Merge pull request #75 from hyuunnn/master

fix maps
EricZimmerman · Dec 27, 2020 · 24bf675 · 24bf675
2 parents 922c5d9 + c425d3f
commit 24bf675
Show file tree

Hide file tree

Showing 9 changed files with 16 additions and 15 deletions.
diff --git a/evtx/Maps/Application_Application-Hang_1002.map b/evtx/Maps/Application_Application-Hang_1002.map
@@ -10,7 +10,7 @@ Maps:
     Values:
       -
         Name: Data
-        Value: "/Event/EventData/Data[text()]"
+        Value: "/Event/EventData/Data"
 
 # Documentation:
 # https://www.manageengine.com/products/eventlog/kb/event-1002-application-hang-error-help.html

diff --git a/evtx/Maps/Application_MsiInstaller_10002.map b/evtx/Maps/Application_MsiInstaller_10002.map
@@ -24,7 +24,7 @@ Maps:
     Values:
       -
         Name: Files
-        Value: "/Event/UserData/RmApplicationEvent/Files/File[text()]"
+        Value: "/Event/UserData/RmApplicationEvent/Files/File"
 
 # Documentation:
 # https://kb.eventtracker.com/evtpass/evtpages/EventId_10002_Microsoft-Windows-RestartManager_62090.asp

diff --git a/evtx/Maps/Application_MsiInstaller_1033.map b/evtx/Maps/Application_MsiInstaller_1033.map
@@ -10,7 +10,7 @@ Maps:
     Values:
       -
         Name: Data
-        Value: "/Event/EventData/Data[text()]"
+        Value: "/Event/EventData/Data"
 
 # Documentation:
 # https://kb.eventtracker.com/evtpass/evtpages/EventId_1033_MsiInstaller_63308.asp

diff --git a/evtx/Maps/Application_MsiInstaller_1034.map b/evtx/Maps/Application_MsiInstaller_1034.map
@@ -10,7 +10,7 @@ Maps:
     Values:
       -
         Name: Data
-        Value: "/Event/EventData/Data[text()]"
+        Value: "/Event/EventData/Data"
 
 # Documentation:
 # https://kb.eventtracker.com/evtpass/evtpages/EventId_1034_MsiInstaller_63315.asp

diff --git a/evtx/Maps/Application_MsiInstaller_11707.map b/evtx/Maps/Application_MsiInstaller_11707.map
@@ -6,11 +6,11 @@ Provider: "MsiInstaller"
 Maps:
   -
     Property: PayloadData1
-    PropertyValue: "Data: %Data%"
+    PropertyValue: "%Data%"
     Values:
       -
         Name: Data
-        Value: "/Event/EventData/Data[1]"
+        Value: "/Event/EventData/Data"
 
 # Documentation:
 # https://kb.eventtracker.com/evtpass/evtpages/EventId_11707_MsiInstaller_47299.asp

diff --git a/evtx/Maps/Application_MsiInstaller_11708.map b/evtx/Maps/Application_MsiInstaller_11708.map
@@ -6,11 +6,11 @@ Provider: "MsiInstaller"
 Maps:
   -
     Property: PayloadData1
-    PropertyValue: "Data: %Data%"
+    PropertyValue: "%Data%"
     Values:
       -
         Name: Data
-        Value: "/Event/EventData/Data[1]"
+        Value: "/Event/EventData/Data"
 
 # Documentation:
 # https://kb.eventtracker.com/evtpass/evtpages/EventId_11708_MsiInstaller_46225.asp

diff --git a/evtx/Maps/Application_MsiInstaller_11724.map b/evtx/Maps/Application_MsiInstaller_11724.map
@@ -6,11 +6,11 @@ Provider: "MsiInstaller"
 Maps:
   -
     Property: PayloadData1
-    PropertyValue: "Data: %Data%"
+    PropertyValue: "%Data%"
     Values:
       -
         Name: Data
-        Value: "/Event/EventData/Data[1]"
+        Value: "/Event/EventData/Data"
 
 # Documentation:
 # https://kb.eventtracker.com/evtpass/evtpages/EventId_11724_Msiinstaller_52366.asp

diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_28115.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_28115.map
@@ -5,14 +5,14 @@ Channel: "Microsoft-Windows-Shell-Core/Operational"
 Provider: "Microsoft-Windows-Shell-Core"
 Maps:
   -
-    Property: PayloadData1
-    PropertyValue: "Name: %Name%"
+    Property: ExecutableInfo
+    PropertyValue: "%Name%"
     Values:
       -
         Name: Name
         Value: "/Event/EventData/Data[@Name=\"Name\"]"
   -
-    Property: PayloadData2
+    Property: PayloadData1
     PropertyValue: "AppID: %AppID%"
     Values:
       -

diff --git a/...t-Windows-User Profile Service-Operational_Microsoft-Windows-User Profiles Service_67.map b/...t-Windows-User Profile Service-Operational_Microsoft-Windows-User Profiles Service_67.map
@@ -5,12 +5,13 @@ Channel: "Microsoft-Windows-User Profile Service/Operational"
 Provider: "Microsoft-Windows-User Profiles Service"
 Maps:
   -
-    Property: PayloadData1
-    PropertyValue: "LocalPath: %LocalPath%"
+    Property: UserName
+    PropertyValue: "%LocalPath%"
     Values:
       -
         Name: LocalPath
         Value: "/Event/EventData/Data[@Name=\"LocalPath\"]"
+        Refine: "(?<=Users\\\\).*"
 
 # Documentation:
 # N/A