From 78beb8a18b059a222f49e88a61901fd2c729763d Mon Sep 17 00:00:00 2001
From: Eamon Walsh
Date: Wed, 6 Mar 2024 12:25:00 -0500
Subject: [PATCH] Combine PowerShell Logs into a single artifact

---
 artifacts/data/windows.yaml | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/artifacts/data/windows.yaml b/artifacts/data/windows.yaml
index f85ed591..68c5dd8d 100644
--- a/artifacts/data/windows.yaml
+++ b/artifacts/data/windows.yaml
@@ -3545,20 +3545,10 @@ sources:
 - type: FILE
   attributes:
     paths:
-    - '%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx'
     - '%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx'
-    separator: '\'
-supported_os: [Windows]
-urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
----
-name: WindowsPowerShellLogs2
-doc: Windows PowerShell Logs Part 2
-sources:
-- type: FILE
-  attributes:
-    paths:
-    - '%%environ_systemroot%%\System32\winevt\Logs\Windows PowerShell.evtx'
+    - '%%environ_systemroot%%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx'
     - '%%environ_systemroot%%\System32\winevt\Logs\PowerShellCore Operational.evtx'
+    - '%%environ_systemroot%%\System32\winevt\Logs\Windows PowerShell.evtx'
     separator: '\'
 supported_os: [Windows]
 urls: ['https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html']
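Review bot: Deleting the `WindowsPowerShellLogs2` document (the removed `name:` line in the hunk) drops an artifact name with no visible alias or replacement, so any ARTIFACT_GROUP elsewhere in this file or any downstream collector configuration that still lists `WindowsPowerShellLogs2` will no longer resolve it; the change should be paired with a repository-wide check for that name, or the commit message should state that the name is retired. The surviving artifact's `name:` and `doc:` lines sit above the hunk, so if its doc still describes itself as one part of a split it needs the matching wording update. The merged paths list itself looks sound: all four `.evtx` entries stay single-quoted, which keeps the `%4` channel-name encoding and the space-containing file names intact for the YAML parser.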