title: Splunk used in Falcon Portal
order: 20
backends:
  - crowdstrike
logsources:
  windows-sysmon:
    product: windows
    service: sysmon
    conditions:
      EventID: 1
  process_creation_1:
    category: process_creation
    product: windows

fieldmappings:
  EventID: EventID
  CommandLine: Commandline
  Command_Line: Commandline
  cmdline: Commandline
  Image: ImageFileName
  TargetFilename: TargetFilename
  image: ImageFileName
  image_path: ImageFileName
  OriginalFileName: ImageFileName
  sha1: SHA1HashData
  user: UserName
  TaskName: TaskName
  ParentImage: ParentBaseFileName
  parent_image: ParentBaseFileName
  ServiceName: ServiceName