WINC Conditional Mappings

I have a problem mapping more info from event ID 400 (PowerShell Version).

Raw Event: {"System":{"EventId":"400","Version":"","Channel":"Windows PowerShell","ProviderName":"PowerShell","Computer":"COMPUTERNAME","EventRecordID":"3628","Keywords":"Classic","Level":"Information","Opcode":"","Task":"Engine Lifecycle","ProcessID":"","ThreadID":"","TimeCreated":"1522976977881","UserId":""},"EventData":{"%1":"Available","%2":"None","%3":"\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=000000000\n\tEngineVersion=2.0\n\tRunspaceId=000000000\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="}}

I tried using a conditional map, but I'm not sure I'm doing this correctly.

current\user\agent\fcp\winc\windows_powershell\powershell.sdkkeyvaluefilereader.properties
# PowerShell Version Number
# flexString1 carries the value taken from the EngineVersion token
conditionalmap[0].mappings[92].event.flexString1=EngineVersion
# flexString1Label carries the display label for that flex field (a constant, not a token)
conditionalmap[0].mappings[92].event.flexString1Label=__stringConstant(PowerShell Engine Version)

Anyone have any ideas? I would greatly appreciate it!

  • If my issue is too specific, perhaps someone can provide some more general info.

    PowerShell log aside, does anyone have any detail on how to do this for an event out of the Security event log? Say I wanted to add an event that isn't parsed by default, how would I go about doing that for WINC?
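To check what the conditional map for event 400 would actually have to extract, here is an added Python example (not part of the post or of the WINC connector) that parses the tab-indented key=value body in EventData "%3" from the raw event above and emulates the intended flexString1/flexString1Label mapping; the sample event and the legacy-engine check are constructed for illustration.

```python
import json

# Constructed sample: the Windows PowerShell event ID 400 from the post,
# trimmed to the fields the mapping needs. The "%3" body is a string of
# tab-indented key=value lines separated by newlines.
RAW_EVENT = (
    '{"System":{"EventId":"400","Channel":"Windows PowerShell",'
    '"ProviderName":"PowerShell","Computer":"COMPUTERNAME",'
    '"TimeCreated":"1522976977881"},'
    '"EventData":{"%1":"Available","%2":"None","%3":'
    '"\\tNewEngineState=Available\\n\\tPreviousEngineState=None\\n\\n'
    '\\tSequenceNumber=9\\n\\n\\tHostName=ConsoleHost\\n\\tHostVersion=2.0\\n'
    '\\tHostId=000000000\\n\\tEngineVersion=2.0\\n\\tRunspaceId=000000000\\n'
    '\\tPipelineId=\\n\\tCommandName=\\n\\tCommandType=\\n\\tScriptName=\\n'
    '\\tCommandPath=\\n\\tCommandLine="}}'
)


def parse_engine_lifecycle(message: str) -> dict:
    """Split the %3 body into a dict of tokens; empty values are kept as ''."""
    fields = {}
    for line in message.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue  # blank separator lines carry no data
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def engine_version_mapping(raw_event: str) -> dict:
    """Emulate the conditional map: only event 400 yields the engine
    version; any other event ID maps nothing."""
    event = json.loads(raw_event)
    if event["System"].get("EventId") != "400":
        return {}
    fields = parse_engine_lifecycle(event["EventData"].get("%3", ""))
    return {
        "flexString1": fields.get("EngineVersion", ""),
        "flexString1Label": "PowerShell Engine Version",
        "hostVersion": fields.get("HostVersion", ""),
    }


def is_legacy_engine(mapped: dict) -> bool:
    """Defender's use of the mapped field (assumption: the environment has
    retired PowerShell 2.0, so a 2.x engine start is worth an alert)."""
    return mapped.get("flexString1", "").startswith("2.")
```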