From f9eeb603f617d092a8a845e843d9c5ef79b2ded7 Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Wed, 20 Jan 2021 11:30:44 -0500 Subject: [PATCH 1/4] Update Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map --- ...ent-Operational_Microsoft-Windows-Bits-Client_3.map | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map index dee17864..d533e70b 100644 --- a/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map +++ b/evtx/Maps/Microsoft-Windows-Bits-Client-Operational_Microsoft-Windows-Bits-Client_3.map @@ -6,14 +6,11 @@ Provider: Microsoft-Windows-Bits-Client Maps: - Property: UserName - PropertyValue: "jobOwner: %jobOwner%%string2%" + PropertyValue: "%jobOwner%" Values: - Name: jobOwner Value: "/Event/EventData/Data[@Name=\"jobOwner\"]" - - - Name: string2 - Value: "/Event/EventData/Data[@Name=\"string2\"]" - Property: ExecutableInfo PropertyValue: "%processPath%" @@ -23,14 +20,11 @@ Maps: Value: "/Event/EventData/Data[@Name=\"processPath\"]" - Property: PayloadData1 - PropertyValue: "jobTitle: %jobTitle%%string%" + PropertyValue: "jobTitle: %jobTitle%" Values: - Name: jobTitle Value: "/Event/EventData/Data[@Name=\"jobTitle\"]" - - - Name: string - Value: "/Event/EventData/Data[@Name=\"string\"]" - Property: PayloadData2 PropertyValue: "jobId: %jobId%" From 9544aa5f4f2ef38589fa8eee3f7e1f2c39ec5865 Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Wed, 20 Jan 2021 11:34:49 -0500 Subject: [PATCH 2/4] Update Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map --- ...ational_Microsoft-Windows-TaskScheduler_102.map | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
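Review bot: The first hunk drops the `string2` lookup (and the second hunk the `string` lookup) from the Bits-Client event 3 map without recording why those XPath values were there; if they existed to cover a schema variant in which the owner or title is emitted as an unnamed `string` field, UserName and PayloadData1 will now come out empty for those events rather than carrying the value. Before merging, confirm against sample event 3 records that `Data[@Name="string"]` and `Data[@Name="string2"]` are absent or empty, and record that in the map header, e.g. `Comment: "string/string2 lookups removed - not populated by event 3 on tested builds; jobOwner maps to UserName unlabelled so it can be pivoted against other providers"`. Emitting the bare `%jobOwner%` into UserName without the `jobOwner: ` label is the right call, since it lets the column join on exact user across providers. The map's header fields (Author, Description, Comment) are outside this hunk.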
diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map index 8656103b..0142ade8 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map @@ -4,6 +4,13 @@ EventId: 102 Channel: "Microsoft-Windows-TaskScheduler/Operational" Provider: Microsoft-Windows-TaskScheduler Maps: + - + Property: UserName + PropertyValue: "Context: %UserContext%" + Values: + - + Name: UserContext + Value: "/Event/EventData/Data[@Name=\"UserContext\"]" - Property: PayloadData1 PropertyValue: "Task: %TaskName%" @@ -11,13 +18,6 @@ Maps: - Name: TaskName Value: "/Event/EventData/Data[@Name=\"TaskName\"]" - - - Property: PayloadData2 - PropertyValue: "Context: %UserContext%" - Values: - - - Name: UserContext - Value: "/Event/EventData/Data[@Name=\"UserContext\"]" - Property: PayloadData3 PropertyValue: "Instance Id: %InstanceId%" From 1e895a6489d2db2330d880cce4869802c78cc738 Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Wed, 20 Jan 2021 11:34:52 -0500 Subject: [PATCH 3/4] Update Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map --- ...ational_Microsoft-Windows-TaskScheduler_100.map | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map index e5220e46..d3caedcb 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map 
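Review bot: The new UserName entry in the first hunk writes `Context: %UserContext%`, so the UserName column carries a label prefix instead of the bare account, which defeats exact-match pivots on user across providers and is inconsistent with patch 1 of this same series, which deliberately stripped the `jobOwner: ` prefix from that column. Use `PropertyValue: "%UserContext%"` and keep labelled text for the PayloadData slots, where it belongs. As far as I recall, UserContext on event 102 is the account the task action ran under rather than the principal who registered the task; if that holds, a `Comment:` in the map header (outside this hunk) saying so would stop analysts over-reading the UserName column.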
@@ -4,6 +4,13 @@ EventId: 100 Channel: "Microsoft-Windows-TaskScheduler/Operational" Provider: Microsoft-Windows-TaskScheduler Maps: + - + Property: UserName + PropertyValue: "Context: %UserContext%" + Values: + - + Name: UserContext + Value: "/Event/EventData/Data[@Name=\"UserContext\"]" - Property: PayloadData1 PropertyValue: "Task: %TaskName%" @@ -11,13 +18,6 @@ Maps: - Name: TaskName Value: "/Event/EventData/Data[@Name=\"TaskName\"]" - - - Property: PayloadData2 - PropertyValue: "Context: %UserContext%" - Values: - - - Name: UserContext - Value: "/Event/EventData/Data[@Name=\"UserContext\"]" - Property: PayloadData3 PropertyValue: "Instance Id: %InstanceId%" From adbaaa070e24c78e9c841ac47e43ecf05fa29674 Mon Sep 17 00:00:00 2001 From: rathbuna <36825567+rathbuna@users.noreply.github.com> Date: Wed, 20 Jan 2021 11:38:30 -0500 Subject: [PATCH 4/4] Remap PayloadData3 to PayloadData2 --- ...cheduler-Operational_Microsoft-Windows-TaskScheduler_100.map | 2 +- ...cheduler-Operational_Microsoft-Windows-TaskScheduler_102.map | 2 +- ...cheduler-Operational_Microsoft-Windows-TaskScheduler_119.map | 2 +- ...cheduler-Operational_Microsoft-Windows-TaskScheduler_129.map | 2 +- ...cheduler-Operational_Microsoft-Windows-TaskScheduler_200.map | 2 +- ...cheduler-Operational_Microsoft-Windows-TaskScheduler_201.map | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map index d3caedcb..4fed2cc2 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_100.map 
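Review bot: The added UserName entry for event 100 uses `PropertyValue: "Context: %UserContext%"`, putting a label prefix into the UserName column; that column should hold the bare account so it can be matched exactly against UserName from other maps (patch 1 in this series strips the `jobOwner: ` prefix from UserName for exactly this reason). Change it to `PropertyValue: "%UserContext%"` and leave labelled text to the PayloadData slots. Since the _100 and _102 maps are otherwise identical in structure, whichever form is chosen should be applied to both so event 100 and 102 rows pivot the same way.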
@@ -19,7 +19,7 @@ Maps: Name: TaskName Value: "/Event/EventData/Data[@Name=\"TaskName\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "Instance Id: %InstanceId%" Values: - diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map index 0142ade8..2b53b054 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_102.map @@ -19,7 +19,7 @@ Maps: Name: TaskName Value: "/Event/EventData/Data[@Name=\"TaskName\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "Instance Id: %InstanceId%" Values: - diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_119.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_119.map index d2b5f6a1..659d5bbe 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_119.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_119.map @@ -19,7 +19,7 @@ Maps: Name: UserName Value: "/Event/EventData/Data[@Name=\"UserName\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "Instance Id: %InstanceId%" Values: - diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_129.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_129.map index b7d7530e..3d747d95 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_129.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_129.map 
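Review bot: In the _119 hunk the renamed `Property: PayloadData2` follows a Values block whose XPath is `Data[@Name="UserName"]`, but the three context lines don't show which Property owns that block or whether a PayloadData2 entry already exists above line 19; unlike _100 and _102, no earlier patch in this series removed a PayloadData2 from _119, so a second same-named Property would make one of the two entries silently win. Please confirm that the full Maps list of _119 ends up with exactly one PayloadData1 and one PayloadData2 (and no remaining PayloadData3), or widen the hunk context to show the preceding Property. The _100 and _102 hunks on this line look fine, since patches 2 and 3 freed the PayloadData2 slot in those files. The enclosing Maps list begins and ends outside each of these hunks.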
@@ -19,7 +19,7 @@ Maps: Name: Path Value: "/Event/EventData/Data[@Name=\"Path\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "ProcessID: %ProcessID%" Values: - diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_200.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_200.map index ae604e61..d96bf5f1 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_200.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_200.map @@ -19,7 +19,7 @@ Maps: Name: ActionName Value: "/Event/EventData/Data[@Name=\"ActionName\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "Instance Id: %TaskInstanceId%" Values: - diff --git a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map index a1374bbc..ac2cea82 100644 --- a/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map +++ b/evtx/Maps/Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map @@ -19,7 +19,7 @@ Maps: Name: ActionName Value: "/Event/EventData/Data[@Name=\"ActionName\"]" - - Property: PayloadData3 + Property: PayloadData2 PropertyValue: "Instance Id: %TaskInstanceId%" Values: -
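Review bot: The _129 hunk renames PayloadData3 to PayloadData2 with `ProcessID: %ProcessID%`, but the context shows only the preceding `Path` value, not the Property that owns it, so it cannot be seen here whether _129 already has a PayloadData2 entry; nothing earlier in the series removed one from _129, _200 or _201, and a duplicate Property key would collide rather than error. Check each of these three maps end to end before merge, e.g. `grep -c "Property: PayloadData2" <map>` should print 1 for each, and the same check applies to the _200 and _201 hunks on this line. If the slot is in fact free, a one-line commit body such as `PayloadData3 -> PayloadData2 so TaskScheduler maps have no gap in the PayloadData columns` would make the intent clearer than the bare subject. The enclosing Maps list starts above each hunk and continues past it.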