-
Notifications
You must be signed in to change notification settings - Fork 59
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #234 from randomaccess3/master
Screenconnect maps
- Loading branch information
Showing
4 changed files
with
221 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| Author: Phill Moore | ||
| Description: Session connected | ||
| EventId: 100 | ||
| Channel: Application | ||
| Provider: Screenconnect | ||
| Maps: | ||
| - | ||
| Property: ExecutableInfo | ||
| PropertyValue: "%ExecutablePath%" | ||
| Values: | ||
| - | ||
| Name: ExecutablePath | ||
| Value: "/Event/EventData/Data" | ||
| Refine: "Executable Path: (.*)" | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%message%" | ||
| Values: | ||
| - | ||
| Name: message | ||
| Value: "/Event/EventData/Data" | ||
| Refine: "^(.*)" | ||
|
|
||
| # Documentation: | ||
| # N/A if no link(s) can be found. One link per line, please. | ||
| # | ||
| # Example Event Data: | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="ScreenConnect" /> | ||
| # <EventID Qualifiers="0">100</EventID> | ||
| # <Version>0</Version> | ||
| # <Level>4</Level> | ||
| # <Task>0</Task> | ||
| # <Opcode>0</Opcode> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2024-02-26 03:25:21.6791347" /> | ||
| # <EventRecordID>55884</EventRecordID> | ||
| # <Correlation /> | ||
| # <Execution ProcessID="5316" ThreadID="0" /> | ||
| # <Channel>Application</Channel> | ||
| # <Computer>COMPUTER</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data>USERNAME Connected | ||
| # | ||
| # Version: 23.8.6.8735 | ||
| # Executable Path: C:\Program Files (x86)\ScreenConnect Client (XXXXX)\ScreenConnect.ClientService.exe | ||
| # </Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| Author: Phill Moore | ||
| Description: Session disconnected | ||
| EventId: 101 | ||
| Channel: Application | ||
| Provider: Screenconnect | ||
| Maps: | ||
| - | ||
| Property: ExecutableInfo | ||
| PropertyValue: "%ExecutablePath%" | ||
| Values: | ||
| - | ||
| Name: ExecutablePath | ||
| Value: "/Event/EventData/Data" | ||
| Refine: "Executable Path: (.*)" | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%message%" | ||
| Values: | ||
| - | ||
| Name: message | ||
| Value: "/Event/EventData/Data" | ||
| Refine: "^(.*)" | ||
|
|
||
| # Documentation: | ||
| # N/A if no link(s) can be found. One link per line, please. | ||
| # | ||
| # Example Event Data: | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="ScreenConnect" /> | ||
| # <EventID Qualifiers="0">101</EventID> | ||
| # <Version>0</Version> | ||
| # <Level>4</Level> | ||
| # <Task>0</Task> | ||
| # <Opcode>0</Opcode> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2024-02-26 05:30:16.9918361" /> | ||
| # <EventRecordID>55941</EventRecordID> | ||
| # <Correlation /> | ||
| # <Execution ProcessID="5064" ThreadID="0" /> | ||
| # <Channel>Application</Channel> | ||
| # <Computer>COMPUTER</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data>USER Disconnected | ||
| # | ||
| # Version: 23.8.6.8735 | ||
| # Executable Path: C:\Program Files (x86)\ScreenConnect Client (XXXXXXXXX)\ScreenConnect.ClientService.exe | ||
| # </Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| Author: Phill Moore | ||
| Description: Transferred files with action | ||
| EventId: 201 | ||
| Channel: Application | ||
| Provider: Screenconnect | ||
| Maps: | ||
| - | ||
| Property: ExecutableInfo | ||
| PropertyValue: "%ExecutablePath%" | ||
| Values: | ||
| - | ||
| Name: ExecutablePath | ||
| Value: "/Event/EventData/Data" | ||
| Refine: "Executable Path: (.*)" | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "Action: %action%" | ||
| Values: | ||
| - | ||
| Name: action | ||
| Value: "/Event/EventData/Data" | ||
| Refine: "'([^']*)':" | ||
| - | ||
| Property: PayloadData2 | ||
| PropertyValue: "Transferred File: %transferredFile%" | ||
| Values: | ||
| - | ||
| Name: transferredFile | ||
| Value: "/Event/EventData/Data" | ||
| Refine: "(?<=^.*(?:\r\n?|\n)).+" | ||
|
|
||
| # Documentation: | ||
| # N/A if no link(s) can be found. One link per line, please. | ||
| # | ||
| # Example Event Data: | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="ScreenConnect" /> | ||
| # <EventID Qualifiers="0">201</EventID> | ||
| # <Version>0</Version> | ||
| # <Level>4</Level> | ||
| # <Task>0</Task> | ||
| # <Opcode>0</Opcode> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2024-02-25 21:54:32.0244362" /> | ||
| # <EventRecordID>55737</EventRecordID> | ||
| # <Correlation /> | ||
| # <Execution ProcessID="5316" ThreadID="0" /> | ||
| # <Channel>Application</Channel> | ||
| # <Computer>COMPUTER</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data>Transferred files with action 'RunElevated': | ||
| # file.exe | ||
| # | ||
| # Version: 23.8.6.8735 | ||
| # Executable Path: C:\Program Files (x86)\ScreenConnect Client (XXXXXXXXX)\ScreenConnect.ClientService.exe | ||
| # </Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| Author: Phill Moore | ||
| Description: Screenconnect error - Your host has ended the remote session. | ||
| EventId: 30 | ||
| Channel: Application | ||
| Provider: Screenconnect | ||
| Maps: | ||
| - | ||
| Property: ExecutableInfo | ||
| PropertyValue: "%ExecutablePath%" | ||
| Values: | ||
| - | ||
| Name: ExecutablePath | ||
| Value: "/Event/EventData/Data" | ||
| Refine: "Executable Path: (.*)" | ||
| - | ||
| Property: PayloadData1 | ||
| PropertyValue: "%message%" | ||
| Values: | ||
| - | ||
| Name: message | ||
| Value: "/Event/EventData/Data" | ||
| Refine: "^(.*)" | ||
|
|
||
| # Documentation: | ||
| # N/A if no link(s) can be found. One link per line, please. | ||
| # | ||
| # Example Event Data: | ||
| # <Event> | ||
| # <System> | ||
| # <Provider Name="ScreenConnect" /> | ||
| # <EventID Qualifiers="0">30</EventID> | ||
| # <Version>0</Version> | ||
| # <Level>2</Level> | ||
| # <Task>0</Task> | ||
| # <Opcode>0</Opcode> | ||
| # <Keywords>0x80000000000000</Keywords> | ||
| # <TimeCreated SystemTime="2024-02-26 05:30:17.3931449" /> | ||
| # <EventRecordID>55944</EventRecordID> | ||
| # <Correlation /> | ||
| # <Execution ProcessID="5064" ThreadID="0" /> | ||
| # <Channel>Application</Channel> | ||
| # <Computer>COMPUTER</Computer> | ||
| # <Security /> | ||
| # </System> | ||
| # <EventData> | ||
| # <Data>Your host has ended the remote session. This application will now close. | ||
| # | ||
| # Version: 23.8.6.8735 | ||
| # Executable Path: C:\Program Files (x86)\ScreenConnect Client (XXXXXXXXX)\ScreenConnect.ClientService.exe | ||
| # </Data> | ||
| # <Binary></Binary> | ||
| # </EventData> | ||
| # </Event> |