Windows Event 4738 mapping
I wanted to share my conditionalmap for Windows 2008 event ID 4738. This will help in parsing the User Account Control information into something usable.
#Event id 4738
conditionalmap.mappings.event.deviceCustomString3=__ifThenElse(__regexToken(__replaceAll(__stringTrim(Changed Attributes:User Account Control),"\\s+","||"),(%%2060)),"%%2060","Smartcard Required Disabled","")
conditionalmap.mappings.event.deviceCustomString3Label=__stringConstant(User Account Control)
This takes the data in User Account Control, looks for the %%2060 information, and writes back, in human words, the action that was taken on the user account. In this case it's Smartcard Disabled. You could change the %%2060 and add other User Account Control information.
You just have to add this to a file named security.sdkkeyvaluefilereader.properties, then put the file in fcp/windowsfg/windows_2008.
You could do the same with Windows 2012; here is the mapping number for the exact same event in Windows 2012:
There you go... and have fun.
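As an added illustration (not part of the post above, and not ArcSight's own code), the following Python emulates what the posted conditionalmap chain does to the 4738 "User Account Control" field, and then generalizes it so that every %%-token in the field is translated rather than only one. The Python helpers are assumed approximations of the ArcSight operations (__stringTrim, __replaceAll, __regexToken returning the first capture group or an empty string, __ifThenElse comparing for equality); the only token label taken from the post is %%2060 = "Smartcard Required Disabled", and the sample field values below are constructed, not captured from a real event.

```python
import re

# Label table for the %%-tokens Windows puts in the "User Account Control"
# field of event 4738. Only %%2060 comes from the post above; extend this
# dict from the Windows documentation for the other codes (assumption: other
# codes are left as-is until you add them here).
UAC_LABELS = {
    "%%2060": "Smartcard Required Disabled",
}

# --- Python stand-ins for the ArcSight operations used in the mapping ---
def string_trim(value: str) -> str:
    """Emulates __stringTrim: strip leading/trailing whitespace."""
    return value.strip()

def replace_all(value: str, pattern: str, replacement: str) -> str:
    """Emulates __replaceAll: regex replace of every match."""
    return re.sub(pattern, replacement, value)

def regex_token(value: str, pattern: str) -> str:
    """Emulates __regexToken: first capture group of the first match,
    or an empty string when the pattern does not match (assumed semantics)."""
    match = re.search(pattern, value)
    return match.group(1) if match else ""

def if_then_else(value: str, expected: str, if_true: str, if_false: str) -> str:
    """Emulates __ifThenElse: equality test, pick one of two results."""
    return if_true if value == expected else if_false

def posted_mapping(uac_field: str) -> str:
    """The exact chain from the post: only %%2060 is recognized, anything
    else (including a field with several tokens but no %%2060) yields ""."""
    collapsed = replace_all(string_trim(uac_field), r"\s+", "||")
    token = regex_token(collapsed, r"(%%2060)")
    return if_then_else(token, "%%2060", "Smartcard Required Disabled", "")

def decode_uac(uac_field: str) -> str:
    """Generalized version: translate every token in the field, keep unknown
    tokens verbatim, and join the results with the same '||' separator the
    posted mapping uses. The '-' Windows shows for an unchanged attribute
    passes through untouched."""
    tokens = [t for t in re.split(r"\s+", uac_field.strip()) if t]
    return "||".join(UAC_LABELS.get(t, t) for t in tokens)

if __name__ == "__main__":
    # Constructed sample field values, not real event data.
    for sample in ["\t%%2060\t", "%%2048  %%2060", "-", ""]:
        print(repr(sample), "->", repr(posted_mapping(sample)),
              "|", repr(decode_uac(sample)))
```

The second function is what you would want in deviceCustomString3 once more than one code matters: a single event 4738 can carry several %%-tokens at once, and the posted one-token __ifThenElse silently returns an empty string for any field that does not contain %%2060 even when other flags changed.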