From e50ff05d8660ff7e5c95fd7dfe4217906e70dc3c Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+rathbuna@users.noreply.github.com>
Date: Sat, 19 Dec 2020 15:21:40 -0500
Subject: [PATCH] Update Microsoft-DriverFrameworks-UserMode_2100.map
---
 evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map b/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map
index 2ba70968..ccd39970 100644
--- a/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map
+++ b/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map
@@ -20,7 +20,11 @@ Maps:
 Value: "/Event/UserData/UMDFHostDeviceRequest/LifetimeId"
 # Valid properties include:
-
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+#
 #
 #
 #