From f9427534b20677cc1d4da2c0bfee2d5bf22f415f Mon Sep 17 00:00:00 2001
From: reece394 <31659691+reece394@users.noreply.github.com>
Date: Fri, 31 May 2024 22:33:54 +0100
Subject: [PATCH 1/2] System Name Changed Map

---
 evtx/Maps/System_EventLog_6011.map | 47 ++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 evtx/Maps/System_EventLog_6011.map

diff --git a/evtx/Maps/System_EventLog_6011.map b/evtx/Maps/System_EventLog_6011.map
new file mode 100644
index 0000000..a92523a
--- /dev/null
+++ b/evtx/Maps/System_EventLog_6011.map
@@ -0,0 +1,47 @@
+Author: Reece394
+Description: System Name Changed
+EventId: 6011
+Channel: System
+Provider: EventLog
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "The NetBIOS name and DNS host name of this machine have been changed from %OriginalName% to %NewName%"
+    Values:
+      -
+        Name: OriginalName
+        Value: "/Event/EventData/Data"
+        Refine: "^(.*?)(?=,|$)"
+      -
+        Name: NewName
+        Value: "/Event/EventData/Data"
+        Refine: "(?<=, ).*"
+
+# Documentation:
+# http://eventopedia.cloudapp.net/EventDetails.aspx?id=a4c6ad3e-0b56-40ea-aa6d-c84adcf24897
+# https://community.spiceworks.com/t/finding-old-computer-name-from-dc/826502
+# https://learn.microsoft.com/en-us/answers/questions/1060679/recall-previous-device-names-on-endpoint-manager
+#
+# Example Event Data:
+#<Event>
+#  <System>
+#    <Provider Name="EventLog" />
+#    <EventID Qualifiers="32768">6011</EventID>
+#    <Version>0</Version>
+#    <Level>4</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x80000000000000</Keywords>
+#    <TimeCreated SystemTime="2024-05-28 00:46:49.8687258" />
+#    <EventRecordID>148</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="2592" ThreadID="2676" />
+#    <Channel>System</Channel>
+#    <Computer>DESKTOP-F3BMVE4</Computer>
+#    <Security />
+#  </System>
+#  <EventData>
+#    <Data>WIN-76PGSVBIM7I, DESKTOP-F3BMVE4</Data>
+#    <Binary></Binary>
+#  </EventData>
+#</Event>

From 43af558309577d4cfc0af30192c40ac2990e612f Mon Sep 17 00:00:00 2001
From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com>
Date: Sun, 2 Jun 2024 08:33:05 -0400
Subject: [PATCH 2/2] Update System_EventLog_6011.map

fix comment spacing issue
---
 evtx/Maps/System_EventLog_6011.map | 44 +++++++++++++++---------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/evtx/Maps/System_EventLog_6011.map b/evtx/Maps/System_EventLog_6011.map
index a92523a..c3f6cde 100644
--- a/evtx/Maps/System_EventLog_6011.map
+++ b/evtx/Maps/System_EventLog_6011.map
@@ -23,25 +23,25 @@ Maps:
 # https://learn.microsoft.com/en-us/answers/questions/1060679/recall-previous-device-names-on-endpoint-manager
 #
 # Example Event Data:
-#<Event>
-#  <System>
-#    <Provider Name="EventLog" />
-#    <EventID Qualifiers="32768">6011</EventID>
-#    <Version>0</Version>
-#    <Level>4</Level>
-#    <Task>0</Task>
-#    <Opcode>0</Opcode>
-#    <Keywords>0x80000000000000</Keywords>
-#    <TimeCreated SystemTime="2024-05-28 00:46:49.8687258" />
-#    <EventRecordID>148</EventRecordID>
-#    <Correlation />
-#    <Execution ProcessID="2592" ThreadID="2676" />
-#    <Channel>System</Channel>
-#    <Computer>DESKTOP-F3BMVE4</Computer>
-#    <Security />
-#  </System>
-#  <EventData>
-#    <Data>WIN-76PGSVBIM7I, DESKTOP-F3BMVE4</Data>
-#    <Binary></Binary>
-#  </EventData>
-#</Event>
+# <Event>
+#   <System>
+#     <Provider Name="EventLog" />
+#     <EventID Qualifiers="32768">6011</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2024-05-28 00:46:49.8687258" />
+#     <EventRecordID>148</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="2592" ThreadID="2676" />
+#     <Channel>System</Channel>
+#     <Computer>DESKTOP-F3BMVE4</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>WIN-76PGSVBIM7I, DESKTOP-F3BMVE4</Data>
+#     <Binary></Binary>
+#   </EventData>
+# </Event>