diff --git a/contentctl.yml b/contentctl.yml
index 78902fbffb..3e1e045d52 100644
--- a/contentctl.yml
+++ b/contentctl.yml
@@ -65,9 +65,9 @@ apps:
- uid: 742
title: Splunk Add-on for Microsoft Windows
appid: SPLUNK_ADD_ON_FOR_MICROSOFT_WINDOWS
- version: 9.0.1
+ version: 9.1.0
description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Splunk_TA_windows-9.0.1.spl
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Splunk_TA_910.tgz
- uid: 5709
title: Splunk Add-on for Sysmon
appid: Splunk_TA_microsoft_sysmon
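Review bot: The new `hardcoded_path` in this hunk points at an archive in the attack-range-appbinaries bucket with no accompanying digest, so whatever object sits at that URL at fetch time is what gets installed; the same applies to the path changes in the other four contentctl.yml hunks (uids 1876, 3110, 6207 and 3471). If the apps schema has a checksum field, record each artifact's digest next to its `hardcoded_path`; if it does not, a comment above the entry naming the expected digest (a placeholder such as `# sha256: <digest of Splunk_TA_910.tgz>`) at least lets a reviewer verify the object out of band. The new object name `Splunk_TA_910.tgz` also drops the product name and full version that the previous `Splunk_TA_windows-9.0.1.spl` and every other entry in these hunks encode, which makes it harder to confirm the archive matches `version: 9.1.0`; a name in the existing style, e.g. `Splunk_TA_windows-9.1.0.tgz`, would keep that check possible. The enclosing `apps:` list starts and ends outside the hunk.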
@@ -143,9 +143,9 @@ apps:
- uid: 1876
title: Splunk Add-on for AWS
appid: Splunk_TA_aws
- version: 7.11.0
+ version: 8.0.0
description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-web-services-aws_7110.tgz
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-web-services-aws_800.tgz
- uid: 3088
title: Splunk Add-on for Google Cloud Platform
appid: SPLUNK_ADD_ON_FOR_GOOGLE_CLOUD_PLATFORM
@@ -161,9 +161,9 @@ apps:
- uid: 3110
title: Splunk Add-on for Microsoft Cloud Services
appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES
- version: 5.6.0
+ version: 6.0.0
description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-cloud-services_560.tgz
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-cloud-services_600.tgz
- uid: 4055
title: Splunk Add-on for Microsoft Office 365
appid: SPLUNK_ADD_ON_FOR_MICROSOFT_OFFICE_365
@@ -185,9 +185,9 @@ apps:
- uid: 6207
title: Splunk Add-on for Microsoft Security
appid: Splunk_TA_MS_Security
- version: 2.5.4
+ version: 3.0.0
description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_254.tgz
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_300.tgz
- uid: 2734
title: URL Toolbox
appid: URL_TOOLBOX
@@ -221,10 +221,10 @@ apps:
- uid: 3471
title: Splunk Add-on for AppDynamics
appid: Splunk_TA_AppDynamics
- version: 3.1.4
+ version: 3.1.5
description: The Splunk Add-on for AppDynamics enables you to easily configure data
inputs to pull data from AppDynamics' REST APIs
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-splunk-add-on-for-appdynamics_314.tgz
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-splunk-add-on-for-appdynamics_315.tgz
- uid: 4221
title: Cisco NVM Add-on for Splunk
appid: TA-Cisco-NVM
diff --git a/data_sources/asl_aws_cloudtrail.yml b/data_sources/asl_aws_cloudtrail.yml
index bb4324f26c..cd1f16503b 100644
--- a/data_sources/asl_aws_cloudtrail.yml
+++ b/data_sources/asl_aws_cloudtrail.yml
@@ -23,7 +23,7 @@ separator: api.operation
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
output_fields:
- dest
- user
diff --git a/data_sources/aws_cloudfront.yml b/data_sources/aws_cloudfront.yml
index d43b6ae8c4..904ebb82b5 100644
--- a/data_sources/aws_cloudfront.yml
+++ b/data_sources/aws_cloudfront.yml
@@ -17,7 +17,7 @@ sourcetype: aws:cloudfront:accesslogs
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail.yml b/data_sources/aws_cloudtrail.yml
index b33bf24ee5..ffba794bb7 100644
--- a/data_sources/aws_cloudtrail.yml
+++ b/data_sources/aws_cloudtrail.yml
@@ -10,4 +10,4 @@ separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
diff --git a/data_sources/aws_cloudtrail_assumerolewithsaml.yml b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
index 98759f58e5..22749093fe 100644
--- a/data_sources/aws_cloudtrail_assumerolewithsaml.yml
+++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -18,7 +18,7 @@ separator_value: AssumeRoleWithSAML
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_consolelogin.yml b/data_sources/aws_cloudtrail_consolelogin.yml
index 191f0e8f53..3f340ec018 100644
--- a/data_sources/aws_cloudtrail_consolelogin.yml
+++ b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -18,7 +18,7 @@ separator_value: ConsoleLogin
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_copyobject.yml b/data_sources/aws_cloudtrail_copyobject.yml
index 8bde3d0c94..f3ae08ed04 100644
--- a/data_sources/aws_cloudtrail_copyobject.yml
+++ b/data_sources/aws_cloudtrail_copyobject.yml
@@ -17,7 +17,7 @@ separator_value: CopyObject
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- additionalEventData.AuthenticationMethod
diff --git a/data_sources/aws_cloudtrail_createaccesskey.yml b/data_sources/aws_cloudtrail_createaccesskey.yml
index d6103f7417..8974225997 100644
--- a/data_sources/aws_cloudtrail_createaccesskey.yml
+++ b/data_sources/aws_cloudtrail_createaccesskey.yml
@@ -17,7 +17,7 @@ separator_value: CreateAccessKey
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_createkey.yml b/data_sources/aws_cloudtrail_createkey.yml
index 77f4033612..3ef4acd800 100644
--- a/data_sources/aws_cloudtrail_createkey.yml
+++ b/data_sources/aws_cloudtrail_createkey.yml
@@ -17,7 +17,7 @@ separator_value: CreateKey
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_createloginprofile.yml b/data_sources/aws_cloudtrail_createloginprofile.yml
index 3b5b0f5f6c..4145a8f8f0 100644
--- a/data_sources/aws_cloudtrail_createloginprofile.yml
+++ b/data_sources/aws_cloudtrail_createloginprofile.yml
@@ -17,7 +17,7 @@ separator_value: CreateLoginProfile
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_createnetworkaclentry.yml b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
index 32bbdfe35c..7bb38c285c 100644
--- a/data_sources/aws_cloudtrail_createnetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
@@ -17,7 +17,7 @@ separator_value: CreateNetworkAclEntry
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_createpolicyversion.yml b/data_sources/aws_cloudtrail_createpolicyversion.yml
index cff1c696dc..bec1ecb68d 100644
--- a/data_sources/aws_cloudtrail_createpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_createpolicyversion.yml
@@ -17,7 +17,7 @@ separator_value: CreatePolicyVersion
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_createsnapshot.yml b/data_sources/aws_cloudtrail_createsnapshot.yml
index 36bd8d9fd2..8d96901777 100644
--- a/data_sources/aws_cloudtrail_createsnapshot.yml
+++ b/data_sources/aws_cloudtrail_createsnapshot.yml
@@ -17,7 +17,7 @@ separator_value: CreateSnapshot
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_createtask.yml b/data_sources/aws_cloudtrail_createtask.yml
index fec4ffdefc..1b11f682be 100644
--- a/data_sources/aws_cloudtrail_createtask.yml
+++ b/data_sources/aws_cloudtrail_createtask.yml
@@ -17,7 +17,7 @@ separator_value: CreateTask
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
index 700e754906..88da6499fe 100644
--- a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
@@ -17,7 +17,7 @@ separator_value: CreateVirtualMFADevice
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deactivatemfadevice.yml b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
index f2bc50603b..ff2edca9aa 100644
--- a/data_sources/aws_cloudtrail_deactivatemfadevice.yml
+++ b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
@@ -17,7 +17,7 @@ separator_value: DeactivateMFADevice
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
index 8df5bf8c78..4f6b5035e8 100644
--- a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
@@ -15,7 +15,7 @@ separator_value: DeleteAccountPasswordPolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deletealarms.yml b/data_sources/aws_cloudtrail_deletealarms.yml
index 9d0ff1600a..99049a40db 100644
--- a/data_sources/aws_cloudtrail_deletealarms.yml
+++ b/data_sources/aws_cloudtrail_deletealarms.yml
@@ -17,7 +17,7 @@ separator_value: DeleteAlarms
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deletedetector.yml b/data_sources/aws_cloudtrail_deletedetector.yml
index 5a2cdaf36c..6633a0481f 100644
--- a/data_sources/aws_cloudtrail_deletedetector.yml
+++ b/data_sources/aws_cloudtrail_deletedetector.yml
@@ -17,7 +17,7 @@ separator_value: DeleteDetector
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_deletegroup.yml b/data_sources/aws_cloudtrail_deletegroup.yml
index b6624cea96..ca371945cd 100644
--- a/data_sources/aws_cloudtrail_deletegroup.yml
+++ b/data_sources/aws_cloudtrail_deletegroup.yml
@@ -17,7 +17,7 @@ separator_value: DeleteGroup
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deleteguardrail.yml b/data_sources/aws_cloudtrail_deleteguardrail.yml
index ca0c189ad4..929827073a 100644
--- a/data_sources/aws_cloudtrail_deleteguardrail.yml
+++ b/data_sources/aws_cloudtrail_deleteguardrail.yml
@@ -13,7 +13,7 @@ separator_value: DeleteGuardrail
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deleteipset.yml b/data_sources/aws_cloudtrail_deleteipset.yml
index d663f0c417..d1fc575679 100644
--- a/data_sources/aws_cloudtrail_deleteipset.yml
+++ b/data_sources/aws_cloudtrail_deleteipset.yml
@@ -16,7 +16,7 @@ separator_value: DeleteIPSet
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_deleteknowledgebase.yml b/data_sources/aws_cloudtrail_deleteknowledgebase.yml
index b300a73280..96b2d6955f 100644
--- a/data_sources/aws_cloudtrail_deleteknowledgebase.yml
+++ b/data_sources/aws_cloudtrail_deleteknowledgebase.yml
@@ -13,7 +13,7 @@ separator_value: DeleteKnowledgeBase
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deleteloggingconfiguration.yml b/data_sources/aws_cloudtrail_deleteloggingconfiguration.yml
index ca5f2cae12..5be935acd0 100644
--- a/data_sources/aws_cloudtrail_deleteloggingconfiguration.yml
+++ b/data_sources/aws_cloudtrail_deleteloggingconfiguration.yml
@@ -10,7 +10,7 @@ separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
example_log: ''
diff --git a/data_sources/aws_cloudtrail_deleteloggroup.yml b/data_sources/aws_cloudtrail_deleteloggroup.yml
index e95ae6cc6e..572db20b92 100644
--- a/data_sources/aws_cloudtrail_deleteloggroup.yml
+++ b/data_sources/aws_cloudtrail_deleteloggroup.yml
@@ -17,7 +17,7 @@ separator_value: DeleteLogGroup
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- apiVersion
diff --git a/data_sources/aws_cloudtrail_deletelogstream.yml b/data_sources/aws_cloudtrail_deletelogstream.yml
index 79800c5bc6..1cd9697d2d 100644
--- a/data_sources/aws_cloudtrail_deletelogstream.yml
+++ b/data_sources/aws_cloudtrail_deletelogstream.yml
@@ -17,7 +17,7 @@ separator_value: DeleteLogStream
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- apiVersion
diff --git a/data_sources/aws_cloudtrail_deletemodelinvocationloggingconfiguration.yml b/data_sources/aws_cloudtrail_deletemodelinvocationloggingconfiguration.yml
index fff73851f0..adea53c5c5 100644
--- a/data_sources/aws_cloudtrail_deletemodelinvocationloggingconfiguration.yml
+++ b/data_sources/aws_cloudtrail_deletemodelinvocationloggingconfiguration.yml
@@ -14,7 +14,7 @@ separator_value: DeleteModelInvocationLoggingConfiguration
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
index c370577de2..831c381d2d 100644
--- a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
@@ -16,7 +16,7 @@ separator_value: DeleteNetworkAclEntry
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deletepolicy.yml b/data_sources/aws_cloudtrail_deletepolicy.yml
index 5fa0d00fbc..db580cc15f 100644
--- a/data_sources/aws_cloudtrail_deletepolicy.yml
+++ b/data_sources/aws_cloudtrail_deletepolicy.yml
@@ -15,7 +15,7 @@ separator_value: DeletePolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deleterule.yml b/data_sources/aws_cloudtrail_deleterule.yml
index f042a012c1..f9f8163a3a 100644
--- a/data_sources/aws_cloudtrail_deleterule.yml
+++ b/data_sources/aws_cloudtrail_deleterule.yml
@@ -17,7 +17,7 @@ separator_value: DeleteRule
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- apiVersion
diff --git a/data_sources/aws_cloudtrail_deleterulegroup.yml b/data_sources/aws_cloudtrail_deleterulegroup.yml
index cd8d1aaad5..f89e9a2784 100644
--- a/data_sources/aws_cloudtrail_deleterulegroup.yml
+++ b/data_sources/aws_cloudtrail_deleterulegroup.yml
@@ -10,7 +10,7 @@ separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
example_log: ''
diff --git a/data_sources/aws_cloudtrail_deletesnapshot.yml b/data_sources/aws_cloudtrail_deletesnapshot.yml
index b892915728..e48e6d6690 100644
--- a/data_sources/aws_cloudtrail_deletesnapshot.yml
+++ b/data_sources/aws_cloudtrail_deletesnapshot.yml
@@ -17,7 +17,7 @@ separator_value: DeleteSnapshot
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deletetrail.yml b/data_sources/aws_cloudtrail_deletetrail.yml
index 2089fefb11..7a2e190171 100644
--- a/data_sources/aws_cloudtrail_deletetrail.yml
+++ b/data_sources/aws_cloudtrail_deletetrail.yml
@@ -17,7 +17,7 @@ separator_value: DeleteTrail
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
index 0b9c95953b..cf42f9e78a 100644
--- a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
@@ -15,7 +15,7 @@ separator_value: DeleteVirtualMFADevice
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_deletewebacl.yml b/data_sources/aws_cloudtrail_deletewebacl.yml
index 9a2fd4f3ec..872c8535d7 100644
--- a/data_sources/aws_cloudtrail_deletewebacl.yml
+++ b/data_sources/aws_cloudtrail_deletewebacl.yml
@@ -15,7 +15,7 @@ separator_value: DeleteWebACL
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- apiVersion
diff --git a/data_sources/aws_cloudtrail_describeeventaggregates.yml b/data_sources/aws_cloudtrail_describeeventaggregates.yml
index 3664b4301c..72c9342b28 100644
--- a/data_sources/aws_cloudtrail_describeeventaggregates.yml
+++ b/data_sources/aws_cloudtrail_describeeventaggregates.yml
@@ -15,7 +15,7 @@ separator_value: DescribeEventAggregates
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_describeimagescanfindings.yml b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
index 3400093588..ea6037c256 100644
--- a/data_sources/aws_cloudtrail_describeimagescanfindings.yml
+++ b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
@@ -16,7 +16,7 @@ separator_value: DescribeImageScanFindings
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_describesnapshotattribute.yml b/data_sources/aws_cloudtrail_describesnapshotattribute.yml
index 4008f9a3e5..ac523d2ad6 100644
--- a/data_sources/aws_cloudtrail_describesnapshotattribute.yml
+++ b/data_sources/aws_cloudtrail_describesnapshotattribute.yml
@@ -10,7 +10,7 @@ separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- action
- app
diff --git a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
index 976f5b48db..45a573a9b1 100644
--- a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
@@ -15,7 +15,7 @@ separator_value: GetAccountPasswordPolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_getobject.yml b/data_sources/aws_cloudtrail_getobject.yml
index fc81d85ade..3c09d0d5f1 100644
--- a/data_sources/aws_cloudtrail_getobject.yml
+++ b/data_sources/aws_cloudtrail_getobject.yml
@@ -16,7 +16,7 @@ separator_value: GetObject
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- additionalEventData.AuthenticationMethod
diff --git a/data_sources/aws_cloudtrail_getpassworddata.yml b/data_sources/aws_cloudtrail_getpassworddata.yml
index ef38ee3110..e4d90bc79a 100644
--- a/data_sources/aws_cloudtrail_getpassworddata.yml
+++ b/data_sources/aws_cloudtrail_getpassworddata.yml
@@ -15,7 +15,7 @@ separator_value: GetPasswordData
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_invokemodel.yml b/data_sources/aws_cloudtrail_invokemodel.yml
index bf1f93d57e..14b69c98d8 100644
--- a/data_sources/aws_cloudtrail_invokemodel.yml
+++ b/data_sources/aws_cloudtrail_invokemodel.yml
@@ -13,7 +13,7 @@ separator_value: InvokeModel
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_jobcreated.yml b/data_sources/aws_cloudtrail_jobcreated.yml
index 8593885177..d611f77fe6 100644
--- a/data_sources/aws_cloudtrail_jobcreated.yml
+++ b/data_sources/aws_cloudtrail_jobcreated.yml
@@ -14,7 +14,7 @@ separator_value: JobCreated
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_listfoundationmodels.yml b/data_sources/aws_cloudtrail_listfoundationmodels.yml
index b98bd993da..bf7924b242 100644
--- a/data_sources/aws_cloudtrail_listfoundationmodels.yml
+++ b/data_sources/aws_cloudtrail_listfoundationmodels.yml
@@ -14,7 +14,7 @@ separator_value: ListFoundationModels
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_modifydbinstance.yml b/data_sources/aws_cloudtrail_modifydbinstance.yml
index d58556749c..457642a533 100644
--- a/data_sources/aws_cloudtrail_modifydbinstance.yml
+++ b/data_sources/aws_cloudtrail_modifydbinstance.yml
@@ -16,7 +16,7 @@ separator_value: ModifyDBInstance
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_modifyimageattribute.yml b/data_sources/aws_cloudtrail_modifyimageattribute.yml
index 472768d7c1..dba31077b4 100644
--- a/data_sources/aws_cloudtrail_modifyimageattribute.yml
+++ b/data_sources/aws_cloudtrail_modifyimageattribute.yml
@@ -15,7 +15,7 @@ separator_value: ModifyImageAttribute
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
index 9362228f2b..1a61dcddab 100644
--- a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
+++ b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
@@ -14,7 +14,7 @@ separator_value: ModifySnapshotAttribute
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_putbucketacl.yml b/data_sources/aws_cloudtrail_putbucketacl.yml
index bd560a8a68..4901e51c94 100644
--- a/data_sources/aws_cloudtrail_putbucketacl.yml
+++ b/data_sources/aws_cloudtrail_putbucketacl.yml
@@ -15,7 +15,7 @@ separator_value: PutBucketAcl
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_putbucketlifecycle.yml b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
index f9ec4743f1..db238fc1f5 100644
--- a/data_sources/aws_cloudtrail_putbucketlifecycle.yml
+++ b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
@@ -15,7 +15,7 @@ separator_value: PutBucketLifecycle
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- additionalEventData.AuthenticationMethod
diff --git a/data_sources/aws_cloudtrail_putbucketreplication.yml b/data_sources/aws_cloudtrail_putbucketreplication.yml
index bad8b16e5b..a5123ee502 100644
--- a/data_sources/aws_cloudtrail_putbucketreplication.yml
+++ b/data_sources/aws_cloudtrail_putbucketreplication.yml
@@ -14,7 +14,7 @@ separator_value: PutBucketReplication
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- additionalEventData.AuthenticationMethod
diff --git a/data_sources/aws_cloudtrail_putbucketversioning.yml b/data_sources/aws_cloudtrail_putbucketversioning.yml
index 7102a965c7..1a3c9cf2d6 100644
--- a/data_sources/aws_cloudtrail_putbucketversioning.yml
+++ b/data_sources/aws_cloudtrail_putbucketversioning.yml
@@ -14,7 +14,7 @@ separator_value: PutBucketVersioning
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- additionalEventData.AuthenticationMethod
diff --git a/data_sources/aws_cloudtrail_putimage.yml b/data_sources/aws_cloudtrail_putimage.yml
index 8fadbb3c45..2b1ddc57d0 100644
--- a/data_sources/aws_cloudtrail_putimage.yml
+++ b/data_sources/aws_cloudtrail_putimage.yml
@@ -15,7 +15,7 @@ separator_value: PutImage
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_putkeypolicy.yml b/data_sources/aws_cloudtrail_putkeypolicy.yml
index 58c4565737..b3c039bd31 100644
--- a/data_sources/aws_cloudtrail_putkeypolicy.yml
+++ b/data_sources/aws_cloudtrail_putkeypolicy.yml
@@ -11,7 +11,7 @@ separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
index a41415a4d0..87902a69f7 100644
--- a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
@@ -14,7 +14,7 @@ separator_value: ReplaceNetworkAclEntry
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
index d23063911e..543646e0ef 100644
--- a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
@@ -15,7 +15,7 @@ separator_value: SetDefaultPolicyVersion
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_stoplogging.yml b/data_sources/aws_cloudtrail_stoplogging.yml
index 20eea3e2cf..cdc53b20e8 100644
--- a/data_sources/aws_cloudtrail_stoplogging.yml
+++ b/data_sources/aws_cloudtrail_stoplogging.yml
@@ -14,7 +14,7 @@ separator_value: StopLogging
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
index 04ced13847..f3a6eb061c 100644
--- a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
@@ -14,7 +14,7 @@ separator_value: UpdateAccountPasswordPolicy
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_updateloginprofile.yml b/data_sources/aws_cloudtrail_updateloginprofile.yml
index 64115cda43..f82ab5b649 100644
--- a/data_sources/aws_cloudtrail_updateloginprofile.yml
+++ b/data_sources/aws_cloudtrail_updateloginprofile.yml
@@ -14,7 +14,7 @@ separator_value: UpdateLoginProfile
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_updatesamlprovider.yml b/data_sources/aws_cloudtrail_updatesamlprovider.yml
index cff9fdc6e3..63df76fe13 100644
--- a/data_sources/aws_cloudtrail_updatesamlprovider.yml
+++ b/data_sources/aws_cloudtrail_updatesamlprovider.yml
@@ -15,7 +15,7 @@ separator_value: UpdateSAMLProvider
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- action
diff --git a/data_sources/aws_cloudtrail_updatetrail.yml b/data_sources/aws_cloudtrail_updatetrail.yml
index 5936758d9c..39e1384186 100644
--- a/data_sources/aws_cloudtrail_updatetrail.yml
+++ b/data_sources/aws_cloudtrail_updatetrail.yml
@@ -15,7 +15,7 @@ separator_value: UpdateTrail
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- app
diff --git a/data_sources/aws_cloudwatchlogs_vpcflow.yml b/data_sources/aws_cloudwatchlogs_vpcflow.yml
index 3d80e2c05b..c21ea9d857 100644
--- a/data_sources/aws_cloudwatchlogs_vpcflow.yml
+++ b/data_sources/aws_cloudwatchlogs_vpcflow.yml
@@ -13,7 +13,7 @@ source: aws_cloudwatchlogs_vpcflow
sourcetype: aws:cloudwatchlogs:vpcflow
supported_TA:
- name: Splunk Add-on for AWS
- version: 7.11.0
+ version: 8.0.0
url: https://splunkbase.splunk.com/app/1876
fields:
- _raw
diff --git a/data_sources/aws_security_hub.yml b/data_sources/aws_security_hub.yml
index dc57550d33..5608934709 100644
--- a/data_sources/aws_security_hub.yml
+++ b/data_sources/aws_security_hub.yml
@@ -15,7 +15,7 @@ sourcetype: aws:securityhub:finding
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
- version: 7.11.0
+ version: 8.0.0
fields:
- _time
- AwsAccountId
diff --git a/data_sources/azure_active_directory.yml b/data_sources/azure_active_directory.yml
index 8a77883262..9dfb93a24a 100644
--- a/data_sources/azure_active_directory.yml
+++ b/data_sources/azure_active_directory.yml
@@ -10,7 +10,7 @@ separator: operationName
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
output_fields:
- dest
- user
diff --git a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
index 13f65760a2..708e4995ca 100644
--- a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
+++ b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
@@ -18,7 +18,7 @@ separator_value: Add app role assignment to service principal
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_add_member_to_role.yml b/data_sources/azure_active_directory_add_member_to_role.yml
index a9702440d7..6adf01340e 100644
--- a/data_sources/azure_active_directory_add_member_to_role.yml
+++ b/data_sources/azure_active_directory_add_member_to_role.yml
@@ -18,7 +18,7 @@ separator_value: Add member to role
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_add_owner_to_application.yml b/data_sources/azure_active_directory_add_owner_to_application.yml
index 772d0ee0bb..4c78ee255a 100644
--- a/data_sources/azure_active_directory_add_owner_to_application.yml
+++ b/data_sources/azure_active_directory_add_owner_to_application.yml
@@ -18,7 +18,7 @@ separator_value: Add owner to application
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_add_service_principal.yml b/data_sources/azure_active_directory_add_service_principal.yml
index 20044b7ccf..1ad23ccbf4 100644
--- a/data_sources/azure_active_directory_add_service_principal.yml
+++ b/data_sources/azure_active_directory_add_service_principal.yml
@@ -18,7 +18,7 @@ separator_value: Add service principal
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_add_unverified_domain.yml b/data_sources/azure_active_directory_add_unverified_domain.yml
index 221cbd3dda..6a06d028aa 100644
--- a/data_sources/azure_active_directory_add_unverified_domain.yml
+++ b/data_sources/azure_active_directory_add_unverified_domain.yml
@@ -17,7 +17,7 @@ separator_value: Add unverified domain
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_consent_to_application.yml b/data_sources/azure_active_directory_consent_to_application.yml
index 71e21afa7d..9d9fb1481a 100644
--- a/data_sources/azure_active_directory_consent_to_application.yml
+++ b/data_sources/azure_active_directory_consent_to_application.yml
@@ -18,7 +18,7 @@ separator_value: Consent to application
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_disable_strong_authentication.yml b/data_sources/azure_active_directory_disable_strong_authentication.yml
index ad82a59bee..15c3a92224 100644
--- a/data_sources/azure_active_directory_disable_strong_authentication.yml
+++ b/data_sources/azure_active_directory_disable_strong_authentication.yml
@@ -16,7 +16,7 @@ separator_value: Disable Strong Authentication
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_enable_account.yml b/data_sources/azure_active_directory_enable_account.yml
index b644839858..15d7bce4de 100644
--- a/data_sources/azure_active_directory_enable_account.yml
+++ b/data_sources/azure_active_directory_enable_account.yml
@@ -15,7 +15,7 @@ separator_value: Enable account
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_invite_external_user.yml b/data_sources/azure_active_directory_invite_external_user.yml
index cb5af3cd50..761498601d 100644
--- a/data_sources/azure_active_directory_invite_external_user.yml
+++ b/data_sources/azure_active_directory_invite_external_user.yml
@@ -16,7 +16,7 @@ separator_value: Invite external user
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_microsoftgraphactivitylogs.yml b/data_sources/azure_active_directory_microsoftgraphactivitylogs.yml
index 61ad73cb6a..762d980c6a 100644
--- a/data_sources/azure_active_directory_microsoftgraphactivitylogs.yml
+++ b/data_sources/azure_active_directory_microsoftgraphactivitylogs.yml
@@ -10,7 +10,7 @@ separator: operationName
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
example_log: '{"time": "2024-04-30T01:22:46.4948958Z", "resourceId": "/TENANTS/225E05A1-5914-4688-A404-7030E60F3143/PROVIDERS/MICROSOFT.AADIAM",
diff --git a/data_sources/azure_active_directory_noninteractiveusersigninlogs.yml b/data_sources/azure_active_directory_noninteractiveusersigninlogs.yml
index 68d1b32230..fbaad385f4 100644
--- a/data_sources/azure_active_directory_noninteractiveusersigninlogs.yml
+++ b/data_sources/azure_active_directory_noninteractiveusersigninlogs.yml
@@ -10,7 +10,7 @@ separator: operationName
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- action
- additional_details
diff --git a/data_sources/azure_active_directory_reset_password_(by_admin).yml b/data_sources/azure_active_directory_reset_password_(by_admin).yml
index 5a9a948e61..71dd3b2643 100644
--- a/data_sources/azure_active_directory_reset_password_(by_admin).yml
+++ b/data_sources/azure_active_directory_reset_password_(by_admin).yml
@@ -16,7 +16,7 @@ separator_value: Reset password (by admin)
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_set_domain_authentication.yml b/data_sources/azure_active_directory_set_domain_authentication.yml
index 186e8b96a0..68e8b68a15 100644
--- a/data_sources/azure_active_directory_set_domain_authentication.yml
+++ b/data_sources/azure_active_directory_set_domain_authentication.yml
@@ -16,7 +16,7 @@ separator_value: Set domain authentication
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_sign_in_activity.yml b/data_sources/azure_active_directory_sign_in_activity.yml
index 189a101f84..fa7d5b0285 100644
--- a/data_sources/azure_active_directory_sign_in_activity.yml
+++ b/data_sources/azure_active_directory_sign_in_activity.yml
@@ -16,7 +16,7 @@ separator_value: Sign-in activity
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_update_application.yml b/data_sources/azure_active_directory_update_application.yml
index 9e99985c97..3c9cd38c51 100644
--- a/data_sources/azure_active_directory_update_application.yml
+++ b/data_sources/azure_active_directory_update_application.yml
@@ -16,7 +16,7 @@ separator_value: Update application
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_update_authorization_policy.yml b/data_sources/azure_active_directory_update_authorization_policy.yml
index 2ff766979b..e16f5ee89f 100644
--- a/data_sources/azure_active_directory_update_authorization_policy.yml
+++ b/data_sources/azure_active_directory_update_authorization_policy.yml
@@ -16,7 +16,7 @@ separator_value: Update authorization policy
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_update_user.yml b/data_sources/azure_active_directory_update_user.yml
index 0e9b09fbe3..50024c80c8 100644
--- a/data_sources/azure_active_directory_update_user.yml
+++ b/data_sources/azure_active_directory_update_user.yml
@@ -14,7 +14,7 @@ separator_value: Update user
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_active_directory_user_registered_security_info.yml b/data_sources/azure_active_directory_user_registered_security_info.yml
index cf92d0872a..b8d2986c36 100644
--- a/data_sources/azure_active_directory_user_registered_security_info.yml
+++ b/data_sources/azure_active_directory_user_registered_security_info.yml
@@ -15,7 +15,7 @@ separator_value: User registered security info
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- Level
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
index 3e48f5c792..75ef1a10b8 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_account.yml
@@ -15,7 +15,7 @@ separator_value: Create or Update an Azure Automation account
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- authorization.action
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
index 23a1b54f38..9505880b61 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_runbook.yml
@@ -15,7 +15,7 @@ separator_value: Create or Update an Azure Automation Runbook
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- authorization.action
diff --git a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
index ff938be39c..2c20c3bfca 100644
--- a/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
+++ b/data_sources/azure_audit_create_or_update_an_azure_automation_webhook.yml
@@ -15,7 +15,7 @@ separator_value: Create or Update an Azure Automation webhook
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- _time
- authorization.action
diff --git a/data_sources/azure_monitor_activity.yml b/data_sources/azure_monitor_activity.yml
index 33e5dcecb9..f2969ac67f 100644
--- a/data_sources/azure_monitor_activity.yml
+++ b/data_sources/azure_monitor_activity.yml
@@ -13,7 +13,7 @@ separator: operationName
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
- version: 5.6.0
+ version: 6.0.0
fields:
- column
- action
diff --git a/data_sources/ms365_defender_incident_alerts.yml b/data_sources/ms365_defender_incident_alerts.yml
index aba72667f3..30df1652af 100644
--- a/data_sources/ms365_defender_incident_alerts.yml
+++ b/data_sources/ms365_defender_incident_alerts.yml
@@ -16,7 +16,7 @@ sourcetype: ms365:defender:incident:alerts
supported_TA:
- name: Splunk Add-on for Microsoft Security
url: https://splunkbase.splunk.com/app/6207
- version: 2.5.4
+ version: 3.0.0
fields:
- actorName
- alertId
diff --git a/data_sources/ms_defender_atp_alerts.yml b/data_sources/ms_defender_atp_alerts.yml
index bc9f72cf8f..e619308ab3 100644
--- a/data_sources/ms_defender_atp_alerts.yml
+++ b/data_sources/ms_defender_atp_alerts.yml
@@ -16,7 +16,7 @@ sourcetype: ms:defender:atp:alerts
supported_TA:
- name: Splunk Add-on for Microsoft Security
url: https://splunkbase.splunk.com/app/6207
- version: 2.5.4
+ version: 3.0.0
fields:
- column
- accountName
diff --git a/data_sources/ntlm_operational_8004.yml b/data_sources/ntlm_operational_8004.yml
index c46d335ca7..9ede4919d4 100644
--- a/data_sources/ntlm_operational_8004.yml
+++ b/data_sources/ntlm_operational_8004.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -95,6 +95,10 @@ fields:
- _sourcetype
- _subsecond
- _time
-example_log: |-
- 800404200x80000000000000002728229667Microsoft-Windows-NTLM/Operationalattack_dc.attack_range.lanVICTIM_PCbackupNULLWIN-SHKRDLDI3382
-
+example_log: 800404200x80000000000000002728229667Microsoft-Windows-NTLM/Operationalattack_dc.attack_range.lanVICTIM_PCbackupNULLWIN-SHKRDLDI3382
diff --git a/data_sources/ntlm_operational_8005.yml b/data_sources/ntlm_operational_8005.yml
index 31feb1faa2..927e613593 100644
--- a/data_sources/ntlm_operational_8005.yml
+++ b/data_sources/ntlm_operational_8005.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -95,4 +95,4 @@ fields:
- _sourcetype
- _subsecond
- _time
-example_log: |-
+example_log: ''
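Review bot: The rewrite leaves `example_log` as an explicit empty string, so this data source (and ntlm_operational_8006.yml in the hunk below) now carries no sample event at all, while the sibling ntlm_operational_8004.yml does. The old `|-` block with no content already parsed as an empty string, so nothing is lost by the formatter, but a reader of the file cannot tell whether the sample was omitted on purpose or never captured. If no representative 8005/8006 event is available yet, a comment such as `# TODO: add a representative Microsoft-Windows-NTLM/Operational event for this EventCode` above the key would make the gap visible instead of silently shipping an empty sample.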
diff --git a/data_sources/ntlm_operational_8006.yml b/data_sources/ntlm_operational_8006.yml
index a3ae5c9027..6e70f444f8 100644
--- a/data_sources/ntlm_operational_8006.yml
+++ b/data_sources/ntlm_operational_8006.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -95,4 +95,4 @@ fields:
- _sourcetype
- _subsecond
- _time
-example_log: |-
+example_log: ''
diff --git a/data_sources/powershell_script_block_logging_4104.yml b/data_sources/powershell_script_block_logging_4104.yml
index 3b21995c15..a8d0dc8139 100644
--- a/data_sources/powershell_script_block_logging_4104.yml
+++ b/data_sources/powershell_script_block_logging_4104.yml
@@ -3,8 +3,8 @@ id: 5cfd0c72-d989-47a0-92f9-6edc6f8d3564
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs detailed content of PowerShell script blocks as they are
- executed, including the full command text and context for the execution.
+description: Logs detailed content of PowerShell script blocks as they are executed,
+ including the full command text and context for the execution.
mitre_components:
- Script Execution
- Command Execution
@@ -18,7 +18,7 @@ separator_value: '4104'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -102,14 +102,11 @@ field_mappings:
ScriptBlockId: process.uid
ScriptBlockText: process.cmd_line
UserID: actor.user.uid
-example_log: 4104152150x04104152150x0112748Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-270.attackrange.local11function New-Mutex($MutexName) {
+ Name='MessageNumber'>11function
+ New-Mutex($MutexName) {
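Review bot: The new side of this hunk looks truncated as rendered: the header counts 14 old and 11 new lines, yet only one removed and two added lines are visible, and the first added line, ` Name='MessageNumber'>11function`, is a fragment with no `example_log:` key in front of it. This is consistent with angle-bracketed XML content of the event being stripped by the page extraction rather than by the commit, so it may be nothing. If the committed file really starts the value that way, the indented fragment would most likely be read as a continuation of the preceding `UserID: actor.user.uid` plain scalar or fail to parse, so it is worth loading the committed file with a YAML parser and checking that `example_log` still begins with `4104…` and that `field_mappings.UserID` is unchanged. The enclosing `field_mappings` mapping starts outside the hunk.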
diff --git a/data_sources/splunk_appdynamics_secure_application_alert.yml b/data_sources/splunk_appdynamics_secure_application_alert.yml
index fa20121066..299d98b32e 100644
--- a/data_sources/splunk_appdynamics_secure_application_alert.yml
+++ b/data_sources/splunk_appdynamics_secure_application_alert.yml
@@ -9,7 +9,7 @@ sourcetype: appdynamics_security
supported_TA:
- name: Splunk Add-on for AppDynamics
url: https://splunkbase.splunk.com/app/3471
- version: 3.1.4
+ version: 3.1.5
fields:
- SourceType
- apiServerExternal
diff --git a/data_sources/windows_active_directory_admon.yml b/data_sources/windows_active_directory_admon.yml
index cb22e42655..0b43727302 100644
--- a/data_sources/windows_active_directory_admon.yml
+++ b/data_sources/windows_active_directory_admon.yml
@@ -16,7 +16,7 @@ sourcetype: ActiveDirectory
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Guid
diff --git a/data_sources/windows_event_log_application_15457.yml b/data_sources/windows_event_log_application_15457.yml
index a3ba0e565e..bffe8e6bdc 100644
--- a/data_sources/windows_event_log_application_15457.yml
+++ b/data_sources/windows_event_log_application_15457.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -95,5 +95,8 @@ fields:
- user_group_id
- user_id
- vendor_product
-example_log: 1545704200x8000000000000015827Applicationar-win-2.attackrange.localshow advanced options10613C00000A00000009000000610072002D00770069006E002D0032000000070000006D00610073007400650072000000
-
+example_log: 1545704200x8000000000000015827Applicationar-win-2.attackrange.localshow
+ advanced options10613C00000A00000009000000610072002D00770069006E002D0032000000070000006D00610073007400650072000000
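Review bot: The rewrapped `example_log` now spans two lines as a plain multi-line scalar, so the break between `…localshow` and `advanced options…` is folded back into a single space and the value is unchanged; but that equivalence is easy to misread as an inserted newline when someone hand-edits the file later. If this is dumper output (it looks like a width-limited emitter) it is not a hand choice, but where the wrapping is kept, a folded block makes the intent explicit: `example_log: >-` followed by the same two content lines indented beneath it. The same applies to the wrapped single-quoted `example_log` in windows_event_log_appxdeployment_server_855.yml and to the re-quoted multi-paragraph descriptions in the appxdeployment_server and appxpackaging files, where the doubled blank lines are what preserve the paragraph breaks and a literal `|` block would show that structure more plainly.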
diff --git a/data_sources/windows_event_log_application_17135.yml b/data_sources/windows_event_log_application_17135.yml
index fae93b3183..112aabfe09 100644
--- a/data_sources/windows_event_log_application_17135.yml
+++ b/data_sources/windows_event_log_application_17135.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -92,5 +92,7 @@ fields:
- user_group_id
- user_id
- vendor_product
-example_log: 1713504200x8000000000000016509Applicationar-win-2.attackrange.localsp_add_sysadminEF4200000A00000009000000610072002D00770069006E002D0032000000070000006D00610073007400650072000000
-
+example_log: 1713504200x8000000000000016509Applicationar-win-2.attackrange.localsp_add_sysadminEF4200000A00000009000000610072002D00770069006E002D0032000000070000006D00610073007400650072000000
diff --git a/data_sources/windows_event_log_application_2282.yml b/data_sources/windows_event_log_application_2282.yml
index 238feadcce..80711e4ccf 100644
--- a/data_sources/windows_event_log_application_2282.yml
+++ b/data_sources/windows_event_log_application_2282.yml
@@ -16,7 +16,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
diff --git a/data_sources/windows_event_log_application_3000.yml b/data_sources/windows_event_log_application_3000.yml
index 2d14269d08..c545bba795 100644
--- a/data_sources/windows_event_log_application_3000.yml
+++ b/data_sources/windows_event_log_application_3000.yml
@@ -17,7 +17,7 @@ separator_value: '3000'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
diff --git a/data_sources/windows_event_log_application_8128.yml b/data_sources/windows_event_log_application_8128.yml
index 36bf0f0d29..a092131323 100644
--- a/data_sources/windows_event_log_application_8128.yml
+++ b/data_sources/windows_event_log_application_8128.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -84,5 +84,7 @@ fields:
- user_group_id
- user_id
- vendor_product
-example_log: 812804200x8000000000000016635Applicationar-win-2.attackrange.localodsole70.dll2022.160.1000sp_OACreateC01F00000A00000009000000610072002D00770069006E002D0032000000050000006D007300640062000000
-
+example_log: 812804200x8000000000000016635Applicationar-win-2.attackrange.localodsole70.dll2022.160.1000sp_OACreateC01F00000A00000009000000610072002D00770069006E002D0032000000050000006D007300640062000000
diff --git a/data_sources/windows_event_log_appxdeployment_server_400.yml b/data_sources/windows_event_log_appxdeployment_server_400.yml
index 8239948b16..8b5ea14b99 100644
--- a/data_sources/windows_event_log_appxdeployment_server_400.yml
+++ b/data_sources/windows_event_log_appxdeployment_server_400.yml
@@ -3,19 +3,31 @@ id: 3e5f9d2a-b8c7-4d1e-a6f3-7b9c8d5e4f2a
version: 1
date: '2025-08-05'
author: Michael Haag, Splunk
-description: |
- This data source captures Windows Event Logs from the Microsoft-Windows-AppXDeploymentServer/Operational channel, specifically focusing on EventCode 400. These events are generated when a package deployment operation begins, providing details about the package being deployed.
+description: 'This data source captures Windows Event Logs from the Microsoft-Windows-AppXDeploymentServer/Operational
+ channel, specifically focusing on EventCode 400. These events are generated when
+ a package deployment operation begins, providing details about the package being
+ deployed.
- Event ID 400 is particularly significant for security monitoring as it includes information about whether the package has full trust privileges. Full trust packages run with elevated privileges outside the normal AppX container restrictions, allowing them to access system resources that regular AppX packages cannot.
- Adversaries have been observed leveraging full trust MSIX packages to deliver malware, as documented in recent threat intelligence reports. Monitoring these events can help identify potentially malicious package installations that request elevated privileges.
+ Event ID 400 is particularly significant for security monitoring as it includes
+ information about whether the package has full trust privileges. Full trust packages
+ run with elevated privileges outside the normal AppX container restrictions, allowing
+ them to access system resources that regular AppX packages cannot.
+
+
+ Adversaries have been observed leveraging full trust MSIX packages to deliver malware,
+ as documented in recent threat intelligence reports. Monitoring these events can
+ help identify potentially malicious package installations that request elevated
+ privileges.
+
+ '
source: XmlWinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational
sourcetype: XmlWinEventLog
separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -59,4 +71,20 @@ references:
- https://learn.microsoft.com/en-us/windows/msix/desktop/desktop-to-uwp-behind-the-scenes
- https://learn.microsoft.com/en-us/windows/msix/package/package-identity
- https://redcanary.com/blog/threat-intelligence/msix-installers/
-example_log: 40004320x400000000000000116489Microsoft-Windows-AppXDeploymentServer/OperationalHaagMSIX6Microsoft.DesktopAppInstaller_2025.717.1857.0_neutral_~_8wekyb3d8bbwe (AppxBundleManifest.xml) C:0x0true\\?\Volume{de26f417-916d-40a6-aaa9-9675b36f2d21}false0x8false0x40040040falsefalsefalseNULLsihost.exefalse0x4000x800falsefalsex-windowsupdate://05C4B27B-6E00-4A05-9B94-15C77E54E690/F855810C-9F77-45FF-A0F5-CD0FEAA945C6/508bfda4dcfb262c40e6f5d8e8811b3f47ee98a2
\ No newline at end of file
+example_log: 40004320x400000000000000116489Microsoft-Windows-AppXDeploymentServer/OperationalHaagMSIX6Microsoft.DesktopAppInstaller_2025.717.1857.0_neutral_~_8wekyb3d8bbwe (AppxBundleManifest.xml) C:0x0true\\?\Volume{de26f417-916d-40a6-aaa9-9675b36f2d21}false0x8false0x40040040falsefalsefalseNULLsihost.exefalse0x4000x800falsefalsex-windowsupdate://05C4B27B-6E00-4A05-9B94-15C77E54E690/F855810C-9F77-45FF-A0F5-CD0FEAA945C6/508bfda4dcfb262c40e6f5d8e8811b3f47ee98a2
diff --git a/data_sources/windows_event_log_appxdeployment_server_854.yml b/data_sources/windows_event_log_appxdeployment_server_854.yml
index bf716250ba..aa4eec0cb1 100644
--- a/data_sources/windows_event_log_appxdeployment_server_854.yml
+++ b/data_sources/windows_event_log_appxdeployment_server_854.yml
@@ -3,19 +3,30 @@ id: 4d2e6f8a-c9b7-5a3e-8d1f-2e9c7b5a4f3d
version: 1
date: '2025-08-05'
author: Michael Haag, Splunk
-description: |
- This data source captures Windows Event Logs from the Microsoft-Windows-AppXDeploymentServer/Operational channel, specifically focusing on EventCode 854. These events are generated when an MSIX/AppX package has been successfully installed on a system.
+description: 'This data source captures Windows Event Logs from the Microsoft-Windows-AppXDeploymentServer/Operational
+ channel, specifically focusing on EventCode 854. These events are generated when
+ an MSIX/AppX package has been successfully installed on a system.
- Event ID 854 provides information about successful package installations, including the path to the installed package and the user who performed the installation. This data is valuable for security monitoring as it can help identify unauthorized or suspicious package installations.
- While most package installations are legitimate, monitoring these events can help identify potentially malicious activity, especially when correlated with other events such as unsigned package installations (EventID 603 with Flags=8388608) or full trust package installations (EventID 400 with HasFullTrust=true).
+ Event ID 854 provides information about successful package installations, including
+ the path to the installed package and the user who performed the installation. This
+ data is valuable for security monitoring as it can help identify unauthorized or
+ suspicious package installations.
+
+
+ While most package installations are legitimate, monitoring these events can help
+ identify potentially malicious activity, especially when correlated with other events
+ such as unsigned package installations (EventID 603 with Flags=8388608) or full
+ trust package installations (EventID 400 with HasFullTrust=true).
+
+ '
source: XmlWinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational
sourcetype: XmlWinEventLog
separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -52,4 +63,9 @@ references:
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://www.appdeploynews.com/packaging-types/msix/troubleshooting-an-msix-package/
- https://www.advancedinstaller.com/msix-installation-or-launching-errors-and-fixes.html
-example_log: 85404000x4000000000000000123456Microsoft-Windows-AppXDeploymentServer/OperationalDESKTOP-EXAMPLEC:\Users\User\Downloads\App.msix
\ No newline at end of file
+example_log: 85404000x4000000000000000123456Microsoft-Windows-AppXDeploymentServer/OperationalDESKTOP-EXAMPLEC:\Users\User\Downloads\App.msix
diff --git a/data_sources/windows_event_log_appxdeployment_server_855.yml b/data_sources/windows_event_log_appxdeployment_server_855.yml
index 79de4365f6..1a27d2d199 100644
--- a/data_sources/windows_event_log_appxdeployment_server_855.yml
+++ b/data_sources/windows_event_log_appxdeployment_server_855.yml
@@ -3,19 +3,30 @@ id: 4491537c-521c-46f7-9209-f56f852aa231
version: 1
date: '2025-08-05'
author: Michael Haag, Splunk
-description: |
- This data source captures Windows Event Logs from the Microsoft-Windows-AppXDeploymentServer/Operational channel, specifically focusing on EventCode 855. These events are generated when a package deployment operation completes successfully, providing details about the packages that were installed or updated.
-
- Event ID 855 is particularly valuable for security monitoring as it confirms the successful installation of MSIX packages, including information about the package identifiers. This can help identify potentially malicious package installations in an environment.
-
- Monitoring these events can help track MSIX package installations across an environment, which is important given that MSIX packages have been leveraged by threat actors such as FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113) for malware delivery.
+description: 'This data source captures Windows Event Logs from the Microsoft-Windows-AppXDeploymentServer/Operational
+ channel, specifically focusing on EventCode 855. These events are generated when
+ a package deployment operation completes successfully, providing details about the
+ packages that were installed or updated.
+
+
+ Event ID 855 is particularly valuable for security monitoring as it confirms the
+ successful installation of MSIX packages, including information about the package
+ identifiers. This can help identify potentially malicious package installations
+ in an environment.
+
+
+ Monitoring these events can help track MSIX package installations across an environment,
+ which is important given that MSIX packages have been leveraged by threat actors
+ such as FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113) for malware delivery.
+
+ '
source: XmlWinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational
sourcetype: XmlWinEventLog
separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -50,4 +61,12 @@ references:
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://www.advancedinstaller.com/msix-installation-or-launching-errors-and-fixes.html
- https://redcanary.com/blog/msix-installers/
-example_log: "85504400x400000000000000116417Microsoft-Windows-AppXDeploymentServer/OperationalHaagMSIX addPackageList: Microsoft.DesktopAppInstaller_1.26.430.0_neutral_split.scale-100_8wekyb3d8bbwe Microsoft.DesktopAppInstaller_2025.717.1857.0_neutral_~_8wekyb3d8bbwe updateList: Microsoft.DesktopAppInstaller_1.26.429.0_x64__8wekyb3d8bbwe is updating to Microsoft.DesktopAppInstaller_1.26.430.0_x64__8wekyb3d8bbwe"
+example_log: '85504400x400000000000000116417Microsoft-Windows-AppXDeploymentServer/OperationalHaagMSIX addPackageList: Microsoft.DesktopAppInstaller_1.26.430.0_neutral_split.scale-100_8wekyb3d8bbwe
+ Microsoft.DesktopAppInstaller_2025.717.1857.0_neutral_~_8wekyb3d8bbwe updateList:
+ Microsoft.DesktopAppInstaller_1.26.429.0_x64__8wekyb3d8bbwe is updating to Microsoft.DesktopAppInstaller_1.26.430.0_x64__8wekyb3d8bbwe'
diff --git a/data_sources/windows_event_log_appxpackaging_171.yml b/data_sources/windows_event_log_appxpackaging_171.yml
index bcd5a18608..3126071b3b 100644
--- a/data_sources/windows_event_log_appxpackaging_171.yml
+++ b/data_sources/windows_event_log_appxpackaging_171.yml
@@ -3,19 +3,31 @@ id: 2d0f8e3c-a2d7-4b9e-8f1c-6a5d7e3e9f2b
version: 1
date: '2025-08-05'
author: Michael Haag, Splunk
-description: |
- This data source captures Windows Event Logs from the Microsoft-Windows-AppXPackaging/Operational channel, specifically focusing on EventCode 171. These events are generated when a user clicks on or attempts to interact with an MSIX package, even if the package is not fully installed.
+description: 'This data source captures Windows Event Logs from the Microsoft-Windows-AppXPackaging/Operational
+ channel, specifically focusing on EventCode 171. These events are generated when
+ a user clicks on or attempts to interact with an MSIX package, even if the package
+ is not fully installed.
- Event ID 171 provides information about user interactions with MSIX packages, including the package full name and the user who initiated the interaction. This data is valuable for security monitoring as it can help identify what MSIX packages users are attempting to open in an environment, which may help detect malicious MSIX packages before they're fully installed.
- MSIX package abuse has been observed in various threat campaigns, including those from FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113). Monitoring these interactions can provide early warning of potential MSIX package abuse.
+ Event ID 171 provides information about user interactions with MSIX packages, including
+ the package full name and the user who initiated the interaction. This data is valuable
+ for security monitoring as it can help identify what MSIX packages users are attempting
+ to open in an environment, which may help detect malicious MSIX packages before
+ they''re fully installed.
+
+
+ MSIX package abuse has been observed in various threat campaigns, including those
+ from FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113). Monitoring these interactions
+ can provide early warning of potential MSIX package abuse.
+
+ '
source: XmlWinEventLog:Microsoft-Windows-AppxPackaging/Operational
sourcetype: XmlWinEventLog
separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -45,4 +57,9 @@ references:
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://www.appdeploynews.com/packaging-types/msix/troubleshooting-an-msix-package/
- https://redcanary.com/blog/msix-installers/
-example_log: 17104000x4000000000000000123456Microsoft-Windows-AppXPackaging/OperationalDESKTOP-EXAMPLEMaliciousApp_1.0.0.0_x64__abcd1234
\ No newline at end of file
+example_log: 17104000x4000000000000000123456Microsoft-Windows-AppXPackaging/OperationalDESKTOP-EXAMPLEMaliciousApp_1.0.0.0_x64__abcd1234
diff --git a/data_sources/windows_event_log_capi2_70.yml b/data_sources/windows_event_log_capi2_70.yml
index abbad4899e..c84837af86 100644
--- a/data_sources/windows_event_log_capi2_70.yml
+++ b/data_sources/windows_event_log_capi2_70.yml
@@ -3,8 +3,8 @@ id: 821de0a6-c5b4-491b-a27e-187552792817
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: This event log records events related to cryptographic operations,
- including the deletion and export of certificates.
+description: This event log records events related to cryptographic operations, including
+ the deletion and export of certificates.
mitre_components:
- Certificate Registration
- Process Metadata
@@ -18,7 +18,7 @@ separator_value: '70'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
@@ -67,18 +67,12 @@ fields:
- timestartpos
- user_id
- vendor_product
-example_log: 70047000x400000000000008070047000x4000000000000080308332Microsoft-Windows-CAPI2/Operationalwin-dc-mhaag-attack-range-84.attackrange.localMicrosoft-Windows-CAPI2/Operationalwin-dc-mhaag-attack-range-84.attackrange.local
+ fileRef='5A752C9207730D787A9AF0A11FDFD59F68A6EB8C.cer' subjectName='test.atomic.com'/>
diff --git a/data_sources/windows_event_log_capi2_81.yml b/data_sources/windows_event_log_capi2_81.yml
index c847f56249..a61f5fc88c 100644
--- a/data_sources/windows_event_log_capi2_81.yml
+++ b/data_sources/windows_event_log_capi2_81.yml
@@ -3,9 +3,8 @@ id: 463ff898-8135-4c0e-811e-f8629dfc5027
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an error when attempting to verify the digital signature of a
- file, including details about the file path, signature failure, and the
- process involved.
+description: Logs an error when attempting to verify the digital signature of a file,
+ including details about the file path, signature failure, and the process involved.
mitre_components:
- File Access
- File Metadata
@@ -19,7 +18,7 @@ separator_value: '81'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
@@ -68,32 +67,22 @@ fields:
- timestartpos
- user_id
- vendor_product
-example_log: 81028020x400000000000004081028020x40000000000000402400597Microsoft-Windows-CAPI2/Operationalmswin-server.attackrange.localMicrosoft-Windows-CAPI2/Operationalmswin-server.attackrange.local{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}WTD_UI_NONEWTD_STATEACTION_VERIFYWTD_UI_NONEWTD_STATEACTION_VERIFY2021-01-07T23:21:42.655ZThe digital
- signature of the object did not verify.The digital signature of the object did not
- verify.
+ hasFileHandle='true'/>2021-01-07T23:21:42.655ZThe digital signature of the object did not verify.The digital signature of the object did
+ not verify.
diff --git a/data_sources/windows_event_log_certificateservicesclient_1007.yml b/data_sources/windows_event_log_certificateservicesclient_1007.yml
index f3ba7e5eaa..22b3c9a8ee 100644
--- a/data_sources/windows_event_log_certificateservicesclient_1007.yml
+++ b/data_sources/windows_event_log_certificateservicesclient_1007.yml
@@ -18,7 +18,7 @@ separator_value: '1007'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
diff --git a/data_sources/windows_event_log_defender_1121.yml b/data_sources/windows_event_log_defender_1121.yml
index dea94f39f6..9e37dac616 100644
--- a/data_sources/windows_event_log_defender_1121.yml
+++ b/data_sources/windows_event_log_defender_1121.yml
@@ -3,8 +3,8 @@ id: 84a254c5-7900-4b52-a324-a176adb7c11d
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a Windows Defender attack surface reduction rule
- fires in block mode.
+description: Logs an event when a Windows Defender attack surface reduction rule fires
+ in block mode.
mitre_components:
- Application Log Content
- Host Status
@@ -16,7 +16,7 @@ separator_value: '1121'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -73,26 +73,17 @@ fields:
- timestamp
- user_id
- vendor_product
-example_log: 112103000x8000000000000000112103000x80000000000000002975Microsoft-Windows-Windows
- Defender/OperationalresearchvmhaaMicrosoft
- Defender Antivirus4.18.23100.20093B576869-A4EC-4529-8536-B80A7769E8992023-11-20T16:29:48.984Zresearchvmhaa\researchC:\Users\research\AppData\Local\Temp\script.vbsC:\Program Files\Microsoft
- Office\root\Office16\WINWORD.EXE1.401.912.01.1.23100.2009ENT\ConsR"C:\Program
- Files\Microsoft Office\root\Office16\WINWORD.EXE" 0x00000000
+ ActivityID='{fb36f2d9-5b89-4566-8af5-7c1212b4797f}'/>Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender
+ Antivirus4.18.23100.20093B576869-A4EC-4529-8536-B80A7769E8992023-11-20T16:29:48.984Zresearchvmhaa\researchC:\Users\research\AppData\Local\Temp\script.vbsC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE1.401.912.01.1.23100.2009ENT\ConsR"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 0x00000000
diff --git a/data_sources/windows_event_log_defender_1122.yml b/data_sources/windows_event_log_defender_1122.yml
index 48058366cb..8a9345be66 100644
--- a/data_sources/windows_event_log_defender_1122.yml
+++ b/data_sources/windows_event_log_defender_1122.yml
@@ -3,8 +3,8 @@ id: 4a2d0499-f489-4557-82f4-f357025cf3e7
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a process attempts to load a DLL that is blocked
- by an attack surface reduction rule.
+description: Logs an event when a process attempts to load a DLL that is blocked by
+ an attack surface reduction rule.
mitre_components:
- Application Log Content
- Process Creation
@@ -16,7 +16,7 @@ separator_value: '1122'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -70,24 +70,16 @@ fields:
- timestamp
- user_id
- vendor_product
-example_log: 112204000x8000000000000000112204000x80000000000000003701Microsoft-Windows-Windows
- Defender/OperationalresearchvmhaaMicrosoft
- Defender Antivirus4.18.23100.2009E6DB77E5-3DF2-4CF1-B95A-636979351E5B2023-11-26T23:43:08.709Z(unknown
- user)C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe1.401.1247.01.1.23100.2009ENT\ConsRMicrosoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender
+ Antivirus4.18.23100.2009E6DB77E5-3DF2-4CF1-B95A-636979351E5B2023-11-26T23:43:08.709Z(unknown user)C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe1.401.1247.01.1.23100.2009ENT\ConsRC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x00000000
+ Name='Involved File'>0x00000000
diff --git a/data_sources/windows_event_log_defender_1125.yml b/data_sources/windows_event_log_defender_1125.yml
index 24576ad25b..feacad4036 100644
--- a/data_sources/windows_event_log_defender_1125.yml
+++ b/data_sources/windows_event_log_defender_1125.yml
@@ -10,8 +10,19 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
-example_log: |-
- 112204000x80000000000000003701Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender Antivirus4.18.23100.2009E6DB77E5-3DF2-4CF1-B95A-636979351E5B2023-11-26T23:43:08.709Z(unknown user)C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe1.401.1247.01.1.23100.2009ENT\ConsRC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x00000000
+example_log: 112204000x80000000000000003701Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender
+ Antivirus4.18.23100.2009E6DB77E5-3DF2-4CF1-B95A-636979351E5B2023-11-26T23:43:08.709Z(unknown user)C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe1.401.1247.01.1.23100.2009ENT\ConsRC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x00000000
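Review bot: The sample on the new `example_log:` line does not look like an EventCode 1125 event: with the XML tags stripped in this view it begins `1122 0 4 0 0 0x8000…` and carries the same record number `3701`, the same ActivityID `E6DB77E5-3DF2-4CF1-B95A-636979351E5B` and the same timestamp `2023-11-26T23:43:08.709Z` as the sample in windows_event_log_defender_1122.yml in this same change, so it appears to be a copy of the 1122 sample rather than a captured 1125 event. The hunk header shows this source keys on `separator: EventCode`, so anything that checks the separator or the `fields` list against `example_log` would be validating a 1122 event here. Replace it with a captured 1125 event, or set `example_log: ''` as the other Defender sources in this change do until one is available.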
diff --git a/data_sources/windows_event_log_defender_1126.yml b/data_sources/windows_event_log_defender_1126.yml
index f3d8f75d05..100a0c0a2d 100644
--- a/data_sources/windows_event_log_defender_1126.yml
+++ b/data_sources/windows_event_log_defender_1126.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -98,4 +98,4 @@ fields:
- _serial
- _si
- _sourcetype
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_defender_1129.yml b/data_sources/windows_event_log_defender_1129.yml
index 2a16abb577..b3ebd4c501 100644
--- a/data_sources/windows_event_log_defender_1129.yml
+++ b/data_sources/windows_event_log_defender_1129.yml
@@ -3,8 +3,8 @@ id: 0572e119-a48a-4c70-bc58-90e453edacd2
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a user overrides a security policy set by an
- Attack Surface Reduction rule in Microsoft Defender.
+description: Logs an event when a user overrides a security policy set by an Attack
+ Surface Reduction rule in Microsoft Defender.
mitre_components:
- User Account Authentication
- Security Policy Modification
@@ -16,7 +16,7 @@ separator_value: '1129'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ComputerName
@@ -64,4 +64,4 @@ fields:
- timeendpos
- timestartpos
- vendor_product
-example_log: |
+example_log: ''
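Review bot: `example_log` is still empty after this change (`''`), so nothing in the file demonstrates that the declared `fields` (ComputerName, vendor_product, …) are actually produced by a Defender 1129 event; the quoting change only makes the gap explicit. If no event has been captured yet, a comment above the key such as `# no sample captured yet; the fields list above is presumably unverified against a live 1129 event` would tell the next maintainer the list is provisional. The same applies to the other Defender and PrintService sources in this change whose example_log becomes `''`.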
diff --git a/data_sources/windows_event_log_defender_1131.yml b/data_sources/windows_event_log_defender_1131.yml
index 7be846557a..3a7610c298 100644
--- a/data_sources/windows_event_log_defender_1131.yml
+++ b/data_sources/windows_event_log_defender_1131.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- ActivityID
- CategoryString
@@ -98,4 +98,4 @@ fields:
- _si
- _sourcetype
- _time
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_defender_1132.yml b/data_sources/windows_event_log_defender_1132.yml
index 4f180ad359..d18891e7b0 100644
--- a/data_sources/windows_event_log_defender_1132.yml
+++ b/data_sources/windows_event_log_defender_1132.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- ActivityID
- CategoryString
@@ -98,4 +98,4 @@ fields:
- _si
- _sourcetype
- _time
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_defender_1133.yml b/data_sources/windows_event_log_defender_1133.yml
index 1597f199e3..26fe2f290d 100644
--- a/data_sources/windows_event_log_defender_1133.yml
+++ b/data_sources/windows_event_log_defender_1133.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- ActivityID
- CategoryString
@@ -98,4 +98,4 @@ fields:
- _si
- _sourcetype
- _time
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_defender_1134.yml b/data_sources/windows_event_log_defender_1134.yml
index 63a3b9b599..1bfed08a18 100644
--- a/data_sources/windows_event_log_defender_1134.yml
+++ b/data_sources/windows_event_log_defender_1134.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- ActivityID
- CategoryString
@@ -98,4 +98,4 @@ fields:
- _si
- _sourcetype
- _time
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_defender_5007.yml b/data_sources/windows_event_log_defender_5007.yml
index 4b97f6a7cb..9ea6a3c89f 100644
--- a/data_sources/windows_event_log_defender_5007.yml
+++ b/data_sources/windows_event_log_defender_5007.yml
@@ -3,8 +3,7 @@ id: 27f18792-8d95-4871-8853-874b7faf023f
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when Windows Defender antimalware settings are
- modified.
+description: Logs an event when Windows Defender antimalware settings are modified.
mitre_components:
- Service Modification
- Service Metadata
@@ -14,7 +13,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
@@ -58,15 +57,11 @@ fields:
- timestamp
- user_id
- vendor_product
-example_log: 500704000x8000000000000000500704000x80000000000000003726Microsoft-Windows-Windows
- Defender/OperationalresearchvmhaaMicrosoft
- Defender Antivirus4.18.23100.2009HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 =
- 0x1
+ ProcessID='3512' ThreadID='5936'/>Microsoft-Windows-Windows Defender/OperationalresearchvmhaaMicrosoft Defender
+ Antivirus4.18.23100.2009HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
diff --git a/data_sources/windows_event_log_printservice_316.yml b/data_sources/windows_event_log_printservice_316.yml
index 46e5fea881..fbec35afe3 100644
--- a/data_sources/windows_event_log_printservice_316.yml
+++ b/data_sources/windows_event_log_printservice_316.yml
@@ -14,7 +14,7 @@ separator_value: '316'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ComputerName
diff --git a/data_sources/windows_event_log_printservice_4909.yml b/data_sources/windows_event_log_printservice_4909.yml
index eb9c0f20f9..f443bf87a2 100644
--- a/data_sources/windows_event_log_printservice_4909.yml
+++ b/data_sources/windows_event_log_printservice_4909.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_printservice_808.yml b/data_sources/windows_event_log_printservice_808.yml
index c989e88ce2..7e84babd6f 100644
--- a/data_sources/windows_event_log_printservice_808.yml
+++ b/data_sources/windows_event_log_printservice_808.yml
@@ -16,7 +16,7 @@ separator_value: '808'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ComputerName
diff --git a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
index c3352c16bd..924fe49ec9 100644
--- a/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
+++ b/data_sources/windows_event_log_remoteconnectionmanager_1149.yml
@@ -15,7 +15,7 @@ separator_value: '1149'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
diff --git a/data_sources/windows_event_log_security_1100.yml b/data_sources/windows_event_log_security_1100.yml
index 74d06863e0..2af420ae95 100644
--- a/data_sources/windows_event_log_security_1100.yml
+++ b/data_sources/windows_event_log_security_1100.yml
@@ -14,7 +14,7 @@ separator_value: '1100'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
@@ -93,11 +93,8 @@ output_fields:
- status
- subject
- vendor_product
-example_log: 11000410300x402000000000000011000410300x4020000000000000140874Securityar-win-2Securityar-win-2
diff --git a/data_sources/windows_event_log_security_1102.yml b/data_sources/windows_event_log_security_1102.yml
index 24aa526d9d..aa56b7cc68 100644
--- a/data_sources/windows_event_log_security_1102.yml
+++ b/data_sources/windows_event_log_security_1102.yml
@@ -15,7 +15,7 @@ separator_value: '1102'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Caller_User_Name
@@ -99,11 +99,8 @@ output_fields:
- subject
- user
- vendor_product
-example_log: 11020410400x402000000000000011020410400x40200000000000001826166Securityar-win-dc.attackrange.localSecurityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a27
diff --git a/data_sources/windows_event_log_security_4624.yml b/data_sources/windows_event_log_security_4624.yml
index e36f164022..afbe6e8c0d 100644
--- a/data_sources/windows_event_log_security_4624.yml
+++ b/data_sources/windows_event_log_security_4624.yml
@@ -15,7 +15,7 @@ separator_value: '4624'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -130,32 +130,20 @@ output_fields:
- signature_id
- src
- user
-example_log: 4624201254400x80200000000000004624201254400x8020000000000000371886Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x693ef43KerberosKerberos-{139F7D70-0163-38CC-676D-00AE04A0F19C}--00x0-10.0.1.1649980%%1833---%%18430x0NULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x693ef43KerberosKerberos-{139F7D70-0163-38CC-676D-00AE04A0F19C}--00x0-10.0.1.1649980%%1833---%%18430x0%%1843
diff --git a/data_sources/windows_event_log_security_4625.yml b/data_sources/windows_event_log_security_4625.yml
index 47ce36d8e1..4baf9fd4e5 100644
--- a/data_sources/windows_event_log_security_4625.yml
+++ b/data_sources/windows_event_log_security_4625.yml
@@ -14,7 +14,7 @@ separator_value: '4625'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -125,25 +125,16 @@ output_fields:
- signature_id
- src
- user
-example_log: 4625001254400x80100000000000004625001254400x8010000000000000367348Securityar-win-8.attackrange.localNULL SID--0x0NULL
- SIDAdministratorbuiltin0xc000006d%%23130xc000006a3NtLmSsp NTLM---00x0-10.0.1.3059450
+ Name='SubjectUserSid'>NULL SID--0x0NULL
+ SIDAdministratorbuiltin0xc000006d%%23130xc000006a3NtLmSsp NTLM---00x0-10.0.1.3059450
diff --git a/data_sources/windows_event_log_security_4627.yml b/data_sources/windows_event_log_security_4627.yml
index 7946788248..6969044481 100644
--- a/data_sources/windows_event_log_security_4627.yml
+++ b/data_sources/windows_event_log_security_4627.yml
@@ -3,8 +3,8 @@ id: e35c7b9a-b451-4084-95a5-43b7f8965cac
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a successful account logon occurs and displays
- the list of groups the logged-on account belongs to.
+description: Logs an event when a successful account logon occurs and displays the
+ list of groups the logged-on account belongs to.
mitre_components:
- Logon Session Creation
- Group Metadata
@@ -16,7 +16,7 @@ separator_value: '4627'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -103,19 +103,13 @@ output_fields:
- signature_id
- user
- vendor_product
-example_log: 4627001255400x80200000000000004627001255400x8020000000000000186260Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-2442966654-584408786-1775486684-1115lowprivATTACKRANGE.LOCAL0x1094dbc311
+ Name='SubjectUserSid'>S-1-0-0--0x0S-1-5-21-2442966654-584408786-1775486684-1115lowprivATTACKRANGE.LOCAL0x1094dbc311
diff --git a/data_sources/windows_event_log_security_4648.yml b/data_sources/windows_event_log_security_4648.yml
index f3213fcaa5..90e20921d6 100644
--- a/data_sources/windows_event_log_security_4648.yml
+++ b/data_sources/windows_event_log_security_4648.yml
@@ -3,8 +3,8 @@ id: 6a367f8b-1ee0-463d-94a7-029757c6cd02
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logged when an account logon is attempted by a process by
- explicitly specifying the credentials of that account
+description: Logged when an account logon is attempted by a process by explicitly
+ specifying the credentials of that account
mitre_components:
- User Account Authentication
- Logon Session Creation
@@ -15,7 +15,7 @@ separator_value: '4648'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -113,24 +113,15 @@ output_fields:
- dest
- src_ip
- user
-example_log: 4648001254400x80200000000000004648001254400x8020000000000000336567Securitywin-host-mvelazco-02713-447.attackrange.localATTACKRANGE\REED_LARSENreed_larsenATTACKRANGE0x1360f2{00000000-0000-0000-0000-000000000000}STEVE_BRADFORDattackrange.local{00000000-0000-0000-0000-000000000000}ATTACKRANGE\REED_LARSENreed_larsenATTACKRANGE0x1360f2{00000000-0000-0000-0000-000000000000}STEVE_BRADFORDattackrange.local{00000000-0000-0000-0000-000000000000}win-dc-mvelazco-02713-392.attackrange.localwin-dc-mvelazco-02713-392.attackrange.local0x410.0.1.14445
+ Name='TargetInfo'>win-dc-mvelazco-02713-392.attackrange.local0x410.0.1.14445
diff --git a/data_sources/windows_event_log_security_4662.yml b/data_sources/windows_event_log_security_4662.yml
index dfcf7da9cd..da9e0ed698 100644
--- a/data_sources/windows_event_log_security_4662.yml
+++ b/data_sources/windows_event_log_security_4662.yml
@@ -3,8 +3,8 @@ id: f3c2cd64-0b5f-4013-8201-35dc03828ec6
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a user accessed an object within the Active
- Directory, such as creating, modifying, or deleting it
+description: Logs an event when a user accessed an object within the Active Directory,
+ such as creating, modifying, or deleting it
mitre_components:
- Active Directory Object Access
- Active Directory Object Modification
@@ -15,7 +15,7 @@ separator_value: '4662'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- AccessList
@@ -98,19 +98,13 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4662001408000x80100000000000004662001408000x801000000000000021623198276Securityattack_range_dcattack_range\attackerattackerattack_range0x632426dc0DSgroupCN=Incoming Forest Trust
- Builders,CN=Users,DC=Attack_RangeObject
+ Name='SubjectUserSid'>attack_range\attackerattackerattack_range0x632426dc0DSgroupCN=Incoming
+ Forest Trust Builders,CN=Users,DC=Attack_RangeObject
Access0x0%%7688
diff --git a/data_sources/windows_event_log_security_4663.yml b/data_sources/windows_event_log_security_4663.yml
index 55dfd25439..ab9ed5f982 100644
--- a/data_sources/windows_event_log_security_4663.yml
+++ b/data_sources/windows_event_log_security_4663.yml
@@ -3,8 +3,8 @@ id: 5d6dca8c-dad9-494f-a321-ef2b0b92fbf4
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a user or process tried to access a file,
- directory, registry key, or other system object on the computer
+description: Logs an event when a user or process tried to access a file, directory,
+ registry key, or other system object on the computer
mitre_components:
- File Access
- File Modification
@@ -15,7 +15,7 @@ separator_value: '4663'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- AccessList
@@ -103,18 +103,12 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4663101280000x80200000000000004663101280000x802000000000000010525869Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x6cfe7SecurityFileC:\Program Files (x86)\ScreenConnect\App_Extensions\evilapp
- - Copy (2).aspx0x2220Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x6cfe7SecurityFileC:\Program
+ Files (x86)\ScreenConnect\App_Extensions\evilapp - Copy (2).aspx0x2220%%4424
diff --git a/data_sources/windows_event_log_security_4672.yml b/data_sources/windows_event_log_security_4672.yml
index a10e82525f..c77879744c 100644
--- a/data_sources/windows_event_log_security_4672.yml
+++ b/data_sources/windows_event_log_security_4672.yml
@@ -3,8 +3,8 @@ id: 43f189b6-369d-4a32-a34c-57e0d38d92f1
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a user with administrative privileges logs on to
- a system.
+description: Logs an event when a user with administrative privileges logs on to a
+ system.
mitre_components:
- Logon Session Creation
- User Account Authentication
@@ -15,7 +15,7 @@ separator_value: '4672'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -88,16 +88,11 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4672001254800x80200000000000004672001254800x8020000000000000148946Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509b11ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509b11SeSecurityPrivilege
diff --git a/data_sources/windows_event_log_security_4688.yml b/data_sources/windows_event_log_security_4688.yml
index 45c0e15336..d7a3f638de 100644
--- a/data_sources/windows_event_log_security_4688.yml
+++ b/data_sources/windows_event_log_security_4688.yml
@@ -11,13 +11,12 @@ source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
separator: EventCode
separator_value: '4688'
-configuration: Enabling Windows event log process command line logging via group
- policy object
- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_Windows_event_log_process_command_line_logging_via_group_policy_object
+configuration: Enabling Windows event log process command line logging via group policy
+ object https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_Windows_event_log_process_command_line_logging_via_group_policy_object
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- Caller_Domain
- Caller_User_Name
@@ -150,25 +149,16 @@ convert_to_log_source:
ProcessId: ParentProcessId
ParentProcessName: ParentImage
Computer: Computer
-example_log: 4688201331200x80200000000000004688201331200x8020000000000000432820Securityar-win-1NT AUTHORITY\SYSTEMAR-WIN-1$WORKGROUP0x3e70xf84C:\Program
- Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb2c"C:\Program
- Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program
- Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory
- Level
+ ProcessID='4' ThreadID='276'/>Securityar-win-1NT AUTHORITY\SYSTEMAR-WIN-1$WORKGROUP0x3e70xf84C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb2c"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
+ --ps2NULL SID--0x0C:\Program
+ Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory
+ Label\System Mandatory Level
diff --git a/data_sources/windows_event_log_security_4698.yml b/data_sources/windows_event_log_security_4698.yml
index 4da181de0a..3f7b10d843 100644
--- a/data_sources/windows_event_log_security_4698.yml
+++ b/data_sources/windows_event_log_security_4698.yml
@@ -14,7 +14,7 @@ separator_value: '4698'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Account_Domain
diff --git a/data_sources/windows_event_log_security_4699.yml b/data_sources/windows_event_log_security_4699.yml
index 58468c5d21..2d516bee22 100644
--- a/data_sources/windows_event_log_security_4699.yml
+++ b/data_sources/windows_event_log_security_4699.yml
@@ -14,7 +14,7 @@ separator_value: '4699'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Account_Domain
diff --git a/data_sources/windows_event_log_security_4700.yml b/data_sources/windows_event_log_security_4700.yml
index 06e05a80a6..c93c058165 100644
--- a/data_sources/windows_event_log_security_4700.yml
+++ b/data_sources/windows_event_log_security_4700.yml
@@ -10,10 +10,10 @@ separator: EventID
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- EventID
-example_log: '
+example_log:
4700 0 0 12804 0 0x8020000000000000 344861 C:\\Documents\\listener.exe
- '
+
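Review bot: The new bare `example_log:` line defers the value to the indented context line below it, so if that continuation or its indentation is lost the key silently parses as null instead of a string; keeping the value on the key line, e.g. `example_log: '4700 0 0 12804 0 0x8020000000000000 344861 C:\Documents\listener.exe'`, avoids that. Note also that neither the old single-quoted form nor the new plain scalar processes escapes, so the sample path is stored with doubled backslashes (`C:\\Documents\\listener.exe`) while the other samples in this change, e.g. `C:\Temp\poc_2\c2_agent.exe` in windows_event_log_security_4703.yml, carry single backslashes; presumably single backslashes were intended here — confirm against a captured event. This file also uses `separator: EventID` with only `EventID` in `fields`, unlike the sibling sources that use `separator: EventCode` plus a `separator_value`; if the consuming tooling expects the latter, this source should be aligned.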
diff --git a/data_sources/windows_event_log_security_4702.yml b/data_sources/windows_event_log_security_4702.yml
index 478d4e22af..e8dbadcc9a 100644
--- a/data_sources/windows_event_log_security_4702.yml
+++ b/data_sources/windows_event_log_security_4702.yml
@@ -10,10 +10,10 @@ separator: EventID
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- EventID
-example_log: '
+example_log:
4702 0 0 12804 0 0x8020000000000000 344863 C:\\Documents\\listener.exe
- '
+
diff --git a/data_sources/windows_event_log_security_4703.yml b/data_sources/windows_event_log_security_4703.yml
index 3a90f8fa22..776ff551da 100644
--- a/data_sources/windows_event_log_security_4703.yml
+++ b/data_sources/windows_event_log_security_4703.yml
@@ -14,7 +14,7 @@ separator_value: '4703'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Caller_Domain
@@ -106,22 +106,13 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4703001331700x80200000000000004703001331700x8020000000000000328761Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91C:\Temp\poc_2\c2_agent.exe0x570SeDebugPrivilege-
+ ProcessID='4' ThreadID='320'/>Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91C:\Temp\poc_2\c2_agent.exe0x570SeDebugPrivilege-
diff --git a/data_sources/windows_event_log_security_4719.yml b/data_sources/windows_event_log_security_4719.yml
index cc7c935fc3..3da0f10e2d 100644
--- a/data_sources/windows_event_log_security_4719.yml
+++ b/data_sources/windows_event_log_security_4719.yml
@@ -3,8 +3,7 @@ id: 954033e6-dd05-4775-a1f2-1f19632f4420
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a system audit policy is modified on a Windows
- system.
+description: Logs an event when a system audit policy is modified on a Windows system.
mitre_components:
- Service Modification
- User Account Modification
@@ -15,7 +14,7 @@ separator_value: '4719'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -94,18 +93,12 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4719001356800x80200000000000004719001356800x8020000000000000353597Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7%%8276%%13312{0CCE922B-69AE-11D9-BED3-505054503030}NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7%%8276%%13312{0CCE922B-69AE-11D9-BED3-505054503030}%%8448, %%8450
diff --git a/data_sources/windows_event_log_security_4720.yml b/data_sources/windows_event_log_security_4720.yml
index 59b0094595..6902546a20 100644
--- a/data_sources/windows_event_log_security_4720.yml
+++ b/data_sources/windows_event_log_security_4720.yml
@@ -3,8 +3,7 @@ id: 7ef1c9e5-691b-48c2-811b-eba91d2d2f1d
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a new user account is created on a Windows
- system.
+description: Logs an event when a new user account is created on a Windows system.
mitre_components:
- User Account Creation
source: XmlWinEventLog:Security
@@ -14,7 +13,7 @@ separator_value: '4720'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Account_Domain
diff --git a/data_sources/windows_event_log_security_4724.yml b/data_sources/windows_event_log_security_4724.yml
index dc1c4df31f..39d78c7a08 100644
--- a/data_sources/windows_event_log_security_4724.yml
+++ b/data_sources/windows_event_log_security_4724.yml
@@ -3,8 +3,8 @@ id: 117fe51f-93f8-4589-8e8b-c6b7b7154c7d
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when an attempt is made to reset an account's
- password, whether successful or not.
+description: Logs an event when an attempt is made to reset an account's password,
+ whether successful or not.
mitre_components:
- User Account Modification
source: XmlWinEventLog:Security
@@ -14,7 +14,7 @@ separator_value: '4724'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Caller_Domain
@@ -102,17 +102,11 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4724001382400x80200000000000004724001382400x8020000000000000276779Securityar-win-dc.attackrange.localTRUMAN_CLEMENTSATTACKRANGEATTACKRANGE\TRUMAN_CLEMENTSATTACKRANGE\AdministratorAdministratorATTACKRANGESecurityar-win-dc.attackrange.localTRUMAN_CLEMENTSATTACKRANGEATTACKRANGE\TRUMAN_CLEMENTSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
diff --git a/data_sources/windows_event_log_security_4725.yml b/data_sources/windows_event_log_security_4725.yml
index 26adefeadf..52d755069c 100644
--- a/data_sources/windows_event_log_security_4725.yml
+++ b/data_sources/windows_event_log_security_4725.yml
@@ -3,8 +3,7 @@ id: 31fd887d-0d14-44cc-bb64-80063a9f2968
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a user account has been disabled in Active
- Directory.
+description: Logs an event when a user account has been disabled in Active Directory.
mitre_components:
- User Account Modification
source: XmlWinEventLog:Security
@@ -14,7 +13,7 @@ separator_value: '4725'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Caller_Domain
@@ -102,17 +101,11 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4725001382400x80200000000000004725001382400x8020000000000000278771Securityar-win-dc.attackrange.localWILFORD_SUTTONATTACKRANGEATTACKRANGE\WILFORD_SUTTONATTACKRANGE\AdministratorAdministratorATTACKRANGESecurityar-win-dc.attackrange.localWILFORD_SUTTONATTACKRANGEATTACKRANGE\WILFORD_SUTTONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1
diff --git a/data_sources/windows_event_log_security_4726.yml b/data_sources/windows_event_log_security_4726.yml
index 88246b3f09..9de62a0040 100644
--- a/data_sources/windows_event_log_security_4726.yml
+++ b/data_sources/windows_event_log_security_4726.yml
@@ -13,7 +13,7 @@ separator_value: '4726'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Caller_Domain
@@ -102,18 +102,11 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4726001382400x80200000000000004726001382400x8020000000000000279283Securityar-win-dc.attackrange.localLYNN_WOLFATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2445ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-
+ ProcessID='612' ThreadID='3184'/>Securityar-win-dc.attackrange.localLYNN_WOLFATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2445ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-
diff --git a/data_sources/windows_event_log_security_4727.yml b/data_sources/windows_event_log_security_4727.yml
index febbca6886..dbebb1a6e7 100644
--- a/data_sources/windows_event_log_security_4727.yml
+++ b/data_sources/windows_event_log_security_4727.yml
@@ -10,10 +10,17 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
output_fields:
- dest
-example_log: |-
- 4727001382600x8020000000000000183204880Securityar-win-dc.attackrange.localESX AdminsATTACKRANGEATTACKRANGE\ESX AdminsATTACKRANGE\AdministratoradministratorATTACKRANGE0xe32f0-ESX Admins-
+example_log: 4727001382600x8020000000000000183204880Securityar-win-dc.attackrange.localESX AdminsATTACKRANGEATTACKRANGE\ESX AdminsATTACKRANGE\AdministratoradministratorATTACKRANGE0xe32f0-ESX
+ Admins-
diff --git a/data_sources/windows_event_log_security_4728.yml b/data_sources/windows_event_log_security_4728.yml
index 2c8920ed1b..1edd4f4417 100644
--- a/data_sources/windows_event_log_security_4728.yml
+++ b/data_sources/windows_event_log_security_4728.yml
@@ -10,9 +10,9 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
output_fields:
- dest
-example_log: |
+example_log: ''
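Review bot: `example_log: ''` makes the missing sample explicit but still leaves the 4728 data source with no event to validate the declared fields against; the 4731, 4744, 4749, 4754, 4759, 4783 and 4790 hunks do the same. If the sample is intentionally absent, a comment above the key such as `# example_log: no sample event captured for this EventCode yet` would tell the next maintainer whether it is expected to be filled in. If a captured event exists, it should be added here in the same plain-scalar form the other data sources now use.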
diff --git a/data_sources/windows_event_log_security_4730.yml b/data_sources/windows_event_log_security_4730.yml
index 3899b6944c..428638d420 100644
--- a/data_sources/windows_event_log_security_4730.yml
+++ b/data_sources/windows_event_log_security_4730.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -101,5 +101,11 @@ fields:
- _time
output_fields:
- dest
-example_log: |-
- 4730001382600x8020000000000000183203591Securityar-win-dc.attackrange.localESX AdminsATTACKRANGES-1-5-21-560616516-1175754387-3922768235-4211ATTACKRANGE\AdministratoradministratorATTACKRANGE0xe32f0-
+example_log: 4730001382600x8020000000000000183203591Securityar-win-dc.attackrange.localESX AdminsATTACKRANGES-1-5-21-560616516-1175754387-3922768235-4211ATTACKRANGE\AdministratoradministratorATTACKRANGE0xe32f0-
diff --git a/data_sources/windows_event_log_security_4731.yml b/data_sources/windows_event_log_security_4731.yml
index 89caa888c7..407dacd28a 100644
--- a/data_sources/windows_event_log_security_4731.yml
+++ b/data_sources/windows_event_log_security_4731.yml
@@ -10,9 +10,9 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
output_fields:
- dest
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_security_4732.yml b/data_sources/windows_event_log_security_4732.yml
index bf5c72df2d..ad6aebf42b 100644
--- a/data_sources/windows_event_log_security_4732.yml
+++ b/data_sources/windows_event_log_security_4732.yml
@@ -3,8 +3,8 @@ id: b0d61c5d-aefe-486a-9152-de45cc10fbb4
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a member is added to a security-enabled local
- group on a Windows system.
+description: Logs an event when a member is added to a security-enabled local group
+ on a Windows system.
mitre_components:
- Group Modification
source: XmlWinEventLog:Security
@@ -14,7 +14,7 @@ separator_value: '4732'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Account_Domain
diff --git a/data_sources/windows_event_log_security_4737.yml b/data_sources/windows_event_log_security_4737.yml
index 7ebaab671a..89271bc02c 100644
--- a/data_sources/windows_event_log_security_4737.yml
+++ b/data_sources/windows_event_log_security_4737.yml
@@ -10,7 +10,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- CategoryString
- Channel
@@ -101,6 +101,12 @@ fields:
- _time
output_fields:
- dest
-example_log: |-
- 4737001382600x8020000000000000183186860Securityar-win-dc.attackrange.localESX AdminsATTACKRANGES-1-5-21-560616516-1175754387-3922768235-4211ATTACKRANGE\AdministratoradministratorATTACKRANGE0xe32f0---
-
+example_log: 4737001382600x8020000000000000183186860Securityar-win-dc.attackrange.localESX AdminsATTACKRANGES-1-5-21-560616516-1175754387-3922768235-4211ATTACKRANGE\AdministratoradministratorATTACKRANGE0xe32f0---
diff --git a/data_sources/windows_event_log_security_4738.yml b/data_sources/windows_event_log_security_4738.yml
index ce328187e1..3da0e0530e 100644
--- a/data_sources/windows_event_log_security_4738.yml
+++ b/data_sources/windows_event_log_security_4738.yml
@@ -3,8 +3,8 @@ id: cb85709b-101e-41a9-bb60-d2108f79dfbd
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a user account's properties, such as permissions
- or memberships, are modified on a Windows system.
+description: Logs an event when a user account's properties, such as permissions or
+ memberships, are modified on a Windows system.
mitre_components:
- User Account Modification
source: XmlWinEventLog:Security
@@ -14,7 +14,7 @@ separator_value: '4738'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- AccountExpires
@@ -122,26 +122,17 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4738001382400x80200000000000004738001382400x80200000000000006389713Securityar-win-dc.attackrange.local-unprivATTACKRANGES-1-5-21-945660386-2529346225-2932127451-1112S-1-5-21-945660386-2529346225-2932127451-500AdministratorATTACKRANGE0x54bb3a-----------------Securityar-win-dc.attackrange.local-unprivATTACKRANGES-1-5-21-945660386-2529346225-2932127451-1112S-1-5-21-945660386-2529346225-2932127451-500AdministratorATTACKRANGE0x54bb3a-----------------
diff --git a/data_sources/windows_event_log_security_4739.yml b/data_sources/windows_event_log_security_4739.yml
index 235407215b..287433b88e 100644
--- a/data_sources/windows_event_log_security_4739.yml
+++ b/data_sources/windows_event_log_security_4739.yml
@@ -3,8 +3,8 @@ id: c1e0442a-8a97-405d-baf2-057c5d68cd9a
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an event when a domain policy, such as account or lockout
- policy, is modified in Active Directory or local security settings.
+description: Logs an event when a domain policy, such as account or lockout policy,
+ is modified in Active Directory or local security settings.
mitre_components:
- Group Modification
- Active Directory Object Modification
@@ -15,7 +15,7 @@ separator_value: '4739'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Caller_Domain
@@ -110,25 +110,16 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4739001356900x80200000000000004739001356900x8020000000000000394176Securityar-win-dc.attackrange.localLockout PolicyATTACKRANGEATTACKRANGE\NT
- AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7----1--------Securityar-win-dc.attackrange.localLockout PolicyATTACKRANGEATTACKRANGE\NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7----1---------
diff --git a/data_sources/windows_event_log_security_4741.yml b/data_sources/windows_event_log_security_4741.yml
index 8adaeeadf8..3ca2ad1d9b 100644
--- a/data_sources/windows_event_log_security_4741.yml
+++ b/data_sources/windows_event_log_security_4741.yml
@@ -3,9 +3,8 @@ id: ef87257f-e7d1-4856-abae-097b2cfdcdb4
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs the creation of a new computer account in Active Directory,
- including details about the account name, domain, and the user performing the
- action.
+description: Logs the creation of a new computer account in Active Directory, including
+ details about the account name, domain, and the user performing the action.
mitre_components:
- Active Directory Object Creation
- User Account Metadata
@@ -18,7 +17,7 @@ separator_value: '4741'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- AccountExpires
@@ -124,25 +123,16 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4741001382500x80200000000000004741001382500x8020000000000000143475Securityar-win-dc.attackrange.localAR-WIN-2$ATTACKRANGEATTACKRANGE\AR-WIN-2$ATTACKRANGE\AdministratorAdministratorATTACKRANGE0xd9f04-AR-WIN-2$-------4/8/2024 6:48:04 PM%%1794515-0x00x80
+ ProcessID='636' ThreadID='1776'/>Securityar-win-dc.attackrange.localAR-WIN-2$ATTACKRANGEATTACKRANGE\AR-WIN-2$ATTACKRANGE\AdministratorAdministratorATTACKRANGE0xd9f04-AR-WIN-2$-------4/8/2024 6:48:04 PM%%1794515-0x00x80
diff --git a/data_sources/windows_event_log_security_4742.yml b/data_sources/windows_event_log_security_4742.yml
index f1ef64a396..40ed4e6904 100644
--- a/data_sources/windows_event_log_security_4742.yml
+++ b/data_sources/windows_event_log_security_4742.yml
@@ -3,9 +3,8 @@ id: ea830adf-5450-489a-bcdc-fb8d2cbe674c
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs changes to the properties of a computer account in Active
- Directory, including details about the modified attributes and the user
- performing the action.
+description: Logs changes to the properties of a computer account in Active Directory,
+ including details about the modified attributes and the user performing the action.
mitre_components:
- Active Directory Object Modification
- User Account Metadata
@@ -17,7 +16,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- AccountExpires
@@ -124,27 +123,17 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4742001382500x80200000000000004742001382500x8020000000000000901860Securitywin-dc-root-04195-428.attackrange.local-WIN-HOST-ROOT-0$ATTACKRANGES-1-5-21-199921393-3534762603-6736986-1111S-1-5-21-199921393-3534762603-6736986-500AdministratorATTACKRANGE0x177304-----------------
+ ProcessID='636' ThreadID='2340'/>Securitywin-dc-root-04195-428.attackrange.local-WIN-HOST-ROOT-0$ATTACKRANGES-1-5-21-199921393-3534762603-6736986-1111S-1-5-21-199921393-3534762603-6736986-500AdministratorATTACKRANGE0x177304-----------------
diff --git a/data_sources/windows_event_log_security_4744.yml b/data_sources/windows_event_log_security_4744.yml
index ad6548dc61..0fe4187ee4 100644
--- a/data_sources/windows_event_log_security_4744.yml
+++ b/data_sources/windows_event_log_security_4744.yml
@@ -10,9 +10,9 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
output_fields:
- dest
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_security_4749.yml b/data_sources/windows_event_log_security_4749.yml
index 32a3440a35..29c81257bb 100644
--- a/data_sources/windows_event_log_security_4749.yml
+++ b/data_sources/windows_event_log_security_4749.yml
@@ -10,9 +10,9 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
output_fields:
- dest
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_security_4754.yml b/data_sources/windows_event_log_security_4754.yml
index 6b78bd5cc6..02cd403853 100644
--- a/data_sources/windows_event_log_security_4754.yml
+++ b/data_sources/windows_event_log_security_4754.yml
@@ -10,9 +10,9 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
output_fields:
- dest
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_security_4759.yml b/data_sources/windows_event_log_security_4759.yml
index f5fe2f96a7..ebf0b44338 100644
--- a/data_sources/windows_event_log_security_4759.yml
+++ b/data_sources/windows_event_log_security_4759.yml
@@ -10,9 +10,9 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
output_fields:
- dest
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_security_4768.yml b/data_sources/windows_event_log_security_4768.yml
index 472fd147bd..404363568e 100644
--- a/data_sources/windows_event_log_security_4768.yml
+++ b/data_sources/windows_event_log_security_4768.yml
@@ -3,8 +3,8 @@ id: 4a5fd6ed-66bd-4f34-bc74-51c00c73c298
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs Kerberos pre-authentication requests, including details about
- the user account, authentication type, and client IP address.
+description: Logs Kerberos pre-authentication requests, including details about the
+ user account, authentication type, and client IP address.
mitre_components:
- User Account Authentication
- Active Directory Credential Request
@@ -17,7 +17,7 @@ separator_value: '4768'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
@@ -104,20 +104,13 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4768001433900x80100000000000004768001433900x8010000000000000391562Securitywin-dc-mvelazco-02713-392.attackrange.localRXETPKZHattackrange.localNULL
- SIDkrbtgt/attackrange.localNULL SID0x408100100x120xffffffff-::ffff:10.0.1.1564568
+ ProcessID='644' ThreadID='3500'/>Securitywin-dc-mvelazco-02713-392.attackrange.localRXETPKZHattackrange.localNULL SIDkrbtgt/attackrange.localNULL SID0x408100100x120xffffffff-::ffff:10.0.1.1564568
diff --git a/data_sources/windows_event_log_security_4769.yml b/data_sources/windows_event_log_security_4769.yml
index d6fe5aebd1..25bbb2a046 100644
--- a/data_sources/windows_event_log_security_4769.yml
+++ b/data_sources/windows_event_log_security_4769.yml
@@ -3,8 +3,8 @@ id: 358d5520-f40b-4fa2-b799-966c030cb731
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs Kerberos service ticket requests, including details about the
- requesting user, target service, and client IP address.
+description: Logs Kerberos service ticket requests, including details about the requesting
+ user, target service, and client IP address.
mitre_components:
- Active Directory Credential Request
- User Account Authentication
@@ -17,7 +17,7 @@ separator_value: '4769'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
@@ -104,20 +104,12 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4769001433700x80200000000000004769001433700x8020000000000000148521Securityar-win-dc.attackrange.localAR-WIN-2$@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-2$ATTACKRANGE\AR-WIN-2$0x408100000x17::ffff:10.0.1.15591910x0{3b4ad75b-7184-6094-b975-ea3f91932ee0}-
+ ProcessID='636' ThreadID='1776'/>Securityar-win-dc.attackrange.localAR-WIN-2$@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-2$ATTACKRANGE\AR-WIN-2$0x408100000x17::ffff:10.0.1.15591910x0{3b4ad75b-7184-6094-b975-ea3f91932ee0}-
diff --git a/data_sources/windows_event_log_security_4771.yml b/data_sources/windows_event_log_security_4771.yml
index e7c0d018b8..cf9fba2294 100644
--- a/data_sources/windows_event_log_security_4771.yml
+++ b/data_sources/windows_event_log_security_4771.yml
@@ -3,8 +3,8 @@ id: 418debbb-adf3-48ec-9efd-59d45f8861e5
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs failed Kerberos pre-authentication attempts, including details
- about the user account, client IP, and failure reason.
+description: Logs failed Kerberos pre-authentication attempts, including details about
+ the user account, client IP, and failure reason.
mitre_components:
- User Account Authentication
- Logon Session Metadata
@@ -17,7 +17,7 @@ separator_value: '4771'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
@@ -98,18 +98,12 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4771001433900x80100000000000004771001433900x8010000000000000391511Securitywin-dc-mvelazco-02713-392.attackrange.localALLISON_WATERSATTACKRANGE\ALLISON_WATERSkrbtgt/attackrange.local0x408100100x182::ffff:10.0.1.1564134Securitywin-dc-mvelazco-02713-392.attackrange.localALLISON_WATERSATTACKRANGE\ALLISON_WATERSkrbtgt/attackrange.local0x408100100x182::ffff:10.0.1.1564134
diff --git a/data_sources/windows_event_log_security_4776.yml b/data_sources/windows_event_log_security_4776.yml
index df56eeac49..f693af90eb 100644
--- a/data_sources/windows_event_log_security_4776.yml
+++ b/data_sources/windows_event_log_security_4776.yml
@@ -3,8 +3,8 @@ id: 1da9092a-c795-4a26-ace8-d43855524e96
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs NTLM authentication attempts, including details about the
- account name, authentication status, and the originating workstation.
+description: Logs NTLM authentication attempts, including details about the account
+ name, authentication status, and the originating workstation.
mitre_components:
- User Account Authentication
- Logon Session Metadata
@@ -17,7 +17,7 @@ separator_value: '4776'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
@@ -89,14 +89,9 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4776001433600x80100000000000004776001433600x8010000000000000391615Securitywin-dc-mvelazco-02713-392.attackrange.localMICROSOFT_AUTHENTICATION_PACKAGE_V1_0KSYLEFUAWIN-HOST-MVELAZ0xc0000064
+ ProcessID='644' ThreadID='6100'/>Securitywin-dc-mvelazco-02713-392.attackrange.localMICROSOFT_AUTHENTICATION_PACKAGE_V1_0KSYLEFUAWIN-HOST-MVELAZ0xc0000064
diff --git a/data_sources/windows_event_log_security_4781.yml b/data_sources/windows_event_log_security_4781.yml
index 5a3efc1484..da66a258c7 100644
--- a/data_sources/windows_event_log_security_4781.yml
+++ b/data_sources/windows_event_log_security_4781.yml
@@ -3,8 +3,8 @@ id: 9732ffe7-ebce-4557-865c-1725a0f633cb
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs changes made to the name of a computer account, including the
- old and new names and the user performing the action.
+description: Logs changes made to the name of a computer account, including the old
+ and new names and the user performing the action.
mitre_components:
- User Account Modification
- User Account Metadata
@@ -17,7 +17,7 @@ separator_value: '4781'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -106,20 +106,13 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4781001382400x80200000000000004781001382400x8020000000000000148763Securityar-win-dc.attackrange.localAR-WIN-2$AdministratorATTACKRANGEATTACKRANGE\AR-WIN-2$ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x141a04AR-WIN-2$AdministratorATTACKRANGEATTACKRANGE\AR-WIN-2$ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x141a04-
diff --git a/data_sources/windows_event_log_security_4783.yml b/data_sources/windows_event_log_security_4783.yml
index e4482fc78e..ecc895d221 100644
--- a/data_sources/windows_event_log_security_4783.yml
+++ b/data_sources/windows_event_log_security_4783.yml
@@ -10,9 +10,9 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
output_fields:
- dest
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_security_4790.yml b/data_sources/windows_event_log_security_4790.yml
index e9338d4295..7a918ca7ed 100644
--- a/data_sources/windows_event_log_security_4790.yml
+++ b/data_sources/windows_event_log_security_4790.yml
@@ -10,9 +10,9 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
output_fields:
- dest
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_security_4794.yml b/data_sources/windows_event_log_security_4794.yml
index 4366c4ab8d..08ae128bf0 100644
--- a/data_sources/windows_event_log_security_4794.yml
+++ b/data_sources/windows_event_log_security_4794.yml
@@ -3,9 +3,8 @@ id: ec7da74f-274a-4bde-aa0e-15c68aca0426
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs attempts to set the Directory Services Restore Mode (DSRM)
- administrator password, including details about the account name and the user
- performing the action.
+description: Logs attempts to set the Directory Services Restore Mode (DSRM) administrator
+ password, including details about the account name and the user performing the action.
mitre_components:
- User Account Modification
- User Account Metadata
@@ -14,11 +13,11 @@ mitre_components:
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
separator: EventCode
-separator_value:
+separator_value: null
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
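Review bot: `separator_value: null` only makes the empty value explicit; the file still declares `separator: EventCode` with nothing to match on, while the sibling data sources carry a quoted value (`separator_value: '4703'`, `'4719'` and so on in their hunk headers) and the other EventCode-separated files such as 4727 omit the key entirely. Since the sample event in this file's last hunk is a 4794 event, the intended line is presumably `separator_value: '4794'`; if the field is deliberately unset, dropping the key would match the other `separator: EventCode` files. This is inferred from the hunk context lines, so it is worth confirming against the schema the consuming tool expects.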
@@ -98,17 +97,11 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4794001382400x80200000000000004794001382400x8020000000000000821077Securitywin-dc-root-17044-552.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x959c5[fe80::b907:7694:d740:91bb]0x0
+ Name='SubjectUserSid'>ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x959c5[fe80::b907:7694:d740:91bb]0x0
diff --git a/data_sources/windows_event_log_security_4798.yml b/data_sources/windows_event_log_security_4798.yml
index 4cbc0eb54b..7cc95537f6 100644
--- a/data_sources/windows_event_log_security_4798.yml
+++ b/data_sources/windows_event_log_security_4798.yml
@@ -3,9 +3,8 @@ id: 29e97f72-eb2e-400e-b0c9-81277547e43b
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs an enumeration of local group membership on a system,
- including details about the groups queried and the account performing the
- action.
+description: Logs an enumeration of local group membership on a system, including
+ details about the groups queried and the account performing the action.
mitre_components:
- Group Enumeration
- Group Metadata
@@ -17,7 +16,7 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -96,20 +95,13 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4798001382400x80200000000000004798001382400x8020000000000000386860Securityar-win-2.attackrange.localGuestAR-WIN-2AR-WIN-2\GuestAR-WIN-2\AdministratorAdministratorAR-WIN-20x2f4df40x1590GuestAR-WIN-2AR-WIN-2\GuestAR-WIN-2\AdministratorAdministratorAR-WIN-20x2f4df40x1590C:\Windows\ImmersiveControlPanel\telegram\telegram.exe
diff --git a/data_sources/windows_event_log_security_4876.yml b/data_sources/windows_event_log_security_4876.yml
index 0cc861ed56..bcc5d630ed 100644
--- a/data_sources/windows_event_log_security_4876.yml
+++ b/data_sources/windows_event_log_security_4876.yml
@@ -3,8 +3,8 @@ id: 4a78722a-9cd9-44e8-b010-dffad5c7f170
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs the result of a cryptographic operation, including details
- about the key, algorithm used, and whether the operation succeeded or failed.
+description: Logs the result of a cryptographic operation, including details about
+ the key, algorithm used, and whether the operation succeeded or failed.
mitre_components:
- Certificate Registration
- User Account Metadata
@@ -17,7 +17,7 @@ separator_value: '4876'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -90,16 +90,11 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4876001280500x80200000000000004876001280500x802000000000000015379961Securitywin-dc-mhaag-attack-range-84.attackrange.local1S-1-5-21-2690122726-1172718210-436210976-500administratorATTACKRANGE1S-1-5-21-2690122726-1172718210-436210976-500administratorATTACKRANGE0xeb075
diff --git a/data_sources/windows_event_log_security_4886.yml b/data_sources/windows_event_log_security_4886.yml
index b6358b7e7e..fc9d31ec3b 100644
--- a/data_sources/windows_event_log_security_4886.yml
+++ b/data_sources/windows_event_log_security_4886.yml
@@ -3,8 +3,8 @@ id: c5abd97d-b468-451f-bd65-b4f97efa4ecc
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of a cryptographic key container, including
- details about the key container name and the user performing the action.
+description: Logs the deletion of a cryptographic key container, including details
+ about the key container name and the user performing the action.
mitre_components:
- Certificate Registration
- User Account Metadata
@@ -17,7 +17,7 @@ separator_value: '4886'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -82,13 +82,10 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4886001280500x80200000000000004886001280500x802000000000000015379925Securitywin-dc-mhaag-attack-range-84.attackrange.local7ATTACKRANGE\administrator
+ Name='RequestId'>7ATTACKRANGE\administrator
diff --git a/data_sources/windows_event_log_security_4887.yml b/data_sources/windows_event_log_security_4887.yml
index e59d387c89..583b07055f 100644
--- a/data_sources/windows_event_log_security_4887.yml
+++ b/data_sources/windows_event_log_security_4887.yml
@@ -3,8 +3,8 @@ id: 994c7b19-a623-4231-9818-f00e453b9a75
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs cryptographic operations performed by a Windows system,
- including details about the certificate or key used and the operation type.
+description: Logs cryptographic operations performed by a Windows system, including
+ details about the certificate or key used and the operation type.
mitre_components:
- Certificate Registration
- User Account Metadata
@@ -17,7 +17,7 @@ separator_value: '4887'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -85,14 +85,10 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 4887001280500x80200000000000004887001280500x80200000000000001830974609Securitycert_authority.attack_range.local7attack_range\attack_user7attack_range\attack_userCertificateTemplate:VulnerableTemplate_ESC1
diff --git a/data_sources/windows_event_log_security_4946.yml b/data_sources/windows_event_log_security_4946.yml
index 31d304b4df..5dbf63ea52 100644
--- a/data_sources/windows_event_log_security_4946.yml
+++ b/data_sources/windows_event_log_security_4946.yml
@@ -11,7 +11,7 @@ separator_value: '4946'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- EventID
@@ -22,16 +22,12 @@ fields:
- ProfileChanged
- RuleName
- RuleId
-example_log: 4946001357100x80200000000000004946001357100x8020000000000000893174Securityar-win-dc.attackrange.localAll{2B6C38C7-0EBB-4010-80E5-45BF5F2CB8DD}All{2B6C38C7-0EBB-4010-80E5-45BF5F2CB8DD}Allow Dummy Rule
output_fields:
- RuleName
diff --git a/data_sources/windows_event_log_security_4947.yml b/data_sources/windows_event_log_security_4947.yml
index f871e0eba8..a81935884b 100644
--- a/data_sources/windows_event_log_security_4947.yml
+++ b/data_sources/windows_event_log_security_4947.yml
@@ -11,7 +11,7 @@ separator_value: '4947'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- EventID
@@ -22,16 +22,12 @@ fields:
- ProfileChanged
- RuleName
- RuleId
-example_log: 4947001357100x80200000000000004947001357100x8020000000000000893175Securityar-win-dc.attackrange.localAll{2B6C38C7-0EBB-4010-80E5-45BF5F2CB8DD}All{2B6C38C7-0EBB-4010-80E5-45BF5F2CB8DD}Allow Dummy Rules
output_fields:
- RuleName
diff --git a/data_sources/windows_event_log_security_4948.yml b/data_sources/windows_event_log_security_4948.yml
index 2bcca90156..8f6b2bff98 100644
--- a/data_sources/windows_event_log_security_4948.yml
+++ b/data_sources/windows_event_log_security_4948.yml
@@ -11,7 +11,7 @@ separator_value: '4948'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- EventID
@@ -22,16 +22,12 @@ fields:
- ProfileChanged
- RuleName
- RuleId
-example_log: 4948001357100x80200000000000004948001357100x8020000000000000893173Securityar-win-dc.attackrange.localAll{0A93EF88-A0FE-4A77-A5DD-4E46A51A2E2E}All{0A93EF88-A0FE-4A77-A5DD-4E46A51A2E2E}Allow Dummy Rule
output_fields:
- RuleName
diff --git a/data_sources/windows_event_log_security_5136.yml b/data_sources/windows_event_log_security_5136.yml
index 2a0ec4bd3b..553257a7eb 100644
--- a/data_sources/windows_event_log_security_5136.yml
+++ b/data_sources/windows_event_log_security_5136.yml
@@ -3,8 +3,8 @@ id: 7ba3737e-231e-455d-824e-cd077749f835
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs modifications made to an Active Directory object, including
- details about the object name, type, and the changes applied.
+description: Logs modifications made to an Active Directory object, including details
+ about the object name, type, and the changes applied.
mitre_components:
- Active Directory Object Modification
- Active Directory Object Access
@@ -17,7 +17,7 @@ separator_value: '5136'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -100,25 +100,15 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 5136001408100x80200000000000005136001408100x80200000000000001997365Securitywin-dc-mvelazco-02713-392.attackrange.local{73C96723-504B-4F15-830A-F4DDB1C48F2E}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x95675attackrange.local%%14676CN=DANNIE_CERVANTES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local{15AFB68A-679C-4F5B-AC18-4D988B3B3E44}userservicePrincipalName2.5.5.12adm/srv1.attackrange.local%%14674
+ Name='OpCorrelationID'>{73C96723-504B-4F15-830A-F4DDB1C48F2E}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x95675attackrange.local%%14676CN=DANNIE_CERVANTES,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local{15AFB68A-679C-4F5B-AC18-4D988B3B3E44}userservicePrincipalName2.5.5.12adm/srv1.attackrange.local%%14674
diff --git a/data_sources/windows_event_log_security_5137.yml b/data_sources/windows_event_log_security_5137.yml
index 3b3550d5f1..1ee4fdffdc 100644
--- a/data_sources/windows_event_log_security_5137.yml
+++ b/data_sources/windows_event_log_security_5137.yml
@@ -3,8 +3,8 @@ id: 64ed7bb1-9c3c-4355-ac08-b506ec3b053e
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs the creation of a new Active Directory object, including
- details about the object name, type, and the user performing the action.
+description: Logs the creation of a new Active Directory object, including details
+ about the object name, type, and the user performing the action.
mitre_components:
- Active Directory Object Creation
- Active Directory Object Modification
@@ -17,7 +17,7 @@ separator_value: '5137'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- AppCorrelationID
@@ -95,20 +95,12 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 5137001408100x80200000000000005137001408100x8020000000000000170140Securityar-win-dc.attackrange.local{681cac8c-b5a4-48fd-be93-4339996bd94d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainer
+ ProcessID='612' ThreadID='736'/>Securityar-win-dc.attackrange.local{681cac8c-b5a4-48fd-be93-4339996bd94d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainer
diff --git a/data_sources/windows_event_log_security_5140.yml b/data_sources/windows_event_log_security_5140.yml
index 03d93bea1d..713dcd5a0c 100644
--- a/data_sources/windows_event_log_security_5140.yml
+++ b/data_sources/windows_event_log_security_5140.yml
@@ -3,8 +3,8 @@ id: 93e0ca09-e4b8-4da6-872a-d0127c4d2b22
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs access to a network share, including details about the user,
- share path, and the access type.
+description: Logs access to a network share, including details about the user, share
+ path, and the access type.
mitre_components:
- Network Share Access
- File Access
@@ -17,7 +17,7 @@ separator_value: '5140'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- AccessList
@@ -115,17 +115,12 @@ field_mappings:
SubjectUserName: actor.user.name
SubjectLogonId: actor.session.uid
SubjectUserSid: actor.user.uid
-example_log: 5140101280800x80200000000000005140101280800x8020000000000000138541Securityar-win-66.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x2f259bFile10.0.1.1649864\\*\IPC$0x1%%4416
+ ProcessID='4' ThreadID='3792'/>Securityar-win-66.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x2f259bFile10.0.1.1649864\\*\IPC$0x1%%4416
diff --git a/data_sources/windows_event_log_security_5141.yml b/data_sources/windows_event_log_security_5141.yml
index 5b31b3f074..f12214f322 100644
--- a/data_sources/windows_event_log_security_5141.yml
+++ b/data_sources/windows_event_log_security_5141.yml
@@ -3,8 +3,8 @@ id: eafb35fa-f034-4be3-8508-d9173a73c0a1
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of an Active Directory object, including details
- about the object name, type, and the user performing the action.
+description: Logs the deletion of an Active Directory object, including details about
+ the object name, type, and the user performing the action.
mitre_components:
- Active Directory Object Deletion
- Active Directory Object Modification
@@ -17,7 +17,7 @@ separator_value: '5141'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActivityID
@@ -96,23 +96,15 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 5141001408100x80200000000000005141001408100x8020000000000000670908Securitywin-dc-range-02713-392.attackrange.local{A3058236-A662-445E-9BEB-DE9210B143AB}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x978ac22attackrange.local%%14676CN=NTDS
+ Name='OpCorrelationID'>{A3058236-A662-445E-9BEB-DE9210B143AB}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x978ac22attackrange.local%%14676CN=NTDS
Settings,CN=WIN-HOST-ROGUE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=attackrange,DC=local{48387E55-8777-403F-BC63-2A38289A6BBF}nTDSDSA{48387E55-8777-403F-BC63-2A38289A6BBF}nTDSDSA%%14679
diff --git a/data_sources/windows_event_log_security_5145.yml b/data_sources/windows_event_log_security_5145.yml
index e080f43136..a98255705f 100644
--- a/data_sources/windows_event_log_security_5145.yml
+++ b/data_sources/windows_event_log_security_5145.yml
@@ -3,8 +3,8 @@ id: 0746479b-7b82-4d7e-8811-0b35da00f798
version: 4
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs detailed information about access to a network share,
- including the user, share path, accessed file, and access permissions.
+description: Logs detailed information about access to a network share, including
+ the user, share path, accessed file, and access permissions.
mitre_components:
- Network Share Access
- File Access
@@ -17,7 +17,7 @@ separator_value: '5145'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- AccessList
@@ -137,19 +137,13 @@ field_mappings:
SubjectUserSid: actor.user.uid
ShareName: share
Computer: device.hostname
-example_log: 5145001281100x80200000000000005145001281100x80200000000000002018939Securityar-win-dc.attackrange.localANONYMOUS LOGONANONYMOUS LOGONATTACKRANGE0x13ef1bFile10.0.1.1550160\\*\SYSVOL\??\C:\Windows\SYSVOL\sysvollsarpc0x120089%%1538
+ ProcessID='4' ThreadID='304'/>Securityar-win-dc.attackrange.localANONYMOUS LOGONANONYMOUS
+ LOGONATTACKRANGE0x13ef1bFile10.0.1.1550160\\*\SYSVOL\??\C:\Windows\SYSVOL\sysvollsarpc0x120089%%1538
diff --git a/data_sources/windows_event_log_system_104.yml b/data_sources/windows_event_log_system_104.yml
index cbe5b6adc5..0cf5127bf2 100644
--- a/data_sources/windows_event_log_system_104.yml
+++ b/data_sources/windows_event_log_system_104.yml
@@ -10,9 +10,9 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
output_fields:
- dest
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_event_log_system_4720.yml b/data_sources/windows_event_log_system_4720.yml
index ff428bcbc8..af7e303e7b 100644
--- a/data_sources/windows_event_log_system_4720.yml
+++ b/data_sources/windows_event_log_system_4720.yml
@@ -3,8 +3,8 @@ id: f01d4758-05c8-4ac4-a9a5-33500dd5eb6c
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs the creation of a new user account, including details about
- the account name, associated domain, and the account performing the action.
+description: Logs the creation of a new user account, including details about the
+ account name, associated domain, and the account performing the action.
mitre_components:
- User Account Creation
- User Account Metadata
@@ -17,7 +17,7 @@ separator_value: '4720'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Account_Domain
diff --git a/data_sources/windows_event_log_system_4726.yml b/data_sources/windows_event_log_system_4726.yml
index bdad31d586..c228d22905 100644
--- a/data_sources/windows_event_log_system_4726.yml
+++ b/data_sources/windows_event_log_system_4726.yml
@@ -3,8 +3,8 @@ id: 05e6b2df-b50e-441b-8ac8-565f2e80d62f
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs the deletion of a user account, including details about the
- account name, associated domain, and the account performing the action.
+description: Logs the deletion of a user account, including details about the account
+ name, associated domain, and the account performing the action.
mitre_components:
- User Account Deletion
- User Account Metadata
@@ -17,7 +17,7 @@ separator_value: '4726'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Account_Domain
diff --git a/data_sources/windows_event_log_system_4728.yml b/data_sources/windows_event_log_system_4728.yml
index 9173156cbf..0b992e7831 100644
--- a/data_sources/windows_event_log_system_4728.yml
+++ b/data_sources/windows_event_log_system_4728.yml
@@ -3,8 +3,8 @@ id: 4549f0ac-3df9-4bfb-bea5-1459690c8040
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs the addition of a user to a security-enabled group, including
- details about the group name, user account, and associated domain.
+description: Logs the addition of a user to a security-enabled group, including details
+ about the group name, user account, and associated domain.
mitre_components:
- Group Modification
- Group Metadata
@@ -17,7 +17,7 @@ separator_value: '4728'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Account_Domain
diff --git a/data_sources/windows_event_log_system_7036.yml b/data_sources/windows_event_log_system_7036.yml
index 0774b03967..1f79b9bfe7 100644
--- a/data_sources/windows_event_log_system_7036.yml
+++ b/data_sources/windows_event_log_system_7036.yml
@@ -3,8 +3,8 @@ id: a6e9b34f-1507-4fa1-a4ba-684d1b676a34
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs state changes of a Windows service, including details about
- the service name and its new state (e.g., started or stopped).
+description: Logs state changes of a Windows service, including details about the
+ service name and its new state (e.g., started or stopped).
mitre_components:
- Service Metadata
- OS API Execution
@@ -17,7 +17,7 @@ separator_value: '7036'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
@@ -77,13 +77,9 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 703604000x8080000000000000703604000x8080000000000000168530Systemar-win-dc.attackrange.localsppsvcstopped7300700070007300760063002F0031000000
+ ProcessID='588' ThreadID='2272'/>Systemar-win-dc.attackrange.localsppsvcstopped7300700070007300760063002F0031000000
diff --git a/data_sources/windows_event_log_system_7040.yml b/data_sources/windows_event_log_system_7040.yml
index 6f9d5b2b29..26c3a093f3 100644
--- a/data_sources/windows_event_log_system_7040.yml
+++ b/data_sources/windows_event_log_system_7040.yml
@@ -3,8 +3,8 @@ id: 91738e9e-d112-41c9-b91b-e5868d8993d9
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs changes to the start type of a Windows service, including
- details about the service name, old start type, and new start type.
+description: Logs changes to the start type of a Windows service, including details
+ about the service name, old start type, and new start type.
mitre_components:
- Service Modification
- Service Metadata
@@ -17,7 +17,7 @@ separator_value: '7040'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- Channel
@@ -81,15 +81,11 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 704004000x8080000000000000704004000x8080000000000000168231Systemar-win-dc.attackrange.localSystemar-win-dc.attackrange.localPrint Spoolerdemand startdisabledPrint Spoolerdemand startdisabledSpooler
diff --git a/data_sources/windows_event_log_system_7045.yml b/data_sources/windows_event_log_system_7045.yml
index de4c28ed41..9106f5599b 100644
--- a/data_sources/windows_event_log_system_7045.yml
+++ b/data_sources/windows_event_log_system_7045.yml
@@ -3,8 +3,8 @@ id: 614dedc8-8a14-4393-ba9b-6f093cbcd293
version: 3
date: '2025-07-10'
author: Patrick Bareiss, Splunk
-description: Logs the successful installation of a new Windows service,
- including details about the service name, executable path, and service type.
+description: Logs the successful installation of a new Windows service, including
+ details about the service name, executable path, and service type.
mitre_components:
- Service Creation
- Service Metadata
@@ -17,7 +17,7 @@ separator_value: '7045'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- AccountName
@@ -81,14 +81,11 @@ fields:
- vendor_product
output_fields:
- dest
-example_log: 704504000x8080000000000000704504000x8080000000000000168145Systemar-win-dc.attackrange.localSystemar-win-dc.attackrange.localKrbSCMpowershell.exe
- -WindowStyle Hiddenestno'
+ Name='ServiceName'>KrbSCMpowershell.exe -WindowStyle
+ Hiddenestno'
diff --git a/data_sources/windows_event_log_taskscheduler_200.yml b/data_sources/windows_event_log_taskscheduler_200.yml
index 21abff2e24..b597b5bfa5 100644
--- a/data_sources/windows_event_log_taskscheduler_200.yml
+++ b/data_sources/windows_event_log_taskscheduler_200.yml
@@ -17,7 +17,7 @@ separator_value: '200'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ActionName
diff --git a/data_sources/windows_event_log_taskscheduler_201.yml b/data_sources/windows_event_log_taskscheduler_201.yml
index 3767416bf1..7fcff851fe 100644
--- a/data_sources/windows_event_log_taskscheduler_201.yml
+++ b/data_sources/windows_event_log_taskscheduler_201.yml
@@ -10,9 +10,9 @@ separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
output_fields:
- dest
-example_log: |
+example_log: ''
diff --git a/data_sources/windows_iis.yml b/data_sources/windows_iis.yml
index b1e3d0539e..0a2a6f093f 100644
--- a/data_sources/windows_iis.yml
+++ b/data_sources/windows_iis.yml
@@ -16,4 +16,4 @@ separator: EventID
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
diff --git a/data_sources/windows_iis_29.yml b/data_sources/windows_iis_29.yml
index 7eeb8eeb79..c7dbce8de5 100644
--- a/data_sources/windows_iis_29.yml
+++ b/data_sources/windows_iis_29.yml
@@ -17,7 +17,7 @@ separator_value: '29'
supported_TA:
- name: Splunk Add-on for Microsoft Windows
url: https://splunkbase.splunk.com/app/742
- version: 9.0.1
+ version: 9.1.0
fields:
- _time
- ComputerName