Standardization of Map Naming Convention, Update README

evtx/Maps/!!!!README.md

@@ -88,21 +88,23 @@ It is that simple! Be sure to surround things in double quotes and/or escape quo
 
 NOTE! The filenames for maps should be in the following format:
 
-Channel_EventID.map
+Channel-Name_Provider-Name_EventID.map
 
-Where Channel is EXACTLY what is in the XML <Channel> element with any '/' characters replaced with an underscore.
+Where Channel is EXACTLY what is in the XML <Channel> element with any '/' characters, hyphens, or spaces replaced with a hyphen. Hyphens are the catch all for each element of the map filename. 
 
-For example, for Event ID '201' and Channel 'Microsoft-Windows-TaskScheduler/Operational' the file should be named:
+Only underscores should separate each element (Channel Name, Provider Name, EventID). Hyphens separates words. Underscores separate elements. 
 
-`Microsoft-Windows-TaskScheduler_Operational_201.map`
+For example, for Event ID '201' and Channel 'Microsoft-Windows-TaskScheduler/Operational' the file should be named:
 
-As of v06 or so, you can also add optional properties `Provider` and `Lookups`
+`Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-TaskScheduler_201.map`
 
-Provider is used at the header level and looks like this:
+`Provider` is now mandatory. Provider is used at the header level and looks like this:
 
 `Provider: "Microsoft-Windows-Power-Troubleshooter"`
 
-This lets you further narrow down when a map will be used. See System_1.map for an example.
+This lets you further narrow down when a map will be used. Every map will have a working example of this now.
+
+As of v06 or so, you can also add optional properties such as `Lookups`.
 
 Lookups allow you to define lookup tables that match one value and replace them with another. Here is an example, also from System_1.map:
 
@@ -211,4 +213,4 @@ This also allows you to update default maps without having your customizations b
 
 TIPS:
 
-If you are looking to make an Application.evtx map, please includence a Provider as they are many instances where the same event ID number is used for multiple providers. I've personally observed 4 Providers use Event ID 1 which without a Provider being listed for that map it made all 4 events, regardless of Provider, be mapped incorrectly. When in doubt, add a Provider to your map. Follow a template from a previously created map to ensure it's made correctly.add
+If you are looking to make an Application.evtx map, please include a Provider as they are many instances where the same event ID number is used for multiple providers. I've personally observed 4 Providers use Event ID 1 which without a Provider being listed for that map it made all 4 events, regardless of Provider, be mapped incorrectly. When in doubt, add a Provider to your map. Follow a template from a previously created map to ensure it's made correctly.add

evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2048.map → evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2048.map

@@ -1,37 +1,37 @@
-Author: Mike Brewer 
-Description: Cisco AnyConnect VPN encrypted connection type
-EventId: 2048
-Channel: "Cisco AnyConnect Secure Mobility Client"
-Provider: acvpnagent
-Maps: 
-  - 
-    Property: PayloadData1
-    PropertyValue: "%PayloadData1%"
-    Values: 
-      - 
-        Name: PayloadData1
-        Value: "/Event/EventData/Data"
-        Refine: "(?<=, )[^,\\d]+(?=,)"
-
-# Valid properties include:
-# 
-# PayloadData1
-
-# <Event>
-  # <System>
-    # <Provider Name="acvpnagent" />
-    # <EventID Qualifiers="25600">2048</EventID>
-    # <Level>4</Level>
-    # <Task>0</Task>
-    # <Keywords>0x80000000000000</Keywords>
-    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
-    # <EventRecordID>32685</EventRecordID>
-    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
-    # <Computer>My-Laptop123.domain.local</Computer>
-    # <Security />
-  # </System>
-    # <EventData>
-      #<Data>A SSL connection has been established using cipher AES256-SHA256</Data>
-        # <Binary></Binary>
-        # </EventData>
-    # </Event>
+Author: Mike Brewer 
+Description: Cisco AnyConnect VPN encrypted connection type
+EventId: 2048
+Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
+Maps: 
+  - 
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values: 
+      - 
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+        Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+# 
+# PayloadData1
+
+# <Event>
+  # <System>
+    # <Provider Name="acvpnagent" />
+    # <EventID Qualifiers="25600">2048</EventID>
+    # <Level>4</Level>
+    # <Task>0</Task>
+    # <Keywords>0x80000000000000</Keywords>
+    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
+    # <EventRecordID>32685</EventRecordID>
+    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
+    # <Computer>My-Laptop123.domain.local</Computer>
+    # <Security />
+  # </System>
+    # <EventData>
+      #<Data>A SSL connection has been established using cipher AES256-SHA256</Data>
+        # <Binary></Binary>
+        # </EventData>
+    # </Event>

evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-2086.map → evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpnagent_2086.map

@@ -1,37 +1,37 @@
-Author: Mike Brewer 
-Description: Cisco AnyConnect VPN reading host's IP 
-EventId: 2085
-Channel: "Cisco AnyConnect Secure Mobility Client"
-Provider: acvpnagent
-Maps: 
-  - 
-    Property: PayloadData1
-    PropertyValue: "%PayloadData1%"
-    Values: 
-      - 
-        Name: PayloadData1
-        Value: "/Event/EventData/Data"
-        Refine: "(?<=, )[^,\\d]+(?=,)"
-
-# Valid properties include:
-# 
-# PayloadData1
-
-# <Event>
-  # <System>
-    # <Provider Name="acvpnagent" />
-    # <EventID Qualifiers="25600">2085</EventID>
-    # <Level>4</Level>
-    # <Task>0</Task>
-    # <Keywords>0x80000000000000</Keywords>
-    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
-    # <EventRecordID>32628</EventRecordID>
-    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
-    # <Computer>My-Laptop123.domain.local</Computer>
-    # <Security />
-  # </System>
-    # <EventData>
-      #<Data>The client's public address is now set to 192.168.1.235</Data>
-        # <Binary></Binary>
-        # </EventData>
-    # </Event>
+Author: Mike Brewer 
+Description: Cisco AnyConnect VPN reading host's IP 
+EventId: 2085
+Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpnagent
+Maps: 
+  - 
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values: 
+      - 
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+        Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+# 
+# PayloadData1
+
+# <Event>
+  # <System>
+    # <Provider Name="acvpnagent" />
+    # <EventID Qualifiers="25600">2085</EventID>
+    # <Level>4</Level>
+    # <Task>0</Task>
+    # <Keywords>0x80000000000000</Keywords>
+    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
+    # <EventRecordID>32628</EventRecordID>
+    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
+    # <Computer>My-Laptop123.domain.local</Computer>
+    # <Security />
+  # </System>
+    # <EventData>
+      #<Data>The client's public address is now set to 192.168.1.235</Data>
+        # <Binary></Binary>
+        # </EventData>
+    # </Event>

evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client-5005.map → evtx/Maps/Cisco-AnyConnect-Secure-Mobility-Client_acvpndownloader_5005.map

@@ -1,37 +1,37 @@
-Author: Mike Brewer 
-Description: Cisco AnyConnect VPN connecting to target gateway X
-EventId: 5005
-Channel: "Cisco AnyConnect Secure Mobility Client"
-Provider: acvpndownloader
-Maps: 
-  - 
-    Property: PayloadData1
-    PropertyValue: "%PayloadData1%"
-    Values: 
-      - 
-        Name: PayloadData1
-        Value: "/Event/EventData/Data"
-        Refine: "(?<=, )[^,\\d]+(?=,)"
-
-# Valid properties include:
-# 
-# PayloadData1
-
-# <Event>
-  # <System>
-    # <Provider Name="acvpndownloader" />
-    # <EventID Qualifiers="25600">5005</EventID>
-    # <Level>4</Level>
-    # <Task>0</Task>
-    # <Keywords>0x80000000000000</Keywords>
-    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
-    # <EventRecordID>32628</EventRecordID>
-    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
-    # <Computer>My-Laptop123.domain.local</Computer>
-    # <Security />
-  # </System>
-    # <EventData>
-      #<Data>Connecting to mdgegtwy1.acme.com.</Data>
-        # <Binary></Binary>
-        # </EventData>
+Author: Mike Brewer 
+Description: Cisco AnyConnect VPN connecting to target gateway X
+EventId: 5005
+Channel: "Cisco AnyConnect Secure Mobility Client"
+Provider: acvpndownloader
+Maps: 
+  - 
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values: 
+      - 
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+        Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Valid properties include:
+# 
+# PayloadData1
+
+# <Event>
+  # <System>
+    # <Provider Name="acvpndownloader" />
+    # <EventID Qualifiers="25600">5005</EventID>
+    # <Level>4</Level>
+    # <Task>0</Task>
+    # <Keywords>0x80000000000000</Keywords>
+    # <TimeCreated SystemTime="2020-04-14 15:35:05.9153410" />
+    # <EventRecordID>32628</EventRecordID>
+    # <Channel>Cisco AnyConnect Secure Mobility Client</Channel>
+    # <Computer>My-Laptop123.domain.local</Computer>
+    # <Security />
+  # </System>
+    # <EventData>
+      #<Data>Connecting to mdgegtwy1.acme.com.</Data>
+        # <Binary></Binary>
+        # </EventData>
     # </Event>

evtx/Maps/Security_4799.map → evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4799.map

@@ -1,5 +1,5 @@
 Author: Andrew Rathbun
-Description:  A security-enabled local group membership was enumerated 
+Description: A security-enabled local group membership was enumerated 
 EventId: 4799
 Channel: Security
 Provider: Microsoft-Windows-Security-Auditing

evtx/Maps/System_10000.map → evtx/Maps/System_Microsoft-Windows-DriverFrameworks-UserMode_10000.map

@@ -3,7 +3,6 @@ Description: Device driver was installed. (Device was connected.)
 EventId: 10000
 Channel: "System"
 Provider: "Microsoft-Windows-DriverFrameworks-UserMode"
-Provider: Microsoft-Windows-DriverFrameworks-UserMode
 Maps:
   -
     Property: PayloadData1