diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map
index 61b12add..9c8e948e 100644
--- a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map
+++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map
@@ -11,6 +11,13 @@ Maps:
 -
 Name: DomainName
 Value: "/Event/EventData/Data[@Name=\"DomainName\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "Session ID: %SessionId%"
+ Values:
+ -
+ Name: SessionId
+ Value: "/Event/EventData/Data[@Name=\"SessionId\"]"
 -
 Property: PayloadData6
 PropertyValue: "ActivityID: %ActivityID%"
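Review bot: The new PayloadData2 entry labels its value only as "Session ID", and nothing in the hunk says which session that is. The file name places this map on the RDP client channel, so in a merged timeline the value is easy to mistake for the session IDs carried by server-side Terminal Services events. A short comment above the entry would settle it, for example `# SessionId comes from the RDP client log (outbound connection); do not equate it with server-side session IDs without checking`. It is also worth confirming that the sample event documented in the map, which is outside this hunk, contains a `SessionId` Data element so the XPath can be checked against it. The Maps list begins and ends outside the hunk.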