New maps, various fixes

evtx/Maps/Microsoft-Windows-Partition-Diagnostic_1006.map

@@ -1,4 +1,4 @@
-Author: Mark Hallman mark.hallman@gmail.com, Hyun Yi @hyuunnn
+Author: Mark Hallman mark.hallman@gmail.com, Hyun Yi @hyuunnn, Andrew Rathbun
 Description: USB Insertion/Removal - EventId 1006
 EventId: 1006
 Channel: "Microsoft-Windows-Partition/Diagnostic"
@@ -44,4 +44,6 @@ Maps:
     Values:
       -
         Name: ParentId
-        Value: "/Event/EventData/Data[@Name=\"ParentId\"]"
+        Value: "/Event/EventData/Data[@Name=\"ParentId\"]"
+
+# Frankly, there is too much data to fit within 6 PayloadData columns. As always, all data is in the Payload column but there isn't enough room to map out all the information cleanly. There is a great blog post with more information here: https://www.atropos4n6.com/windows/extract-vsns-that-reside-in-windows-partition4diagnostic-evtx/. 

evtx/Maps/Microsoft-Windows-SysMon_Operational_1.map

@@ -61,7 +61,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"ParentCommandLine\"]"
   - 
     Property: UserName
-    PropertyValue: "Account: %User%"
+"%User%"
     Values: 
       - 
         Name: User

evtx/Maps/Microsoft-Windows-SysMon_Operational_19.map

@@ -47,7 +47,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"EventNamespace\"]"   
   - 
     Property: UserName
-    PropertyValue: "Account: %User%"
+"%User%"
     Values: 
       - 
         Name: User

evtx/Maps/Microsoft-Windows-SysMon_Operational_20.map

@@ -55,7 +55,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"Destination\"]"   
   - 
     Property: UserName
-    PropertyValue: "Account: %User%"
+"%User%"
     Values: 
       - 
         Name: User

evtx/Maps/Microsoft-Windows-SysMon_Operational_21.map

@@ -41,7 +41,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"Filter\"]"   
   - 
     Property: UserName
-    PropertyValue: "Account: %User%"
+"%User%"
     Values: 
       - 
         Name: User

evtx/Maps/Microsoft-Windows-SysMon_Operational_23.map

@@ -58,7 +58,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"Archived\"]"
   - 
     Property: UserName
-    PropertyValue: "Account: %User%"
+    PropertyValue: "%User%"
     Values: 
       - 
         Name: User

evtx/Maps/Microsoft-Windows-SysMon_Operational_3.map

@@ -51,7 +51,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"DestinationIp\"]"  
   - 
     Property: UserName
-    PropertyValue: "Account: %User%"
+"%User%"
     Values: 
       - 
         Name: User

evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map

@@ -5,21 +5,21 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps: 
   - 
     Property: PayloadData1
-    PropertyValue: Task %TaskName%
+PropertyValue: "Task: %TaskName%"
     Values: 
       - 
         Name: TaskName
         Value: "/Event/EventData/Data[@Name=\"TaskName\"]"
   - 
     Property: PayloadData2
-    PropertyValue: Context %UserContext%
+    PropertyValue: Context: %UserContext%
     Values: 
       - 
         Name: UserContext
         Value: "/Event/EventData/Data[@Name=\"UserContext\"]"
   -
     Property: PayloadData3
-    PropertyValue: Instance Id %InstanceId%
+    PropertyValue: Instance Id: %InstanceId%
     Values: 
       - 
         Name: InstanceId

evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map

@@ -5,21 +5,21 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps: 
   - 
     Property: PayloadData1
-    PropertyValue: Task %TaskName%
+PropertyValue: "Task: %TaskName%"
     Values: 
       - 
         Name: TaskName
         Value: "/Event/EventData/Data[@Name=\"TaskName\"]"
   - 
     Property: PayloadData2
-    PropertyValue: Context %UserContext%
+    PropertyValue: Context: %UserContext%
     Values: 
       - 
         Name: UserContext
         Value: "/Event/EventData/Data[@Name=\"UserContext\"]"
   -
     Property: PayloadData3
-    PropertyValue: Instance Id %InstanceId%
+    PropertyValue: Instance Id: %InstanceId%
     Values: 
       - 
         Name: InstanceId

evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map

@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps: 
   - 
     Property: PayloadData1
-    PropertyValue: Task %TaskName%
+PropertyValue: "Task: %TaskName%"
     Values: 
       - 
         Name: TaskName

evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map

@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps: 
   - 
     Property: PayloadData1
-    PropertyValue: Task %TaskName%
+PropertyValue: "Task: %TaskName%"
     Values: 
       - 
         Name: TaskName
@@ -19,7 +19,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"UserName\"]"
   -
     Property: PayloadData3
-    PropertyValue: Instance Id %InstanceId%
+    PropertyValue: Instance Id: %InstanceId%
     Values: 
       - 
         Name: InstanceId

evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_140.map

@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps: 
   - 
     Property: PayloadData1
-    PropertyValue: Task %TaskName%
+    PropertyValue: "Task: %TaskName%"
     Values: 
       - 
         Name: TaskName

evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map

@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps: 
   - 
     Property: PayloadData1
-    PropertyValue: Task %TaskName%
+PropertyValue: "Task: %TaskName%"
     Values: 
       - 
         Name: TaskName

evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map

@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps: 
   - 
     Property: PayloadData1
-    PropertyValue: Task %TaskName%
+PropertyValue: "Task: %TaskName%"
     Values: 
       - 
         Name: TaskName
@@ -19,7 +19,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"ActionName\"]"
   -
     Property: PayloadData3
-    PropertyValue: Instance Id %TaskInstanceId%
+    PropertyValue: Instance Id: %TaskInstanceId%
     Values: 
       - 
         Name: TaskInstanceId

evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map

@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps: 
   - 
     Property: PayloadData1
-    PropertyValue: Task %TaskName%
+PropertyValue: "Task: %TaskName%"
     Values: 
       - 
         Name: TaskName
@@ -19,7 +19,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"ActionName\"]"
   -
     Property: PayloadData3
-    PropertyValue: Instance Id %TaskInstanceId%
+    PropertyValue: Instance Id: %TaskInstanceId%
     Values: 
       - 
         Name: TaskInstanceId

evtx/Maps/Security_1102.map

@@ -15,7 +15,7 @@ Maps:
         Value: "/Event/UserData/LogFileCleared/SubjectUserName"
   - 
     Property: PayloadData1
-    PropertyValue: SID (%SubjectUserSid%)
+PropertyValue: "SID: (%SubjectUserSid%)"
     Values: 
       - 
         Name: SubjectUserSid

evtx/Maps/Security_4624.map

@@ -35,7 +35,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
   - 
     Property: PayloadData2
-    PropertyValue: LogonType %LogonType%
+    PropertyValue: "LogonType %LogonType%"
     Values: 
       - 
         Name: LogonType

evtx/Maps/Security_4625.map

@@ -35,7 +35,7 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
   - 
     Property: PayloadData2
-    PropertyValue: LogonType %LogonType%
+    PropertyValue: "LogonType %LogonType%"
     Values: 
       - 
         Name: LogonType

evtx/Maps/Security_4722.map

@@ -0,0 +1,75 @@
+Author: Andrew Rathbun
+Description: A user account was enabled
+EventId: 4722
+Channel: Security
+Maps: 
+  - 
+    Property: UserName
+    PropertyValue: "%domain%\\%user% (%sid%)"
+    Values: 
+      - 
+        Name: domain
+        Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+      - 
+        Name: user
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+      - 
+        Name: sid
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+  - 
+    Property: PayloadData1
+    PropertyValue: "Target: %TargetDomainName%\\%TargetUserName% (%TargetSid%)"
+    Values: 
+      - 
+        Name: TargetUserName
+        Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+      - 
+        Name: TargetDomainName
+        Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
+      - 
+        Name: TargetSid
+        Value: "/Event/EventData/Data[@Name=\"TargetSid\"]"
+  - 
+    Property: PayloadData2
+    PropertyValue: "SubjectLogonId: %SubjectLogonId%"
+    Values: 
+      - 
+        Name: SubjectLogonId
+        Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#   <EventData>
+#     <Data Name="TargetUserName">defaultuser1</Data>
+#     <Data Name="TargetDomainName">MICROSO-F9QCQ4I</Data>
+#     <Data Name="TargetSid">S-1-5-21-3634127885-2815721165-4177678784-1004</Data>
+#     <Data Name="SubjectUserSid">S-1-5-18</Data>
+#     <Data Name="SubjectUserName">MICROSO-F9QCQ4I$</Data>
+#     <Data Name="SubjectDomainName">TEMP</Data>
+#     <Data Name="SubjectLogonId">0x3E7</Data>
+#     <Data Name="PrivilegeList">-</Data>
+#     <Data Name="SamAccountName">defaultuser1</Data>
+#     <Data Name="DisplayName">%%1793</Data>
+#     <Data Name="UserPrincipalName">-</Data>
+#     <Data Name="HomeDirectory">%%1793</Data>
+#     <Data Name="HomePath">%%1793</Data>
+#     <Data Name="ScriptPath">%%1793</Data>
+#     <Data Name="ProfilePath">%%1793</Data>
+#     <Data Name="UserWorkstations">%%1793</Data>
+#     <Data Name="PasswordLastSet">%%1794</Data>
+#     <Data Name="AccountExpires">%%1794</Data>
+#     <Data Name="PrimaryGroupId">513</Data>
+#     <Data Name="AllowedToDelegateTo">-</Data>
+#     <Data Name="OldUacValue">0x0</Data>
+#     <Data Name="NewUacValue">0x15</Data>
+#     <Data Name="UserAccountControl">%%2080%%2082%%2084</Data>
+#     <Data Name="UserParameters">%%1793</Data>
+#     <Data Name="SidHistory">-</Data>
+#     <Data Name="LogonHours">%%1797</Data>
+#   </EventData>

evtx/Maps/Security_4723.map

@@ -0,0 +1,75 @@
+Author: Andrew Rathbun
+Description: An attempt was made to change an account's password
+EventId: 4723
+Channel: Security
+Maps: 
+  - 
+    Property: UserName
+    PropertyValue: "%domain%\\%user% (%sid%)"
+    Values: 
+      - 
+        Name: domain
+        Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+      - 
+        Name: user
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+      - 
+        Name: sid
+        Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+  - 
+    Property: PayloadData1
+    PropertyValue: "Target: %TargetDomainName%\\%TargetUserName% (%TargetSid%)"
+    Values: 
+      - 
+        Name: TargetUserName
+        Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+      - 
+        Name: TargetDomainName
+        Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
+      - 
+        Name: TargetSid
+        Value: "/Event/EventData/Data[@Name=\"TargetSid\"]"
+  - 
+    Property: PayloadData2
+    PropertyValue: "SubjectLogonId: %SubjectLogonId%"
+    Values: 
+      - 
+        Name: SubjectLogonId
+        Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+
+
+# Valid properties include:
+# UserName
+# RemoteHost
+# ExecutableInfo --> used for things like process command line, scheduled task, info from service install, etc.
+# PayloadData1 through PayloadData6
+
+# Example payload data
+#   <EventData>
+#     <Data Name="TargetUserName">defaultuser1</Data>
+#     <Data Name="TargetDomainName">MICROSO-F9QCQ4I</Data>
+#     <Data Name="TargetSid">S-1-5-21-3634127885-2815721165-4177678784-1004</Data>
+#     <Data Name="SubjectUserSid">S-1-5-18</Data>
+#     <Data Name="SubjectUserName">MICROSO-F9QCQ4I$</Data>
+#     <Data Name="SubjectDomainName">TEMP</Data>
+#     <Data Name="SubjectLogonId">0x3E7</Data>
+#     <Data Name="PrivilegeList">-</Data>
+#     <Data Name="SamAccountName">defaultuser1</Data>
+#     <Data Name="DisplayName">%%1793</Data>
+#     <Data Name="UserPrincipalName">-</Data>
+#     <Data Name="HomeDirectory">%%1793</Data>
+#     <Data Name="HomePath">%%1793</Data>
+#     <Data Name="ScriptPath">%%1793</Data>
+#     <Data Name="ProfilePath">%%1793</Data>
+#     <Data Name="UserWorkstations">%%1793</Data>
+#     <Data Name="PasswordLastSet">%%1794</Data>
+#     <Data Name="AccountExpires">%%1794</Data>
+#     <Data Name="PrimaryGroupId">513</Data>
+#     <Data Name="AllowedToDelegateTo">-</Data>
+#     <Data Name="OldUacValue">0x0</Data>
+#     <Data Name="NewUacValue">0x15</Data>
+#     <Data Name="UserAccountControl">%%2080%%2082%%2084</Data>
+#     <Data Name="UserParameters">%%1793</Data>
+#     <Data Name="SidHistory">-</Data>
+#     <Data Name="LogonHours">%%1797</Data>
+#   </EventData>