added new section

windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md

@@ -1,16 +1,16 @@
 ---
-title: How to get a list of XML elements in <EventData> (Windows 10)
-description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML elements that can appear in <EventData>.
+title: How to get a list of XML data name elements in <EventData> (Windows 10)
+description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in <EventData>.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: tedhardyMSFT
-ms.date: 10/15/2018
+ms.date: 10/18/2018
 ---
 
-# How to get a list of XML elements in EventData
+# How to get a list of XML data name elements in EventData
 
 **Applies to**
 -   Windows 10
@@ -82,3 +82,48 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template
 </template>
 
 ```
+
+## Mapping data name elements to the names in an event description
+
+You can use the <Template> and <Description> to map the data name element that appears in XML view to the name that appears in the event description.
+
+The <Description> is just the format string (if you’re used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>.
+
+Using Security event 4734 as an example:
+
+```xml
+Template    : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
+                <data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
+                <data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
+                <data name="TargetSid" inType="win:SID" outType="xs:string"/>
+                <data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
+                <data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
+                <data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
+                <data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
+                <data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
+              </template>
+
+Description : A security-enabled local group was deleted.
+
+              Subject:
+                Security ID:            %4
+                Account Name:           %5
+                Account Domain:         %6
+                Logon ID:               %7
+
+              Group:
+                Security ID:            %3
+                Group Name:             %1
+                Group Domain:           %2
+
+              Additional Information:
+                Privileges:             %8
+
+```
+
+For the "Subject: Security Id:" text element, it will use the fourth element in the Template, "SubjectUserSid".
+
+For "Additional Information Privileges:", it would use the eighth element "PrivelegeList".
+
+A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
+