Merge pull request #24 from chadtilbury/master

EricZimmerman · web-flow · commit e4dacb301746 · 2020-06-06T19:46:43.000Z
Update 4624/4625 maps to include process name
diff --git a/evtx/Maps/Security_4624.map b/evtx/Maps/Security_4624.map
@@ -40,7 +40,14 @@ Maps:
       - 
         Name: LogonType
         Value: "/Event/EventData/Data[@Name=\"LogonType\"]"
-
+  - 
+    Property: ExecutableInfo
+    PropertyValue: "%ProcessName%"
+    Values: 
+      - 
+        Name: ProcessName
+        Value: "/Event/EventData/Data[@Name=\"ProcessName\"]"
+		
 # Valid properties include:
 # UserName
 # RemoteHost
diff --git a/evtx/Maps/Security_4625.map b/evtx/Maps/Security_4625.map
@@ -40,6 +40,14 @@ Maps:
       - 
         Name: LogonType
         Value: "/Event/EventData/Data[@Name=\"LogonType\"]"
+  - 
+    Property: ExecutableInfo
+    PropertyValue: "%ProcessName%"
+    Values: 
+      - 
+        Name: ProcessName
+        Value: "/Event/EventData/Data[@Name=\"ProcessName\"]"
+		
 
 # Valid properties include:
 # UserName
