diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_1.map b/evtx/Maps/Microsoft-Windows-SysMon_Operational_1.map
index 3367c191..52d96687 100644
--- a/evtx/Maps/Microsoft-Windows-SysMon_Operational_1.map
+++ b/evtx/Maps/Microsoft-Windows-SysMon_Operational_1.map
@@ -61,7 +61,7 @@ Maps:
 Value: "/Event/EventData/Data[@Name=\"ParentCommandLine\"]"
 -
 Property: UserName
-"%User%"
+ PropertyValue: "%User%"
 Values:
 -
 Name: User
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_19.map b/evtx/Maps/Microsoft-Windows-SysMon_Operational_19.map
index 037d5d15..1857b60e 100644
--- a/evtx/Maps/Microsoft-Windows-SysMon_Operational_19.map
+++ b/evtx/Maps/Microsoft-Windows-SysMon_Operational_19.map
@@ -47,7 +47,7 @@ Maps:
 Value: "/Event/EventData/Data[@Name=\"EventNamespace\"]"
 -
 Property: UserName
-"%User%"
+ PropertyValue: "%User%"
 Values:
 -
 Name: User
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_20.map b/evtx/Maps/Microsoft-Windows-SysMon_Operational_20.map
index 69a25b1d..ea8b77ff 100644
--- a/evtx/Maps/Microsoft-Windows-SysMon_Operational_20.map
+++ b/evtx/Maps/Microsoft-Windows-SysMon_Operational_20.map
@@ -55,7 +55,7 @@ Maps:
 Value: "/Event/EventData/Data[@Name=\"Destination\"]"
 -
 Property: UserName
-"%User%"
+ PropertyValue: "%User%"
 Values:
 -
 Name: User
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_21.map b/evtx/Maps/Microsoft-Windows-SysMon_Operational_21.map
index fa7bfde9..1ba70f58 100644
--- a/evtx/Maps/Microsoft-Windows-SysMon_Operational_21.map
+++ b/evtx/Maps/Microsoft-Windows-SysMon_Operational_21.map
@@ -41,7 +41,7 @@ Maps:
 Value: "/Event/EventData/Data[@Name=\"Filter\"]"
 -
 Property: UserName
-"%User%"
+ PropertyValue: "%User%"
 Values:
 -
 Name: User
diff --git a/evtx/Maps/Microsoft-Windows-SysMon_Operational_3.map b/evtx/Maps/Microsoft-Windows-SysMon_Operational_3.map
index 5e06485d..1e211d63 100644
--- a/evtx/Maps/Microsoft-Windows-SysMon_Operational_3.map
+++ b/evtx/Maps/Microsoft-Windows-SysMon_Operational_3.map
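Review bot: The line replaced in the Sysmon event 1 hunk, a bare `"%User%"` with no key in front of it, is not valid YAML, so before this commit the whole map presumably failed to load and the UserName column stayed empty for those events; the same defect is fixed in the 19, 20 and 21 hunks on this line and in the 3 hunk that follows. The added `PropertyValue: "%User%"` is the right fix, though the collapsed whitespace in this diff makes it impossible to confirm that its indentation matches the sibling `Values:` key, which is worth a glance in the rendered file. Since the fifteen map files in this commit share the same two malformations, a CI step that parses every `.map` under `evtx/Maps` with a strict YAML loader and fails on a parse error would turn the next such slip into a red check instead of a silently missing field in triage output.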
@@ -51,7 +51,7 @@ Maps:
 Value: "/Event/EventData/Data[@Name=\"DestinationIp\"]"
 -
 Property: UserName
-"%User%"
+ PropertyValue: "%User%"
 Values:
 -
 Name: User
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map
index 7efcaf6d..0f39640e 100644
--- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map
+++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_100.map
@@ -5,21 +5,21 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps:
 -
 Property: PayloadData1
-PropertyValue: "Task: %TaskName%"
+ PropertyValue: "Task: %TaskName%"
 Values:
 -
 Name: TaskName
 Value: "/Event/EventData/Data[@Name=\"TaskName\"]"
 -
 Property: PayloadData2
- PropertyValue: Context: %UserContext%
+ PropertyValue: "Context: %UserContext%"
 Values:
 -
 Name: UserContext
 Value: "/Event/EventData/Data[@Name=\"UserContext\"]"
 -
 Property: PayloadData3
- PropertyValue: Instance Id: %InstanceId%
+ PropertyValue: "Instance Id: %InstanceId%"
 Values:
 -
 Name: InstanceId
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map
index 93d4ab78..ace23679 100644
--- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map
+++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_102.map
@@ -5,21 +5,21 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps:
 -
 Property: PayloadData1
-PropertyValue: "Task: %TaskName%"
+ PropertyValue: "Task: %TaskName%"
 Values:
 -
 Name: TaskName
 Value: "/Event/EventData/Data[@Name=\"TaskName\"]"
 -
 Property: PayloadData2
- PropertyValue: Context: %UserContext%
+ PropertyValue: "Context: %UserContext%"
 Values:
 -
 Name: UserContext
 Value: "/Event/EventData/Data[@Name=\"UserContext\"]"
 -
 Property: PayloadData3
- PropertyValue: Instance Id: %InstanceId%
+ PropertyValue: "Instance Id: %InstanceId%"
 Values:
 -
 Name: InstanceId
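Review bot: The removed `PropertyValue: Context: %UserContext%` and `PropertyValue: Instance Id: %InstanceId%` lines in the TaskScheduler 100 hunk are unquoted plain scalars containing `: `, which a YAML parser treats as a second mapping indicator and rejects, so the quoted replacements are required rather than cosmetic; the identical fix recurs in the 102 hunk here and in the 119, 200, 201 and Security_5140 hunks on the following lines. The SysMon_3 hunk at the top of this line has the same bare-scalar defect as the other SysMon maps and the same one-line fix. Because the rule is easy to miss when a label itself ends in a colon, a one-line comment above `Maps:` in whatever template new maps are copied from (if the repository keeps one) such as `# PropertyValue text containing ': ' or ' #' must be double-quoted` would put the constraint where authors will see it.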
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map
index 9432431b..c6eb8672 100644
--- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map
+++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_106.map
@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps:
 -
 Property: PayloadData1
-PropertyValue: "Task: %TaskName%"
+ PropertyValue: "Task: %TaskName%"
 Values:
 -
 Name: TaskName
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map
index aac6a702..fe66d4ef 100644
--- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map
+++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_119.map
@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps:
 -
 Property: PayloadData1
-PropertyValue: "Task: %TaskName%"
+ PropertyValue: "Task: %TaskName%"
 Values:
 -
 Name: TaskName
@@ -19,7 +19,7 @@ PropertyValue: "Task: %TaskName%"
 Value: "/Event/EventData/Data[@Name=\"UserName\"]"
 -
 Property: PayloadData3
- PropertyValue: Instance Id: %InstanceId%
+ PropertyValue: "Instance Id: %InstanceId%"
 Values:
 -
 Name: InstanceId
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map
index 5c1b68a8..fa76c738 100644
--- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map
+++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_141.map
@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps:
 -
 Property: PayloadData1
-PropertyValue: "Task: %TaskName%"
+ PropertyValue: "Task: %TaskName%"
 Values:
 -
 Name: TaskName
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map
index ea4eea8d..1456dfe6 100644
--- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map
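Review bot: The 106 and 141 hunks re-indent only the PayloadData1 value, whereas the 100 and 102 maps on the previous line also needed their PayloadData2 and PayloadData3 values quoted; whether the corresponding entries further down in 106 and 141 carry the same unquoted `Context: %...%` or `Instance Id: %...%` form lies outside these hunks and cannot be confirmed from the diff, so it is worth checking before merge. The second 119 hunk shows that the unquoted `Instance Id:` form was present in that file, which suggests the other TaskScheduler maps written in the same style may share it. The `Maps:` block that these hunks open continues beyond each hunk.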
+++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_200.map
@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps:
 -
 Property: PayloadData1
-PropertyValue: "Task: %TaskName%"
+ PropertyValue: "Task: %TaskName%"
 Values:
 -
 Name: TaskName
@@ -19,7 +19,7 @@ PropertyValue: "Task: %TaskName%"
 Value: "/Event/EventData/Data[@Name=\"ActionName\"]"
 -
 Property: PayloadData3
- PropertyValue: Instance Id: %TaskInstanceId%
+ PropertyValue: "Instance Id: %TaskInstanceId%"
 Values:
 -
 Name: TaskInstanceId
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map
index c52de3c8..cd2bba34 100644
--- a/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map
+++ b/evtx/Maps/Microsoft-Windows-TaskScheduler_Operational_201.map
@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-TaskScheduler/Operational"
 Maps:
 -
 Property: PayloadData1
-PropertyValue: "Task: %TaskName%"
+ PropertyValue: "Task: %TaskName%"
 Values:
 -
 Name: TaskName
@@ -19,7 +19,7 @@ PropertyValue: "Task: %TaskName%"
 Value: "/Event/EventData/Data[@Name=\"ActionName\"]"
 -
 Property: PayloadData3
- PropertyValue: Instance Id: %TaskInstanceId%
+ PropertyValue: "Instance Id: %TaskInstanceId%"
 Values:
 -
 Name: TaskInstanceId
diff --git a/evtx/Maps/Security_1102.map b/evtx/Maps/Security_1102.map
index a37e8c5e..d3040b4d 100644
--- a/evtx/Maps/Security_1102.map
+++ b/evtx/Maps/Security_1102.map
@@ -15,7 +15,7 @@ Maps:
 Value: "/Event/UserData/LogFileCleared/SubjectUserName"
 -
 Property: PayloadData1
-PropertyValue: "SID: (%SubjectUserSid%)"
+ PropertyValue: "SID: (%SubjectUserSid%)"
 Values:
 -
 Name: SubjectUserSid
diff --git a/evtx/Maps/Security_5140.map b/evtx/Maps/Security_5140.map
index 17e9d59a..d766b72a 100644
--- a/evtx/Maps/Security_5140.map
+++ b/evtx/Maps/Security_5140.map
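Review bot: Security_1102 renders the subject SID as `SID: (%SubjectUserSid%)` while the Security_5140 hunk on the next line renders the same EventData field as `Sid: %SubjectUserSid%`; the differing label case and parentheses mean one search or pivot over the PayloadData columns will not match both the log-clear event and the share-access event for the same account. Aligning 5140 to `PropertyValue: "SID: (%SubjectUserSid%)"`, or both maps to the plainer `"SID: %SubjectUserSid%"`, would make the output consistent. The 200 and 201 hunks are the same re-indent and quoting fix as the other TaskScheduler maps and raise nothing new.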
@@ -25,7 +25,7 @@ Maps:
 Value: "/Event/EventData/Data[@Name=\"IpPort\"]"
 -
 Property: PayloadData1
- PropertyValue: Share: %ShareName% (%ShareLocalPath%)
+ PropertyValue: "Share: %ShareName% (%ShareLocalPath%)"
 Values:
 -
 Name: ShareName
@@ -35,7 +35,7 @@ Maps:
 Value: "/Event/EventData/Data[@Name=\"ShareLocalPath\"]"
 -
 Property: PayloadData2
- PropertyValue: Sid: %SubjectUserSid%
+ PropertyValue: "Sid: %SubjectUserSid%"
 Values:
 -
 Name: SubjectUserSid
diff --git a/evtx/Maps/System_1.map b/evtx/Maps/System_1.map
index 7fe0149c..d765fe56 100644
--- a/evtx/Maps/System_1.map
+++ b/evtx/Maps/System_1.map
@@ -6,21 +6,21 @@ Provider: "Microsoft-Windows-Power-Troubleshooter"
 Maps:
 -
 Property: PayloadData1
- PropertyValue: Sleep duration: "%SleepDuration%"
+ PropertyValue: "Sleep duration: %SleepDuration%"
 Values:
 -
 Name: SleepDuration
 Value: "/Event/EventData/Data[@Name=\"SleepDuration\"]"
 -
 Property: PayloadData2
- PropertyValue: Wake source: "%WakeSourceType%"
+ PropertyValue: "Wake source: %WakeSourceType%"
 Values:
 -
 Name: WakeSourceType
 Value: "/Event/EventData/Data[@Name=\"WakeSourceType\"]"
 -
 Property: PayloadData3
- PropertyValue: Wake source text "%WakeSourceText%"
+ PropertyValue: "Wake source text %WakeSourceText%"
 Values:
 -
 Name: WakeSourceText
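Review bot: In the System_1 hunk the PayloadData3 label `"Wake source text %WakeSourceText%"` lacks the colon that its siblings `"Sleep duration: %SleepDuration%"` and `"Wake source: %WakeSourceType%"` use, so that column reads as one run-on phrase; `PropertyValue: "Wake source text: %WakeSourceText%"` would match the pattern. The rewrite also drops the inner quotes the old lines placed around each substitution, changing the intended rendering from `Sleep duration: "value"` to `Sleep duration: value`; the first two old lines could not have parsed, so nothing that previously worked regresses, but if the quotes were wanted for values containing spaces they would need to be escaped inside the outer string, as in `"Sleep duration: \"%SleepDuration%\""`. The Security_5140 hunks need only the quoting fix and raise nothing beyond the label inconsistency noted on the previous line.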