diff --git a/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_104.map b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_104.map
new file mode 100644
index 00000000..c0613ee5
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_Microsoft-Windows-RemoteDesktopServices-RdpCoreTS_104.map
@@ -0,0 +1,36 @@
+Author: Andrew Rathbun
+Description: Client timezone bias from UTC
+EventId: 104
+Channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
+Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "TimeZoneBias: %TimezoneBiasHour%"
+ Values:
+ -
+ Name: TimezoneBiasHour
+ Value: "/Event/EventData/Data[@Name=\"TimezoneBiasHour\"]"
+
+# Documentation:
+#
+#
+#
+# 104
+# 0
+# 4
+# 4
+# 15
+# 0x4000000000000000
+#
+# 147284
+#
+#
+# Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
+# HOSTNAME.domain
+#
+#
+#
+# [-7]
+#
+#
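Review bot: The `Description` line and the `# Documentation:` block give an analyst no unit, sign convention or provenance for `TimezoneBiasHour`, so the `PayloadData1` output `TimeZoneBias: -7` is easy to over-read. I would spell the unit out, e.g. `Description: Client timezone bias from UTC, in hours, as reported by the connecting RDP client`. If the bias is supplied by the client, as the description and field name suggest, it can be set arbitrarily on the connecting side. A comment such as `# TimezoneBiasHour is client-reported; corroborate with source IP and logon events before using it for attribution` belongs in the Documentation block. The map extracts only this one field, so tying the value to a specific session presumably depends on timestamp proximity to neighbouring RdpCoreTS events, which is also worth a line there.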