From b8c107c0d6876cc23f758028e976b7ae8abb247e Mon Sep 17 00:00:00 2001
From: rathbuna <36825567+rathbuna@users.noreply.github.com>
Date: Tue, 22 Dec 2020 09:05:03 -0500
Subject: [PATCH] Update Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1102.map Add further documentation
---
 ...icrosoft-Windows-TerminalServices-ClientActiveXCore_1102.map | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1102.map b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1102.map
index 02c5f2bb..44453b48 100644
--- a/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1102.map
+++ b/evtx/Maps/Microsoft-Windows-TerminalServices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1102.map
@@ -16,6 +16,8 @@ Maps:
 # https://cyber-tls.blogspot.com/2019/08/rdp.html
 # https://social.technet.microsoft.com/wiki/contents/articles/37847.rdp-direct-connection-with-nla-remote-desktop-client-event-logs.aspx
 # https://nullsec.us/windows-rdp-related-event-logs-the-client-side-of-the-story/
+# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdsod/aa0449fc-9642-4206-90a8-aac72f1b72fd
+# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdsod/aa0449fc-9642-4206-90a8-aac72f1b72fd
 #
 # Example Event Data:
 #The client has initiated a multi-transport connection to the server 192.168.1.179.
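Review bot: The two added reference lines are identical; both are `# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdsod/aa0449fc-9642-4206-90a8-aac72f1b72fd`, so the second one adds nothing. Either drop the duplicate or replace it with the other MS-RDSOD section that was presumably intended. A short trailing note on the remaining link saying what it documents would also help analysts triaging event 1102; judging by the example event data below, that is probably the multi-transport connection sequence, but confirm against the linked page.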