diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map index dee17864..d533e70b 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map @@ -6,14 +6,11 @@ Provider: Microsoft-Windows-Bits-Client Maps: - Property: UserName - PropertyValue: "jobOwner: %jobOwner%%string2%" + PropertyValue: "%jobOwner%" Values: - Name: jobOwner Value: "/Event/EventData/Data[@Name=\"jobOwner\"]" - - - Name: string2 - Value: "/Event/EventData/Data[@Name=\"string2\"]" - Property: ExecutableInfo PropertyValue: "%processPath%" @@ -23,14 +20,11 @@ Maps: Value: "/Event/EventData/Data[@Name=\"processPath\"]" - Property: PayloadData1 - PropertyValue: "jobTitle: %jobTitle%%string%" + PropertyValue: "jobTitle: %jobTitle%" Values: - Name: jobTitle Value: "/Event/EventData/Data[@Name=\"jobTitle\"]" - - - Name: string - Value: "/Event/EventData/Data[@Name=\"string\"]" - Property: PayloadData2 PropertyValue: "jobId: %jobId%" diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map index e5220e46..4fed2cc2 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map @@ -4,6 +4,13 @@ EventId: 100 Channel: "Microsoft-Windows-TaskScheduler/Operational" Provider: Microsoft-Windows-TaskScheduler Maps: + - + Property: UserName + PropertyValue: "Context: %UserContext%" + Values: + - + Name: UserContext + Value: "/Event/EventData/Data[@Name=\"UserContext\"]" - Property: PayloadData1 PropertyValue: "Task: %TaskName%" 
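Review bot: Dropping `string2` from the UserName template removes that field from the normalized output entirely, because no other property in this map section carries it. If the old template appended it because some Windows builds populate `string2`/`string` instead of, or alongside, `jobOwner` and `jobTitle` (I cannot tell from the diff), those hosts will now show an empty UserName for BITS event 3, which is the event analysts lean on to spot BITS-based download and persistence activity. Suggest checking the new map against EVTX samples from each supported build, or re-homing the value into a spare slot such as `PropertyValue: "string2: %string2%"` under a PayloadData property instead of discarding it. The same question applies to the `string` field removed from the jobTitle template in the following hunk.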
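Review bot: The `Context:` label is carried into the UserName column by `PropertyValue: "Context: %UserContext%"`, while the BITS-Client map in this same commit strips its label and writes the bare account (`PropertyValue: "%jobOwner%"`). A UserName value of `Context: DOMAIN\user` will not match a filter or pivot on the plain account across providers, which defeats the point of promoting the field out of PayloadData. Suggest `PropertyValue: "%UserContext%"`, keeping the label only in PayloadData slots. Also worth a comment in the map that UserContext is, as I read the event 100 message template, the principal the task instance runs under rather than the account that registered the task, so a UserName pivot here should not be read as "who created it".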
@@ -11,15 +18,8 @@ Maps: - Name: TaskName Value: "/Event/EventData/Data[@Name=\"TaskName\"]" - - - Property: PayloadData2 - PropertyValue: "Context: %UserContext%" - Values: - - - Name: UserContext - Value: "/Event/EventData/Data[@Name=\"UserContext\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "Instance Id: %InstanceId%" Values: - diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map index 8656103b..2b53b054 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map @@ -4,6 +4,13 @@ EventId: 102 Channel: "Microsoft-Windows-TaskScheduler/Operational" Provider: Microsoft-Windows-TaskScheduler Maps: + - + Property: UserName + PropertyValue: "Context: %UserContext%" + Values: + - + Name: UserContext + Value: "/Event/EventData/Data[@Name=\"UserContext\"]" - Property: PayloadData1 PropertyValue: "Task: %TaskName%" @@ -11,15 +18,8 @@ Maps: - Name: TaskName Value: "/Event/EventData/Data[@Name=\"TaskName\"]" - - - Property: PayloadData2 - PropertyValue: "Context: %UserContext%" - Values: - - - Name: UserContext - Value: "/Event/EventData/Data[@Name=\"UserContext\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "Instance Id: %InstanceId%" Values: - diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_119.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_119.map index d2b5f6a1..659d5bbe 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_119.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_119.map 
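Review bot: The UserName value keeps a `Context:` prefix (`PropertyValue: "Context: %UserContext%"`), so event 102 rows will carry `Context: DOMAIN\user` in a column that the BITS-Client map in this commit fills with the bare account; whichever form is chosen for event 100 should be applied here too so start/stop pairs for a task can be joined on UserName. Suggest `PropertyValue: "%UserContext%"` and leaving labels to the PayloadData fields. Separately, Instance Id moving from PayloadData3 to PayloadData2 is a silent change for any saved timeline query or detection keyed on the old column name; it is fine, but deserves a changelog line.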
@@ -19,7 +19,7 @@ Maps: Name: UserName Value: "/Event/EventData/Data[@Name=\"UserName\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "Instance Id: %InstanceId%" Values: - diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_129.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_129.map index b7d7530e..3d747d95 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_129.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_129.map @@ -19,7 +19,7 @@ Maps: Name: Path Value: "/Event/EventData/Data[@Name=\"Path\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "ProcessID: %ProcessID%" Values: - diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_200.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_200.map index ae604e61..d96bf5f1 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_200.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_200.map @@ -19,7 +19,7 @@ Maps: Name: ActionName Value: "/Event/EventData/Data[@Name=\"ActionName\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "Instance Id: %TaskInstanceId%" Values: - diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map index a1374bbc..ac2cea82 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map 
@@ -19,7 +19,7 @@ Maps: Name: ActionName Value: "/Event/EventData/Data[@Name=\"ActionName\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "Instance Id: %TaskInstanceId%" Values: -