diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4733.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4733.map
new file mode 100644
index 00000000..ef0b933b
--- /dev/null
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4733.map
@@ -0,0 +1,96 @@
+Author: Andrew Rathbun
+Description: A member was removed from a security-enabled local group
+EventId: 4733
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+ -
+ Property: UserName
+ PropertyValue: "%domain%\\%user% (%sid%)"
+ Values:
+ -
+ Name: domain
+ Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+ -
+ Name: user
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+ -
+ Name: sid
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+ -
+ Property: PayloadData1
+ PropertyValue: "Target: %TargetDomainName%\\%TargetUserName% (%TargetSid%)"
+ Values:
+ -
+ Name: TargetUserName
+ Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+ -
+ Name: TargetDomainName
+ Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
+ -
+ Name: TargetSid
+ Value: "/Event/EventData/Data[@Name=\"TargetSid\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "SubjectLogonId: %SubjectLogonId%"
+ Values:
+ -
+ Name: SubjectLogonId
+ Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "MemberName: %MemberName%"
+ Values:
+ -
+ Name: MemberName
+ Value: "/Event/EventData/Data[@Name=\"MemberName\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "MemberSid: %MemberSid%"
+ Values:
+ -
+ Name: MemberSid
+ Value: "/Event/EventData/Data[@Name=\"MemberSid\"]"
+ -
+ Property: PayloadData5
+ PropertyValue: "PrivilegeList: %PrivilegeList%"
+ Values:
+ -
+ Name: PrivilegeList
+ Value: "/Event/EventData/Data[@Name=\"PrivilegeList\"]"
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4733
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4733
+#
+# Example Event Data:
+#
+#
+# 4733
+# 0
+# 0
+# 13826
+# 0
+# 0x8020000000000000
+#
+# 175037
+#
+#
+# Security
+# DC01.contoso.local
+#
+#
+#
+# CN=Auditor,CN=Users,DC=contoso,DC=local
+# S-1-5-21-3457937927-2839227994-823803824-2104
+#
AccountOperators
+# CONTOSO
+# S-1-5-21-3457937927-2839227994-823803824-6605
+# S-1-5-21-3457937927-2839227994-823803824-1104
+# dadmin
+# CONTOSO
+# 0x35e38
+# -
+#
+#
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4781.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4781.map
new file mode 100644
index 00000000..ffd8002f
--- /dev/null
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4781.map
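Review bot: PayloadData3 prints `MemberName` verbatim, and the example event at the end of this hunk shows that for 4733 the field carries an LDAP distinguished name (`CN=Auditor,CN=Users,DC=contoso,DC=local`) rather than the `DOMAIN\user (SID)` shape used for Subject and Target in UserName and PayloadData1, so the column will not read like its neighbours. If I read Microsoft's 4733 page (linked in the map) correctly, the member name may also not be captured at all and then shows as `-`, leaving `MemberSid` in PayloadData4 as the only reliable identifier of the removed member. A one-line comment above the PayloadData3 entry would save analysts that lookup, e.g. `# MemberName is a distinguished name and may be "-"; MemberSid (PayloadData4) is the stable identifier`. The other maps in this commit do not use MemberName, so the note is only needed here.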
@@ -0,0 +1,82 @@
+Author: Andrew Rathbun
+Description: The name of an account was changed
+EventId: 4781
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+ -
+ Property: UserName
+ PropertyValue: "%domain%\\%user% (%sid%)"
+ Values:
+ -
+ Name: domain
+ Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+ -
+ Name: user
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+ -
+ Name: sid
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+ -
+ Property: PayloadData1
+ PropertyValue: "OldTargetUserName: %OldTargetUserName%"
+ Values:
+ -
+ Name: OldTargetUserName
+ Value: "/Event/EventData/Data[@Name=\"OldTargetUserName\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "NewTargetUserName: %NewTargetUserName%"
+ Values:
+ -
+ Name: NewTargetUserName
+ Value: "/Event/EventData/Data[@Name=\"NewTargetUserName\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "TargetDomainName: %TargetDomainName%"
+ Values:
+ -
+ Name: TargetDomainName
+ Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "TargetSid: %TargetSid%"
+ Values:
+ -
+ Name: TargetSid
+ Value: "/Event/EventData/Data[@Name=\"TargetSid\"]"
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4781
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4781
+#
+# Example Event Data:
+#
+#
+# 4781
+# 0
+# 0
+# 13784
+# 0
+# 0x8020000000000000
+#
+# 210012591
+#
+#
+# Security
+# hostname
+#
+#
+#
+# Administrators
+# Administrators
+# Builtin
+# S-1-5-32-123
+# S-1-5-18
+# username
+# domain
+# 0x3E7
+# -
+#
+#
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4782.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4782.map
new file mode 100644
index 00000000..59c0139f
--- /dev/null
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4782.map
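Review bot: The 4781 map stops at PayloadData4 (`TargetSid`) and never surfaces `SubjectLogonId`, although the example event at the end of the hunk carries it (`0x3E7`) and the sibling 4733, 4782 and 4793 maps in this commit all expose it as a PayloadData column. That value is the key for tying an account rename back to the actor's logon session, so an analyst pivoting from this row loses the correlation the other maps provide. A fifth entry mirroring the others closes the gap: `Property: PayloadData5` / `PropertyValue: "SubjectLogonId: %SubjectLogonId%"` with `Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"`. The example block also uses placeholder values (`hostname`, `username`, `domain`, `S-1-5-32-123`) unlike the contoso samples in the other maps; a comment saying the sample is synthetic would stop readers treating those as real field formats.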
@@ -0,0 +1,69 @@
+Author: Andrew Rathbun
+Description: The password hash of an account was accessed
+EventId: 4782
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+ -
+ Property: UserName
+ PropertyValue: "%domain%\\%user% (%sid%)"
+ Values:
+ -
+ Name: domain
+ Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+ -
+ Name: user
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+ -
+ Name: sid
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+ -
+ Property: PayloadData1
+ PropertyValue: "Target: %TargetDomainName%\\%TargetUserName%"
+ Values:
+ -
+ Name: TargetUserName
+ Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+ -
+ Name: TargetDomainName
+ Value: "/Event/EventData/Data[@Name=\"TargetDomainName\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "SubjectLogonId: %SubjectLogonId%"
+ Values:
+ -
+ Name: SubjectLogonId
+ Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4782
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4782
+#
+# Example Event Data:
+#
+#
+#
+# 4782
+# 0
+# 0
+# 13829
+# 0
+# 0x8020000000000000
+#
+# 174829
+#
+#
+# Security
+# DC01.contoso.local
+#
+#
+#
+# Andrei
+# CONTOSO
+# S-1-5-18
+# DC01$
+# CONTOSO
+# 0x3e7
+#
+#
diff --git a/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4793.map b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4793.map
new file mode 100644
index 00000000..82eab0d8
--- /dev/null
+++ b/evtx/Maps/Security_Microsoft-Windows-Security-Auditing_4793.map
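Review bot: The map's `Description` is the only context a reader gets for 4782, and the example event at the end of the hunk shows the Subject as the domain controller's own machine account (`DC01$`, SID `S-1-5-18`) with logon id `0x3e7`, not an interactive user, which a reader of "the password hash of an account was accessed" would not expect. As I recall Microsoft's linked page, this event is raised on domain controllers in the context of account password migration, so a system-context subject is the normal case rather than a finding in itself. A short comment under the Documentation links, e.g. `# Subject is usually the DC/system context; see Microsoft page for when this event is generated`, would steer triage correctly. The hunk maps every field the sample carries, so nothing else is missing.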
@@ -0,0 +1,80 @@
+Author: Andrew Rathbun
+Description: The Password Policy Checking API was called
+EventId: 4793
+Channel: Security
+Provider: Microsoft-Windows-Security-Auditing
+Maps:
+ -
+ Property: UserName
+ PropertyValue: "%domain%\\%user% (%sid%)"
+ Values:
+ -
+ Name: domain
+ Value: "/Event/EventData/Data[@Name=\"SubjectDomainName\"]"
+ -
+ Name: user
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserName\"]"
+ -
+ Name: sid
+ Value: "/Event/EventData/Data[@Name=\"SubjectUserSid\"]"
+ -
+ Property: PayloadData1
+ PropertyValue: "Target: %TargetUserName%"
+ Values:
+ -
+ Name: TargetUserName
+ Value: "/Event/EventData/Data[@Name=\"TargetUserName\"]"
+ -
+ Property: PayloadData2
+ PropertyValue: "Workstation: %Workstation%"
+ Values:
+ -
+ Name: Workstation
+ Value: "/Event/EventData/Data[@Name=\"Workstation\"]"
+ -
+ Property: PayloadData3
+ PropertyValue: "Status: %Status%"
+ Values:
+ -
+ Name: Status
+ Value: "/Event/EventData/Data[@Name=\"Status\"]"
+ -
+ Property: PayloadData4
+ PropertyValue: "SubjectLogonId: %SubjectLogonId%"
+ Values:
+ -
+ Name: SubjectLogonId
+ Value: "/Event/EventData/Data[@Name=\"SubjectLogonId\"]"
+
+# Documentation:
+# https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4793
+# https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4793
+#
+# Example Event Data:
+#
+#
+# 4793
+# 0
+# 0
+# 13829
+# 0
+# 0x8020000000000000
+#
+# 172342
+#
+#
+# Security
+# DC01.contoso.local
+#
+#
+#
+# S-1-5-21-3457937927-2839227994-823803824-1104
+# dadmin
+# CONTOSO
+# 0x36f67
+# DC01
+# -
+# 0x0
+#
+#
diff --git a/evtx/Maps/System_Service-Control-Manager_7036.map b/evtx/Maps/System_Service-Control-Manager_7036.map
index 220929ad..e13208d6 100644
--- a/evtx/Maps/System_Service-Control-Manager_7036.map
+++ b/evtx/Maps/System_Service-Control-Manager_7036.map
@@ -6,7 +6,7 @@ Provider: Service Control Manager Maps: - Property: PayloadData1 - PropertyValue: "Name: %ServiceName%%ServiceName2%" #This is a special case in that data may exist in several forms. Here we look for both and use the one we find. =) + PropertyValue: "Name: %ServiceName% | %ServiceName2%" #This is a special case in that data may exist in several forms. Here we look for both and use the one we find. =) Values: - Name: ServiceName
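Review bot: The new `PropertyValue` puts a literal ` | ` between `%ServiceName%` and `%ServiceName2%`, yet the inline comment on the same line says only one of the two forms is expected to exist in any given event, so the rendered column will presumably read `Name: svc | ` or `Name:  | svc` with a dangling separator whenever the other XPath matches nothing (this depends on how EvtxECmd substitutes an unmatched value, which is not visible here). If the bar is intended to make visible which data layout the event used, say so in the comment, e.g. `# the empty side of " | " shows which of the two data layouts this event used`; otherwise the previous concatenated form avoided the stray bar. The Values list continues past the end of the hunk, so the second XPath has not been reviewed.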