From 5fb8b179a351a222db532e5a093bb393ce3bc25b Mon Sep 17 00:00:00 2001 
From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Sat, 19 Dec 2020 16:27:52 -0500 Subject: [PATCH] Standardization of Map Naming Convention, Update README Channel-Name_Provider-Name_EventID.map, and updated README
---
 evtx/Maps/!!!!README.md | 18 +++--
 ... => Application_Application-Hang_1002.map} | 0
 ...ap => Application_HitmanPro-Alert_911.map} | 0
 ...ication_Microsoft-Windows-Audit-CVE_1.map} | 0
 ...map => Application_MsiInstaller_10002.map} | 0
 ....map => Application_MsiInstaller_1033.map} | 0
 ....map => Application_MsiInstaller_1034.map} | 0
 ...map => Application_MsiInstaller_11707.map} | 0
 ...map => Application_MsiInstaller_11708.map} | 0
 ...map => Application_MsiInstaller_11724.map} | 0
 ...p => Application_Sophos-Anti-Virus_32.map} | 0
 ...plication_Sophos-System-Protection_42.map} | 0
 ...ecure-Mobility-Client_acvpnagent_2048.map} | 74 +++++++++----------
 ...ecure-Mobility-Client_acvpnagent_2086.map} | 74 +++++++++----------
 ...ecure-Mobility-Client_acvpnagent_2127.map} | 0
 ...-Mobility-Client_acvpndownloader_5005.map} | 72 +++++++++---------
 ...rosoft-DriverFrameworks-UserMode_2100.map} | 0
 ...rational_Microsoft-Windows-AppID_4004.map} | 0
 ...-DLL_Microsoft-Windows-AppLocker_8002.map} | 0
 ...-DLL_Microsoft-Windows-AppLocker_8004.map} | 0
 ...ript_Microsoft-Windows-AppLocker_8005.map} | 0
 ...ript_Microsoft-Windows-AppLocker_8007.map} | 0
 ...tion_Microsoft-Windows-AppLocker_8020.map} | 0
 ...ft-Windows-Application-Experience_500.map} | 0
 ...ft-Windows-Application-Experience_505.map} | 0
 ...onal_Microsoft-Windows-Bits-Client_59.map} | 0
 ...t-Windows-Diagnostics-Performance_100.map} | 0
 ...t-Windows-Diagnostics-Performance_200.map} | 0
 ...icrosoft-Windows-Hyper-V-Worker_13002.map} | 0
 ...icrosoft-Windows-Hyper-V-Worker_18500.map} | 0
 ...icrosoft-Windows-Hyper-V-Worker_18502.map} | 0
 ...icrosoft-Windows-Hyper-V-Worker_18508.map} | 0
 ...icrosoft-Windows-Hyper-V-Worker_18514.map} | 0
 ...icrosoft-Windows-NetworkProfile_10000.map} | 0
...icrosoft-Windows-NetworkProfile_10001.map} | 0
 ...stic_Microsoft-Windows-Partition_1006.map} | 0
 ...nal_Microsoft-Windows-PowerShell_4104.map} | 0
 ...al_Microsoft-Windows-PrintService_307.map} | 0
 ...s-RemoteDesktopServices-RdpCoreTS_131.map} | 0
 ...s-RemoteDesktopServices-RdpCoreTS_140.map} | 0
 ...ws-RemoteDesktopServices-RdpCoreTS_98.map} | 0
 ...al_Microsoft-Windows-Shell-Core_28115.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9701.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9702.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9703.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9704.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9705.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9706.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9707.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9708.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9709.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9710.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9711.map} | 0
 ...nal_Microsoft-Windows-Shell-Core_9712.map} | 0
 ...perational_Microsoft-Windows-Sysmon_1.map} | 0
 ...erational_Microsoft-Windows-Sysmon_10.map} | 0
 ...erational_Microsoft-Windows-Sysmon_11.map} | 0
 ...erational_Microsoft-Windows-Sysmon_12.map} | 0
 ...erational_Microsoft-Windows-Sysmon_13.map} | 0
 ...erational_Microsoft-Windows-Sysmon_14.map} | 0
 ...erational_Microsoft-Windows-Sysmon_15.map} | 0
 ...erational_Microsoft-Windows-Sysmon_16.map} | 0
 ...erational_Microsoft-Windows-Sysmon_17.map} | 0
 ...erational_Microsoft-Windows-Sysmon_18.map} | 0
 ...erational_Microsoft-Windows-Sysmon_19.map} | 0
 ...perational_Microsoft-Windows-Sysmon_2.map} | 0
 ...erational_Microsoft-Windows-Sysmon_20.map} | 0
 ...erational_Microsoft-Windows-Sysmon_21.map} | 0
 ...erational_Microsoft-Windows-Sysmon_22.map} | 0
 ...erational_Microsoft-Windows-Sysmon_23.map} | 0
 ...perational_Microsoft-Windows-Sysmon_3.map} | 0
 ...perational_Microsoft-Windows-Sysmon_4.map} | 0
 ...perational_Microsoft-Windows-Sysmon_5.map} | 0
 ...perational_Microsoft-Windows-Sysmon_6.map} | 0
...perational_Microsoft-Windows-Sysmon_7.map} | 0
 ...perational_Microsoft-Windows-Sysmon_8.map} | 0
 ...perational_Microsoft-Windows-Sysmon_9.map} | 0
 ...l_Microsoft-Windows-TaskScheduler_100.map} | 0
 ...l_Microsoft-Windows-TaskScheduler_102.map} | 0
 ...l_Microsoft-Windows-TaskScheduler_106.map} | 0
 ...l_Microsoft-Windows-TaskScheduler_119.map} | 0
 ...l_Microsoft-Windows-TaskScheduler_140.map} | 0
 ...l_Microsoft-Windows-TaskScheduler_141.map} | 0
 ...l_Microsoft-Windows-TaskScheduler_200.map} | 0
 ...l_Microsoft-Windows-TaskScheduler_201.map} | 0
 ...rminalServices-LocalSessionManager_21.map} | 0
 ...rminalServices-LocalSessionManager_22.map} | 0
 ...rminalServices-LocalSessionManager_23.map} | 0
 ...rminalServices-LocalSessionManager_24.map} | 0
 ...rminalServices-LocalSessionManager_25.map} | 0
 ...rminalServices-LocalSessionManager_39.map} | 0
 ...rminalServices-LocalSessionManager_40.map} | 0
 ...rminalServices-ClientActiveXCore_1024.map} | 0
 ...rminalServices-ClientActiveXCore_1025.map} | 0
 ...rminalServices-ClientActiveXCore_1026.map} | 0
 ...rminalServices-ClientActiveXCore_1027.map} | 0
 ...rminalServices-ClientActiveXCore_1029.map} | 0
 ...rminalServices-ClientActiveXCore_1102.map} | 0
 ...rminalServices-ClientActiveXCore_1103.map} | 0
 ...Services-RemoteConnectionManager_1149.map} | 0
 ...lServices-RemoteConnectionManager_261.map} | 0
 ...Operational_Microsoft-Windows-VHDMP_2.map} | 0
 ...icrosoft-Windows-WLAN-AutoConfig_8000.map} | 0
 ...icrosoft-Windows-WLAN-AutoConfig_8001.map} | 0
 ...icrosoft-Windows-WLAN-AutoConfig_8002.map} | 0
 ...icrosoft-Windows-WLAN-AutoConfig_8003.map} | 0
 ...l_Microsoft-Windows-WMI-Activity_5857.map} | 0
 ...l_Microsoft-Windows-WMI-Activity_5860.map} | 0
 ...l_Microsoft-Windows-WMI-Activity_5861.map} | 0
 ...erational_Microsoft-Windows-WinRM_169.map} | 0
 ...crosoft-Windows-Windows Defender_1000.map} | 0
 ...crosoft-Windows-Windows Defender_1001.map} | 0
 ...crosoft-Windows-Windows Defender_1002.map} | 0
 ...crosoft-Windows-Windows Defender_1003.map} | 0
...crosoft-Windows-Windows Defender_1004.map} | 0
 ...crosoft-Windows-Windows Defender_1005.map} | 0
 ...crosoft-Windows-Windows Defender_1006.map} | 0
 ...crosoft-Windows-Windows Defender_1008.map} | 0
 ...crosoft-Windows-Windows Defender_1011.map} | 0
 ...crosoft-Windows-Windows Defender_1013.map} | 0
 ...crosoft-Windows-Windows Defender_1116.map} | 0
 ...crosoft-Windows-Windows Defender_1117.map} | 0
 ...crosoft-Windows-Windows Defender_1150.map} | 0
 ...crosoft-Windows-Windows Defender_5000.map} | 0
 ...crosoft-Windows-Windows Defender_5001.map} | 0
 ...crosoft-Windows-Windows Defender_5007.map} | 0
 ...-Firewall-With-Advanced-Security_2004.map} | 0
 ...Alerts_Microsoft-Office-16-Alerts_300.map} | 0
 ....map => OpenSSH-Operational_OpenSSH_4.map} | 0
 ...urity_Microsoft-Windows-Eventlog_1100.map} | 0
 ...urity_Microsoft-Windows-Eventlog_1102.map} | 0
 ...rosoft-Windows-Security-Auditing_4608.map} | 0
 ...rosoft-Windows-Security-Auditing_4616.map} | 0
 ...rosoft-Windows-Security-Auditing_4624.map} | 0
 ...rosoft-Windows-Security-Auditing_4625.map} | 0
 ...rosoft-Windows-Security-Auditing_4634.map} | 0
 ...rosoft-Windows-Security-Auditing_4647.map} | 0
 ...rosoft-Windows-Security-Auditing_4648.map} | 0
 ...rosoft-Windows-Security-Auditing_4657.map} | 0
 ...rosoft-Windows-Security-Auditing_4661.map} | 0
 ...rosoft-Windows-Security-Auditing_4662.map} | 0
 ...rosoft-Windows-Security-Auditing_4663.map} | 0
 ...rosoft-Windows-Security-Auditing_4672.map} | 0
 ...rosoft-Windows-Security-Auditing_4688.map} | 0
 ...rosoft-Windows-Security-Auditing_4697.map} | 0
 ...rosoft-Windows-Security-Auditing_4698.map} | 0
 ...rosoft-Windows-Security-Auditing_4699.map} | 0
 ...rosoft-Windows-Security-Auditing_4700.map} | 0
 ...rosoft-Windows-Security-Auditing_4701.map} | 0
 ...rosoft-Windows-Security-Auditing_4702.map} | 0
 ...rosoft-Windows-Security-Auditing_4719.map} | 0
 ...rosoft-Windows-Security-Auditing_4720.map} | 0
 ...rosoft-Windows-Security-Auditing_4722.map} | 0
 ...rosoft-Windows-Security-Auditing_4723.map} | 0
...rosoft-Windows-Security-Auditing_4724.map} | 0
 ...rosoft-Windows-Security-Auditing_4725.map} | 0
 ...rosoft-Windows-Security-Auditing_4726.map} | 0
 ...rosoft-Windows-Security-Auditing_4738.map} | 0
 ...rosoft-Windows-Security-Auditing_4740.map} | 0
 ...rosoft-Windows-Security-Auditing_4742.map} | 0
 ...rosoft-Windows-Security-Auditing_4768.map} | 0
 ...rosoft-Windows-Security-Auditing_4769.map} | 0
 ...rosoft-Windows-Security-Auditing_4776.map} | 0
 ...rosoft-Windows-Security-Auditing_4778.map} | 0
 ...rosoft-Windows-Security-Auditing_4779.map} | 0
 ...rosoft-Windows-Security-Auditing_4798.map} | 0
 ...rosoft-Windows-Security-Auditing_4799.map} | 2 +-
 ...rosoft-Windows-Security-Auditing_4800.map} | 0
 ...rosoft-Windows-Security-Auditing_4801.map} | 0
 ...rosoft-Windows-Security-Auditing_4802.map} | 0
 ...rosoft-Windows-Security-Auditing_4803.map} | 0
 ...rosoft-Windows-Security-Auditing_5136.map} | 0
 ...rosoft-Windows-Security-Auditing_5140.map} | 0
 ...rosoft-Windows-Security-Auditing_5142.map} | 0
 ...rosoft-Windows-Security-Auditing_5144.map} | 0
 ...rosoft-Windows-Security-Auditing_5145.map} | 0
 ...rosoft-Windows-Security-Auditing_5156.map} | 0
 ...ymantec-Endpoint-Protection-Client_51.map} | 0
 ...stem_6005.map => System_EventLog_6005.map} | 0
 ...stem_6006.map => System_EventLog_6006.map} | 0
 ...stem_6008.map => System_EventLog_6008.map} | 0
 ...stem_6013.map => System_EventLog_6013.map} | 0
 ... System_Microsoft-Windows-Audit-CVE_2.map} | 0
 ...ndows-DriverFrameworks-UserMode_10000.map} | 1 -
 ...ystem_Microsoft-Windows-Eventllog_104.map} | 0
 ...m_Microsoft-Windows-Kernel-General_12.map} | 0
 ...m_Microsoft-Windows-Kernel-General_13.map} | 0
 ...tem_Microsoft-Windows-Kernel-Power_42.map} | 0
 ...rosoft-Windows-Power-Troubleshooter_1.map} | 0
 ...> System_Service-Control-Manager_7034.map} | 0
 ...> System_Service-Control-Manager_7035.map} | 0
 ...> System_Service-Control-Manager_7036.map} | 0
 ...> System_Service-Control-Manager_7045.map} | 0
 ...
=> Windows-PowerShell_PowerShell_400.map} | 0
 ... => Windows-PowerShell_PowerShell_403.map} | 0
 ... => Windows-PowerShell_PowerShell_600.map} | 0
 196 files changed, 121 insertions(+), 120 deletions(-)
 rename evtx/Maps/{Application_1002.map => Application_Application-Hang_1002.map} (100%)
 rename evtx/Maps/{Application-HitmanPro-Alert_911.map => Application_HitmanPro-Alert_911.map} (100%)
 rename evtx/Maps/{Application_Audit-CVE_1.map => Application_Microsoft-Windows-Audit-CVE_1.map} (100%)
 rename evtx/Maps/{Application_10002.map => Application_MsiInstaller_10002.map} (100%)
 rename evtx/Maps/{Application_1033.map => Application_MsiInstaller_1033.map} (100%)
 rename evtx/Maps/{Application_1034.map => Application_MsiInstaller_1034.map} (100%)
 rename evtx/Maps/{Application_11707.map => Application_MsiInstaller_11707.map} (100%)
 rename evtx/Maps/{Application_11708.map => Application_MsiInstaller_11708.map} (100%)
 rename evtx/Maps/{Application_11724.map => Application_MsiInstaller_11724.map} (100%)
 rename evtx/Maps/{Application-Sophos-Alert_32.map => Application_Sophos-Anti-Virus_32.map} (100%)
 rename evtx/Maps/{Application-Sophos-Alert_42.map => Application_Sophos-System-Protection_42.map} (100%)
 rename evtx/Maps/{Cisco-AnyConnect-Secure-Mobility-Client-2048.map => Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2048.map} (96%)
 rename evtx/Maps/{Cisco-AnyConnect-Secure-Mobility-Client-2086.map => Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2086.map} (96%)
 rename evtx/Maps/{Cisco-AnyConnect-Secure-Mobility-Client-2127.map => Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2127.map} (100%)
 rename evtx/Maps/{Cisco-AnyConnect-Secure-Mobility-Client-5005.map => Cisco-AnyConnect-Secure-Mobility-Client_acvpndownloader_5005.map} (96%)
 rename evtx/Maps/{Microsoft-DriverFrameworks-UserMode_2100.map => Microsoft-DriverFrameworks-UserMode-Operational_Microsoft-DriverFrameworks-UserMode_2100.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-AppID_4004.map =>
Microsoft-Windows-AppID-Operational_Microsoft-Windows-AppID_4004.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-AppLocker-EXE_and_DLL_8002.map => Microsoft-Windows-AppLocker-EXE-and-DLL_Microsoft-Windows-AppLocker_8002.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-AppLocker-EXE_and_DLL_8004.map => Microsoft-Windows-AppLocker-EXE-and-DLL_Microsoft-Windows-AppLocker_8004.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-AppLocker-MSI_and_Script_8005.map => Microsoft-Windows-AppLocker-MSI-and-Script_Microsoft-Windows-AppLocker_8005.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-AppLocker-MSI_and_Script_8007.map => Microsoft-Windows-AppLocker-MSI-and-Script_Microsoft-Windows-AppLocker_8007.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-AppLocker-PackagedApp-Exec_8020.map => Microsoft-Windows-AppLocker-PackagedApp-Execution_Microsoft-Windows-AppLocker_8020.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Application-Experience_Program-Telemetry_500.map => Microsoft-Windows-Application-Experience-Program-Telemetry_Microsoft-Windows-Application-Experience_500.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Application-Experience_Program-Telemetry_505.map => Microsoft-Windows-Application-Experience-Program-Telemetry_Microsoft-Windows-Application-Experience_505.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Bits-Client_Operational_59.map => Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Diagnostics-Performance_Operational_100.map => Microsoft-Windows-Diagnostics-Performance-Operational_Microsoft-Windows-Diagnostics-Performance_100.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Diagnostics-Performance_Operational_200.map => Microsoft-Windows-Diagnostics-Performance-Operational_Microsoft-Windows-Diagnostics-Performance_200.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Hyper-V-VMMS-Admin_13002.map => Microsoft-Windows-Hyper-V-VMMS-Admin_Microsoft-Windows-Hyper-V-Worker_13002.map} (100%)
 rename
evtx/Maps/{Microsoft-Windows-Hyper-V-Worker-Admin_18500.map => Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18500.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Hyper-V-Worker-Admin_18502.map => Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18502.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Hyper-V-Worker-Admin_18508.map => Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18508.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Hyper-V-Worker-Admin_18514.map => Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18514.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-NetworkProfile_Operational_10000.map => Microsoft-Windows-NetworkProfile-Operational_Microsoft-Windows-NetworkProfile_10000.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-NetworkProfile_Operational_10001.map => Microsoft-Windows-NetworkProfile-Operational_Microsoft-Windows-NetworkProfile_10001.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Partition-Diagnostic_1006.map => Microsoft-Windows-Partition-Diagnostic_Microsoft-Windows-Partition_1006.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-PowerShell_Operational_4104.map => Microsoft-Windows-PowerShell-Operational_Microsoft-Windows-PowerShell_4104.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-PrintService_Operational_307.map => Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_131.map => Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_131.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_140.map => Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_140.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_98.map =>
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_98.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_28115.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_28115.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9701.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9701.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9702.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9702.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9703.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9703.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9704.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9704.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9705.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9705.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9706.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9706.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9707.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9707.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9708.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9708.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9709.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9709.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9710.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9710.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9711.map =>
Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9711.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Shell-Core_Operational_9712.map => Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9712.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_1.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_1.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_10.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_10.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_11.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_11.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_12.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_12.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_13.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_13.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_14.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_14.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_15.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_15.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_16.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_16.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_17.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_17.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_18.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_18.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_19.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_19.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_2.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_2.map} (100%)
 rename
evtx/Maps/{Microsoft-Windows-SysMon_Operational_20.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_20.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_21.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_21.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_22.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_22.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_23.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_23.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_3.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_4.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_4.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_5.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_5.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_6.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_6.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_7.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_7.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_8.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_8.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-SysMon_Operational_9.map => Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_9.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TaskScheduler_Operational_100.map => Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TaskScheduler_Operational_102.map => Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TaskScheduler_Operational_106.map =>
Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_106.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TaskScheduler_Operational_119.map => Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_119.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TaskScheduler_Operational_140.map => Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_140.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TaskScheduler_Operational_141.map => Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_141.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TaskScheduler_Operational_200.map => Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_200.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TaskScheduler_Operational_201.map => Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_21.map => Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_21.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_22.map => Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_22.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_23.map => Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_23.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_24.map => Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_24.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_25.map =>
Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_25.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_39.map => Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_39.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_40.map => Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_40.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-RDPClient_Operational_1024.map => Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1024.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-RDPClient_Operational_1025.map => Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1025.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-RDPClient_Operational_1026.map => Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1026.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-RDPClient_Operational_1027.map => Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-RDPClient_Operational_1029.map => Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1029.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-RDPClient_Operational_1102.map => Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1102.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-RDPClient_Operational_1103.map =>
Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1103.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_1149.map => Microsoft-Windows-TerminalServices-RemoteConnectionManager-Operational_Microsoft-Windows-TerminalServices-RemoteConnectionManager_1149.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_261.map => Microsoft-Windows-TerminalServices-RemoteConnectionManager-Operational_Microsoft-Windows-TerminalServices-RemoteConnectionManager_261.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-VHDMP-Operational_2.map => Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_2.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-WLAN-AutoConfig_Operational_8000.map => Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8000.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-WLAN-AutoConfig_Operational_8001.map => Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8001.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-WLAN-AutoConfig_Operational_8002.map => Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8002.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-WLAN-AutoConfig_Operational_8003.map => Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8003.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-WMI-Activity_Operational_5857.map => Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5857.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-WMI-Activity_Operational_5860.map => Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5860.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-WMI-Activity_Operational_5861.map => Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5861.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-WinRM_169.map =>
Microsoft-Windows-WinRM-Operational_Microsoft-Windows-WinRM_169.map} (100%)
 rename evtx/Maps/{WindowsDefender_1000.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1000.map} (100%)
 rename evtx/Maps/{WindowsDefender_1001.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1001.map} (100%)
 rename evtx/Maps/{WindowsDefender_1002.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1002.map} (100%)
 rename evtx/Maps/{WindowsDefender_1003.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1003.map} (100%)
 rename evtx/Maps/{WindowsDefender_1004.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1004.map} (100%)
 rename evtx/Maps/{WindowsDefender_1005.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1005.map} (100%)
 rename evtx/Maps/{WindowsDefender_1006.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1006.map} (100%)
 rename evtx/Maps/{WindowsDefender_1008.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1008.map} (100%)
 rename evtx/Maps/{WindowsDefender_1011.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1011.map} (100%)
 rename evtx/Maps/{WindowsDefender_1013.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1013.map} (100%)
 rename evtx/Maps/{WindowsDefender_1116.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1116.map} (100%)
 rename evtx/Maps/{WindowsDefender_1117.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1117.map} (100%)
 rename evtx/Maps/{WindowsDefender_1150.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1150.map} (100%)
 rename
evtx/Maps/{WindowsDefender_5000.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5000.map} (100%)
 rename evtx/Maps/{WindowsDefender_5001.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5001.map} (100%)
 rename evtx/Maps/{WindowsDefender_5007.map => Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5007.map} (100%)
 rename evtx/Maps/{Microsoft-Windows-Windows_Firewall_With_Advanced_Security_2004.map => Microsoft-Windows-Windows-Firewall-With-Advanced-Security-Firewall_Microsoft-Windows-Windows-Firewall-With-Advanced-Security_2004.map} (100%)
 rename evtx/Maps/{OAlerts_300.map => OAlerts_Microsoft-Office-16-Alerts_300.map} (100%)
 rename evtx/Maps/{OpenSSH_4.map => OpenSSH-Operational_OpenSSH_4.map} (100%)
 rename evtx/Maps/{Security_1100.map => Security_Microsoft-Windows-Eventlog_1100.map} (100%)
 rename evtx/Maps/{Security_1102.map => Security_Microsoft-Windows-Eventlog_1102.map} (100%)
 rename evtx/Maps/{Security_4608.map => Security_Microsoft-Windows-Security-Auditing_4608.map} (100%)
 rename evtx/Maps/{Security_4616.map => Security_Microsoft-Windows-Security-Auditing_4616.map} (100%)
 rename evtx/Maps/{Security_4624.map => Security_Microsoft-Windows-Security-Auditing_4624.map} (100%)
 rename evtx/Maps/{Security_4625.map => Security_Microsoft-Windows-Security-Auditing_4625.map} (100%)
 rename evtx/Maps/{Security_4634.map => Security_Microsoft-Windows-Security-Auditing_4634.map} (100%)
 rename evtx/Maps/{Security_4647.map => Security_Microsoft-Windows-Security-Auditing_4647.map} (100%)
 rename evtx/Maps/{Security_4648.map => Security_Microsoft-Windows-Security-Auditing_4648.map} (100%)
 rename evtx/Maps/{Security_4657.map => Security_Microsoft-Windows-Security-Auditing_4657.map} (100%)
 rename evtx/Maps/{Security_4661.map => Security_Microsoft-Windows-Security-Auditing_4661.map} (100%)
 rename evtx/Maps/{Security_4662.map =>
Security_Microsoft-Windows-Security-Auditing_4662.map} (100%)
 rename evtx/Maps/{Security_4663.map => Security_Microsoft-Windows-Security-Auditing_4663.map} (100%)
 rename evtx/Maps/{Security_4672.map => Security_Microsoft-Windows-Security-Auditing_4672.map} (100%)
 rename evtx/Maps/{Security_4688.map => Security_Microsoft-Windows-Security-Auditing_4688.map} (100%)
 rename evtx/Maps/{Security_4697.map => Security_Microsoft-Windows-Security-Auditing_4697.map} (100%)
 rename evtx/Maps/{Security_4698.map => Security_Microsoft-Windows-Security-Auditing_4698.map} (100%)
 rename evtx/Maps/{Security_4699.map => Security_Microsoft-Windows-Security-Auditing_4699.map} (100%)
 rename evtx/Maps/{Security_4700.map => Security_Microsoft-Windows-Security-Auditing_4700.map} (100%)
 rename evtx/Maps/{Security_4701.map => Security_Microsoft-Windows-Security-Auditing_4701.map} (100%)
 rename evtx/Maps/{Security_4702.map => Security_Microsoft-Windows-Security-Auditing_4702.map} (100%)
 rename evtx/Maps/{Security_4719.map => Security_Microsoft-Windows-Security-Auditing_4719.map} (100%)
 rename evtx/Maps/{Security_4720.map => Security_Microsoft-Windows-Security-Auditing_4720.map} (100%)
 rename evtx/Maps/{Security_4722.map => Security_Microsoft-Windows-Security-Auditing_4722.map} (100%)
 rename evtx/Maps/{Security_4723.map => Security_Microsoft-Windows-Security-Auditing_4723.map} (100%)
 rename evtx/Maps/{Security_4724.map => Security_Microsoft-Windows-Security-Auditing_4724.map} (100%)
 rename evtx/Maps/{Security_4725.map => Security_Microsoft-Windows-Security-Auditing_4725.map} (100%)
 rename evtx/Maps/{Security_4726.map => Security_Microsoft-Windows-Security-Auditing_4726.map} (100%)
 rename evtx/Maps/{Security_4738.map => Security_Microsoft-Windows-Security-Auditing_4738.map} (100%)
 rename evtx/Maps/{Security_4740.map => Security_Microsoft-Windows-Security-Auditing_4740.map} (100%)
 rename evtx/Maps/{Security_4742.map => Security_Microsoft-Windows-Security-Auditing_4742.map} (100%)
 rename
evtx/Maps/{Security_4768.map => Security_Microsoft-Windows-Security-Auditing_4768.map} (100%)
 rename evtx/Maps/{Security_4769.map => Security_Microsoft-Windows-Security-Auditing_4769.map} (100%)
 rename evtx/Maps/{Security_4776.map => Security_Microsoft-Windows-Security-Auditing_4776.map} (100%)
 rename evtx/Maps/{Security_4778.map => Security_Microsoft-Windows-Security-Auditing_4778.map} (100%)
 rename evtx/Maps/{Security_4779.map => Security_Microsoft-Windows-Security-Auditing_4779.map} (100%)
 rename evtx/Maps/{Security_4798.map => Security_Microsoft-Windows-Security-Auditing_4798.map} (100%)
 rename evtx/Maps/{Security_4799.map => Security_Microsoft-Windows-Security-Auditing_4799.map} (97%)
 rename evtx/Maps/{Security_4800.map => Security_Microsoft-Windows-Security-Auditing_4800.map} (100%)
 rename evtx/Maps/{Security_4801.map => Security_Microsoft-Windows-Security-Auditing_4801.map} (100%)
 rename evtx/Maps/{Security_4802.map => Security_Microsoft-Windows-Security-Auditing_4802.map} (100%)
 rename evtx/Maps/{Security_4803.map => Security_Microsoft-Windows-Security-Auditing_4803.map} (100%)
 rename evtx/Maps/{Security_5136.map => Security_Microsoft-Windows-Security-Auditing_5136.map} (100%)
 rename evtx/Maps/{Security_5140.map => Security_Microsoft-Windows-Security-Auditing_5140.map} (100%)
 rename evtx/Maps/{Security_5142.map => Security_Microsoft-Windows-Security-Auditing_5142.map} (100%)
 rename evtx/Maps/{Security_5144.map => Security_Microsoft-Windows-Security-Auditing_5144.map} (100%)
 rename evtx/Maps/{Security_5145.map => Security_Microsoft-Windows-Security-Auditing_5145.map} (100%)
 rename evtx/Maps/{Security_5156.map => Security_Microsoft-Windows-Security-Auditing_5156.map} (100%)
 rename evtx/Maps/{Symantec-Endpoint-Protection-Client_51.map => Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_51.map} (100%)
 rename evtx/Maps/{System_6005.map => System_EventLog_6005.map} (100%)
 rename evtx/Maps/{System_6006.map => System_EventLog_6006.map} (100%)
rename evtx/Maps/{System_6008.map => System_EventLog_6008.map} (100%)
 rename evtx/Maps/{System_6013.map => System_EventLog_6013.map} (100%)
 rename evtx/Maps/{System-Audit-CVE_2.map => System_Microsoft-Windows-Audit-CVE_2.map} (100%)
 rename evtx/Maps/{System_10000.map => System_Microsoft-Windows-DriverFrameworks-UserMode_10000.map} (96%)
 rename evtx/Maps/{System_104.map => System_Microsoft-Windows-Eventllog_104.map} (100%)
 rename evtx/Maps/{System_12.map => System_Microsoft-Windows-Kernel-General_12.map} (100%)
 rename evtx/Maps/{System_13.map => System_Microsoft-Windows-Kernel-General_13.map} (100%)
 rename evtx/Maps/{System_42.map => System_Microsoft-Windows-Kernel-Power_42.map} (100%)
 rename evtx/Maps/{System_1.map => System_Microsoft-Windows-Power-Troubleshooter_1.map} (100%)
 rename evtx/Maps/{System_7034.map => System_Service-Control-Manager_7034.map} (100%)
 rename evtx/Maps/{System_7035.map => System_Service-Control-Manager_7035.map} (100%)
 rename evtx/Maps/{System_7036.map => System_Service-Control-Manager_7036.map} (100%)
 rename evtx/Maps/{System_7045.map => System_Service-Control-Manager_7045.map} (100%)
 rename evtx/Maps/{Windows_Powershell_400.map => Windows-PowerShell_PowerShell_400.map} (100%)
 rename evtx/Maps/{Windows_Powershell_403.map => Windows-PowerShell_PowerShell_403.map} (100%)
 rename evtx/Maps/{Windows_Powershell_600.map => Windows-PowerShell_PowerShell_600.map} (100%)
diff --git a/evtx/Maps/!!!!README.md b/evtx/Maps/!!!!README.md
index f8bd1afe..47be66fb 100644
--- a/evtx/Maps/!!!!README.md
+++ b/evtx/Maps/!!!!README.md
@@ -88,21 +88,23 @@ It is that simple! Be sure to surround things in double quotes and/or escape quo NOTE! The filenames for maps should be in the following format: -Channel_EventID.map +Channel-Name_Provider-Name_EventID.map -Where Channel is EXACTLY what is in the XML element with any '/' characters replaced with an underscore. +Where Channel is EXACTLY what is in the XML element with any '/' characters, hyphens, or spaces replaced with a hyphen. Hyphens are the catch all for each element of the map filename. -For example, for Event ID '201' and Channel 'Microsoft-Windows-TaskScheduler/Operational' the file should be named: +Only underscores should separate each element (Channel Name, Provider Name, EventID). Hyphens separates words. Underscores separate elements. -`Microsoft-Windows-TaskScheduler_Operational_201.map` +For example, for Event ID '201' and Channel 'Microsoft-Windows-TaskScheduler/Operational' the file should be named: -As of v06 or so, you can also add optional properties `Provider` and `Lookups` +`Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map` -Provider is used at the header level and looks like this: +`Provider` is now mandatory. Provider is used at the header level and looks like this: `Provider: "Microsoft-Windows-Power-Troubleshooter"` -This lets you further narrow down when a map will be used. See System_1.map for an example. +This lets you further narrow down when a map will be used. Every map will have a working example of this now. + +As of v06 or so, you can also add optional properties such as `Lookups`. Lookups allow you to define lookup tables that match one value and replace them with another. Here is an example, also from System_1.map: 
@@ -211,4 +213,4 @@ This also allows you to update default maps without having your customizations b TIPS:
-If you are looking to make an Application.evtx map, please includence a Provider as they are many instances where the same event ID number is used for multiple providers. I've personally observed 4 Providers use Event ID 1 which without a Provider being listed for that map it made all 4 events, regardless of Provider, be mapped incorrectly. When in doubt, add a Provider to your map. Follow a template from a previously created map to ensure it's made correctly.add
+If you are looking to make an Application.evtx map, please include a Provider as they are many instances where the same event ID number is used for multiple providers. I've personally observed 4 Providers use Event ID 1 which without a Provider being listed for that map it made all 4 events, regardless of Provider, be mapped incorrectly. When in doubt, add a Provider to your map. Follow a template from a previously created map to ensure it's made correctly.add
diff --git a/evtx/Maps/Application_1002.map b/evtx/Maps/Application_Application-Hang_1002.map
similarity index 100%
rename from evtx/Maps/Application_1002.map
rename to evtx/Maps/Application_Application-Hang_1002.map
diff --git a/evtx/Maps/Application-HitmanPro-Alert_911.map b/evtx/Maps/Application_HitmanPro-Alert_911.map
similarity index 100%
rename from evtx/Maps/Application-HitmanPro-Alert_911.map
rename to evtx/Maps/Application_HitmanPro-Alert_911.map
diff --git a/evtx/Maps/Application_Audit-CVE_1.map b/evtx/Maps/Application_Microsoft-Windows-Audit-CVE_1.map
similarity index 100%
rename from evtx/Maps/Application_Audit-CVE_1.map
rename to evtx/Maps/Application_Microsoft-Windows-Audit-CVE_1.map
diff --git a/evtx/Maps/Application_10002.map b/evtx/Maps/Application_MsiInstaller_10002.map
similarity index 100%
rename from evtx/Maps/Application_10002.map
rename to evtx/Maps/Application_MsiInstaller_10002.map
diff --git a/evtx/Maps/Application_1033.map b/evtx/Maps/Application_MsiInstaller_1033.map
similarity index 100%
rename from evtx/Maps/Application_1033.map
rename to evtx/Maps/Application_MsiInstaller_1033.map
diff --git a/evtx/Maps/Application_1034.map b/evtx/Maps/Application_MsiInstaller_1034.map
similarity index 100%
rename from evtx/Maps/Application_1034.map
rename to evtx/Maps/Application_MsiInstaller_1034.map
diff --git a/evtx/Maps/Application_11707.map b/evtx/Maps/Application_MsiInstaller_11707.map
similarity index 100%
rename from evtx/Maps/Application_11707.map
rename to evtx/Maps/Application_MsiInstaller_11707.map
diff --git a/evtx/Maps/Application_11708.map b/evtx/Maps/Application_MsiInstaller_11708.map
similarity index 100%
rename from evtx/Maps/Application_11708.map
rename to evtx/Maps/Application_MsiInstaller_11708.map
diff --git a/evtx/Maps/Application_11724.map b/evtx/Maps/Application_MsiInstaller_11724.map
similarity index 100%
rename from evtx/Maps/Application_11724.map
rename to evtx/Maps/Application_MsiInstaller_11724.map
diff --git a/evtx/Maps/Application-Sophos-Alert_32.map b/evtx/Maps/Application_Sophos-Anti-Virus_32.map
similarity index 100%
rename from evtx/Maps/Application-Sophos-Alert_32.map
rename to evtx/Maps/Application_Sophos-Anti-Virus_32.map
diff --git a/evtx/Maps/Application-Sophos-Alert_42.map b/evtx/Maps/Application_Sophos-System-Protection_42.map
similarity index 100%
rename from evtx/Maps/Application-Sophos-Alert_42.map
rename to evtx/Maps/Application_Sophos-System-Protection_42.map
diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2048.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2048.map
similarity index 96%
rename from evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2048.map
rename to evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2048.map
index 10eb51ac..8a493911 100644
--- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2048.map
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2048.map @@ -1,37 +1,37 @@ -Author: Mike Brewer -Description: Cisco AnyConnect VPN encrypted connection type -EventId: 2048 -Channel: "Cisco AnyConnect Secure Mobility Client" -Provider: acvpnagent -Maps: - - - Property: PayloadData1 - PropertyValue: "%PayloadData1%" - Values: - - - Name: PayloadData1 - Value: "/Event/EventData/Data" - Refine: "(?<=, )[^,\\d]+(?=,)" - -# Valid properties include: -# -# PayloadData1 - -# - # - # - # 2048 - # 4 - # 0 - # 0x80000000000000 - # - # 32685 - # Cisco AnyConnect Secure Mobility Client - # My-Laptop123.domain.local - # - # - # - #A SSL connection has been established using cipher AES256-SHA256 - # - # - # +Author: Mike Brewer +Description: Cisco AnyConnect VPN encrypted connection type +EventId: 2048 +Channel: "Cisco AnyConnect Secure Mobility Client" +Provider: acvpnagent +Maps: + - + Property: PayloadData1 + PropertyValue: "%PayloadData1%" + Values: + - + Name: PayloadData1 + Value: "/Event/EventData/Data" + Refine: "(?<=, )[^,\\d]+(?=,)" + +# Valid properties include: +# +# PayloadData1 + +# + # + # + # 2048 + # 4 + # 0 + # 0x80000000000000 + # + # 32685 + # Cisco AnyConnect Secure Mobility Client + # My-Laptop123.domain.local + # + # + # + #A SSL connection has been established using cipher AES256-SHA256 + # + # + # diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2086.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2086.map similarity index 96% rename from evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2086.map rename to evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2086.map index d02f90e9..68dfd251 100644 --- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2086.map +++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2086.map 
@@ -1,37 +1,37 @@ -Author: Mike Brewer -Description: Cisco AnyConnect VPN reading host's IP -EventId: 2085 -Channel: "Cisco AnyConnect Secure Mobility Client" -Provider: acvpnagent -Maps: - - - Property: PayloadData1 - PropertyValue: "%PayloadData1%" - Values: - - - Name: PayloadData1 - Value: "/Event/EventData/Data" - Refine: "(?<=, )[^,\\d]+(?=,)" - -# Valid properties include: -# -# PayloadData1 - -# - # - # - # 2085 - # 4 - # 0 - # 0x80000000000000 - # - # 32628 - # Cisco AnyConnect Secure Mobility Client - # My-Laptop123.domain.local - # - # - # - #The client's public address is now set to 192.168.1.235 - # - # - # +Author: Mike Brewer +Description: Cisco AnyConnect VPN reading host's IP +EventId: 2085 +Channel: "Cisco AnyConnect Secure Mobility Client" +Provider: acvpnagent +Maps: + - + Property: PayloadData1 + PropertyValue: "%PayloadData1%" + Values: + - + Name: PayloadData1 + Value: "/Event/EventData/Data" + Refine: "(?<=, )[^,\\d]+(?=,)" + +# Valid properties include: +# +# PayloadData1 + +# + # + # + # 2085 + # 4 + # 0 + # 0x80000000000000 + # + # 32628 + # Cisco AnyConnect Secure Mobility Client + # My-Laptop123.domain.local + # + # + # + #The client's public address is now set to 192.168.1.235 + # + # + # diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2127.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2127.map similarity index 100% rename from evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2127.map rename to evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2127.map diff --git a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-5005.map b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpndownloader_5005.map similarity index 96% rename from evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-5005.map rename to evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpndownloader_5005.map index c0574892..86a2cbce 100644 --- a/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-5005.map 
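Review bot: The new side of this hunk still carries `EventId: 2085`, and the sample record below it also shows event 2085, while the file is renamed to `Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2086.map`, so the EventID element of the filename contradicts the map header under the `Channel-Name_Provider-Name_EventID.map` convention this commit introduces. The header and the sample agree with each other, so the rename target presumably should be `Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2085.map`; if the map is really meant for 2086, the header should become `EventId: 2086` and the sample record replaced with one for that event. Whichever is right, the filename is what a maintainer will search by, so a mismatch here will mislead anyone relying on it. A related naming inconsistency to check in the diffstat is `System_Microsoft-Windows-Eventllog_104.map`, whose provider element is spelled differently from `Security_Microsoft-Windows-Eventlog_1100.map`. The hunk also rewrites every line with identical content (similarity 96%), which looks like a line-ending change rather than an edit — worth confirming it is intentional, as the 2048 and 5005 hunks show the same pattern.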
+++ b/evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpndownloader_5005.map @@ -1,37 +1,37 @@ -Author: Mike Brewer -Description: Cisco AnyConnect VPN connecting to target gateway X -EventId: 5005 -Channel: "Cisco AnyConnect Secure Mobility Client" -Provider: acvpndownloader -Maps: - - - Property: PayloadData1 - PropertyValue: "%PayloadData1%" - Values: - - - Name: PayloadData1 - Value: "/Event/EventData/Data" - Refine: "(?<=, )[^,\\d]+(?=,)" - -# Valid properties include: -# -# PayloadData1 - -# - # - # - # 5005 - # 4 - # 0 - # 0x80000000000000 - # - # 32628 - # Cisco AnyConnect Secure Mobility Client - # My-Laptop123.domain.local - # - # - # - #Connecting to mdgegtwy1.acme.com. - # - # +Author: Mike Brewer +Description: Cisco AnyConnect VPN connecting to target gateway X +EventId: 5005 +Channel: "Cisco AnyConnect Secure Mobility Client" +Provider: acvpndownloader +Maps: + - + Property: PayloadData1 + PropertyValue: "%PayloadData1%" + Values: + - + Name: PayloadData1 + Value: "/Event/EventData/Data" + Refine: "(?<=, )[^,\\d]+(?=,)" + +# Valid properties include: +# +# PayloadData1 + +# + # + # + # 5005 + # 4 + # 0 + # 0x80000000000000 + # + # 32628 + # Cisco AnyConnect Secure Mobility Client + # My-Laptop123.domain.local + # + # + # + #Connecting to mdgegtwy1.acme.com. + # + # # \ No newline at end of file diff --git a/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map b/evtx/Maps/Microsoft-DriverFrameworks-UserMode-Operational_Microsoft-DriverFrameworks-UserMode_2100.map similarity index 100% rename from evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map rename to evtx/Maps/Microsoft-DriverFrameworks-UserMode-Operational_Microsoft-DriverFrameworks-UserMode_2100.map 
diff --git a/evtx/Maps/Microsoft-Windows-AppID_4004.map b/evtx/Maps/Microsoft-Windows-AppID-Operational_Microsoft-Windows-AppID_4004.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-AppID_4004.map
rename to evtx/Maps/Microsoft-Windows-AppID-Operational_Microsoft-Windows-AppID_4004.map
diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8002.map b/evtx/Maps/Microsoft-Windows-AppLocker-EXE-and-DLL_Microsoft-Windows-AppLocker_8002.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8002.map
rename to evtx/Maps/Microsoft-Windows-AppLocker-EXE-and-DLL_Microsoft-Windows-AppLocker_8002.map
diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8004.map b/evtx/Maps/Microsoft-Windows-AppLocker-EXE-and-DLL_Microsoft-Windows-AppLocker_8004.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8004.map
rename to evtx/Maps/Microsoft-Windows-AppLocker-EXE-and-DLL_Microsoft-Windows-AppLocker_8004.map
diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8005.map b/evtx/Maps/Microsoft-Windows-AppLocker-MSI-and-Script_Microsoft-Windows-AppLocker_8005.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8005.map
rename to evtx/Maps/Microsoft-Windows-AppLocker-MSI-and-Script_Microsoft-Windows-AppLocker_8005.map
diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8007.map b/evtx/Maps/Microsoft-Windows-AppLocker-MSI-and-Script_Microsoft-Windows-AppLocker_8007.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8007.map
rename to evtx/Maps/Microsoft-Windows-AppLocker-MSI-and-Script_Microsoft-Windows-AppLocker_8007.map
diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-PackagedApp-Exec_8020.map b/evtx/Maps/Microsoft-Windows-AppLocker-PackagedApp-Execution_Microsoft-Windows-AppLocker_8020.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-AppLocker-PackagedApp-Exec_8020.map
rename to evtx/Maps/Microsoft-Windows-AppLocker-PackagedApp-Execution_Microsoft-Windows-AppLocker_8020.map
diff --git a/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_500.map b/evtx/Maps/Microsoft-Windows-Application-Experience-Program-Telemetry_Microsoft-Windows-Application-Experience_500.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_500.map
rename to evtx/Maps/Microsoft-Windows-Application-Experience-Program-Telemetry_Microsoft-Windows-Application-Experience_500.map
diff --git a/evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_505.map b/evtx/Maps/Microsoft-Windows-Application-Experience-Program-Telemetry_Microsoft-Windows-Application-Experience_505.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_505.map
rename to evtx/Maps/Microsoft-Windows-Application-Experience-Program-Telemetry_Microsoft-Windows-Application-Experience_505.map
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client_Operational_59.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Bits-Client_Operational_59.map
rename to evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_59.map
diff --git a/evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_100.map b/evtx/Maps/Microsoft-Windows-Diagnostics-Performance-Operational_Microsoft-Windows-Diagnostics-Performance_100.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_100.map
rename to evtx/Maps/Microsoft-Windows-Diagnostics-Performance-Operational_Microsoft-Windows-Diagnostics-Performance_100.map
diff --git a/evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_200.map b/evtx/Maps/Microsoft-Windows-Diagnostics-Performance-Operational_Microsoft-Windows-Diagnostics-Performance_200.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_200.map
rename to evtx/Maps/Microsoft-Windows-Diagnostics-Performance-Operational_Microsoft-Windows-Diagnostics-Performance_200.map
diff --git a/evtx/Maps/Microsoft-Windows-Hyper-V-VMMS-Admin_13002.map b/evtx/Maps/Microsoft-Windows-Hyper-V-VMMS-Admin_Microsoft-Windows-Hyper-V-Worker_13002.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Hyper-V-VMMS-Admin_13002.map
rename to evtx/Maps/Microsoft-Windows-Hyper-V-VMMS-Admin_Microsoft-Windows-Hyper-V-Worker_13002.map
diff --git a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18500.map b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18500.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18500.map
rename to evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18500.map
diff --git a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18502.map b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18502.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18502.map
rename to evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18502.map
diff --git a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18508.map b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18508.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18508.map
rename to evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18508.map
diff --git a/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18514.map b/evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18514.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18514.map
rename to evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_Microsoft-Windows-Hyper-V-Worker_18514.map
diff --git a/evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10000.map b/evtx/Maps/Microsoft-Windows-NetworkProfile-Operational_Microsoft-Windows-NetworkProfile_10000.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10000.map
rename to evtx/Maps/Microsoft-Windows-NetworkProfile-Operational_Microsoft-Windows-NetworkProfile_10000.map
diff --git a/evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10001.map b/evtx/Maps/Microsoft-Windows-NetworkProfile-Operational_Microsoft-Windows-NetworkProfile_10001.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10001.map
rename to evtx/Maps/Microsoft-Windows-NetworkProfile-Operational_Microsoft-Windows-NetworkProfile_10001.map
diff --git a/evtx/Maps/Microsoft-Windows-Partition-Diagnostic_1006.map b/evtx/Maps/Microsoft-Windows-Partition-Diagnostic_Microsoft-Windows-Partition_1006.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Partition-Diagnostic_1006.map
rename to evtx/Maps/Microsoft-Windows-Partition-Diagnostic_Microsoft-Windows-Partition_1006.map
diff --git a/evtx/Maps/Microsoft-Windows-PowerShell_Operational_4104.map b/evtx/Maps/Microsoft-Windows-PowerShell-Operational_Microsoft-Windows-PowerShell_4104.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-PowerShell_Operational_4104.map
rename to evtx/Maps/Microsoft-Windows-PowerShell-Operational_Microsoft-Windows-PowerShell_4104.map
diff --git a/evtx/Maps/Microsoft-Windows-PrintService_Operational_307.map b/evtx/Maps/Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-PrintService_Operational_307.map
rename to evtx/Maps/Microsoft-Windows-PrintService-Operational_Microsoft-Windows-PrintService_307.map
diff --git a/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_131.map b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_131.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_131.map
rename to evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_131.map
diff --git a/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_140.map b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_140.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_140.map
rename to evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_140.map
diff --git a/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_98.map b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_98.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_Operational_98.map
rename to evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_98.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_28115.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_28115.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_28115.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_28115.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9701.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9701.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9701.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9701.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9702.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9702.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9702.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9702.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9703.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9703.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9703.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9703.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9704.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9704.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9704.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9704.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9705.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9705.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9705.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9705.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9706.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9706.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9706.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9706.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9707.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9707.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9707.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9707.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9708.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9708.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9708.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9708.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9709.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9709.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9709.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9709.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9710.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9710.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9710.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9710.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9711.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9711.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9711.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9711.map
diff --git a/evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9712.map b/evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9712.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Shell-Core_Operational_9712.map
rename to evtx/Maps/Microsoft-Windows-Shell-Core-Operational_Microsoft-Windows-Shell-Core_9712.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_1.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_1.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_1.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_1.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_10.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_10.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_10.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_10.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_11.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_11.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_11.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_11.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_12.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_12.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_12.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_12.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_13.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_13.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_13.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_13.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_14.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_14.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_14.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_14.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_15.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_15.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_15.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_15.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_16.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_16.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_16.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_16.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_17.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_17.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_17.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_17.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_18.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_18.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_18.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_18.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_19.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_19.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_19.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_19.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_2.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_2.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_2.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_2.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_20.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_20.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_20.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_20.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_21.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_21.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_21.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_21.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_22.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_22.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_22.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_22.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_23.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_23.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_23.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_23.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_3.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_3.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_3.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_4.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_4.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_4.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_4.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_5.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_5.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_5.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_5.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_6.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_6.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_6.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_6.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_7.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_7.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_7.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_7.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_8.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_8.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_8.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_8.map
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_9.map b/evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_9.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-SysMon_Operational_9.map
rename to evtx/Maps/Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_9.map
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map
rename to evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map
rename to evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_106.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map
rename to evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_106.map
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_119.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map
rename to evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_119.map
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_140.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_140.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_140.map
rename to evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_140.map
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_141.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map
rename to evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_141.map
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_200.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map
rename to evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_200.map
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map
rename to evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_21.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_21.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_21.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_21.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_22.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_22.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_22.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_22.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_23.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_23.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_23.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_23.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_24.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_24.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_24.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_24.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_25.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_25.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_25.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_25.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_39.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_39.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_39.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_39.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_40.map b/evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_40.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager_Operational_40.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-LocalSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_40.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1024.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1024.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1024.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1024.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1025.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1025.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1025.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1025.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1026.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1026.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1026.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1026.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1027.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1027.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1029.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1029.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1029.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1029.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1102.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1102.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1102.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1102.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1103.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1103.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient_Operational_1103.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1103.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_1149.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager-Operational_Microsoft-Windows-TerminalServices-RemoteConnectionManager_1149.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_1149.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager-Operational_Microsoft-Windows-TerminalServices-RemoteConnectionManager_1149.map
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_261.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager-Operational_Microsoft-Windows-TerminalServices-RemoteConnectionManager_261.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager_Operational_261.map
rename to evtx/Maps/Microsoft-Windows-TerminalServices-RemoteConnectionManager-Operational_Microsoft-Windows-TerminalServices-RemoteConnectionManager_261.map
diff --git a/evtx/Maps/Microsoft-Windows-VHDMP-Operational_2.map b/evtx/Maps/Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_2.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-VHDMP-Operational_2.map
rename to evtx/Maps/Microsoft-Windows-VHDMP-Operational_Microsoft-Windows-VHDMP_2.map
diff --git a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8000.map b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8000.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8000.map
rename to evtx/Maps/Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8000.map
diff --git a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8001.map b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8001.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8001.map
rename to evtx/Maps/Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8001.map
diff --git a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8002.map b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8002.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8002.map
rename to evtx/Maps/Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8002.map
diff --git a/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8003.map b/evtx/Maps/Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8003.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-WLAN-AutoConfig_Operational_8003.map
rename to evtx/Maps/Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8003.map
diff --git a/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5857.map b/evtx/Maps/Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5857.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5857.map
rename to evtx/Maps/Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5857.map
diff --git a/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5860.map b/evtx/Maps/Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5860.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5860.map
rename to evtx/Maps/Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5860.map
diff --git a/evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5861.map b/evtx/Maps/Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5861.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-WMI-Activity_Operational_5861.map
rename to evtx/Maps/Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5861.map
diff --git a/evtx/Maps/Microsoft-Windows-WinRM_169.map b/evtx/Maps/Microsoft-Windows-WinRM-Operational_Microsoft-Windows-WinRM_169.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-WinRM_169.map
rename to evtx/Maps/Microsoft-Windows-WinRM-Operational_Microsoft-Windows-WinRM_169.map
diff --git a/evtx/Maps/WindowsDefender_1000.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1000.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1000.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1000.map
diff --git a/evtx/Maps/WindowsDefender_1001.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1001.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1001.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1001.map
diff --git a/evtx/Maps/WindowsDefender_1002.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1002.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1002.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1002.map
diff --git a/evtx/Maps/WindowsDefender_1003.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1003.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1003.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1003.map
diff --git a/evtx/Maps/WindowsDefender_1004.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1004.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1004.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1004.map
diff --git a/evtx/Maps/WindowsDefender_1005.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1005.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1005.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1005.map
diff --git a/evtx/Maps/WindowsDefender_1006.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1006.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1006.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1006.map
diff --git a/evtx/Maps/WindowsDefender_1008.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1008.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1008.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1008.map
diff --git a/evtx/Maps/WindowsDefender_1011.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1011.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1011.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1011.map
diff --git a/evtx/Maps/WindowsDefender_1013.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1013.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1013.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1013.map
diff --git a/evtx/Maps/WindowsDefender_1116.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1116.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1116.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1116.map
diff --git a/evtx/Maps/WindowsDefender_1117.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1117.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1117.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1117.map
diff --git a/evtx/Maps/WindowsDefender_1150.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1150.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_1150.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1150.map
diff --git a/evtx/Maps/WindowsDefender_5000.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5000.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_5000.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5000.map
diff --git a/evtx/Maps/WindowsDefender_5001.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5001.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_5001.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5001.map
diff --git a/evtx/Maps/WindowsDefender_5007.map b/evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5007.map
similarity index 100%
rename from evtx/Maps/WindowsDefender_5007.map
rename to evtx/Maps/Microsoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5007.map
diff --git a/evtx/Maps/Microsoft-Windows-Windows_Firewall_With_Advanced_Security_2004.map b/evtx/Maps/Microsoft-Windows-Windows-Firewall-With-Advanced-Security-Firewall_Microsoft-Windows-Windows-Firewall-With-Advanced-Security_2004.map
similarity index 100%
rename from evtx/Maps/Microsoft-Windows-Windows_Firewall_With_Advanced_Security_2004.map
rename to evtx/Maps/Microsoft-Windows-Windows-Firewall-With-Advanced-Security-Firewall_Microsoft-Windows-Windows-Firewall-With-Advanced-Security_2004.map
diff --git a/evtx/Maps/OAlerts_300.map b/evtx/Maps/OAlerts_Microsoft-Office-16-Alerts_300.map
similarity index 100%
rename from evtx/Maps/OAlerts_300.map
rename to evtx/Maps/OAlerts_Microsoft-Office-16-Alerts_300.map
diff --git a/evtx/Maps/OpenSSH_4.map b/evtx/Maps/OpenSSH-Operational_OpenSSH_4.map
similarity index 100%
rename from evtx/Maps/OpenSSH_4.map
rename to evtx/Maps/OpenSSH-Operational_OpenSSH_4.map
diff --git a/evtx/Maps/Security_1100.map b/evtx/Maps/Security_Microsoft-Windows-Eventlog_1100.map
similarity index 100%
rename from evtx/Maps/Security_1100.map
rename to evtx/Maps/Security_Microsoft-Windows-Eventlog_1100.map
diff --git a/evtx/Maps/Security_1102.map b/evtx/Maps/Security_Microsoft-Windows-Eventlog_1102.map
similarity index 100%
rename from evtx/Maps/Security_1102.map
rename to evtx/Maps/Security_Microsoft-Windows-Eventlog_1102.map
diff --git a/evtx/Maps/Security_4608.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4608.map
similarity index 100%
rename from evtx/Maps/Security_4608.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4608.map
diff --git a/evtx/Maps/Security_4616.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4616.map
similarity index 100%
rename from evtx/Maps/Security_4616.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4616.map
diff --git a/evtx/Maps/Security_4624.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4624.map
similarity index 100%
rename from evtx/Maps/Security_4624.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4624.map
diff --git a/evtx/Maps/Security_4625.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4625.map
similarity index 100%
rename from evtx/Maps/Security_4625.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4625.map
diff --git a/evtx/Maps/Security_4634.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4634.map
similarity index 100%
rename from evtx/Maps/Security_4634.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4634.map
diff --git a/evtx/Maps/Security_4647.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4647.map
similarity index 100%
rename from evtx/Maps/Security_4647.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4647.map
diff --git a/evtx/Maps/Security_4648.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4648.map
similarity index 100%
rename from evtx/Maps/Security_4648.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4648.map
diff --git a/evtx/Maps/Security_4657.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4657.map
similarity index 100%
rename from evtx/Maps/Security_4657.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4657.map
diff --git a/evtx/Maps/Security_4661.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4661.map
similarity index 100%
rename from evtx/Maps/Security_4661.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4661.map
diff --git a/evtx/Maps/Security_4662.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4662.map
similarity index 100%
rename from evtx/Maps/Security_4662.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4662.map
diff --git a/evtx/Maps/Security_4663.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4663.map
similarity index 100%
rename from evtx/Maps/Security_4663.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4663.map
diff --git a/evtx/Maps/Security_4672.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4672.map
similarity index 100%
rename from evtx/Maps/Security_4672.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4672.map
diff --git a/evtx/Maps/Security_4688.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4688.map
similarity index 100%
rename from evtx/Maps/Security_4688.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4688.map
diff --git a/evtx/Maps/Security_4697.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4697.map
similarity index 100%
rename from evtx/Maps/Security_4697.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4697.map
diff --git a/evtx/Maps/Security_4698.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4698.map
similarity index 100%
rename from evtx/Maps/Security_4698.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4698.map
diff --git a/evtx/Maps/Security_4699.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4699.map
similarity index 100%
rename from evtx/Maps/Security_4699.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4699.map
diff --git a/evtx/Maps/Security_4700.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4700.map
similarity index 100%
rename from evtx/Maps/Security_4700.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4700.map
diff --git a/evtx/Maps/Security_4701.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4701.map
similarity index 100%
rename from evtx/Maps/Security_4701.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4701.map
diff --git a/evtx/Maps/Security_4702.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4702.map
similarity index 100%
rename from evtx/Maps/Security_4702.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4702.map
diff --git a/evtx/Maps/Security_4719.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4719.map
similarity index 100%
rename from evtx/Maps/Security_4719.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4719.map
diff --git a/evtx/Maps/Security_4720.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4720.map
similarity index 100%
rename from evtx/Maps/Security_4720.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4720.map
diff --git a/evtx/Maps/Security_4722.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4722.map
similarity index 100%
rename from evtx/Maps/Security_4722.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4722.map
diff --git a/evtx/Maps/Security_4723.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4723.map
similarity index 100%
rename from evtx/Maps/Security_4723.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4723.map
diff --git a/evtx/Maps/Security_4724.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4724.map
similarity index 100%
rename from evtx/Maps/Security_4724.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4724.map
diff --git a/evtx/Maps/Security_4725.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4725.map
similarity index 100%
rename from evtx/Maps/Security_4725.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4725.map
diff --git a/evtx/Maps/Security_4726.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4726.map
similarity index 100%
rename from evtx/Maps/Security_4726.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4726.map
diff --git a/evtx/Maps/Security_4738.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4738.map
similarity index 100%
rename from evtx/Maps/Security_4738.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4738.map
diff --git a/evtx/Maps/Security_4740.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4740.map
similarity index 100%
rename from evtx/Maps/Security_4740.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4740.map
diff --git a/evtx/Maps/Security_4742.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4742.map
similarity index 100%
rename from evtx/Maps/Security_4742.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4742.map
diff --git a/evtx/Maps/Security_4768.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4768.map
similarity index 100%
rename from evtx/Maps/Security_4768.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4768.map
diff --git a/evtx/Maps/Security_4769.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4769.map
similarity index 100%
rename from evtx/Maps/Security_4769.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4769.map
diff --git a/evtx/Maps/Security_4776.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4776.map
similarity index 100%
rename from evtx/Maps/Security_4776.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4776.map
diff --git a/evtx/Maps/Security_4778.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4778.map
similarity index 100%
rename from evtx/Maps/Security_4778.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4778.map
diff --git a/evtx/Maps/Security_4779.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4779.map
similarity index 100%
rename from evtx/Maps/Security_4779.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4779.map
diff --git a/evtx/Maps/Security_4798.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4798.map
similarity index 100%
rename from evtx/Maps/Security_4798.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4798.map
diff --git a/evtx/Maps/Security_4799.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4799.map
similarity index 97%
rename from evtx/Maps/Security_4799.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4799.map
index 010eccb8..40abaf9b 100644
--- a/evtx/Maps/Security_4799.map
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4799.map
@@ -1,5 +1,5 @@
 Author: Andrew Rathbun
-Description: A security-enabled local group membership was enumerated
+Description: A security-enabled local group membership was enumerated
 EventId: 4799
 Channel: Security
 Provider: Microsoft-Windows-Security-Auditing
diff --git a/evtx/Maps/Security_4800.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4800.map
similarity index 100%
rename from evtx/Maps/Security_4800.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4800.map
diff --git a/evtx/Maps/Security_4801.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4801.map
similarity index 100%
rename from evtx/Maps/Security_4801.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4801.map
diff --git a/evtx/Maps/Security_4802.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4802.map
similarity index 100%
rename from evtx/Maps/Security_4802.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4802.map
diff --git a/evtx/Maps/Security_4803.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4803.map
similarity index 100%
rename from evtx/Maps/Security_4803.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4803.map
diff --git a/evtx/Maps/Security_5136.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5136.map
similarity index 100%
rename from evtx/Maps/Security_5136.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5136.map
diff --git a/evtx/Maps/Security_5140.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5140.map
similarity index 100%
rename from evtx/Maps/Security_5140.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5140.map
diff --git a/evtx/Maps/Security_5142.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5142.map
similarity index 100%
rename from evtx/Maps/Security_5142.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5142.map
diff --git a/evtx/Maps/Security_5144.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5144.map
similarity index 100%
rename from evtx/Maps/Security_5144.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5144.map
diff --git a/evtx/Maps/Security_5145.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5145.map
similarity index 100%
rename from evtx/Maps/Security_5145.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5145.map
diff --git a/evtx/Maps/Security_5156.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5156.map
similarity index 100%
rename from evtx/Maps/Security_5156.map
rename to evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5156.map
diff --git a/evtx/Maps/Symantec-Endpoint-Protection-Client_51.map b/evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_51.map
similarity index 100%
rename from evtx/Maps/Symantec-Endpoint-Protection-Client_51.map
rename to evtx/Maps/Symantec-Endpoint-Protection-Client_Symantec-Endpoint-Protection-Client_51.map
diff --git a/evtx/Maps/System_6005.map b/evtx/Maps/System_EventLog_6005.map
similarity index 100%
rename from evtx/Maps/System_6005.map
rename to evtx/Maps/System_EventLog_6005.map
diff --git a/evtx/Maps/System_6006.map b/evtx/Maps/System_EventLog_6006.map
similarity index 100%
rename from evtx/Maps/System_6006.map
rename to evtx/Maps/System_EventLog_6006.map
diff --git a/evtx/Maps/System_6008.map b/evtx/Maps/System_EventLog_6008.map
similarity index 100%
rename from evtx/Maps/System_6008.map
rename to evtx/Maps/System_EventLog_6008.map
diff --git a/evtx/Maps/System_6013.map b/evtx/Maps/System_EventLog_6013.map
similarity index 100%
rename from evtx/Maps/System_6013.map
rename to evtx/Maps/System_EventLog_6013.map
diff --git a/evtx/Maps/System-Audit-CVE_2.map b/evtx/Maps/System_Microsoft-Windows-Audit-CVE_2.map
similarity index 100%
rename from evtx/Maps/System-Audit-CVE_2.map
rename to evtx/Maps/System_Microsoft-Windows-Audit-CVE_2.map
diff --git a/evtx/Maps/System_10000.map b/evtx/Maps/System_Microsoft-Windows-DriverFrameworks-UserMode_10000.map
similarity index 96%
rename from evtx/Maps/System_10000.map
rename to evtx/Maps/System_Microsoft-Windows-DriverFrameworks-UserMode_10000.map
index 74d68681..cabf8d31 100644
--- a/evtx/Maps/System_10000.map
+++ b/evtx/Maps/System_Microsoft-Windows-DriverFrameworks-UserMode_10000.map
@@ -3,7 +3,6 @@ Description: Device driver was installed. (Device was connected.) EventId: 10000 Channel: "System" Provider: "Microsoft-Windows-DriverFrameworks-UserMode" -Provider: Microsoft-Windows-DriverFrameworks-UserMode Maps: - Property: PayloadData1
diff --git a/evtx/Maps/System_104.map b/evtx/Maps/System_Microsoft-Windows-Eventllog_104.map
similarity index 100%
rename from evtx/Maps/System_104.map
rename to evtx/Maps/System_Microsoft-Windows-Eventllog_104.map
diff --git a/evtx/Maps/System_12.map b/evtx/Maps/System_Microsoft-Windows-Kernel-General_12.map
similarity index 100%
rename from evtx/Maps/System_12.map
rename to evtx/Maps/System_Microsoft-Windows-Kernel-General_12.map
diff --git a/evtx/Maps/System_13.map b/evtx/Maps/System_Microsoft-Windows-Kernel-General_13.map
similarity index 100%
rename from evtx/Maps/System_13.map
rename to evtx/Maps/System_Microsoft-Windows-Kernel-General_13.map
diff --git a/evtx/Maps/System_42.map b/evtx/Maps/System_Microsoft-Windows-Kernel-Power_42.map
similarity index 100%
rename from evtx/Maps/System_42.map
rename to evtx/Maps/System_Microsoft-Windows-Kernel-Power_42.map
diff --git a/evtx/Maps/System_1.map b/evtx/Maps/System_Microsoft-Windows-Power-Troubleshooter_1.map
similarity index 100%
rename from evtx/Maps/System_1.map
rename to evtx/Maps/System_Microsoft-Windows-Power-Troubleshooter_1.map
diff --git a/evtx/Maps/System_7034.map b/evtx/Maps/System_Service-Control-Manager_7034.map
similarity index 100%
rename from evtx/Maps/System_7034.map
rename to evtx/Maps/System_Service-Control-Manager_7034.map
diff --git a/evtx/Maps/System_7035.map b/evtx/Maps/System_Service-Control-Manager_7035.map
similarity index 100%
rename from evtx/Maps/System_7035.map
rename to evtx/Maps/System_Service-Control-Manager_7035.map
diff --git a/evtx/Maps/System_7036.map b/evtx/Maps/System_Service-Control-Manager_7036.map
similarity index 100%
rename from evtx/Maps/System_7036.map
rename to evtx/Maps/System_Service-Control-Manager_7036.map
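Review bot: The surviving `Channel: "System"` and `Provider: "Microsoft-Windows-DriverFrameworks-UserMode"` lines in this hunk are double-quoted, while the Security_4799 map touched in the same patch writes the same keys bare (`Channel: Security`, `Provider: Microsoft-Windows-Security-Auditing`); for a commit whose purpose is standardising the map set, the two lines would read consistently as `Channel: System` and `Provider: Microsoft-Windows-DriverFrameworks-UserMode`. Dropping the duplicate `Provider:` key is the right fix — a repeated YAML mapping key is either rejected outright or silently resolved to one of the two values depending on the loader, so which provider string this map actually matched on was loader-dependent before this change. Now that the file name itself encodes the provider, a divergence between the name and the `Provider:` value would go unnoticed; a small check that `Channel:`, `Provider:` and `EventId:` agree with the file name would presumably catch that, though I am inferring the naming rule from the commit subject rather than from a visible spec. The remainder of the `Maps:` section continues outside the hunk.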
diff --git a/evtx/Maps/System_7045.map b/evtx/Maps/System_Service-Control-Manager_7045.map
similarity index 100%
rename from evtx/Maps/System_7045.map
rename to evtx/Maps/System_Service-Control-Manager_7045.map
diff --git a/evtx/Maps/Windows_Powershell_400.map b/evtx/Maps/Windows-PowerShell_PowerShell_400.map
similarity index 100%
rename from evtx/Maps/Windows_Powershell_400.map
rename to evtx/Maps/Windows-PowerShell_PowerShell_400.map
diff --git a/evtx/Maps/Windows_Powershell_403.map b/evtx/Maps/Windows-PowerShell_PowerShell_403.map
similarity index 100%
rename from evtx/Maps/Windows_Powershell_403.map
rename to evtx/Maps/Windows-PowerShell_PowerShell_403.map
diff --git a/evtx/Maps/Windows_Powershell_600.map b/evtx/Maps/Windows-PowerShell_PowerShell_600.map
similarity index 100%
rename from evtx/Maps/Windows_Powershell_600.map
rename to evtx/Maps/Windows-PowerShell_PowerShell_600.map