diff --git a/evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4004.map b/evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4004.map
new file mode 100644
index 00000000..91240410
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4004.map
@@ -0,0 +1,82 @@
+Author: Tony Knutson
+Description: Starting manual processing of policy for COMPUTER
+EventId: 4004
+Channel: Microsoft-Windows-GroupPolicy/Operational
+Provider: Microsoft-Windows-GroupPolicy
+Maps:
+
+ -
+ Property: UserName
+ PropertyValue: "%PrincipalSamName%"
+ Values:
+ -
+ Name: PrincipalSamName
+ Value: "/Event/EventData/Data[@Name=\"PrincipalSamName\"]"
+ -
+ Property: PayloadData1
+ PropertyValue: "DomainJoined: %IsDomainJoined%"
+ Values:
+ -
+ Name: IsDomainJoined
+ Value: "/Event/EventData/Data[@Name=\"IsDomainJoined\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "BackgroundProcessing: %IsBackgroundProcessing%"
+ Values:
+ -
+ Name: IsBackgroundProcessing
+ Value: "/Event/EventData/Data[@Name=\"IsBackgroundProcessing\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "AsyncProcessing: %IsAsyncProcessing%"
+ Values:
+ -
+ Name: IsAsyncProcessing
+ Value: "/Event/EventData/Data[@Name=\"IsAsyncProcessing\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "ServiceRestart: %IsServiceRestart%"
+ Values:
+ -
+ Name: IsServiceRestart
+ Value: "/Event/EventData/Data[@Name=\"IsServiceRestart\"]"
+ -
+ Property: PayloadData5
+ PropertyValue: "Reasonforsyncing: %ReasonForSyncProcessing%"
+ Values:
+ -
+ Name: ReasonForSyncProcessing
+ Value: "/Event/EventData/Data[@Name=\"ReasonForSyncProcessing\"]"
+
+# Documentation:
+# Starting manual processing of policy for computer {PrincipalSamName}. Activity id: {PolicyActivityId}
+#
+# Example Event Data:
+#
+#
+#
+# 4004
+# 1
+# 4
+# 0
+# 1
+# 0x4000000000000000
+#
+# 512864
+#
+#
+# Microsoft-Windows-GroupPolicy/Operational
+# COMPUTER
+#
+#
+#
+# {41242399-fbd6-42f2-a8ce-48300011574d}
+# USERNAME
+# 1
+# true
+# true
+# false
+# false
+# 0
+#
+#
diff --git a/evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4005.map b/evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4005.map
new file mode 100644
index 00000000..8a6e9aff
--- /dev/null
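Review bot: PolicyActivityId, which the Documentation line in this hunk shows as part of the rendered event text and which the example data appears to carry as the GUID value, is not extracted by any map entry, so a 4004 start record cannot be correlated with its matching end event from the EvtxECmd output alone. A sixth payload entry closes that gap; the added entry is shown below. Separately, the PayloadData5 label `Reasonforsyncing:` breaks the CamelCase convention of the other labels in this file; `PropertyValue: "ReasonForSyncProcessing: %ReasonForSyncProcessing%"` reads consistently with `DomainJoined:` and `BackgroundProcessing:`. The 4005 map in the next hunk has both points.
```yaml
# … unchanged: UserName and PayloadData1–PayloadData5 entries …
  -
    Property: PayloadData6
    PropertyValue: "ActivityId: %PolicyActivityId%"
    Values:
      -
        Name: PolicyActivityId
        Value: "/Event/EventData/Data[@Name=\"PolicyActivityId\"]"
```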
+++ b/evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4005.map
@@ -0,0 +1,82 @@
+Author: Tony Knutson
+Description: Starting manual processing of policy for USER
+EventId: 4005
+Channel: Microsoft-Windows-GroupPolicy/Operational
+Provider: Microsoft-Windows-GroupPolicy
+Maps:
+
+ -
+ Property: UserName
+ PropertyValue: "%PrincipalSamName%"
+ Values:
+ -
+ Name: PrincipalSamName
+ Value: "/Event/EventData/Data[@Name=\"PrincipalSamName\"]"
+ -
+ Property: PayloadData1
+ PropertyValue: "DomainJoined: %IsDomainJoined%"
+ Values:
+ -
+ Name: IsDomainJoined
+ Value: "/Event/EventData/Data[@Name=\"IsDomainJoined\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "BackgroundProcessing: %IsBackgroundProcessing%"
+ Values:
+ -
+ Name: IsBackgroundProcessing
+ Value: "/Event/EventData/Data[@Name=\"IsBackgroundProcessing\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "AsyncProcessing: %IsAsyncProcessing%"
+ Values:
+ -
+ Name: IsAsyncProcessing
+ Value: "/Event/EventData/Data[@Name=\"IsAsyncProcessing\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "ServiceRestart: %IsServiceRestart%"
+ Values:
+ -
+ Name: IsServiceRestart
+ Value: "/Event/EventData/Data[@Name=\"IsServiceRestart\"]"
+ -
+ Property: PayloadData5
+ PropertyValue: "Reasonforsyncing: %ReasonForSyncProcessing%"
+ Values:
+ -
+ Name: ReasonForSyncProcessing
+ Value: "/Event/EventData/Data[@Name=\"ReasonForSyncProcessing\"]"
+
+# Documentation:
+# Starting manual processing of policy for user {PrincipalSamName}. Activity id: {PolicyActivityId}
+#
+# Example Event Data:
+#
+#
+#
+# 4005
+# 1
+# 4
+# 0
+# 1
+# 0x4000000000000000
+#
+# 511656
+#
+#
+# Microsoft-Windows-GroupPolicy/Operational
+# COMPUTER NAME
+#
+#
+#
+# {384ca94a-510c-4ce3-b104-9ef593805492}
+# USERNAME
+# 0
+# false
+# true
+# false
+# false
+# 0
+#
+#
diff --git a/evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4016.map b/evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4016.map
new file mode 100644
index 00000000..a50100bb
--- /dev/null
+++ b/evtx/Maps/Microsoft-Windows-Group-Policy-Operational_Microsoft-Windows-GroupPolicy_4016.map
@@ -0,0 +1,68 @@
+Author: Tony Knutson
+Description: List of applicable Group Policy objects
+EventId: 4016
+Channel: Microsoft-Windows-GroupPolicy/Operational
+Provider: Microsoft-Windows-GroupPolicy
+Maps:
+
+ -
+ Property: PayloadData1
+ PropertyValue: "GPO Title: %DescriptionString%"
+ Values:
+ -
+ Name: DescriptionString
+ Value: "/Event/EventData/Data[@Name=\"DescriptionString\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "GPO List: %ApplicableGPOList%"
+ Values:
+ -
+ Name: ApplicableGPOList
+ Value: "/Event/EventData/Data[@Name=\"ApplicableGPOList\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "GPOChange: %IsGPOListChanged%"
+ Values:
+ -
+ Name: IsGPOListChanged
+ Value: "/Event/EventData/Data[@Name=\"IsGPOListChanged\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "CSEExtensionName: %CSEExtensionName%"
+ Values:
+ -
+ Name: CSEExtensionName
+ Value: "/Event/EventData/Data[@Name=\"CSEExtensionName\"]"
+
+# Documentation:
+# Events 4016 and 5016 show the start and end of processing of groups of policies, including how long it took to apply each one in the end event.
+# https://itworldjd.wordpress.com/2014/03/10/gpo-troubleshooting-using-log-files-on-win7-and-win-2008-r2/
+#
+# Example Event Data:
+#
+#
+#
+# 4016
+# 0
+# 4
+# 0
+# 1
+# 0x4000000000000000
+#
+# 515206
+#
+#
+# Microsoft-Windows-GroupPolicy/Operational
+# COMPUTER
+#
+#
+#
+# {35378eac-683f-11d2-a89a-00c04fbbcfa2}
+# Registry
+# false
+# true
+# %%4102
+# GPO TITLE
+#
+#-
+#
+# 4017
+# 0
+# 4
+# 0
+# 0
+# 0x4000000000000000
+#
+# 513752
+#
+#
+# Microsoft-Windows-GroupPolicy/Operational
+# COMPUTER NAME
+#
+#
+#-
+# %%4119
+# DOMAIN
+#
+#
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5379.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5379.map
new file mode 100644
index 00000000..4e2ffddb
--- /dev/null
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_5379.map
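Review bot: The second example event in this file's comment block has EventID 4017, not 4016, so it does not illustrate the fields this map extracts and will mislead anyone checking the XPath names against the sample; either drop it or introduce it with a comment such as `# Related 4017 event (not mapped by this file):`. The hunk header declares 68 added lines while the body carries 87, a difference that matches the length of that 4017 block, which may be a rendering artifact but is worth checking before merge. One of the 4016 example values is the resource reference `%%4102` rather than a GPO name, which suggests `DescriptionString` (PayloadData1, labelled `GPO Title:`) is a message-table string; confirm against a rendered event before keeping that label.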
@@ -0,0 +1,79 @@
+Author: Tony Knutson
+Description: Credential Manager credentials were read
+EventId: 5379
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+ -
+ Property: ExecutableInfo
+ PropertyValue: "%TargetName%"
+ Values:
+ -
+ Name: TargetName
+ Value: "/Event/EventData/Data[@Name=\"TargetName\"]"
+ -
+ Property: UserName
+ PropertyValue: "%SubjectUserName%"
+ Values:
+ -
+ Name: SubjectUserName
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+ -
+ Property: PayloadData1
+ PropertyValue: "SID: %SubjectUserSid%"
+ Values:
+ -
+ Name: SubjectUserSid
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "Domain: %SubjectDomainName%"
+ Values:
+ -
+ Name: SubjectDomainName
+ Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "LogonID: %SubjectLogonId%"
+ Values:
+ -
+ Name: SubjectLogonId
+ Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+
+
+#Documentation:
+#https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5379
+#https://www.socinvestigation.com/windows-event-id-5379-to-detect-malicious-password-protected-file-unlock/
+#
+#Example Event Data:
+#-
+# -
+#
+# 5379
+# 0
+# 0
+# 13824
+# 0
+# 0x8020000000000000
+#
+# 772430
+#
+#
+# Security
+# COMPUTER NAME
+#
+#
+#-
+# SID
+# Username
+# Domain
+# 0x3e7
+# TARGET
+# 0
+# 0
+# %%8100
+# 3221226021
+# YYYY-MM-DD hh:mm:ssZ
+# 1448
+#
+#
diff --git a/evtx/Maps/System_Microsoft-GroupPolicy_1129.map b/evtx/Maps/System_Microsoft-GroupPolicy_1129.map
new file mode 100644
index 00000000..e9a7ce4c
--- /dev/null
+++ b/evtx/Maps/System_Microsoft-GroupPolicy_1129.map
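Review bot: Mapping `TargetName` onto `ExecutableInfo` puts a Credential Manager target (a host, URL or account label) into the column that EvtxECmd output is typically used for process and command-line information, so timeline filters on that column across event types will pick up non-process strings; a labelled PayloadData entry keeps the value without that overloading. The trailing `3221226021` and `1448` values in the example look like the event's ReturnCode and ClientProcessId, which are exactly what an analyst needs to tell a successful credential read from a failed lookup and to attribute the read to a process, yet neither is captured. The rewritten tail of the Maps list is shown below; the `PayloadData4` label and the two new entries are the only changes.
```yaml
# … unchanged: UserName and PayloadData1–PayloadData3 entries …
  -
    Property: PayloadData4
    PropertyValue: "Target: %TargetName%"
    Values:
      -
        Name: TargetName
        Value: "/Event/EventData/Data[@Name=\"TargetName\"]"
  -
    Property: PayloadData5
    PropertyValue: "ReturnCode: %ReturnCode%"
    Values:
      -
        Name: ReturnCode
        Value: "/Event/EventData/Data[@Name=\"ReturnCode\"]"
  -
    Property: PayloadData6
    PropertyValue: "ClientPID: %ClientProcessId%"
    Values:
      -
        Name: ClientProcessId
        Value: "/Event/EventData/Data[@Name=\"ClientProcessId\"]"
```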
@@ -0,0 +1,45 @@
+Author: Tony Knutson
+Description: Absence of network connectivity
+EventId: 1129
+Channel: System
+Provider: Microsoft-Windows-GroupPolicy
+Maps:
+
+ -
+ Property: PayloadData1
+ PropertyValue: "%ErrorDescription%"
+ Values:
+ -
+ Name: ErrorDescription
+ Value: "/Event/EventData/Data[@Name=\"ErrorDescription\"]"
+
+# Documentation:
+# https://social.technet.microsoft.com/wiki/contents/articles/1416.event-id-1129-microsoft-windows-grouppolicy.aspx
+#
+# Example Event Data:
+#
+#
+#
+# 1129
+# 0
+# 2
+# 0
+# 0
+# 0x8000000000000000
+#
+# 72378
+#
+#
+# System
+# COMPUTER
+#
+#
+#
+# 1
+# 2057
+# 0
+# 15000
+# 1222
+# The network is not present or not started.
+#
+#
diff --git a/evtx/Maps/System_Microsoft-Windows-GroupPolicy_1500.map b/evtx/Maps/System_Microsoft-Windows-GroupPolicy_1500.map
new file mode 100644
index 00000000..d6c28669
--- /dev/null
+++ b/evtx/Maps/System_Microsoft-Windows-GroupPolicy_1500.map
@@ -0,0 +1,44 @@
+Author: Tony Knutson
+Description: Group Policy Settings processed successfully for COMPUTER
+EventId: 1500
+Channel: System
+Provider: Microsoft-Windows-GroupPolicy
+Maps:
+
+ -
+ Property: PayloadData1
+ PropertyValue: "%DCName%"
+ Values:
+ -
+ Name: DCName
+ Value: "/Event/EventData/Data[@Name=\"DCName\"]"
+
+# Documentation:
+# https://intelligentsystemsmonitoring.com/knowledgebase/windows-operating-system/event-id-application-of-group-policy-16706/#:~:text=Group%20Policy%20uses%20the%20information,sharing%20the%20previous%20collected%20information
+#
+# Example Event Data:
+#
+#
+#
+# 1500
+# 0
+# 4
+# 0
+# 1
+# 0x8000000000000000
+#
+# 49779
+#
+#
+# System
+# COMPUTER NAME
+#
+#
+#
+# 1
+# 4292
+# 0
+# 11797
+# DOMAIN ATTEMPTING TO JOIN
+#
+#
diff --git a/evtx/Maps/System_Microsoft-Windows-GroupPolicy_1501.map b/evtx/Maps/System_Microsoft-Windows-GroupPolicy_1501.map
new file mode 100644
index 00000000..6c9b3974
--- /dev/null
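Review bot: The new file is named `System_Microsoft-GroupPolicy_1129.map` while its `Provider:` line reads `Microsoft-Windows-GroupPolicy` and the sibling 1500/1501 maps in this commit are named `System_Microsoft-Windows-GroupPolicy_<id>.map`; renaming it to `System_Microsoft-Windows-GroupPolicy_1129.map` keeps the channel_provider_eventid naming consistent and makes the map sort next to the others. Nothing else in the hunk needs changing: the single unlabelled `%ErrorDescription%` payload is self-describing, as the example text `The network is not present or not started.` shows.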
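Review bot: In the 1500 map `PayloadData1` is the bare `%DCName%` with no label, unlike the labelled payloads elsewhere in this commit (`DomainJoined: …`, `GPO List: …`), so the output column shows a hostname with nothing saying it is the domain controller that served the policy; `PropertyValue: "DC: %DCName%"` fixes that. The 1501 map in the next hunk has the same unlabelled entry. The Documentation URL carries a `#:~:text=` text-fragment suffix, which is harmless but fragile; the plain page URL would be the more durable reference.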
@@ -0,0 +1,44 @@
+Author: Tony Knutson
+Description: Group Policy Settings processed successfully for USER
+EventId: 1501
+Channel: System
+Provider: Microsoft-Windows-GroupPolicy
+Maps:
+
+ -
+ Property: PayloadData1
+ PropertyValue: "%DCName%"
+ Values:
+ -
+ Name: DCName
+ Value: "/Event/EventData/Data[@Name=\"DCName\"]"
+
+# Documentation:
+# https://kb.eventtracker.com/evtpass/evtpages/EventId_1501_Microsoft-Windows-GroupPolicy_62070.asp#:~:text=The%20Group%20Policy%20settings%20for,successful%20processing%20of%20Group%20Policy.
+#
+# Example Event Data:
+#
+#
+#
+# 1501
+# 0
+# 4
+# 0
+# 1
+# 0x8000000000000000
+#
+# 64750
+#
+#
+# System
+# COMPUTER NAME
+#
+#
+#
+# 1
+# 4292
+# 0
+# 7579
+# DOMAIN NAME
+#
+#