## What's Changed
- New maps by @barrie0482 in #3
- Create OAlerts_300.map by @Lennaert89 in #5
- Create LICENSE by @EricZimmerman in #8
- bunch of new maps by @mpilking in #9
- Add new maps by @mark-hallman in #10
- Fix typo within "[...]-5861.map" by @qlemaire in #12
- Update Security_4648.map - Corrected PayloadData2/3 by @bmackalicious in #13
- Update Security_4634.map by @bmackalicious in #14
- Update Microsoft-Windows-TaskScheduler_Operational_200.map by @randomaccess3 in #17
- 1006-Threat Found and 1008-Error removing Threat by @bmackalicious in #19
- New 400,403,600 Maps for Windows PowerShell by @bmackalicious in #21
- Update 4624/4625 maps to include process name by @chadtilbury in #24
- Map Microsoft-Windows-Partition%4Diagnostic.evtx for EventID 1006 by @mark-hallman in #25
- Cisco AnyConnect Maps by @michealb401 in #27
- Update map by @esecrpm in #29
- Minor corrections by @AndrewRathbun in #30
- Create Sysmon maps, update README, etc by @AndrewRathbun in #31
- new maps by @forensenellanebbia in #32
- Modify Sysmon Event ID 5, create Sysmon Event IDs 10 and 11 by @AndrewRathbun in #33
- Add Sysmon Event IDs 2, 3, and 6. Various minor fixes. by @AndrewRathbun in #34
- Add Sysmon Event IDs 7, 8, 12, 13, 15, 19, 20, 21, 22, and 23 by @AndrewRathbun in #35
- Update Application-Sophos-Alert_42.map by @AndrewRathbun in #36
- Update Application-Audit-CVE_1.map by @AndrewRathbun in #37
- add new maps by @hyuunnn in #38
- add new maps by @hyuunnn in #40
- New maps, various fixes by @AndrewRathbun in #41
- Various fixes by @AndrewRathbun in #42
- New maps by @AndrewRathbun in #43
- New maps, various fixes by @AndrewRathbun in #44
- add new maps by @hyuunnn in #45
- add new maps by @hyuunnn in #46
- Update Sysmon Logs by @AndrewRathbun in #48
- Standardize Providers in all maps by @AndrewRathbun in #49
- Create Microsoft-DriverFrameworks-UserMode_2100.map by @AndrewRathbun in #50
- Standardization of Map Naming Convention, Update README by @AndrewRathbun in #51
- Standardized all maps. Added Documentation. by @AndrewRathbun in #52
- Rename/Standardize Microsoft-Windows-WPD-MTPClassDriver 1005 by @AndrewRathbun in #53
- Minor tweaks and standardization fixes by @AndrewRathbun in #54
- Rename map by @AndrewRathbun in #55
- Add documentation by @AndrewRathbun in #56
- Update filename by @AndrewRathbun in #57
- New maps for Citrix events by @forensenellanebbia in #58
- Added LogonIDs and ActivityIDs by @forensenellanebbia in #59
- Standardization and Documentation Updates by @AndrewRathbun in #60
- Update Documentation and Event Examples by @AndrewRathbun in #61
- Standardization Updates and Examples Added by @AndrewRathbun in #62
- Add maps, update existing by @AndrewRathbun in #63
- Fixing a missing quote in description by @anelshaer in #65
- New maps, update maps, and add documentation by @AndrewRathbun in #66
- 4625: added lookups for failure reasons by @forensenellanebbia in #67
- add new map by @hyuunnn in #68
- add new maps by @hyuunnn in #69
- Update filenames, new maps, minor fixes, etc by @AndrewRathbun in #70
- New map, add documentation by @AndrewRathbun in #72
- Create Security_Microsoft-Windows-Security-Auditing_4656.map by @AndrewRathbun in #73
- BITS maps by @forensenellanebbia in #74
- fix maps by @hyuunnn in #75
- New maps, update existing, update guide by @AndrewRathbun in #76
- Minor corrections by @AndrewRathbun in #77
- add maps by @hyuunnn in #78
- add maps by @hyuunnn in #79
- add new maps by @hyuunnn in #80
- Add new maps by @AndrewRathbun in #81
- Add new maps by @AndrewRathbun in #82
- Add new maps by @AndrewRathbun in #83
- Add new maps, minor fixes by @AndrewRathbun in #84
- Create Microsoft-Windows-TaskScheduler-Operational_Microsoft-Windows-… by @AndrewRathbun in #85
- Add Varonis Maps by @AndrewRathbun in #86
- Add new maps by @AndrewRathbun in #87
- Update Microsoft-Windows-Kernel-PnP-Configuration_Microsoft-Windows-K… by @AndrewRathbun in #88
- Add new maps, minor fixes, added documentation by @AndrewRathbun in #89
- Add new maps, minor updates by @AndrewRathbun in #91
- Update Sysmon Documentation by @AndrewRathbun in #92
- Fix Map Descriptions by @AndrewRathbun in #93
- Update maps by @AndrewRathbun in #94
- Fix Filenames by @AndrewRathbun in #95
- Fix Filenames by @AndrewRathbun in #96
- ID 6416 Audit PNP Activity by @forensenellanebbia in #97
- Create Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_151.map by @AndrewRathbun in #100
- Create Microsoft-Windows-Ntfs-Operational_Ntfs_55.map by @hyuunnn in #101
- Update mapping on various Maps for better readability during analysis by @AndrewRathbun in #102
- Update Security_Microsoft-Windows-Security-Auditing_5156.map by @AndrewRathbun in #103
- Update YAML by @AndrewRathbun in #104
- YAML fixes by @AndrewRathbun in #105
- Update PULL_REQUEST_TEMPLATE.md by @AndrewRathbun in #106
- Minor fixes by @AndrewRathbun in #107
- Update documentation/description by @AndrewRathbun in #108
- New maps by @AndrewRathbun in #109
- Add/Update Symantec Maps by @AndrewRathbun in #110
- Add CrowdStrike Maps by @AndrewRathbun in #111
- Create Microsoft-Windows-SMBServer-Audit_Microsoft-Windows-SMBServer_… by @AndrewRathbun in #112
- Modify Firewall_2006.map output by @AndrewRathbun in #113
- Create adPWDManager_adPWDManager_110.map by @AndrewRathbun in #114
- Create Microsoft-Windows-WER-Diag-Operational_Microsoft-Windows-WER-D… by @AndrewRathbun in #115
- Create Security_Microsoft-Windows-Security-Auditing_4674.map by @AndrewRathbun in #116
- Update Guide/Template with XPATH documentation, examples, etc by @AndrewRathbun in #117
- New System map, updated System map by @AndrewRathbun in #119
- Add new System:7040 map by @AndrewRathbun in #120
- Update issue templates (s/KAPE/evtx) by @Karneades in #121
- Update issue templates by @Karneades in #123
- Fix regex in EventRecord to fix missing event data by @Karneades in #122
- Add OAlerts Maps from Phill Moore by @AndrewRathbun in #125
- Create System_Service-LsaSrv_40960.map by @AndrewRathbun in #126
- Create System_LsaSrv_45057.map by @AndrewRathbun in #127
- Add Lookup Tables to Many Security Events by @AndrewRathbun in #128
- Fix regex in EventRecord class to prevent the removal of relevant data by @Karneades in #124
- Create Microsoft-Windows-PowerShell-Operational_Microsoft-Windows-PowerShell_4103.map by @AndrewRathbun in #129
- Create System_Application-Popup_26.map by @AndrewRathbun in #130
- Create SMBServer-Operational:1020, update Security:5145 and 5140 by @AndrewRathbun in #131
- Fix Bits Maps output and lint issues by @AndrewRathbun in #132
- Create Microsoft-Windows-Sysmon-Operational_Microsoft-Windows-Sysmon_… by @AndrewRathbun in #135
- Added Cylance Alerts for Events 1 and 2 by @AndrewRathbun in #137
- Add SMB Server 551 Map, and fix lookup tables by @AndrewRathbun in #138
- Update Maps by @AndrewRathbun in #139
- Update Sysmon Maps by @AndrewRathbun in #140
- Create TerminalServices-Gateway Maps by @AndrewRathbun in #141
- Create Microsoft-Windows-TerminalServices-Gateway-Operational_Microso… by @AndrewRathbun in #142
- Add Reason Codes to TS-LSM:40 Map by @AndrewRathbun in #143
- Minor Map Description fixes by @AndrewRathbun in #144
- Use standard .NET libraries instead of windows only libraries by @Eran-YT in #145
- Add new SMBServer Maps by @AndrewRathbun in #146
- Remove trailing spaces by @AndrewRathbun in #147
- Create Application_CarbonBlackDefense_17.map by @RandyRandleman in #148
- splashtop by @randomaccess3 in #149
- Add Maps for DCOM:10028, PowerShell:4100, and SMBClient\Connectivity:30807 by @AndrewRathbun in #150
- Update Microsoft-Windows-PowerShell-Operational_Microsoft-Windows-PowerShell_4100.map by @AndrewRathbun in #151
- Update PULL_REQUEST_TEMPLATE.md by @AndrewRathbun in #152
- Update Security_Microsoft-Windows-Security-Auditing_4701.map by @AndrewRathbun in #153
- Create Microsoft-Windows-PrintService-Operational_Microsoft-Windows-P… by @AndrewRathbun in #154
- Update PrintService_307.map by @esecrpm in #155
- Create System_TermDD_56.map by @RandyRandleman in #156
- Modified Firewall Event Log by @RandyRandleman in #157
- New Cisco AnyConnect/DHCP, updated PrintService maps by @esecrpm in #158
- Update README.md by @AndrewRathbun in #159
- S1 by @RandyRandleman in #160
- Sentinel One by @RandyRandleman in #161
- Create Security_Microsoft-Windows-Security-Auditing_4797.map by @AndrewRathbun in #162
- Update Security_Microsoft-Windows-Security-Auditing_4776.map by @AndrewRathbun in #163
- Update Bits:3 Map by @AndrewRathbun in #164
- Create Security_Microsoft-Windows-Security-Auditing_4728.map by @CluelessAtCoding in #165
- Fix 551 Map for SMB by @AndrewRathbun in #166
- Update documentation by @AndrewRathbun in #167
- Add CbDefense Maps by @AndrewRathbun in #168
- 5 maps for submission by @PJSnyder in #169
- Create Security_Microsoft-Windows-Security-Auditing_4743.map by @AndrewRathbun in #170
- Update Sysmon events with User fields by @AndrewRathbun in #171
- Update Security_Microsoft-Windows-Security-Auditing_4688.map by @AndrewRathbun in #172
- Update Security_Microsoft-Windows-Security-Auditing_4625.map by @AndrewRathbun in #173
- BITS 64 by @RandyRandleman in #174
- Add .NET 6 support by @Eran-YT in #175
- Update Microsoft-Windows-Partition-Diagnostic_Microsoft-Windows-Parti… by @chadtilbury in #176
- Create Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClie… by @CluelessAtCoding in #177
- Added Application_MsiInstaller_1040 and 1042 by @AndrewRathbun in #178
- Jball77/515 x by @jball77-git in #180
- Create Application_Symantec_4003.map by @HSICFA in #182
- Create System_Microsoft-Windows-GroupPolicy_1130.map by @HSICFA in #183
- Update !Channel-Name_Provider-Name_EventID.guide by @AndrewRathbun in #184
- update Regex for Application 1040 and 1042 by @AndrewRathbun in #185
- Update Security_Microsoft-Windows-Security-Auditing_4688.map by @esecrpm in #186
- Moved 5 files to Maps folder by @dfirdetective in #187
- Create Application_Microsoft-Windows-Winsrv_10001.map by @RandyRandleman in #188
- suggested change as file name != executable name by @randomaccess3 in #189
- Add new Splashtop Maps, update old Splashtop Maps by @AndrewRathbun in #190
- Added a lookup for firewall rules direction by @forensenellanebbia in #191
- Create Microsoft-Windows-WMI-Activity-Operational_Microsoft-Windows-W… by @CluelessAtCoding in #192
- GPO by @RandyRandleman in #196
- YAML linter fixes by @AndrewRathbun in #197
- Performance Operational Degradation by @RandyRandleman in #198
- Update Microsoft-Windows-TerminalServices-RDPClient-Operational_Micro… by @forensenellanebbia in #199
- Deletion of old VHDMP maps and upload of new legacy/current maps by @forensenellanebbia in #200
- New maps by @forensenellanebbia in #201
- Minor updates of 1006-4624-4648-5379-30807 by @forensenellanebbia in #202
- New maps for NTDS/Computer account creation/MSSQLSERVER events by @forensenellanebbia in #203
- Create Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational_… by @AndrewRathbun in #204
- Update Security and RdpCoreTS documentation by @AndrewRathbun in #205
- Update documentation for 280ish Maps by @AndrewRathbun in #206
- Fixed Channel and Description by @esecrpm in #207
- Sysmon 27 FileBlockExecutable by @forensenellanebbia in #209
- Create Microsoft-Windows-Windows-Firewall-With-Advanced-Security-Fire… by @AndrewRathbun in #210
- replaced deadlink by @randomaccess3 in #211
- Fix MS-W-TS-Gateway-Op-* RemoteHost field by @austinlg96 in #212
- Event 4625 - Update of Codes by @CluelessAtCoding in #213
- Bump Newtonsoft.Json from 13.0.1 to 13.0.2 in /EvtxECmd by @dependabot in #214
- remove spaces to be consistent with System:1 by @AndrewRathbun in #216
- Create Application_ESENT_216.map by @AndrewRathbun in #217
- Create Microsoft-Windows-Windows-Defender-Operational_Microsoft-Windo… by @AndrewRathbun in #219
- Create PowerShellCore-Operational_PowerShellCore_4104.map by @AndrewRathbun in #220
- add CiscoSecureEndpoint Maps (100,1300,1310) by @AndrewRathbun in #221
- Update verify.yml - v2 to v3 by @AndrewRathbun in #222
- kaspersky av logs by @randomaccess3 in #218
- Update and rename Microsoft-Windows-Hyper-V-VMMS-Admin_Microsoft-Wind… by @randomaccess3 in #223
- update dependencies by @AndrewRathbun in #225
## New Contributors
- @barrie0482 made their first contribution in #3
- @Lennaert89 made their first contribution in #5
- @EricZimmerman made their first contribution in #8
- @mpilking made their first contribution in #9
- @mark-hallman made their first contribution in #10
- @qlemaire made their first contribution in #12
- @bmackalicious made their first contribution in #13
- @randomaccess3 made their first contribution in #17
- @chadtilbury made their first contribution in #24
- @michealb401 made their first contribution in #27
- @esecrpm made their first contribution in #29
- @AndrewRathbun made their first contribution in #30
- @forensenellanebbia made their first contribution in #32
- @hyuunnn made their first contribution in #38
- @anelshaer made their first contribution in #65
- @Karneades made their first contribution in #121
- @Eran-YT made their first contribution in #145
- @RandyRandleman made their first contribution in #148
- @CluelessAtCoding made their first contribution in #165
- @PJSnyder made their first contribution in #169
- @jball77-git made their first contribution in #180
- @HSICFA made their first contribution in #182
- @dfirdetective made their first contribution in #187
- @austinlg96 made their first contribution in #212
- @dependabot made their first contribution in #214
Full Changelog: https://github.com/EricZimmerman/evtx/commits/1.2.0