Skip to content

Commit

Permalink
Merge pull request #42 from rathbuna/master
Browse files Browse the repository at this point in the history 
Various fixes
  • Loading branch information
@AndrewRathbun
AndrewRathbun authored Dec 5, 2020
2 parents de64438 + f3b2778 commit 92a767b
Show file tree
Hide file tree
Showing 15 changed files with 25 additions and 25 deletions.
2 changes: 1 addition & 1 deletion evtx/Maps/Microsoft-Windows-SysMon_Operational_1.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ Maps:
Value: "/Event/EventData/Data[@Name=\"ParentCommandLine\"]"
-
Property: UserName
"%User%"
PropertyValue: "%User%"
Values:
-
Name: User
Expand Down
2 changes: 1 addition & 1 deletion evtx/Maps/Microsoft-Windows-SysMon_Operational_19.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ Maps:
Value: "/Event/EventData/Data[@Name=\"EventNamespace\"]"
-
Property: UserName
"%User%"
PropertyValue: "%User%"
Values:
-
Name: User
Expand Down
2 changes: 1 addition & 1 deletion evtx/Maps/Microsoft-Windows-SysMon_Operational_20.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ Maps:
Value: "/Event/EventData/Data[@Name=\"Destination\"]"
-
Property: UserName
"%User%"
PropertyValue: "%User%"
Values:
-
Name: User
Expand Down
2 changes: 1 addition & 1 deletion evtx/Maps/Microsoft-Windows-SysMon_Operational_21.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ Maps:
Value: "/Event/EventData/Data[@Name=\"Filter\"]"
-
Property: UserName
"%User%"
PropertyValue: "%User%"
Values:
-
Name: User
Expand Down
2 changes: 1 addition & 1 deletion evtx/Maps/Microsoft-Windows-SysMon_Operational_3.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ Maps:
Value: "/Event/EventData/Data[@Name=\"DestinationIp\"]"
-
Property: UserName
"%User%"
PropertyValue: "%User%"
Values:
-
Name: User
Expand Down
6 changes: 3 additions & 3 deletions evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,21 +5,21 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
Maps:
-
Property: PayloadData1
PropertyValue: "Task: %TaskName%"
PropertyValue: "Task: %TaskName%"
Values:
-
Name: TaskName
Value: "/Event/EventData/Data[@Name=\"TaskName\"]"
-
Property: PayloadData2
PropertyValue: Context: %UserContext%
PropertyValue: "Context: %UserContext%"
Values:
-
Name: UserContext
Value: "/Event/EventData/Data[@Name=\"UserContext\"]"
-
Property: PayloadData3
PropertyValue: Instance Id: %InstanceId%
PropertyValue: "Instance Id: %InstanceId%"
Values:
-
Name: InstanceId
Expand Down
6 changes: 3 additions & 3 deletions evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,21 +5,21 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
Maps:
-
Property: PayloadData1
PropertyValue: "Task: %TaskName%"
PropertyValue: "Task: %TaskName%"
Values:
-
Name: TaskName
Value: "/Event/EventData/Data[@Name=\"TaskName\"]"
-
Property: PayloadData2
PropertyValue: Context: %UserContext%
PropertyValue: "Context: %UserContext%"
Values:
-
Name: UserContext
Value: "/Event/EventData/Data[@Name=\"UserContext\"]"
-
Property: PayloadData3
PropertyValue: Instance Id: %InstanceId%
PropertyValue: "Instance Id: %InstanceId%"
Values:
-
Name: InstanceId
Expand Down
2 changes: 1 addition & 1 deletion evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
Maps:
-
Property: PayloadData1
PropertyValue: "Task: %TaskName%"
PropertyValue: "Task: %TaskName%"
Values:
-
Name: TaskName
Expand Down
4 changes: 2 additions & 2 deletions evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
Maps:
-
Property: PayloadData1
PropertyValue: "Task: %TaskName%"
PropertyValue: "Task: %TaskName%"
Values:
-
Name: TaskName
Expand All @@ -19,7 +19,7 @@ PropertyValue: "Task: %TaskName%"
Value: "/Event/EventData/Data[@Name=\"UserName\"]"
-
Property: PayloadData3
PropertyValue: Instance Id: %InstanceId%
PropertyValue: "Instance Id: %InstanceId%"
Values:
-
Name: InstanceId
Expand Down
2 changes: 1 addition & 1 deletion evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
Maps:
-
Property: PayloadData1
PropertyValue: "Task: %TaskName%"
PropertyValue: "Task: %TaskName%"
Values:
-
Name: TaskName
Expand Down
4 changes: 2 additions & 2 deletions evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
Maps:
-
Property: PayloadData1
PropertyValue: "Task: %TaskName%"
PropertyValue: "Task: %TaskName%"
Values:
-
Name: TaskName
Expand All @@ -19,7 +19,7 @@ PropertyValue: "Task: %TaskName%"
Value: "/Event/EventData/Data[@Name=\"ActionName\"]"
-
Property: PayloadData3
PropertyValue: Instance Id: %TaskInstanceId%
PropertyValue: "Instance Id: %TaskInstanceId%"
Values:
-
Name: TaskInstanceId
Expand Down
4 changes: 2 additions & 2 deletions evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
Maps:
-
Property: PayloadData1
PropertyValue: "Task: %TaskName%"
PropertyValue: "Task: %TaskName%"
Values:
-
Name: TaskName
Expand All @@ -19,7 +19,7 @@ PropertyValue: "Task: %TaskName%"
Value: "/Event/EventData/Data[@Name=\"ActionName\"]"
-
Property: PayloadData3
PropertyValue: Instance Id: %TaskInstanceId%
PropertyValue: "Instance Id: %TaskInstanceId%"
Values:
-
Name: TaskInstanceId
Expand Down
2 changes: 1 addition & 1 deletion evtx/Maps/Security_1102.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ Maps:
Value: "/Event/UserData/LogFileCleared/SubjectUserName"
-
Property: PayloadData1
PropertyValue: "SID: (%SubjectUserSid%)"
PropertyValue: "SID: (%SubjectUserSid%)"
Values:
-
Name: SubjectUserSid
Expand Down
4 changes: 2 additions & 2 deletions evtx/Maps/Security_5140.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ Maps:
Value: "/Event/EventData/Data[@Name=\"IpPort\"]"
-
Property: PayloadData1
PropertyValue: Share: %ShareName% (%ShareLocalPath%)
PropertyValue: "Share: %ShareName% (%ShareLocalPath%)"
Values:
-
Name: ShareName
Expand All @@ -35,7 +35,7 @@ Maps:
Value: "/Event/EventData/Data[@Name=\"ShareLocalPath\"]"
-
Property: PayloadData2
PropertyValue: Sid: %SubjectUserSid%
PropertyValue: "Sid: %SubjectUserSid%"
Values:
-
Name: SubjectUserSid
Expand Down
6 changes: 3 additions & 3 deletions evtx/Maps/System_1.map
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,21 +6,21 @@ Provider: "Microsoft-Windows-Power-Troubleshooter"
Maps:
-
Property: PayloadData1
PropertyValue: Sleep duration: "%SleepDuration%"
PropertyValue: "Sleep duration: %SleepDuration%"
Values:
-
Name: SleepDuration
Value: "/Event/EventData/Data[@Name=\"SleepDuration\"]"
-
Property: PayloadData2
PropertyValue: Wake source: "%WakeSourceType%"
PropertyValue: "Wake source: %WakeSourceType%"
Values:
-
Name: WakeSourceType
Value: "/Event/EventData/Data[@Name=\"WakeSourceType\"]"
-
Property: PayloadData3
PropertyValue: Wake source text "%WakeSourceText%"
PropertyValue: "Wake source text %WakeSourceText%"
Values:
-
Name: WakeSourceText
Expand Down

0 comments on commit 92a767b

Please sign in to comment.