update: windows event log macros

Author: nasbench

macros/ms_defender.yml

@@ -1,4 +1,4 @@
-definition: source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" 
+definition: (source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" OR source="XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational")
 description: customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: ms_defender

macros/powershell.yml

@@ -1,4 +1,4 @@
-definition: (source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational")
+definition: (source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" OR source=WinEventLog:PowerShellCore/Operational OR source="XmlWinEventLog:PowerShellCore/Operational")
 description: customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: powershell

macros/printservice.yml

@@ -1,4 +1,4 @@
-definition: source="wineventlog:microsoft-windows-printservice/operational" OR source="WinEventLog:Microsoft-Windows-PrintService/Admin"
+definition: (source="Wineventlog:microsoft-windows-printservice/operational" OR source="XmlWineventlog:microsoft-windows-printservice/operational" OR source="WinEventLog:Microsoft-Windows-PrintService/Admin" OR source="XmlWinEventLog:Microsoft-Windows-PrintService/Admin")
 description: customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: printservice

macros/remoteconnectionmanager.yml

@@ -1,4 +1,4 @@
-definition: source="WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
+definition: (source="WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" OR source="XmlWinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational")
 description: customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: remoteconnectionmanager

macros/sysmon.yml

@@ -1,4 +1,4 @@
-definition: sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational
+definition: (source=WinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=Syslog:Linux-Sysmon/Operational)
 description: customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: sysmon

macros/wineventlog_application.yml

@@ -1,4 +1,4 @@
-definition: eventtype=wineventlog_application OR source="XmlWinEventLog:Application"
+definition: eventtype="wineventlog_application" OR Channel="application" OR source="XmlWinEventLog:Application" OR source="WinEventLog:Application"
 description: customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: wineventlog_application

macros/wineventlog_rdp.yml

@@ -1,4 +1,4 @@
-definition: source="WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational"
+definition: (source="WinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational" OR source="XmlWinEventLog:Microsoft-Windows-TerminalServices-RDPClient/Operational")
 description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environmnent.
+  Replace the macro definition with configurations for your Splunk environment.
 name: wineventlog_rdp

macros/wineventlog_security.yml

@@ -1,4 +1,4 @@
-definition: eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security
+definition: eventtype="wineventlog_security" OR Channel="security" OR source="XmlWinEventLog:Security" OR source="WinEventLog:Security"
 description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environment.
+  Replace the macro definition with configurations for your Splunk environment.
 name: wineventlog_security

macros/wineventlog_system.yml

@@ -1,4 +1,4 @@
-definition: eventtype=wineventlog_system
+definition: eventtype="wineventlog_system" OR Channel="system" OR source="XmlWinEventLog:System" OR source="WinEventLog:System"
 description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environment.
+  Replace the macro definition with configurations for your Splunk environment.
 name: wineventlog_system

macros/wineventlog_task_scheduler.yml

@@ -1,4 +1,4 @@
 definition: (source="XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational" OR source="WinEventLog:Microsoft-Windows-TaskScheduler/Operational")
 description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environment.
+  Replace the macro definition with configurations for your Splunk environment.
 name: wineventlog_task_scheduler

macros/wmi.yml

@@ -1,4 +1,4 @@
-definition: sourcetype="wineventlog:microsoft-windows-wmi-activity/operational"
+definition: (source="WinEventLog:Microsoft-Windows-WMI-Activity/Operational" OR source="XmlWinEventLog:Microsoft-Windows-WMI-Activity/Operational")
 description: customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: wmi