EricZimmerman · AndrewRathbun · Apr 15, 2021 · Apr 15, 2021 · Apr 15, 2021 · Apr 15, 2021
diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map
@@ -10,7 +10,7 @@ Maps:
       Values:
          -
             Name: jobOwner
-            Value: "/Event/EventData/Data[@Name=\"jobOwner\"]"
+            Value: "/Event/EventData/Data[@Name=\"string2\"]"
    -
       Property: ExecutableInfo
       PropertyValue: "%processPath%"
@@ -24,7 +24,7 @@ Maps:
       Values:
          -
             Name: jobTitle
-            Value: "/Event/EventData/Data[@Name=\"jobTitle\"]"
+            Value: "/Event/EventData/Data[@Name=\"string\"]"
    -
       Property: PayloadData2
       PropertyValue: "jobId: %jobId%"

diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_4.map
@@ -34,7 +34,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"fileCount\"]"
   -
     Property: PayloadData4
-    PropertyValue: "Bytes jobOwner: %jobOwner%"
+    PropertyValue: "jobOwner: %jobOwner%"
     Values:
       -
         Name: jobOwner

diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_5.map
@@ -34,7 +34,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"fileCount\"]"
   -
     Property: PayloadData4
-    PropertyValue: "Bytes jobOwner: %jobOwner%"
+    PropertyValue: "jobOwner: %jobOwner%"
     Values:
       -
         Name: jobOwner

diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_60.map
@@ -4,51 +4,51 @@ EventId: 60
 Channel: Microsoft-Windows-Bits-Client/Operational
 Provider: Microsoft-Windows-Bits-Client
 Maps:
-   -
-      Property: PayloadData1
-      PropertyValue: "jobTitle: %jobTitle%"
-      Values:
-         -
-            Name: jobTitle
-            Value: "/Event/EventData/Data[@Name=\"name\"]"
-   -
-      Property: PayloadData2
-      PropertyValue: "jobId: %jobId%"
-      Values:
-         -
-            Name: jobId
-            Value: "/Event/EventData/Data[@Name=\"Id\"]"
-   -
-      Property: PayloadData3
-      PropertyValue: "URL: %url%"
-      Values:
-         -
-            Name: url
-            Value: "/Event/EventData/Data[@Name=\"url\"]"
-   -
-      Property: PayloadData4
-      PropertyValue: "Peer: %peer%"
-      Values:
-         -
-            Name: peer
-            Value: "/Event/EventData/Data[@Name=\"peer\"]"
-   -
-      Property: PayloadData5
-      PropertyValue: "Total Bytes: %bytesTotal% (Transferred: %bytesTransferred%)"
-      Values:
-         -
-            Name: bytesTotal
-            Value: "/Event/EventData/Data[@Name=\"bytesTotal\"]"
-         -
-            Name: bytesTransferred
-            Value: "/Event/EventData/Data[@Name=\"bytesTransferred\"]"
-   -
-      Property: PayloadData6
-      PropertyValue: "Bytes Transferred from Peer: %bytesTransferredFromPeer%"
-      Values:
-         -
-            Name: bytesTransferredFromPeer
-            Value: "/Event/EventData/Data[@Name=\"bytesTransferredFromPeer\"]"
+  -
+    Property: PayloadData1
+    PropertyValue: "jobTitle: %jobTitle%"
+    Values:
+      -
+        Name: jobTitle
+        Value: "/Event/EventData/Data[@Name=\"name\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "jobId: %jobId%"
+    Values:
+      -
+        Name: jobId
+        Value: "/Event/EventData/Data[@Name=\"Id\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "URL: %url%"
+    Values:
+      -
+        Name: url
+        Value: "/Event/EventData/Data[@Name=\"url\"]"
+  -
+    Property: PayloadData4
+    PropertyValue: "Peer: %peer%"
+    Values:
+      -
+        Name: peer
+        Value: "/Event/EventData/Data[@Name=\"peer\"]"
+  -
+    Property: PayloadData5
+    PropertyValue: "Total Bytes: %bytesTotal% (Transferred: %bytesTransferred%)"
+    Values:
+      -
+        Name: bytesTotal
+        Value: "/Event/EventData/Data[@Name=\"bytesTotal\"]"
+      -
+        Name: bytesTransferred
+        Value: "/Event/EventData/Data[@Name=\"bytesTransferred\"]"
+  -
+    Property: PayloadData6
+    PropertyValue: "Bytes Transferred from Peer: %bytesTransferredFromPeer%"
+    Values:
+      -
+        Name: bytesTransferredFromPeer
+        Value: "/Event/EventData/Data[@Name=\"bytesTransferredFromPeer\"]"
 
 # Documentation:
 # https://kb.eventtracker.com/evtpass/evtpages/EventId_60_Microsoft-Windows-Bits-Client_64110.asp

diff --git a/...ft-Windows-User-Profile-Service-Operational_Microsoft-Windows-User-Profiles-Service_2.map b/...ft-Windows-User-Profile-Service-Operational_Microsoft-Windows-User-Profiles-Service_2.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: An account was logged on.
+Description: An account was logged on
 EventId: 2
 Channel: "Microsoft-Windows-User Profile Service/Operational"
 Provider: "Microsoft-Windows-User Profiles Service"

diff --git a/...ft-Windows-User-Profile-Service-Operational_Microsoft-Windows-User-Profiles-Service_4.map b/...ft-Windows-User-Profile-Service-Operational_Microsoft-Windows-User-Profiles-Service_4.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: An account was logged off (User Profiles Service)
+Description: An account was logged off
 EventId: 4
 Channel: "Microsoft-Windows-User Profile Service/Operational"
 Provider: "Microsoft-Windows-User Profiles Service"