, Windows Server 2008"
+4695,unknown,Detailed Tracking,DPAPI Activity,Unprotection of auditable protected data was attempted.,"Windows Vista, Windows Server 2008"
+4696,unknown,Detailed Tracking,Process Creation,A primary token was assigned to process.,"Windows Vista, Windows Server 2008"
+4697,unknown,System,Security System Extension,A service was installed in the system.,"Windows Vista, Windows Server 2008"
+4698,unknown,Object Access,Other Object Access Events,A scheduled task was created.,"Windows Vista, Windows Server 2008"
+4699,unknown,Object Access,Other Object Access Events,A scheduled task was deleted.,"Windows Vista, Windows Server 2008"
+4700,unknown,Object Access,Other Object Access Events,A scheduled task was enabled.,"Windows Vista, Windows Server 2008"
+4701,unknown,Object Access,Other Object Access Events,A scheduled task was disabled.,"Windows Vista, Windows Server 2008"
+4702,success,Object Access,Other Object Access Events,A scheduled task was updated.,"Windows Vista, Windows Server 2008"
+4704,success,Policy Change,Authorization Policy Change,A user right was assigned.,"Windows Vista, Windows Server 2008"
+4705,unknown,Policy Change,Authorization Policy Change,A user right was removed.,"Windows Vista, Windows Server 2008"
+4706,unknown,Policy Change,Authorization Policy Change,A new trust was created to a domain.,"Windows Vista, Windows Server 2008"
+4707,unknown,Policy Change,Authorization Policy Change,A trust to a domain was removed.,"Windows Vista, Windows Server 2008"
+4709,unknown,Policy Change,Filtering Platform Policy Change,IPsec Services was started.,"Windows Vista, Windows Server 2008"
+4710,unknown,Policy Change,Filtering Platform Policy Change,IPsec Services was disabled.,"Windows Vista, Windows Server 2008"
+4711,unknown,Policy Change,Filtering Platform Policy Change,"May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine applied Active Directory storage IPsec policy on the computer.PAStore Engine applied local registry storage IPsec policy on the computer.PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply local registry storage IPsec policy on the computer.PAStore Engine failed to apply some rules of the active IPsec policy on the computer.PAStore Engine failed to load directory storage IPsec policy on the computer.PAStore Engine loaded directory storage IPsec policy on the computer.PAStore Engine failed to load local storage IPsec policy on the computer.PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected no changes.","Windows Vista, Windows Server 2008"
+4712,unknown,Policy Change,Filtering Platform Policy Change,IPsec Services encountered a potentially serious failure.,"Windows Vista, Windows Server 2008"
+4713,unknown,Policy Change,Authentication Policy Change,Kerberos policy was changed.,"Windows Vista, Windows Server 2008"
+4714,unknown,Policy Change,Authorization Policy Change,Encrypted data recovery policy was changed.,"Windows Vista, Windows Server 2008"
+4715,unknown,Policy Change,Audit Policy Change,The audit policy (SACL) on an object was changed.,"Windows Vista, Windows Server 2008"
+4716,unknown,Policy Change,Authentication Policy Change,Trusted domain information was modified.,"Windows Vista, Windows Server 2008"
+4717,success,Policy Change,Authentication Policy Change,System security access was granted to an account.,"Windows Vista, Windows Server 2008"
+4718,unknown,Policy Change,Authentication Policy Change,System security access was removed from an account.,"Windows Vista, Windows Server 2008"
+4719,unknown,Policy Change,Audit Policy Change,System audit policy was changed.,"Windows Vista, Windows Server 2008"
+4720,created,Account Management,User Account Management,A user account was created.,"Windows Vista, Windows Server 2008"
+4722,modified,Account Management,User Account Management,A user account was enabled.,"Windows Vista, Windows Server 2008"
+4723,modified,Account Management,User Account Management,An attempt was made to change an account's password.,"Windows Vista, Windows Server 2008"
+4724,modified,Account Management,User Account Management,An attempt was made to reset an account's password.,"Windows Vista, Windows Server 2008"
+4725,modified,Account Management,User Account Management,A user account was disabled.,"Windows Vista, Windows Server 2008"
+4726,deleted,Account Management,User Account Management,A user account was deleted.,"Windows Vista, Windows Server 2008"
+4727,success,Account Management,Security Group Management,A security-enabled global group was created.,"Windows Vista, Windows Server 2008"
+4728,success,Account Management,Security Group Management,A member was added to a security-enabled global group.,"Windows Vista, Windows Server 2008"
+4729,success,Account Management,Security Group Management,A member was removed from a security-enabled global group.,"Windows Vista, Windows Server 2008"
+4730,unknown,Account Management,Security Group Management,A security-enabled global group was deleted.,"Windows Vista, Windows Server 2008"
+4731,unknown,Account Management,Security Group Management,A security-enabled local group was created.,"Windows Vista, Windows Server 2008"
+4732,success,Account Management,Security Group Management,A member was added to a security-enabled local group.,"Windows Vista, Windows Server 2008"
+4733,success,Account Management,Security Group Management,A member was removed from a security-enabled local group.,"Windows Vista, Windows Server 2008"
+4734,unknown,Account Management,Security Group Management,A security-enabled local group was deleted.,"Windows Vista, Windows Server 2008"
+4735,success,Account Management,Security Group Management,A security-enabled local group was changed.,"Windows Vista, Windows Server 2008"
+4737,success,Account Management,Security Group Management,A security-enabled global group was changed.,"Windows Vista, Windows Server 2008"
+4738,modified,Account Management,User Account Management,A user account was changed.,"Windows Vista, Windows Server 2008"
+4739,unknown,Policy Change,Authentication Policy Change,Domain Policy was changed.,"Windows Vista, Windows Server 2008"
+4740,unknown,Account Management,User Account Management,A user account was locked out.,"Windows Vista, Windows Server 2008"
+4742,modified,Account Management,Computer Account Management,A computer account was changed.,"Windows Vista, Windows Server 2008"
+4743,unknown,Account Management,Computer Account Management,A computer account was deleted.,"Windows Vista, Windows Server 2008"
+4744,unknown,Account Management,Distribution Group Management,A security-disabled local group was created.,"Windows Vista, Windows Server 2008"
+4745,unknown,Account Management,Distribution Group Management,A security-disabled local group was changed.,"Windows Vista, Windows Server 2008"
+4746,unknown,Account Management,Distribution Group Management,A member was added to a security-disabled local group.,"Windows Vista, Windows Server 2008"
+4747,unknown,Account Management,Distribution Group Management,A member was removed from a security-disabled local group.,"Windows Vista, Windows Server 2008"
+4748,unknown,Account Management,Distribution Group Management,A security-disabled local group was deleted.,"Windows Vista, Windows Server 2008"
+4749,unknown,Account Management,Distribution Group Management,A security-disabled global group was created.,"Windows Vista, Windows Server 2008"
+4750,unknown,Account Management,Distribution Group Management,A security-disabled global group was changed.,"Windows Vista, Windows Server 2008"
+4751,unknown,Account Management,Distribution Group Management,A member was added to a security-disabled global group.,"Windows Vista, Windows Server 2008"
+4752,unknown,Account Management,Distribution Group Management,A member was removed from a security-disabled global group.,"Windows Vista, Windows Server 2008"
+4753,unknown,Account Management,Distribution Group Management,A security-disabled global group was deleted.,"Windows Vista, Windows Server 2008"
+4754,success,Account Management,Security Group Management,A security-enabled universal group was created.,"Windows Vista, Windows Server 2008"
+4755,success,Account Management,Security Group Management,A security-enabled universal group was changed.,"Windows Vista, Windows Server 2008"
+4756,success,Account Management,Security Group Management,A member was added to a security-enabled universal group.,"Windows Vista, Windows Server 2008"
+4757,success,Account Management,Security Group Management,A member was removed from a security-enabled universal group.,"Windows Vista, Windows Server 2008"
+4758,unknown,Account Management,Security Group Management,A security-enabled universal group was deleted.,"Windows Vista, Windows Server 2008"
+4759,unknown,Account Management,Distribution Group Management,A security-disabled universal group was created.,"Windows Vista, Windows Server 2008"
+4760,unknown,Account Management,Distribution Group Management,A security-disabled universal group was changed.,"Windows Vista, Windows Server 2008"
+4761,unknown,Account Management,Distribution Group Management,A member was added to a security-disabled universal group.,"Windows Vista, Windows Server 2008"
+4762,unknown,Account Management,Distribution Group Management,A member was removed from a security-disabled universal group.,"Windows Vista, Windows Server 2008"
+4764,unknown,Account Management,Security Group Management,A group's type was changed.,"Windows Vista, Windows Server 2008"
+4765,unknown,Account Management,User Account Management,SID History was added to an account.,"Windows Vista, Windows Server 2008"
+4766,unknown,Account Management,User Account Management,An attempt to add SID History to an account failed.,"Windows Vista, Windows Server 2008"
+4767,modified,Account Management,User Account Management,A user account was unlocked.,"Windows Vista, Windows Server 2008"
+4770,success,Account Logon,Kerberos Service Ticket Operations,A Kerberos service ticket was renewed.,"Windows Vista, Windows Server 2008"
+4772,unknown,Account Logon,Kerberos Authentication Service,A Kerberos authentication ticket request failed.,"Windows Vista, Windows Server 2008"
+4774,unknown,Account Logon,Credential Validation,An account was mapped for logon.,"Windows Vista, Windows Server 2008"
+4775,unknown,Account Logon,Credential Validation,An account could not be mapped for logon.,"Windows Vista, Windows Server 2008"
+4777,unknown,Account Logon,Credential Validation,The domain controller failed to validate the credentials for an account.,"Windows Vista, Windows Server 2008"
+4778,success,Logon/Logoff,Other Logon/Logoff Events,A session was reconnected to a Window Station.,"Windows Vista, Windows Server 2008"
+4779,success,Logon/Logoff,Other Logon/Logoff Events,A session was disconnected from a Window Station.,"Windows Vista, Windows Server 2008"
+4780,success,Account Management,User Account Management,The ACL was set on accounts which are members of administrators groups.,"Windows Vista, Windows Server 2008"
+4781,unknown,Account Management,User Account Management,The name of an account was changed:,"Windows Vista, Windows Server 2008"
+4782,unknown,Account Management,Other Account Management Events,The password hash an account was accessed.,"Windows Vista, Windows Server 2008"
+4783,unknown,Account Management,Application Group Management,A basic application group was created.,"Windows Vista, Windows Server 2008"
+4784,unknown,Account Management,Application Group Management,A basic application group was changed.,"Windows Vista, Windows Server 2008"
+4785,unknown,Account Management,Application Group Management,A member was added to a basic application group.,"Windows Vista, Windows Server 2008"
+4786,unknown,Account Management,Application Group Management,A member was removed from a basic application group.,"Windows Vista, Windows Server 2008"
+4787,unknown,Account Management,Application Group Management,A non-member was added to a basic application group.,"Windows Vista, Windows Server 2008"
+4788,unknown,Account Management,Application Group Management,A non-member was removed from a basic application group.,"Windows Vista, Windows Server 2008"
+4789,unknown,Account Management,Application Group Management,A basic application group was deleted.,"Windows Vista, Windows Server 2008"
+4790,unknown,Account Management,Application Group Management,An LDAP query group was created.,"Windows Vista, Windows Server 2008"
+4793,unknown,Account Management,Other Account Management Events,The Password Policy Checking API was called.,"Windows Vista, Windows Server 2008"
+4794,unknown,Account Management,User Account Management,An attempt was made to set the Directory Services Restore Mode.,"Windows Vista, Windows Server 2008"
+4800,success,Logon/Logoff,Other Logon/Logoff Events,The workstation was locked.,"Windows Vista, Windows Server 2008"
+4801,unknown,Logon/Logoff,Other Logon/Logoff Events,The workstation was unlocked.,"Windows Vista, Windows Server 2008"
+4802,unknown,Logon/Logoff,Other Logon/Logoff Events,The screen saver was invoked.,"Windows Vista, Windows Server 2008"
+4803,unknown,Logon/Logoff,Other Logon/Logoff Events,The screen saver was dismissed.,"Windows Vista, Windows Server 2008"
+4816,unknown,System,System Integrity,RPC detected an integrity violation while decrypting an incoming message.,"Windows Vista, Windows Server 2008"
+4817,unknown,Policy Change,Audit Policy Change,Auditing settings on an object were changed.,"Windows 7, Windows Server 2008 R2"
+4818,unknown,Object Access,Central Policy Staging,Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy,"Windows 8, Windows Server 2012"
+4819,unknown,Policy Change,Other Policy Change Events,Central Access Policies on the machine have been changed.,"Windows 8, Windows Server 2012"
+4864,unknown,Policy Change,Authentication Policy Change,A namespace collision was detected.,"Windows Vista, Windows Server 2008"
+4865,unknown,Policy Change,Authentication Policy Change,A trusted forest information entry was added.,"Windows Vista, Windows Server 2008"
+4866,unknown,Policy Change,Authentication Policy Change,A trusted forest information entry was removed.,"Windows Vista, Windows Server 2008"
+4867,unknown,Policy Change,Authentication Policy Change,A trusted forest information entry was modified.,"Windows Vista, Windows Server 2008"
+4868,unknown,Object Access,Certification Services,The certificate manager denied a pending certificate request.,"Windows Vista, Windows Server 2008"
+4869,unknown,Object Access,Certification Services,Certificate Services received a resubmitted certificate request.,"Windows Vista, Windows Server 2008"
+4870,unknown,Object Access,Certification Services,Certificate Services revoked a certificate.,"Windows Vista, Windows Server 2008"
+4871,unknown,Object Access,Certification Services,Certificate Services received a request to publish the certificate revocation list (CRL).,"Windows Vista, Windows Server 2008"
+4872,unknown,Object Access,Certification Services,Certificate Services published the certificate revocation list (CRL).,"Windows Vista, Windows Server 2008"
+4873,unknown,Object Access,Certification Services,A certificate request extension changed.,"Windows Vista, Windows Server 2008"
+4874,unknown,Object Access,Certification Services,One or more certificate request attributes changed.,"Windows Vista, Windows Server 2008"
+4875,unknown,Object Access,Certification Services,Certificate Services received a request to shut down.,"Windows Vista, Windows Server 2008"
+4876,unknown,Object Access,Certification Services,Certificate Services backup started.,"Windows Vista, Windows Server 2008"
+4877,unknown,Object Access,Certification Services,Certificate Services backup completed.,"Windows Vista, Windows Server 2008"
+4878,unknown,Object Access,Certification Services,Certificate Services restore started.,"Windows Vista, Windows Server 2008"
+4879,unknown,Object Access,Certification Services,Certificate Services restore completed.,"Windows Vista, Windows Server 2008"
+4880,unknown,Object Access,Certification Services,Certificate Services started.,"Windows Vista, Windows Server 2008"
+4881,unknown,Object Access,Certification Services,Certificate Services stopped.,"Windows Vista, Windows Server 2008"
+4882,unknown,Object Access,Certification Services,The security permissions for Certificate Services changed.,"Windows Vista, Windows Server 2008"
+4883,unknown,Object Access,Certification Services,Certificate Services retrieved an archived key.,"Windows Vista, Windows Server 2008"
+4884,unknown,Object Access,Certification Services,Certificate Services imported a certificate into its database.,"Windows Vista, Windows Server 2008"
+4885,unknown,Object Access,Certification Services,The audit filter for Certificate Services changed.,"Windows Vista, Windows Server 2008"
+4886,unknown,Object Access,Certification Services,Certificate Services received a certificate request.,"Windows Vista, Windows Server 2008"
+4887,unknown,Object Access,Certification Services,Certificate Services approved a certificate request and issued a certificate.,"Windows Vista, Windows Server 2008"
+4888,unknown,Object Access,Certification Services,Certificate Services denied a certificate request.,"Windows Vista, Windows Server 2008"
+4889,unknown,Object Access,Certification Services,Certificate Services set the status of a certificate request to pending.,"Windows Vista, Windows Server 2008"
+4890,unknown,Object Access,Certification Services,The certificate manager settings for Certificate Services changed.,"Windows Vista, Windows Server 2008"
+4891,unknown,Object Access,Certification Services,A configuration entry changed in Certificate Services.,"Windows Vista, Windows Server 2008"
+4892,unknown,Object Access,Certification Services,A property of Certificate Services changed.,"Windows Vista, Windows Server 2008"
+4893,unknown,Object Access,Certification Services,Certificate Services archived a key.,"Windows Vista, Windows Server 2008"
+4894,unknown,Object Access,Certification Services,Certificate Services imported and archived a key.,"Windows Vista, Windows Server 2008"
+4895,unknown,Object Access,Certification Services,Certificate Services published the CA certificate to Active Directory Domain Services.,"Windows Vista, Windows Server 2008"
+4896,unknown,Object Access,Certification Services,One or more rows have been deleted from the certificate database.,"Windows Vista, Windows Server 2008"
+4897,unknown,Object Access,Certification Services,Role separation enabled:,"Windows Vista, Windows Server 2008"
+4898,unknown,Object Access,Certification Services,Certificate Services loaded a template.,"Windows Vista, Windows Server 2008"
+4902,success,Policy Change,Audit Policy Change,The Per-user audit policy table was created.,"Windows Vista, Windows Server 2008"
+4904,success,Policy Change,Audit Policy Change,An attempt was made to register a security event source.,"Windows Vista, Windows Server 2008"
+4905,success,Policy Change,Audit Policy Change,An attempt was made to unregister a security event source.,"Windows Vista, Windows Server 2008"
+4906,unknown,Policy Change,Audit Policy Change,The CrashOnAuditFail value has changed.,"Windows Vista, Windows Server 2008"
+4907,success,Policy Change,Audit Policy Change,Auditing settings on object were changed.,"Windows Vista, Windows Server 2008"
+4908,unknown,Policy Change,Audit Policy Change,Special Groups Logon table modified.,"Windows Vista, Windows Server 2008"
+4909,unknown,Policy Change,Other Policy Change Events,The local policy settings for the TBS were changed.,"Windows Vista, Windows Server 2008"
+4910,unknown,Policy Change,Other Policy Change Events,The group policy settings for the TBS were changed.,"Windows Vista, Windows Server 2008"
+4911,unknown,Policy Change,Authorization Policy Change,Resource attributes of the object were changed.,"Windows 8, Windows Server 2012"
+4912,unknown,Policy Change,Audit Policy Change,Per User Audit Policy was changed.,"Windows Vista, Windows Server 2008"
+4913,unknown,Policy Change,Authorization Policy Change,Central Access Policy on the object was changed.,"Windows 8, Windows Server 2012"
+4928,unknown,DS Access,Detailed Directory Service Replication,An Active Directory replica source naming context was established.,"Windows Vista, Windows Server 2008"
+4929,unknown,DS Access,Detailed Directory Service Replication,An Active Directory replica source naming context was removed.,"Windows Vista, Windows Server 2008"
+4930,unknown,DS Access,Detailed Directory Service Replication,An Active Directory replica source naming context was modified.,"Windows Vista, Windows Server 2008"
+4931,success,DS Access,Detailed Directory Service Replication,An Active Directory replica destination naming context was modified.,"Windows Vista, Windows Server 2008"
+4932,success,DS Access,Directory Service Replication,Synchronization of a replica of an Active Directory naming context has begun.,"Windows Vista, Windows Server 2008"
+4933,failure,DS Access,Directory Service Replication,Synchronization of a replica of an Active Directory naming context has ended.,"Windows Vista, Windows Server 2008"
+4934,unknown,DS Access,Detailed Directory Service Replication,Attributes of an Active Directory object were replicated.,"Windows Vista, Windows Server 2008"
+4935,unknown,DS Access,Detailed Directory Service Replication,Replication failure begins.,"Windows Vista, Windows Server 2008"
+4936,unknown,DS Access,Detailed Directory Service Replication,Replication failure ends.,"Windows Vista, Windows Server 2008"
+4937,unknown,DS Access,Detailed Directory Service Replication,A lingering object was removed from a replica.,"Windows Vista, Windows Server 2008"
+4944,success,Policy Change,MPSSVC Rule-Level Policy Change,The following policy was active when the Windows Firewall started.,"Windows Vista, Windows Server 2008"
+4945,success,Policy Change,MPSSVC Rule-Level Policy Change,A rule was listed when the Windows Firewall started.,"Windows Vista, Windows Server 2008"
+4946,success,Policy Change,MPSSVC Rule-Level Policy Change,A change has been made to Windows Firewall exception list. A rule was added.,"Windows Vista, Windows Server 2008"
+4947,success,Policy Change,MPSSVC Rule-Level Policy Change,A change has been made to Windows Firewall exception list. A rule was modified.,"Windows Vista, Windows Server 2008"
+4948,success,Policy Change,MPSSVC Rule-Level Policy Change,A change has been made to Windows Firewall exception list. A rule was deleted.,"Windows Vista, Windows Server 2008"
+4949,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall settings were restored to the default values.,"Windows Vista, Windows Server 2008"
+4950,unknown,Policy Change,MPSSVC Rule-Level Policy Change,A Windows Firewall setting has changed.,"Windows Vista, Windows Server 2008"
+4951,failure,Policy Change,MPSSVC Rule-Level Policy Change,A rule has been ignored because its major version number was not recognized by Windows Firewall.,"Windows Vista, Windows Server 2008"
+4952,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.,"Windows Vista, Windows Server 2008"
+4953,failure,Policy Change,MPSSVC Rule-Level Policy Change,A rule has been ignored by Windows Firewall because it could not parse the rule.,"Windows Vista, Windows Server 2008"
+4954,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall Group Policy settings have changed. The new settings have been applied.,"Windows Vista, Windows Server 2008"
+4956,success,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall has changed the active profile.,"Windows Vista, Windows Server 2008"
+4957,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall did not apply the following rule:,"Windows Vista, Windows Server 2008"
+4958,unknown,Policy Change,MPSSVC Rule-Level Policy Change,Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:,"Windows Vista, Windows Server 2008"
+4960,unknown,System,IPsec Driver,"IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.","Windows Vista, Windows Server 2008"
+4961,unknown,System,IPsec Driver,"IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.","Windows Vista, Windows Server 2008"
+4962,unknown,System,IPsec Driver,IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.,"Windows Vista, Windows Server 2008"
+4963,unknown,System,IPsec Driver,IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.,"Windows Vista, Windows Server 2008"
+4964,unknown,Logon/Logoff,Special Logon,Special groups have been assigned to a new logon.,"Windows Vista, Windows Server 2008"
+4965,unknown,System,IPsec Driver,"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.","Windows Vista, Windows Server 2008"
+4976,unknown,Logon/Logoff,IPsec Main Mode,"During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","Windows Vista, Windows Server 2008"
+4977,unknown,Logon/Logoff,IPsec Quick Mode,"During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","Windows Vista, Windows Server 2008"
+4978,unknown,Logon/Logoff,IPsec Extended Mode,"During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.","Windows Vista, Windows Server 2008"
+4979,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008"
+4980,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008"
+4981,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008"
+4982,unknown,Logon/Logoff,IPsec Extended Mode,IPsec Main Mode and Extended Mode security associations were established.,"Windows Vista, Windows Server 2008"
+4983,unknown,Logon/Logoff,IPsec Extended Mode,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,"Windows Vista, Windows Server 2008"
+4984,unknown,Logon/Logoff,IPsec Extended Mode,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,"Windows Vista, Windows Server 2008"
+4985,success,Object Access,File System,The state of a transaction has changed.,"Windows Vista, Windows Server 2008"
+5024,success,System,Other System Events,The Windows Firewall Service has started successfully.,"Windows Vista, Windows Server 2008"
+5025,unknown,System,Other System Events,The Windows Firewall Service has been stopped.,"Windows Vista, Windows Server 2008"
+5027,unknown,System,Other System Events,The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.,"Windows Vista, Windows Server 2008"
+5028,unknown,System,Other System Events,The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.,"Windows Vista, Windows Server 2008"
+5029,unknown,System,Other System Events,The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.,"Windows Vista, Windows Server 2008"
+5030,unknown,System,Other System Events,The Windows Firewall Service failed to start.,"Windows Vista, Windows Server 2008"
+5031,unknown,Object Access,Filtering Platform Connection,The Windows Firewall Service blocked an application from accepting incoming connections on the network.,"Windows Vista, Windows Server 2008"
+5032,unknown,System,Other System Events,Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.,"Windows Vista, Windows Server 2008"
+5033,success,System,Other System Events,The Windows Firewall Driver has started successfully.,"Windows Vista, Windows Server 2008"
+5034,unknown,System,Other System Events,The Windows Firewall Driver has been stopped.,"Windows Vista, Windows Server 2008"
+5035,unknown,System,Other System Events,The Windows Firewall Driver failed to start.,"Windows Vista, Windows Server 2008"
+5037,unknown,System,Other System Events,The Windows Firewall Driver detected critical runtime error. Terminating.,"Windows Vista, Windows Server 2008"
+5038,unknown,System,System Integrity,Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.,"Windows Vista, Windows Server 2008"
+5039,unknown,Object Access,Registry,A registry key was virtualized.,"Windows Vista, Windows Server 2008"
+5040,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. An Authentication Set was added.,"Windows Vista, Windows Server 2008"
+5041,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. An Authentication Set was modified.,"Windows Vista, Windows Server 2008"
+5042,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. An Authentication Set was deleted.,"Windows Vista, Windows Server 2008"
+5043,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Connection Security Rule was added.,"Windows Vista, Windows Server 2008"
+5044,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Connection Security Rule was modified.,"Windows Vista, Windows Server 2008"
+5045,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Connection Security Rule was deleted.,"Windows Vista, Windows Server 2008"
+5046,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Crypto Set was added.,"Windows Vista, Windows Server 2008"
+5047,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Crypto Set was modified.,"Windows Vista, Windows Server 2008"
+5048,unknown,Policy Change,Filtering Platform Policy Change,A change has been made to IPsec settings. A Crypto Set was deleted.,"Windows Vista, Windows Server 2008"
+5049,unknown,Logon/Logoff,IPsec Main Mode,An IPsec Security Association was deleted.,"Windows Vista, Windows Server 2008"
+5051,unknown,Object Access,File System,A file was virtualized.,"Windows Vista, Windows Server 2008"
+5056,success,System,System Integrity,A cryptographic self test was performed.,"Windows Vista, Windows Server 2008"
+5057,unknown,System,System Integrity,A cryptographic primitive operation failed.,"Windows Vista, Windows Server 2008"
+5058,success,System,Other System Events,Key file operation.,"Windows Vista, Windows Server 2008"
+5059,success,System,Other System Events,Key migration operation.,"Windows Vista, Windows Server 2008"
+5060,unknown,System,System Integrity,Verification operation failed.,"Windows Vista, Windows Server 2008"
+5061,failure,System,System Integrity,Cryptographic operation.,"Windows Vista, Windows Server 2008"
+5062,unknown,System,System Integrity,A kernel-mode cryptographic self test was performed.,"Windows Vista, Windows Server 2008"
+5063,unknown,Policy Change,Other Policy Change Events,A cryptographic provider operation was attempted.,"Windows Vista, Windows Server 2008"
+5064,unknown,Policy Change,Other Policy Change Events,A cryptographic context operation was attempted.,"Windows Vista, Windows Server 2008"
+5065,unknown,Policy Change,Other Policy Change Events,A cryptographic context modification was attempted.,"Windows Vista, Windows Server 2008"
+5066,unknown,Policy Change,Other Policy Change Events,A cryptographic function operation was attempted.,"Windows Vista, Windows Server 2008"
+5067,unknown,Policy Change,Other Policy Change Events,A cryptographic function modification was attempted.,"Windows Vista, Windows Server 2008"
+5068,unknown,Policy Change,Other Policy Change Events,A cryptographic function provider operation was attempted.,"Windows Vista, Windows Server 2008"
+5069,unknown,Policy Change,Other Policy Change Events,A cryptographic function property operation was attempted.,"Windows Vista, Windows Server 2008"
+5070,unknown,Policy Change,Other Policy Change Events,A cryptographic function property modification was attempted.,"Windows Vista, Windows Server 2008"
+5136,success,DS Access,Directory Service Changes,A directory service object was modified.,"Windows Vista, Windows Server 2008"
+5137,unknown,DS Access,Directory Service Changes,A directory service object was created.,"Windows Vista, Windows Server 2008"
+5138,unknown,DS Access,Directory Service Changes,A directory service object was undeleted.,"Windows Vista, Windows Server 2008"
+5139,unknown,DS Access,Directory Service Changes,A directory service object was moved.,"Windows Vista, Windows Server 2008"
+5140,failure,Object Access,File Share,A network share object was accessed.,"Windows Vista, Windows Server 2008"
+5141,unknown,DS Access,Directory Service Changes,A directory service object was deleted.,"Windows Vista SP1, Windows Server 2008"
+5142,unknown,Object Access,File Share,A network share object was added.,"Windows 7, Windows Server 2008 R2"
+5143,success,Object Access,File Share,A network share object was modified.,"Windows 7, Windows Server 2008 R2"
+5144,unknown,Object Access,File Share,A network share object was deleted.,"Windows 7, Windows Server 2008 R2"
+5145,unknown,Object Access,Detailed File Share,A network share object was checked to see whether the client can be granted desired access.,"Windows 7, Windows Server 2008 R2"
+5148,unknown,Object Access,Other Object Access Events,The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.,"Windows 7, Windows Server 2008 R2"
+5149,unknown,Object Access,Other Object Access Events,The DoS attack has subsided and normal processing is being resumed.,"Windows 7, Windows Server 2008 R2"
+5150,unknown,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked a packet.,"Windows 7, Windows Server 2008 R2"
+5151,unknown,Object Access,Filtering Platform Connection,A more restrictive Windows Filtering Platform filter has blocked a packet.,"Windows 7, Windows Server 2008 R2"
+5152,failure,Object Access,Filtering Platform Packet Drop ,The Windows Filtering Platform blocked a packet.,"Windows Vista, Windows Server 2008"
+5153,unknown,Object Access,Filtering Platform Packet Drop ,A more restrictive Windows Filtering Platform filter has blocked a packet.,"Windows Vista, Windows Server 2008"
+5154,success,Object Access,Filtering Platform Connection,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,"Windows Vista, Windows Server 2008"
+5155,unknown,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,"Windows Vista, Windows Server 2008"
+5156,success,Object Access,Filtering Platform Connection,The Windows Filtering Platform has allowed a connection.,"Windows Vista, Windows Server 2008"
+5157,failure,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked a connection.,"Windows Vista, Windows Server 2008"
+5158,success,Object Access,Filtering Platform Connection,The Windows Filtering Platform has permitted a bind to a local port.,"Windows Vista, Windows Server 2008"
+5159,unknown,Object Access,Filtering Platform Connection,The Windows Filtering Platform has blocked a bind to a local port.,"Windows Vista, Windows Server 2008"
+5168,unknown,Object Access,File Share,Spn check for SMB/SMB2 failed.,"Windows 7, Windows Server 2008 R2"
+5376,unknown,Account Management,User Account Management,Credential Manager credentials were backed up.,"Windows Vista, Windows Server 2008"
+5377,unknown,Account Management,User Account Management,Credential Manager credentials were restored from a backup.,"Windows Vista, Windows Server 2008"
+5378,unknown,Logon/Logoff,Other Logon/Logoff Events,The requested credentials delegation was disallowed by policy.,"Windows Vista, Windows Server 2008"
+5440,success,Policy Change,Filtering Platform Policy Change,The following callout was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008"
+5441,success,Policy Change,Filtering Platform Policy Change,The following filter was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008"
+5442,success,Policy Change,Filtering Platform Policy Change,The following provider was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008"
+5443,unknown,Policy Change,Filtering Platform Policy Change,The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008"
+5444,success,Policy Change,Filtering Platform Policy Change,The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.,"Windows Vista, Windows Server 2008"
+5446,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform callout has been changed.,"Windows Vista, Windows Server 2008"
+5447,success,Policy Change,Other Policy Change Events,A Windows Filtering Platform filter has been changed.,"Windows Vista, Windows Server 2008"
+5448,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform provider has been changed.,"Windows Vista, Windows Server 2008"
+5449,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform provider context has been changed.,"Windows Vista, Windows Server 2008"
+5450,success,Policy Change,Filtering Platform Policy Change,A Windows Filtering Platform sub-layer has been changed.,"Windows Vista, Windows Server 2008"
+5451,unknown,Logon/Logoff,IPsec Quick Mode,An IPsec Quick Mode security association was established.,"Windows Vista, Windows Server 2008"
+5452,unknown,Logon/Logoff,IPsec Quick Mode,An IPsec Quick Mode security association ended.,"Windows Vista, Windows Server 2008"
+5453,unknown,Logon/Logoff,IPsec Main Mode,An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.,"Windows Vista, Windows Server 2008"
+5456,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine applied Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
+5457,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
+5458,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
+5459,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
+5460,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine applied local registry storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
+5461,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply local registry storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
+5462,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.,"Windows Vista, Windows Server 2008"
+5463,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine polled for changes to the active IPsec policy and detected no changes.,"Windows Vista, Windows Server 2008"
+5464,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.","Windows Vista, Windows Server 2008"
+5465,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.,"Windows Vista, Windows Server 2008"
+5466,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.","Windows Vista, Windows Server 2008"
+5467,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.","Windows Vista, Windows Server 2008"
+5468,unknown,Policy Change,Filtering Platform Policy Change,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.","Windows Vista, Windows Server 2008"
+5471,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine loaded local storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
+5472,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to load local storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
+5473,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine loaded directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
+5474,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to load directory storage IPsec policy on the computer.,"Windows Vista, Windows Server 2008"
+5477,unknown,Policy Change,Filtering Platform Policy Change,PAStore Engine failed to add quick mode filter.,"Windows Vista, Windows Server 2008"
+5478,unknown,System,IPsec Driver,IPsec Services has started successfully.,"Windows Vista, Windows Server 2008"
+5479,unknown,System,IPsec Driver,IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,"Windows Vista, Windows Server 2008"
+5480,unknown,System,IPsec Driver,IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,"Windows Vista, Windows Server 2008"
+5483,unknown,System,IPsec Driver,IPsec Services failed to initialize RPC server. IPsec Services could not be started.,"Windows Vista, Windows Server 2008"
+5484,unknown,System,IPsec Driver,IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,"Windows Vista, Windows Server 2008"
+5485,unknown,System,IPsec Driver,IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,"Windows Vista, Windows Server 2008"
+5632,unknown,Logon/Logoff,Other Logon/Logoff Events,A request was made to authenticate to a wireless network.,"Windows Vista, Windows Server 2008"
+5633,unknown,Logon/Logoff,Other Logon/Logoff Events,A request was made to authenticate to a wired network.,"Windows Vista, Windows Server 2008"
+5712,unknown,Detailed Tracking,RPC Events,A Remote Procedure Call (RPC) was attempted.,"Windows Vista, Windows Server 2008"
+5888,unknown,Object Access,Other Object Access Events,An object in the COM+ Catalog was modified.,"Windows Vista, Windows Server 2008"
+5889,unknown,Object Access,Other Object Access Events,An object was deleted from the COM+ Catalog.,"Windows Vista, Windows Server 2008"
+5890,unknown,Object Access,Other Object Access Events,An object was added to the COM+ Catalog.,"Windows Vista, Windows Server 2008"
+6144,success,Policy Change,Other Policy Change Events,Security policy in the group policy objects has been applied successfully.,"Windows Vista, Windows Server 2008"
+6145,unknown,Policy Change,Other Policy Change Events,One or more errors occurred while processing security policy in the group policy objects.,"Windows Vista, Windows Server 2008"
+6272,unknown,Logon/Logoff,Network Policy Server,Network Policy Server granted access to a user.,"Windows Vista SP1, Windows Server 2008"
+6273,unknown,Logon/Logoff,Network Policy Server,Network Policy Server denied access to a user.,"Windows Vista SP1, Windows Server 2008"
+6274,unknown,Logon/Logoff,Network Policy Server,Network Policy Server discarded the request for a user.,"Windows Vista SP1, Windows Server 2008"
+6275,unknown,Logon/Logoff,Network Policy Server,Network Policy Server discarded the accounting request for a user.,"Windows Vista SP1, Windows Server 2008"
+6276,unknown,Logon/Logoff,Network Policy Server,Network Policy Server quarantined a user.,"Windows Vista SP1, Windows Server 2008"
+6277,unknown,Logon/Logoff,Network Policy Server,Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.,"Windows Vista SP1, Windows Server 2008"
+6278,unknown,Logon/Logoff,Network Policy Server,Network Policy Server granted full access to a user because the host met the defined health policy.,"Windows Vista SP1, Windows Server 2008"
+6279,unknown,Logon/Logoff,Network Policy Server,Network Policy Server locked the user account due to repeated failed authentication attempts.,"Windows Vista SP1, Windows Server 2008"
+6280,unknown,Logon/Logoff,Network Policy Server,Network Policy Server unlocked the user account.,"Windows Vista SP1, Windows Server 2008"
+6281,unknown,System,System Integrity,Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error,"Windows 7, Windows Server 2008 R2"
+6400,unknown,System,Other System Events,BranchCache: Received an incorrectly formatted response while discovering availability of content. ,"Windows 7, Windows Server 2008 R2"
+6401,unknown,System,Other System Events,BranchCache: Received invalid data from a peer. Data discarded. ,"Windows 7, Windows Server 2008 R2"
+6402,unknown,System,Other System Events,BranchCache: The message to the hosted cache offering it data is incorrectly formatted. ,"Windows 7, Windows Server 2008 R2"
+6403,unknown,System,Other System Events,BranchCache: The hosted cache sent an incorrectly formatted response to the client.,"Windows 7, Windows Server 2008 R2"
+6404,unknown,System,Other System Events,BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. ,"Windows 7, Windows Server 2008 R2"
+6405,unknown,System,Other System Events,BranchCache: %2 instance(s) of event id %1 occurred.,"Windows 7, Windows Server 2008 R2"
+6406,unknown,System,Other System Events,%1 registered to Windows Firewall to control filtering for the following: %2,"Windows 7, Windows Server 2008 R2"
+6407,unknown,System,Other System Events,1%,"Windows 7, Windows Server 2008 R2"
+6408,unknown,System,Other System Events,Registered product %1 failed and Windows Firewall is now controlling the filtering for %2,"Windows 7, Windows Server 2008 R2"
diff --git a/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action_multiinput.csv b/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action_multiinput.csv
new file mode 100644
index 00000000..a73c5b48
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_action_multiinput.csv
@@ -0,0 +1,197 @@
+EventCode,action,Error_Code,Description
+4625,failure,0XC000005E,There are currently no logon servers available to service the logon request.
+4625,unknown,0xC0000064,User logon with misspelled or bad user account
+4625,failure,0xC000006A,User logon with misspelled or bad password
+4625,failure,0XC000006D,This is either due to a bad username or authentication information
+4625,failure,0XC000006E,Unknown user name or bad password.
+4625,failure,0XC000010B,Indicates an invalid value has been provided for the LogonType requested.
+4625,denied,0xC000006F,User logon outside authorized hours
+4625,denied,0xC0000070,User logon from unauthorized workstation
+4625,failure,0xC0000071,User logon with expired password
+4625,failure,0xC0000072,User logon to account disabled by administrator
+4625,failure,0XC00000DC,Indicates the Sam Server was in the wrong state to perform the desired operation.
+4625,error,0XC0000133,Clocks between DC and other computer too far out of sync
+4625,denied,0XC000015B,The user has not been granted the requested logon type (aka logon right) at this machine
+4625,failure,0XC000018C,The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
+4625,failure,0XC0000192,"An attempt was made to logon, but the Netlogon service was not started."
+4625,failure,0xC0000193,User logon with expired account
+4625,failure,0XC0000224,User is required to change password at next logon
+4625,error,0XC0000225,Evidently a bug in Windows and not a risk
+4625,denied,0xC0000234,User logon with account locked
+4625,failure,0XC00002EE,Failure Reason: An Error occurred during Logon
+4625,failure,0XC0000413,Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
+4625,failure,0x0,Status OK.
+4776,failure,0xC0000064,The username you typed does not exist. Bad username.
+4776,failure,0xC000006A,Account logon with misspelled or bad password.
+4776,failure,0xC000006D,Generic logon failure.
+4776,denied,0xC000006F,Account logon outside authorized hours.
+4776,denied,0xC0000070,Account logon from unauthorized workstation.
+4776,failure,0xC0000071,Account logon with expired password.
+4776,failure,0xC0000072,Account logon to account disabled by administrator.
+4776,failure,0xC0000193,Account logon with expired account.
+4776,failure,0xC0000224,Account logon with "Change Password at Next Logon" flagged.
+4776,failure,0xC0000234,Account logon with account locked.
+4776,failure,0xc0000371,The local account store does not contain secret material for the specified account.
+4776,success,0x0,No errors.
+4768,success,0x0,No error
+4768,failure,0x1,Client's entry in KDC database has expired
+4768,failure,0x2,Server's entry in KDC database has expired
+4768,failure,0x3,Requested Kerberos version number not supported
+4768,failure,0x4,Client's key encrypted in old master key
+4768,failure,0x5,Server's key encrypted in old master key
+4768,failure,0x6,Client not found in Kerberos database
+4768,failure,0x7,Server not found in Kerberos database
+4768,failure,0x8,Multiple principal entries in KDC database
+4768,failure,0x9,The client or server has a null key (master key)
+4768,failure,0xA,Ticket (TGT) not eligible for postdating
+4768,failure,0xB,Requested start time is later than end time
+4768,failure,0xC,Requested start time is later than end time
+4768,failure,0xD,KDC cannot accommodate requested option
+4768,failure,0xE,KDC has no support for encryption type
+4768,failure,0xF,KDC has no support for checksum type
+4768,failure,0x10,KDC has no support for PADATA type (pre-authentication data)
+4768,failure,0x11,KDC has no support for transited type
+4768,failure,0x12,Client's credentials have been revoked
+4768,failure,0x13,Credentials for server have been revoked
+4768,failure,0x14,TGT has been revoked
+4768,failure,0x15,Client not yet valid-try again later
+4768,failure,0x16,Server not yet valid-try again later
+4768,failure,0x17,Password has expired-change password to reset
+4768,failure,0x18,Pre-authentication information was invalid
+4768,failure,0x19,Additional pre-authentication required
+4768,failure,0x1A,KDC does not know about the requested server
+4768,failure,0x1B,KDC is unavailable
+4768,failure,0x1F,Integrity check on decrypted field failed
+4768,failure,0x20,The ticket has expired
+4768,failure,0x21,The ticket is not yet valid
+4768,failure,0x22,The request is a replay
+4768,failure,0x23,The ticket is not for us
+4768,failure,0x24,The ticket and authenticator do not match
+4768,failure,0x25,The clock skew is too great
+4768,failure,0x26,Network address in network layer header doesn't match address inside ticket
+4768,failure,0x27,Protocol version numbers don't match (PVNO)
+4768,failure,0x28,Message type is unsupported
+4768,failure,0x29,Message stream modified and checksum didn't match
+4768,failure,0x2A,Message out of order (possible tampering)
+4768,failure,0x2C,Specified version of key is not available
+4768,failure,0x2D,Service key not available
+4768,failure,0x2E,Mutual authentication failed
+4768,failure,0x2F,Incorrect message direction
+4768,failure,0x30,Alternative authentication method required
+4768,failure,0x31,Incorrect sequence number in message
+4768,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported)
+4768,failure,0x33,Desired path is unreachable
+4768,failure,0x34,Too much data
+4768,failure,0x3C,Generic error
+4768,failure,0x3D,Field is too long for this implementation
+4768,failure,0x3E,The client trust failed or is not implemented
+4768,failure,0x3F,The KDC server trust failed or could not be verified
+4768,failure,0x40,The signature is invalid
+4768,failure,0x41,A higher encryption level is needed
+4768,failure,0x42,User-to-user authorization is required
+4768,failure,0x43,No TGT was presented or available
+4768,failure,0x44,Incorrect domain or principal
+4769,success,0x0,No error
+4769,failure,0x1,Client's entry in KDC database has expired
+4769,failure,0x2,Server's entry in KDC database has expired
+4769,failure,0x3,Requested Kerberos version number not supported
+4769,failure,0x4,Client's key encrypted in old master key
+4769,failure,0x5,Server's key encrypted in old master key
+4769,failure,0x6,Client not found in Kerberos database
+4769,failure,0x7,Server not found in Kerberos database
+4769,failure,0x8,Multiple principal entries in KDC database
+4769,failure,0x9,The client or server has a null key (master key)
+4769,failure,0xA,Ticket (TGT) not eligible for postdating
+4769,failure,0xB,Requested start time is later than end time
+4769,failure,0xC,Requested start time is later than end time
+4769,failure,0xD,KDC cannot accommodate requested option
+4769,failure,0xE,KDC has no support for encryption type
+4769,failure,0xF,KDC has no support for checksum type
+4769,failure,0x10,KDC has no support for PADATA type (pre-authentication data)
+4769,failure,0x11,KDC has no support for transited type
+4769,failure,0x12,Client's credentials have been revoked
+4769,failure,0x13,Credentials for server have been revoked
+4769,failure,0x14,TGT has been revoked
+4769,failure,0x15,Client not yet valid try again later
+4769,failure,0x16,Server not yet valid try again later
+4769,failure,0x17,Password has expired change password to reset
+4769,failure,0x18,Pre-authentication information was invalid
+4769,failure,0x19,Additional pre-authentication required
+4769,failure,0x1A,KDC does not know about the requested server
+4769,failure,0x1B,KDC is unavailable
+4769,failure,0x1F,Integrity check on decrypted field failed
+4769,failure,0x20,The ticket has expired
+4769,failure,0x21,The ticket is not yet valid
+4769,failure,0x22,The request is a replay
+4769,failure,0x23,The ticket is not for us
+4769,failure,0x24,The ticket and authenticator do not match
+4769,failure,0x25,The clock skew is too great
+4769,failure,0x26,Network address in network layer header doesn't match address inside ticket
+4769,failure,0x27,Protocol version numbers don't match (PVNO)
+4769,failure,0x28,Message type is unsupported
+4769,failure,0x29,Message stream modified and checksum didn't match
+4769,failure,0x2A,Message out of order (possible tampering)
+4769,failure,0x2C,Specified version of key is not available
+4769,failure,0x2D,Service key not available
+4769,failure,0x2E,Mutual authentication failed
+4769,failure,0x2F,Incorrect message direction
+4769,failure,0x30,Alternative authentication method required
+4769,failure,0x31,Incorrect sequence number in message
+4769,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported)
+4769,failure,0x33,Desired path is unreachable
+4769,failure,0x34,Too much data
+4769,failure,0x3C,Generic error
+4769,failure,0x3D,Field is too long for this implementation
+4769,failure,0x3E,The client trust failed or is not implemented
+4769,failure,0x3F,The KDC server trust failed or could not be verified
+4769,failure,0x40,The signature is invalid
+4769,failure,0x41,A higher encryption level is needed
+4769,failure,0x42,User-to-user authorization is required
+4769,failure,0x43,No TGT was presented or available
+4769,failure,0x44,Incorrect domain or principal
+4771,failure,0x1,Client's entry in database has expired
+4771,failure,0x2,Server's entry in database has expired
+4771,failure,0x3,Requested protocol version # not supported
+4771,failure,0x4,Client's key encrypted in old master key
+4771,failure,0x5,Server's key encrypted in old master key
+4771,failure,0x6,Client not found in Kerberos database
+4771,failure,0x7,Server not found in Kerberos database
+4771,failure,0x8,Multiple principal entries in database
+4771,failure,0x9,The client or server has a null key
+4771,failure,0xA,Ticket not eligible for postdating
+4771,failure,0xB,Requested start time is later than end time
+4771,failure,0xC,KDC policy rejects request
+4771,failure,0xD,KDC cannot accommodate requested option
+4771,failure,0xE,KDC has no support for encryption type
+4771,failure,0xF,KDC has no support for checksum type
+4771,failure,0x10,KDC has no support for padata type
+4771,failure,0x11,KDC has no support for transited type
+4771,failure,0x12,Clients credentials have been revoked
+4771,failure,0x13,Credentials for server have been revoked
+4771,failure,0x14,TGT has been revoked
+4771,failure,0x15,Client not yet valid - try again later
+4771,failure,0x16,Server not yet valid - try again later
+4771,failure,0x17,Password has expired
+4771,failure,0x18,Pre-authentication information was invalid
+4771,failure,0x19,Additional pre-authentication required*
+4771,failure,0x1F,Integrity check on decrypted field failed
+4771,failure,0x20,Ticket expired
+4771,failure,0x21,Ticket not yet valid
+4771,failure,0x22,Request is a replay
+4771,failure,0x23,The ticket isn't for us
+4771,failure,0x24,Ticket and authenticator don't match
+4771,failure,0x25,Clock skew too great
+4771,failure,0x26,Incorrect net address
+4771,failure,0x27,Protocol version mismatch
+4771,failure,0x28,Invalid msg type
+4771,failure,0x29,Message stream modified
+4771,failure,0x2A,Message out of order
+4771,failure,0x2C,Specified version of key is not available
+4771,failure,0x2D,Service key not available
+4771,failure,0x2E,Mutual authentication failed
+4771,failure,0x2F,Incorrect message direction
+4771,failure,0x30,Alternative authentication method required*
+4771,failure,0x31,Incorrect sequence number in message
+4771,failure,0x32,Inappropriate type of checksum in message
+4771,failure,0x3C,Generic error
+4771,failure,0x3D,Field is too long for this implementation
diff --git a/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_errorcode_action.csv b/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_errorcode_action.csv
new file mode 100644
index 00000000..0518a53c
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/lookups/xmlsecurity_eventcode_errorcode_action.csv
@@ -0,0 +1,557 @@
+EventCode,action,Error_Code,Description,Category,Subcategory,os
+4608,success,-,Windows is starting up.,System,Security State Change,"Windows Vista, Windows Server 2008"
+4609,unknown,-,Windows is shutting down.,System,Security State Change,"Windows Vista, Windows Server 2008"
+4610,unknown,-,An authentication package has been loaded by the Local Security Authority.,System,Security System Extension,"Windows Vista, Windows Server 2008"
+4611,success,-,A trusted logon process has been registered with the Local Security Authority.,System,Security System Extension,"Windows Vista, Windows Server 2008"
+4612,unknown,-,"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.",System,System Integrity,"Windows Vista, Windows Server 2008"
+4614,unknown,-,A notification package has been loaded by the Security Account Manager.,System,Security System Extension,"Windows Vista, Windows Server 2008"
+4615,unknown,-,Invalid use of LPC port.,System,System Integrity,"Windows Vista, Windows Server 2008"
+4616,success,-,The system time was changed.,System,Security State Change,"Windows Vista, Windows Server 2008"
+4618,unknown,-,A monitored security event pattern has occurred.,System,System Integrity,"Windows Vista, Windows Server 2008"
+4621,unknown,-,Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.,System,Security State Change,"Windows Vista, Windows Server 2008"
+4622,unknown,-,A security package has been loaded by the Local Security Authority.,System,Security System Extension,"Windows Vista, Windows Server 2008"
+4624,success,-,An account was successfully logged on.,Logon/Logoff,Logon,"Windows Vista, Windows Server 2008"
+4626,unknown,-,User/Device claims information.,Logon/Logoff,Logon,"Windows 8, Windows Server 2012"
+4634,success,-,An account was logged off.,Logon/Logoff,Logoff,"Windows Vista, Windows Server 2008"
+4646,unknown,-,IKE DoS-prevention mode started.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
+4647,success,-,User initiated logoff.,Logon/Logoff,Logoff,"Windows Vista, Windows Server 2008"
+4648,success,-,A logon was attempted using explicit credentials.,Logon/Logoff,Logon,"Windows Vista, Windows Server 2008"
+4649,unknown,-,A replay attack was detected.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
+4650,unknown,-,An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
+4651,unknown,-,An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
+4652,unknown,-,An IPsec Main Mode negotiation failed.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
+4653,failure,-,An IPsec Main Mode negotiation failed.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
+4654,unknown,-,An IPsec Quick Mode negotiation failed.,Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008"
+4655,unknown,-,An IPsec Main Mode security association ended.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
+4656,failure,-,A handle to an object was requested.,Object Access,Handle Manipulation,"Windows Vista, Windows Server 2008"
+4657,unknown,-,A registry value was modified.,Object Access,Registry,"Windows Vista, Windows Server 2008"
+4658,success,-,The handle to an object was closed.,Object Access,Handle Manipulation,"Windows Vista, Windows Server 2008"
+4659,unknown,-,A handle to an object was requested with intent to delete.,Object Access,Special,"Windows Vista, Windows Server 2008"
+4660,unknown,-,An object was deleted.,Object Access,Special,"Windows Vista, Windows Server 2008"
+4661,success,-,A handle to an object was requested.,Object Access,Special,"Windows Vista, Windows Server 2008"
+4662,success,-,An operation was performed on an object.,DS Access,Directory Service Access,"Windows Vista, Windows Server 2008"
+4663,success,-,An attempt was made to access an object.,Object Access,Special,"Windows Vista, Windows Server 2008"
+4664,success,-,An attempt was made to create a hard link.,Object Access,File System,"Windows Vista, Windows Server 2008"
+4665,unknown,-,An attempt was made to create an application client context.,Object Access,Application Generated,"Windows Vista, Windows Server 2008"
+4666,unknown,-,An application attempted an operation:,Object Access,Application Generated,"Windows Vista, Windows Server 2008"
+4667,unknown,-,An application client context was deleted.,Object Access,Application Generated,"Windows Vista, Windows Server 2008"
+4668,unknown,-,An application was initialized.,Object Access,Application Generated,"Windows Vista, Windows Server 2008"
+4670,success,-,Permissions on an object were changed.,Policy Change,Subcategory (special),"Windows Vista, Windows Server 2008"
+4671,unknown,-,An application attempted to access a blocked ordinal through the TBS.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
+4672,success,-,Special privileges assigned to new logon.,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,"Windows Vista, Windows Server 2008"
+4673,failure,-,A privileged service was called.,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,"Windows Vista, Windows Server 2008"
+4674,success,-,An operation was attempted on a privileged object.,Privilege Use,Sensitive Privilege Use / Non Sensitive Privilege Use,"Windows Vista, Windows Server 2008"
+4675,unknown,-,SIDs were filtered.,Logon/Logoff,Logon,"Windows Vista, Windows Server 2008"
+4689,success,-,A process has exited.,Detailed Tracking,Process Termination,"Windows Vista, Windows Server 2008"
+4690,success,-,An attempt was made to duplicate a handle to an object.,Object Access,Handle Manipulation,"Windows Vista, Windows Server 2008"
+4691,unknown,-,Indirect access to an object was requested.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
+4692,unknown,-,Backup of data protection master key was attempted.,Detailed Tracking,DPAPI Activity,"Windows Vista, Windows Server 2008"
+4693,unknown,-,Recovery of data protection master key was attempted.,Detailed Tracking,DPAPI Activity,"Windows Vista, Windows Server 2008"
+4694,unknown,-,Protection of auditable protected data was attempted.,Detailed Tracking,DPAPI Activity,"Windows Vista, Windows Server 2008"
+4695,unknown,-,Unprotection of auditable protected data was attempted.,Detailed Tracking,DPAPI Activity,"Windows Vista, Windows Server 2008"
+4696,unknown,-,A primary token was assigned to process.,Detailed Tracking,Process Creation,"Windows Vista, Windows Server 2008"
+4697,unknown,-,A service was installed in the system.,System,Security System Extension,"Windows Vista, Windows Server 2008"
+4698,unknown,-,A scheduled task was created.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
+4699,unknown,-,A scheduled task was deleted.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
+4700,unknown,-,A scheduled task was enabled.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
+4701,unknown,-,A scheduled task was disabled.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
+4702,success,-,A scheduled task was updated.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
+4704,success,-,A user right was assigned.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008"
+4705,unknown,-,A user right was removed.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008"
+4706,unknown,-,A new trust was created to a domain.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008"
+4707,unknown,-,A trust to a domain was removed.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008"
+4709,unknown,-,IPsec Services was started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+4710,unknown,-,IPsec Services was disabled.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+4711,unknown,-,May contain any one of the following: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine applied Active Directory storage IPsec policy on the computer.PAStore Engine applied local registry storage IPsec policy on the computer.PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.PAStore Engine failed to apply local registry storage IPsec policy on the computer.PAStore Engine failed to apply some rules of the active IPsec policy on the computer.PAStore Engine failed to load directory storage IPsec policy on the computer.PAStore Engine loaded directory storage IPsec policy on the computer.PAStore Engine failed to load local storage IPsec policy on the computer.PAStore Engine loaded local storage IPsec policy on the computer.PAStore Engine polled for changes to the active IPsec policy and detected no changes.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+4712,unknown,-,IPsec Services encountered a potentially serious failure.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+4713,unknown,-,Kerberos policy was changed.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
+4714,unknown,-,Encrypted data recovery policy was changed.,Policy Change,Authorization Policy Change,"Windows Vista, Windows Server 2008"
+4715,unknown,-,The audit policy (SACL) on an object was changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
+4716,unknown,-,Trusted domain information was modified.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
+4717,success,-,System security access was granted to an account.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
+4718,unknown,-,System security access was removed from an account.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
+4719,unknown,-,System audit policy was changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
+4720,created,-,A user account was created.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4722,modified,-,A user account was enabled.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4723,modified,-,An attempt was made to change an account's password.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4724,modified,-,An attempt was made to reset an account's password.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4725,modified,-,A user account was disabled.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4726,deleted,-,A user account was deleted.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4727,success,-,A security-enabled global group was created.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4728,success,-,A member was added to a security-enabled global group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4729,success,-,A member was removed from a security-enabled global group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4730,unknown,-,A security-enabled global group was deleted.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4731,unknown,-,A security-enabled local group was created.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4732,success,-,A member was added to a security-enabled local group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4733,success,-,A member was removed from a security-enabled local group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4734,unknown,-,A security-enabled local group was deleted.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4735,success,-,A security-enabled local group was changed.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4737,success,-,A security-enabled global group was changed.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4738,modified,-,A user account was changed.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4739,unknown,-,Domain Policy was changed.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
+4740,unknown,-,A user account was locked out.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4742,modified,-,A computer account was changed.,Account Management,Computer Account Management,"Windows Vista, Windows Server 2008"
+4743,unknown,-,A computer account was deleted.,Account Management,Computer Account Management,"Windows Vista, Windows Server 2008"
+4744,unknown,-,A security-disabled local group was created.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4745,unknown,-,A security-disabled local group was changed.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4746,unknown,-,A member was added to a security-disabled local group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4747,unknown,-,A member was removed from a security-disabled local group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4748,unknown,-,A security-disabled local group was deleted.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4749,unknown,-,A security-disabled global group was created.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4750,unknown,-,A security-disabled global group was changed.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4751,unknown,-,A member was added to a security-disabled global group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4752,unknown,-,A member was removed from a security-disabled global group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4753,unknown,-,A security-disabled global group was deleted.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4754,success,-,A security-enabled universal group was created.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4755,success,-,A security-enabled universal group was changed.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4756,success,-,A member was added to a security-enabled universal group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4757,success,-,A member was removed from a security-enabled universal group.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4758,unknown,-,A security-enabled universal group was deleted.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4759,unknown,-,A security-disabled universal group was created.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4760,unknown,-,A security-disabled universal group was changed.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4761,unknown,-,A member was added to a security-disabled universal group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4762,unknown,-,A member was removed from a security-disabled universal group.,Account Management,Distribution Group Management,"Windows Vista, Windows Server 2008"
+4764,unknown,-,A group's type was changed.,Account Management,Security Group Management,"Windows Vista, Windows Server 2008"
+4765,unknown,-,SID History was added to an account.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4766,unknown,-,An attempt to add SID History to an account failed.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4767,modified,-,A user account was unlocked.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4770,success,-,A Kerberos service ticket was renewed.,Account Logon,Kerberos Service Ticket Operations,"Windows Vista, Windows Server 2008"
+4772,unknown,-,A Kerberos authentication ticket request failed.,Account Logon,Kerberos Authentication Service,"Windows Vista, Windows Server 2008"
+4774,unknown,-,An account was mapped for logon.,Account Logon,Credential Validation,"Windows Vista, Windows Server 2008"
+4775,unknown,-,An account could not be mapped for logon.,Account Logon,Credential Validation,"Windows Vista, Windows Server 2008"
+4777,unknown,-,The domain controller failed to validate the credentials for an account.,Account Logon,Credential Validation,"Windows Vista, Windows Server 2008"
+4778,success,-,A session was reconnected to a Window Station.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
+4779,success,-,A session was disconnected from a Window Station.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
+4780,success,-,The ACL was set on accounts which are members of administrators groups.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4781,unknown,-,The name of an account was changed:,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4782,unknown,-,The password hash an account was accessed.,Account Management,Other Account Management Events,"Windows Vista, Windows Server 2008"
+4783,unknown,-,A basic application group was created.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
+4784,unknown,-,A basic application group was changed.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
+4785,unknown,-,A member was added to a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
+4786,unknown,-,A member was removed from a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
+4787,unknown,-,A non-member was added to a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
+4788,unknown,-,A non-member was removed from a basic application group.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
+4789,unknown,-,A basic application group was deleted.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
+4790,unknown,-,An LDAP query group was created.,Account Management,Application Group Management,"Windows Vista, Windows Server 2008"
+4793,unknown,-,The Password Policy Checking API was called.,Account Management,Other Account Management Events,"Windows Vista, Windows Server 2008"
+4794,unknown,-,An attempt was made to set the Directory Services Restore Mode.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+4800,success,-,The workstation was locked.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
+4801,unknown,-,The workstation was unlocked.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
+4802,unknown,-,The screen saver was invoked.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
+4803,unknown,-,The screen saver was dismissed.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
+4816,unknown,-,RPC detected an integrity violation while decrypting an incoming message.,System,System Integrity,"Windows Vista, Windows Server 2008"
+4817,unknown,-,Auditing settings on an object were changed.,Policy Change,Audit Policy Change,"Windows 7, Windows Server 2008 R2"
+4818,unknown,-,Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy,Object Access,Central Policy Staging,"Windows 8, Windows Server 2012"
+4819,unknown,-,Central Access Policies on the machine have been changed.,Policy Change,Other Policy Change Events,"Windows 8, Windows Server 2012"
+4864,unknown,-,A namespace collision was detected.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
+4865,unknown,-,A trusted forest information entry was added.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
+4866,unknown,-,A trusted forest information entry was removed.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
+4867,unknown,-,A trusted forest information entry was modified.,Policy Change,Authentication Policy Change,"Windows Vista, Windows Server 2008"
+4868,unknown,-,The certificate manager denied a pending certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4869,unknown,-,Certificate Services received a resubmitted certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4870,unknown,-,Certificate Services revoked a certificate.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4871,unknown,-,Certificate Services received a request to publish the certificate revocation list (CRL).,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4872,unknown,-,Certificate Services published the certificate revocation list (CRL).,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4873,unknown,-,A certificate request extension changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4874,unknown,-,One or more certificate request attributes changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4875,unknown,-,Certificate Services received a request to shut down.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4876,unknown,-,Certificate Services backup started.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4877,unknown,-,Certificate Services backup completed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4878,unknown,-,Certificate Services restore started.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4879,unknown,-,Certificate Services restore completed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4880,unknown,-,Certificate Services started.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4881,unknown,-,Certificate Services stopped.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4882,unknown,-,The security permissions for Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4883,unknown,-,Certificate Services retrieved an archived key.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4884,unknown,-,Certificate Services imported a certificate into its database.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4885,unknown,-,The audit filter for Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4886,unknown,-,Certificate Services received a certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4887,unknown,-,Certificate Services approved a certificate request and issued a certificate.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4888,unknown,-,Certificate Services denied a certificate request.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4889,unknown,-,Certificate Services set the status of a certificate request to pending.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4890,unknown,-,The certificate manager settings for Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4891,unknown,-,A configuration entry changed in Certificate Services.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4892,unknown,-,A property of Certificate Services changed.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4893,unknown,-,Certificate Services archived a key.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4894,unknown,-,Certificate Services imported and archived a key.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4895,unknown,-,Certificate Services published the CA certificate to Active Directory Domain Services.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4896,unknown,-,One or more rows have been deleted from the certificate database.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4897,unknown,-,Role separation enabled:,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4898,unknown,-,Certificate Services loaded a template.,Object Access,Certification Services,"Windows Vista, Windows Server 2008"
+4902,success,-,The Per-user audit policy table was created.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
+4904,success,-,An attempt was made to register a security event source.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
+4905,success,-,An attempt was made to unregister a security event source.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
+4906,unknown,-,The CrashOnAuditFail value has changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
+4907,success,-,Auditing settings on object were changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
+4908,unknown,-,Special Groups Logon table modified.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
+4909,unknown,-,The local policy settings for the TBS were changed.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+4910,unknown,-,The group policy settings for the TBS were changed.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+4911,unknown,-,Resource attributes of the object were changed.,Policy Change,Authorization Policy Change,"Windows 8, Windows Server 2012"
+4912,unknown,-,Per User Audit Policy was changed.,Policy Change,Audit Policy Change,"Windows Vista, Windows Server 2008"
+4913,unknown,-,Central Access Policy on the object was changed.,Policy Change,Authorization Policy Change,"Windows 8, Windows Server 2012"
+4928,unknown,-,An Active Directory replica source naming context was established.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
+4929,unknown,-,An Active Directory replica source naming context was removed.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
+4930,unknown,-,An Active Directory replica source naming context was modified.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
+4931,success,-,An Active Directory replica destination naming context was modified.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
+4932,success,-,Synchronization of a replica of an Active Directory naming context has begun.,DS Access,Directory Service Replication,"Windows Vista, Windows Server 2008"
+4933,failure,-,Synchronization of a replica of an Active Directory naming context has ended.,DS Access,Directory Service Replication,"Windows Vista, Windows Server 2008"
+4934,unknown,-,Attributes of an Active Directory object were replicated.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
+4935,unknown,-,Replication failure begins.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
+4936,unknown,-,Replication failure ends.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
+4937,unknown,-,A lingering object was removed from a replica.,DS Access,Detailed Directory Service Replication,"Windows Vista, Windows Server 2008"
+4944,success,-,The following policy was active when the Windows Firewall started.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4945,success,-,A rule was listed when the Windows Firewall started.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4946,success,-,A change has been made to Windows Firewall exception list. A rule was added.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4947,success,-,A change has been made to Windows Firewall exception list. A rule was modified.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4948,success,-,A change has been made to Windows Firewall exception list. A rule was deleted.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4949,unknown,-,Windows Firewall settings were restored to the default values.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4950,unknown,-,A Windows Firewall setting has changed.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4951,failure,-,A rule has been ignored because its major version number was not recognized by Windows Firewall.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4952,unknown,-,Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4953,failure,-,A rule has been ignored by Windows Firewall because it could not parse the rule.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4954,unknown,-,Windows Firewall Group Policy settings have changed. The new settings have been applied.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4956,success,-,Windows Firewall has changed the active profile.,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4957,unknown,-,Windows Firewall did not apply the following rule:,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4958,unknown,-,Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:,Policy Change,MPSSVC Rule-Level Policy Change,"Windows Vista, Windows Server 2008"
+4960,unknown,-,"IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.",System,IPsec Driver,"Windows Vista, Windows Server 2008"
+4961,unknown,-,"IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.",System,IPsec Driver,"Windows Vista, Windows Server 2008"
+4962,unknown,-,IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
+4963,unknown,-,IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
+4964,unknown,-,Special groups have been assigned to a new logon.,Logon/Logoff,Special Logon,"Windows Vista, Windows Server 2008"
+4965,unknown,-,"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.",System,IPsec Driver,"Windows Vista, Windows Server 2008"
+4976,unknown,-,"During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
+4977,unknown,-,"During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008"
+4978,unknown,-,"During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.",Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
+4979,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
+4980,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
+4981,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
+4982,unknown,-,IPsec Main Mode and Extended Mode security associations were established.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
+4983,unknown,-,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
+4984,unknown,-,An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.,Logon/Logoff,IPsec Extended Mode,"Windows Vista, Windows Server 2008"
+4985,success,-,The state of a transaction has changed.,Object Access,File System,"Windows Vista, Windows Server 2008"
+5024,success,-,The Windows Firewall Service has started successfully.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5025,unknown,-,The Windows Firewall Service has been stopped.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5027,unknown,-,The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5028,unknown,-,The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5029,unknown,-,The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5030,unknown,-,The Windows Firewall Service failed to start.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5031,unknown,-,The Windows Firewall Service blocked an application from accepting incoming connections on the network.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
+5032,unknown,-,Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5033,success,-,The Windows Firewall Driver has started successfully.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5034,unknown,-,The Windows Firewall Driver has been stopped.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5035,unknown,-,The Windows Firewall Driver failed to start.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5037,unknown,-,The Windows Firewall Driver detected critical runtime error. Terminating.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5038,unknown,-,Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.,System,System Integrity,"Windows Vista, Windows Server 2008"
+5039,unknown,-,A registry key was virtualized.,Object Access,Registry,"Windows Vista, Windows Server 2008"
+5040,unknown,-,A change has been made to IPsec settings. An Authentication Set was added.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5041,unknown,-,A change has been made to IPsec settings. An Authentication Set was modified.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5042,unknown,-,A change has been made to IPsec settings. An Authentication Set was deleted.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5043,unknown,-,A change has been made to IPsec settings. A Connection Security Rule was added.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5044,unknown,-,A change has been made to IPsec settings. A Connection Security Rule was modified.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5045,unknown,-,A change has been made to IPsec settings. A Connection Security Rule was deleted.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5046,unknown,-,A change has been made to IPsec settings. A Crypto Set was added.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5047,unknown,-,A change has been made to IPsec settings. A Crypto Set was modified.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5048,unknown,-,A change has been made to IPsec settings. A Crypto Set was deleted.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5049,unknown,-,An IPsec Security Association was deleted.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
+5051,unknown,-,A file was virtualized.,Object Access,File System,"Windows Vista, Windows Server 2008"
+5056,success,-,A cryptographic self test was performed.,System,System Integrity,"Windows Vista, Windows Server 2008"
+5057,unknown,-,A cryptographic primitive operation failed.,System,System Integrity,"Windows Vista, Windows Server 2008"
+5058,success,-,Key file operation.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5059,success,-,Key migration operation.,System,Other System Events,"Windows Vista, Windows Server 2008"
+5060,unknown,-,Verification operation failed.,System,System Integrity,"Windows Vista, Windows Server 2008"
+5061,failure,-,Cryptographic operation.,System,System Integrity,"Windows Vista, Windows Server 2008"
+5062,unknown,-,A kernel-mode cryptographic self test was performed.,System,System Integrity,"Windows Vista, Windows Server 2008"
+5063,unknown,-,A cryptographic provider operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+5064,unknown,-,A cryptographic context operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+5065,unknown,-,A cryptographic context modification was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+5066,unknown,-,A cryptographic function operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+5067,unknown,-,A cryptographic function modification was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+5068,unknown,-,A cryptographic function provider operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+5069,unknown,-,A cryptographic function property operation was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+5070,unknown,-,A cryptographic function property modification was attempted.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+5136,success,-,A directory service object was modified.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008"
+5137,unknown,-,A directory service object was created.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008"
+5138,unknown,-,A directory service object was undeleted.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008"
+5139,unknown,-,A directory service object was moved.,DS Access,Directory Service Changes,"Windows Vista, Windows Server 2008"
+5140,failure,-,A network share object was accessed.,Object Access,File Share,"Windows Vista, Windows Server 2008"
+5141,unknown,-,A directory service object was deleted.,DS Access,Directory Service Changes,"Windows Vista SP1, Windows Server 2008"
+5142,unknown,-,A network share object was added.,Object Access,File Share,"Windows 7, Windows Server 2008 R2"
+5143,success,-,A network share object was modified.,Object Access,File Share,"Windows 7, Windows Server 2008 R2"
+5144,unknown,-,A network share object was deleted.,Object Access,File Share,"Windows 7, Windows Server 2008 R2"
+5145,unknown,-,A network share object was checked to see whether the client can be granted desired access.,Object Access,Detailed File Share,"Windows 7, Windows Server 2008 R2"
+5148,unknown,-,The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.,Object Access,Other Object Access Events,"Windows 7, Windows Server 2008 R2"
+5149,unknown,-,The DoS attack has subsided and normal processing is being resumed.,Object Access,Other Object Access Events,"Windows 7, Windows Server 2008 R2"
+5150,unknown,-,The Windows Filtering Platform has blocked a packet.,Object Access,Filtering Platform Connection,"Windows 7, Windows Server 2008 R2"
+5151,unknown,-,A more restrictive Windows Filtering Platform filter has blocked a packet.,Object Access,Filtering Platform Connection,"Windows 7, Windows Server 2008 R2"
+5152,failure,-,The Windows Filtering Platform blocked a packet.,Object Access,Filtering Platform Packet Drop ,"Windows Vista, Windows Server 2008"
+5153,unknown,-,A more restrictive Windows Filtering Platform filter has blocked a packet.,Object Access,Filtering Platform Packet Drop ,"Windows Vista, Windows Server 2008"
+5154,success,-,The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
+5155,unknown,-,The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
+5156,success,-,The Windows Filtering Platform has allowed a connection.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
+5157,failure,-,The Windows Filtering Platform has blocked a connection.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
+5158,success,-,The Windows Filtering Platform has permitted a bind to a local port.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
+5159,unknown,-,The Windows Filtering Platform has blocked a bind to a local port.,Object Access,Filtering Platform Connection,"Windows Vista, Windows Server 2008"
+5168,unknown,-,Spn check for SMB/SMB2 failed.,Object Access,File Share,"Windows 7, Windows Server 2008 R2"
+5376,unknown,-,Credential Manager credentials were backed up.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+5377,unknown,-,Credential Manager credentials were restored from a backup.,Account Management,User Account Management,"Windows Vista, Windows Server 2008"
+5378,unknown,-,The requested credentials delegation was disallowed by policy.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
+5440,success,-,The following callout was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5441,success,-,The following filter was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5442,success,-,The following provider was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5443,unknown,-,The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5444,success,-,The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5446,success,-,A Windows Filtering Platform callout has been changed.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5447,success,-,A Windows Filtering Platform filter has been changed.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+5448,success,-,A Windows Filtering Platform provider has been changed.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5449,success,-,A Windows Filtering Platform provider context has been changed.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5450,success,-,A Windows Filtering Platform sub-layer has been changed.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5451,unknown,-,An IPsec Quick Mode security association was established.,Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008"
+5452,unknown,-,An IPsec Quick Mode security association ended.,Logon/Logoff,IPsec Quick Mode,"Windows Vista, Windows Server 2008"
+5453,unknown,-,An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.,Logon/Logoff,IPsec Main Mode,"Windows Vista, Windows Server 2008"
+5456,unknown,-,PAStore Engine applied Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5457,unknown,-,PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5458,unknown,-,PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5459,unknown,-,PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5460,unknown,-,PAStore Engine applied local registry storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5461,unknown,-,PAStore Engine failed to apply local registry storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5462,unknown,-,PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5463,unknown,-,PAStore Engine polled for changes to the active IPsec policy and detected no changes.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5464,unknown,-,"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5465,unknown,-,PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5466,unknown,-,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5467,unknown,-,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5468,unknown,-,"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.",Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5471,unknown,-,PAStore Engine loaded local storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5472,unknown,-,PAStore Engine failed to load local storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5473,unknown,-,PAStore Engine loaded directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5474,unknown,-,PAStore Engine failed to load directory storage IPsec policy on the computer.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5477,unknown,-,PAStore Engine failed to add quick mode filter.,Policy Change,Filtering Platform Policy Change,"Windows Vista, Windows Server 2008"
+5478,unknown,-,IPsec Services has started successfully.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
+5479,unknown,-,IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
+5480,unknown,-,IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
+5483,unknown,-,IPsec Services failed to initialize RPC server. IPsec Services could not be started.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
+5484,unknown,-,IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
+5485,unknown,-,IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.,System,IPsec Driver,"Windows Vista, Windows Server 2008"
+5632,unknown,-,A request was made to authenticate to a wireless network.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
+5633,unknown,-,A request was made to authenticate to a wired network.,Logon/Logoff,Other Logon/Logoff Events,"Windows Vista, Windows Server 2008"
+5712,unknown,-,A Remote Procedure Call (RPC) was attempted.,Detailed Tracking,RPC Events,"Windows Vista, Windows Server 2008"
+5888,unknown,-,An object in the COM+ Catalog was modified.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
+5889,unknown,-,An object was deleted from the COM+ Catalog.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
+5890,unknown,-,An object was added to the COM+ Catalog.,Object Access,Other Object Access Events,"Windows Vista, Windows Server 2008"
+6144,success,-,Security policy in the group policy objects has been applied successfully.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+6145,unknown,-,One or more errors occurred while processing security policy in the group policy objects.,Policy Change,Other Policy Change Events,"Windows Vista, Windows Server 2008"
+6272,unknown,-,Network Policy Server granted access to a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
+6273,unknown,-,Network Policy Server denied access to a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
+6274,unknown,-,Network Policy Server discarded the request for a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
+6275,unknown,-,Network Policy Server discarded the accounting request for a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
+6276,unknown,-,Network Policy Server quarantined a user.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
+6277,unknown,-,Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
+6278,unknown,-,Network Policy Server granted full access to a user because the host met the defined health policy.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
+6279,unknown,-,Network Policy Server locked the user account due to repeated failed authentication attempts.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
+6280,unknown,-,Network Policy Server unlocked the user account.,Logon/Logoff,Network Policy Server,"Windows Vista SP1, Windows Server 2008"
+6281,unknown,-,Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error,System,System Integrity,"Windows 7, Windows Server 2008 R2"
+6400,unknown,-,BranchCache: Received an incorrectly formatted response while discovering availability of content. ,System,Other System Events,"Windows 7, Windows Server 2008 R2"
+6401,unknown,-,BranchCache: Received invalid data from a peer. Data discarded. ,System,Other System Events,"Windows 7, Windows Server 2008 R2"
+6402,unknown,-,BranchCache: The message to the hosted cache offering it data is incorrectly formatted. ,System,Other System Events,"Windows 7, Windows Server 2008 R2"
+6403,unknown,-,BranchCache: The hosted cache sent an incorrectly formatted response to the client.,System,Other System Events,"Windows 7, Windows Server 2008 R2"
+6404,unknown,-,BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. ,System,Other System Events,"Windows 7, Windows Server 2008 R2"
+6405,unknown,-,BranchCache: %2 instance(s) of event id %1 occurred.,System,Other System Events,"Windows 7, Windows Server 2008 R2"
+6406,unknown,-,%1 registered to Windows Firewall to control filtering for the following: %2,System,Other System Events,"Windows 7, Windows Server 2008 R2"
+6407,unknown,-,1%,System,Other System Events,"Windows 7, Windows Server 2008 R2"
+6408,unknown,-,Registered product %1 failed and Windows Firewall is now controlling the filtering for %2,System,Other System Events,"Windows 7, Windows Server 2008 R2"
+4625,failure,0XC000005E,There are currently no logon servers available to service the logon request.,,,
+4625,unknown,0xC0000064,User logon with misspelled or bad user account,,,
+4625,failure,0xC000006A,User logon with misspelled or bad password,,,
+4625,failure,0XC000006D,This is either due to a bad username or authentication information,,,
+4625,failure,0XC000006E,Unknown user name or bad password.,,,
+4625,failure,0XC000010B,Indicates an invalid value has been provided for the LogonType requested.,,,
+4625,denied,0xC000006F,User logon outside authorized hours,,,
+4625,denied,0xC0000070,User logon from unauthorized workstation,,,
+4625,failure,0xC0000071,User logon with expired password,,,
+4625,failure,0xC0000072,User logon to account disabled by administrator,,,
+4625,failure,0XC00000DC,Indicates the Sam Server was in the wrong state to perform the desired operation.,,,
+4625,error,0XC0000133,Clocks between DC and other computer too far out of sync,,,
+4625,denied,0XC000015B,The user has not been granted the requested logon type (aka logon right) at this machine,,,
+4625,failure,0XC000018C,The logon request failed because the trust relationship between the primary domain and the trusted domain failed.,,,
+4625,failure,0XC0000192,"An attempt was made to logon, but the Netlogon service was not started.",,,
+4625,failure,0xC0000193,User logon with expired account,,,
+4625,failure,0XC0000224,User is required to change password at next logon,,,
+4625,error,0XC0000225,Evidently a bug in Windows and not a risk,,,
+4625,denied,0xC0000234,User logon with account locked,,,
+4625,failure,0XC00002EE,Failure Reason: An Error occurred during Logon,,,
+4625,failure,0XC0000413,Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.,,,
+4625,failure,0x0,Status OK.,,,
+4776,failure,0xC0000064,The username you typed does not exist. Bad username.,,,
+4776,failure,0xC000006A,Account logon with misspelled or bad password.,,,
+4776,failure,0xC000006D,Generic logon failure.,,,
+4776,denied,0xC000006F,Account logon outside authorized hours.,,,
+4776,denied,0xC0000070,Account logon from unauthorized workstation.,,,
+4776,failure,0xC0000071,Account logon with expired password.,,,
+4776,failure,0xC0000072,Account logon to account disabled by administrator.,,,
+4776,failure,0xC0000193,Account logon with expired account.,,,
+4776,failure,0xC0000224,"Account logon with ""Change Password at Next Logon"" flagged.",,,
+4776,failure,0xC0000234,Account logon with account locked.,,,
+4776,failure,0xc0000371,The local account store does not contain secret material for the specified account.,,,
+4776,success,0x0,No errors.,,,
+4768,success,0x0,No error,,,
+4768,failure,0x1,Client's entry in KDC database has expired,,,
+4768,failure,0x2,Server's entry in KDC database has expired,,,
+4768,failure,0x3,Requested Kerberos version number not supported,,,
+4768,failure,0x4,Client's key encrypted in old master key,,,
+4768,failure,0x5,Server's key encrypted in old master key,,,
+4768,failure,0x6,Client not found in Kerberos database,,,
+4768,failure,0x7,Server not found in Kerberos database,,,
+4768,failure,0x8,Multiple principal entries in KDC database,,,
+4768,failure,0x9,The client or server has a null key (master key),,,
+4768,failure,0xA,Ticket (TGT) not eligible for postdating,,,
+4768,failure,0xB,Requested start time is later than end time,,,
+4768,failure,0xC,Requested start time is later than end time,,,
+4768,failure,0xD,KDC cannot accommodate requested option,,,
+4768,failure,0xE,KDC has no support for encryption type,,,
+4768,failure,0xF,KDC has no support for checksum type,,,
+4768,failure,0x10,KDC has no support for PADATA type (pre-authentication data),,,
+4768,failure,0x11,KDC has no support for transited type,,,
+4768,failure,0x12,Client's credentials have been revoked,,,
+4768,failure,0x13,Credentials for server have been revoked,,,
+4768,failure,0x14,TGT has been revoked,,,
+4768,failure,0x15,Client not yet valid-try again later,,,
+4768,failure,0x16,Server not yet valid-try again later,,,
+4768,failure,0x17,Password has expired-change password to reset,,,
+4768,failure,0x18,Pre-authentication information was invalid,,,
+4768,failure,0x19,Additional pre-authentication required,,,
+4768,failure,0x1A,KDC does not know about the requested server,,,
+4768,failure,0x1B,KDC is unavailable,,,
+4768,failure,0x1F,Integrity check on decrypted field failed,,,
+4768,failure,0x20,The ticket has expired,,,
+4768,failure,0x21,The ticket is not yet valid,,,
+4768,failure,0x22,The request is a replay,,,
+4768,failure,0x23,The ticket is not for us,,,
+4768,failure,0x24,The ticket and authenticator do not match,,,
+4768,failure,0x25,The clock skew is too great,,,
+4768,failure,0x26,Network address in network layer header doesn't match address inside ticket,,,
+4768,failure,0x27,Protocol version numbers don't match (PVNO),,,
+4768,failure,0x28,Message type is unsupported,,,
+4768,failure,0x29,Message stream modified and checksum didn't match	,,,
+4768,failure,0x2A,Message out of order (possible tampering),,,
+4768,failure,0x2C,Specified version of key is not available,,,
+4768,failure,0x2D,Service key not available,,,
+4768,failure,0x2E,Mutual authentication failed,,,
+4768,failure,0x2F,Incorrect message direction,,,
+4768,failure,0x30,Alternative authentication method required,,,
+4768,failure,0x31,Incorrect sequence number in message,,,
+4768,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported),,,
+4768,failure,0x33,Desired path is unreachable,,,
+4768,failure,0x34,Too much data,,,
+4768,failure,0x3C,Generic error,,,
+4768,failure,0x3D,Field is too long for this implementation,,,
+4768,failure,0x3E,The client trust failed or is not implemented,,,
+4768,failure,0x3F,The KDC server trust failed or could not be verified,,,
+4768,failure,0x40,The signature is invalid,,,
+4768,failure,0x41,A higher encryption level is needed,,,
+4768,failure,0x42,User-to-user authorization is required,,,
+4768,failure,0x43,No TGT was presented or available,,,
+4768,failure,0x44,Incorrect domain or principal,,,
+4769,success,0x0,No error,,,
+4769,failure,0x1,Client's entry in KDC database has expired,,,
+4769,failure,0x2,Server's entry in KDC database has expired,,,
+4769,failure,0x3,Requested Kerberos version number not supported,,,
+4769,failure,0x4,Client's key encrypted in old master key,,,
+4769,failure,0x5,Server's key encrypted in old master key,,,
+4769,failure,0x6,Client not found in Kerberos database,,,
+4769,failure,0x7,Server not found in Kerberos database,,,
+4769,failure,0x8,Multiple principal entries in KDC database,,,
+4769,failure,0x9,The client or server has a null key (master key),,,
+4769,failure,0xA,Ticket (TGT) not eligible for postdating,,,
+4769,failure,0xB,Requested start time is later than end time,,,
+4769,failure,0xC,Requested start time is later than end time,,,
+4769,failure,0xD,KDC cannot accommodate requested option,,,
+4769,failure,0xE,KDC has no support for encryption type,,,
+4769,failure,0xF,KDC has no support for checksum type,,,
+4769,failure,0x10,KDC has no support for PADATA type (pre-authentication data),,,
+4769,failure,0x11,KDC has no support for transited type,,,
+4769,failure,0x12,Client's credentials have been revoked,,,
+4769,failure,0x13,Credentials for server have been revoked,,,
+4769,failure,0x14,TGT has been revoked,,,
+4769,failure,0x15,Client not yet valid try again later,,,
+4769,failure,0x16,Server not yet valid try again later,,,
+4769,failure,0x17,Password has expired change password to reset,,,
+4769,failure,0x18,Pre-authentication information was invalid,,,
+4769,failure,0x19,Additional pre-authentication required,,,
+4769,failure,0x1A,KDC does not know about the requested server,,,
+4769,failure,0x1B,KDC is unavailable,,,
+4769,failure,0x1F,Integrity check on decrypted field failed,,,
+4769,failure,0x20,The ticket has expired,,,
+4769,failure,0x21,The ticket is not yet valid,,,
+4769,failure,0x22,The request is a replay,,,
+4769,failure,0x23,The ticket is not for us,,,
+4769,failure,0x24,The ticket and authenticator do not match,,,
+4769,failure,0x25,The clock skew is too great,,,
+4769,failure,0x26,Network address in network layer header doesn't match address inside ticket,,,
+4769,failure,0x27,Protocol version numbers don't match (PVNO),,,
+4769,failure,0x28,Message type is unsupported,,,
+4769,failure,0x29,Message stream modified and checksum didn't match,,,
+4769,failure,0x2A,Message out of order (possible tampering),,,
+4769,failure,0x2C,Specified version of key is not available,,,
+4769,failure,0x2D,Service key not available,,,
+4769,failure,0x2E,Mutual authentication failed,,,
+4769,failure,0x2F,Incorrect message direction,,,
+4769,failure,0x30,Alternative authentication method required,,,
+4769,failure,0x31,Incorrect sequence number in message,,,
+4769,failure,0x32,Inappropriate type of checksum in message (checksum may be unsupported),,,
+4769,failure,0x33,Desired path is unreachable,,,
+4769,failure,0x34,Too much data,,,
+4769,failure,0x3C,Generic error,,,
+4769,failure,0x3D,Field is too long for this implementation,,,
+4769,failure,0x3E,The client trust failed or is not implemented,,,
+4769,failure,0x3F,The KDC server trust failed or could not be verified,,,
+4769,failure,0x40,The signature is invalid,,,
+4769,failure,0x41,A higher encryption level is needed,,,
+4769,failure,0x42,User-to-user authorization is required,,,
+4769,failure,0x43,No TGT was presented or available,,,
+4769,failure,0x44,Incorrect domain or principal,,,
+4771,failure,0x1,Client's entry in database has expired,,,
+4771,failure,0x2,Server's entry in database has expired,,,
+4771,failure,0x3,Requested protocol version # not supported,,,
+4771,failure,0x4,Client's key encrypted in old master key,,,
+4771,failure,0x5,Server's key encrypted in old master key,,,
+4771,failure,0x6,Client not found in Kerberos database,,,
+4771,failure,0x7,Server not found in Kerberos database,,,
+4771,failure,0x8,Multiple principal entries in database,,,
+4771,failure,0x9,The client or server has a null key,,,
+4771,failure,0xA,Ticket not eligible for postdating,,,
+4771,failure,0xB,Requested start time is later than end time,,,
+4771,failure,0xC,KDC policy rejects request,,,
+4771,failure,0xD,KDC cannot accommodate requested option,,,
+4771,failure,0xE,KDC has no support for encryption type,,,
+4771,failure,0xF,KDC has no support for checksum type,,,
+4771,failure,0x10,KDC has no support for padata type,,,
+4771,failure,0x11,KDC has no support for transited type,,,
+4771,failure,0x12,Clients credentials have been revoked	,,,
+4771,failure,0x13,Credentials for server have been revoked,,,
+4771,failure,0x14,TGT has been revoked,,,
+4771,failure,0x15,Client not yet valid - try again later,,,
+4771,failure,0x16,Server not yet valid - try again later,,,
+4771,failure,0x17,Password has expired,,,
+4771,failure,0x18,Pre-authentication information was invalid,,,
+4771,failure,0x19,Additional pre-authentication required*,,,
+4771,failure,0x1F,Integrity check on decrypted field failed,,,
+4771,failure,0x20,Ticket expired,,,
+4771,failure,0x21,Ticket not yet valid,,,
+4771,failure,0x22,Request is a replay,,,
+4771,failure,0x23,The ticket isn't for us,,,
+4771,failure,0x24,Ticket and authenticator don't match	,,,
+4771,failure,0x25,Clock skew too great,,,
+4771,failure,0x26,Incorrect net address,,,
+4771,failure,0x27,Protocol version mismatch,,,
+4771,failure,0x28,Invalid msg type,,,
+4771,failure,0x29,Message stream modified,,,
+4771,failure,0x2A,Message out of order,,,
+4771,failure,0x2C,Specified version of key is not available,,,
+4771,failure,0x2D,Service key not available,,,
+4771,failure,0x2E,Mutual authentication failed,,,
+4771,failure,0x2F,Incorrect message direction,,,
+4771,failure,0x30,Alternative authentication method required*,,,
+4771,failure,0x31,Incorrect sequence number in message,,,
+4771,failure,0x32,Inappropriate type of checksum in message,,,
+4771,failure,0x3C,Generic error,,,
+4771,failure,0x3D,Field is too long for this implementation,,,
diff --git a/deployment-apps/Splunk_TA_windows/metadata/default.meta b/deployment-apps/Splunk_TA_windows/metadata/default.meta
new file mode 100644
index 00000000..744f4a22
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/metadata/default.meta
@@ -0,0 +1,5 @@
+# Application-level permissions
+
+[]
+access = read : [ * ], write : [ admin, sc_admin ]
+export = system
diff --git a/deployment-apps/Splunk_TA_windows/splunkbase.manifest b/deployment-apps/Splunk_TA_windows/splunkbase.manifest
new file mode 100644
index 00000000..594b21f2
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows/splunkbase.manifest
@@ -0,0 +1,349 @@
+{
+  "version": "1.0",
+  "date": "2023-12-07T14:55:04.880743212Z",
+  "hashAlgorithm": "SHA-256",
+  "app": {
+    "id": 742,
+    "version": "8.8.0",
+    "files": [
+      {
+        "path": "LICENSES/LicenseRef-Splunk-8-2021.txt",
+        "hash": "37906d637abbbeca35cfb2efcb658cabbc0208d101848372c1e55fbf9ba62e47"
+      },
+      {
+        "path": "README/transforms.conf.spec",
+        "hash": "607ea0cb0566ae97eb2c398eee32e883fd2ce125ff83a47b07ec78bb4f4a3ae6"
+      },
+      {
+        "path": "README.txt",
+        "hash": "3b5d020d8b1f20f96a023b8f37d11277f629b63130071bc5f4896727a402b1ae"
+      },
+      {
+        "path": "THIRDPARTY",
+        "hash": "4e7ebeca6b8f71ea66f0b3d7699b91917724ee6dbc168d46ea39d3c44792e91d"
+      },
+      {
+        "path": "VERSION",
+        "hash": "e4e224e961aa088cd881e1a1e9afdf13622ad419074538278e69ce00a52acaa3"
+      },
+      {
+        "path": "app.manifest",
+        "hash": "9dfd7091b4c5a38d125bf9d35f4d420bf0f47634f12f50b9fa71fea88cfe6f9f"
+      },
+      {
+        "path": "appserver/static/appIcon.png",
+        "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
+      },
+      {
+        "path": "appserver/static/appLogo.png",
+        "hash": "c19b2fc8219cd435a8d59d683c98590f5c0d198be4d0f5004a6af000266f64fd"
+      },
+      {
+        "path": "bin/Invoke-MonitoredScript.ps1",
+        "hash": "0146474b232f581fb8d7275809b7fa7a1d33260aaba6bf3f87150cfda4c59a51"
+      },
+      {
+        "path": "bin/log.py",
+        "hash": "d0dc08cd8fd0beba8312b63c34511a5ce9d8314db3526de42b306c801f95fe31"
+      },
+      {
+        "path": "bin/netsh_address.bat",
+        "hash": "d437daa86ca97b67cde2a2970dc2d7e3b377106c7cb8a8ba331b37ae825e9c05"
+      },
+      {
+        "path": "bin/powershell/2012r2-health.ps1",
+        "hash": "fb956717460f18c257fb15d5bbce79bc9d2017d1be15724a647bb4601316882b"
+      },
+      {
+        "path": "bin/powershell/2012r2-repl-stats.ps1",
+        "hash": "176427ac5b5baf5d2533a2c97a69015e94df44421795dd82acce702e8dfac60a"
+      },
+      {
+        "path": "bin/powershell/2012r2-siteinfo.ps1",
+        "hash": "dc6fa3b3fac0474f87f179bc11e530c95732e2803309b5ffd763acbaf8691171"
+      },
+      {
+        "path": "bin/powershell/dns-health.ps1",
+        "hash": "18465ca9ac26c5bc2edd3023f92dd0ac5978dcd9f28aeaa22d9ae685b4d6ecf8"
+      },
+      {
+        "path": "bin/powershell/dns-zoneinfo.ps1",
+        "hash": "b00d8981eb454ee68ac9c2648fedb8b3453eb39788727ee7afc1d16149e5152c"
+      },
+      {
+        "path": "bin/powershell/generate_windows_update_logs.ps1",
+        "hash": "cbf6b5321b923b7585a0dc652acbe030730b974ab64149df3d1ef054bb87394e"
+      },
+      {
+        "path": "bin/powershell/nt6-health.ps1",
+        "hash": "f5557ba97869931ab694589762febe36a37e0585590653915feaed259071132c"
+      },
+      {
+        "path": "bin/powershell/nt6-repl-stat.ps1",
+        "hash": "e97bab3d9eb8b15785c240ac80814638be20c2ce4a9fabeb23b9623e696bbf31"
+      },
+      {
+        "path": "bin/powershell/nt6-siteinfo.ps1",
+        "hash": "f51e87b154df9577aeda0641beac2861b73d9f9e044c54b8676836d443dbb3d4"
+      },
+      {
+        "path": "bin/powershell/windows_bios_data.ps1",
+        "hash": "eb685d39d95435b3c44e63776493f624bbdf13d0661b3799fa52885d2289ba47"
+      },
+      {
+        "path": "bin/runpowershell.cmd",
+        "hash": "2334c8d7368f3257ebc652dde990bef106cec539a33e076acd9296be2d7ba1c8"
+      },
+      {
+        "path": "bin/user_account_control_property.py",
+        "hash": "9adc1442351e66b4a2633913c4b1ff68c8f98a6aa744fdb28ec8ed7f72841e25"
+      },
+      {
+        "path": "bin/win_installed_apps.bat",
+        "hash": "deb67756a20e3c37a31fa77b8ba442e296213286951b4e22fddf2dbe78b0bceb"
+      },
+      {
+        "path": "bin/win_listening_ports.bat",
+        "hash": "894012fc9413df5a3ee6b311cdabfc97807d3704ab18eea82b085f9e05b49b46"
+      },
+      {
+        "path": "bin/win_timesync_configuration.bat",
+        "hash": "f95a829dd06f4c43e374dd8bdd2e55ca521e85d7b7277c77e90fadf48dc51944"
+      },
+      {
+        "path": "bin/win_timesync_status.bat",
+        "hash": "a4697f547c886efa541102de2e5a27057c4629b5ca66bb19d37d4cbe90dc9923"
+      },
+      {
+        "path": "default/app.conf",
+        "hash": "32d33afd2aa2b7544525f772570be7c331088c2189f2d2cb547fd486156995d5"
+      },
+      {
+        "path": "default/eventtypes.conf",
+        "hash": "be883df17a2e5896701786f6030c83a2b0bcefd88db7759661643ab1f18cb605"
+      },
+      {
+        "path": "default/inputs.conf",
+        "hash": "2f6fd871b7183936e21d1741ee9b8fc1faf7c025b42228d2e703dd4adab89927"
+      },
+      {
+        "path": "default/macros.conf",
+        "hash": "67dea90fd9f4af58c855011e33b4b735885aae43adc6dca577c1394da045b564"
+      },
+      {
+        "path": "default/props.conf",
+        "hash": "a5e05786d153f11fd8753e2a23a3b8a99cd9b42f25462d8d5fb7088efc33a94c"
+      },
+      {
+        "path": "default/tags.conf",
+        "hash": "2a2fd41f0e878294cac5b56991b0222bf732c6294aa4bd388165d766cfb14b1e"
+      },
+      {
+        "path": "default/transforms.conf",
+        "hash": "9400270257bbfa58d2c6099eeae8c59292c40aed84e4ce3c8e359cd4195f0f30"
+      },
+      {
+        "path": "default/wmi.conf",
+        "hash": "40fafadc47299a48bee522a1e6a2e76d60f63233e8a102d46716c1945f79c5ca"
+      },
+      {
+        "path": "default/workflow_actions.conf",
+        "hash": "d0bbb3d3c61b9e95258b312f3e4976fa297862e470063220e90b578fc3638929"
+      },
+      {
+        "path": "lookups/dns_recordclass_lookup.csv",
+        "hash": "56287694ff666ebab8d2c054d94a0b923e3f79ce3a7d7ea14437f4c682deaef9"
+      },
+      {
+        "path": "lookups/msad_group_type.csv",
+        "hash": "c312edb9dfe6394b2f76b9f1d820fede58f898bb259aaf6c9f1a6190619b777b"
+      },
+      {
+        "path": "lookups/msdhcp_signatures.csv",
+        "hash": "57d29d2602463528f543c9b7bf68f260853a36a0558b77649f403ad5c2cb010e"
+      },
+      {
+        "path": "lookups/object_category_850.csv",
+        "hash": "3307577d3c0ba11912808fb8c21ec89ba86354d5068517bdc389a0312a4cdb01"
+      },
+      {
+        "path": "lookups/status_850.csv",
+        "hash": "98f62611b8ae183f3023e551b7859aa7afcfa2145d3d2dc5b25261087e04d28b"
+      },
+      {
+        "path": "lookups/user_types.csv",
+        "hash": "cab5e002aceb2932f66954dd2de422da370c4eea9dcdaa907f2b1753d1a72ac4"
+      },
+      {
+        "path": "lookups/vendor_actions.csv",
+        "hash": "87b64b0da91a9d0c163ec63453ed2e1418b1ad24d7afd312f6b7766f92ff52a0"
+      },
+      {
+        "path": "lookups/windows_actions.csv",
+        "hash": "a696d510431d8532bf925bb21cc9d1a7d9efce9e40aa9abfea4e5a8244cfa85c"
+      },
+      {
+        "path": "lookups/windows_apps.csv",
+        "hash": "6433f2214fdad6f5d9b9a262d9ab2508f7d518ecf4db6177f69b464f5bec6285"
+      },
+      {
+        "path": "lookups/windows_audit_changes_860.csv",
+        "hash": "81d55853a22c2dd4916e88f20fe81d361597b367132b0e38bfb6fc3917b82bb7"
+      },
+      {
+        "path": "lookups/windows_dns_action_lookup.csv",
+        "hash": "d2a2a81bc00d607ba005c6338f91f35d37116c751ae7c1138f87a8f1a9bc7ff2"
+      },
+      {
+        "path": "lookups/windows_dns_query_type_lookup.csv",
+        "hash": "8ea42c212d95de76d951a543b6f18bebf8d61fd869929ceef8133e3d5433bdd8"
+      },
+      {
+        "path": "lookups/windows_endpoint_port_transport.csv",
+        "hash": "c995b304ce28c433921bc8400c680b11370188bac916778088c66f5f8b73a0e0"
+      },
+      {
+        "path": "lookups/windows_endpoint_service_service_name.csv",
+        "hash": "7142d61c5dd4ba693e73a8247c590f55e87aa7edb90cfbe2d4dfb2ff54ff15c6"
+      },
+      {
+        "path": "lookups/windows_endpoint_service_service_type.csv",
+        "hash": "0bfcf6dee4634d9a5803dd349591178ca4fc6da6268715d061f327a0650ac443"
+      },
+      {
+        "path": "lookups/windows_eventtypes.csv",
+        "hash": "6d82b9e2a3aeeed09e6d0b01bc46199b80d625c46681a64680ff288a90605917"
+      },
+      {
+        "path": "lookups/windows_privileges.csv",
+        "hash": "4582b04b8ec594d98348acd5c0ccd0be27000bfa051e05dd9209f7ad182764c2"
+      },
+      {
+        "path": "lookups/windows_severities.csv",
+        "hash": "1aadf97658ff11a71e754b2f632b42ec0fd359b8fc94cc87856fc20c12760924"
+      },
+      {
+        "path": "lookups/windows_signatures_860.csv",
+        "hash": "62d9f1c59d60f1e768252809a393b65bdb2749ee2e66f53319f0325a49a433a1"
+      },
+      {
+        "path": "lookups/windows_signatures_substatus_850.csv",
+        "hash": "f0fd99a056f81b8a45b841b5d792ba390c0f70435d3419072e22b873fc9eaa85"
+      },
+      {
+        "path": "lookups/windows_start_mode_lookup.csv",
+        "hash": "ba8555b54afc901bbcbf8c9a172239587c19dfd0a37bbacf46042d0345344387"
+      },
+      {
+        "path": "lookups/windows_timesync_actions.csv",
+        "hash": "7ca18948fd296b3d24f0df767a314e10ed6d6efc7ac2c12a6c740c4026dbc356"
+      },
+      {
+        "path": "lookups/windows_update_statii.csv",
+        "hash": "f0d914d816c982134abab6b9fdacf8e7bc1ebd6dee36faaa641786220fc84620"
+      },
+      {
+        "path": "lookups/windows_wineventlog_change_action_860.csv",
+        "hash": "40b7c908b3245066c0e4ba4d56d89e45759d3555ae9f76aeddae0fdcc923e1cd"
+      },
+      {
+        "path": "lookups/windows_wineventlog_change_object_fields_860.csv",
+        "hash": "0662a5e8aa80c933fccfb12678b5ba711eb61a47da8fc088ed95ae8a4a4e9f90"
+      },
+      {
+        "path": "lookups/wmi_user_account_status.csv",
+        "hash": "c29c91036d6d466a198fc52dcff55b91fbc8341c0b86c35c2ecc4e4e56ca3966"
+      },
+      {
+        "path": "lookups/wmi_version_range.csv",
+        "hash": "de15c72fcb18ccd890ffe8658f29329450c1ed0404506feef857386e54bce08e"
+      },
+      {
+        "path": "lookups/xmlsecurity_change_audit_and_account_management_860.csv",
+        "hash": "3f1e9ffbeab129b36855d0ac9ad3ff4e3b9b5f802b2db472b5264df486262086"
+      },
+      {
+        "path": "lookups/xmlsecurity_eventcode_action.csv",
+        "hash": "3fb7fc859d75d11d4366ba29bfd24e16445c4c0ca8aa1bcfd5ee5bae7b935d5c"
+      },
+      {
+        "path": "lookups/xmlsecurity_eventcode_action_multiinput.csv",
+        "hash": "14ef17a196b6745539abaf81ca9c8f0b19525d6d3aa8dcaf9378d2141a6ec3e5"
+      },
+      {
+        "path": "lookups/xmlsecurity_eventcode_errorcode_action.csv",
+        "hash": "737195c4e417e20d96dabd43c54c74272d91fe6f60f830b8285cb76d17dd3d82"
+      },
+      {
+        "path": "metadata/default.meta",
+        "hash": "06d4afd0a270c2b6f4cbb47cbf59fbb55180df866df034f575ac40ea7568cf48"
+      },
+      {
+        "path": "static/appIcon.png",
+        "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
+      },
+      {
+        "path": "static/appIconAlt.png",
+        "hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
+      },
+      {
+        "path": "static/appIconAlt_2x.png",
+        "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
+      },
+      {
+        "path": "static/appIconLg.png",
+        "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
+      },
+      {
+        "path": "static/appIconLg_2x.png",
+        "hash": "11ca7ef68587f5f1bacbbcb24b85924089724bcf02610b512f899fadac186f34"
+      },
+      {
+        "path": "static/appIcon_2x.png",
+        "hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
+      }
+    ]
+  },
+  "products": [
+    {
+      "platform": "splunk",
+      "product": "enterprise",
+      "versions": [
+        "8.2",
+        "9.0",
+        "9.1"
+      ],
+      "architectures": [
+        "x86_64"
+      ],
+      "operatingSystems": [
+        "windows",
+        "linux",
+        "macos",
+        "freebsd",
+        "solaris",
+        "aix"
+      ]
+    },
+    {
+      "platform": "splunk",
+      "product": "cloud",
+      "versions": [
+        "8.2",
+        "9.0",
+        "9.1"
+      ],
+      "architectures": [
+        "x86_64"
+      ],
+      "operatingSystems": [
+        "windows",
+        "linux",
+        "macos",
+        "freebsd",
+        "solaris",
+        "aix"
+      ]
+    }
+  ]
+}
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_windows/static/appIcon.png b/deployment-apps/Splunk_TA_windows/static/appIcon.png
new file mode 100644
index 0000000000000000000000000000000000000000..88f67e7257157937dd747b21af2c7af4d3432386
GIT binary patch
literal 3348
zcma)<2{=@HAIGO|3uDQ?moauRW5!r!EEzL)(?znh&=`Y>S<H;>RYdl!8)Zv)O(+#g
zWeN4h;963WrLIC_DM?ACYw*rUx9(H#a-QdZ&j0++@B8^J|K)j3it}Du5ugGP004;C
z+hJXKPc?oM*v7k$1M>2Ck4+3$TPr}-eWjPY7eShx7XttglH|8dfPz9f0ANcT$<34L
ziE}~`sALG<kLpW=M38AbYXHD30>$f+iA+2wf*ed?pd!q{>lP?ppFa!*gVs%$LFQmj
zoHGbRr4vDh5ClXYYykv;KxTA5f0QfMW<$<<GY1DUnKTp>8Xg`F2{(XH=>bp}5{ZQB
z!=Z4v9?wFL5lLa<BlIW?)i02*94wJRpp$4!5|sktbMd~^P^LK;%y;zHwGk(ohQs~k
zio)2)i<coZ0#Ad&Ao@@;8TvCNgXv2A7UWNr47W%c5$Z~0P($eiBF|j)XCNlY|37f}
zU)DqTnT%KO{~q^WHQ}Xf#<RxZP*@_J6h`#3p;O80g`wf;3?e^BbMV(FzgO{v>uI7$
z6b2JdArS4c7CaJ!MDjx+;0A_<L<B+)hQQ<X5HL7W&&1cjM2~1fz!MGqktW6nLo?_P
z^1sc&2HlTJ2qhCK%niC9k8Xo8wt>Nn5&Fh(eIpYX3=K2FV6aGxwK38dV}n3^C4VRV
zMmB@~knZ{-`!e@mYw@E~0~0Hl3DO3Qurfr#VAh5va5&c5NZ$sIHa37EOnB*RaKA~v
zbNc0*{g0K}z#{(__B-hh*k9?S01^csjQ!@CKN0_5slG(^6U29J_-hTtGvQ4Gp1*M{
zU}n%C#=f)XF;N&g5znO3-Kf-H3pD>c067OznN&s~l?K9KKyZB+0;Gk*6G#;Pp!RzC
z{wCVsnL+ux^t)aA<w#f`<(&x@K%VmJ`C<VqA0g%d00O)1v1m6>LALwBV5I=*)v4>X
zwX+{a+pA^=!tAn#heIF~)nLr4j6lcD*ks4uodkOl8WbXKC$KeTyIOpNB~Zf7%x!X$
zbQdNvFy7%}mYl#<R@)KNOx&ws`@);Gw{LxdN97Amb88KDnTnR~*xOOG(pR{)-1m8^
z&|rG4teQJPx}68bJlb!U6~AMGuC%=@PO#bG<blq!_$x9h#$C>C@+H47Lp2)Du10fg
zde`di-%{fATaQ~kzNd3$oBaOJM#n%FJ88l1oKY|^UcuEea<dvRUH8qH;x%qGBy()p
zt2Q%SDurtxZaK*f$@$})UvX<=8>OkD<Td8_zpNwkdRaT(Z<U=N=HybsN*4+%#0Xn^
z+MBu$Pg!gwQlsC`;Ehh93ynJ(Kb+84DF|V4th*An$!-xLC-ubEymU`ax0B!VR&V5%
zz|%036(6G&VHc@nv5MdonRh}{j-CsZ<7j_n#Qe+Vkl7DP!W!(B`Dzt^xu$r%{z#)p
zPS7v9OO^nt$jL25?Vz@sV{8A=CJeptn5syh?L4ggnl?RU+oiGcP)bm@d+}gHd?qor
z>_gKDeF=ij>}J;ON~^pKfzzsO(Sp#_0@Jc1q!ErIK4{>gZodm;R6RbYq*FLt=_xz`
z?|-RNCH5vcdr;f?f|yc@yO3~{cy)WrFS*@kR`i3;aZNNFGxw#4g*t%QQTg^U99J=d
z(3WsjEJdhH80n_I{~>$U6Z=H#s<^gDfvfu9WRKc$y@Cq~rB12$u!;H7*26mwd1GT=
zAGlDO;*i*RRxR~OnwV^Od4%l90zzRCBXId~lduZ1r+SOL3fxDdMZyh?7LmCQ?h<3u
zMPJ^N!p}P2GRSnVv?bS%;;)|}L?29z7wm?(c(~)e)EBZX-N<n|FDG_S3urHAh85ic
zp0KhIF~|sr^0}K5OI69$I|4x_7SMM4&#&0il|-O>-b*qOOh;LNZ}z=cw*ymOw-05m
z$u+vA)s^>+akBTcPH(@Hi8<d<)^k9-uK$JWh>mY>y}EivH};A`<AJ2$5cyLBuhC7@
zk;CQj2QS%oPU>j29iH;d(w-mj%^EfWN6*M5?nobdalE4@FF($u$Je7(Fra2uD1v*9
za>H<rHZ?@S$8<B~X3TV$k53<H(qD2s28os^sKozjd+L3EK+CDB#MZsK192Vais^}{
zme`|LrOU3zKJUHbczOWV1kEh>RE*vewYA)9N`ZN1m36qHJ2B(NXVHn#ikdpsj=Ef#
z2Zx@=#W)?puCZ+2_NOS1-F>6!B6*p8^OMGdU32V9zsAU#n=XrsCcq40L|T_$*i}7i
z9WS28;Jh*16he(7JTa=snmZOE{4t}X_LAa|tVYQ7Pu(W<L1J@yJ10~lN*iR|(e2F>
zx?7VRYTV!#O=5TKxi0(o;nA*&gg*<mE!MGN^tbyauEs1+RiF08sZ@H5XDhGhy4PM_
zYCTvD_UUA491uF3c0@Z;HvjhBo2CRUDIvehGUVR5PQ^&4(Y&$Ff8L%0CH^@vd?y?r
zZl3z4%3EotNv5qL>Nle*S6qK?@%=kVRRyXu&qlT<q`Kuu&)|1rnu|*&_PdnRsyJEB
z()~d$e^yGJ>2_0WkOGejls&ctH)svUP&w9>tZFM(=V-k-?xR!>^#1s(9#erJyxijE
zzVpcRp;ayr-XMH`bxx$|Sh;L&fXzb*#qxy;1qb==nF}>9{kX5$#`+77j_2i{v)MPA
z^tLa><)1O{+QPLu;AM<mx$RJ2+aS%B#UAa{_*hOC+<VU_pmk$1HTqqW$sfk)cYGR7
zFkZx{ZQgd=OQzXV;Bvk+2PofD9^2Nn^U9U7wkHgG6fCRg{uO771-E4qCv@ht*3^8@
zc>khL$x}x=-N~6=${2TG)=tgU)3dPSDS_&{FeP1Bd`u)?T5^cGcf6Vq0L!h<Ok4Xb
z?LVF43>mIptQK18ZJ_>gE7K32k<!rZ=~=|i*xD$WJyTh!ktI5EC*|{`yqQdD?5t;+
z%f9GUTjkmz8KK_@>S{obhwh<(Yc$C>{vD?)EFO9r#Gkv&vUABWOo;vSEv10kese%;
zhLeI48K`Y^Q6#mxeta&6)2zv+nP*^18z5JTY(pb74e!h4FkS>^h*)ZFPM{~k4H8k!
z%8jmRXD1C2Z!U%is>=>KKa!LD-~t!=gWG9|y>QV9*OlFH@?cp0l-|(-@rQKeq=upC
zU{YX4<%2<VeHJNM&w3xLROQJ9A#Hq(c{eQOibHYBw(Mi?G>dW44{opu!lItZ&)jm7
zOw0~hM%}C_B@5(-gIl{6?&8k*FDdVRwop?Q7n2rNgfe2)L({HW>71cw*0tZbI8^_L
zGl-4-X!_1+l}$mf9C}TBwh5OfE)+js!r5*2mbj@z+2b0z_qI-7a%?pB_f+p5;1*U>
zbNWZovzv;nBs8}vD@rX{o3YTyWWlao{_o}5mf*{>#<t0$^_oTspYvWcd>B_tKL5lc
zIDw|woFCd$@y_OX@_dq3)FzeRRjj1Lj%kd)w^tvY-CgJ7n=5*r9kF;ySxMbO6gc;h
zF+7GA^IcP`4>&5Z<j80`6EdYdF<G9@&F*t>F+hUZ3iHu<@$u9!r}(@CpUFc<s#aC{
zRXn6cm4uCnYA|uMe~{I)>2B=Fg_FrqdA%=kBAy$Mgrzk)B^`T~cd-KKdJyu|Mjc69
zJ7iSpg*e@kExF_R!reX#xw;ZAD2JC!y<w5_rKesu=18=G#zDEpQ#VvEXiMp*zTGYk
jrax`GyestT{v~MTSw^BnV~!X9SH<3XFSg3+NZh{xjo5?@

literal 0
HcmV?d00001

diff --git a/deployment-apps/Splunk_TA_windows/static/appIconAlt.png b/deployment-apps/Splunk_TA_windows/static/appIconAlt.png
new file mode 100644
index 0000000000000000000000000000000000000000..88f67e7257157937dd747b21af2c7af4d3432386
GIT binary patch
literal 3348
zcma)<2{=@HAIGO|3uDQ?moauRW5!r!EEzL)(?znh&=`Y>S<H;>RYdl!8)Zv)O(+#g
zWeN4h;963WrLIC_DM?ACYw*rUx9(H#a-QdZ&j0++@B8^J|K)j3it}Du5ugGP004;C
z+hJXKPc?oM*v7k$1M>2Ck4+3$TPr}-eWjPY7eShx7XttglH|8dfPz9f0ANcT$<34L
ziE}~`sALG<kLpW=M38AbYXHD30>$f+iA+2wf*ed?pd!q{>lP?ppFa!*gVs%$LFQmj
zoHGbRr4vDh5ClXYYykv;KxTA5f0QfMW<$<<GY1DUnKTp>8Xg`F2{(XH=>bp}5{ZQB
z!=Z4v9?wFL5lLa<BlIW?)i02*94wJRpp$4!5|sktbMd~^P^LK;%y;zHwGk(ohQs~k
zio)2)i<coZ0#Ad&Ao@@;8TvCNgXv2A7UWNr47W%c5$Z~0P($eiBF|j)XCNlY|37f}
zU)DqTnT%KO{~q^WHQ}Xf#<RxZP*@_J6h`#3p;O80g`wf;3?e^BbMV(FzgO{v>uI7$
z6b2JdArS4c7CaJ!MDjx+;0A_<L<B+)hQQ<X5HL7W&&1cjM2~1fz!MGqktW6nLo?_P
z^1sc&2HlTJ2qhCK%niC9k8Xo8wt>Nn5&Fh(eIpYX3=K2FV6aGxwK38dV}n3^C4VRV
zMmB@~knZ{-`!e@mYw@E~0~0Hl3DO3Qurfr#VAh5va5&c5NZ$sIHa37EOnB*RaKA~v
zbNc0*{g0K}z#{(__B-hh*k9?S01^csjQ!@CKN0_5slG(^6U29J_-hTtGvQ4Gp1*M{
zU}n%C#=f)XF;N&g5znO3-Kf-H3pD>c067OznN&s~l?K9KKyZB+0;Gk*6G#;Pp!RzC
z{wCVsnL+ux^t)aA<w#f`<(&x@K%VmJ`C<VqA0g%d00O)1v1m6>LALwBV5I=*)v4>X
zwX+{a+pA^=!tAn#heIF~)nLr4j6lcD*ks4uodkOl8WbXKC$KeTyIOpNB~Zf7%x!X$
zbQdNvFy7%}mYl#<R@)KNOx&ws`@);Gw{LxdN97Amb88KDnTnR~*xOOG(pR{)-1m8^
z&|rG4teQJPx}68bJlb!U6~AMGuC%=@PO#bG<blq!_$x9h#$C>C@+H47Lp2)Du10fg
zde`di-%{fATaQ~kzNd3$oBaOJM#n%FJ88l1oKY|^UcuEea<dvRUH8qH;x%qGBy()p
zt2Q%SDurtxZaK*f$@$})UvX<=8>OkD<Td8_zpNwkdRaT(Z<U=N=HybsN*4+%#0Xn^
z+MBu$Pg!gwQlsC`;Ehh93ynJ(Kb+84DF|V4th*An$!-xLC-ubEymU`ax0B!VR&V5%
zz|%036(6G&VHc@nv5MdonRh}{j-CsZ<7j_n#Qe+Vkl7DP!W!(B`Dzt^xu$r%{z#)p
zPS7v9OO^nt$jL25?Vz@sV{8A=CJeptn5syh?L4ggnl?RU+oiGcP)bm@d+}gHd?qor
z>_gKDeF=ij>}J;ON~^pKfzzsO(Sp#_0@Jc1q!ErIK4{>gZodm;R6RbYq*FLt=_xz`
z?|-RNCH5vcdr;f?f|yc@yO3~{cy)WrFS*@kR`i3;aZNNFGxw#4g*t%QQTg^U99J=d
z(3WsjEJdhH80n_I{~>$U6Z=H#s<^gDfvfu9WRKc$y@Cq~rB12$u!;H7*26mwd1GT=
zAGlDO;*i*RRxR~OnwV^Od4%l90zzRCBXId~lduZ1r+SOL3fxDdMZyh?7LmCQ?h<3u
zMPJ^N!p}P2GRSnVv?bS%;;)|}L?29z7wm?(c(~)e)EBZX-N<n|FDG_S3urHAh85ic
zp0KhIF~|sr^0}K5OI69$I|4x_7SMM4&#&0il|-O>-b*qOOh;LNZ}z=cw*ymOw-05m
z$u+vA)s^>+akBTcPH(@Hi8<d<)^k9-uK$JWh>mY>y}EivH};A`<AJ2$5cyLBuhC7@
zk;CQj2QS%oPU>j29iH;d(w-mj%^EfWN6*M5?nobdalE4@FF($u$Je7(Fra2uD1v*9
za>H<rHZ?@S$8<B~X3TV$k53<H(qD2s28os^sKozjd+L3EK+CDB#MZsK192Vais^}{
zme`|LrOU3zKJUHbczOWV1kEh>RE*vewYA)9N`ZN1m36qHJ2B(NXVHn#ikdpsj=Ef#
z2Zx@=#W)?puCZ+2_NOS1-F>6!B6*p8^OMGdU32V9zsAU#n=XrsCcq40L|T_$*i}7i
z9WS28;Jh*16he(7JTa=snmZOE{4t}X_LAa|tVYQ7Pu(W<L1J@yJ10~lN*iR|(e2F>
zx?7VRYTV!#O=5TKxi0(o;nA*&gg*<mE!MGN^tbyauEs1+RiF08sZ@H5XDhGhy4PM_
zYCTvD_UUA491uF3c0@Z;HvjhBo2CRUDIvehGUVR5PQ^&4(Y&$Ff8L%0CH^@vd?y?r
zZl3z4%3EotNv5qL>Nle*S6qK?@%=kVRRyXu&qlT<q`Kuu&)|1rnu|*&_PdnRsyJEB
z()~d$e^yGJ>2_0WkOGejls&ctH)svUP&w9>tZFM(=V-k-?xR!>^#1s(9#erJyxijE
zzVpcRp;ayr-XMH`bxx$|Sh;L&fXzb*#qxy;1qb==nF}>9{kX5$#`+77j_2i{v)MPA
z^tLa><)1O{+QPLu;AM<mx$RJ2+aS%B#UAa{_*hOC+<VU_pmk$1HTqqW$sfk)cYGR7
zFkZx{ZQgd=OQzXV;Bvk+2PofD9^2Nn^U9U7wkHgG6fCRg{uO771-E4qCv@ht*3^8@
zc>khL$x}x=-N~6=${2TG)=tgU)3dPSDS_&{FeP1Bd`u)?T5^cGcf6Vq0L!h<Ok4Xb
z?LVF43>mIptQK18ZJ_>gE7K32k<!rZ=~=|i*xD$WJyTh!ktI5EC*|{`yqQdD?5t;+
z%f9GUTjkmz8KK_@>S{obhwh<(Yc$C>{vD?)EFO9r#Gkv&vUABWOo;vSEv10kese%;
zhLeI48K`Y^Q6#mxeta&6)2zv+nP*^18z5JTY(pb74e!h4FkS>^h*)ZFPM{~k4H8k!
z%8jmRXD1C2Z!U%is>=>KKa!LD-~t!=gWG9|y>QV9*OlFH@?cp0l-|(-@rQKeq=upC
zU{YX4<%2<VeHJNM&w3xLROQJ9A#Hq(c{eQOibHYBw(Mi?G>dW44{opu!lItZ&)jm7
zOw0~hM%}C_B@5(-gIl{6?&8k*FDdVRwop?Q7n2rNgfe2)L({HW>71cw*0tZbI8^_L
zGl-4-X!_1+l}$mf9C}TBwh5OfE)+js!r5*2mbj@z+2b0z_qI-7a%?pB_f+p5;1*U>
zbNWZovzv;nBs8}vD@rX{o3YTyWWlao{_o}5mf*{>#<t0$^_oTspYvWcd>B_tKL5lc
zIDw|woFCd$@y_OX@_dq3)FzeRRjj1Lj%kd)w^tvY-CgJ7n=5*r9kF;ySxMbO6gc;h
zF+7GA^IcP`4>&5Z<j80`6EdYdF<G9@&F*t>F+hUZ3iHu<@$u9!r}(@CpUFc<s#aC{
zRXn6cm4uCnYA|uMe~{I)>2B=Fg_FrqdA%=kBAy$Mgrzk)B^`T~cd-KKdJyu|Mjc69
zJ7iSpg*e@kExF_R!reX#xw;ZAD2JC!y<w5_rKesu=18=G#zDEpQ#VvEXiMp*zTGYk
jrax`GyestT{v~MTSw^BnV~!X9SH<3XFSg3+NZh{xjo5?@

literal 0
HcmV?d00001

diff --git a/deployment-apps/Splunk_TA_windows/static/appIconAlt_2x.png b/deployment-apps/Splunk_TA_windows/static/appIconAlt_2x.png
new file mode 100644
index 0000000000000000000000000000000000000000..c638b3f159fc4047a35e86d577c49cb0234f6933
GIT binary patch
literal 6738
zcma)Bby!sC+a6LH1W6HwMrs(kTV&{^Lt=mdhMHj*O36V$1OaJ8LMf4uP6?$`9h8t1
z7(i5F5NY_(-Tm!;*X|eRx=y|4zVGLLo;Ut@Pn@ygO==1@3IG5=4bjmuxwz~6JjqBe
zuIAtBZeH97{7i0Y0IJ5=KVQ6%BXz9(002scpC<v}(PI_>fEWWevqD=L=qorQyv3j{
z2q&0WkT>!I4FD(wDO@~y!_ZJ*khhnQpF)r__b-IP#q-Z*5I67_1nsHJZDn8#)I^|Q
zKxr{4F>!7c3Lp@ugmQ6JFwxTfgMRU*%<YawBNafPz`#JUKuIwK$_)gTmzM{LOMoOK
zL@yAce!)IyXppFnAJ6Y1f9hz#{G3s6BpQzJ0shp5IwAbg%G}&P1O4at!>2dWz~Dcj
zeEj~%>mox?5EKali;080y+QxR^h2A#{xbQmOh2<=Bn)H%^F#QfoM9Jmo_`ZU!(IOe
zou6NRS@<{FMZN!b-~Xw}MaoJSXafTUEf@+O0CUksA-sPT1_?#^!G4-l=Kj;=-&sG2
zztU8I`}m=uKF%<Rmdb^a7#!}RASEFwEe(^B5(P^^p`ub?33*XDCrLR`n4B{dChaOO
zCo3hb1o{X4zxBZ%>MjUpe{Yx%`VV!N3w3QxS#2;_R!Uq}LR>};3|0rrXliQ7Yu=ER
zm(|pklKNBmZ`8k(l|cVU_tzl%z3>05#Xo~e%4vY*<h9kMG^FLh;2Y9%5)xWBWW=>4
z)MX{XQgRpR{Gt07^>0Cc{|5PIrT&nW|G#AaM*WAZ5en`G_knt8{T2FWNBsXv^}Dlw
zk@#DfpJPqo0&>v}(4P}W1*`=6N88`<7n%y1C>RutK$#&BUMlK8*8`xjI|7aHb4MV7
znwmffaj+Cn&;aTT_xag){a5+^8|e={CD6}V`nOs8`;zdh^<qs>p}1iFxxT1SluW}i
z002ffL`&T)hyZtsG9kCuUuC~#e{+03cK@^8i*I&6BEexqGQIvzRL>L0b#<|X8V?Gd
zLKqsJK7VTQ{0bku+@jcEyySY?-6C^$v)>A?lTd)cpi5VsoujD37Mt2VU+f15ZrwQ!
zbvrxU3g4Rd&oF;q-&S`L=sNaTUUDtRZ*1gb-)SMUvq|}CQgP23!_Hyoqe9-`xDSw6
z3A^d>$Xfovt?gES+9amwv6TS}6(hTu`=KL_G#@L~I`o7~;w8s;`Bk!eiSl%;buh$h
z@7qr46N&f8iBFek4++xJ?Y(0BlC&Lb%PL&3){wsOqk6k09ZV0G7E<>R0FGFuU5u1&
zfzvlG`b|vR2C!04WR!}79CJ(>PE6UVG_nlxxtD6IA9*Q!(IevBQKSKoVbJABUf`!^
zH9$fwVeUDD2|Jzb47(T%26ugga;n5k^gJ!5oX&N;^qyR+IqBj75r9m$){qLbQrt_7
zAt2$WlW4Iqrr|N{=0{9pDg1^_vzYOW6Qbc<ryhIL-v=`<k=Fxz7^!n3(SR(Mv`b>E
zn!QT(?4j$f_LM`+vI3qegm<-uYl7&mHUOEV1iPJBQb$rH^X21oB2C0OKIACAh`$tc
z1=vuIp-I?iHDG?b=JJ8XD9?k50nlSX%(q&wAs;dIHsU^dBvm3-h*;|ZhUM9kSs2z?
z-37Uik|+%A2x9fWA(5;Gclz`eW9UOh!NXQFet1$c{_>zcf{w~2nTVpUfG8(YpOp-f
z7}s!KDRuQlo<aWgBe||-t7qhqlxP7RMf=iqR%93}_}=bGGh8P0{(~oD%kLbPFS9TL
z;~zr_%~|8)vb&{jx;Z)S6g2i>)WDY?^Y*ug{idh+@SHY<P}Ajr^OY09pf8x7k&XJT
z%l3}0Qy|y};dfZ;p*~2q$>ss{0EwwlWWdFnYc#{Y*G1GOHI3Y^aS5i_b$V(42)B<7
zvk#UDEg6zh7&okF5HuRY%#tSDl);(h1@A!7CG(_+s4I2}YJx!GKGD|`t0ZDoDfV-I
zYEvv)FMdN->;d=tfR-cdqH@|!OG#1D%Nm<9h`Ax|GJ@M2)|dBW=Cwdi8(5s*mdD7v
zb`nV)9E9>T%#ESavZqp-nk47V+pN#ZB^af~N{kG(3~%-ln}e9VqDferhO#ruj%!&y
zQftZYp^9h4$J0e#jFv9feb2^QhppCqUjFui9#~`?-oUN1-^_B;`KvFW&g3gqvsq_F
zkNk+sNjCmB+86eM!fGMqI#g4u^<TtF+=H*K`@9@g)E{v3H7-&sUEuWz_)#!8h~uke
z)n@M~S*!CK{1SivS~vD0&bR0m+*(Om^c(R@KvD)b=5C;vhgbCjdF$sDm6%U!VglQ}
z@rZE1wYmenavkBWQ7-;PN<zg>7Xit|VLD->TE;}TNB11nh1N~qDtJpf<ZXBxBWoNj
z*9yp7Nd{N>PmJ%<f?_ad^wJ~&1NtSrsRng&-cRX2dzqxK9@}+d)EH_h#+{A(FYL*o
zLgtnz9YvIqb&bhw#OZtwsw<9e6D%vD4snd~s)iD)aD796j8B=DM!)RQxUmSSb|aB-
z7*Y0tG}$XI79NH*E_bTEg0yHR2&8&e(1<UWm91C*8BjEjBR$S6|1Ke;35O4$ciToK
zfX8upkO1OBS|s&e@ZF+DgKUFPf->7yrtiQ2p;kVK_n~8@+1)P$u4KEqW%`~*?Bf~N
za|Xvo-;V?l$H^$m`O?JacFk@;d$}$ZvC9!B3{qp$v>m++k+staRbF}@bR+1ayAl$5
zK$<(3LzY=cg|B4{Qaz8-?9;lf<72yHiyaSWzs0ec$+;D(q0K-<Pm`hHs!MoQ-2)iG
zxYvDc-XVZjd8Y3hT}x)B4Rg>X#IXp75-rCTOJK#?shjj*=qLKT&ZvNG%@(;vOD65x
zyzKV~o258BFqd{=<ht9YsbQwh!Z8@uWo?Qtwr2B@!NhzSENN)|xUdLjJ5f??7J!NV
z_7iF<0y$Q&aWo+ximUOajOgjhkRJ@RI<P}RlCPstZ7Vgo;Xum5Zwkg1g*Hr4(T^c+
zFkWB7Du)jHs!rG3gq|2&F_F<At|qA<gw>*)*uskB%X;el6pt2ouWMO(Ri=)d(3@}P
zG*62-CuBuz+d2eoEzTd+ON*wvL(J&Qif%QdE$kJyYnAplRk;fcb;;tHwlC2UYNR|(
zc`L+1#?y}>cxlF81-mV<=RBix^74IJ<8ahW2e&k(2ksK+r2S>^l0#ABcbmJ>zI}8!
zKGhnqnD#p@BfleezzEz*xAS{r<->`-fcmU@r)eSU`cg|$CxN0?bX?ImID$2u7q3@C
z%llA86dV$rqdQKbm13NbF_5J`%$nB>wB$D&iu=T4V%s>2(<?4>G(PIH&ph@yNt|uK
zaa@0p=45Zp%69EFq4^*-g9eVU7o!|1$F;ScSv?Pl=gZ)T@XzbQ>^Yi}4fQ^3pQ5iC
zzzld?2bGOm>C9y{`|?VHb8p%%o1|M4d|@}ryBz*mcm0ic*OYs;c<4ddl_)D2O3#Sn
zggy|&?lX05MR7bk>Szg)<)pje$yVIvdo3-5_H>(C<Rp+-H;IqHwOeL->I_yEC+5pI
z*<8?;$61hPcGeKzG%Q+~-)&ay$jY$ITJ(l$E8V}6cJP~QsP3y4sVRXZ)#E^XY|^|y
zlFI2MRuy@<W<a26zS_>m>pbCBVmoLLmy5Lv7g!;Mxi2-}n*0v8I^E(aF&}13=<h8#
z2CjI@uM2C^2pc&0b#d-dA9`{zJG9J<_Q=!zwsk8x#+J3ti5D87#9wY3ZfbKi0|<0o
zX<t4r<~4f?@R!=Ve-7+?Gd2)JSbi0r@@DR&t@gQRWm=}iK+D;}tBA2l?$&q`z?h2u
zi5|YpU|;uU4#BC{0z6K8NRHP0gd)M+bYCVbEEgMAyB2)-aSSy0e8c{*Fqc*j_L;Ed
zc;c9kFw=IS!8%X=fVyS3?-&MKW1BvI#nF7r$|CTErLu~`9sRu7!)NT9Gtp|d1WIq(
zlhSb=BBl7s;qSyLJQO5U1mEmAWO#qJtX}UnVctl)_x|~4L>xd~rT?)a^Bm>b<B<d%
z%iTQ_Hqq2qp9rQygG!|)>IK#Gaui*BaTasrwW*Mnz}-n)MuV+++0;Rn6v##d8c{~R
zIs}-xRb#z5^Mk~?vDtL6u;#M${Ot#Qbo9++-(Zx*WmPw3UO0~I8+G#7;iR!9{<*V+
z@(9j5=00t{v1XPZFo+tn7@=ZP+{SaZ>6e=p4Wu?OAYB?`ZaH1lX6C}3r5UV!Xs4IM
zZfH-fME1S@YQf?oWI>LlSE|6(+jK;FPud0|Y4-;_x0Hp?Dr)K<lf2tn+?vHZ?QoTm
z`4380PMX9Zi#uD7b5L{i#P(JYJ<S}nbVcgT`J<Q+-_h>s$9qG8D?NAcM(2B$wbk|7
z9L>AXGTUYyOUaC8?k4mC4pZm3rH7{loy2{$Ixd(!EDzL!$YHE9v}e~NJ=4o8f}Aw?
z>7A{ldS0)vjC=q&??55E3?Ik3>^SWCotF!3O83s!s!CTDZz2YjXE;*$Mu%M>;}Y<)
zX6r{x^+Tmi^My=>BY8<VmWZAA+vT;!*(YD#oM}AL6!yPl8Sy?(9MGhHw4rnI?7PfD
z<h3F@#Yv5K`6}O2q$XrM+n-jLwAxteE*L&+ypf9(E_}bK*|xHfq$GAZXi{Ku(>TKY
zNrJgI^>F>x+x3Ez{h2odv`OuelB3+y=u;+mmBYw~NIVZ<h<G1Z0lZhRnQ20P9PHSG
z$U-8iNHv56B3bCWeFiHZ!QEHxpX^qtW`-*^7|Gb*DJNXnKQ1nNu4(9?!heUR;|bFh
zBg3xNZfr}@&A@(IBaRHH7vU4fdjjF|0Y}yEyZA^l{Wsr^*-`Bl-cf%@Wr0$X=A9cY
zFP?}adEh_#x<4la)S;~)tj6_>ZbWO>`>xxkNhzf1?lBvdbzGzM^icu3UV<*@NJ3CT
zM}nl_VCPemgm?(#%LhsiKv-<Z)*Pi=9o6ur-Z4&iF8@PrELA8G^UAE1s>O7Vg1#mb
z)bhk-j$j0G!_mV!E@l{4nVK|Q#@S9JYdA1i!+^E*iwfDLG!j-bYR3~De%w?|7yXbs
z1yxPMtI>)Cm-Y0I8gzy1QAO5sv@+91D!r(e^?wdZ>ea?QI8{y8(+s7v68dr*k<$CX
z8*4nn+f@HG*);TKjWeILTGhrZ@J)wl(ziCtD8*6;p!wL2V`I|V(p)6%!Ccc2&vAb8
zrAHR<6GtM;JAnD!&38?()B6uvhioTi#RRy*Cu<PHF9PRd=f2Q1JI7Uh?cizi1;UV)
zHAk;}V;ETDY5Qb+(<v>iotWg}7*vdwNqZs600(Bq2&@qF6-4D*cjYT$UkZOGI--U+
z)l31JLHv<7_QQO6l>N&P`;N2s0WIQOs4HvF)>O{x343x~cN+o+ctA_Q;7tPS`HAaS
zEqqcC=AA+?WJ}CP?QcfWug{*59(rGG`XUxMQ*sTj-VY@{A;s}IlQF$FwH7|F*+RJV
z;y<8vABkdXiu5?n9=sS*&J45Nr~x)mj&A-q>abkt4eS&iz3d$PkyA{=MM7MMgCqNO
zfp00s<2GJEbX|BdiZ4*<ql}#lG2rvq%lzUU**Hyp(G<uxQ(-g+$lU*`JoL9rGjkE+
zm}R%bje>kDJnLb)M+EvPl=W_>WW!Q*FUiTL_@u#X%2IT>{lv#eZ#nKewBIH)xoHy^
zAF@sRpMZl`1yoJKLEU3h<T%zOnrqQ|Kt2=Sim&wgUM3vjXCPekWEj=Fy7IRl0TpJ*
z<{XvtjXM0gUw911J;Nu(NY4s3?12_ltYZ(A{=FRt++A<^@r`6`^HLG=9qw9UhD;)|
zOVdjteen~kcZ?ycJ`->uYT;vs^3IPNr_r7e;!L&hTTGMwdT*9KP)yZO#;&~YQor8a
z0L;4^tnFD;8eA#z>{<HRD?ilAiHf}9No|E!i=_o<rpT>0FtPLc+NGr7n8eE4j!MW4
ze|G-kPaT=CQ*7J!M480FPTv)h?VB}<KFRTxV*^hl5nbjyw{;90pG=6f=mo6`C0Pt1
zy^Is{RCy8kx9Kg@Wv*XZk2BM6eI%o!=iQc&NIQ6D`eNypj7YBBfSC6>p|{n%;x1EP
zN725T(AbxokY{EVjovBP6qJ0>h8qh0U8>@xS)j>TvS~P}QeH~2Cz}?5LI*QIz7s_q
z?fW8|J=L$~G);gSrrazkiseysHWO0h3ax2!VTo-$au?l{o)iC^{5|Pf$`h?ldk0}n
z^)jIrrofg{aodL__^aO)URyFUBhwwf7LZJ8e|*c4URT3o!dw<rAy&a|*f>>5|JgTT
zmtTY}LCUm9P^q*dq_DB{iJ(!ZCIcsAp@)@SPu#NJ*Yav&e(G+Gvq>bt#G!-Wl2)H+
z9lV-$m>HZTrz6VfIYPqPALqr^i8gTKjU?ya5wX>aI18}-F*Q$VLf;Ex03JdMUpX3E
zW=JmIxhB+?d#@?bp8Oy$MqT>B;^V%tu10aO#91ck3}{M-!RtZp*3Zvt9sqXf^(EIJ
zIg_M$edOYZ?avAF%hj~b8iHi@&19gwuU}}19UuDoGq+Nw#$AJ&E0krLCM<s+brLXu
z9d-<o3x15^Joqe$USv1PCU={kGT!DvopQ-{LG+7U4nJx$6oEMzpJI@RClbC{2(cad
ze)W)zwQR4d2MoC5^tksdj+hoT_?>t|d5SvD^O0eh2<l{T!4ICf;eIe=8J>q8D&o$D
z2ojPc@Q(HK;#c-%L-!bCYUNhfwsWZ5#H^k{N^)E8a4JT)G4p8B2paNcenq3M*h+M<
z7CWjw4+?WY*@$I~5@w|YQkjg%1xO8nC9drwS69;e>|0#!tO{C`WTrR-^q~o!QuMrj
zYZqZAt1Rn?C0j{7bBe;n=T*s!=Skw~mP2lZ%^<Yp{Z~mzsYVoX-T{(h)gIkQT8N)^
z(SI%SxXEjV(hr|JgU5Q6*apxzuR4t+OWT6dY%6^Fg(iN0-95mmsYj-F(&prw7b>t%
zb&4$#{hzq3CT`I}WEc^_t>nqE*ZURQhvqZb!!HlId>64v>`u%moNC#Sy8q)hd*O#I
z@AC6Ve1Tc59h;85T+g$gd~Ie{l;GO8iD>d-DGB>{-NxQFe<<6i=H$?<$<=LzUaqCA
zc6SOdl$TiIZc9x%fuS;95myaYe+5-bl=lG5n3Dtx&)3Qro-PJXxCoDwqE<~s!d3P*
z8m7Nz3%#ph>r!(bEL$grqYHG8SV$REZmG|k<1_3?nXb?muPa*U`UQFC_1hPjJO&9g
z=`aUUZ5{L;P*rA$V6S9V)BpvY#5JNQlZ)SCu2h_W1%GX*%+A8=m7-gQWer~8jo^8W
zuNIf^4$)g1O6%_Drq%4~6v^OgPsvzU@L5^H{)x<HZhelIh)j{912xy{g`9o$@@MF*
zyOHA6+Dlf+>WS;0ySuSU$DA7@Z^BS=Z&R}#v$!OKCp3jM;=2oO?Jn|^wq1&6S0k0b
z8tzq)cd5Bq$Yu-7A{S&8@!qEEQy(WT;CL(v6P4V+`$fGaiW@3EA#G$gvV3ELHzL-L
zS<<&(TGA<6I}iVOMVbBfaAUi8lTvgrmjiST&y0Oxk#CT%6m0x~_m=H5St=6NbFbtH
z*YTx#e0!!uR^Ggm{WLr;Wg1Mmdp&`Kc-TR$!^8h#$AhfM^SamxTGvIWW7Kcp1lnG{
zB5K4sz-5*9Iz%B%uj!;wB{k#%H&BdQ^tBHZ)E-I=OtI)RF|5ZCtyBgNo06i)F1En(
z6Bn?eot1BRFHDr7s5K_;T@jTa0LGG%b}!eTI>qEFJUlPF@?vwtC-JNgBMyfxu1q^}
zPORyn&=U!qh9(i{Edil=?o-Y3*g=UmxY-YnGnSq%h8C{Btna&ec{e8d34(*qU-%SD
zxGjgUDC^+3Qg?t-h)0|ru21d}UsekamsekHdBk4$&LPT*{T_MyKr>6SB=FU3zyfa=
z$OMoWD7=?Z+C755vO2zF+lp)2%U-GbEO|prosje(T>1)Smzpqvn%Cm~+xskJCxKBV
zr~UKw!?#Wfpl=%hG<jFHb&9tYdETOPj0#`7M1E2gFJh*4<!6=4#ZzUB;F(t~=Fu&<
z{Hk`AP?=CX?iq1E%Gi)k(n(xBS<II1p+R6^4$ZbOGebN^4?sy0{N*bQuAuWU06*mt
z>>b)VE9}{df;xa4pgEOyf~^``ty;U?0{kyK?W(do%u(WAnEmkcM-SwNp;ncKBj&#V
DQ5yUX

literal 0
HcmV?d00001

diff --git a/deployment-apps/Splunk_TA_windows/static/appIconLg.png b/deployment-apps/Splunk_TA_windows/static/appIconLg.png
new file mode 100644
index 0000000000000000000000000000000000000000..c638b3f159fc4047a35e86d577c49cb0234f6933
GIT binary patch
literal 6738
zcma)Bby!sC+a6LH1W6HwMrs(kTV&{^Lt=mdhMHj*O36V$1OaJ8LMf4uP6?$`9h8t1
z7(i5F5NY_(-Tm!;*X|eRx=y|4zVGLLo;Ut@Pn@ygO==1@3IG5=4bjmuxwz~6JjqBe
zuIAtBZeH97{7i0Y0IJ5=KVQ6%BXz9(002scpC<v}(PI_>fEWWevqD=L=qorQyv3j{
z2q&0WkT>!I4FD(wDO@~y!_ZJ*khhnQpF)r__b-IP#q-Z*5I67_1nsHJZDn8#)I^|Q
zKxr{4F>!7c3Lp@ugmQ6JFwxTfgMRU*%<YawBNafPz`#JUKuIwK$_)gTmzM{LOMoOK
zL@yAce!)IyXppFnAJ6Y1f9hz#{G3s6BpQzJ0shp5IwAbg%G}&P1O4at!>2dWz~Dcj
zeEj~%>mox?5EKali;080y+QxR^h2A#{xbQmOh2<=Bn)H%^F#QfoM9Jmo_`ZU!(IOe
zou6NRS@<{FMZN!b-~Xw}MaoJSXafTUEf@+O0CUksA-sPT1_?#^!G4-l=Kj;=-&sG2
zztU8I`}m=uKF%<Rmdb^a7#!}RASEFwEe(^B5(P^^p`ub?33*XDCrLR`n4B{dChaOO
zCo3hb1o{X4zxBZ%>MjUpe{Yx%`VV!N3w3QxS#2;_R!Uq}LR>};3|0rrXliQ7Yu=ER
zm(|pklKNBmZ`8k(l|cVU_tzl%z3>05#Xo~e%4vY*<h9kMG^FLh;2Y9%5)xWBWW=>4
z)MX{XQgRpR{Gt07^>0Cc{|5PIrT&nW|G#AaM*WAZ5en`G_knt8{T2FWNBsXv^}Dlw
zk@#DfpJPqo0&>v}(4P}W1*`=6N88`<7n%y1C>RutK$#&BUMlK8*8`xjI|7aHb4MV7
znwmffaj+Cn&;aTT_xag){a5+^8|e={CD6}V`nOs8`;zdh^<qs>p}1iFxxT1SluW}i
z002ffL`&T)hyZtsG9kCuUuC~#e{+03cK@^8i*I&6BEexqGQIvzRL>L0b#<|X8V?Gd
zLKqsJK7VTQ{0bku+@jcEyySY?-6C^$v)>A?lTd)cpi5VsoujD37Mt2VU+f15ZrwQ!
zbvrxU3g4Rd&oF;q-&S`L=sNaTUUDtRZ*1gb-)SMUvq|}CQgP23!_Hyoqe9-`xDSw6
z3A^d>$Xfovt?gES+9amwv6TS}6(hTu`=KL_G#@L~I`o7~;w8s;`Bk!eiSl%;buh$h
z@7qr46N&f8iBFek4++xJ?Y(0BlC&Lb%PL&3){wsOqk6k09ZV0G7E<>R0FGFuU5u1&
zfzvlG`b|vR2C!04WR!}79CJ(>PE6UVG_nlxxtD6IA9*Q!(IevBQKSKoVbJABUf`!^
zH9$fwVeUDD2|Jzb47(T%26ugga;n5k^gJ!5oX&N;^qyR+IqBj75r9m$){qLbQrt_7
zAt2$WlW4Iqrr|N{=0{9pDg1^_vzYOW6Qbc<ryhIL-v=`<k=Fxz7^!n3(SR(Mv`b>E
zn!QT(?4j$f_LM`+vI3qegm<-uYl7&mHUOEV1iPJBQb$rH^X21oB2C0OKIACAh`$tc
z1=vuIp-I?iHDG?b=JJ8XD9?k50nlSX%(q&wAs;dIHsU^dBvm3-h*;|ZhUM9kSs2z?
z-37Uik|+%A2x9fWA(5;Gclz`eW9UOh!NXQFet1$c{_>zcf{w~2nTVpUfG8(YpOp-f
z7}s!KDRuQlo<aWgBe||-t7qhqlxP7RMf=iqR%93}_}=bGGh8P0{(~oD%kLbPFS9TL
z;~zr_%~|8)vb&{jx;Z)S6g2i>)WDY?^Y*ug{idh+@SHY<P}Ajr^OY09pf8x7k&XJT
z%l3}0Qy|y};dfZ;p*~2q$>ss{0EwwlWWdFnYc#{Y*G1GOHI3Y^aS5i_b$V(42)B<7
zvk#UDEg6zh7&okF5HuRY%#tSDl);(h1@A!7CG(_+s4I2}YJx!GKGD|`t0ZDoDfV-I
zYEvv)FMdN->;d=tfR-cdqH@|!OG#1D%Nm<9h`Ax|GJ@M2)|dBW=Cwdi8(5s*mdD7v
zb`nV)9E9>T%#ESavZqp-nk47V+pN#ZB^af~N{kG(3~%-ln}e9VqDferhO#ruj%!&y
zQftZYp^9h4$J0e#jFv9feb2^QhppCqUjFui9#~`?-oUN1-^_B;`KvFW&g3gqvsq_F
zkNk+sNjCmB+86eM!fGMqI#g4u^<TtF+=H*K`@9@g)E{v3H7-&sUEuWz_)#!8h~uke
z)n@M~S*!CK{1SivS~vD0&bR0m+*(Om^c(R@KvD)b=5C;vhgbCjdF$sDm6%U!VglQ}
z@rZE1wYmenavkBWQ7-;PN<zg>7Xit|VLD->TE;}TNB11nh1N~qDtJpf<ZXBxBWoNj
z*9yp7Nd{N>PmJ%<f?_ad^wJ~&1NtSrsRng&-cRX2dzqxK9@}+d)EH_h#+{A(FYL*o
zLgtnz9YvIqb&bhw#OZtwsw<9e6D%vD4snd~s)iD)aD796j8B=DM!)RQxUmSSb|aB-
z7*Y0tG}$XI79NH*E_bTEg0yHR2&8&e(1<UWm91C*8BjEjBR$S6|1Ke;35O4$ciToK
zfX8upkO1OBS|s&e@ZF+DgKUFPf->7yrtiQ2p;kVK_n~8@+1)P$u4KEqW%`~*?Bf~N
za|Xvo-;V?l$H^$m`O?JacFk@;d$}$ZvC9!B3{qp$v>m++k+staRbF}@bR+1ayAl$5
zK$<(3LzY=cg|B4{Qaz8-?9;lf<72yHiyaSWzs0ec$+;D(q0K-<Pm`hHs!MoQ-2)iG
zxYvDc-XVZjd8Y3hT}x)B4Rg>X#IXp75-rCTOJK#?shjj*=qLKT&ZvNG%@(;vOD65x
zyzKV~o258BFqd{=<ht9YsbQwh!Z8@uWo?Qtwr2B@!NhzSENN)|xUdLjJ5f??7J!NV
z_7iF<0y$Q&aWo+ximUOajOgjhkRJ@RI<P}RlCPstZ7Vgo;Xum5Zwkg1g*Hr4(T^c+
zFkWB7Du)jHs!rG3gq|2&F_F<At|qA<gw>*)*uskB%X;el6pt2ouWMO(Ri=)d(3@}P
zG*62-CuBuz+d2eoEzTd+ON*wvL(J&Qif%QdE$kJyYnAplRk;fcb;;tHwlC2UYNR|(
zc`L+1#?y}>cxlF81-mV<=RBix^74IJ<8ahW2e&k(2ksK+r2S>^l0#ABcbmJ>zI}8!
zKGhnqnD#p@BfleezzEz*xAS{r<->`-fcmU@r)eSU`cg|$CxN0?bX?ImID$2u7q3@C
z%llA86dV$rqdQKbm13NbF_5J`%$nB>wB$D&iu=T4V%s>2(<?4>G(PIH&ph@yNt|uK
zaa@0p=45Zp%69EFq4^*-g9eVU7o!|1$F;ScSv?Pl=gZ)T@XzbQ>^Yi}4fQ^3pQ5iC
zzzld?2bGOm>C9y{`|?VHb8p%%o1|M4d|@}ryBz*mcm0ic*OYs;c<4ddl_)D2O3#Sn
zggy|&?lX05MR7bk>Szg)<)pje$yVIvdo3-5_H>(C<Rp+-H;IqHwOeL->I_yEC+5pI
z*<8?;$61hPcGeKzG%Q+~-)&ay$jY$ITJ(l$E8V}6cJP~QsP3y4sVRXZ)#E^XY|^|y
zlFI2MRuy@<W<a26zS_>m>pbCBVmoLLmy5Lv7g!;Mxi2-}n*0v8I^E(aF&}13=<h8#
z2CjI@uM2C^2pc&0b#d-dA9`{zJG9J<_Q=!zwsk8x#+J3ti5D87#9wY3ZfbKi0|<0o
zX<t4r<~4f?@R!=Ve-7+?Gd2)JSbi0r@@DR&t@gQRWm=}iK+D;}tBA2l?$&q`z?h2u
zi5|YpU|;uU4#BC{0z6K8NRHP0gd)M+bYCVbEEgMAyB2)-aSSy0e8c{*Fqc*j_L;Ed
zc;c9kFw=IS!8%X=fVyS3?-&MKW1BvI#nF7r$|CTErLu~`9sRu7!)NT9Gtp|d1WIq(
zlhSb=BBl7s;qSyLJQO5U1mEmAWO#qJtX}UnVctl)_x|~4L>xd~rT?)a^Bm>b<B<d%
z%iTQ_Hqq2qp9rQygG!|)>IK#Gaui*BaTasrwW*Mnz}-n)MuV+++0;Rn6v##d8c{~R
zIs}-xRb#z5^Mk~?vDtL6u;#M${Ot#Qbo9++-(Zx*WmPw3UO0~I8+G#7;iR!9{<*V+
z@(9j5=00t{v1XPZFo+tn7@=ZP+{SaZ>6e=p4Wu?OAYB?`ZaH1lX6C}3r5UV!Xs4IM
zZfH-fME1S@YQf?oWI>LlSE|6(+jK;FPud0|Y4-;_x0Hp?Dr)K<lf2tn+?vHZ?QoTm
z`4380PMX9Zi#uD7b5L{i#P(JYJ<S}nbVcgT`J<Q+-_h>s$9qG8D?NAcM(2B$wbk|7
z9L>AXGTUYyOUaC8?k4mC4pZm3rH7{loy2{$Ixd(!EDzL!$YHE9v}e~NJ=4o8f}Aw?
z>7A{ldS0)vjC=q&??55E3?Ik3>^SWCotF!3O83s!s!CTDZz2YjXE;*$Mu%M>;}Y<)
zX6r{x^+Tmi^My=>BY8<VmWZAA+vT;!*(YD#oM}AL6!yPl8Sy?(9MGhHw4rnI?7PfD
z<h3F@#Yv5K`6}O2q$XrM+n-jLwAxteE*L&+ypf9(E_}bK*|xHfq$GAZXi{Ku(>TKY
zNrJgI^>F>x+x3Ez{h2odv`OuelB3+y=u;+mmBYw~NIVZ<h<G1Z0lZhRnQ20P9PHSG
z$U-8iNHv56B3bCWeFiHZ!QEHxpX^qtW`-*^7|Gb*DJNXnKQ1nNu4(9?!heUR;|bFh
zBg3xNZfr}@&A@(IBaRHH7vU4fdjjF|0Y}yEyZA^l{Wsr^*-`Bl-cf%@Wr0$X=A9cY
zFP?}adEh_#x<4la)S;~)tj6_>ZbWO>`>xxkNhzf1?lBvdbzGzM^icu3UV<*@NJ3CT
zM}nl_VCPemgm?(#%LhsiKv-<Z)*Pi=9o6ur-Z4&iF8@PrELA8G^UAE1s>O7Vg1#mb
z)bhk-j$j0G!_mV!E@l{4nVK|Q#@S9JYdA1i!+^E*iwfDLG!j-bYR3~De%w?|7yXbs
z1yxPMtI>)Cm-Y0I8gzy1QAO5sv@+91D!r(e^?wdZ>ea?QI8{y8(+s7v68dr*k<$CX
z8*4nn+f@HG*);TKjWeILTGhrZ@J)wl(ziCtD8*6;p!wL2V`I|V(p)6%!Ccc2&vAb8
zrAHR<6GtM;JAnD!&38?()B6uvhioTi#RRy*Cu<PHF9PRd=f2Q1JI7Uh?cizi1;UV)
zHAk;}V;ETDY5Qb+(<v>iotWg}7*vdwNqZs600(Bq2&@qF6-4D*cjYT$UkZOGI--U+
z)l31JLHv<7_QQO6l>N&P`;N2s0WIQOs4HvF)>O{x343x~cN+o+ctA_Q;7tPS`HAaS
zEqqcC=AA+?WJ}CP?QcfWug{*59(rGG`XUxMQ*sTj-VY@{A;s}IlQF$FwH7|F*+RJV
z;y<8vABkdXiu5?n9=sS*&J45Nr~x)mj&A-q>abkt4eS&iz3d$PkyA{=MM7MMgCqNO
zfp00s<2GJEbX|BdiZ4*<ql}#lG2rvq%lzUU**Hyp(G<uxQ(-g+$lU*`JoL9rGjkE+
zm}R%bje>kDJnLb)M+EvPl=W_>WW!Q*FUiTL_@u#X%2IT>{lv#eZ#nKewBIH)xoHy^
zAF@sRpMZl`1yoJKLEU3h<T%zOnrqQ|Kt2=Sim&wgUM3vjXCPekWEj=Fy7IRl0TpJ*
z<{XvtjXM0gUw911J;Nu(NY4s3?12_ltYZ(A{=FRt++A<^@r`6`^HLG=9qw9UhD;)|
zOVdjteen~kcZ?ycJ`->uYT;vs^3IPNr_r7e;!L&hTTGMwdT*9KP)yZO#;&~YQor8a
z0L;4^tnFD;8eA#z>{<HRD?ilAiHf}9No|E!i=_o<rpT>0FtPLc+NGr7n8eE4j!MW4
ze|G-kPaT=CQ*7J!M480FPTv)h?VB}<KFRTxV*^hl5nbjyw{;90pG=6f=mo6`C0Pt1
zy^Is{RCy8kx9Kg@Wv*XZk2BM6eI%o!=iQc&NIQ6D`eNypj7YBBfSC6>p|{n%;x1EP
zN725T(AbxokY{EVjovBP6qJ0>h8qh0U8>@xS)j>TvS~P}QeH~2Cz}?5LI*QIz7s_q
z?fW8|J=L$~G);gSrrazkiseysHWO0h3ax2!VTo-$au?l{o)iC^{5|Pf$`h?ldk0}n
z^)jIrrofg{aodL__^aO)URyFUBhwwf7LZJ8e|*c4URT3o!dw<rAy&a|*f>>5|JgTT
zmtTY}LCUm9P^q*dq_DB{iJ(!ZCIcsAp@)@SPu#NJ*Yav&e(G+Gvq>bt#G!-Wl2)H+
z9lV-$m>HZTrz6VfIYPqPALqr^i8gTKjU?ya5wX>aI18}-F*Q$VLf;Ex03JdMUpX3E
zW=JmIxhB+?d#@?bp8Oy$MqT>B;^V%tu10aO#91ck3}{M-!RtZp*3Zvt9sqXf^(EIJ
zIg_M$edOYZ?avAF%hj~b8iHi@&19gwuU}}19UuDoGq+Nw#$AJ&E0krLCM<s+brLXu
z9d-<o3x15^Joqe$USv1PCU={kGT!DvopQ-{LG+7U4nJx$6oEMzpJI@RClbC{2(cad
ze)W)zwQR4d2MoC5^tksdj+hoT_?>t|d5SvD^O0eh2<l{T!4ICf;eIe=8J>q8D&o$D
z2ojPc@Q(HK;#c-%L-!bCYUNhfwsWZ5#H^k{N^)E8a4JT)G4p8B2paNcenq3M*h+M<
z7CWjw4+?WY*@$I~5@w|YQkjg%1xO8nC9drwS69;e>|0#!tO{C`WTrR-^q~o!QuMrj
zYZqZAt1Rn?C0j{7bBe;n=T*s!=Skw~mP2lZ%^<Yp{Z~mzsYVoX-T{(h)gIkQT8N)^
z(SI%SxXEjV(hr|JgU5Q6*apxzuR4t+OWT6dY%6^Fg(iN0-95mmsYj-F(&prw7b>t%
zb&4$#{hzq3CT`I}WEc^_t>nqE*ZURQhvqZb!!HlId>64v>`u%moNC#Sy8q)hd*O#I
z@AC6Ve1Tc59h;85T+g$gd~Ie{l;GO8iD>d-DGB>{-NxQFe<<6i=H$?<$<=LzUaqCA
zc6SOdl$TiIZc9x%fuS;95myaYe+5-bl=lG5n3Dtx&)3Qro-PJXxCoDwqE<~s!d3P*
z8m7Nz3%#ph>r!(bEL$grqYHG8SV$REZmG|k<1_3?nXb?muPa*U`UQFC_1hPjJO&9g
z=`aUUZ5{L;P*rA$V6S9V)BpvY#5JNQlZ)SCu2h_W1%GX*%+A8=m7-gQWer~8jo^8W
zuNIf^4$)g1O6%_Drq%4~6v^OgPsvzU@L5^H{)x<HZhelIh)j{912xy{g`9o$@@MF*
zyOHA6+Dlf+>WS;0ySuSU$DA7@Z^BS=Z&R}#v$!OKCp3jM;=2oO?Jn|^wq1&6S0k0b
z8tzq)cd5Bq$Yu-7A{S&8@!qEEQy(WT;CL(v6P4V+`$fGaiW@3EA#G$gvV3ELHzL-L
zS<<&(TGA<6I}iVOMVbBfaAUi8lTvgrmjiST&y0Oxk#CT%6m0x~_m=H5St=6NbFbtH
z*YTx#e0!!uR^Ggm{WLr;Wg1Mmdp&`Kc-TR$!^8h#$AhfM^SamxTGvIWW7Kcp1lnG{
zB5K4sz-5*9Iz%B%uj!;wB{k#%H&BdQ^tBHZ)E-I=OtI)RF|5ZCtyBgNo06i)F1En(
z6Bn?eot1BRFHDr7s5K_;T@jTa0LGG%b}!eTI>qEFJUlPF@?vwtC-JNgBMyfxu1q^}
zPORyn&=U!qh9(i{Edil=?o-Y3*g=UmxY-YnGnSq%h8C{Btna&ec{e8d34(*qU-%SD
zxGjgUDC^+3Qg?t-h)0|ru21d}UsekamsekHdBk4$&LPT*{T_MyKr>6SB=FU3zyfa=
z$OMoWD7=?Z+C755vO2zF+lp)2%U-GbEO|prosje(T>1)Smzpqvn%Cm~+xskJCxKBV
zr~UKw!?#Wfpl=%hG<jFHb&9tYdETOPj0#`7M1E2gFJh*4<!6=4#ZzUB;F(t~=Fu&<
z{Hk`AP?=CX?iq1E%Gi)k(n(xBS<II1p+R6^4$ZbOGebN^4?sy0{N*bQuAuWU06*mt
z>>b)VE9}{df;xa4pgEOyf~^``ty;U?0{kyK?W(do%u(WAnEmkcM-SwNp;ncKBj&#V
DQ5yUX

literal 0
HcmV?d00001

diff --git a/deployment-apps/Splunk_TA_windows/static/appIconLg_2x.png b/deployment-apps/Splunk_TA_windows/static/appIconLg_2x.png
new file mode 100644
index 0000000000000000000000000000000000000000..b67ed66dba9c459cdeb380f469b39378789f8f19
GIT binary patch
literal 15057
zcmajG18}8J5HA{MW82=?=Ek<o6Wg|J+qUhEwXrtI#<r7p{&jENci+49>eZ?5Ox1kV
z-7`J?b^oTPCsI*f0s$5m76b$YK}u3o8Q3QL_xykY{vV6)cK{n=6G>$`5D+g)5RiZn
z5Rf-uSHKAfh$|Ba$eAGs2u}tG2$n-mml7ZF1(dOjgeb`Of4_p>@?>BSjDw_>GYCjW
z%zqE)^iww@uoK!vN=^*=7y=p^ms_mVyA=cktjbGO(?!|Ho!G(29$;x>M(pD0U`Fg=
z>i_~G8JVj7t1X)ee(M~aKPb_3T>x>k;oMvA>4g9X6^;0Vya#zajjgybq|o30Ymw0>
z>{o`VwANTkZJFV+u`(Xli+{F_{JynvrY%$J=vq<C`Nxu%(UA~8Jf(lP%(S-2-vVQq
zATsDkzUY0t3^PPB=zgI<lr7Vk8fh!&57!0me<dA3F$22F?>9MyBhJB+J->-Z8TBQD
zm?*KIyPyW^OM)5-a#=K>Zw_Y<e@iZtQZNsST2^9IFa_@cK=iQJ6o+txBhrQ5Y0WmG
z&!jDvz2s{ev%3Fci~OpV<PLVf`4dJ-O6mJX=n73EMF!@^ev0=8+9Ig}#&`g5>yThh
z@^io;!rBMxQAED3!gtET`7CGF;Q^{1<~#PpW%^r}ajxpLdxNGNBlZ{ahm<V+PO}s7
z-vq8sKz2^8CC4u!Fa5v;IKb|og`T$2>dhR#KSeb6ldv!tx-`W<qx8w8$qi|6n~JQr
zEC(c+0S^kPHg-q0sLYr(!;nm3P2_80nLXI}c~>{PSVMvQB~&ij4^+{dr-6NS4;Y-|
zAajMcKlb(T=S$X){~X8uVO62-kibUoAeP9#XyLuWc^b^phiP}~SU250I8QlMCBmv0
zH}wTiNmLZ44Ev*cI~^xE&N}L62s%?1)hHztR8trA5@$@W&*V3>$i12E)mKTsfw2l_
zbOW(B_qqtV7jJDfm;U#JO1SZ#7|ii0>tOt{*y`b<i0kF6J=;m%cy<V(!ng#shazup
zTd*XcA@dE*(f-BC9jbr<XX_&*dIl7<$XVAWN$VYrdBku%4M1Z12hkk^=^v~S912#s
zz#_WN+&W;gwEB*aCgxawlVJE*#p4@x!L~j9hk>qAd_5<^sh}J#!YBOWP&3ewLG7L7
zRYB*9+_OMH*nOo$f2n$GT=r_D<4dI-KeO)9xRgM!ph2db)LosO3h>L!?)gFVB^=+V
z+$8RXU4Njyk4emC>RmYj%3Y}os)&`%O-~%$Sr3Av9pWQoLDYVx=C;$I>=9l8jsUCI
zp9V&N{qL9lFRb$zGC8^xE@VU!2-EN5{2&@`j)acA@pgWHm4(#v?aAA*-Q9}$86*mI
zKX?1JS<b3!-iP7rw(rfA?nX&yhHKShe6B!MuuG{B)RQ1j%q56q%@7C@Na2VJG~`3U
z>xST+rh}-n+)bbFjq6=UkjXo{m(SW$^8umiL+)dTfM$kwJA&DuJ90KYHdH;Pxf5e?
zJ{cwHf)-J$$QqWUX)m>&xWubdbGgivO4is`#B6O@E9S9137+nby~0|@j1km1WuVYn
zib;*12Z}T%gqi+;s>{5<E4I!YN7*s1S)Le2ocob5wpNe~{5y*f5y^zke@cC#-l&Ia
zB?-DLien<QvMG^+rHbhF+}|rmt;&e?++THkUv(RwDwW4_*$4P_ih3(BnXHLSm?Y9{
zDRAgQTrP!0DQOl4MSP(&0;||RP4c{PTsS9`m=x-UQigHE6EnrsdMc%-lnX4J$`Z5-
zWGOvU^uI9R$(^A{(}nS@!?OpsyAxsU8NzqO?E9wf{4Tt9N~m$5_wY57D;Y^(Syxm0
zW$2}4^su1PrW@mw!79m>&BmJy^P+Hdy#Kbh_Vn3O^;7rK0(><NKi3|6#B^Z)(m`m7
zFnB`DN~O4RwW3pk{r=nX^CnhQGLuz~q0AI;Jp~IzL)0=WYInJ1d%XJvs(~_mIlkK~
zvTN%p=*HjPUijf6|2Je9_80;&P>d#1%S4$}TF_|4P_Iqbbil&0En1nzcIel$%X0<O
zUL)~TGuUxe-!GapkH|nxuzy>LKjFfQYBKJGdoopS^Ze4tb;E*lKx8PjL(n8o8=6QB
zVL??5i7T>CLL+GA)H<&9-?ofUNe_s#<6E6+dlZ+2j3Wa@TLbp351n!FCf6_XBCp7~
zkADZ{$7L7T4U&y=cWVD;c~X0&z5c8NE%bh?RI!br<x|wut1j7_sWm-@r9Sr4t=`Mq
z;ZFs8=;-y4209_@moe55Y%T3VA0Aw;^w%{7*6sYIu{oJ^29pSzw|6DnS=uh78AkWn
zOOseOIJ|3`+{TlpweL31;gzwITeSHLdDc^;;aANRQE{7P_&QoEUF`k#nq2L_awyBO
zW_O4Sa>{|ezoiXxo)6SYWmF(XOn-0`MAdiNd6${~F)m`4c}cefr>5~0W<ayuST}<I
z>#O$BU@vU9&OddgD_iY~J2m^B8}-}$of*2&e6CN$peHJ_`E7*VDQDWP<nM`P@0`tm
zqAl3)&l3f2g<ZT(*b^<s@6;u4n)KD$hM^Vr(L?`!zXGDOTfd}j&3lrrEk;eYw%K1z
zUaMK?v>8=JMAx4}?&-Q>H#Kp-1cr>6LiOoQA2qLmG_wWXlwAicEKlv74i95^t3HBi
z7i3rT4c*deJvw;z7!#_6ESPOB${LQyu2*Q;aGmA6;??@6S+4qrsbJu0WOaDCptNIa
z{M&NcqeARb|I}}k+`QyM=>>Ju3iH#Ij0>_s=ezX<{<<FaU%hlM?&i`~2=IdM*$gs;
zg7)uBW)W3P>ahz@moCxEi$13v_s<M>wsZNdKKdFws3e{(Gw(1xS$qECu6+rtg67mR
z;@mHY#rK+ewZDyMb<%hLs5^h}I|;8kw#7>&!BpZ_@v(UVKkU~iozBvHJLNy&?-kJ|
zxSm`U=BZr-!2E-)(PQqNtiJ-96i=;1@kWMyk`U)xWYr#m=B#c{dAC$uQDA{_(lSG(
z?^)Jb)rO^-eM$Em<Xd;qvZfU~)X|xPczqcy56AjDBm)g4=GU5nhr%v2y@`=4rB>Le
zdd_r26_JHlXQwoq-zbs`W5CtV<xinj3!l%T!$#fSeoV)D&r&0H0Vf6b2=#-!(Pt|<
z8*qr7lgK*pt!h~c(aR+7uIiS$m^3PN{sn7zC9`HZ$Zgiy?NT-B=KT$==y?_L<$90{
z8V}UvAS=HDPMw^acb2UyaHHK+yVFiN^$Z>Ed;<mzG1<y<b-smAS2xDME2eGJ&}EMz
z#ESG+A?uZ8O4@0)ATqn&ry1L~zPv~8+T(C91;3Byg<2oibM-apfdw`4iMKQSSLs7`
zMq@FsZDh&b@_aPgMRMz}ye`7(Td~lG8P|U?2OKYfBhuh@;lG|ARLGvQ?$uJo%$Cy-
zS_Ep%AtlXABTK)~f@0xP)#g6&S0eSJZ#zEJZ=Vi*H;;Qx``nl9>#OZWa;m4HyCR9y
zOA_j$SlgAIK)ui4T@O5>@K{_{x)0@Wj1Thg>NjsrZO<#iq0`%aHt%-+c4a@IcAkC_
zp|a48Yp2Mc$R_+*m}0?9Bf@eHu)^=SgMbX!=~x~NE3X-m)l~Dge`BiN)xh+m^RH@J
z)>&?Lq@LjXdF^)F*rT`QciwLI++M1)p|Qk6D?p@ioEY?QxlA`j!!%F-DumJhOi%xX
zsE}vxukn#yJ01^i19Q6z80J=@v)65;*m82^cz)X|Uk!vA#1lo_Rr~Id(?}EO%icj~
zXAt06^b%f=>YJiLEk#GeI}Sbc(bW>{umMD#?ar7)R}n3#y?@bD@$op6>J%;JVpQLA
zppGt<w(=R!_#UW-eklY^rZX9!b&d7LW$~IX6Scsa6&MywzPV5BvJxpadc9f+C{Ad<
zX48ezU=`HGC5;9&cjEosbO#KkrP&O#+5ixuT4_ZO_v{(WC$`FZc)Z8Dq&HhI!jVx)
z&{=ez{nx2e@uCD;X8$&%4!#-r%o&#w!CKOWPLkWz$u&LIGI>M3cSuv$DeDii9=-|L
zJ&s9(mJ&1UtZe8|I%w9g)-;;e*`&R^btgI_9-!99Fmr(73rm*F|2#d;y+1O|9o#@a
zK+TzID^pS?3k^rdB{983z*s(ZO#4&HWq$8{c}GKnQt_ceNAV&KJ^d_l&c%nPdT<fD
zN~b4?q23ut73FPBQ^U}ermne+mP?P)o5F^JMO6ZbbA+prkv=U6iBBVuhWc5EBAkM4
z@*4KX(m94UU0~MOM%cKV91t~J6cVnkM2VtE%dvcU-R&GUGAlKWesJ^yBF}1n0!p|_
z8xF39JY<AN#0sm#P2Q>;yZa{vj-=_=mbSPDi|_=W{hSuQTPG>sxy4^OJ*#?ik#<Uv
zSQ)9yA|IoWc@G*<n0}TryI_c_`;ji#>b6NWI89I;`IJp+bhtRi(R`tTgrP=N`_2gW
zx)D5AW<Qm2I^GTsXF5!3@|l8QWxWu#&fH2S%*8)OHq2ags$#9BZ^Y>-#GxZ9C<y(L
zs)!_u7q_+H%n4Z#CUVqoj$qM)8{A`**y+Z(zld*D8%RyaXStP|2RhL$`BUJLg_Sa?
zR6P4=R%`k+ufp0d9-G?c38&l+Z4S@YW|R;umLq<?`^_+_lKAR8LPF74V_|e?87a~G
z2-ioZ;4u6omwPG$5agb2)C{Me^w(XbJ+8DPv2&2LGS@at4PQZDxFMZ#bX$~aku#?k
zv+C>e9a=esIWi-L3o~*eO{nF%hW()f39KjM*+YcZiC?$7Ui?88!>+4P$KCBWI#taW
zxkMuEQA#6ond9jc>Ifsv_M?{rp<m{N{U$XWIp_~A=0uJbA0Q1rg90mn_|K+CRc7_N
zEM!`*11*Ox5!<ae$2SkA>X67eQ+gSx|EpYGSY`H=9r*7ZAq<Qo^^&=}`k$g)fz!}K
zYmmy4VB2K`whQ)`i}1W2lXE;<T9^|t3m;kMr#Qi<FpfOq$t1!jUd6DTnq8UyPz!jN
zO0e;YQ;qB0N5bFx&HBF+29Pot%6y!kxQ9;z&L<#O%D8OCrhn^dMa7`tlXF8U3NJ;r
zdGx$9Utju(cCVAjp~*v!OBQky@tbo+qbLVKo-5bL+`3BseLN9GI$?i4Wq+~^)dM3S
z4IyV|Uh<fB@ETlxz|csp&twqCww9U!(;KuZO+qmiD`kAA1n;TleOLQnTXwe(onW!a
zl2WH&OI$75-6+R!Q<O%da)wHF7H^gTO#HA$Q1<wtiukcUfcDts3X?*^rxL+Z1D@GG
z%D}2a0efzIbV|{OxQ>YEVgHWh<MIO2{TU9SACLljOn0yzaS)B=<9SCVevh{A67mPO
zl5L1S)Y=F%LibXtFhQ6sbfi-jOv`*;x@mdm$nZGg^Afy>*qCrm>LO;&z!h28$Tn!y
z)JyL~x7Lae$1vf?Sb&gBzWUnX;0j6n6VX!42DxR7Iw4Tq+SD;}$Uos>A~VsvP`odn
zxlj7%_JHQ}jC9iKZV^V$cWI9LyJQ+uMSKa=JlI4(&wt`Rn$d&%C27JKVz$sMLC2|S
zM137D8T?(?Ds9CU680Zd^yoijn{92nhAd}}^p1iQiTcLj`uMNJ;oR{Mzu$&V6Xm-f
ziS_c|Lmr8}e+zen_su+JxLLp#Qx_`$4vFC`(uV(N_FGz3Xu76AC2M3NXOI;{sLt*j
z&Y6k$J}{8n5pP@KQ*fZL<s?M)v$gpCRo@FTW#kwEw{&ttBE&MX%64!Eck<*jpyoq-
z1dWpQ%yvk-_m<+e8?hWl$a|gwu??Z>gkXU)dQgx*fv#0IXaHpsC)qRtJt}Nlm^NN~
ztz`RT-lioY88R6d$>SB3jcj6=om=iKU+AB@;$JPkpZV6m*(JKK8@D%$w=E95L0NV+
zrnn`NC}oe)p1LJ2T98iI+!B;;t!`4*jfIT?78r$-#|o0np4k`)TK1UD5GS($#)cb|
z3T2+us~<`@YK<Q=YuLxcia~(+J%?i$A_6~QvIs7Mo_%A7!P`TXnq1U!6R>45NyrR}
zqslvBHQG+ApT(qH)%jxGutf3B49y|a5Y$;NI=*h*NT;rCmh8NT*{VGVyxRnBT}Y?m
zNFCVv#us22B(37Gkex)rFu6z`(pJYK0AZ_fY+iuT*z{6{Ws{6C<{Ca7FZ398jMS8K
zrv?ozo|Cm@pmUfd&%TvkR2oTQyPUCc40Gxo{>ss~q;j`mV&2j+FaDGNcs=4bS-;nZ
zH=_G)F-9xQCvq+S@60jKyr&y}qEd7t<b`vah4TlPPpG|n%KZEffB13@oB~WkU0GvF
za<>Q})CvJ@c4T4W3!w9nG7jfz7n%$Zy8K(spbc4?LcJ^}=4;k{1gL6HfXPF&5VP&7
zB`hRj(Ta)ufRdJq$u_=#$T2$gns`#E?J`m)K%ph>+LxT<u4CGSBe1nG%JqQI&(^mN
z_w&vMtcgmASt;i@Ta@1R2Dmj(se7mU-IK_Db89r)OR7Yd<Nn-BFIqQrm`%vSKHtC4
zOCeN#!9EYnHj&NJk)Y<lI-XsJy-yIVp=gCkNXm%uOi}ir8Bjq%jcpBMlascdIwIXX
zVwB90mz=?;VDBAcxW4uuVvP42PlhI1xV9rfCbyh6beXX5nsMM6;FjoKD8+EK6sH#!
zB!?yCyF7p|0Sqqx!?^cIlY&Zo%`+W^G;(e=Vb;Vl4<>K+Llr*2e{Bv#@7hOT)X&2g
zIkK|h_JXCx(DwG&5V4L`*S~sB>MZy<saP82x|T%3;koiid8DOc#DEn!n+S|dJU*==
zynIEg8|6zEMX3^2%416?vs$=HXtjJp#3f4?%}ahlyk}0#pR~~~^23|LzbTb1l-r5r
z%u8EtR3)i=g#NWEqK-v7%ZnTAPl*HMkKvo+2v|>(H!?c$lpdu1wVsH1OIDshX^dFL
zFb?C}o61UFMJ14S`{U;)twDO%B6;@QD**i*FX5$N;kFGKGF=jP`s%UI=Na{Gj_*YE
zpa$3R+BKnL%R8t7q2F(L`*@~^h@gn!UWw^sX7knYX)L%|afL`Z>7`w&dENnmO1X%c
zAg<g7CK0~F1q39^7lM`~a!RA73?_wgx<zJTNuOn5seV;6oHAvc;ev#h*Dy!!JT~gF
z5-zZ)9F+t~;S^aGWO^2;6by+otEhV(a5Y6Y6r@V-<dBihkhPe`S>#iJ?UMjM>vZ+v
zVD&66EeC!=!x~T$3o#rH%P`xw8GarmBx;1p+@m#e?*khK(3ZPXHm`^5_Y2qj`B=Bx
zmN`>L;H*$$8^p>RW0SPjN>aE(wa(xxa}6)R3|b>T5HBm{)XzcRw<RF-gMq;nS0N&q
z+q)NBm{A*Sp$Go}KG`$~v~5$tqvak6-$u}=x?AKgG~GUA@E(Oiyx_4x{+D?k;dko!
zEzAmcRxH5|5rMfMZROh46*3e`u6p`stw>y(|KR$gjQn`MQN+5{Wz(i-{=9v{8sus+
z>sU0LF>47*i|5)W#rBwhw%2qrb^3t`gG7DDG)1N>luc6qU+Ttea722xMmg;9;+S8e
zze#g}Sm*q1KB~Ed(g>I=pa{Dq6`!;wO+_tdUcnAoHZ<M#KTI<?^ERu=vWDz%CABvc
zPC`snUVK10<s_Q7z63f|MQP?d#tvNle=9LVDuhaF#1A4~GxS}tgn4(!kUI`xY<dY@
z5Y#?x+3!9#f6)l9eMf?8B_1|(UU&=>Wjpb64Qq=x*GS;WN>WPy{LD#P8J$jI4MDcy
z1lr9f%(dVPML2K#`spPaBti^3Flvo0k!Zg@Z1PH$T4@oi3=Z)qqI7SQA+{4P**?O2
zfCPB*9W1}XeLXz(-_9v~+w1H3O6iDULmvk#yaJw*2H-5;<Zz9GnIe#d=YM2hJR+@K
zUF^ppNW;Xr3I1IT|3=g4)r*ni>hu}(;2D6CDPK4Mdhc978H@RCO7$N1++5z>dbHr(
z*%|HFEo5Wl0?WV}&cO?0WNtyIu^oQ;E!d5e+@z_al-0pvVg~3JWbkN8c{26zE5<DD
z#-vHw>>!Qs`e=Eq)1I`IG!C5e`7c%tqq3w<T||d*h^Ak>7mM~+3wACrJ+k<-M`*M4
z3K0j8Kxg}d760#PfPAw|eW%RQt`WI8m$lR)PGjc2W&Y)gNZ!R~)NaqS0-xs%TwC`h
z8y<bjV#(Nz!&e5^L{3QHadB!@G3Rju2df0`uk7JVq}P|5XCIdbYecuWlNK*C-UE+8
zQ-MM4;A_a2jj7ScMN29rQT^cBCq$h~f}#SY753c!6fzopU!DV>$C8t~Xe9tfo($ah
z>^bM<^B<aBGb6bnp0>S9k^nJSeXCsi^4w-UP_K6u*WiRUf)JoOwR&au)Y3HCu^ha;
zdRa<n$N146gB|Wdv=@6dBONKX>&($EA;;G!Ui2wDgA2kkGg|>sDg)-c7fX>|FP+^a
z!x>S(?dNT6nm7I8f7>?@K((ZrCXQi~DRKn;A&b2qu<rCrsi<m*n(A_jL5oPzvAsgk
zN3Mk07S9KM>_07tOUdPpfrdks&X_UIx)F=myMkFOj;CO~F@yN|B+z>Tvw8q=fG@>E
z&hE?;%RnUX5(3nx;N3#8LGz}6!1Zh9(xNs*koX!gEbfnAP*AC}9~2l$F)ATm`Jc07
zexE0THxmcD_lEBY^3~Dh{2+^LVzhGQ>oe^QX+KMyB99toi$V%&eRJ+k#BFhn$fC_b
zfzt=ZjM1Bv2^S$1X_vK9qASvnd>rIO6TZ&BE;m674_V~v<Ii9z%4|cFwH0zDWHrqp
zeqo72#3Rq(V1mT#)WSbn?tXlLls0vhs(R>;fvji&j)LmzzCuS$g*f>P+do76-ia*3
z5L)h-R+tq~bI?TnMiypGyk>HzXM%>Gg`eJ_Kdw%Q)~&A5s8lxc;_K08xdHb$tHss~
zQ06%Z`Ux30vsMoJkzCdQAClmzvaFvq<kn1MK}!%_nOX+5^k9tBJ8`2iOXn(IK6hAv
zXzE%(e(nzVTkb`cda+!8>$v(ozdTgB?rfaYc2L^tWXaqYqv!V?<N7%;Hj*u}?Rl{n
zGIbdyPT!_TkXbEQK1JNMSN!#`Mu^lR4k;ocaO!xZ&EtE?ka$<HVBeG^$z%k;mxD8e
zmup&|vc0$9@n<Ok_%Ug=c%nrY=WAszA?SSsMJHo2li2`m8O(V|kq6WQ1!_VCq$%*H
zo&-6pbeL#$<r<m0RC3bant!1)rLJ40me`yPek3UGA7UyWNlgB^SawL1DMnOU8+rEW
zx}-;3OwkAy5$=yn5=h(y^uH7KbA12-m~YBr=F})T*Ri7Xf}PuGTbokn1L9`_^k#U7
z{s?q567yJ5iufem7E7M){l|lK$U9m2ssXEvxW#ISZY~VT`6mCe2(}nH&;5A`<(OtP
zsx9sp;pYnBwmOl*J9aWluAGN}$DqI8YdsKp5<U>#e(i*pP?q9YW+_Gcd57mdi3oqg
z&DIMJccnmIB5|L62LVC2&9mDrzo1FpLV&$|{_Sf0cka|4cOllD!!ZgF#OV-T;G=l_
zs!WV!B|pWd$9Ug<21Xzmw|D54Y=V-M=_6Ko2L0R7DZ%^W`fr1Mw!P0@1&{B&dXJAA
z-?!Y_EmPOb5ocV5Cl-wmyMkqw<N<6EE7T-5N_H*P&7&*mW7SG&wB&>mIMifgTgtak
z<W63aAr1bV%;d5-^4LbVOaODP!t2os&iL^h(BCiq!1M8Vu_n9{C|b5CZY^83ShBuc
zKp<kiCCD|5&b<;K;(yB+?tPZ7Rq{w|?qUxlDsp||3nXgl_Z@I^H$R0%DT*;i4AZbU
zbY}JwBRz^qrqvc+g^x?6XN2QxnTDjE_f3*-U?5S{<Jl8=yX5DYVaS{1-qtSp12meJ
zyXFM(I_pqmh+mT3>t@}(3g}PR<(c>OD0a=8+(o-P6D5JlvSqBZ(B?j`XDVNhr~Nl~
zch<rLH_^9LE}OnQGXmPDQU4mSvx`#3)xG0;uRt%w$M`@F))TPG4erb9zjFP*KJvB5
zo$JO`AhPtkC1{^1vFsC_!6NgIAu%GIJp2FAICCq|u(DKf4?_y+ebF~+uMpu(f(5oR
zxa$H_6D&Epcfh5%J+A*6;MABqZFj%@fVvcqpN|KA?Z8bBge}jY!0Hz|wNDB1OJ07U
z8^o;oW2BIDqE-V&_0kfd^yFI&UZPYwlP0nUiMEvkM>OkXQ7ul(dJm5T&LVQa^c`TD
zU08^gt7z9JV>F;hotnmX_c%EB`E~be&!0jHEzd@<aCLo_uQfnD3$SKf-7C`FD7Nnt
zBNzF>kSiYl(;{V+A&J{ugNl#$HAi9YYhX1!e_twc!C9c|BV@RCoQ<Zc+@d{=u(m>k
z)~Z-dT|H+6ejNP2K(VBee_MWUPPYhIXxF^DelRhNw03%xzRHNhBAyY$40qZveMY<Q
z3L6+MS`;$toQFOXhzd*XdgYX0#v99AVkv7p=9x2j6xU;;m`r};<S}W^_#OLwck#Vv
zADqs&<u#NH-T!yu3i^RpM<~ODJRdMmp@?vFn-jf9T|aA3AbLbRt$#7yNLxz$gB0lb
zm5>WlDCJbdlda2|sV%c8#$iaBg<4W{<Dqi&a#=EC6y;Hl<kx}(@!cqJ4VFxbKC(vp
zC|`IA2%gsM1WPuzCI`(hxnhT)BzWUb#Q1C2Lw<=iCqm-D!G0vzc}Lq-D^&0so5S=F
zAKXoXlvz#!{r&Pw%=tPq5DX{}JU&nyyassYgtCg#OXr%QLFr5W4fP~mF*|c*-g9!9
z9eqi;-On1K!=7cpk+097FC*`?FG)yS!8tm`wxozQZM)FT>}~8LLVZI>fz8m7u~OdP
zXjUG-g$OCA2FvoJ_2-C9N%~WQ6Bbo2d!TgGN`==#8keR$%$MiL-??w)Gi3M{q>j#<
z8?Q<3cr-jw8ig7qWG+5!;Wv37opC~&e}9f8S;@p<mIv@F6q2}bBf1;h8-IBNmA1mX
zjXAi-;_LUAU4Mxo*PH+I3#v#eQ<f@6PuIck6V?c$(2A^9L%Vkt!>=H9UMv$SDW8>c
zrf9)WsC>b^yH%omf#fC_e*vzjA@CZ~MW=VmIH9yvH9?&)7m%LomYyrg3W%d}3e+@$
zI;XSD3X+Q~DXwJ=B$7n#EN!6<7f*<^pgvT-{0AkJG$xroe@~|l14iw9s(srA7l;gd
zpd5BffjI6VV4671ib2nUycM<KlI_daKS4aP$hk2HPjb|gm5X{3@f<vDVG&ll=)^*4
z#*xpQ7mH0lmTA7W&Z4MVfkMGYT0iBsb|B?7G%Pu<h~bk}y(A2)g~gh|e`t*B3_KHN
zJ=trRUcwpvhZ|Tzba8uL{4G?zZc^PFePhUxf46*#^^wl_9s2F|VJ~|CDq)nLhB|V}
zE|q1R40Q`uqZHB=Efu}pLywuQKv%NElx{+_2eFdH_hhOly=3`t+S(Qw1gPv=WHU+}
zDLGx7(h6vsZn{y@E=(=LX<f6jy)Eb*PDL?<cWnCIv&v1K2}z3Q7aWFYQ9+kqdg=<?
zllxKZ8~mHaFlJ|mGD#~?la8$S#Wl+QZ4ameC4uRMLg*L!3u#d~W!Q)g7HyU_8@U7-
zd>e4<BAErar7C5cshF^{&;Q&Z*}nJPXEV!!pFDBpy|^#%9|`^fovG046OEL@k%!Wa
zt;41VcuWo-UDn7qp$MCS8W1erveDDeQy>=mFgL+3z!%RZ(^B3Ba5cW1p`ODxyNnn*
zBK~wMwr<Nt%A}_(m6n$sa`2hC9p&WXe+4gog|s{%Avk1KU}(hT>kKW6brFz;(p)qv
z%A~yuq|vs?%*#5xr1QukPK4koS~>y3<l7!ucAR9EEO_o-zC$lQLzKA&4wE+ZKY;Fb
zk@juI-esjV!|K*yrDG9Q`~*ts;?n@G%=F8f-hj(1hVEWyHhtF{vvkGhQ}OEs+p9Fh
zv8tb~D@hq4uf~&ndFepdAdm})53YSaaYw}Nhu6gZ5lr8v-Q7}z=*J)hXK0y7S7XQ)
z&)qF>y#JO1+|;^kX1c@%Q9|>^zj)l?K_$xwh&b~5MmeVyAE6LkeUlLpeS(L-$6Jcm
zvJlb59p@m)bK~VO>(N<=eT`wrz!l_aPm#9L#SGVwQ>G;?Valc(4G6XVa3OM#ENtX}
zf=ImjTP>ajsc7mOC3`8M-FzTLda&@cAzBrSiV(y61B<w3mQvy0P@(i8m`ZBdA;P3G
zBr5N42ZTZEX^8j3X19wrKi{QEEk&HkY<>Le)arNYvH4uav^ibOp!AI2b%4LegN{H#
z)BqAp@J0RZ#-Y+T8D?_E-bGA$Fk?sFR~+;yO5W3tkA&?n0R_U3pyWNE$u}zev%g;$
z-n}zCk5K<Z<BJ2vVyzHSdTrq&l|v_Oxnk$Swc$O@DA9k&xuh{N5fo4K87J|6y=41*
z<BXxgl#m8%@S4GP^zRI3H^*;sQ2z+?w=gRT?<c=Nj3A|yG0!hx2t=r1#di_dD-Pbh
zUl<&}u;nL)Wkq`8%X9Yg9lCF3<m!BjV$0lT=dI|u6x%M!LbaifbS?3$;e5}XY@O->
z>_JGIG6V^=-#NCF0EE+&HwRQeY1(O`aeS1mgbx=MU=KanT!Ix{6Ckh?jpgzR6BM8v
zTseNFcP__eO=yku8MBTgF2X;r+xh;syH3#Wj<4shX`RM&j$_Qf-R*l(_&9v+XOV{=
zhNz4E8@z3BXcR^7btwQr5}4n4Pju<?d;Kq@zvt`R+7e8E_ZwB5n?S*~4cZH6w~qIZ
z*Lb!f4j^(Euy5L4KQMge$5m=}xu7ncpA?aaCzs;F!*_Oi47$BAakIq?j31(e_Ktsv
z&ja|sgP0)1zlHN%2$rnwR56*@_0i<p_7Aq|+??Gp`n)xbem#K#&k(+5hv|k3mc=5*
zMU8@iT6g4rqsno9(0RXjAZ*&)E!X>JJMJt$7w`FY$133exXa!7hPN1JaSF~?DqW^!
zERhKvo~~^)!L(kE+VrrRa&Rh&BQ~CB?)vunOqWYG91*pJkiSetu57w~rUu8F{rm4-
zNE?NCb(j<<)$%d7&=?LXD=_z}-Y}zn9^vPmuFeV`=9px*lWRb9|M5}p<9y4lE*hge
zc<Lif3`v#VZ_f0Q@tF&*J;MP~TQQ@59Uxyl&PL$CmvQ?zfyH;>`vZT`()CAh1T?Qi
zOA(<IDw$eXVTv-jrEXaQrtz8zNu?B5r=R#a-M`@G_!EwH3r=2-jpEhyA{2J+3nIgs
znR_D^cq}SM%23lMfK{cXryN*i<}{<H=PP7>{|i~+E);0@CqI~=Ns;)PVSE3a%@_0E
zh#;t6$orN^;U+xU4qmQ9Si2vob9vv18X9vMbWj!$g|G>9YUXN1e~Oc*n6;#<qsTQ0
z)><#>eJH~=`BrGL>MJI_3aiCzGFDV3_@<o$`4tx9HXgEc*oxsjFx5vb_)NL_DCN;e
z2^Oq<LVnHT_{%Gdk2Hg76w6RHGxy3LfjqP*RIe9qpZxU}NM4U%%=?bj_XtpC0pH}F
zJ#FDBp`?&Q14QF!49lb}+PJsFd@#+yCB4v$BsmE9!BUwZ_W8vtwtM>A2z*{)YM;`v
zT!oL^2A%p$TJVsv!xR!NUfY5H6AuuY!t6UsU@~LtKC++t7RrK6A~zEFhV<U__RN_Z
zUlNF|fQeJiDzzN4VA;PoODSg*JdB_FqE(3hp7!7noj@iLisV=Ud}_k09-YcJQ%iRY
zZD-)I%7~E7urkNCdLp`V1gxwt{$T_RqgVEh0nD%tb*!6_Q)liPYMnDa2)mO^+h-lv
zp{i;G##ksJh(p6sjnZDsl<OqG<rx*`wVnC<j<T1`a}4rLVkqz4T!M1x1lM#?f96lP
z3`|AapXAyY)l8u7VL68-Th};-R1J^Fdis5Fk}?X@jPvC!Twl!p!2LlIu>@Isnozw5
ziM3kpF?nEk&3suQl0(<g(MK%bl%ZgJq#LL3axvOpEGB6K;L8AXOe|^bFPn1g+c*q4
zILT#EvK4b6nTJbO{+9_c^oeB#Q{ZTpg20@GVsunDw4Ju_nq7Diar1g-8&=Ol>y?c%
z7=asWMmY{P$;<Z}Y(7wUy?aq%kf17A*{`Ntfz&)_#z*4r^hqrr2$L-XdSv;GQ56U<
z1NMYjb3Ot`4z99wi}@cqvgRi8_43$rbyBgvPz&!o&Bw~P!8>iBVy1%YZ$p{~sdJa?
zEkY1x>*PBK4Vom4AxNalxTvggva%`B)mhQ3aUzR)h@Exd3SpKJ^I|f_VW>11U(cHb
z9euuFkz>q(wTF54XZsWx5kimmoD#^tZONks|3#To`IE83Fe>zuz~YurnlW|#+dm7E
zyh1*MIW7jCM+I2&9UZ>P5I)48uzCHg%wQPHLDYBT;5+j25&tX3#{<lQn82AR&(_6v
z;^u-Um9<AV!_3KlPrC^0`*;iuK0({KyTSBE{3+3modd2E+mxL6yycT;$0K3iT_>)=
z&D}oE{VP1Z2p_@W;J=jSJ&l;7`j?}9MtlPQA-`+p&lL{faZkC=07^N|y>2Wc7Y^Uy
z>md<PRzn2AtXb8H3TS1d6zcGObA6*YaH3!e@6!i3R2p-gga*WlY>$YG9NfJ;hxG=Z
zfk1Nz#A1mDraR)e33^E7QGu|79J0s9N+ryMf1OTk;qfJDuKyKocp+f`4qL9?)9)!|
z!Y7EzOHt~%7DwI8xUkw8HM@+XTNpiy#Y}mhHM$(%K){5rd*Hr@4lJK8W0p!5%fvw-
zFGbU&QMlkPYz|W;u0D@BGxvVk60KGQB*}Evhj|z$l2J!?5me(q#pX?-PF#aeaI+Mr
zEkT(jzFap>9!Cy(`hYtRu>-%C^e&srJae2iY>8xr2W**ynHA_K7?T)*a)5G+S2xC1
zfo>3IrfDL$d6X?X6Q#w&^OkL@D&|=Bi0tSVJ#{Y8edtKja?;dq!h*+;tM6#^70aba
zKxuxuBzp?mq6?cfOW%>7f6wYJXk_H2D!e|}=?+9Wi5zA;-GDhuAN2)A88#*oh~41J
zGr^hWZ9|rFkm55((e!nF;*wap8S<F3VkKpR&=E>n0!B6tWz*@d`I2#mPazF@-mZIk
zUf?N!Aebo!A#+p(9Yy%{N4b^fe5>rS>({T3>+j=l8}nhvbjGpiapp-CU{zm>Xw@`n
z0&EDxaL^ip)HdJJ^U!!Qy-VHxq$Q=QMtB1@Cz&faYB#YfED2lSpBGZ$3Cx5UAtpEZ
zGh=*94jcnakokR^7zbPmo`3<SK~%C3k!WOv2SrjE^8#Ev^V3?p5HxCK$N(B<M0Ju|
z#i3zXkqbb;U^-#mk7iIK9DNjFL)$F=;9SEkY|*F$KftA=7Ud{!w&B!M+k8`G8j12*
z*4#)Jx(vs-fSWTujI<^nN|6{5b<tL@MI!^HBb+hsXp_*vJn2Ak??>0NtLS8!##we^
z7p*eqI8PutN#8}0Scc9vWR4?OwiyQ30n?bVvJ9?{tnm*W0iAIABKZd0{W=c4Vkcr)
zAzM^qR<k7i<TYxLyqE~S(0N?ybZVqjm|tAFY3|wbndNB4aHw)s;5BX#8{^3cKI@dD
zWODVIC9IgIF@FFmW+~_|%BU5T(q=-ASus)<5Yz)2^tk$D=BSaPWF<qLA!1o93KAu5
znlD@PG{nlbKBWz_$eY~B|8Ql5D@aKZ0ud8Pn@gIoGbfMRtp}3GMKFQqj8v`(kwP%@
zs9@W(nAVDyEC&l+Ei3g>U50jJvP&>4qaKSWRx%>(iBWu5+X)#NT0DR(#O56P(;upE
zJy3nHlbyz{I#P7!q;OI*i`2mMuVaB3+8(szVPOc}rmBpsKImL)kC%qljv04kO;lO)
zqlf5~$`9A@0c-V=m}#;_nqvo@%HL_#0k2J=Pa@iWVezoZsz)l4QL0jbq>H{_%Yz=4
zoo=z{naOlAwKookKFhy9&=TfIZ|;t=ok*k8<Tk#@aP^aPs9tRpDxDrn1_BkLf1e+!
zE94;sPaf+YZX2saZCM+%Hc56&9VM8ZVuvmyzN?kc6+b3OjHWxAz^V_=W!4;a^Wo}G
z(>>m$GdCCUtqZ-A$ob<nL~OmKbV_gaWN2(-6qt%m@s^xouxdBIn{oeYY~nQ{(X5J5
z-Amm611!KxQxRwX{WEcK>Oefn_$zg0b-eKvm%BA`1G4xB5`A$F=+E97oP&SK?~alr
zN~A(EFjZ&4nov5qQ#dLi=;v2lu+6Ln)701aBy8G{9_Z0H=x{m_O**;FKOy`C47M@n
zRN+0SzicZhOB6j=vUd(l&BPKuN>NAY)bKgt$+|XTv?i~WA*RHroy332+J#duS;2-e
zHbF*9!AynHa&UWAEk?+iRWr$OQ;*f#7?|-FO!~L-y&{yRFTA{|P34?WP+?Zva#bZ>
z9eORwBzC@mAV#yoh?mI7={b29UO5qkNm`-dr03nKK~Sabv`l8JjOrtXvzDcVj5agu
zPSNPIrapCT=(P2e4Y<@j)JI4=H^DVIMOBV1tI4Lp$<bS*zT&&fj27$uO^_bs$QQND
z(GtIkHtLIXU-@lpL$Yk=wIYXF5#@a5Q7%whZsVhuuHKk9v%PWN;@O*Z!F`GAWk8fs
zWT(T;c$TWsfMI=TtC>`1TJu=?Ts7U?`EBo!*TV|8rNYvU*4mU?&0-!JxH{Qvuj=oq
zXBOJHxzXuKm-gwcf^&rl(}Fm!aWuxL)<WCAx(e-7!;qkAyVG9inr-BpnS90*(Vp7U
ziIH84cDoVh-j2V#siik}QU*D->sPqI+55Hm_+D#fGa^(+839{mMy|fB<eM1xF*7H)
z10Wc3|3&L`tmm@uJU@2b9d@11BBi2}UvmdO)x7)|xFS=bdl7{(c~<pr{G`fV@A!F6
zQBZ}(vp^GzMo{Y@mSWl1sKzn3y1Eg=(EHc|1Nl4UB-}!0CZlSOM(a+VpyeD_rdHde
z+MhI8nv?I399&UdzW?T`v-2w_QNQIYCw<}@u)w-)?ve7)pQxzzspN1i`t3y{?Ps+j
zeTMcZfAtX{FmQ4kl7l~G&Ecx;-d>t>n{4N%tDXMYb?&~d0`|&JHdiB+gyQ?pZgv%8
zqgQfW)@wCZM-<AWG$@|_clLDJ=1ivjV+JRF|K_ikv`arYz2*n=zP>ni@pn6(OG;+_
z%K6k-XPN4rjt-{hbD1r*jEb;G8tjTRw)REh+b+&Gy`?z<n0~p}>jwI(uxrH_-%+HN
zqRyP^`wy?5#rw?+pe{<uAnwhZ_cP4%?ZuqqLf2t^CZ6^_n@DPNo7+kkSn6AU9kR##
zD2OahAE|T2OD!g*c}Pa+U3Zq|a?{i`*g4b_g=q6cdwI^xE{1Jyz_%F!`^+KLk7WAx
zZoBKQ-;0Q<^4iJMZDX27gtATSrVOnPn*sN$aAF_mzU0pjvliUF)tbJhqh9?JF$T^$
z{jPKu+r|a1cqXpHZ>t3U$8|o{cYVEbEuDGphnzl3PF7`xqe!Y+tW`Y275`xL_?2eb
z>alcjiit=t-4q1zmy2($`|BW8SJOMH*Do=$d)El(w_l|F7_oobe!Pi~?{+f!7i4d>
zf8Bapud*Ce^lWyff_RHJdFjj`iEeYc;2m!*5fn-Pv}R9&tN}gUps8i2tb{F`e7<hF
zKIQ+EwNSxt;W7Xhr$wy*yfpW8;3{;NcgwYASkjNBemk2mEn{4b?F(xR^UGMe%!#_^
zsh7@D?);X*#Ht+~s;C;qcyv>6PoKoD*o+9(IOed42vvgxmLJz#0lXC4<J19qs{QuL
z0?XTbX|l>`jX8P^j&1w=+w@MUj%B#1^&Rf&9)`Zdo!LwY6&>i;nJ0)#QO)I;TJ>KE
z3t=%MYP59jZQasV>%ExW*{X>`)k@D*ZdG3m52ESD)n~qCUD?L1Io@68Ehyj^tV!wV
zwl|{o!n+t6PyF{=dfJ0Pw(|&i7H9bFDBx<=uZ{T+d3^>>?S{lw2aM@dBV%w@0;KM9
zeC}Cy%zZfEjbpUuIFYSG9pgg&^(`>qwjE_nd%E<c6=#@Lb_Wjjq1$HK!$Rk`fA)tS
zeF{huE!bhbgCRBsM4p>j{5Br9r145*TwfDOyMCp5f|$m3uRN&mJGd$M6SXko=6^R;
ztv_tYwHBZ8d4!`)9cFADdD&adb$ivdbN`PL>trvH^qA%>c<sz1=VYP^zgNmrSD;Kw
zni{4wlRoD1n!8egTId~YaN7cJ_=lys<4X&0D6e4)pWYNJ%Ew-+x45M<Y<t|BnFWvb
zp6)cMHr&{LSM4!=s5i^idp9}l+++P{Tl!8(yROc%QLCd*eyFacmi<WmXYg92FQ?EZ
z>7V^=;txPR*U9Rak9ciDn)w^ku&WsIA{u+e-U<)f<Ql7roSsG1yE0JPb;NT37!_Bz
zZJB~@InJ2xvojaPK_NA&{lygno`fyi(A}l&0_pjd5x%-8zm-HqTYyz#<G7Pn7%U>`
zu$cT7_$jZPT7nMqaXLywmyVJhjo~&}^+lEga52)OZo|wtigd<>4o6k_7SzPG?je6s
zCteLDeLcH?s}V%FQa3>?w_PRa>k$3c3U5}tfY<u65Id69%`J3P5cIBsT##{}U9@3*
z9aLX|rZF}un$&AOyu6R5Uq9Q2yhqn{p5u29(|yd35_HHVqVd^dNvj}F>5S2;nJP`t
zv1_J?j*417BY1W=xk{|AXsGI<c>&G7{hb9nWk<s$ugXPlAiaGgTwz%8Zt>Awk{{!4
z3uC5h=h0b3?lk(GMb#y`wPF-I#o?Q}PPOLqt&o15eRj1f*)yy<JaqU3g=3K7AL=%V
zPzNun!&Et3(l(|y8=2z>(x|)tOenl7=EP1`L*rZHxJJIoyHkQ`qT6|2#?VPO!;$Ll
zHt}oah&LTJFhOyf_8{+yGL==4UgkUBF@yX7$%KWHhCGEqd8TH@4}^)uV0JYM_1&}z
z-frFHYQ?9(z2M~fKF}{gJ*8@je#Rr6S$>cY(7D{1roAtbwW9tbAO)<FLRl&Vonj8%
zsz%(NB-XD$t=m6C9&`8h1L^U@UPYdMOWy#AXLuYlTf4@!rA_!llB`wKJFsjS&htho
z-y<z8L*n=JKW&-amoy~TIic%<Jon|D&AM%e**$5hB4-9Pu3luud5cm=zkds9VA<6T
zYIT*%{>ir=S!25%ujes0_M4H{SuneQxNr6H5A+1T<u1LVw+Yh|UoSMRBC#w|Fh9PT
zy8HgZ4t0G1Z)H)qh-tc*8o8M9m^hgM8xR&I7FK#DHhLybRVGdz77iXZPFf}=9wsKq
z%)$8o2Z61<sU^Vk|4qQm!^-wQ2>!A=&H@R3{x1nGmbPZjE=It6ivNcY_WvoQ$XnA1
zNW=Oc4e&xEkH~+6vUgIox3>ZLWomD1MyzOI?_%$4VeddJB0|i<#LPzgQ_jf5((b=b
zYN}+xaUeO*|0I`_;}JD;vUD>u6?d|?1pzW-Fts%05f|YUXJ+PPW8!3C;^1Ot{>988
zA|lEyBF4$hDI(6sCadgc3FN~4zj3iQakVwGbCDALUrboJgqgXx#ecC0vvV^ui?MUD
zu!xFrFp0DL;$&rJ<6;-x{PW+fxBrcalpS#Lb|z;3lZhp8B>$5M_x~4@uoc(;?vVca
mzel3rWNB_`XJjM#e~#$?Z(4RD3XVW#AW~xTqIJTCLH`%M;40t%

literal 0
HcmV?d00001

diff --git a/deployment-apps/Splunk_TA_windows/static/appIcon_2x.png b/deployment-apps/Splunk_TA_windows/static/appIcon_2x.png
new file mode 100644
index 0000000000000000000000000000000000000000..c638b3f159fc4047a35e86d577c49cb0234f6933
GIT binary patch
literal 6738
zcma)Bby!sC+a6LH1W6HwMrs(kTV&{^Lt=mdhMHj*O36V$1OaJ8LMf4uP6?$`9h8t1
z7(i5F5NY_(-Tm!;*X|eRx=y|4zVGLLo;Ut@Pn@ygO==1@3IG5=4bjmuxwz~6JjqBe
zuIAtBZeH97{7i0Y0IJ5=KVQ6%BXz9(002scpC<v}(PI_>fEWWevqD=L=qorQyv3j{
z2q&0WkT>!I4FD(wDO@~y!_ZJ*khhnQpF)r__b-IP#q-Z*5I67_1nsHJZDn8#)I^|Q
zKxr{4F>!7c3Lp@ugmQ6JFwxTfgMRU*%<YawBNafPz`#JUKuIwK$_)gTmzM{LOMoOK
zL@yAce!)IyXppFnAJ6Y1f9hz#{G3s6BpQzJ0shp5IwAbg%G}&P1O4at!>2dWz~Dcj
zeEj~%>mox?5EKali;080y+QxR^h2A#{xbQmOh2<=Bn)H%^F#QfoM9Jmo_`ZU!(IOe
zou6NRS@<{FMZN!b-~Xw}MaoJSXafTUEf@+O0CUksA-sPT1_?#^!G4-l=Kj;=-&sG2
zztU8I`}m=uKF%<Rmdb^a7#!}RASEFwEe(^B5(P^^p`ub?33*XDCrLR`n4B{dChaOO
zCo3hb1o{X4zxBZ%>MjUpe{Yx%`VV!N3w3QxS#2;_R!Uq}LR>};3|0rrXliQ7Yu=ER
zm(|pklKNBmZ`8k(l|cVU_tzl%z3>05#Xo~e%4vY*<h9kMG^FLh;2Y9%5)xWBWW=>4
z)MX{XQgRpR{Gt07^>0Cc{|5PIrT&nW|G#AaM*WAZ5en`G_knt8{T2FWNBsXv^}Dlw
zk@#DfpJPqo0&>v}(4P}W1*`=6N88`<7n%y1C>RutK$#&BUMlK8*8`xjI|7aHb4MV7
znwmffaj+Cn&;aTT_xag){a5+^8|e={CD6}V`nOs8`;zdh^<qs>p}1iFxxT1SluW}i
z002ffL`&T)hyZtsG9kCuUuC~#e{+03cK@^8i*I&6BEexqGQIvzRL>L0b#<|X8V?Gd
zLKqsJK7VTQ{0bku+@jcEyySY?-6C^$v)>A?lTd)cpi5VsoujD37Mt2VU+f15ZrwQ!
zbvrxU3g4Rd&oF;q-&S`L=sNaTUUDtRZ*1gb-)SMUvq|}CQgP23!_Hyoqe9-`xDSw6
z3A^d>$Xfovt?gES+9amwv6TS}6(hTu`=KL_G#@L~I`o7~;w8s;`Bk!eiSl%;buh$h
z@7qr46N&f8iBFek4++xJ?Y(0BlC&Lb%PL&3){wsOqk6k09ZV0G7E<>R0FGFuU5u1&
zfzvlG`b|vR2C!04WR!}79CJ(>PE6UVG_nlxxtD6IA9*Q!(IevBQKSKoVbJABUf`!^
zH9$fwVeUDD2|Jzb47(T%26ugga;n5k^gJ!5oX&N;^qyR+IqBj75r9m$){qLbQrt_7
zAt2$WlW4Iqrr|N{=0{9pDg1^_vzYOW6Qbc<ryhIL-v=`<k=Fxz7^!n3(SR(Mv`b>E
zn!QT(?4j$f_LM`+vI3qegm<-uYl7&mHUOEV1iPJBQb$rH^X21oB2C0OKIACAh`$tc
z1=vuIp-I?iHDG?b=JJ8XD9?k50nlSX%(q&wAs;dIHsU^dBvm3-h*;|ZhUM9kSs2z?
z-37Uik|+%A2x9fWA(5;Gclz`eW9UOh!NXQFet1$c{_>zcf{w~2nTVpUfG8(YpOp-f
z7}s!KDRuQlo<aWgBe||-t7qhqlxP7RMf=iqR%93}_}=bGGh8P0{(~oD%kLbPFS9TL
z;~zr_%~|8)vb&{jx;Z)S6g2i>)WDY?^Y*ug{idh+@SHY<P}Ajr^OY09pf8x7k&XJT
z%l3}0Qy|y};dfZ;p*~2q$>ss{0EwwlWWdFnYc#{Y*G1GOHI3Y^aS5i_b$V(42)B<7
zvk#UDEg6zh7&okF5HuRY%#tSDl);(h1@A!7CG(_+s4I2}YJx!GKGD|`t0ZDoDfV-I
zYEvv)FMdN->;d=tfR-cdqH@|!OG#1D%Nm<9h`Ax|GJ@M2)|dBW=Cwdi8(5s*mdD7v
zb`nV)9E9>T%#ESavZqp-nk47V+pN#ZB^af~N{kG(3~%-ln}e9VqDferhO#ruj%!&y
zQftZYp^9h4$J0e#jFv9feb2^QhppCqUjFui9#~`?-oUN1-^_B;`KvFW&g3gqvsq_F
zkNk+sNjCmB+86eM!fGMqI#g4u^<TtF+=H*K`@9@g)E{v3H7-&sUEuWz_)#!8h~uke
z)n@M~S*!CK{1SivS~vD0&bR0m+*(Om^c(R@KvD)b=5C;vhgbCjdF$sDm6%U!VglQ}
z@rZE1wYmenavkBWQ7-;PN<zg>7Xit|VLD->TE;}TNB11nh1N~qDtJpf<ZXBxBWoNj
z*9yp7Nd{N>PmJ%<f?_ad^wJ~&1NtSrsRng&-cRX2dzqxK9@}+d)EH_h#+{A(FYL*o
zLgtnz9YvIqb&bhw#OZtwsw<9e6D%vD4snd~s)iD)aD796j8B=DM!)RQxUmSSb|aB-
z7*Y0tG}$XI79NH*E_bTEg0yHR2&8&e(1<UWm91C*8BjEjBR$S6|1Ke;35O4$ciToK
zfX8upkO1OBS|s&e@ZF+DgKUFPf->7yrtiQ2p;kVK_n~8@+1)P$u4KEqW%`~*?Bf~N
za|Xvo-;V?l$H^$m`O?JacFk@;d$}$ZvC9!B3{qp$v>m++k+staRbF}@bR+1ayAl$5
zK$<(3LzY=cg|B4{Qaz8-?9;lf<72yHiyaSWzs0ec$+;D(q0K-<Pm`hHs!MoQ-2)iG
zxYvDc-XVZjd8Y3hT}x)B4Rg>X#IXp75-rCTOJK#?shjj*=qLKT&ZvNG%@(;vOD65x
zyzKV~o258BFqd{=<ht9YsbQwh!Z8@uWo?Qtwr2B@!NhzSENN)|xUdLjJ5f??7J!NV
z_7iF<0y$Q&aWo+ximUOajOgjhkRJ@RI<P}RlCPstZ7Vgo;Xum5Zwkg1g*Hr4(T^c+
zFkWB7Du)jHs!rG3gq|2&F_F<At|qA<gw>*)*uskB%X;el6pt2ouWMO(Ri=)d(3@}P
zG*62-CuBuz+d2eoEzTd+ON*wvL(J&Qif%QdE$kJyYnAplRk;fcb;;tHwlC2UYNR|(
zc`L+1#?y}>cxlF81-mV<=RBix^74IJ<8ahW2e&k(2ksK+r2S>^l0#ABcbmJ>zI}8!
zKGhnqnD#p@BfleezzEz*xAS{r<->`-fcmU@r)eSU`cg|$CxN0?bX?ImID$2u7q3@C
z%llA86dV$rqdQKbm13NbF_5J`%$nB>wB$D&iu=T4V%s>2(<?4>G(PIH&ph@yNt|uK
zaa@0p=45Zp%69EFq4^*-g9eVU7o!|1$F;ScSv?Pl=gZ)T@XzbQ>^Yi}4fQ^3pQ5iC
zzzld?2bGOm>C9y{`|?VHb8p%%o1|M4d|@}ryBz*mcm0ic*OYs;c<4ddl_)D2O3#Sn
zggy|&?lX05MR7bk>Szg)<)pje$yVIvdo3-5_H>(C<Rp+-H;IqHwOeL->I_yEC+5pI
z*<8?;$61hPcGeKzG%Q+~-)&ay$jY$ITJ(l$E8V}6cJP~QsP3y4sVRXZ)#E^XY|^|y
zlFI2MRuy@<W<a26zS_>m>pbCBVmoLLmy5Lv7g!;Mxi2-}n*0v8I^E(aF&}13=<h8#
z2CjI@uM2C^2pc&0b#d-dA9`{zJG9J<_Q=!zwsk8x#+J3ti5D87#9wY3ZfbKi0|<0o
zX<t4r<~4f?@R!=Ve-7+?Gd2)JSbi0r@@DR&t@gQRWm=}iK+D;}tBA2l?$&q`z?h2u
zi5|YpU|;uU4#BC{0z6K8NRHP0gd)M+bYCVbEEgMAyB2)-aSSy0e8c{*Fqc*j_L;Ed
zc;c9kFw=IS!8%X=fVyS3?-&MKW1BvI#nF7r$|CTErLu~`9sRu7!)NT9Gtp|d1WIq(
zlhSb=BBl7s;qSyLJQO5U1mEmAWO#qJtX}UnVctl)_x|~4L>xd~rT?)a^Bm>b<B<d%
z%iTQ_Hqq2qp9rQygG!|)>IK#Gaui*BaTasrwW*Mnz}-n)MuV+++0;Rn6v##d8c{~R
zIs}-xRb#z5^Mk~?vDtL6u;#M${Ot#Qbo9++-(Zx*WmPw3UO0~I8+G#7;iR!9{<*V+
z@(9j5=00t{v1XPZFo+tn7@=ZP+{SaZ>6e=p4Wu?OAYB?`ZaH1lX6C}3r5UV!Xs4IM
zZfH-fME1S@YQf?oWI>LlSE|6(+jK;FPud0|Y4-;_x0Hp?Dr)K<lf2tn+?vHZ?QoTm
z`4380PMX9Zi#uD7b5L{i#P(JYJ<S}nbVcgT`J<Q+-_h>s$9qG8D?NAcM(2B$wbk|7
z9L>AXGTUYyOUaC8?k4mC4pZm3rH7{loy2{$Ixd(!EDzL!$YHE9v}e~NJ=4o8f}Aw?
z>7A{ldS0)vjC=q&??55E3?Ik3>^SWCotF!3O83s!s!CTDZz2YjXE;*$Mu%M>;}Y<)
zX6r{x^+Tmi^My=>BY8<VmWZAA+vT;!*(YD#oM}AL6!yPl8Sy?(9MGhHw4rnI?7PfD
z<h3F@#Yv5K`6}O2q$XrM+n-jLwAxteE*L&+ypf9(E_}bK*|xHfq$GAZXi{Ku(>TKY
zNrJgI^>F>x+x3Ez{h2odv`OuelB3+y=u;+mmBYw~NIVZ<h<G1Z0lZhRnQ20P9PHSG
z$U-8iNHv56B3bCWeFiHZ!QEHxpX^qtW`-*^7|Gb*DJNXnKQ1nNu4(9?!heUR;|bFh
zBg3xNZfr}@&A@(IBaRHH7vU4fdjjF|0Y}yEyZA^l{Wsr^*-`Bl-cf%@Wr0$X=A9cY
zFP?}adEh_#x<4la)S;~)tj6_>ZbWO>`>xxkNhzf1?lBvdbzGzM^icu3UV<*@NJ3CT
zM}nl_VCPemgm?(#%LhsiKv-<Z)*Pi=9o6ur-Z4&iF8@PrELA8G^UAE1s>O7Vg1#mb
z)bhk-j$j0G!_mV!E@l{4nVK|Q#@S9JYdA1i!+^E*iwfDLG!j-bYR3~De%w?|7yXbs
z1yxPMtI>)Cm-Y0I8gzy1QAO5sv@+91D!r(e^?wdZ>ea?QI8{y8(+s7v68dr*k<$CX
z8*4nn+f@HG*);TKjWeILTGhrZ@J)wl(ziCtD8*6;p!wL2V`I|V(p)6%!Ccc2&vAb8
zrAHR<6GtM;JAnD!&38?()B6uvhioTi#RRy*Cu<PHF9PRd=f2Q1JI7Uh?cizi1;UV)
zHAk;}V;ETDY5Qb+(<v>iotWg}7*vdwNqZs600(Bq2&@qF6-4D*cjYT$UkZOGI--U+
z)l31JLHv<7_QQO6l>N&P`;N2s0WIQOs4HvF)>O{x343x~cN+o+ctA_Q;7tPS`HAaS
zEqqcC=AA+?WJ}CP?QcfWug{*59(rGG`XUxMQ*sTj-VY@{A;s}IlQF$FwH7|F*+RJV
z;y<8vABkdXiu5?n9=sS*&J45Nr~x)mj&A-q>abkt4eS&iz3d$PkyA{=MM7MMgCqNO
zfp00s<2GJEbX|BdiZ4*<ql}#lG2rvq%lzUU**Hyp(G<uxQ(-g+$lU*`JoL9rGjkE+
zm}R%bje>kDJnLb)M+EvPl=W_>WW!Q*FUiTL_@u#X%2IT>{lv#eZ#nKewBIH)xoHy^
zAF@sRpMZl`1yoJKLEU3h<T%zOnrqQ|Kt2=Sim&wgUM3vjXCPekWEj=Fy7IRl0TpJ*
z<{XvtjXM0gUw911J;Nu(NY4s3?12_ltYZ(A{=FRt++A<^@r`6`^HLG=9qw9UhD;)|
zOVdjteen~kcZ?ycJ`->uYT;vs^3IPNr_r7e;!L&hTTGMwdT*9KP)yZO#;&~YQor8a
z0L;4^tnFD;8eA#z>{<HRD?ilAiHf}9No|E!i=_o<rpT>0FtPLc+NGr7n8eE4j!MW4
ze|G-kPaT=CQ*7J!M480FPTv)h?VB}<KFRTxV*^hl5nbjyw{;90pG=6f=mo6`C0Pt1
zy^Is{RCy8kx9Kg@Wv*XZk2BM6eI%o!=iQc&NIQ6D`eNypj7YBBfSC6>p|{n%;x1EP
zN725T(AbxokY{EVjovBP6qJ0>h8qh0U8>@xS)j>TvS~P}QeH~2Cz}?5LI*QIz7s_q
z?fW8|J=L$~G);gSrrazkiseysHWO0h3ax2!VTo-$au?l{o)iC^{5|Pf$`h?ldk0}n
z^)jIrrofg{aodL__^aO)URyFUBhwwf7LZJ8e|*c4URT3o!dw<rAy&a|*f>>5|JgTT
zmtTY}LCUm9P^q*dq_DB{iJ(!ZCIcsAp@)@SPu#NJ*Yav&e(G+Gvq>bt#G!-Wl2)H+
z9lV-$m>HZTrz6VfIYPqPALqr^i8gTKjU?ya5wX>aI18}-F*Q$VLf;Ex03JdMUpX3E
zW=JmIxhB+?d#@?bp8Oy$MqT>B;^V%tu10aO#91ck3}{M-!RtZp*3Zvt9sqXf^(EIJ
zIg_M$edOYZ?avAF%hj~b8iHi@&19gwuU}}19UuDoGq+Nw#$AJ&E0krLCM<s+brLXu
z9d-<o3x15^Joqe$USv1PCU={kGT!DvopQ-{LG+7U4nJx$6oEMzpJI@RClbC{2(cad
ze)W)zwQR4d2MoC5^tksdj+hoT_?>t|d5SvD^O0eh2<l{T!4ICf;eIe=8J>q8D&o$D
z2ojPc@Q(HK;#c-%L-!bCYUNhfwsWZ5#H^k{N^)E8a4JT)G4p8B2paNcenq3M*h+M<
z7CWjw4+?WY*@$I~5@w|YQkjg%1xO8nC9drwS69;e>|0#!tO{C`WTrR-^q~o!QuMrj
zYZqZAt1Rn?C0j{7bBe;n=T*s!=Skw~mP2lZ%^<Yp{Z~mzsYVoX-T{(h)gIkQT8N)^
z(SI%SxXEjV(hr|JgU5Q6*apxzuR4t+OWT6dY%6^Fg(iN0-95mmsYj-F(&prw7b>t%
zb&4$#{hzq3CT`I}WEc^_t>nqE*ZURQhvqZb!!HlId>64v>`u%moNC#Sy8q)hd*O#I
z@AC6Ve1Tc59h;85T+g$gd~Ie{l;GO8iD>d-DGB>{-NxQFe<<6i=H$?<$<=LzUaqCA
zc6SOdl$TiIZc9x%fuS;95myaYe+5-bl=lG5n3Dtx&)3Qro-PJXxCoDwqE<~s!d3P*
z8m7Nz3%#ph>r!(bEL$grqYHG8SV$REZmG|k<1_3?nXb?muPa*U`UQFC_1hPjJO&9g
z=`aUUZ5{L;P*rA$V6S9V)BpvY#5JNQlZ)SCu2h_W1%GX*%+A8=m7-gQWer~8jo^8W
zuNIf^4$)g1O6%_Drq%4~6v^OgPsvzU@L5^H{)x<HZhelIh)j{912xy{g`9o$@@MF*
zyOHA6+Dlf+>WS;0ySuSU$DA7@Z^BS=Z&R}#v$!OKCp3jM;=2oO?Jn|^wq1&6S0k0b
z8tzq)cd5Bq$Yu-7A{S&8@!qEEQy(WT;CL(v6P4V+`$fGaiW@3EA#G$gvV3ELHzL-L
zS<<&(TGA<6I}iVOMVbBfaAUi8lTvgrmjiST&y0Oxk#CT%6m0x~_m=H5St=6NbFbtH
z*YTx#e0!!uR^Ggm{WLr;Wg1Mmdp&`Kc-TR$!^8h#$AhfM^SamxTGvIWW7Kcp1lnG{
zB5K4sz-5*9Iz%B%uj!;wB{k#%H&BdQ^tBHZ)E-I=OtI)RF|5ZCtyBgNo06i)F1En(
z6Bn?eot1BRFHDr7s5K_;T@jTa0LGG%b}!eTI>qEFJUlPF@?vwtC-JNgBMyfxu1q^}
zPORyn&=U!qh9(i{Edil=?o-Y3*g=UmxY-YnGnSq%h8C{Btna&ec{e8d34(*qU-%SD
zxGjgUDC^+3Qg?t-h)0|ru21d}UsekamsekHdBk4$&LPT*{T_MyKr>6SB=FU3zyfa=
z$OMoWD7=?Z+C755vO2zF+lp)2%U-GbEO|prosje(T>1)Smzpqvn%Cm~+xskJCxKBV
zr~UKw!?#Wfpl=%hG<jFHb&9tYdETOPj0#`7M1E2gFJh*4<!6=4#ZzUB;F(t~=Fu&<
z{Hk`AP?=CX?iq1E%Gi)k(n(xBS<II1p+R6^4$ZbOGebN^4?sy0{N*bQuAuWU06*mt
z>>b)VE9}{df;xa4pgEOyf~^``ty;U?0{kyK?W(do%u(WAnEmkcM-SwNp;ncKBj&#V
DQ5yUX

literal 0
HcmV?d00001