From ec9a540c158f353fd41b33318bc95f858315bc7c Mon Sep 17 00:00:00 2001
From: Gabriele Zambelli <8271353+forensenellanebbia@users.noreply.github.com>
Date: Wed, 13 Jul 2022 11:15:03 +0200
Subject: [PATCH] Update Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map
---
 ...oft-Windows-TerminalServices-ClientActiveXCore_1027.map | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map
index 61b12add..9c8e948e 100644
--- a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map
+++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1027.map
@@ -11,6 +11,13 @@ Maps:
 -
 Name: DomainName
 Value: "/Event/EventData/Data[@Name=\"DomainName\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "Session ID: %SessionId%"
+ Values:
+ -
+ Name: SessionId
+ Value: "/Event/EventData/Data[@Name=\"SessionId\"]"
 -
 Property: PayloadData6
 PropertyValue: "ActivityID: %ActivityID%"
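Review bot: The new PayloadData2 entry carries no comment saying which host's session the value belongs to, so an analyst reading "Session ID: 3" in client-side RDP output cannot tell whether it can be matched against session IDs logged on the destination. I would add a line above the entry such as `# SessionId as recorded by the RDP client in event 1027; confirm against a sample record which host's session it identifies`. It is also worth checking against a real 1027 record that the attribute is spelled exactly `SessionId`, because the XPath attribute comparison is case-sensitive and a mismatch would presumably leave the field empty rather than raise an error. The Maps list begins before this hunk and continues after it, so the neighbouring entries could not be checked for the same gap.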