From a741e3f956a69ad752cd12a81616d2e65b7fa02a Mon Sep 17 00:00:00 2001
From: CluelessAtCoding <github@esupport-it.com>
Date: Thu, 25 Nov 2021 14:13:37 +0000
Subject: [PATCH 1/2] Create
 Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClient_31010.map

---
 ...rity_Microsoft-Windows-SMBClient_31010.map | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 evtx/Maps/Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClient_31010.map

diff --git a/evtx/Maps/Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClient_31010.map b/evtx/Maps/Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClient_31010.map
new file mode 100644
index 00000000..1f09a279
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClient_31010.map
@@ -0,0 +1,58 @@
+Author: Paul Elliott
+Description: The SMB client failed to connect to the share
+EventId: 31010
+Channel: "Microsoft-Windows-SmbClient/Security"
+Provider: Microsoft-Windows-SMBClient
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "Share Name: %ShareName%"
+    Values:
+      -
+        Name: ShareName
+        Value: "/Event/EventData/Data[@Name=\"ShareName\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "Reason: %Reason%"
+    Values:
+      -
+        Name: Reason
+        Value: "/Event/EventData/Data[@Name=\"Reason\"]"
+
+Lookups:
+  -
+    Name: Reason
+    Default: Unknown code
+    Values:
+      12: Access Denied.
+
+# Documentation:
+# 
+#
+# Example Event Data:
+#  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#    <Provider Name="Microsoft-Windows-SMBClient" Guid="{988c59c5-0a1c-45b6-a555-0c62276e327d}" />
+#    <EventID>31010</EventID>
+#    <Version>0</Version>
+#    <Level>2</Level>
+#    <Task>0</Task>
+#    <Opcode>0</Opcode>
+#    <Keywords>0x200000000000100</Keywords>
+#    <TimeCreated SystemTime="1999-12-31T23:59:59.6168183Z" />
+#    <EventRecordID>123456</EventRecordID>
+#    <Correlation />
+#    <Execution ProcessID="0" ThreadID="0" />
+#    <Channel>Microsoft-Windows-SmbClient/Security</Channel>
+#    <Computer>machine.domain.tld</Computer>
+#    <Security />
+#   </System>
+#   <EventData>
+#    <Data Name="Reason">12</Data>
+#    <Data Name="Status">3221225506</Data>
+#    <Data Name="ShareNameLength">17</Data>
+#    <Data Name="ShareName">\fileserver\share</Data>
+#    <Data Name="ObjectNameLength">0</Data>
+#    <Data Name="ObjectName" />
+#   </EventData>
+#  </Event>

From a1f072c458f7a3d1b508e3608d8b763d06a597f6 Mon Sep 17 00:00:00 2001
From: CluelessAtCoding <github@esupport-it.com>
Date: Thu, 25 Nov 2021 14:32:24 +0000
Subject: [PATCH 2/2] Update
 Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClient_31010.map

---
 ...ows-SmbClient-Security_Microsoft-Windows-SMBClient_31010.map | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/evtx/Maps/Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClient_31010.map b/evtx/Maps/Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClient_31010.map
index 1f09a279..1307073b 100644
--- a/evtx/Maps/Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClient_31010.map
+++ b/evtx/Maps/Microsoft-Windows-SmbClient-Security_Microsoft-Windows-SMBClient_31010.map
@@ -27,7 +27,7 @@ Lookups:
       12: Access Denied.
 
 # Documentation:
-# 
+#
 #
 # Example Event Data:
 #  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">