Merge pull request #60 from rathbuna/master

Standardization and Documentation Updates
EricZimmerman · Dec 24, 2020 · 0472db4 · 0472db4 · AndrewRathbun · Dec 24, 2020
2 parents 326896d + 89d9bdc
commit 0472db4
Show file tree

Hide file tree

Showing 72 changed files with 84 additions and 77 deletions.
diff --git a/evtx/Maps/!!!!README.md b/evtx/Maps/!!!!README.md
@@ -76,9 +76,9 @@ The Channel is a useful identifier for a given log type. It can be seen in the `
 
 The Maps collection contains configurations for how to look for data in an events EventData and extract out particular properties into variables. These variables are then combined and mapped to the event record's first class properties.
 
-For example, consider the first map, for `Username`, below.
+For example, consider the first map, for `UserName`, below.
 
-The `PropertyValue` defines the pattern that will be used to build the final value that will be assigned to the Username field in the CSV. Variables in patterns are surrounded by % on both sides, so we see two variables defined: `%domain%` and `%user%`
+The `PropertyValue` defines the pattern that will be used to build the final value that will be assigned to the UserName field in the CSV. Variables in patterns are surrounded by % on both sides, so we see two variables defined: `%domain%` and `%user%`
 
 In the map entries `Values` collection, we actually populate these variables by giving the value a name (domain in the first case) and an xpath query that will be used to set the value for the variable (`"/Event/EventData/Data[@Name=\"SubjectDomainName\"]"` in the first case).
 
@@ -157,7 +157,7 @@ EventId: 4624
 Channel: Security
 Maps: 
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 
@@ -214,3 +214,10 @@ This also allows you to update default maps without having your customizations b
 TIPS:
 
 If you are looking to make an Application.evtx map, please include a Provider as they are many instances where the same event ID number is used for multiple providers. I've personally observed 4 Providers use Event ID 1 which without a Provider being listed for that map it made all 4 events, regardless of Provider, be mapped incorrectly. When in doubt, add a Provider to your map. Follow a template from a previously created map to ensure it's made correctly.
+
+UPDATE: As of December 2020, Provider is now mandatory to avoid the above issue!
+
+# Updating Documentation
+
+If you are looking for a way to contribute without making a map, search across the contents of all maps for "N/A" and try to find documentation for any of the maps in the repository. Ideally, each map will have as much documentation as possible that exists for that specific event. This can serve as a good reference for anyone using the tool as well as a learning tool for students and those new to the field. 
+
diff --git a/evtx/Maps/!Channel-Name_Provider-Name_EventID.guide b/evtx/Maps/!Channel-Name_Provider-Name_EventID.guide
@@ -1,19 +1,19 @@
 Author: Your name/contact information (optional) goes here
-Description: Event description goes here
+Description: Event description goes here without a period
 EventId: EventID number goes here
 Channel: Channel goes here
 Provider: Provider goes here
 # Delete all of these commented lines before submitting your map, including those after the Property values below. Below is an example of Properties and how they can be used in your map.
 # Filename for the map should follow the title of this file. _ separates Channel from Provider from EventID. - replaces any spaces or special characters in either Channel Name or Provider Name. Your filename may be long and that is okay. 
-# The value for "Property: " must be one of the following: RemoteHost, Username, ExecutableInfo, PayloadData1, PayloadData2, PayloadData3, PayloadData4, PayloadData5, or PayloadData6. 
+# The value for "Property: " must be one of the following: RemoteHost, UserName, ExecutableInfo, PayloadData1, PayloadData2, PayloadData3, PayloadData4, PayloadData5, or PayloadData6. Please stick to this same casing scheme for uniformity (i.e. UserName vs Username). 
 # The value(s) for "PropertyValue: " must match whatever you list below under Values for the Name(s). PropertyValue will determine how the data pulled from Name and Value will look to the end user within the CSV output. 
 # When organizing your PayloadData columns, if your event is similar to preexisting maps, try to follow the same pattern others follow for consistency during analysis. A good example of this is the Sysmon logs. 
 # PayloadData5 below includes an example of using regex.
 # PayloadData6 below includes an example of a Lookup Table. 
 # No space between "Provider:"" and "Maps:", please.
 Maps: 
   - 
-    Property: Username # Username --> if at all possible, try to include DOMAIN\username if that information is recorded in the event.
+    Property: UserName # UserName --> if at all possible, try to include DOMAIN\username if that information is recorded in the event.
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 

diff --git a/evtx/Maps/!Channel-Name_Provider-Name_EventID.template b/evtx/Maps/!Channel-Name_Provider-Name_EventID.template
@@ -5,7 +5,7 @@ Channel: Channel goes here
 Provider: Provider goes here
 Maps: 
   - 
-    Property: Username 
+    Property: UserName 
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 

diff --git a/evtx/Maps/Application_Application-Hang_1002.map b/evtx/Maps/Application_Application-Hang_1002.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: The program has been terminated.
+Description: The program has been terminated
 EventId: 1002
 Channel: "Application"
 Provider: "Application Hang"

diff --git a/evtx/Maps/Application_Microsoft-Windows-Audit-CVE_1.map b/evtx/Maps/Application_Microsoft-Windows-Audit-CVE_1.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description:  An attempt to exploit a known vulnerability detected.
+Description:  An attempt to exploit a known vulnerability detected
 EventId: 1
 Channel: "Application"
 Provider: "Microsoft-Windows-Audit-CVE"

diff --git a/evtx/Maps/Application_MsiInstaller_1033.map b/evtx/Maps/Application_MsiInstaller_1033.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: A program was installed.
+Description: A program was installed
 EventId: 1033
 Channel: "Application"
 Provider: "MsiInstaller"

diff --git a/evtx/Maps/Application_MsiInstaller_1034.map b/evtx/Maps/Application_MsiInstaller_1034.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: A program was deleted.
+Description: A program was deleted
 EventId: 1034
 Channel: "Application"
 Provider: "MsiInstaller"

diff --git a/evtx/Maps/Application_MsiInstaller_11707.map b/evtx/Maps/Application_MsiInstaller_11707.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: Installation completed successfully.
+Description: Installation completed successfully
 EventId: 11707
 Channel: "Application"
 Provider: "MsiInstaller"

diff --git a/evtx/Maps/Application_MsiInstaller_11724.map b/evtx/Maps/Application_MsiInstaller_11724.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: Removal completed successfully.
+Description: Removal completed successfully
 EventId: 11724
 Channel: "Application"
 Provider: "MsiInstaller"

diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-MSI-and-Script_Microsoft-Windows-AppLocker_8005.map b/evtx/Maps/Microsoft-Windows-AppLocker-MSI-and-Script_Microsoft-Windows-AppLocker_8005.map
@@ -1,5 +1,5 @@
 Author: Phill Moore\Troy Larson
-Description: A script or MSI was allowed to run.
+Description: A script or MSI was allowed to run
 EventId: 8005
 Channel: Microsoft-Windows-AppLocker/MSI and Script
 Provider: Microsoft-Windows-AppLocker

diff --git a/evtx/Maps/Microsoft-Windows-AppLocker-MSI-and-Script_Microsoft-Windows-AppLocker_8007.map b/evtx/Maps/Microsoft-Windows-AppLocker-MSI-and-Script_Microsoft-Windows-AppLocker_8007.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: A script or MSI was prevented from running.
+Description: A script or MSI was prevented from running
 EventId: 8007
 Channel: Microsoft-Windows-AppLocker/MSI and Script
 Provider: Microsoft-Windows-AppLocker

diff --git a/...ps/Microsoft-Windows-AppLocker-PackagedApp-Execution_Microsoft-Windows-AppLocker_8020.map b/...ps/Microsoft-Windows-AppLocker-PackagedApp-Execution_Microsoft-Windows-AppLocker_8020.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: A packaged app was allowed to run.
+Description: A packaged app was allowed to run
 EventId: 8020
 Channel: "Microsoft-Windows-AppLocker/Packaged app-Execution"
 Provider: Microsoft-Windows-AppLocker

diff --git a/...ows-Diagnostics-Performance-Operational_Microsoft-Windows-Diagnostics-Performance_200.map b/...ows-Diagnostics-Performance-Operational_Microsoft-Windows-Diagnostics-Performance_200.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: Windows System was shutdown.
+Description: Windows System was shutdown
 EventId: 200
 Channel: "Microsoft-Windows-Diagnostics-Performance/Operational"
 Provider: Microsoft-Windows-Diagnostics-Performance

diff --git a/...lSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_39.map b/...lSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_39.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Session (Payload 1) has been disconnected by session (Payload 2)
+Description: Session (PayloadData1) has been disconnected by session (PayloadData2)
 EventId: 39
 Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
 Provider: Microsoft-Windows-TerminalServices-LocalSessionManager

diff --git a/...lSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_40.map b/...lSessionManager-Operational_Microsoft-Windows-TerminalServices-LocalSessionManager_40.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Session (Payload 1) has been disconnected, reason code (Payload 2)
+Description: Session (PayloadData1) has been disconnected, reason code (PayloadData2)
 EventId: 40
 Channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
 Provider: Microsoft-Windows-TerminalServices-LocalSessionManager

diff --git a/...vices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1029.map b/...vices-RDPClient-Operational_Microsoft-Windows-TerminalServices-ClientActiveXCore_1029.map
@@ -6,10 +6,10 @@ Provider: Microsoft-Windows-TerminalServices-ClientActiveXCore
 Maps: 
   - 
     Property: PayloadData1
-    PropertyValue: "Target (encoded): %Base64RDPUsernameHash%"
+    PropertyValue: "Target (encoded): %Base64RDPUserNameHash%"
     Values: 
       - 
-        Name: Base64RDPUsernameHash
+        Name: Base64RDPUserNameHash
         Value: "/Event/EventData/Data[@Name=\"TraceMessage\"]"
         Refine: "^[A-Za-z0-9+/=]*"
   - 

diff --git a/...onManager-Operational_Microsoft-Windows-TerminalServices-RemoteConnectionManager_1149.map b/...onManager-Operational_Microsoft-Windows-TerminalServices-RemoteConnectionManager_1149.map
@@ -5,7 +5,7 @@ Channel: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
 Provider: Microsoft-Windows-TerminalServices-RemoteConnectionManager
 Maps: 
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 

diff --git a/.../Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8000.map b/.../Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8000.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: WIFI connection was attempted.
+Description: WIFI connection was attempted
 EventId: 8000
 Channel: "Microsoft-Windows-WLAN-AutoConfig/Operational"
 Provider: Microsoft-Windows-WLAN-AutoConfig

diff --git a/.../Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8001.map b/.../Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8001.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: WIFI connection was successful.
+Description: WIFI connection was successful
 EventId: 8001
 Channel: "Microsoft-Windows-WLAN-AutoConfig/Operational"
 Provider: Microsoft-Windows-WLAN-AutoConfig

diff --git a/.../Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8002.map b/.../Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8002.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: WIFI connection was failed.
+Description: WIFI connection was failed
 EventId: 8002
 Channel: "Microsoft-Windows-WLAN-AutoConfig/Operational"
 Provider: Microsoft-Windows-WLAN-AutoConfig

diff --git a/.../Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8003.map b/.../Microsoft-Windows-WLAN-AutoConfig-Operational_Microsoft-Windows-WLAN-AutoConfig_8003.map
@@ -1,5 +1,5 @@
 Author: Hyun Yi @hyuunnn
-Description: WIFI connection was terminated.
+Description: WIFI connection was terminated
 EventId: 8003
 Channel: "Microsoft-Windows-WLAN-AutoConfig/Operational"
 Provider: Microsoft-Windows-WLAN-AutoConfig

diff --git a/evtx/Maps/Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5860.map b/evtx/Maps/Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-WMI-Activity_5860.map
@@ -1,5 +1,5 @@
 Author: Eric Zimmerman saericzimmerman@gmail.com
-Description: "Remote Desktop Services: Session logoff succeeded"
+Description: Remote Desktop Services: Session logoff succeeded
 EventId: 5860
 Channel: WMI Registration of Temporary Event Consumer
 Provider: Microsoft-Windows-WMI-Activity

diff --git a/evtx/Maps/Microsoft-Windows-WinRM-Operational_Microsoft-Windows-WinRM_169.map b/evtx/Maps/Microsoft-Windows-WinRM-Operational_Microsoft-Windows-WinRM_169.map
@@ -5,7 +5,7 @@ Channel: "Microsoft-Windows-WinRM/Operational"
 Provider: Microsoft-Windows-WinRM
 Maps:
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%username%"
     Values: 
       - 

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1002.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1002.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Warning - Scan stopped before completion.
+Description: Warning - Scan stopped before completion
 EventId: 1002
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1003.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1003.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Warning - Scan has been paused.
+Description: Warning - Scan has been paused
 EventId: 1003
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1004.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1004.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Scan has resumed.
+Description: Scan has resumed
 EventId: 1004
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1005.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1005.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Error - Scan has encountered an error and terminated.
+Description: Error - Scan has encountered an error and terminated
 EventId: 1005
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1006.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1006.map
@@ -1,5 +1,5 @@
 Author: Brian MacKenna
-Description:  Found - Malware or Potentially unwanted software.
+Description:  Found - Malware or Potentially unwanted software
 EventId: 1006
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1008.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1008.map
@@ -1,5 +1,5 @@
 Author: Brian MacKenna
-Description:  Error when taking action on malware or other potentially unwanted software.
+Description:  Error when taking action on malware or other potentially unwanted software
 EventId: 1008
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1011.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1011.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Defender has deleted an item from quarantine.
+Description: Defender has deleted an item from quarantine
 EventId: 1011
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1013.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1013.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Defender removed history of malware.
+Description: Defender removed history of malware
 EventId: 1013
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1116.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1116.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Detection - malware or other potentially unwanted software.
+Description: Detection - malware or other potentially unwanted software
 EventId: 1116
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1117.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1117.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Detection - taken action to protect this machine from malware or other potentially unwanted software.
+Description: Detection - taken action to protect this machine from malware or other potentially unwanted software
 EventId: 1117
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1150.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_1150.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Defender is up and running in a healthy state.
+Description: Defender is up and running in a healthy state
 EventId: 1150
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5000.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5000.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Real-time Protection was enabled.
+Description: Real-time Protection was enabled
 EventId: 5000
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5001.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5001.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Real-time Protection was disabled.
+Description: Real-time Protection was disabled
 EventId: 5001
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5007.map b/...icrosoft-Windows-Windows Defender-Operational_Microsoft-Windows-Windows Defender_5007.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: Defender configuration has changed.
+Description: Defender configuration has changed
 EventId: 5007
 Channel: Microsoft-Windows-Windows Defender/Operational
 Provider: Microsoft-Windows-Windows Defender

diff --git a/evtx/Maps/OpenSSH-Operational_OpenSSH_4.map b/evtx/Maps/OpenSSH-Operational_OpenSSH_4.map
@@ -1,5 +1,5 @@
 Author: Troy Larson
-Description: SSH activity.
+Description: SSH activity
 EventId: 4
 Channel: "OpenSSH/Operational"
 Provider: OpenSSH

diff --git a/evtx/Maps/Security_Microsoft-Windows-Eventlog_1102.map b/evtx/Maps/Security_Microsoft-Windows-Eventlog_1102.map
@@ -5,7 +5,7 @@ Channel: Security
 Provider: Microsoft-Windows-Eventlog
 Maps: 
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 

diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4608.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4608.map
@@ -5,7 +5,7 @@ Channel: Security
 Provider: "Microsoft-Windows-Security-Auditing"
 Maps: 
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 

diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4624.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4624.map
@@ -5,7 +5,7 @@ Channel: Security
 Provider: Microsoft-Windows-Security-Auditing
 Maps: 
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 

diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4625.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4625.map
@@ -5,7 +5,7 @@ Channel: Security
 Provider: Microsoft-Windows-Security-Auditing
 Maps: 
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 

diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4648.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4648.map
@@ -5,7 +5,7 @@ Channel: Security
 Provider: Microsoft-Windows-Security-Auditing
 Maps: 
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 

diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4661.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4661.map
@@ -5,7 +5,7 @@ Channel: Security
 Provider: Microsoft-Windows-Security-Auditing
 Maps: 
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 

diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4662.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4662.map
@@ -5,7 +5,7 @@ Channel: Security
 Provider: Microsoft-Windows-Security-Auditing
 Maps: 
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 

diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4663.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4663.map
@@ -5,7 +5,7 @@ Channel: Security
 Provider: Microsoft-Windows-Security-Auditing
 Maps: 
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%domain%\\%user%"
     Values: 
       - 

diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4672.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4672.map
@@ -5,7 +5,7 @@ Channel: Security
 Provider: Microsoft-Windows-Security-Auditing
 Maps: 
   - 
-    Property: Username
+    Property: UserName
     PropertyValue: "%domain%\\%user% (%sid%)"
     Values: 
       -