Merge pull request #49 from rathbuna/master

Standardize Providers in all maps

evtx/Maps/Application-HitmanPro-Alert_911.map

@@ -2,6 +2,7 @@ Author: Mike Stewart mstew1968@gmail.com
 Description: HitmanPro ALERT Identified
 EventId: 911
 Channel: Application
+Provider: HitmanPro.Alert
 Maps: 
   - 
     Property: PayloadData1

evtx/Maps/Application-Sophos-Alert_32.map

@@ -2,6 +2,7 @@ Author: Mike Stewart mstew1968@gmail.com
 Description: Sophos Alert Identified
 EventId: 32
 Channel: Application
+Provider: "Sophos Anti-Virus"
 Maps: 
   - 
     Property: PayloadData1

evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2048.map

@@ -1,8 +1,8 @@
-
 Author: Mike Brewer 
 Description: Cisco AnyConnect VPN encrypted connection type
 EventId: 2048
 Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
 Maps: 
   - 
     Property: PayloadData1

evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2086.map

@@ -2,6 +2,7 @@ Author: Mike Brewer
 Description: Cisco AnyConnect VPN reading host's IP 
 EventId: 2085
 Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
 Maps: 
   - 
     Property: PayloadData1

evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2127.map

@@ -2,6 +2,7 @@ Author: Mike Brewer
 Description: Cisco AnyConnect VPN IP assigned
 EventId: 2127
 Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
 Maps: 
   - 
     Property: PayloadData1

evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-5005.map

@@ -2,6 +2,7 @@ Author: Mike Brewer
 Description: Cisco AnyConnect VPN connecting to target gateway X
 EventId: 5005
 Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpndownloader
 Maps: 
   - 
     Property: PayloadData1

evtx/Maps/Microsoft-Windows-AppID_4004.map

@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: Code Signature Verification
 EventId: 4004
 Channel: "Microsoft-Windows-AppID/Operational"
+Provider: Microsoft-Windows-AppID
 Maps: 
   - 
     Property: ExecutableInfo

evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8002.map

@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: An executable was allowed to run
 EventId: 8002
 Channel: Microsoft-Windows-AppLocker/EXE and DLL
+Provider: Microsoft-Windows-AppLocker
 Maps: 
   - 
     Property: ExecutableInfo

evtx/Maps/Microsoft-Windows-AppLocker-EXE_and_DLL_8004.map

@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: An executable was prevented from running.
 EventId: 8004
 Channel: Microsoft-Windows-AppLocker/EXE and DLL
+Provider: Microsoft-Windows-AppLocker
 Maps: 
   - 
     Property: ExecutableInfo

evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8005.map

@@ -2,6 +2,7 @@ Author: Phill Moore\Troy Larson
 Description: A script or MSI was allowed to run.
 EventId: 8005
 Channel: Microsoft-Windows-AppLocker/MSI and Script
+Provider: Microsoft-Windows-AppLocker
 Maps: 
   - 
     Property: ExecutableInfo

evtx/Maps/Microsoft-Windows-AppLocker-MSI_and_Script_8007.map

@@ -2,6 +2,7 @@ Author: Troy Larson
 Description: A script or MSI was prevented from running.
 EventId: 8007
 Channel: Microsoft-Windows-AppLocker/MSI and Script
+Provider: Microsoft-Windows-AppLocker
 Maps: 
   - 
     Property: ExecutableInfo

evtx/Maps/Microsoft-Windows-AppLocker-PackagedApp-Exec_8020.map

@@ -1,7 +1,8 @@
 Author: Troy Larson
 Description: A packaged app was allowed to run.
 EventId: 8020
-Channel: Microsoft-Windows-AppLocker/Packaged app-Execution
+Channel: "Microsoft-Windows-AppLocker/Packaged app-Execution"
+Provider: Microsoft-Windows-AppLocker
 Maps: 
   - 
     Property: ExecutableInfo

evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_500.map

@@ -2,6 +2,7 @@ Author: Mike Pilkington
 Description: Application Experience Program Telemetry
 EventId: 500
 Channel: "Microsoft-Windows-Application-Experience/Program-Telemetry"
+Provider: Microsoft-Windows-Application-Experience
 Maps:
   - 
     Property: ExecutableInfo
@@ -30,15 +31,33 @@ Maps:
 # RemoteHost
 # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
 # PayloadData1 through PayloadData6
-
+#
 # Example payload data
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Application-Experience" Guid="eef99e71-0661-422d-9a98-82fd4940b820" />
+#    <EventID>500</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x1000000000090000</Keywords>
+#    <TimeCreated SystemTime="2018-06-25 01:16:27.4365335" />
+#    <EventRecordID>5108</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="13764" ThreadID="48912" />
+#    <Channel>Microsoft-Windows-Application-Experience/Program-Telemetry</Channel>
+#    <Computer>HOSTNAME.domain.com</Computer>
+#    <Security UserID="S-1-5-20" />
+#  </System>
 #  <UserData>
 #    <CompatibilityFixEvent>
-#      <ProcessId>3724</ProcessId>
-#      <StartTime>2019-03-19 20:48:33.4095392</StartTime>
-#      <FixID>8a23a24a-9a8d-44b6-a6d4-556c53a289b5</FixID>
-#      <Flags>0x10205</Flags>
-#      <ExePath>C:\Windows\System32\osk.exe</ExePath>
-#      <FixName>CorrectFilePaths</FixName>
+#      <ProcessId>13764</ProcessId>
+#      <StartTime>2018-06-25 01:16:27.4365335</StartTime>
+#      <FixID>1c2d23t3-dcd2-41e3-bd0b-25f05028c655</FixID>
+#      <Flags>0x40679</Flags>
+#      <ExePath>C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-btba83b0.exe</ExePath>
+#      <FixName>RunAsInvoker</FixName>
 #    </CompatibilityFixEvent>
-#  </UserData>
+#  </UserData>
+#</Event>

evtx/Maps/Microsoft-Windows-Application-Experience_Program-Telemetry_505.map

@@ -2,6 +2,7 @@ Author: Mike Pilkington
 Description: Application Experience Program Telemetry
 EventId: 505
 Channel: "Microsoft-Windows-Application-Experience/Program-Telemetry"
+Provider: Microsoft-Windows-Application-Experience
 Maps:
   - 
     Property: ExecutableInfo
@@ -32,13 +33,31 @@ Maps:
 # PayloadData1 through PayloadData6
 
 # Example payload data
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Application-Experience" Guid="eef578991-0661-422d-9a98-82fd4940b820" />
+#    <EventID>505</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x800000000009000</Keywords>
+#    <TimeCreated SystemTime="2020-06-04 04:17:46.8612022" />
+#    <EventRecordID>1026</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="679" ThreadID="844" />
+#    <Channel>Microsoft-Windows-Application-Experience/Program-Telemetry</Channel>
+#    <Computer>HOSTNAME.domain.com</Computer>
+#    <Security UserID="S-1-5-18" />
+#  </System>
 #  <UserData>
 #    <CompatibilityFixEvent>
-#      <ProcessId>3724</ProcessId>
-#      <StartTime>2019-03-19 20:48:33.4095392</StartTime>
-#      <FixID>8a23a24a-9a8d-44b6-a6d4-556c53a289b5</FixID>
-#      <Flags>0x10205</Flags>
-#      <ExePath>C:\Windows\System32\osk.exe</ExePath>
-#      <FixName>CorrectFilePaths</FixName>
+#      <ProcessId>679</ProcessId>
+#      <StartTime>2020-06-04 04:17:46.6533916</StartTime>
+#      <FixID>f62f1235-e0e3-43b9-8e00-3e2fdff449ab</FixID>
+#      <Flags>0x80013101</Flags>
+#      <ExePath>C:\Program Files\Microsoft Security Client\MsMpEng.exe</ExePath>
+#      <FixName>Microsoft Forefront Endpoint Protection 2010</FixName>
 #    </CompatibilityFixEvent>
-#  </UserData>
+#  </UserData>
+#</Event>

evtx/Maps/Microsoft-Windows-Bits-Client_Operational_59.map

@@ -2,14 +2,8 @@ Author: Mark Hallman mark.hallman@gmail.com
 Description: Potential artifacts for Bitsadminexec
 EventId: 59
 Channel: Microsoft-Windows-Bits-Client/Operational
+Provider: Microsoft-Windows-Bits-Client
 Maps:
-#   -  
-#     Property: PayloadData1
-#     PropertyValue: desc "%desc%"
-#     Values: 
-#       - 
-#         Name: desc
-#         Value: "/Event/EventData/Data[@Name=\"name\"]"
    -
     Property: PayloadData2
     PropertyValue: url "%url%"
@@ -32,16 +26,40 @@ Maps:
         Name: fileLength
         Value: "/Event/EventData/Data[@Name=\"fileLength\"]" 
 
-#       <EventData>
-#       <Data Name="transferId">{2515f08c-3969-4086-b4ec-6e8eca6b722e}</Data>
-#       <Data Name="name">backdoor</Data>
-#       <Data Name="Id">{b35c4a1d-4425-45be-92d1-b67183ae222f}</Data>
-#       <Data Name="url">C:\Windows\system32\cmd.exe</Data>
-#       <Data Name="peer">
-#       </Data>
-#       <Data Name="fileTime">2010-11-20T12:17:00.401000000Z</Data>
-#       <Data Name="fileLength">302592</Data>
-#       <Data Name="bytesTotal">302592</Data>
-#       <Data Name="bytesTransferred">0</Data>
-#       <Data Name="bytesTransferredFromPeer">0</Data>
-#     </EventData>
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Bits-Client" Guid="ef6y679b-46c1-414e-bb95-e76b077bd51e" />
+#    <EventID>59</EventID>
+#    <Version>1</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>1</Opcode>
+#    <Keywords>0x4000900000000000</Keywords>
+#    <TimeCreated SystemTime="2019-02-17 11:23:12.2815793" />
+#    <EventRecordID>16907</EventRecordID>
+#    <Correlation ActivityID="f56796f9-02a6-4bdf-9967-f21c8f1d4b54" />
+#    <Execution ProcessID="679" ThreadID="2580" />
+#    <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
+#    <Computer>HOSTNAME.domain.com</Computer>
+#    <Security UserID="S-1-5-18" />
+#  </System>
+#  <EventData>
+#    <Data Name="transferId">f5e116f9-02a6-4bdf-9967-f21c8f1d4b54</Data>
+#    <Data Name="name">name</Data>
+#    <Data Name="Id">c29ef679-6c03-4644-992d-b7fe884e117b</Data>
+#    <Data Name="url">URL</Data>
+#    <Data Name="peer"></Data>
+#    <Data Name="fileTime">2001-01-01 00:00:00.0000000</Data>
+#    <Data Name="fileLength">679</Data>
+#    <Data Name="bytesTotal">679</Data>
+#    <Data Name="bytesTransferred">0</Data>
+#    <Data Name="bytesTransferredFromPeer">0</Data>
+#  </EventData>
+#</Event>

evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_100.map

@@ -2,6 +2,7 @@ Author: Hyun Yi @hyuunnn
 Description: Windows System was started.
 EventId: 100
 Channel: "Microsoft-Windows-Diagnostics-Performance/Operational"
+Provider: Microsoft-Windows-Diagnostics-Performance
 Maps:
   -
     Property: PayloadData1

evtx/Maps/Microsoft-Windows-Diagnostics-Performance_Operational_200.map

@@ -2,6 +2,7 @@ Author: Hyun Yi @hyuunnn
 Description: Windows System was shutdown.
 EventId: 200
 Channel: "Microsoft-Windows-Diagnostics-Performance/Operational"
+Provider: Microsoft-Windows-Diagnostics-Performance
 Maps:
   -
     Property: PayloadData1

evtx/Maps/Microsoft-Windows-Hyper-V-VMMS-Admin_13002.map

@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: A new Hyper-V VM was created
 EventId: 13002
 Channel: "Microsoft-Windows-Hyper-V-VMMS-Admin"
+Provider: Microsoft-Windows-Hyper-V-Worker
 Maps:
   - 
     Property: PayloadData1

evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18500.map

@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: Hyper-V VM started successfully
 EventId: 18500
 Channel: "Microsoft-Windows-Hyper-V-Worker-Admin"
+Provider: Microsoft-Windows-Hyper-V-Worker
 Maps:
   - 
     Property: PayloadData1

evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18502.map

@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: Hyper-V VM shutdown
 EventId: 18502
 Channel: "Microsoft-Windows-Hyper-V-Worker-Admin"
+Provider: Microsoft-Windows-Hyper-V-Worker
 Maps:
   - 
     Property: PayloadData1

evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18508.map

@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: Hyper-V VM started successfully
 EventId: 18508
 Channel: "Microsoft-Windows-Hyper-V-Worker-Admin"
+Provider: Microsoft-Windows-Hyper-V-Worker
 Maps:
   - 
     Property: PayloadData1

evtx/Maps/Microsoft-Windows-Hyper-V-Worker-Admin_18514.map

@@ -2,6 +2,7 @@ Author: Phill Moore
 Description: Hyper-V VM reset by guest OS
 EventId: 18514
 Channel: "Microsoft-Windows-Hyper-V-Worker-Admin"
+Provider: Microsoft-Windows-Hyper-V-Worker
 Maps:
   - 
     Property: PayloadData1
@@ -19,3 +20,28 @@ Maps:
 # RemoteHost
 # ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
 # PayloadData1 through PayloadData6
+#
+#<Event>
+#  <System>
+#    <Provider Name="Microsoft-Windows-Hyper-V-Worker" Guid="51hhfa29-d5c8-4803-be4b-2ecb715570fe" />
+#    <EventID>18514</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x8000009000000000</Keywords>
+#    <TimeCreated SystemTime="2017-06-29 16:11:21.4060164" />
+#    <EventRecordID>11</EventRecordID>
+#    <Correlation ActivityID="26u7845f-f0e5-0002-36d2-1426e5hu67201" />
+#    <Execution ProcessID="3679" ThreadID="4160" />
+#    <Channel>Microsoft-Windows-Hyper-V-Worker-Admin</Channel>
+#    <Computer>hostname.local</Computer>
+#    <Security UserID="S-1-5-83-1-13653876587404322-7657865864-353797533-86545485" />
+#  </System>
+#  <UserData>
+#    <VmlEventLog>
+#      <VmName>VMName</VmName>
+#      <VmId>5160E402-6A79-4E1B-9A91-16151255B886</VmId>
+#    </VmlEventLog>
+#  </UserData>
+#</Event>

evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10000.map

@@ -2,6 +2,7 @@ Author: Mike Brewer michealb40@gmail.com
 Description: Connect to the Internet
 EventId: 10000
 Channel: "Microsoft-Windows-NetworkProfile/Operational"
+Provider: Microsoft-Windows-NetworkProfile
 Maps: 
   - 
     Property: PayloadData1

evtx/Maps/Microsoft-Windows-NetworkProfile_Operational_10001.map

@@ -2,6 +2,7 @@ Author: Mike Brewer michealb40@gmail.com
 Description: Disconnect from the Internet
 EventId: 10001
 Channel: "Microsoft-Windows-NetworkProfile/Operational"
+Provider: Microsoft-Windows-NetworkProfile
 Maps: 
   - 
     Property: PayloadData1

evtx/Maps/Microsoft-Windows-Partition-Diagnostic_1006.map

@@ -1,7 +1,8 @@
 Author: Mark Hallman mark.hallman@gmail.com, Hyun Yi @hyuunnn, Andrew Rathbun
-Description: USB Insertion/Removal - EventId 1006
+Description: USB Insertion/Removal
 EventId: 1006
 Channel: "Microsoft-Windows-Partition/Diagnostic"
+Provider: Microsoft-Windows-Partition
 Maps:
   -
     Property: PayloadData1

evtx/Maps/Microsoft-Windows-PowerShell_Operational_4104.map

@@ -2,6 +2,7 @@ Author: Mark Hallman mark.hallman@gmail.com
 Description: Contains contents of scripts run
 EventId: 4104
 Channel: "Microsoft-Windows-PowerShell/Operational"
+Provider: Microsoft-Windows-PowerShell
 Maps: 
   - 
     Property: PayloadData1

evtx/Maps/Microsoft-Windows-PrintService_Operational_307.map

@@ -2,6 +2,7 @@ Author: Barrie Hill barrie0482@gmail.com
 Description: Printing a document
 EventId: 307
 Channel: "Microsoft-Windows-PrintService/Operational"
+Provider: Microsoft-Windows-PrintService
 Maps: 
   - 
     Property: PayloadData1