From 7d1f069b35fe2aac14eb81bfafe7502f72838792 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 19 May 2022 03:35:40 +0000 Subject: [PATCH 01/82] Bump nokogiri from 1.13.3 to 1.13.6 in /docs Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.13.3 to 1.13.6. - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md) - [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.13.3...v1.13.6) --- updated-dependencies: - dependency-name: nokogiri dependency-type: indirect ... Signed-off-by: dependabot[bot] --- docs/Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock index 8467cc3a..b3e66c38 100644 --- a/docs/Gemfile.lock +++ b/docs/Gemfile.lock @@ -220,7 +220,7 @@ GEM jekyll-seo-tag (~> 2.1) minitest (5.11.3) multipart-post (2.1.1) - nokogiri (1.13.3) + nokogiri (1.13.6) mini_portile2 (~> 2.8.0) racc (~> 1.4) octokit (4.21.0) From d928619bef499328b553f02379a6eb9dae9eaa73 Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 10 Jun 2022 10:12:04 -0400 Subject: [PATCH 02/82] Delete implementations directory Added bzar as a submodule --- implementations/README.md | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 implementations/README.md diff --git a/implementations/README.md b/implementations/README.md deleted file mode 100644 index 6bafff2c..00000000 --- a/implementations/README.md +++ /dev/null 
@@ -1,7 +0,0 @@ -# Analytic Implementations - -Some analytics are built as source code for specific products. For these analytics, rather than integrating them into the main CAR site, we've collected them under this set of implementations. - -## Bro/Zeek ATT&CK-Based Analytics (BZAR) - -[BZAR](https://github.com/mitre-attack/bzar) is a collection of analytics for Bro primarily aimed at detecting ATT&CK techniques that leverage RPC and SMB. From 006e043c54d19610798cd36a679f9c720b87aea3 Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 24 Jun 2022 11:34:04 -0400 Subject: [PATCH 03/82] Create updates.md --- docs/resources/updates.md | 113 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 docs/resources/updates.md diff --git a/docs/resources/updates.md b/docs/resources/updates.md new file mode 100644 index 00000000..e8583d48 --- /dev/null +++ b/docs/resources/updates.md 
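Review bot: The commit message for PATCH 02 says BZAR was added as a submodule, but the hunk only deletes implementations/README.md; there is no .gitmodules change or gitlink entry anywhere in the patch, so the only on-site pointer to https://github.com/mitre-attack/bzar disappears with this README. Either include the submodule addition in the same commit or keep a one-line reference to BZAR (for example on the new Resources page) so the Bro/Zeek RPC/SMB analytics stay discoverable.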
@@ -0,0 +1,113 @@ +--- +title: Updates +--- +## News +Information about the latest CAR updates and changes can be found in this section. + +### February 2022 +* Updated [analytic coverage](/coverage) page, now with separate ATT&CK navigator layers for each repository. +* New analytics added + * [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](/analytics/CAR-2021-11-002) + * [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](/analytics/CAR-2021-12-001) + * [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key "Common Startup"](/analytics/CAR-2021-12-002) + +### January 2022 +* New analytics added + * [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](/analytics/CAR-2021-11-001) + +### May 2021 +* New analytics added - special thanks to the Splunk Threat Research team for working with us to incorporate these. + * [CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store](/analytics/CAR-2021-05-001) + * [CAR-2021-05-002: Batch File Write to System32](/analytics/CAR-2021-05-002) + * [CAR-2021-05-003: BCDEdit Failure Recovery Modification](/analytics/CAR-2021-05-003) + * [CAR-2021-05-004: BITS Job Persistence](/analytics/CAR-2021-05-004) + * [CAR-2021-05-005: BITSAdmin Download File](/analytics/CAR-2021-05-005) + * [CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments](/analytics/CAR-2021-05-006) + * [CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments](/analytics/CAR-2021-05-007) + * [CAR-2021-05-008: Certutil exe certificate extraction](/analytics/CAR-2021-05-008) + * [CAR-2021-05-009: CertUtil With Decode Argument](/analytics/CAR-2021-05-009) + * [CAR-2021-05-010: Create local admin accounts using net exe](/analytics/CAR-2021-05-010) + * [CAR-2021-05-011: Create Remote Thread into LSASS](/analytics/CAR-2021-05-011) + * [CAR-2021-05-012: Create Service In Suspicious File 
Path](/analytics/CAR-2021-05-012) + +### April 2021 +* New analytics added + * [CAR-2021-04-001: Common Windows Process Masquerading](/analytics/CAR-2021-04-001) + +### March 2021 +* Added [Coverage Comparison](/coverage) page, which compares ATT&CK Technique/Sub-technique coverage across CAR, [Sigma](https://github.com/SigmaHQ/sigma), and [Elastic Detection](https://github.com/elastic/detection-rules) rules. +* New analytics added + * [CAR-2021-01-006: Unusual Child Process Spawned using DDE Exploit](/analytics/CAR-2021-01-006) + * [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](/analytics/CAR-2021-01-007) + * [CAR-2021-01-008: Disable UAC](/analytics/CAR-2021-01-008) + +### January-Feburary 2021 +* New analytics added - special thanks to all of the submissions that we've received! + * [CAR-2021-01-001: Identifying Port Scanning Activity](/analytics/CAR-2021-01-001) + * [CAR-2021-01-002: Unusually Long Command Line Strings](/analytics/CAR-2021-01-002) + * [CAR-2021-01-003: Clearing Windows Logs with Wevtutil](/analytics/CAR-2021-01-003) + * [CAR-2021-01-004: Unusual Child Process For Spoolsv.Exe Or Connhost.Exe](/analytics/CAR-2021-01-004) + * [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](/analytics/CAR-2021-01-009) + * [CAR-2021-02-001: Webshell-Indicative Process Tree](/analytics/CAR-2021-02-001) + * [CAR-2021-02-002: Get System Elevation](/analytics/CAR-2021-02-002) + +### November 2020 +* Data Model update! We're excited to roll out these changes, and we think you will like the new capabilities. 
+ * [See the full new data model](data_model) + * Added Authentication, Email, HTTP, and Socket objects + * Updated other objects: + * Removed several unnecessary fields + * Renamed some fields to make their intent more clear + * Added several fields that have become necessary for modern analytics + * Removed and added some Event types +* New analytics added + * [CAR-2020-11-001: Boot or Logon Initialization Scripts](/analytics/CAR-2020-11-001) + * [CAR-2020-11-002: Local Network Sniffing](/analytics/CAR-2020-11-002) + * [CAR-2020-11-003: DLL Injection with Mavinject](/analytics/CAR-2020-11-003) + * [CAR-2020-11-004: Processes Started From Irregular Parent](/analytics/CAR-2020-11-004) + * [CAR-2020-11-005: Clear Powershell Console Command History](/analytics/CAR-2020-11-005) + * [CAR-2020-11-006: Local Permission Group Discovery](/analytics/CAR-2020-11-006) + * [CAR-2020-11-007: Network Share Connection Removal](/analytics/CAR-2020-11-007) + * [CAR-2020-11-008: MSBuild and msxsl](/analytics/CAR-2020-11-008) + * [CAR-2020-11-009: Compiled HTML Access](/analytics/CAR-2020-11-009) + * [CAR-2020-11-010: CMSTP](/analytics/CAR-2020-11-010) + * [CAR-2020-11-011: Registry Edit from Screensaver](/analytics/CAR-2020-11-011) + +### September 2020 +* New analytics added + * [CAR-2020-09-001: Scheduled Task - File Access](/analytics/CAR-2020-09-001) + * [CAR-2020-09-002: Component Object Model Hijacking](/analytics/CAR-2020-09-002) + * [CAR-2020-09-003: Indicator Blocking - Driver Unloaded](/analytics/CAR-2020-09-003) + * [CAR-2020-09-004: Credentials in Files & Registry](/analytics/CAR-2020-09-004) + * [CAR-2020-09-005: AppInit DLLs](/analytics/CAR-2020-09-005) + +### August 2020 +* New analytics added + * [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](/analytics/CAR-2020-08-001) + * [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](/analytics/CAR-2020-08-002) + +### July 2020 +* Updated ATT&CK Detection for all analytics for [latest 
ATT&CK release](https://attack.mitre.org/resources/updates/updates-july-2020/). + +### May 2020 +* Updated [ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/beta/enterprise/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2Fmitre-attack%2Fcar%2Fmaster%2Fdocs%2Fcar_attack%2Fcar_attack.json) to incorporate sub-technique mappings for all CAR analytics. +* Added [Sysmon 11.0](/sensors/sysmon_11.0) sensor with data model mappings and CAR analytic coverage. +* Added one new field to the [Process object](/data_model/process) + * `env_vars` +* New analytics added + * [CAR-2020-05-001: MiniDump of LSASS](/analytics/CAR-2020-05-001) + * [CAR-2020-05-003: Rare LolBAS Command Lines](/analytics/CAR-2020-05-003) + +### April 2020 +* All analytics have been updated to account for ATT&CK sub-techniques (wherever applicable). Check out the new sub-technique based coverage table [here](/analytics/index.html#analytic-list-by-techniquesub-technique-coverage). +* Added Applicable Platforms to all analytics. This captures the set of platforms the analytic may be applicable for; note that this does not necessarily mean that an implementation for a particular platform exists for a given analytic. +* Added YAML for [sensors](https://github.com/mitre-attack/car/tree/master/sensors) (those added recently) and [data models](https://github.com/mitre-attack/car/tree/master/data_model) on Github. +* New analytics added + * [CAR-2020-04-001: Shadow Copy Deletion](/analytics/CAR-2020-04-001) + +## Methodology +CAR analytics were developed to detect the adversary behaviors in [ATT&CK](https://attack.mitre.org/). Development of an analytic is based upon the following activities: +* identifying and prioritizing adversary behaviors from the ATT&CK adversary model +* identifying the data necessary to detect the adversary behavior +* identification or creation of a sensor to collect the necessary data +* the actual creation of the analytic to detect the identified behaviors 
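Review bot: In the new docs/resources/updates.md the link `[See the full new data model](data_model)` under November 2020 is relative, while every other internal link in the file is site-root absolute (`/analytics/...`, `/coverage`, `/sensors/...`); once this page is moved under /resources/ later in the series, the relative form resolves to /resources/data_model, which does not exist, so it should be `/data_model`. The heading `### January-Feburary 2021` also carries the misspelling of February over from index.md. Since this file is a verbatim copy of the News section that the following patch removes from docs/index.md, consider squashing the two into one commit so git records it as a move rather than a delete plus an unrelated add.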
From 7de7b1eb35cd85da7e0299b6b7ee0c7dcf4520a0 Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 24 Jun 2022 11:34:37 -0400 Subject: [PATCH 04/82] Update index.md --- docs/index.md | 104 -------------------------------------------------- 1 file changed, 104 deletions(-) diff --git a/docs/index.md b/docs/index.md index e234aa6c..8bfe215a 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -15,110 +15,6 @@ Analytics stored in CAR contain the following information: In addition to the analytics, CAR also contains a [data model](data_model) for observable data used to run the analytics and [sensors](sensors) that are used to collect that data. -## News -Information about the latest CAR updates and changes can be found in this section. - -### February 2022 -* Updated [analytic coverage](/coverage) page, now with separate ATT&CK navigator layers for each repository. -* New analytics added - * [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](/analytics/CAR-2021-11-002) - * [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](/analytics/CAR-2021-12-001) - * [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key "Common Startup"](/analytics/CAR-2021-12-002) - -### January 2022 -* New analytics added - * [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](/analytics/CAR-2021-11-001) - -### May 2021 -* New analytics added - special thanks to the Splunk Threat Research team for working with us to incorporate these. 
- * [CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store](/analytics/CAR-2021-05-001) - * [CAR-2021-05-002: Batch File Write to System32](/analytics/CAR-2021-05-002) - * [CAR-2021-05-003: BCDEdit Failure Recovery Modification](/analytics/CAR-2021-05-003) - * [CAR-2021-05-004: BITS Job Persistence](/analytics/CAR-2021-05-004) - * [CAR-2021-05-005: BITSAdmin Download File](/analytics/CAR-2021-05-005) - * [CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments](/analytics/CAR-2021-05-006) - * [CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments](/analytics/CAR-2021-05-007) - * [CAR-2021-05-008: Certutil exe certificate extraction](/analytics/CAR-2021-05-008) - * [CAR-2021-05-009: CertUtil With Decode Argument](/analytics/CAR-2021-05-009) - * [CAR-2021-05-010: Create local admin accounts using net exe](/analytics/CAR-2021-05-010) - * [CAR-2021-05-011: Create Remote Thread into LSASS](/analytics/CAR-2021-05-011) - * [CAR-2021-05-012: Create Service In Suspicious File Path](/analytics/CAR-2021-05-012) - -### April 2021 -* New analytics added - * [CAR-2021-04-001: Common Windows Process Masquerading](/analytics/CAR-2021-04-001) - -### March 2021 -* Added [Coverage Comparison](/coverage) page, which compares ATT&CK Technique/Sub-technique coverage across CAR, [Sigma](https://github.com/SigmaHQ/sigma), and [Elastic Detection](https://github.com/elastic/detection-rules) rules. -* New analytics added - * [CAR-2021-01-006: Unusual Child Process Spawned using DDE Exploit](/analytics/CAR-2021-01-006) - * [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](/analytics/CAR-2021-01-007) - * [CAR-2021-01-008: Disable UAC](/analytics/CAR-2021-01-008) - -### January-Feburary 2021 -* New analytics added - special thanks to all of the submissions that we've received! 
- * [CAR-2021-01-001: Identifying Port Scanning Activity](/analytics/CAR-2021-01-001) - * [CAR-2021-01-002: Unusually Long Command Line Strings](/analytics/CAR-2021-01-002) - * [CAR-2021-01-003: Clearing Windows Logs with Wevtutil](/analytics/CAR-2021-01-003) - * [CAR-2021-01-004: Unusual Child Process For Spoolsv.Exe Or Connhost.Exe](/analytics/CAR-2021-01-004) - * [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](/analytics/CAR-2021-01-009) - * [CAR-2021-02-001: Webshell-Indicative Process Tree](/analytics/CAR-2021-02-001) - * [CAR-2021-02-002: Get System Elevation](/analytics/CAR-2021-02-002) - -### November 2020 -* Data Model update! We're excited to roll out these changes, and we think you will like the new capabilities. - * [See the full new data model](data_model) - * Added Authentication, Email, HTTP, and Socket objects - * Updated other objects: - * Removed several unnecessary fields - * Renamed some fields to make their intent more clear - * Added several fields that have become necessary for modern analytics - * Removed and added some Event types -* New analytics added - * [CAR-2020-11-001: Boot or Logon Initialization Scripts](/analytics/CAR-2020-11-001) - * [CAR-2020-11-002: Local Network Sniffing](/analytics/CAR-2020-11-002) - * [CAR-2020-11-003: DLL Injection with Mavinject](/analytics/CAR-2020-11-003) - * [CAR-2020-11-004: Processes Started From Irregular Parent](/analytics/CAR-2020-11-004) - * [CAR-2020-11-005: Clear Powershell Console Command History](/analytics/CAR-2020-11-005) - * [CAR-2020-11-006: Local Permission Group Discovery](/analytics/CAR-2020-11-006) - * [CAR-2020-11-007: Network Share Connection Removal](/analytics/CAR-2020-11-007) - * [CAR-2020-11-008: MSBuild and msxsl](/analytics/CAR-2020-11-008) - * [CAR-2020-11-009: Compiled HTML Access](/analytics/CAR-2020-11-009) - * [CAR-2020-11-010: CMSTP](/analytics/CAR-2020-11-010) - * [CAR-2020-11-011: Registry Edit from Screensaver](/analytics/CAR-2020-11-011) - -### 
September 2020 -* New analytics added - * [CAR-2020-09-001: Scheduled Task - File Access](/analytics/CAR-2020-09-001) - * [CAR-2020-09-002: Component Object Model Hijacking](/analytics/CAR-2020-09-002) - * [CAR-2020-09-003: Indicator Blocking - Driver Unloaded](/analytics/CAR-2020-09-003) - * [CAR-2020-09-004: Credentials in Files & Registry](/analytics/CAR-2020-09-004) - * [CAR-2020-09-005: AppInit DLLs](/analytics/CAR-2020-09-005) - -### August 2020 -* New analytics added - * [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](/analytics/CAR-2020-08-001) - * [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](/analytics/CAR-2020-08-002) - -### July 2020 -* Updated ATT&CK Detection for all analytics for [latest ATT&CK release](https://attack.mitre.org/resources/updates/updates-july-2020/). - -### May 2020 -* Updated [ATT&CK Navigator layer](https://mitre-attack.github.io/attack-navigator/beta/enterprise/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2Fmitre-attack%2Fcar%2Fmaster%2Fdocs%2Fcar_attack%2Fcar_attack.json) to incorporate sub-technique mappings for all CAR analytics. -* Added [Sysmon 11.0](/sensors/sysmon_11.0) sensor with data model mappings and CAR analytic coverage. -* Added one new field to the [Process object](/data_model/process) - * `env_vars` -* New analytics added - * [CAR-2020-05-001: MiniDump of LSASS](/analytics/CAR-2020-05-001) - * [CAR-2020-05-003: Rare LolBAS Command Lines](/analytics/CAR-2020-05-003) - -### April 2020 -* All analytics have been updated to account for ATT&CK sub-techniques (wherever applicable). Check out the new sub-technique based coverage table [here](/analytics/index.html#analytic-list-by-techniquesub-technique-coverage). -* Added Applicable Platforms to all analytics. This captures the set of platforms the analytic may be applicable for; note that this does not necessarily mean that an implementation for a particular platform exists for a given analytic. 
-* Added YAML for [sensors](https://github.com/mitre-attack/car/tree/master/sensors) (those added recently) and [data models](https://github.com/mitre-attack/car/tree/master/data_model) on Github. -* New analytics added - * [CAR-2020-04-001: Shadow Copy Deletion](/analytics/CAR-2020-04-001) - ## Methodology CAR analytics were developed to detect the adversary behaviors in [ATT&CK](https://attack.mitre.org/). Development of an analytic is based upon the following activities: * identifying and prioritizing adversary behaviors from the ATT&CK adversary model From 47e3fbb98072f576ba556f3beea7d2eaf9b1ba67 Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 24 Jun 2022 11:35:08 -0400 Subject: [PATCH 05/82] Rename updates.md to index.md --- docs/resources/{updates.md => index.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/resources/{updates.md => index.md} (100%) diff --git a/docs/resources/updates.md b/docs/resources/index.md similarity index 100% rename from docs/resources/updates.md rename to docs/resources/index.md From 7ba4d3887daa2c7e35bf5f59ed3dc3c67daee2a6 Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 24 Jun 2022 11:37:17 -0400 Subject: [PATCH 06/82] Update and rename docs/resources/index.md to docs/resources/updates/index.md --- docs/resources/{ => updates}/index.md | 7 ------- 1 file changed, 7 deletions(-) rename docs/resources/{ => updates}/index.md (93%) diff --git a/docs/resources/index.md b/docs/resources/updates/index.md similarity index 93% rename from docs/resources/index.md rename to docs/resources/updates/index.md index e8583d48..65585d02 100644 --- a/docs/resources/index.md +++ b/docs/resources/updates/index.md 
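Review bot: In the docs/index.md hunk (PATCH 04), deleting the News section leaves the landing page with no pointer to where the update history now lives; the sentence above the removed block still introduces the data model and sensors links, so replace the deleted section with a one-line link to the new updates page. Because the two rename-only patches that follow (05 and 06) end with the file at docs/resources/updates/index.md, the link should use the final rendered location (`/resources/updates/` for a Jekyll index.md) rather than the intermediate `/resources/updates.md` path.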
@@ -104,10 +104,3 @@ Information about the latest CAR updates and changes can be found in this sectio * Added YAML for [sensors](https://github.com/mitre-attack/car/tree/master/sensors) (those added recently) and [data models](https://github.com/mitre-attack/car/tree/master/data_model) on Github. * New analytics added * [CAR-2020-04-001: Shadow Copy Deletion](/analytics/CAR-2020-04-001) - -## Methodology -CAR analytics were developed to detect the adversary behaviors in [ATT&CK](https://attack.mitre.org/). Development of an analytic is based upon the following activities: -* identifying and prioritizing adversary behaviors from the ATT&CK adversary model -* identifying the data necessary to detect the adversary behavior -* identification or creation of a sensor to collect the necessary data -* the actual creation of the analytic to detect the identified behaviors From f8f54cfa3d4d4956efcb1d1d037ff18fc288035c Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 24 Jun 2022 11:38:25 -0400 Subject: [PATCH 07/82] Rename docs/Glossary.md to docs/resources/glossary/index.md --- docs/{Glossary.md => resources/glossary/index.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/{Glossary.md => resources/glossary/index.md} (100%) diff --git a/docs/Glossary.md b/docs/resources/glossary/index.md similarity index 100% rename from docs/Glossary.md rename to docs/resources/glossary/index.md From 1c02e6b4d521aa79c44d5367f8e13272f8c8a2f2 Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 24 Jun 2022 11:40:45 -0400 Subject: [PATCH 08/82] Create index.md --- docs/resources/index.md | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 docs/resources/index.md diff --git a/docs/resources/index.md b/docs/resources/index.md new file mode 100644 index 00000000..c3a030ee --- /dev/null +++ b/docs/resources/index.md 
@@ -0,0 +1,8 @@ +--- +title: Resources +--- +##Updates +[New Updates Found Here](/updates/index.md) + +##Glossary +[Definitions Found Here](/glossary/index.md) From 21a186160e8bc0da470bec791ea42d4daac90e36 Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 24 Jun 2022 11:43:04 -0400 Subject: [PATCH 09/82] Update header.html --- docs/_includes/header.html | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/_includes/header.html b/docs/_includes/header.html index 6e0e36b6..21ff2828 100644 --- a/docs/_includes/header.html +++ b/docs/_includes/header.html @@ -11,6 +11,7 @@ Analytics Analytics (by technique) Data Model + Resources Sensors Coverage Comparison From 257fc5c5d7e647c4d38ed6eb0c70b702193c2018 Mon Sep 17 00:00:00 2001 From: Lucas <31893813+Ptylu@users.noreply.github.com> Date: Tue, 5 Jul 2022 23:17:10 +0800 Subject: [PATCH 10/82] Update CAR-2016-04-002.yaml Update to merge CAR-2021-01-003.yaml in CAR-2016-04-002.yaml. New attack and detection added --- analytics/CAR-2016-04-002.yaml | 43 ++++++++++++++++++++++++++++------ 1 file changed, 36 insertions(+), 7 deletions(-) diff --git a/analytics/CAR-2016-04-002.yaml b/analytics/CAR-2016-04-002.yaml index e6317867..918f500c 100644 --- a/analytics/CAR-2016-04-002.yaml +++ b/analytics/CAR-2016-04-002.yaml @@ -1,3 +1,4 @@ +--- title: User Activity from Clearing Event Logs submission_date: 2016/04/14 information_domain: Host 
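Review bot: The two links in the new docs/resources/index.md point at `/updates/index.md` and `/glossary/index.md`, but the files created and renamed earlier in this series live at docs/resources/updates/index.md and docs/resources/glossary/index.md, so on the built site they resolve under /resources/updates/ and /resources/glossary/ and the `.md` suffix does not survive the Jekyll build; use `/resources/updates/` and `/resources/glossary/`. The headings `##Updates` and `##Glossary` also lack the space after `##` that every other heading in the series uses (`## News`, `## Methodology`); GitHub's renderer shows them as literal text rather than headings.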
@@ -7,12 +8,20 @@ platforms: - macOS subtypes: - Event Records + - Process analytic_types: - Anomaly contributors: - MITRE/NSA + - Cyware Labs + - Lucas Heiligenstein id: CAR-2016-04-002 -description: 'It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Alerting when a "Clear Event Log" is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.' +description: 'It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. + 1. This is often done using `wevtutil`, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. + 2. Alerting when a `Clear Event Log` is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.' + 3. Attackers may set the option of the sources of events with `Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite` to not delete old Evenlog when the .evtx is full. 
By default the Security Log size is configured with the minimum value of 20 480KB (~23 000 EventLog). So if this option is enabled, all the new EventLogs will be automatically deleted. We can detect this behavior with the Security EventLog 1104. + 4. Attackers may delete .evtx with `del C:\Windows\System32\winevt\logs\Security.evtx` or `Remove-Item C:\Windows\System32\winevt\logs\Security.evtx` after having disabled and stopped the Eventlog service. As the EventLog service is disabled and stopped, the .evtx files are no longer used by this service and can be deleted. The new EventLog will be Unavailable until the configuration is reset. + 5. Attackers may use the powershell command `Remove-EventLog -LogName Security` to unregister source of events that are part of Windows (Application, Security…). This command deletes the security EventLog (which also generates EventId 1102) but the new Eventlogs are still recorded until the system is rebooted . After the System is rebooted, the Security log is unregistered and doesn’t log any new Eventlog. However logs generated between the command and the reboot are still available in the .evtx file. coverage: - technique: T1070 tactics: @@ -21,9 +30,10 @@ coverage: - T1070.001 coverage: Moderate implementations: - - description: 'When an eventlog is cleared, a new event is created that alerts that the eventlog was cleared. For Security logs, its event code 1100 and 1102. For System logs, it is event code 104.' + - name: PseudoCode for dedicated EventID EventLog deletion + description: 'When an eventlog is cleared, a new event is created that alerts that the eventlog was cleared. For Security logs, its event code 1100 and 1102. For System logs, it is event code 104.' code: |- - ([log_name] == "Security" and [event_code] in [1100, 1102]) or + ([log_name] == "Security" and [event_code] in [1100, 1102, 1104]) or ([log_name] == "System" and [event_code] == 104) type: pseudocode - name: Sigma rule (System log) 
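Review bot: In the `+description:` block of the second PATCH 10 hunk (`@@ -7,12 +8,20 @@`), the single-quoted YAML scalar is closed at the end of item 2 (`...single point of failure risk.'`) while items 3 to 5 continue on the following lines, so a YAML loader will reject the file (content after the closing quote of a quoted scalar); move the closing quote to the end of item 5 or switch the whole description to a block scalar (`description: |`). In the pseudocode hunk just below (`@@ -21,9 +30,10 @@`), adding 1104 to `[event_code] in [1100, 1102, 1104]` changes what the analytic detects without updating its description: 1104 is the "security log is now full" event, not a clear event, and it fires whenever a log reaches its configured size under the DoNotOverwrite retention policy, which is a legitimate setting on many hosts; say so in the description and consider a separate, lower-severity match for 1104 so the clear-log alert keeps its current precision. Wording nits in the new text: "Evenlog" should be "Eventlog", and "rebooted ." has a stray space before the period.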
@@ -32,18 +42,37 @@ implementations: - name: Sigma rule (Security log) description: '[Sigma version](https://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_susp_security_eventlog_cleared.yml) of the above pseudocode, focusing only on the Security log.' type: Sigma - - description: LogPoint version of the above pseudocode. + - name: LogPoint version of the above pseudocode. + description: LogPoint version of the above pseudocode. code: |- norm_id=WinServer ((channel="Security" event_id IN [1100,1102]) OR (channel="System" event_id=104)) type: LogPoint data_mode: LogPoint native + - name: Splunk search - Detecting log clearing with wevtutil + description: This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs. + code: |- + index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 (Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog) + data_model: Sysmon native + type: Splunk unit_tests: - - configurations: - - Windows 7 - description: You can use the powershell cmdlet “Clear-Eventlog” to clear event logs. Open Powershell as administrator and execute Clear-Eventlog `Clear-EventLog [-LogName] \`. [Additional information here](https://technet.microsoft.com/en-us/library/hh849789.aspx). + - description: You can use the powershell cmdlet “Clear-Eventlog” to clear event logs. Open Powershell as administrator and execute Clear-Eventlog `Clear-EventLog [-LogName] \`. [Additional information here](https://technet.microsoft.com/en-us/library/hh849789.aspx). 
commands: - Clear-Eventlog Security - Clear-Eventlog System + - description: Command to not Overwrite old EventLog + commands: + - Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite + - description: Cmd and Powershell command to delete EventLog (only possible after turning off the EventLog service) + commands: + - del C:\Windows\System32\winevt\logs\Security.evtx + - Remove-Item C:\Windows\System32\winevt\logs\Security.evtx + - description: Unregister EventLog source + commands: + - Remove-EventLog -LogName Security +data_model_references: + - process/create/command_line +references: + - https://ptylu.github.io/content/report/report.html?report=26 d3fend_mappings: - iri: d3f:RPCTrafficAnalysis id: D3-RTA From 1d17ce0f89152d8cfdc94db3352feefd24857968 Mon Sep 17 00:00:00 2001 From: Lucas <31893813+Ptylu@users.noreply.github.com> Date: Tue, 5 Jul 2022 23:23:54 +0800 Subject: [PATCH 11/82] Update CAR-2016-04-002.yaml yaml typo corrected --- analytics/CAR-2016-04-002.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/analytics/CAR-2016-04-002.yaml b/analytics/CAR-2016-04-002.yaml index 918f500c..25c9be57 100644 --- a/analytics/CAR-2016-04-002.yaml +++ b/analytics/CAR-2016-04-002.yaml 
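Review bot: The LogPoint implementation in this hunk still matches `event_id IN [1100,1102]` although the pseudocode it claims to mirror ("LogPoint version of the above pseudocode") was extended to 1104 two hunks earlier, so the two implementations now detect different things; either add 1104 here with the same caveat or drop it from the pseudocode. In the new Splunk search, the bare terms `Clear-EventLog`, `Limit-EventLog`, `(Remove-Item AND .evtx)` and `Remove-EventLog` are OR'd against the `Image=*wevtutil* ...` group without being scoped to a field, so they match the raw text of any Sysmon EventCode=1 record that contains those strings (for example a script path or parent command line), and `CommandLine=*cl*` is a substring match that will hit any wevtutil argument containing "cl"; scope them as `CommandLine=*Clear-EventLog*` and so on, and document the expected benign hits (backup and log-rotation scripts). The unit_tests change also drops the `configurations: - Windows 7` entry from the existing test without replacing it, so that test loses its platform metadata, and the new `- name: LogPoint version of the above pseudocode.` duplicates its description verbatim and ends with a period unlike the other implementation names.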
@@ -17,8 +17,8 @@ contributors: - Lucas Heiligenstein id: CAR-2016-04-002 description: 'It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. - 1. This is often done using `wevtutil`, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. - 2. Alerting when a `Clear Event Log` is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.' + 1. This is often done using `wevtutil`, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. + 2. Alerting when a `Clear Event Log` is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.' 3. Attackers may set the option of the sources of events with `Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite` to not delete old Evenlog when the .evtx is full. By default the Security Log size is configured with the minimum value of 20 480KB (~23 000 EventLog). 
So if this option is enabled, all the new EventLogs will be automatically deleted. We can detect this behavior with the Security EventLog 1104. 4. Attackers may delete .evtx with `del C:\Windows\System32\winevt\logs\Security.evtx` or `Remove-Item C:\Windows\System32\winevt\logs\Security.evtx` after having disabled and stopped the Eventlog service. As the EventLog service is disabled and stopped, the .evtx files are no longer used by this service and can be deleted. The new EventLog will be Unavailable until the configuration is reset. 5. Attackers may use the powershell command `Remove-EventLog -LogName Security` to unregister source of events that are part of Windows (Application, Security…). This command deletes the security EventLog (which also generates EventId 1102) but the new Eventlogs are still recorded until the system is rebooted . After the System is rebooted, the Security log is unregistered and doesn’t log any new Eventlog. However logs generated between the command and the reboot are still available in the .evtx file. From 3457780b9300acbf9c7820b0e3345a2d43dbc5b7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Jul 2022 02:34:16 +0000 Subject: [PATCH 12/82] Bump tzinfo from 1.2.5 to 1.2.10 in /docs Bumps [tzinfo](https://github.com/tzinfo/tzinfo) from 1.2.5 to 1.2.10. - [Release notes](https://github.com/tzinfo/tzinfo/releases) - [Changelog](https://github.com/tzinfo/tzinfo/blob/master/CHANGES.md) - [Commits](https://github.com/tzinfo/tzinfo/compare/v1.2.5...v1.2.10) --- updated-dependencies: - dependency-name: tzinfo dependency-type: indirect ... Signed-off-by: dependabot[bot] --- docs/Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock index 8467cc3a..6bbeeef6 100644 --- a/docs/Gemfile.lock +++ b/docs/Gemfile.lock 
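Review bot: The `+` lines in this PATCH 11 hunk still end item 2 with `risk.'`, so the closing quote of the single-quoted `description:` scalar remains after item 2 and items 3 to 5 (the unchanged context lines) are still outside it; the only visible change is the re-indentation of items 1 and 2, which means the "yaml typo" this commit says it corrects is not the one that breaks parsing. Move the closing quote to the end of item 5 or use `description: |`, and run the file through a YAML loader before merging.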
@@ -255,7 +255,7 @@ GEM thread_safe (0.3.6) typhoeus (1.4.0) ethon (>= 0.9.0) - tzinfo (1.2.5) + tzinfo (1.2.10) thread_safe (~> 0.1) unf (0.1.4) unf_ext From b48c96977e19a79809c36a2bec854bd76ee346b4 Mon Sep 17 00:00:00 2001 From: "Mr. Nevermore" Date: Sun, 11 Sep 2022 22:53:45 -0400 Subject: [PATCH 13/82] Update file.md fixing coverage map table formatting for autoruns and sysmon line breaks --- docs/data_model/file.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/data_model/file.md b/docs/data_model/file.md index 68fcacad..c0593471 100755 --- a/docs/data_model/file.md +++ b/docs/data_model/file.md @@ -51,7 +51,7 @@ A resource for storing information available to a computer program. | | **company** | **content** | **creation_time** | **file_extension** | **file_gid** | **file_group** | **file_name** | **file_path** | **file_uid** | **file_user** | **fqdn** | **hostname** | **image_path** | **link_target** | **md5_hash** | **mime_type** | **mode** | **pid** | **ppid** | **previous_creation_time** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | **uid** | **user** | | ---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | | | | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98) | | | [Sysmon](../sensors/sysmon_13) | | | | | | [Sysmon](../sensors/sysmon_13) | | +| **create** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | | | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98) | | | [Sysmon](../sensors/sysmon_13) | | | | | | [Sysmon](../sensors/sysmon_13) | | | **delete** | | | | | | | | | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | | | | | [Sysmon](../sensors/sysmon_13) | | | **modify** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | [Autoruns](../sensors/autoruns_13.98) | | | | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | | **read** | | | | | | | | | | | | | | | | | | | | | | | | | | From 2f2c58a3e0bce66f56aaee91fb5e22ac869dae49 Mon Sep 17 00:00:00 2001 From: "Mr. Nevermore" Date: Sun, 11 Sep 2022 23:15:58 -0400 Subject: [PATCH 14/82] Create http.md Initial commit of planned file that is missing from current production repo --- docs/data_model/http.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 docs/data_model/http.md diff --git a/docs/data_model/http.md b/docs/data_model/http.md new file mode 100644 index 00000000..f74b2683 --- /dev/null +++ b/docs/data_model/http.md @@ -0,0 +1 @@ + From 0ae783cd454525e050ed1ad5c69a83b043b47d8d Mon Sep 17 00:00:00 2001 From: Evan Nevermore Date: Sun, 11 Sep 2022 23:38:37 -0400 Subject: [PATCH 15/82] Beginning to format document based on car/data_model/ http.yml --- docs/data_model/http.md | 87 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) diff --git a/docs/data_model/http.md b/docs/data_model/http.md index f74b2683..a795bc23 100644 --- a/docs/data_model/http.md +++ b/docs/data_model/http.md 
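Review bot: in the file.md `create` row hunk, the text that replaces `< /br>` is not visible in this rendering (each affected cell now wraps onto a new line), so confirm the committed text is a literal `<br>` tag and not a newline: a raw newline inside a markdown table cell ends the row and breaks the table, while `<br>` is what the other cells need. If `<br>` is correct, the same substitution is still owed to every other coverage map that uses `< /br>`, not only this row.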
@@ -1 +1,88 @@ + +--- +title: "File" +--- + +HTTP events represents requests made over the network via the HTTP protocol. + +## Actions + +|Action|Description| +|---|---| +|pet|The event corresponding to an HTTP GET request. +|post|The event corresponding to an HTTP POST request. +|put|The event corresponding to an HTTP PUT request. +|tunnel|The event corresponding to an HTTP TUNNEL request. + +## Fields + +|Field|Description|Example| +|---|---|---| +|hostname|hostname on which the request was seen.|HOST1 +|request_body_bytes| +|http_version| +|request_body_content| +|request_referrer| +|requester_ip_address| +|response_body_types| +|response_body_content| +|response_status_code| +|url_full| +|url_domain| +|url_remainder| +|url_scheme| +|user_agent_full| +|user_agent_name| +|user_agent_device| +|user_agent_version| + \ No newline at end of file From 04f7456ca70868aba77e0ab81ddff221c7e8c098 Mon Sep 17 00:00:00 2001 From: Evan Nevermore Date: Mon, 12 Sep 2022 00:02:20 -0400 Subject: [PATCH 16/82] adding headings and the coverage map table --- docs/data_model/http.md | 95 +++++++++++------------------------------ 1 file changed, 26 insertions(+), 69 deletions(-) diff --git a/docs/data_model/http.md b/docs/data_model/http.md index a795bc23..f859e8b8 100644 --- a/docs/data_model/http.md +++ b/docs/data_model/http.md @@ -1,5 +1,3 @@ - - --- title: "File" --- @@ -10,7 +8,7 @@ HTTP events represents requests made over the network via the HTTP protocol. |Action|Description| |---|---| -|pet|The event corresponding to an HTTP GET request. +|get|The event corresponding to an HTTP GET request. |post|The event corresponding to an HTTP POST request. |put|The event corresponding to an HTTP PUT request. |tunnel|The event corresponding to an HTTP TUNNEL request. 
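Review bot: the front matter added in the initial http.md hunk sets `title: "File"` on an HTTP data model page; the title should name HTTP. `pet` in the Actions table is a typo for `get`. The Fields rows from `request_body_bytes` down carry only a field name with no description or example cell, so the table renders with empty columns; fill them before merging or mark the page as a draft. `HTTP events represents` should read `represent`.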
@@ -20,69 +18,28 @@ HTTP events represents requests made over the network via the HTTP protocol. |Field|Description|Example| |---|---|---| |hostname|hostname on which the request was seen.|HOST1 -|request_body_bytes| -|http_version| -|request_body_content| -|request_referrer| -|requester_ip_address| -|response_body_types| -|response_body_content| -|response_status_code| -|url_full| -|url_domain| -|url_remainder| -|url_scheme| -|user_agent_full| -|user_agent_name| -|user_agent_device| -|user_agent_version| - \ No newline at end of file +|request_body_bytes|Integer value corresponding to the total number of bytes in the request.|180 +|http_version|HTTP version that is specified in the header.|1.1 +|request_body_content|Body of the HTTP request; usually specifies the exact content being requested.|varies as content is unique. If referrer is http://cnn.com as in example below, expect the body content to likely be an article from CNN. +|request_referrer|The URL from which the request was referred, if applicable.|http://cnn.com +|requester_ip_address|IP address from which the request was made.|151.101.131.5 +|response_body_types|Integer value corresponding to the total number of bytes in the response.|2910 +|response_body_content|Content of the response (does not include header).| +|response_status_code|HTTP protocol status code in response header|200 +|url_full|URL to which the HTTP request was sent|https://www.mitre.org/about/corporate-overview +|url_domain|Domain portion of the URL.|www.mitre.org +|url_remainder|the path after the root domain|/about/corporate-overview +|url_scheme|type of user that initiated the request.|https +|user_agent_full| User agent string associated with the request|HOST1\LOCALUSER1 +|user_agent_name|The user agent through which the request was made.|"Mozilla/5.0 (Linux; Android 7.0; SM-G930VC Build/NRD90M; wv)
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36" +|user_agent_device|Device type from which request was made, identified by user_agent substring|SM-G930VC (Samgsung Galaxy S7) +|user_agent_version|User Agent Version. Note that some User Agent strings may not label versions in the same way.|4.0 + +## Coverage Map + +| | **hostname** | **request_body_bytes** | **http_version** | **request_body_content** | **request_referrer** | **requester_ip_address** | **response_body_types** | **response_body_content** | **response_status_codes** | **url_full** | **url_domain** | **url_remainder** | **url_scheme** | **user_agent_full** | **user_agent_device** | **user_agent_version** | +| --- | --- | ---| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +| **get** | | | | | | | | | | | | | | | | | +| **post** | | | | | | | | | | | | | | | | | +| **put** | | | | | | | | | | | | | | | | | +| **tunnel** | | | | | | | | | | | | | | | | | \ No newline at end of file From 2049ec3b7ae13492412a9a5c7b38739694aa6334 Mon Sep 17 00:00:00 2001 From: Evan Nevermore Date: Mon, 12 Sep 2022 00:07:11 -0400 Subject: [PATCH 17/82] adjusting table format for coverage map --- docs/data_model/http.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/data_model/http.md b/docs/data_model/http.md index f859e8b8..34dc04fd 100644 --- a/docs/data_model/http.md +++ b/docs/data_model/http.md 
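Review bot: several descriptions and examples in the Fields hunk do not match their field. `url_scheme` is described as "type of user that initiated the request" while its example `https` is right; `user_agent_full` has the right description but the example `HOST1\LOCALUSER1` is a user name, and the full UA string sits under `user_agent_name`, whose example should be the product token (e.g. `Mozilla/5.0`); `response_body_types` is described as a byte count, so either the field name or the description is wrong. `request_body_content` describes the request body as "the exact content being requested" and the example predicts a CNN article, which is response content; a GET normally carries no request body at all. `Samgsung` is a typo, and the context line `HTTP events represents` and `title: "File"` from the earlier hunks are still unchanged.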
@@ -38,7 +38,7 @@ HTTP events represents requests made over the network via the HTTP protocol. ## Coverage Map | | **hostname** | **request_body_bytes** | **http_version** | **request_body_content** | **request_referrer** | **requester_ip_address** | **response_body_types** | **response_body_content** | **response_status_codes** | **url_full** | **url_domain** | **url_remainder** | **url_scheme** | **user_agent_full** | **user_agent_device** | **user_agent_version** | -| --- | --- | ---| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +| --- | --- | ---| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | | **get** | | | | | | | | | | | | | | | | | | **post** | | | | | | | | | | | | | | | | | | **put** | | | | | | | | | | | | | | | | | From 34959d9c124c86915c59c3a3c6a081c0165c4f93 Mon Sep 17 00:00:00 2001 From: Evan Nevermore Date: Mon, 12 Sep 2022 20:18:35 -0400 Subject: [PATCH 18/82] fixing line breaks in the coverage map table --- docs/data_model/registry.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/data_model/registry.md b/docs/data_model/registry.md index a5ac02aa..8faa412c 100755 --- a/docs/data_model/registry.md +++ b/docs/data_model/registry.md
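Review bot: the separator row now has 17 cells, matching the 17 header cells, so the Coverage Map will render. Two naming mismatches between this table and the Fields table above it remain: the column is `response_status_codes` but the field is `response_status_code`, and `user_agent_name` has no column at all, so anything that joins the two tables by field name will miss both.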
@@ -33,8 +33,8 @@ The registry is a system-defined database in which applications and system compo | | **data** | **fqdn** | **hostname** | **hive** | **key** | **image_path** | **new_content** | **pid** | **type** | **user** | **value** | |---|---|---|---|---|---|---|---|---|---|---|---| -| **add** | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)| [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | +| **add** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)| [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | | -**key_edit** | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | +**key_edit** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | | **remove** | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | **value_edit** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| | [Autoruns](../sensors/autoruns_13.98) | From 0abab475e2a2a9376cc7eb9bbe575c170130ff71 Mon Sep 17 00:00:00 2001 From: "Mr. Nevermore" Date: Tue, 13 Sep 2022 11:17:04 -0400 Subject: [PATCH 19/82] Update process.md Changing line 41 example from `FooCorp` to `True` since it is a boolean. --- docs/data_model/process.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/data_model/process.md b/docs/data_model/process.md index 33ac1152..7ed4995c 100755 --- a/docs/data_model/process.md +++ b/docs/data_model/process.md 
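Review bot: the `+` text for the `key_edit` row still contains `< /br>` in two cells (the `hive` and `value` columns: `[Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13)`), so the fix is incomplete for that row and those cells will keep rendering the broken tag literally; replace every occurrence in the row, not only the first ones.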
@@ -38,7 +38,7 @@ A process is a running program on a computer. |sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`| |sid|The security identifier or UID of the `user` token that the process is running under.|`S-1-5-18`| |signer|The company that signed the file.|`True`| -|signature_valid|Boolean indicator of whether signature is current and not revoked.|`FooCorp`| +|signature_valid|Boolean indicator of whether signature is current and not revoked.|`True`| |target_address|Specific address range which is accessed by another process.|`08048000-0804c000`| |target_guid|Globally Unique Identifier for the target process (only for process access events).|`{A23EAE89-BD56-5903-0000-0010E9D95EFC}`| |target_pid|ID of the target process (only for process access events).|`1338`| From 246813dd5b5c3f99efdc15fa224b46059e408d68 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 22 Nov 2022 10:19:20 +0000 Subject: [PATCH 20/82] Bump pillow from 9.0.1 to 9.3.0 in /scripts Bumps [pillow](https://github.com/python-pillow/Pillow) from 9.0.1 to 9.3.0. - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](https://github.com/python-pillow/Pillow/compare/9.0.1...9.3.0) --- updated-dependencies: - dependency-name: pillow dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- scripts/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index debae0bc..7bad2a44 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -5,7 +5,7 @@ idna==2.10 Jinja2==2.11.3 MarkupSafe==1.1.1 pendulum==1.2.5 -Pillow==9.0.1 +Pillow==9.3.0 pyattck==3.0.1 pyfiglet==0.8.post1 python-dateutil==2.8.1 
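Review bot: the `signer` row one line above the change still carries the example `True` (context line `|signer|The company that signed the file.|`True`|`), so the two examples were swapped and only one side is corrected here; give `signer` the `FooCorp` value this hunk removes, or another company name, since it is the string column.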
From 54be062279b0a9b8c667f2621baa938581d34acb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Dec 2022 08:28:07 +0000 Subject: [PATCH 21/82] Bump certifi from 2020.12.5 to 2022.12.7 in /scripts Bumps [certifi](https://github.com/certifi/python-certifi) from 2020.12.5 to 2022.12.7. - [Release notes](https://github.com/certifi/python-certifi/releases) - [Commits](https://github.com/certifi/python-certifi/compare/2020.12.05...2022.12.07) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- scripts/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index debae0bc..56c756bb 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -1,4 +1,4 @@ -certifi==2020.12.5 +certifi==2022.12.7 chardet==4.0.0 fire==0.3.1 idna==2.10 From 1b3e697286ed3e330cd0e82992c4125a21a4ce83 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Dec 2022 20:16:53 +0000 Subject: [PATCH 22/82] Bump nokogiri from 1.13.6 to 1.13.10 in /docs Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.13.6 to 1.13.10. - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md) - [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.13.6...v1.13.10) --- updated-dependencies: - dependency-name: nokogiri dependency-type: indirect ... Signed-off-by: dependabot[bot] --- docs/Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock index 97688127..e6d73404 100644 --- a/docs/Gemfile.lock +++ b/docs/Gemfile.lock 
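Review bot: the certifi hunk's preimage is `index debae0bc`, the same blob the preceding pillow bump started from (which produced `7bad2a44`), so the two dependabot branches were cut from the same parent and this one was not rebased on the other. The hunks touch different lines (line 1 here, line 8 there) and the context lines still match, so it applies cleanly; note it only because a later bump of the same file may not be as lucky.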
@@ -220,7 +220,7 @@ GEM jekyll-seo-tag (~> 2.1) minitest (5.11.3) multipart-post (2.1.1) - nokogiri (1.13.6) + nokogiri (1.13.10) mini_portile2 (~> 2.8.0) racc (~> 1.4) octokit (4.21.0) @@ -229,7 +229,7 @@ GEM pathutil (0.16.2) forwardable-extended (~> 2.6) public_suffix (2.0.5) - racc (1.6.0) + racc (1.6.1) rb-fsevent (0.11.0) rb-inotify (0.10.1) ffi (~> 1.0) From 66437c59dc25ac72065c60b3410b1f403eb10f16 Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 16 Dec 2022 11:08:34 -0500 Subject: [PATCH 23/82] Update splunk_security_content_to_car.py Fixed nested objects to pull correct technique id --- scripts/splunk_security_content_to_car.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/scripts/splunk_security_content_to_car.py b/scripts/splunk_security_content_to_car.py index b4f6a4df..834a5adc 100755 --- a/scripts/splunk_security_content_to_car.py +++ b/scripts/splunk_security_content_to_car.py @@ -3,7 +3,6 @@ ''' Author: Jose Hernandez Purpose: Convert Splunk Security Content detections to CAR analytics - ''' import argparse @@ -76,12 +75,12 @@ def mitre_attack_object(technique, attack): def get_mitre_enrichment_new(attack, mitre_attack_id): for technique in attack.enterprise.techniques: if '.' in mitre_attack_id: - for subtechnique in technique.subtechniques: - if mitre_attack_id == subtechnique.id: + for subtechnique in technique.techniques: + if mitre_attack_id == subtechnique.external_references[0].external_id: mitre_attack = mitre_attack_object(subtechnique, attack) return mitre_attack - elif mitre_attack_id == technique.id: + elif mitre_attack_id == technique.external_references[0].external_id: mitre_attack = mitre_attack_object(technique, attack) return mitre_attack return [] From 65bbaa1f6cd8c3d8ab6b84deea663d2603e8c301 Mon Sep 17 00:00:00 2001 
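Review bot: the second hunk of the nokogiri bump moves `racc` from 1.6.0 to 1.6.1, a transitive change the commit message does not mention (it names only nokogiri 1.13.6 to 1.13.10); list it so the lockfile diff and the description agree. The lockfile preimage here is `97688127`, not the `6bbeeef6` blob the tzinfo bump earlier in this series produced, so this branch carries lockfile changes the series does not show.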
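Review bot: in the `get_mitre_enrichment_new` hunk, `external_references[0].external_id` assumes the ATT&CK ID is always the first external reference; that holds for the STIX bundles ATT&CK ships, but the data model does not guarantee ordering, so select the reference whose `source_name` is `mitre-attack` and fail loudly when it is absent rather than indexing position 0. The function also returns a `dict` on a match and `[]` on a miss, so callers cannot test the result uniformly; return `None` (or an empty dict) on the miss path. The docstring hunk only drops a blank line.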
From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 16 Dec 2022 11:20:33 -0500 Subject: [PATCH 24/82] Update splunk_security_content_to_car.py Fixed technique and tactic ID in coverage section --- scripts/splunk_security_content_to_car.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/splunk_security_content_to_car.py b/scripts/splunk_security_content_to_car.py index 834a5adc..629eade5 100755 --- a/scripts/splunk_security_content_to_car.py +++ b/scripts/splunk_security_content_to_car.py @@ -62,11 +62,11 @@ def generate_car_object(detection_yaml, car_id, DETECTION_PATH): def mitre_attack_object(technique, attack): mitre_attack = dict() - mitre_attack['technique'] = technique.id + mitre_attack['technique'] = technique.external_references[0].external_id # process tactics tactics = [] for tactic in technique.tactics: - tactics.append(tactic.id) + tactics.append(tactic.external_references[0].external_id) mitre_attack['tactics'] = tactics mitre_attack['coverage'] = 'Moderate' From 47f4bc1a89dbd5a4b22b9e27cf506e622e594460 Mon Sep 17 00:00:00 2001 
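Review bot: the `mitre_attack_object` hunk repeats the index-0 assumption for the technique and for each tactic (`tactic.external_references[0].external_id`), so it now appears three times across the two patches; factor one `attack_id(obj)` helper that looks up the `mitre-attack` external reference and use it in both functions, so a change in reference ordering is handled in one place. `coverage` is hardcoded to `'Moderate'` for every converted detection; if the source YAML carries no coverage value, say so in a comment so the constant is not mistaken for a computed assessment.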
From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 30 Dec 2022 09:16:39 -0500 Subject: [PATCH 25/82] Updated Coverage files --- .../coverage/analytic_coverage_12_30_2022.csv | 589 ++ docs/coverage/analytic_coverage_12_30_2022.md | 5922 +++++++++++++++++ .../car_analytic_coverage_12_30_2022.json | 1 + .../es_analytic_coverage_12_30_2022.json | 1 + .../sigma_analytic_coverage_12_30_2022.json | 1 + .../splunk_analytic_coverage_12_30_2022.json | 1 + 6 files changed, 6515 insertions(+) create mode 100644 docs/coverage/analytic_coverage_12_30_2022.csv create mode 100644 docs/coverage/analytic_coverage_12_30_2022.md create mode 100644 docs/coverage/car_analytic_coverage_12_30_2022.json create mode 100644 docs/coverage/es_analytic_coverage_12_30_2022.json create mode 100644 docs/coverage/sigma_analytic_coverage_12_30_2022.json create mode 100644 docs/coverage/splunk_analytic_coverage_12_30_2022.json diff --git a/docs/coverage/analytic_coverage_12_30_2022.csv b/docs/coverage/analytic_coverage_12_30_2022.csv new file mode 100644 index 00000000..5dd77b31 --- /dev/null +++ b/docs/coverage/analytic_coverage_12_30_2022.csv 
@@ -0,0 +1,589 @@ +Technique (ID), Technique (Name), Sub-technique (Name), Num. CAR, Num. Sigma, Num. ES SIEM, Num. Splunk, Total +T1001,Data Obfuscation,n/a,0,0,0,0,0 +T1001.001,Data Obfuscation,Junk Data,0,0,0,0,0 +T1001.002,Data Obfuscation,Steganography,0,0,0,0,0 +T1001.003,Data Obfuscation,Protocol Impersonation,0,3,0,1,4 +T1003,OS Credential Dumping,n/a,0,23,34,36,93 +T1003.001,OS Credential Dumping,LSASS Memory,5,75,10,14,104 +T1003.002,OS Credential Dumping,Security Account Manager,1,28,5,9,43 +T1003.003,OS Credential Dumping,NTDS,2,19,1,8,30 +T1003.004,OS Credential Dumping,LSA Secrets,0,12,1,0,13 +T1003.005,OS Credential Dumping,Cached Domain Credentials,0,8,0,1,9 +T1003.006,OS Credential Dumping,DCSync,0,8,0,0,8 +T1003.007,OS Credential Dumping,Proc Filesystem,0,0,0,0,0 +T1003.008,OS Credential Dumping,/etc/passwd and /etc/shadow,0,0,1,1,2 +T1005,Data from Local System,n/a,0,7,2,1,10 +T1006,Direct Volume Access,n/a,0,1,1,0,2 +T1007,System Service Discovery,n/a,2,3,0,0,5 +T1008,Fallback Channels,n/a,0,2,0,0,2 +T1010,Application Window Discovery,n/a,1,1,0,0,2 +T1011,Exfiltration Over Other Network Medium,n/a,0,0,0,0,0 +T1011.001,Exfiltration Over Other Network Medium,Exfiltration Over Bluetooth,0,0,0,0,0 +T1012,Query Registry,n/a,3,10,1,2,16 +T1014,Rootkit,n/a,0,1,0,3,4 +T1016,System Network Configuration Discovery,n/a,2,8,3,4,17 +T1016.001,System Network Configuration Discovery,Internet Connection Discovery,0,0,0,1,1 +T1018,Remote System Discovery,n/a,1,15,4,18,38 +T1020,Automated Exfiltration,n/a,0,5,1,6,12 +T1020.001,Automated Exfiltration,Traffic Duplication,0,0,0,1,1 +T1021,Remote Services,n/a,1,3,34,24,62 +T1021.001,Remote Services,Remote Desktop Protocol,3,14,1,9,27 +T1021.002,Remote Services,SMB/Windows Admin Shares,5,33,6,5,49 +T1021.003,Remote Services,Distributed Component Object Model,1,9,0,5,15 +T1021.004,Remote Services,SSH,0,1,1,2,4 +T1021.005,Remote Services,VNC,0,1,0,0,1 +T1021.006,Remote Services,Windows Remote Management,3,9,0,6,18 
+T1025,Data from Removable Media,n/a,0,0,0,0,0 +T1026,Multiband Communication,n/a,0,0,0,0,0 +T1027,Obfuscated Files or Information,n/a,0,83,7,8,98 +T1027.001,Obfuscated Files or Information,Binary Padding,0,3,0,0,3 +T1027.002,Obfuscated Files or Information,Software Packing,0,1,0,0,1 +T1027.003,Obfuscated Files or Information,Steganography,0,5,0,0,5 +T1027.004,Obfuscated Files or Information,Compile After Delivery,0,5,2,1,8 +T1027.005,Obfuscated Files or Information,Indicator Removal from Tools,0,4,0,2,6 +T1027.006,Obfuscated Files or Information,HTML Smuggling,0,0,1,0,1 +T1029,Scheduled Transfer,n/a,1,0,0,0,1 +T1030,Data Transfer Size Limits,n/a,0,2,0,0,2 +T1033,System Owner/User Discovery,n/a,2,25,4,10,41 +T1034,Path Interception,n/a,0,0,0,0,0 +T1036,Masquerading,n/a,1,27,16,27,71 +T1036.001,Masquerading,Invalid Code Signature,0,0,0,0,0 +T1036.002,Masquerading,Right-to-Left Override,0,0,0,0,0 +T1036.003,Masquerading,Rename System Utilities,1,21,2,22,46 +T1036.004,Masquerading,Masquerade Task or Service,0,2,0,1,3 +T1036.005,Masquerading,Match Legitimate Name or Location,1,9,1,1,12 +T1036.006,Masquerading,Space after Filename,0,1,1,0,2 +T1036.007,Masquerading,Double File Extension,0,2,1,0,3 +T1037,Boot or Logon Initialization Scripts,n/a,0,0,5,2,7 +T1037.001,Boot or Logon Initialization Scripts,Logon Script (Windows),2,2,0,1,5 +T1037.002,Boot or Logon Initialization Scripts,Login Hook,0,0,0,0,0 +T1037.003,Boot or Logon Initialization Scripts,Network Logon Script,0,0,0,0,0 +T1037.004,Boot or Logon Initialization Scripts,RC Scripts,0,0,2,1,3 +T1037.005,Boot or Logon Initialization Scripts,Startup Items,0,1,0,0,1 +T1039,Data from Network Shared Drive,n/a,1,2,0,1,4 +T1040,Network Sniffing,n/a,1,8,2,1,12 +T1041,Exfiltration Over C2 Channel,n/a,0,3,0,1,4 +T1043,Commonly Used Port,n/a,0,0,0,0,0 +T1046,Network Service Discovery,n/a,2,11,1,0,14 +T1047,Windows Management Instrumentation,n/a,3,40,5,14,62 +T1048,Exfiltration Over Alternative Protocol,n/a,0,7,6,9,22 
+T1048.001,Exfiltration Over Alternative Protocol,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,0,1,0,0,1 +T1048.002,Exfiltration Over Alternative Protocol,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,0,0,0,0,0 +T1048.003,Exfiltration Over Alternative Protocol,Exfiltration Over Unencrypted Non-C2 Protocol,0,14,0,9,23 +T1049,System Network Connections Discovery,n/a,1,8,1,6,16 +T1051,Shared Webroot,n/a,0,0,0,0,0 +T1052,Exfiltration Over Physical Medium,n/a,0,0,0,0,0 +T1052.001,Exfiltration Over Physical Medium,Exfiltration over USB,0,0,0,0,0 +T1053,Scheduled Task/Job,n/a,0,11,19,28,58 +T1053.002,Scheduled Task/Job,At,3,8,0,3,14 +T1053.003,Scheduled Task/Job,Cron,0,6,5,6,17 +T1053.004,Scheduled Task/Job,Launchd,0,0,0,0,0 +T1053.005,Scheduled Task/Job,Scheduled Task,6,38,9,15,68 +T1053.006,Scheduled Task/Job,Systemd Timers,0,0,0,3,3 +T1053.007,Scheduled Task/Job,Container Orchestration Job,0,0,0,0,0 +T1055,Process Injection,n/a,0,23,13,26,62 +T1055.001,Process Injection,Dynamic-link Library Injection,2,8,0,4,14 +T1055.002,Process Injection,Portable Executable Injection,0,0,0,2,2 +T1055.003,Process Injection,Thread Execution Hijacking,0,2,0,0,2 +T1055.004,Process Injection,Asynchronous Procedure Call,0,0,0,0,0 +T1055.005,Process Injection,Thread Local Storage,0,0,0,0,0 +T1055.008,Process Injection,Ptrace System Calls,0,0,0,0,0 +T1055.009,Process Injection,Proc Memory,0,0,0,0,0 +T1055.011,Process Injection,Extra Window Memory Injection,0,0,0,0,0 +T1055.012,Process Injection,Process Hollowing,1,2,2,0,5 +T1055.013,Process Injection,Process Doppelgänging,0,0,0,0,0 +T1055.014,Process Injection,VDSO Hijacking,0,0,0,0,0 +T1055.015,Process Injection,ListPlanting,0,0,0,0,0 +T1056,Input Capture,n/a,0,0,2,1,3 +T1056.001,Input Capture,Keylogging,0,2,0,0,2 +T1056.002,Input Capture,GUI Input Capture,0,3,1,1,5 +T1056.003,Input Capture,Web Portal Capture,0,0,0,0,0 +T1056.004,Input Capture,Credential API Hooking,0,0,0,0,0 +T1057,Process Discovery,n/a,2,5,2,0,9 
+T1059,Command and Scripting Interpreter,n/a,1,51,64,57,173 +T1059.001,Command and Scripting Interpreter,PowerShell,3,181,7,32,223 +T1059.002,Command and Scripting Interpreter,AppleScript,0,2,2,0,4 +T1059.003,Command and Scripting Interpreter,Windows Command Shell,2,21,0,9,32 +T1059.004,Command and Scripting Interpreter,Unix Shell,0,8,18,3,29 +T1059.005,Command and Scripting Interpreter,Visual Basic,1,18,0,4,23 +T1059.006,Command and Scripting Interpreter,Python,0,2,2,0,4 +T1059.007,Command and Scripting Interpreter,JavaScript,0,13,3,4,20 +T1059.008,Command and Scripting Interpreter,Network Device CLI,0,0,0,0,0 +T1061,Graphical User Interface,n/a,0,0,0,0,0 +T1062,Hypervisor,n/a,0,0,0,0,0 +T1064,Scripting,n/a,0,0,0,0,0 +T1068,Exploitation for Privilege Escalation,n/a,1,25,18,10,54 +T1069,Permission Groups Discovery,n/a,0,1,5,25,31 +T1069.001,Permission Groups Discovery,Local Groups,3,14,1,11,29 +T1069.002,Permission Groups Discovery,Domain Groups,3,10,2,18,33 +T1069.003,Permission Groups Discovery,Cloud Groups,0,0,0,1,1 +T1070,Indicator Removal on Host,n/a,0,13,14,23,50 +T1070.001,Indicator Removal on Host,Clear Windows Event Logs,2,8,3,6,19 +T1070.002,Indicator Removal on Host,Clear Linux or Mac System Logs,0,3,1,0,4 +T1070.003,Indicator Removal on Host,Clear Command History,1,7,2,0,10 +T1070.004,Indicator Removal on Host,File Deletion,0,12,4,12,28 +T1070.005,Indicator Removal on Host,Network Share Connection Removal,1,3,0,1,5 +T1070.006,Indicator Removal on Host,Timestomp,0,5,1,0,6 +T1071,Application Layer Protocol,n/a,0,6,11,10,27 +T1071.001,Application Layer Protocol,Web Protocols,0,29,3,2,34 +T1071.002,Application Layer Protocol,File Transfer Protocols,0,0,0,1,1 +T1071.003,Application Layer Protocol,Mail Protocols,0,0,0,3,3 +T1071.004,Application Layer Protocol,DNS,0,17,0,4,21 +T1072,Software Deployment Tools,n/a,0,3,0,2,5 +T1074,Data Staged,n/a,0,2,2,1,5 +T1074.001,Data Staged,Local Data Staging,0,4,0,0,4 +T1074.002,Data Staged,Remote Data Staging,0,0,1,0,1 
+T1078,Valid Accounts,n/a,0,42,40,51,133 +T1078.001,Valid Accounts,Default Accounts,0,1,2,8,11 +T1078.002,Valid Accounts,Domain Accounts,5,1,2,6,14 +T1078.003,Valid Accounts,Local Accounts,5,1,5,2,13 +T1078.004,Valid Accounts,Cloud Accounts,0,3,1,28,32 +T1080,Taint Shared Content,n/a,0,0,2,0,2 +T1082,System Information Discovery,n/a,2,14,7,5,28 +T1083,File and Directory Discovery,n/a,0,12,2,1,15 +T1087,Account Discovery,n/a,0,12,4,27,43 +T1087.001,Account Discovery,Local Account,2,11,0,11,24 +T1087.002,Account Discovery,Domain Account,2,15,1,19,37 +T1087.003,Account Discovery,Email Account,0,0,0,0,0 +T1087.004,Account Discovery,Cloud Account,0,1,0,0,1 +T1090,Proxy,n/a,0,11,1,3,15 +T1090.001,Proxy,Internal Proxy,0,3,0,0,3 +T1090.002,Proxy,External Proxy,0,1,0,0,1 +T1090.003,Proxy,Multi-hop Proxy,0,2,1,0,3 +T1090.004,Proxy,Domain Fronting,0,0,0,0,0 +T1091,Replication Through Removable Media,n/a,0,1,0,0,1 +T1092,Communication Through Removable Media,n/a,0,0,0,0,0 +T1095,Non-Application Layer Protocol,n/a,0,4,1,2,7 +T1098,Account Manipulation,n/a,1,22,35,10,68 +T1098.001,Account Manipulation,Additional Cloud Credentials,0,0,0,1,1 +T1098.002,Account Manipulation,Additional Email Delegate Permissions,0,0,2,0,2 +T1098.003,Account Manipulation,Additional Cloud Roles,0,1,3,2,6 +T1098.004,Account Manipulation,SSH Authorized Keys,0,0,1,3,4 +T1098.005,Account Manipulation,Device Registration,0,0,0,0,0 +T1102,Web Service,n/a,0,3,1,2,6 +T1102.001,Web Service,Dead Drop Resolver,0,3,0,0,3 +T1102.002,Web Service,Bidirectional Communication,0,2,0,0,2 +T1102.003,Web Service,One-Way Communication,0,2,0,0,2 +T1104,Multi-Stage Channels,n/a,0,1,0,0,1 +T1105,Ingress Tool Transfer,n/a,4,47,9,23,83 +T1106,Native API,n/a,0,12,6,0,18 +T1108,Redundant Access,n/a,0,0,0,0,0 +T1110,Brute Force,n/a,0,10,19,25,54 +T1110.001,Brute Force,Password Guessing,0,3,6,3,12 +T1110.002,Brute Force,Password Cracking,0,1,0,0,1 +T1110.003,Brute Force,Password Spraying,0,8,6,15,29 +T1110.004,Brute 
Force,Credential Stuffing,0,0,0,5,5 +T1111,Multi-Factor Authentication Interception,n/a,0,0,1,0,1 +T1112,Modify Registry,n/a,8,62,5,25,100 +T1113,Screen Capture,n/a,0,6,1,3,10 +T1114,Email Collection,n/a,0,4,3,8,15 +T1114.001,Email Collection,Local Email Collection,0,1,0,2,3 +T1114.002,Email Collection,Remote Email Collection,0,0,1,3,4 +T1114.003,Email Collection,Email Forwarding Rule,0,0,1,2,3 +T1115,Clipboard Data,n/a,0,6,0,2,8 +T1119,Automated Collection,n/a,0,5,0,0,5 +T1120,Peripheral Device Discovery,n/a,0,2,1,0,3 +T1123,Audio Capture,n/a,0,6,1,0,7 +T1124,System Time Discovery,n/a,0,3,0,1,4 +T1125,Video Capture,n/a,0,1,0,0,1 +T1127,Trusted Developer Utilities Proxy Execution,n/a,0,17,8,9,34 +T1127.001,Trusted Developer Utilities Proxy Execution,MSBuild,1,1,3,6,11 +T1129,Shared Modules,n/a,0,0,1,0,1 +T1132,Data Encoding,n/a,0,0,0,0,0 +T1132.001,Data Encoding,Standard Encoding,0,1,0,0,1 +T1132.002,Data Encoding,Non-Standard Encoding,0,0,0,0,0 +T1133,External Remote Services,n/a,0,7,5,0,12 +T1134,Access Token Manipulation,n/a,0,0,12,5,17 +T1134.001,Access Token Manipulation,Token Impersonation/Theft,0,7,1,3,11 +T1134.002,Access Token Manipulation,Create Process with Token,0,5,3,1,9 +T1134.003,Access Token Manipulation,Make and Impersonate Token,0,1,1,0,2 +T1134.004,Access Token Manipulation,Parent PID Spoofing,0,1,2,1,4 +T1134.005,Access Token Manipulation,SID-History Injection,0,1,0,0,1 +T1135,Network Share Discovery,n/a,0,7,3,0,10 +T1136,Create Account,n/a,0,1,7,14,22 +T1136.001,Create Account,Local Account,1,12,2,5,20 +T1136.002,Create Account,Domain Account,0,2,0,0,2 +T1136.003,Create Account,Cloud Account,0,2,2,10,14 +T1137,Office Application Startup,n/a,0,6,2,0,8 +T1137.001,Office Application Startup,Office Template Macros,0,0,0,0,0 +T1137.002,Office Application Startup,Office Test,0,1,0,0,1 +T1137.003,Office Application Startup,Outlook Forms,0,1,0,0,1 +T1137.004,Office Application Startup,Outlook Home Page,0,0,0,0,0 +T1137.005,Office Application 
Startup,Outlook Rules,0,0,0,0,0 +T1137.006,Office Application Startup,Add-ins,0,3,0,0,3 +T1140,Deobfuscate/Decode Files or Information,n/a,1,13,6,2,22 +T1149,LC_MAIN Hijacking,n/a,0,0,0,0,0 +T1153,Source,n/a,0,0,0,0,0 +T1175,Component Object Model and Distributed COM,n/a,0,0,0,0,0 +T1176,Browser Extensions,n/a,0,1,0,0,1 +T1185,Browser Session Hijacking,n/a,0,1,0,0,1 +T1187,Forced Authentication,n/a,1,3,0,1,5 +T1189,Drive-by Compromise,n/a,0,2,1,5,8 +T1190,Exploit Public-Facing Application,n/a,0,74,15,31,120 +T1195,Supply Chain Compromise,n/a,0,1,4,3,8 +T1195.001,Supply Chain Compromise,Compromise Software Dependencies and Development Tools,0,1,0,2,3 +T1195.002,Supply Chain Compromise,Compromise Software Supply Chain,0,0,4,1,5 +T1195.003,Supply Chain Compromise,Compromise Hardware Supply Chain,0,0,0,0,0 +T1197,BITS Jobs,n/a,2,16,1,6,25 +T1199,Trusted Relationship,n/a,0,1,0,2,3 +T1200,Hardware Additions,n/a,0,2,0,5,7 +T1201,Password Policy Discovery,n/a,0,4,0,7,11 +T1202,Indirect Command Execution,n/a,0,28,0,4,32 +T1203,Exploitation for Client Execution,n/a,0,21,2,4,27 +T1204,User Execution,n/a,0,8,7,15,30 +T1204.001,User Execution,Malicious Link,0,2,0,1,3 +T1204.002,User Execution,Malicious File,1,26,3,4,34 +T1204.003,User Execution,Malicious Image,0,0,0,7,7 +T1205,Traffic Signaling,n/a,0,0,0,0,0 +T1205.001,Traffic Signaling,Port Knocking,0,0,0,0,0 +T1207,Rogue Domain Controller,n/a,0,1,0,0,1 +T1210,Exploitation of Remote Services,n/a,0,8,1,3,12 +T1211,Exploitation for Defense Evasion,n/a,0,3,1,0,4 +T1212,Exploitation for Credential Access,n/a,0,8,1,2,11 +T1213,Data from Information Repositories,n/a,0,0,0,1,1 +T1213.001,Data from Information Repositories,Confluence,0,0,0,0,0 +T1213.002,Data from Information Repositories,Sharepoint,0,0,0,0,0 +T1213.003,Data from Information Repositories,Code Repositories,0,0,0,0,0 +T1216,System Script Proxy Execution,n/a,0,17,0,1,18 +T1216.001,System Script Proxy Execution,PubPrn,0,2,0,0,2 +T1217,Browser Bookmark 
Discovery,n/a,0,3,0,0,3 +T1218,System Binary Proxy Execution,n/a,0,94,18,70,182 +T1218.001,System Binary Proxy Execution,Compiled HTML File,1,5,1,8,15 +T1218.002,System Binary Proxy Execution,Control Panel,0,1,1,1,3 +T1218.003,System Binary Proxy Execution,CMSTP,1,7,0,3,11 +T1218.004,System Binary Proxy Execution,InstallUtil,0,0,1,9,10 +T1218.005,System Binary Proxy Execution,Mshta,0,8,4,12,24 +T1218.007,System Binary Proxy Execution,Msiexec,0,9,0,9,18 +T1218.008,System Binary Proxy Execution,Odbcconf,0,1,0,4,5 +T1218.009,System Binary Proxy Execution,Regsvcs/Regasm,0,1,1,6,8 +T1218.010,System Binary Proxy Execution,Regsvr32,2,16,2,6,26 +T1218.011,System Binary Proxy Execution,Rundll32,1,32,3,16,52 +T1218.012,System Binary Proxy Execution,Verclsid,0,0,0,1,1 +T1218.013,System Binary Proxy Execution,Mavinject,0,2,0,1,3 +T1218.014,System Binary Proxy Execution,MMC,0,0,0,3,3 +T1219,Remote Access Software,n/a,0,28,3,3,34 +T1220,XSL Script Processing,n/a,0,3,3,2,8 +T1221,Template Injection,n/a,0,1,0,0,1 +T1222,File and Directory Permissions Modification,n/a,0,0,4,11,15 +T1222.001,File and Directory Permissions Modification,Windows File and Directory Permissions Modification,1,4,0,2,7 +T1222.002,File and Directory Permissions Modification,Linux and Mac File and Directory Permissions Modification,1,4,1,1,7 +T1480,Execution Guardrails,n/a,0,0,0,0,0 +T1480.001,Execution Guardrails,Environmental Keying,0,0,0,0,0 +T1482,Domain Trust Discovery,n/a,0,13,2,11,26 +T1484,Domain Policy Modification,n/a,0,2,4,2,8 +T1484.001,Domain Policy Modification,Group Policy Modification,0,2,0,0,2 +T1484.002,Domain Policy Modification,Domain Trust Modification,0,0,1,2,3 +T1485,Data Destruction,n/a,0,10,8,19,37 +T1486,Data Encrypted for Impact,n/a,0,10,1,7,18 +T1489,Service Stop,n/a,0,7,6,14,27 +T1490,Inhibit System Recovery,n/a,2,18,6,12,38 +T1491,Defacement,n/a,0,0,0,2,2 +T1491.001,Defacement,Internal Defacement,0,2,0,0,2 +T1491.002,Defacement,External Defacement,0,0,0,0,0 +T1495,Firmware 
Corruption,n/a,0,1,0,0,1 +T1496,Resource Hijacking,n/a,0,4,1,0,5 +T1497,Virtualization/Sandbox Evasion,n/a,0,0,1,1,2 +T1497.001,Virtualization/Sandbox Evasion,System Checks,0,1,0,0,1 +T1497.002,Virtualization/Sandbox Evasion,User Activity Based Checks,0,0,0,0,0 +T1497.003,Virtualization/Sandbox Evasion,Time Based Evasion,0,0,0,1,1 +T1498,Network Denial of Service,n/a,0,0,1,7,8 +T1498.001,Network Denial of Service,Direct Network Flood,0,0,0,0,0 +T1498.002,Network Denial of Service,Reflection Amplification,0,0,0,1,1 +T1499,Endpoint Denial of Service,n/a,0,1,1,1,3 +T1499.001,Endpoint Denial of Service,OS Exhaustion Flood,0,1,0,0,1 +T1499.002,Endpoint Denial of Service,Service Exhaustion Flood,0,0,0,0,0 +T1499.003,Endpoint Denial of Service,Application Exhaustion Flood,0,0,0,0,0 +T1499.004,Endpoint Denial of Service,Application or System Exploitation,0,3,0,0,3 +T1505,Server Software Component,n/a,0,1,2,7,10 +T1505.001,Server Software Component,SQL Stored Procedures,0,0,0,0,0 +T1505.002,Server Software Component,Transport Agent,0,3,0,0,3 +T1505.003,Server Software Component,Web Shell,1,27,2,7,37 +T1505.004,Server Software Component,IIS Components,0,0,0,0,0 +T1505.005,Server Software Component,Terminal Services DLL,0,1,0,0,1 +T1518,Software Discovery,n/a,0,2,3,0,5 +T1518.001,Software Discovery,Security Software Discovery,1,4,2,0,7 +T1525,Implant Internal Image,n/a,0,1,0,0,1 +T1526,Cloud Service Discovery,n/a,0,2,1,7,10 +T1528,Steal Application Access Token,n/a,0,10,3,0,13 +T1529,System Shutdown/Reboot,n/a,0,6,0,3,9 +T1530,Data from Cloud Storage Object,n/a,0,0,5,6,11 +T1531,Account Access Removal,n/a,0,3,9,4,16 +T1534,Internal Spearphishing,n/a,0,0,0,0,0 +T1535,Unused/Unsupported Cloud Regions,n/a,0,0,0,8,8 +T1537,Transfer Data to Cloud Account,n/a,0,4,6,2,12 +T1538,Cloud Service Dashboard,n/a,0,0,0,0,0 +T1539,Steal Web Session Cookie,n/a,0,2,3,0,5 +T1542,Pre-OS Boot,n/a,0,0,0,1,1 +T1542.001,Pre-OS Boot,System Firmware,0,2,0,0,2 +T1542.002,Pre-OS Boot,Component 
Firmware,0,0,0,0,0 +T1542.003,Pre-OS Boot,Bootkit,0,1,0,0,1 +T1542.004,Pre-OS Boot,ROMMONkit,0,0,0,0,0 +T1542.005,Pre-OS Boot,TFTP Boot,0,0,0,1,1 +T1543,Create or Modify System Process,n/a,0,9,28,16,53 +T1543.001,Create or Modify System Process,Launch Agent,0,0,3,2,5 +T1543.002,Create or Modify System Process,Systemd Service,0,2,1,0,3 +T1543.003,Create or Modify System Process,Windows Service,6,40,10,14,70 +T1543.004,Create or Modify System Process,Launch Daemon,0,0,0,0,0 +T1546,Event Triggered Execution,n/a,0,9,15,15,39 +T1546.001,Event Triggered Execution,Change Default File Association,1,3,0,3,7 +T1546.002,Event Triggered Execution,Screensaver,1,4,1,1,7 +T1546.003,Event Triggered Execution,Windows Management Instrumentation Event Subscription,1,12,1,3,17 +T1546.004,Event Triggered Execution,Unix Shell Configuration Modification,0,1,1,2,4 +T1546.005,Event Triggered Execution,Trap,0,0,0,0,0 +T1546.006,Event Triggered Execution,LC_LOAD_DYLIB Addition,0,0,0,0,0 +T1546.007,Event Triggered Execution,Netsh Helper DLL,0,2,0,0,2 +T1546.008,Event Triggered Execution,Accessibility Features,3,7,1,1,12 +T1546.009,Event Triggered Execution,AppCert DLLs,0,2,1,0,3 +T1546.010,Event Triggered Execution,AppInit DLLs,2,1,1,0,4 +T1546.011,Event Triggered Execution,Application Shimming,0,2,2,3,7 +T1546.012,Event Triggered Execution,Image File Execution Options Injection,0,2,1,2,5 +T1546.013,Event Triggered Execution,PowerShell Profile,0,3,1,0,4 +T1546.014,Event Triggered Execution,Emond,0,1,2,0,3 +T1546.015,Event Triggered Execution,Component Object Model Hijacking,1,9,1,4,15 +T1547,Boot or Logon Autostart Execution,n/a,0,6,24,16,46 +T1547.001,Boot or Logon Autostart Execution,Registry Run Keys / Startup Folder,4,31,9,2,46 +T1547.002,Boot or Logon Autostart Execution,Authentication Package,0,1,2,0,3 +T1547.003,Boot or Logon Autostart Execution,Time Providers,0,1,1,1,3 +T1547.004,Boot or Logon Autostart Execution,Winlogon Helper DLL,2,3,0,0,5 +T1547.005,Boot or Logon Autostart 
Execution,Security Support Provider,0,1,1,1,3 +T1547.006,Boot or Logon Autostart Execution,Kernel Modules and Extensions,0,1,4,3,8 +T1547.007,Boot or Logon Autostart Execution,Re-opened Applications,0,0,0,0,0 +T1547.008,Boot or Logon Autostart Execution,LSASS Driver,0,1,0,1,2 +T1547.009,Boot or Logon Autostart Execution,Shortcut Modification,0,4,0,0,4 +T1547.010,Boot or Logon Autostart Execution,Port Monitors,1,4,1,1,7 +T1547.012,Boot or Logon Autostart Execution,Print Processors,0,0,0,7,7 +T1547.013,Boot or Logon Autostart Execution,XDG Autostart Entries,0,0,0,0,0 +T1547.014,Boot or Logon Autostart Execution,Active Setup,0,1,0,1,2 +T1547.015,Boot or Logon Autostart Execution,Login Items,0,0,0,0,0 +T1548,Abuse Elevation Control Mechanism,n/a,1,17,23,51,92 +T1548.001,Abuse Elevation Control Mechanism,Setuid and Setgid,0,1,2,3,6 +T1548.002,Abuse Elevation Control Mechanism,Bypass User Account Control,3,48,11,13,75 +T1548.003,Abuse Elevation Control Mechanism,Sudo and Sudo Caching,0,2,4,32,38 +T1548.004,Abuse Elevation Control Mechanism,Elevated Execution with Prompt,0,0,1,0,1 +T1550,Use Alternate Authentication Material,n/a,0,3,6,9,18 +T1550.001,Use Alternate Authentication Material,Application Access Token,0,3,5,0,8 +T1550.002,Use Alternate Authentication Material,Pass the Hash,1,5,0,3,9 +T1550.003,Use Alternate Authentication Material,Pass the Ticket,0,3,1,3,7 +T1550.004,Use Alternate Authentication Material,Web Session Cookie,0,0,0,0,0 +T1552,Unsecured Credentials,n/a,0,5,7,5,17 +T1552.001,Unsecured Credentials,Credentials In Files,1,14,2,1,18 +T1552.002,Unsecured Credentials,Credentials in Registry,1,3,0,3,7 +T1552.003,Unsecured Credentials,Bash History,0,3,0,0,3 +T1552.004,Unsecured Credentials,Private Keys,0,5,1,1,7 +T1552.005,Unsecured Credentials,Cloud Instance Metadata API,0,0,0,0,0 +T1552.006,Unsecured Credentials,Group Policy Preferences,0,4,0,0,4 +T1552.007,Unsecured Credentials,Container API,0,2,0,0,2 +T1553,Subvert Trust Controls,n/a,0,2,5,2,9 
+T1553.001,Subvert Trust Controls,Gatekeeper Bypass,0,1,0,0,1 +T1553.002,Subvert Trust Controls,Code Signing,0,1,1,0,2 +T1553.003,Subvert Trust Controls,SIP and Trust Provider Hijacking,0,1,1,0,2 +T1553.004,Subvert Trust Controls,Install Root Certificate,1,5,2,2,10 +T1553.005,Subvert Trust Controls,Mark-of-the-Web Bypass,0,3,0,0,3 +T1553.006,Subvert Trust Controls,Code Signing Policy Modification,0,0,0,0,0 +T1554,Compromise Client Software Binary,n/a,0,3,2,2,7 +T1555,Credentials from Password Stores,n/a,0,4,9,4,17 +T1555.001,Credentials from Password Stores,Keychain,0,1,4,0,5 +T1555.002,Credentials from Password Stores,Securityd Memory,0,0,0,0,0 +T1555.003,Credentials from Password Stores,Credentials from Web Browsers,0,2,2,3,7 +T1555.004,Credentials from Password Stores,Windows Credential Manager,0,4,2,0,6 +T1555.005,Credentials from Password Stores,Password Managers,0,1,0,1,2 +T1556,Modify Authentication Process,n/a,0,2,9,5,16 +T1556.001,Modify Authentication Process,Domain Controller Authentication,0,0,0,0,0 +T1556.002,Modify Authentication Process,Password Filter DLL,0,3,0,0,3 +T1556.003,Modify Authentication Process,Pluggable Authentication Modules,0,0,0,0,0 +T1556.004,Modify Authentication Process,Network Device Authentication,0,0,0,0,0 +T1556.005,Modify Authentication Process,Reversible Encryption,0,0,0,0,0 +T1557,Adversary-in-the-Middle,n/a,0,1,0,4,5 +T1557.001,Adversary-in-the-Middle,LLMNR/NBT-NS Poisoning and SMB Relay,0,7,0,0,7 +T1557.002,Adversary-in-the-Middle,ARP Cache Poisoning,0,0,0,3,3 +T1557.003,Adversary-in-the-Middle,DHCP Spoofing,0,0,0,0,0 +T1558,Steal or Forge Kerberos Tickets,n/a,0,3,9,18,30 +T1558.001,Steal or Forge Kerberos Tickets,Golden Ticket,0,0,0,1,1 +T1558.002,Steal or Forge Kerberos Tickets,Silver Ticket,0,0,0,0,0 +T1558.003,Steal or Forge Kerberos Tickets,Kerberoasting,0,11,1,8,20 +T1558.004,Steal or Forge Kerberos Tickets,AS-REP Roasting,0,0,0,7,7 +T1559,Inter-Process Communication,n/a,0,1,2,0,3 +T1559.001,Inter-Process 
Communication,Component Object Model,0,4,1,1,6 +T1559.002,Inter-Process Communication,Dynamic Data Exchange,1,1,0,0,2 +T1559.003,Inter-Process Communication,XPC Services,0,0,0,0,0 +T1560,Archive Collected Data,n/a,0,2,2,6,10 +T1560.001,Archive Collected Data,Archive via Utility,1,12,2,6,21 +T1560.002,Archive Collected Data,Archive via Library,0,0,0,0,0 +T1560.003,Archive Collected Data,Archive via Custom Method,0,0,0,0,0 +T1561,Disk Wipe,n/a,0,0,0,2,2 +T1561.001,Disk Wipe,Disk Content Wipe,0,1,0,0,1 +T1561.002,Disk Wipe,Disk Structure Wipe,0,1,0,2,3 +T1562,Impair Defenses,n/a,0,17,77,62,156 +T1562.001,Impair Defenses,Disable or Modify Tools,3,74,39,45,161 +T1562.002,Impair Defenses,Disable Windows Event Logging,1,12,2,0,15 +T1562.003,Impair Defenses,Impair Command History Logging,0,0,0,0,0 +T1562.004,Impair Defenses,Disable or Modify System Firewall,0,13,4,5,22 +T1562.006,Impair Defenses,Indicator Blocking,2,4,3,1,10 +T1562.007,Impair Defenses,Disable or Modify Cloud Firewall,0,0,3,6,9 +T1562.008,Impair Defenses,Disable Cloud Logs,0,0,0,6,6 +T1562.009,Impair Defenses,Safe Mode Boot,0,0,0,0,0 +T1562.010,Impair Defenses,Downgrade Attack,0,1,0,0,1 +T1563,Remote Service Session Hijacking,n/a,0,0,0,0,0 +T1563.001,Remote Service Session Hijacking,SSH Hijacking,0,0,0,0,0 +T1563.002,Remote Service Session Hijacking,RDP Hijacking,0,2,0,0,2 +T1564,Hide Artifacts,n/a,0,6,7,1,14 +T1564.001,Hide Artifacts,Hidden Files and Directories,0,8,5,2,15 +T1564.002,Hide Artifacts,Hidden Users,0,4,0,0,4 +T1564.003,Hide Artifacts,Hidden Window,0,2,0,0,2 +T1564.004,Hide Artifacts,NTFS File Attributes,2,19,2,0,23 +T1564.005,Hide Artifacts,Hidden File System,0,0,0,0,0 +T1564.006,Hide Artifacts,Run Virtual Instance,0,2,0,0,2 +T1564.007,Hide Artifacts,VBA Stomping,0,0,0,0,0 +T1564.008,Hide Artifacts,Email Hiding Rules,0,0,0,0,0 +T1564.009,Hide Artifacts,Resource Forking,0,0,0,0,0 +T1564.010,Hide Artifacts,Process Argument Spoofing,0,0,0,0,0 +T1565,Data Manipulation,n/a,0,3,3,0,6 +T1565.001,Data 
Manipulation,Stored Data Manipulation,0,3,3,0,6 +T1565.002,Data Manipulation,Transmitted Data Manipulation,0,1,0,0,1 +T1565.003,Data Manipulation,Runtime Data Manipulation,0,0,0,0,0 +T1566,Phishing,n/a,0,9,17,33,59 +T1566.001,Phishing,Spearphishing Attachment,0,15,11,29,55 +T1566.002,Phishing,Spearphishing Link,0,1,8,1,10 +T1566.003,Phishing,Spearphishing via Service,0,0,0,1,1 +T1567,Exfiltration Over Web Service,n/a,0,7,1,2,10 +T1567.001,Exfiltration Over Web Service,Exfiltration to Code Repository,0,3,0,0,3 +T1567.002,Exfiltration Over Web Service,Exfiltration to Cloud Storage,0,7,0,1,8 +T1568,Dynamic Resolution,n/a,0,1,3,0,4 +T1568.001,Dynamic Resolution,Fast Flux DNS,0,0,0,0,0 +T1568.002,Dynamic Resolution,Domain Generation Algorithms,0,2,3,1,6 +T1568.003,Dynamic Resolution,DNS Calculation,0,0,0,0,0 +T1569,System Services,n/a,0,4,3,5,12 +T1569.001,System Services,Launchctl,1,0,0,0,1 +T1569.002,System Services,Service Execution,4,40,3,5,52 +T1570,Lateral Tool Transfer,n/a,3,2,1,0,6 +T1571,Non-Standard Port,n/a,0,3,1,0,4 +T1572,Protocol Tunneling,n/a,0,12,5,3,20 +T1573,Encrypted Channel,n/a,0,4,1,2,7 +T1573.001,Encrypted Channel,Symmetric Cryptography,0,0,0,0,0 +T1573.002,Encrypted Channel,Asymmetric Cryptography,0,0,0,0,0 +T1574,Hijack Execution Flow,n/a,0,8,9,11,28 +T1574.001,Hijack Execution Flow,DLL Search Order Hijacking,1,22,1,4,28 +T1574.002,Hijack Execution Flow,DLL Side-Loading,0,42,2,5,49 +T1574.004,Hijack Execution Flow,Dylib Hijacking,0,0,0,0,0 +T1574.005,Hijack Execution Flow,Executable Installer File Permissions Weakness,0,1,0,0,1 +T1574.006,Hijack Execution Flow,Dynamic Linker Hijacking,0,2,3,1,6 +T1574.007,Hijack Execution Flow,Path Interception by PATH Environment Variable,1,1,3,0,5 +T1574.008,Hijack Execution Flow,Path Interception by Search Order Hijacking,1,1,0,0,2 +T1574.009,Hijack Execution Flow,Path Interception by Unquoted Path,2,0,0,1,3 +T1574.010,Hijack Execution Flow,Services File Permissions Weakness,2,0,1,0,3 +T1574.011,Hijack 
Execution Flow,Services Registry Permissions Weakness,4,9,0,2,15 +T1574.012,Hijack Execution Flow,COR_PROFILER,0,2,0,0,2 +T1574.013,Hijack Execution Flow,KernelCallbackTable,0,0,0,0,0 +T1578,Modify Cloud Compute Infrastructure,n/a,0,1,2,0,3 +T1578.001,Modify Cloud Compute Infrastructure,Create Snapshot,0,0,0,0,0 +T1578.002,Modify Cloud Compute Infrastructure,Create Cloud Instance,0,0,0,0,0 +T1578.003,Modify Cloud Compute Infrastructure,Delete Cloud Instance,0,1,0,0,1 +T1578.004,Modify Cloud Compute Infrastructure,Revert Cloud Instance,0,0,1,0,1 +T1580,Cloud Infrastructure Discovery,n/a,0,0,0,2,2 +T1583,Acquire Infrastructure,n/a,0,0,0,0,0 +T1583.001,Acquire Infrastructure,Domains,0,0,0,0,0 +T1583.002,Acquire Infrastructure,DNS Server,0,0,0,0,0 +T1583.003,Acquire Infrastructure,Virtual Private Server,0,0,0,0,0 +T1583.004,Acquire Infrastructure,Server,0,0,0,0,0 +T1583.005,Acquire Infrastructure,Botnet,0,0,0,0,0 +T1583.006,Acquire Infrastructure,Web Services,0,0,0,0,0 +T1584,Compromise Infrastructure,n/a,0,2,0,0,2 +T1584.001,Compromise Infrastructure,Domains,0,0,0,0,0 +T1584.002,Compromise Infrastructure,DNS Server,0,0,0,0,0 +T1584.003,Compromise Infrastructure,Virtual Private Server,0,0,0,0,0 +T1584.004,Compromise Infrastructure,Server,0,0,0,0,0 +T1584.005,Compromise Infrastructure,Botnet,0,0,0,0,0 +T1584.006,Compromise Infrastructure,Web Services,0,0,0,0,0 +T1585,Establish Accounts,n/a,0,0,0,0,0 +T1585.001,Establish Accounts,Social Media Accounts,0,0,0,0,0 +T1585.002,Establish Accounts,Email Accounts,0,0,0,0,0 +T1586,Compromise Accounts,n/a,0,0,0,26,26 +T1586.001,Compromise Accounts,Social Media Accounts,0,0,0,0,0 +T1586.002,Compromise Accounts,Email Accounts,0,0,0,0,0 +T1587,Develop Capabilities,n/a,0,5,0,0,5 +T1587.001,Develop Capabilities,Malware,0,10,0,0,10 +T1587.002,Develop Capabilities,Code Signing Certificates,0,0,0,0,0 +T1587.003,Develop Capabilities,Digital Certificates,0,0,0,2,2 +T1587.004,Develop Capabilities,Exploits,0,0,0,0,0 +T1588,Obtain 
Capabilities,n/a,0,2,1,0,3 +T1588.001,Obtain Capabilities,Malware,0,1,0,0,1 +T1588.002,Obtain Capabilities,Tool,0,7,0,2,9 +T1588.003,Obtain Capabilities,Code Signing Certificates,0,0,0,0,0 +T1588.004,Obtain Capabilities,Digital Certificates,0,0,0,2,2 +T1588.005,Obtain Capabilities,Exploits,0,0,0,0,0 +T1588.006,Obtain Capabilities,Vulnerabilities,0,0,0,0,0 +T1589,Gather Victim Identity Information,n/a,0,1,0,2,3 +T1589.001,Gather Victim Identity Information,Credentials,0,0,0,1,1 +T1589.002,Gather Victim Identity Information,Email Addresses,0,0,0,1,1 +T1589.003,Gather Victim Identity Information,Employee Names,0,0,0,0,0 +T1590,Gather Victim Network Information,n/a,0,2,0,2,4 +T1590.001,Gather Victim Network Information,Domain Properties,0,0,0,0,0 +T1590.002,Gather Victim Network Information,DNS,0,0,0,0,0 +T1590.003,Gather Victim Network Information,Network Trust Dependencies,0,0,0,0,0 +T1590.004,Gather Victim Network Information,Network Topology,0,0,0,0,0 +T1590.005,Gather Victim Network Information,IP Addresses,0,0,0,2,2 +T1590.006,Gather Victim Network Information,Network Security Appliances,0,0,0,0,0 +T1591,Gather Victim Org Information,n/a,0,0,0,0,0 +T1591.001,Gather Victim Org Information,Determine Physical Locations,0,0,0,0,0 +T1591.002,Gather Victim Org Information,Business Relationships,0,0,0,0,0 +T1591.003,Gather Victim Org Information,Identify Business Tempo,0,0,0,0,0 +T1591.004,Gather Victim Org Information,Identify Roles,0,0,0,0,0 +T1592,Gather Victim Host Information,n/a,0,1,0,5,6 +T1592.001,Gather Victim Host Information,Hardware,0,0,0,1,1 +T1592.002,Gather Victim Host Information,Software,0,0,0,0,0 +T1592.003,Gather Victim Host Information,Firmware,0,0,0,0,0 +T1592.004,Gather Victim Host Information,Client Configurations,0,3,0,0,3 +T1593,Search Open Websites/Domains,n/a,0,0,0,0,0 +T1593.001,Search Open Websites/Domains,Social Media,0,0,0,0,0 +T1593.002,Search Open Websites/Domains,Search Engines,0,0,0,0,0 +T1594,Search Victim-Owned Websites,n/a,0,0,0,0,0 
+T1595,Active Scanning,n/a,0,0,0,1,1 +T1595.001,Active Scanning,Scanning IP Blocks,0,0,0,0,0 +T1595.002,Active Scanning,Vulnerability Scanning,0,1,0,0,1 +T1595.003,Active Scanning,Wordlist Scanning,0,0,0,0,0 +T1596,Search Open Technical Databases,n/a,0,0,0,0,0 +T1596.001,Search Open Technical Databases,DNS/Passive DNS,0,0,0,0,0 +T1596.002,Search Open Technical Databases,WHOIS,0,0,0,0,0 +T1596.003,Search Open Technical Databases,Digital Certificates,0,0,0,0,0 +T1596.004,Search Open Technical Databases,CDNs,0,0,0,0,0 +T1596.005,Search Open Technical Databases,Scan Databases,0,0,0,0,0 +T1597,Search Closed Sources,n/a,0,0,0,0,0 +T1597.001,Search Closed Sources,Threat Intel Vendors,0,0,0,0,0 +T1597.002,Search Closed Sources,Purchase Technical Data,0,0,0,0,0 +T1598,Phishing for Information,n/a,0,0,0,0,0 +T1598.001,Phishing for Information,Spearphishing Service,0,0,0,0,0 +T1598.002,Phishing for Information,Spearphishing Attachment,0,0,0,0,0 +T1598.003,Phishing for Information,Spearphishing Link,0,0,0,0,0 +T1599,Network Boundary Bridging,n/a,0,0,0,0,0 +T1599.001,Network Boundary Bridging,Network Address Translation Traversal,0,1,0,0,1 +T1600,Weaken Encryption,n/a,0,0,0,0,0 +T1600.001,Weaken Encryption,Reduce Key Space,0,0,0,0,0 +T1600.002,Weaken Encryption,Disable Crypto Hardware,0,0,0,0,0 +T1601,Modify System Image,n/a,0,0,0,0,0 +T1601.001,Modify System Image,Patch System Image,0,0,0,0,0 +T1601.002,Modify System Image,Downgrade System Image,0,0,0,0,0 +T1602,Data from Configuration Repository,n/a,0,0,0,0,0 +T1602.001,Data from Configuration Repository,SNMP (MIB Dump),0,0,0,0,0 +T1602.002,Data from Configuration Repository,Network Device Configuration Dump,0,0,0,0,0 +T1606,Forge Web Credentials,n/a,0,0,0,0,0 +T1606.001,Forge Web Credentials,Web Cookies,0,0,0,0,0 +T1606.002,Forge Web Credentials,SAML Tokens,1,0,0,0,1 +T1608,Stage Capabilities,n/a,0,1,0,0,1 +T1608.001,Stage Capabilities,Upload Malware,0,0,0,0,0 +T1608.002,Stage Capabilities,Upload Tool,0,0,0,0,0 
+T1608.003,Stage Capabilities,Install Digital Certificate,0,0,0,0,0 +T1608.004,Stage Capabilities,Drive-by Target,0,0,0,0,0 +T1608.005,Stage Capabilities,Link Target,0,0,0,0,0 +T1609,Container Administration Command,n/a,0,0,1,0,1 +T1610,Deploy Container,n/a,0,0,6,0,6 +T1611,Escape to Host,n/a,0,0,6,0,6 +T1612,Build Image on Host,n/a,0,0,0,0,0 +T1613,Container and Resource Discovery,n/a,0,0,2,0,2 +T1614,System Location Discovery,n/a,0,0,1,0,1 +T1614.001,System Location Discovery,System Language Discovery,0,1,0,0,1 +T1615,Group Policy Discovery,n/a,0,4,0,0,4 +T1619,Cloud Storage Object Discovery,n/a,0,0,0,0,0 +T1620,Reflective Code Loading,n/a,0,1,0,0,1 +T1621,Multi-Factor Authentication Request Generation,n/a,0,0,0,7,7 +T1622,Debugger Evasion,n/a,0,0,0,0,0 +T1647,Plist File Modification,n/a,0,0,2,1,3 diff --git a/docs/coverage/analytic_coverage_12_30_2022.md b/docs/coverage/analytic_coverage_12_30_2022.md new file mode 100644 index 00000000..ff681143 --- /dev/null +++ b/docs/coverage/analytic_coverage_12_30_2022.md 
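Review bot: the generated CSV carries all-zero rows for technique IDs that ATT&CK has deprecated or revoked (T1108 Redundant Access, T1149 LC_MAIN Hijacking, T1153 Source, T1175 Component Object Model and Distributed COM), so the generator appears to be walking a technique list that includes retired entries; either filter retired IDs out or state on the accompanying page that they are kept, otherwise a reader will read a zero row as a coverage gap rather than a retired technique. It would also help to document that a parent row such as `T1078,Valid Accounts,n/a,0,42,40,51,133` counts only analytics tagged with the parent ID and does not roll up its sub-techniques (the four T1078.00x rows total 70, not 133), since nothing in the file or the page header says which reading is intended.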
@@ -0,0 +1,5922 @@ +--- + title: Analytic Coverage Comparison + --- + + Generated on: December 30, 2022 + + A cross-walk of CAR, [Sigma](https://github.com/SigmaHQ/sigma), [Elastic Detection](https://github.com/elastic/detection-rules), and [Splunk Security Content](https://github.com/splunk/security_content/tree/develop/detections) rules in terms of their coverage of ATT&CK Techniques and Sub-techniques. Note that some analytics may have coverage for multiple techniques, so there is not necessarily a 1:1 correlation between the number of hits in this table for a technique/sub-technique and the number of analytics in each repository. The below table is current as of the Generated On date at the top of this page. + + * \# CAR: the number of CAR analytics that contain coverage for the technique/sub-technique. + * \# Sigma: the number of Sigma rules that contain coverage for the technique/sub-technique. + * \# ES: the number of ES detection rules that contain coverage for the technique/sub-technique. + * \# Splunk: the number of Splunk detections rules that contain coverage for the technique/sub-technique. + * \# Total: the total number of analytics between CAR/Sigma/ES/Splunk that contain coverage for the technique-sub-technique. + + This table is sortable, so feel free to click on any column to sort by its values. Clicking on each of the CAR/Sigma/ES/Splunk results will search the corresponding repository for the analytics that contain coverage for the technique/sub-technique. + + This data is also available as: + + * A [CSV file](/coverage/analytic_coverage_12_30_2022.csv). + * Separate ATT&CK Navigator Layers: + * [CAR Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/car_analytic_coverage_12_30_2022.json). 
+ * [Sigma Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/es_analytic_coverage_12_30_2022.json). + * [ES Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/es_analytic_coverage_12_30_2022.json). + * [Splunk Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/splunk_analytic_coverage_12_30_2022.json). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Technique ID | Technique Name | Sub-technique Name | # CAR | # Sigma | # ES | # Splunk | # Total
T1001Data Obfuscationn/a00000
T1001.001Data ObfuscationJunk Data00000
T1001.002Data ObfuscationSteganography00000
T1001.003Data ObfuscationProtocol Impersonation03014
T1003OS Credential Dumpingn/a023343693
T1003.001OS Credential DumpingLSASS Memory5751014104
T1003.002OS Credential DumpingSecurity Account Manager1285943
T1003.003OS Credential DumpingNTDS2191830
T1003.004OS Credential DumpingLSA Secrets0121013
T1003.005OS Credential DumpingCached Domain Credentials08019
T1003.006OS Credential DumpingDCSync08008
T1003.007OS Credential DumpingProc Filesystem00000
T1003.008OS Credential Dumping/etc/passwd and /etc/shadow00112
T1005Data from Local Systemn/a072110
T1006Direct Volume Accessn/a01102
T1007System Service Discoveryn/a23005
T1008Fallback Channelsn/a02002
T1010Application Window Discoveryn/a11002
T1011Exfiltration Over Other Network Mediumn/a00000
T1011.001Exfiltration Over Other Network MediumExfiltration Over Bluetooth00000
T1012Query Registryn/a3101216
T1014Rootkitn/a01034
T1016System Network Configuration Discoveryn/a283417
T1016.001System Network Configuration DiscoveryInternet Connection Discovery00011
T1018Remote System Discoveryn/a11541838
T1020Automated Exfiltrationn/a051612
T1020.001Automated ExfiltrationTraffic Duplication00011
T1021Remote Servicesn/a13342462
T1021.001Remote ServicesRemote Desktop Protocol3141927
T1021.002Remote ServicesSMB/Windows Admin Shares5336549
T1021.003Remote ServicesDistributed Component Object Model190515
T1021.004Remote ServicesSSH01124
T1021.005Remote ServicesVNC01001
T1021.006Remote ServicesWindows Remote Management390618
T1025Data from Removable Median/a00000
T1026Multiband Communicationn/a00000
T1027Obfuscated Files or Informationn/a0837898
T1027.001Obfuscated Files or InformationBinary Padding03003
T1027.002Obfuscated Files or InformationSoftware Packing01001
T1027.003Obfuscated Files or InformationSteganography05005
T1027.004Obfuscated Files or InformationCompile After Delivery05218
T1027.005Obfuscated Files or InformationIndicator Removal from Tools04026
T1027.006Obfuscated Files or InformationHTML Smuggling00101
T1029Scheduled Transfern/a10001
T1030Data Transfer Size Limitsn/a02002
T1033System Owner/User Discoveryn/a22541041
T1034Path Interceptionn/a00000
T1036Masqueradingn/a127162771
T1036.001MasqueradingInvalid Code Signature00000
T1036.002MasqueradingRight-to-Left Override00000
T1036.003MasqueradingRename System Utilities12122246
T1036.004MasqueradingMasquerade Task or Service02013
T1036.005MasqueradingMatch Legitimate Name or Location191112
T1036.006MasqueradingSpace after Filename01102
T1036.007MasqueradingDouble File Extension02103
T1037Boot or Logon Initialization Scriptsn/a00527
T1037.001Boot or Logon Initialization ScriptsLogon Script (Windows)22015
T1037.002Boot or Logon Initialization ScriptsLogin Hook00000
T1037.003Boot or Logon Initialization ScriptsNetwork Logon Script00000
T1037.004Boot or Logon Initialization ScriptsRC Scripts00213
T1037.005Boot or Logon Initialization ScriptsStartup Items01001
T1039Data from Network Shared Driven/a12014
T1040Network Sniffingn/a182112
T1041Exfiltration Over C2 Channeln/a03014
T1043Commonly Used Portn/a00000
T1046Network Service Discoveryn/a2111014
T1047Windows Management Instrumentationn/a34051462
T1048Exfiltration Over Alternative Protocoln/a076922
T1048.001Exfiltration Over Alternative ProtocolExfiltration Over Symmetric Encrypted Non-C2 Protocol01001
T1048.002Exfiltration Over Alternative ProtocolExfiltration Over Asymmetric Encrypted Non-C2 Protocol00000
T1048.003Exfiltration Over Alternative ProtocolExfiltration Over Unencrypted Non-C2 Protocol0140923
T1049System Network Connections Discoveryn/a181616
T1051Shared Webrootn/a00000
T1052Exfiltration Over Physical Mediumn/a00000
T1052.001Exfiltration Over Physical MediumExfiltration over USB00000
T1053Scheduled Task/Jobn/a011192858
T1053.002Scheduled Task/JobAt380314
T1053.003Scheduled Task/JobCron065617
T1053.004Scheduled Task/JobLaunchd00000
T1053.005Scheduled Task/JobScheduled Task63891568
T1053.006Scheduled Task/JobSystemd Timers00033
T1053.007Scheduled Task/JobContainer Orchestration Job00000
T1055Process Injectionn/a023132662
T1055.001Process InjectionDynamic-link Library Injection280414
T1055.002Process InjectionPortable Executable Injection00022
T1055.003Process InjectionThread Execution Hijacking02002
T1055.004Process InjectionAsynchronous Procedure Call00000
T1055.005Process InjectionThread Local Storage00000
T1055.008Process InjectionPtrace System Calls00000
T1055.009Process InjectionProc Memory00000
T1055.011Process InjectionExtra Window Memory Injection00000
T1055.012Process InjectionProcess Hollowing12205
T1055.013Process InjectionProcess Doppelgänging00000
T1055.014Process InjectionVDSO Hijacking00000
T1055.015Process InjectionListPlanting00000
T1056Input Capturen/a00213
T1056.001Input CaptureKeylogging02002
T1056.002Input CaptureGUI Input Capture03115
T1056.003Input CaptureWeb Portal Capture00000
T1056.004Input CaptureCredential API Hooking00000
T1057Process Discoveryn/a25209
T1059Command and Scripting Interpretern/a1516457173
T1059.001Command and Scripting InterpreterPowerShell3181732223
T1059.002Command and Scripting InterpreterAppleScript02204
T1059.003Command and Scripting InterpreterWindows Command Shell2210932
T1059.004Command and Scripting InterpreterUnix Shell0818329
T1059.005Command and Scripting InterpreterVisual Basic1180423
T1059.006Command and Scripting InterpreterPython02204
T1059.007Command and Scripting InterpreterJavaScript0133420
T1059.008Command and Scripting InterpreterNetwork Device CLI00000
T1061Graphical User Interfacen/a00000
T1062Hypervisorn/a00000
T1064Scriptingn/a00000
T1068Exploitation for Privilege Escalationn/a125181054
T1069Permission Groups Discoveryn/a0152531
T1069.001Permission Groups DiscoveryLocal Groups31411129
T1069.002Permission Groups DiscoveryDomain Groups31021833
T1069.003Permission Groups DiscoveryCloud Groups00011
T1070Indicator Removal on Hostn/a013142350
T1070.001Indicator Removal on HostClear Windows Event Logs283619
T1070.002Indicator Removal on HostClear Linux or Mac System Logs03104
T1070.003Indicator Removal on HostClear Command History172010
T1070.004Indicator Removal on HostFile Deletion01241228
T1070.005Indicator Removal on HostNetwork Share Connection Removal13015
T1070.006Indicator Removal on HostTimestomp05106
T1071Application Layer Protocoln/a06111027
T1071.001Application Layer ProtocolWeb Protocols0293234
T1071.002Application Layer ProtocolFile Transfer Protocols00011
T1071.003Application Layer ProtocolMail Protocols00033
T1071.004Application Layer ProtocolDNS0170421
T1072Software Deployment Toolsn/a03025
T1074Data Stagedn/a02215
T1074.001Data StagedLocal Data Staging04004
T1074.002Data StagedRemote Data Staging00101
T1078Valid Accountsn/a0424051133
T1078.001Valid AccountsDefault Accounts012811
T1078.002Valid AccountsDomain Accounts512614
T1078.003Valid AccountsLocal Accounts515213
T1078.004Valid AccountsCloud Accounts0312832
T1080Taint Shared Contentn/a00202
T1082System Information Discoveryn/a2147528
T1083File and Directory Discoveryn/a0122115
T1087Account Discoveryn/a01242743
T1087.001Account DiscoveryLocal Account21101124
T1087.002Account DiscoveryDomain Account21511937
T1087.003Account DiscoveryEmail Account00000
T1087.004Account DiscoveryCloud Account01001
T1090Proxyn/a0111315
T1090.001ProxyInternal Proxy03003
T1090.002ProxyExternal Proxy01001
T1090.003ProxyMulti-hop Proxy02103
T1090.004ProxyDomain Fronting00000
T1091Replication Through Removable Median/a01001
T1092Communication Through Removable Median/a00000
T1095Non-Application Layer Protocoln/a04127
T1098Account Manipulationn/a122351068
T1098.001Account ManipulationAdditional Cloud Credentials00011
T1098.002Account ManipulationAdditional Email Delegate Permissions00202
T1098.003Account ManipulationAdditional Cloud Roles01326
T1098.004Account ManipulationSSH Authorized Keys00134
T1098.005Account ManipulationDevice Registration00000
T1102Web Servicen/a03126
T1102.001Web ServiceDead Drop Resolver03003
T1102.002Web ServiceBidirectional Communication02002
T1102.003Web ServiceOne-Way Communication02002
T1104Multi-Stage Channelsn/a01001
T1105Ingress Tool Transfern/a44792383
T1106Native APIn/a0126018
T1108Redundant Accessn/a00000
T1110Brute Forcen/a010192554
T1110.001Brute ForcePassword Guessing036312
T1110.002Brute ForcePassword Cracking01001
T1110.003Brute ForcePassword Spraying0861529
T1110.004Brute ForceCredential Stuffing00055
T1111Multi-Factor Authentication Interceptionn/a00101
T1112Modify Registryn/a862525100
T1113Screen Capturen/a061310
T1114Email Collectionn/a043815
T1114.001Email CollectionLocal Email Collection01023
T1114.002Email CollectionRemote Email Collection00134
T1114.003Email CollectionEmail Forwarding Rule00123
T1115Clipboard Datan/a06028
T1119Automated Collectionn/a05005
T1120Peripheral Device Discoveryn/a02103
T1123Audio Capturen/a06107
T1124System Time Discoveryn/a03014
T1125Video Capturen/a01001
T1127Trusted Developer Utilities Proxy Executionn/a0178934
T1127.001Trusted Developer Utilities Proxy ExecutionMSBuild113611
T1129Shared Modulesn/a00101
T1132Data Encodingn/a00000
T1132.001Data EncodingStandard Encoding01001
T1132.002Data EncodingNon-Standard Encoding00000
T1133External Remote Servicesn/a075012
T1134Access Token Manipulationn/a0012517
T1134.001Access Token ManipulationToken Impersonation/Theft071311
T1134.002Access Token ManipulationCreate Process with Token05319
T1134.003Access Token ManipulationMake and Impersonate Token01102
T1134.004Access Token ManipulationParent PID Spoofing01214
T1134.005Access Token ManipulationSID-History Injection01001
T1135Network Share Discoveryn/a073010
T1136Create Accountn/a0171422
T1136.001Create AccountLocal Account1122520
T1136.002Create AccountDomain Account02002
T1136.003Create AccountCloud Account0221014
T1137Office Application Startupn/a06208
T1137.001Office Application StartupOffice Template Macros00000
T1137.002Office Application StartupOffice Test01001
T1137.003Office Application StartupOutlook Forms01001
T1137.004Office Application StartupOutlook Home Page00000
T1137.005Office Application StartupOutlook Rules00000
T1137.006Office Application StartupAdd-ins03003
T1140Deobfuscate/Decode Files or Informationn/a1136222
T1149LC_MAIN Hijackingn/a00000
T1153Sourcen/a00000
T1175Component Object Model and Distributed COMn/a00000
T1176Browser Extensionsn/a01001
T1185Browser Session Hijackingn/a01001
T1187Forced Authenticationn/a13015
T1189Drive-by Compromisen/a02158
T1190Exploit Public-Facing Applicationn/a0741531120
T1195Supply Chain Compromisen/a01438
T1195.001Supply Chain CompromiseCompromise Software Dependencies and Development Tools01023
T1195.002Supply Chain CompromiseCompromise Software Supply Chain00415
T1195.003Supply Chain CompromiseCompromise Hardware Supply Chain00000
T1197BITS Jobsn/a2161625
T1199Trusted Relationshipn/a01023
T1200Hardware Additionsn/a02057
T1201Password Policy Discoveryn/a040711
T1202Indirect Command Executionn/a0280432
T1203Exploitation for Client Executionn/a0212427
T1204User Executionn/a0871530
T1204.001User ExecutionMalicious Link02013
T1204.002User ExecutionMalicious File1263434
T1204.003User ExecutionMalicious Image00077
T1205Traffic Signalingn/a00000
T1205.001Traffic SignalingPort Knocking00000
T1207Rogue Domain Controllern/a01001
T1210Exploitation of Remote Servicesn/a081312
T1211Exploitation for Defense Evasionn/a03104
T1212Exploitation for Credential Accessn/a081211
T1213Data from Information Repositoriesn/a00011
T1213.001Data from Information RepositoriesConfluence00000
T1213.002Data from Information RepositoriesSharepoint00000
T1213.003Data from Information RepositoriesCode Repositories00000
T1216System Script Proxy Executionn/a0170118
T1216.001System Script Proxy ExecutionPubPrn02002
T1217Browser Bookmark Discoveryn/a03003
T1218System Binary Proxy Executionn/a0941870182
T1218.001System Binary Proxy ExecutionCompiled HTML File151815
T1218.002System Binary Proxy ExecutionControl Panel01113
T1218.003System Binary Proxy ExecutionCMSTP170311
T1218.004System Binary Proxy ExecutionInstallUtil001910
T1218.005System Binary Proxy ExecutionMshta0841224
T1218.007System Binary Proxy ExecutionMsiexec090918
T1218.008System Binary Proxy ExecutionOdbcconf01045
T1218.009System Binary Proxy ExecutionRegsvcs/Regasm01168
T1218.010System Binary Proxy ExecutionRegsvr322162626
T1218.011System Binary Proxy ExecutionRundll3213231652
T1218.012System Binary Proxy ExecutionVerclsid00011
T1218.013System Binary Proxy ExecutionMavinject02013
T1218.014System Binary Proxy ExecutionMMC00033
T1219Remote Access Softwaren/a0283334
T1220XSL Script Processingn/a03328
T1221Template Injectionn/a01001
T1222File and Directory Permissions Modificationn/a0041115
T1222.001File and Directory Permissions ModificationWindows File and Directory Permissions Modification14027
T1222.002File and Directory Permissions ModificationLinux and Mac File and Directory Permissions Modification14117
T1480Execution Guardrailsn/a00000
T1480.001Execution GuardrailsEnvironmental Keying00000
T1482Domain Trust Discoveryn/a01321126
T1484Domain Policy Modificationn/a02428
T1484.001Domain Policy ModificationGroup Policy Modification02002
T1484.002Domain Policy ModificationDomain Trust Modification00123
T1485Data Destructionn/a01081937
T1486Data Encrypted for Impactn/a0101718
T1489Service Stopn/a0761427
T1490Inhibit System Recoveryn/a21861238
T1491Defacementn/a00022
T1491.001DefacementInternal Defacement02002
T1491.002DefacementExternal Defacement00000
T1495Firmware Corruptionn/a01001
T1496Resource Hijackingn/a04105
T1497Virtualization/Sandbox Evasionn/a00112
T1497.001Virtualization/Sandbox EvasionSystem Checks01001
T1497.002Virtualization/Sandbox EvasionUser Activity Based Checks00000
T1497.003Virtualization/Sandbox EvasionTime Based Evasion00011
T1498Network Denial of Servicen/a00178
T1498.001Network Denial of ServiceDirect Network Flood00000
T1498.002Network Denial of ServiceReflection Amplification00011
T1499Endpoint Denial of Servicen/a01113
T1499.001Endpoint Denial of ServiceOS Exhaustion Flood01001
T1499.002Endpoint Denial of ServiceService Exhaustion Flood00000
T1499.003Endpoint Denial of ServiceApplication Exhaustion Flood00000
T1499.004Endpoint Denial of ServiceApplication or System Exploitation03003
T1505Server Software Componentn/a012710
T1505.001Server Software ComponentSQL Stored Procedures00000
T1505.002Server Software ComponentTransport Agent03003
T1505.003Server Software ComponentWeb Shell1272737
T1505.004Server Software ComponentIIS Components00000
T1505.005Server Software ComponentTerminal Services DLL01001
T1518Software Discoveryn/a02305
T1518.001Software DiscoverySecurity Software Discovery14207
T1525Implant Internal Imagen/a01001
T1526Cloud Service Discoveryn/a021710
T1528Steal Application Access Tokenn/a0103013
T1529System Shutdown/Rebootn/a06039
T1530Data from Cloud Storage Objectn/a005611
T1531Account Access Removaln/a039416
T1534Internal Spearphishingn/a00000
T1535Unused/Unsupported Cloud Regionsn/a00088
T1537Transfer Data to Cloud Accountn/a046212
T1538Cloud Service Dashboardn/a00000
T1539Steal Web Session Cookien/a02305
T1542Pre-OS Bootn/a00011
T1542.001Pre-OS BootSystem Firmware02002
T1542.002Pre-OS BootComponent Firmware00000
T1542.003Pre-OS BootBootkit01001
T1542.004Pre-OS BootROMMONkit00000
T1542.005Pre-OS BootTFTP Boot00011
T1543Create or Modify System Processn/a09281653
T1543.001Create or Modify System ProcessLaunch Agent00325
T1543.002Create or Modify System ProcessSystemd Service02103
T1543.003Create or Modify System ProcessWindows Service640101470
T1543.004Create or Modify System ProcessLaunch Daemon00000
T1546Event Triggered Executionn/a09151539
T1546.001Event Triggered ExecutionChange Default File Association13037
T1546.002Event Triggered ExecutionScreensaver14117
T1546.003Event Triggered ExecutionWindows Management Instrumentation Event Subscription1121317
T1546.004Event Triggered ExecutionUnix Shell Configuration Modification01124
T1546.005Event Triggered ExecutionTrap00000
T1546.006Event Triggered ExecutionLC_LOAD_DYLIB Addition00000
T1546.007Event Triggered ExecutionNetsh Helper DLL02002
T1546.008Event Triggered ExecutionAccessibility Features371112
T1546.009Event Triggered ExecutionAppCert DLLs02103
T1546.010Event Triggered ExecutionAppInit DLLs21104
T1546.011Event Triggered ExecutionApplication Shimming02237
T1546.012Event Triggered ExecutionImage File Execution Options Injection02125
T1546.013Event Triggered ExecutionPowerShell Profile03104
T1546.014Event Triggered ExecutionEmond01203
T1546.015Event Triggered ExecutionComponent Object Model Hijacking191415
T1547Boot or Logon Autostart Executionn/a06241646
T1547.001Boot or Logon Autostart ExecutionRegistry Run Keys / Startup Folder4319246
T1547.002Boot or Logon Autostart ExecutionAuthentication Package01203
T1547.003Boot or Logon Autostart ExecutionTime Providers01113
T1547.004Boot or Logon Autostart ExecutionWinlogon Helper DLL23005
T1547.005Boot or Logon Autostart ExecutionSecurity Support Provider01113
T1547.006Boot or Logon Autostart ExecutionKernel Modules and Extensions01438
T1547.007Boot or Logon Autostart ExecutionRe-opened Applications00000
T1547.008Boot or Logon Autostart ExecutionLSASS Driver01012
T1547.009Boot or Logon Autostart ExecutionShortcut Modification04004
T1547.010Boot or Logon Autostart ExecutionPort Monitors14117
T1547.012Boot or Logon Autostart ExecutionPrint Processors00077
T1547.013Boot or Logon Autostart ExecutionXDG Autostart Entries00000
T1547.014Boot or Logon Autostart ExecutionActive Setup01012
T1547.015Boot or Logon Autostart ExecutionLogin Items00000
T1548Abuse Elevation Control Mechanismn/a117235192
T1548.001Abuse Elevation Control MechanismSetuid and Setgid01236
T1548.002Abuse Elevation Control MechanismBypass User Account Control348111375
T1548.003Abuse Elevation Control MechanismSudo and Sudo Caching0243238
T1548.004Abuse Elevation Control MechanismElevated Execution with Prompt00101
T1550Use Alternate Authentication Materialn/a036918
T1550.001Use Alternate Authentication MaterialApplication Access Token03508
T1550.002Use Alternate Authentication MaterialPass the Hash15039
T1550.003Use Alternate Authentication MaterialPass the Ticket03137
T1550.004Use Alternate Authentication MaterialWeb Session Cookie00000
T1552Unsecured Credentialsn/a057517
T1552.001Unsecured CredentialsCredentials In Files1142118
T1552.002Unsecured CredentialsCredentials in Registry13037
T1552.003Unsecured CredentialsBash History03003
T1552.004Unsecured CredentialsPrivate Keys05117
T1552.005Unsecured CredentialsCloud Instance Metadata API00000
T1552.006Unsecured CredentialsGroup Policy Preferences04004
T1552.007Unsecured CredentialsContainer API02002
T1553Subvert Trust Controlsn/a02529
T1553.001Subvert Trust ControlsGatekeeper Bypass01001
T1553.002Subvert Trust ControlsCode Signing01102
T1553.003Subvert Trust ControlsSIP and Trust Provider Hijacking01102
T1553.004Subvert Trust ControlsInstall Root Certificate152210
T1553.005Subvert Trust ControlsMark-of-the-Web Bypass03003
T1553.006Subvert Trust ControlsCode Signing Policy Modification00000
T1554Compromise Client Software Binaryn/a03227
T1555Credentials from Password Storesn/a049417
T1555.001Credentials from Password StoresKeychain01405
T1555.002Credentials from Password StoresSecurityd Memory00000
T1555.003Credentials from Password StoresCredentials from Web Browsers02237
T1555.004Credentials from Password StoresWindows Credential Manager04206
T1555.005Credentials from Password StoresPassword Managers01012
T1556Modify Authentication Processn/a029516
T1556.001Modify Authentication ProcessDomain Controller Authentication00000
T1556.002Modify Authentication ProcessPassword Filter DLL03003
T1556.003Modify Authentication ProcessPluggable Authentication Modules00000
T1556.004Modify Authentication ProcessNetwork Device Authentication00000
T1556.005Modify Authentication ProcessReversible Encryption00000
T1557Adversary-in-the-Middlen/a01045
T1557.001Adversary-in-the-MiddleLLMNR/NBT-NS Poisoning and SMB Relay07007
T1557.002Adversary-in-the-MiddleARP Cache Poisoning00033
T1557.003Adversary-in-the-MiddleDHCP Spoofing00000
T1558Steal or Forge Kerberos Ticketsn/a0391830
T1558.001Steal or Forge Kerberos TicketsGolden Ticket00011
T1558.002Steal or Forge Kerberos TicketsSilver Ticket00000
T1558.003Steal or Forge Kerberos TicketsKerberoasting0111820
T1558.004Steal or Forge Kerberos TicketsAS-REP Roasting00077
T1559Inter-Process Communicationn/a01203
T1559.001Inter-Process CommunicationComponent Object Model04116
T1559.002Inter-Process CommunicationDynamic Data Exchange11002
T1559.003Inter-Process CommunicationXPC Services00000
T1560Archive Collected Datan/a022610
T1560.001Archive Collected DataArchive via Utility1122621
T1560.002Archive Collected DataArchive via Library00000
T1560.003Archive Collected DataArchive via Custom Method00000
T1561Disk Wipen/a00022
T1561.001Disk WipeDisk Content Wipe01001
T1561.002Disk WipeDisk Structure Wipe01023
T1562Impair Defensesn/a0177762156
T1562.001Impair DefensesDisable or Modify Tools3743945161
T1562.002Impair DefensesDisable Windows Event Logging1122015
T1562.003Impair DefensesImpair Command History Logging00000
T1562.004Impair DefensesDisable or Modify System Firewall0134522
T1562.006Impair DefensesIndicator Blocking243110
T1562.007Impair DefensesDisable or Modify Cloud Firewall00369
T1562.008Impair DefensesDisable Cloud Logs00066
T1562.009Impair DefensesSafe Mode Boot00000
T1562.010Impair DefensesDowngrade Attack01001
T1563Remote Service Session Hijackingn/a00000
T1563.001Remote Service Session HijackingSSH Hijacking00000
T1563.002Remote Service Session HijackingRDP Hijacking02002
T1564Hide Artifactsn/a067114
T1564.001Hide ArtifactsHidden Files and Directories085215
T1564.002Hide ArtifactsHidden Users04004
T1564.003Hide ArtifactsHidden Window02002
T1564.004Hide ArtifactsNTFS File Attributes2192023
T1564.005Hide ArtifactsHidden File System00000
T1564.006Hide ArtifactsRun Virtual Instance02002
T1564.007Hide ArtifactsVBA Stomping00000
T1564.008Hide ArtifactsEmail Hiding Rules00000
T1564.009Hide ArtifactsResource Forking00000
T1564.010Hide ArtifactsProcess Argument Spoofing00000
T1565Data Manipulationn/a03306
T1565.001Data ManipulationStored Data Manipulation03306
T1565.002Data ManipulationTransmitted Data Manipulation01001
T1565.003Data ManipulationRuntime Data Manipulation00000
T1566Phishingn/a09173359
T1566.001PhishingSpearphishing Attachment015112955
T1566.002PhishingSpearphishing Link018110
T1566.003PhishingSpearphishing via Service00011
T1567Exfiltration Over Web Servicen/a071210
T1567.001Exfiltration Over Web ServiceExfiltration to Code Repository03003
T1567.002Exfiltration Over Web ServiceExfiltration to Cloud Storage07018
T1568Dynamic Resolutionn/a01304
T1568.001Dynamic ResolutionFast Flux DNS00000
T1568.002Dynamic ResolutionDomain Generation Algorithms02316
T1568.003Dynamic ResolutionDNS Calculation00000
T1569System Servicesn/a043512
T1569.001System ServicesLaunchctl10001
T1569.002System ServicesService Execution4403552
T1570Lateral Tool Transfern/a32106
T1571Non-Standard Portn/a03104
T1572Protocol Tunnelingn/a0125320
T1573Encrypted Channeln/a04127
T1573.001Encrypted ChannelSymmetric Cryptography00000
T1573.002Encrypted ChannelAsymmetric Cryptography00000
T1574Hijack Execution Flown/a0891128
T1574.001Hijack Execution FlowDLL Search Order Hijacking1221428
T1574.002Hijack Execution FlowDLL Side-Loading0422549
T1574.004Hijack Execution FlowDylib Hijacking00000
T1574.005Hijack Execution FlowExecutable Installer File Permissions Weakness01001
T1574.006Hijack Execution FlowDynamic Linker Hijacking02316
T1574.007Hijack Execution FlowPath Interception by PATH Environment Variable11305
T1574.008Hijack Execution FlowPath Interception by Search Order Hijacking11002
T1574.009Hijack Execution FlowPath Interception by Unquoted Path20013
T1574.010Hijack Execution FlowServices File Permissions Weakness20103
T1574.011Hijack Execution FlowServices Registry Permissions Weakness490215
T1574.012Hijack Execution FlowCOR_PROFILER02002
T1574.013Hijack Execution FlowKernelCallbackTable00000
T1578Modify Cloud Compute Infrastructuren/a01203
T1578.001Modify Cloud Compute InfrastructureCreate Snapshot00000
T1578.002Modify Cloud Compute InfrastructureCreate Cloud Instance00000
T1578.003Modify Cloud Compute InfrastructureDelete Cloud Instance01001
T1578.004Modify Cloud Compute InfrastructureRevert Cloud Instance00101
T1580Cloud Infrastructure Discoveryn/a00022
T1583Acquire Infrastructuren/a00000
T1583.001Acquire InfrastructureDomains00000
T1583.002Acquire InfrastructureDNS Server00000
T1583.003Acquire InfrastructureVirtual Private Server00000
T1583.004Acquire InfrastructureServer00000
T1583.005Acquire InfrastructureBotnet00000
T1583.006Acquire InfrastructureWeb Services00000
T1584Compromise Infrastructuren/a02002
T1584.001Compromise InfrastructureDomains00000
T1584.002Compromise InfrastructureDNS Server00000
T1584.003Compromise InfrastructureVirtual Private Server00000
T1584.004Compromise InfrastructureServer00000
T1584.005Compromise InfrastructureBotnet00000
T1584.006Compromise InfrastructureWeb Services00000
T1585Establish Accountsn/a00000
T1585.001Establish AccountsSocial Media Accounts00000
T1585.002Establish AccountsEmail Accounts00000
T1586Compromise Accountsn/a0002626
T1586.001Compromise AccountsSocial Media Accounts00000
T1586.002Compromise AccountsEmail Accounts00000
T1587Develop Capabilitiesn/a05005
T1587.001Develop CapabilitiesMalware0100010
T1587.002Develop CapabilitiesCode Signing Certificates00000
T1587.003Develop CapabilitiesDigital Certificates00022
T1587.004Develop CapabilitiesExploits00000
T1588Obtain Capabilitiesn/a02103
T1588.001Obtain CapabilitiesMalware01001
T1588.002Obtain CapabilitiesTool07029
T1588.003Obtain CapabilitiesCode Signing Certificates00000
T1588.004Obtain CapabilitiesDigital Certificates00022
T1588.005Obtain CapabilitiesExploits00000
T1588.006Obtain CapabilitiesVulnerabilities00000
T1589Gather Victim Identity Informationn/a01023
T1589.001Gather Victim Identity InformationCredentials00011
T1589.002Gather Victim Identity InformationEmail Addresses00011
T1589.003Gather Victim Identity InformationEmployee Names00000
T1590Gather Victim Network Informationn/a02024
T1590.001Gather Victim Network InformationDomain Properties00000
T1590.002Gather Victim Network InformationDNS00000
T1590.003Gather Victim Network InformationNetwork Trust Dependencies00000
T1590.004Gather Victim Network InformationNetwork Topology00000
T1590.005Gather Victim Network InformationIP Addresses00022
T1590.006Gather Victim Network InformationNetwork Security Appliances00000
T1591Gather Victim Org Informationn/a00000
T1591.001Gather Victim Org InformationDetermine Physical Locations00000
T1591.002Gather Victim Org InformationBusiness Relationships00000
T1591.003Gather Victim Org InformationIdentify Business Tempo00000
T1591.004Gather Victim Org InformationIdentify Roles00000
T1592Gather Victim Host Informationn/a01056
T1592.001Gather Victim Host InformationHardware00011
T1592.002Gather Victim Host InformationSoftware00000
T1592.003Gather Victim Host InformationFirmware00000
T1592.004Gather Victim Host InformationClient Configurations03003
T1593Search Open Websites/Domainsn/a00000
T1593.001Search Open Websites/DomainsSocial Media00000
T1593.002Search Open Websites/DomainsSearch Engines00000
T1594Search Victim-Owned Websitesn/a00000
T1595Active Scanningn/a00011
T1595.001Active ScanningScanning IP Blocks00000
T1595.002Active ScanningVulnerability Scanning01001
T1595.003Active ScanningWordlist Scanning00000
T1596Search Open Technical Databasesn/a00000
T1596.001Search Open Technical DatabasesDNS/Passive DNS00000
T1596.002Search Open Technical DatabasesWHOIS00000
T1596.003Search Open Technical DatabasesDigital Certificates00000
T1596.004Search Open Technical DatabasesCDNs00000
T1596.005Search Open Technical DatabasesScan Databases00000
T1597Search Closed Sourcesn/a00000
T1597.001Search Closed SourcesThreat Intel Vendors00000
T1597.002Search Closed SourcesPurchase Technical Data00000
T1598Phishing for Informationn/a00000
T1598.001Phishing for InformationSpearphishing Service00000
T1598.002Phishing for InformationSpearphishing Attachment00000
T1598.003Phishing for InformationSpearphishing Link00000
T1599Network Boundary Bridgingn/a00000
T1599.001Network Boundary BridgingNetwork Address Translation Traversal01001
T1600Weaken Encryptionn/a00000
T1600.001Weaken EncryptionReduce Key Space00000
T1600.002Weaken EncryptionDisable Crypto Hardware00000
T1601Modify System Imagen/a00000
T1601.001Modify System ImagePatch System Image00000
T1601.002Modify System ImageDowngrade System Image00000
T1602Data from Configuration Repositoryn/a00000
T1602.001Data from Configuration RepositorySNMP (MIB Dump)00000
T1602.002Data from Configuration RepositoryNetwork Device Configuration Dump00000
T1606Forge Web Credentialsn/a00000
T1606.001Forge Web CredentialsWeb Cookies00000
T1606.002Forge Web CredentialsSAML Tokens10001
T1608Stage Capabilitiesn/a01001
T1608.001Stage CapabilitiesUpload Malware00000
T1608.002Stage CapabilitiesUpload Tool00000
T1608.003Stage CapabilitiesInstall Digital Certificate00000
T1608.004Stage CapabilitiesDrive-by Target00000
T1608.005Stage CapabilitiesLink Target00000
T1609Container Administration Commandn/a00101
T1610Deploy Containern/a00606
T1611Escape to Hostn/a00606
T1612Build Image on Hostn/a00000
T1613Container and Resource Discoveryn/a00202
T1614System Location Discoveryn/a00101
T1614.001System Location DiscoverySystem Language Discovery01001
T1615Group Policy Discoveryn/a04004
T1619Cloud Storage Object Discoveryn/a00000
T1620Reflective Code Loadingn/a01001
T1621Multi-Factor Authentication Request Generationn/a00077
T1622Debugger Evasionn/a00000
T1647Plist File Modificationn/a00213
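Review bot: the parent-technique rows in this table evidently count only analytics tagged directly with the parent ID and do not roll up their sub-techniques, but nothing in the hunk says so: T1599 (Network Boundary Bridging) reads 00000 while T1599.001 reads 01001, and T1588 (Obtain Capabilities) reads 02103 while T1588.002 alone reads 07029. If direct-tag counting is the intent, say so in the table's legend or header so readers do not mistake a 0 on a parent row for no coverage of that technique; if parents are meant to include their sub-techniques, the parent rows need recomputing. Also, the generator leaves the file without a trailing newline (`\ No newline at end of file`); emitting one avoids churn on the last row in every future regeneration.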
\ No newline at end of file diff --git a/docs/coverage/car_analytic_coverage_12_30_2022.json b/docs/coverage/car_analytic_coverage_12_30_2022.json new file mode 100644 index 00000000..2efa52aa --- /dev/null +++ b/docs/coverage/car_analytic_coverage_12_30_2022.json 
@@ -0,0 +1 @@ +{"versions": {"attack": "10", "navigator": "4.4", "layer": "4.3"}, "domain": "enterprise-attack", "description": "A comparison of Technique/Sub-technique coverage across the car GitHub repository. Generated on December 30, 2022.", "filters": {"platforms": ["Linux", "macOS", "Windows", "Network"]}, "sorting": 0, "layout": {"layout": "side", "showID": false, "showName": true}, "hideDisabled": false, "techniques": [{"techniqueID": "T1552.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1087.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1049", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1059", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1140", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1016", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1069.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1518.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1040", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1018", "color": "#ccccff", "comment": "", "enabled": true, "metadata": 
[{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1136.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1046", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1562.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1197", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1204.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1036.005", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1105", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1505.003", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1490", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1070.003", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1057", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1082", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", 
"value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1033", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1553.004", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1560.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1098", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1021.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1021.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1569.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1187", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1068", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1021.006", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1087.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1003.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], 
"showSubtechniques": false}, {"techniqueID": "T1003.003", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1053.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1547.004", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1003.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1047", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1548", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1036.003", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1222.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1562.006", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1059.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1059.003", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1021.003", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], 
"showSubtechniques": false}, {"techniqueID": "T1547.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1546.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1548.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1574.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1543.003", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1546.003", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.011", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1069.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1059.005", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1574.011", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1053.005", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1546.015", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], 
"showSubtechniques": false}, {"techniqueID": "T1070.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1070.005", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1564.004", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1218.003", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1562.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1112", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1547.010", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1559.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1037.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1546.010", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1546.008", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1546.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], 
"showSubtechniques": false}, {"techniqueID": "T1055.012", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1055.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1218.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.010", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1574.008", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1021", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1036", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1012", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1570", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1039", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1007", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1222.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, 
{"techniqueID": "T1574.007", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1552.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1010", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1550.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1078.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1078.003", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1127.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1606.002", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1569.001", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1574.010", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1029", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1574.009", "color": "#ccccff", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}], "gradient": 
{"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "metadata": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "selectSubtechniquesWithParent": false, "name": "ATT&CK Analytic Coverage - CAR"} \ No newline at end of file diff --git a/docs/coverage/es_analytic_coverage_12_30_2022.json b/docs/coverage/es_analytic_coverage_12_30_2022.json new file mode 100644 index 00000000..381e3ec5 --- /dev/null +++ b/docs/coverage/es_analytic_coverage_12_30_2022.json 
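Review bot: the car layer above declares `"attack": "10"`, yet it was generated on December 30, 2022 and the coverage table in this patch lists T1621, T1622 and T1647, which only exist from ATT&CK v11 onward, so the version stamp is stale; the generator should write the ATT&CK release it actually resolved the IDs against, otherwise Navigator warns on load and maps the IDs against the wrong release. The same `"attack": "10"` and the same `"platforms": ["Linux", "macOS", "Windows", "Network"]` filter are copied into the es layer below, where the filter silently hides that layer's cloud-only entries (T1078.004, T1526, T1578, T1098.003); either add the cloud and container platforms or drop the filter. Two smaller points: `"Analytic Count"` is stored only in `metadata` while every entry gets the same flat `"color": "#ccccff"`, so the declared `gradient` (0 to 100) never drives anything and T1112 with 8 analytics renders identically to T1552.001 with 1; putting the count in `score` would make the gradient show coverage density. And, as with the table, the generated file has no trailing newline.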
@@ -0,0 +1 @@ +{"versions": {"attack": "10", "navigator": "4.4", "layer": "4.3"}, "domain": "enterprise-attack", "description": "A comparison of Technique/Sub-technique coverage across the es GitHub repository. Generated on December 30, 2022.", "filters": {"platforms": ["Linux", "macOS", "Windows", "Network"]}, "sorting": 0, "layout": {"layout": "side", "showID": false, "showName": true}, "hideDisabled": false, "techniques": [{"techniqueID": "T1546.014", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1059.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1552.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1070.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1049", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1070.006", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1059", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "64"}], "showSubtechniques": false}, {"techniqueID": "T1204", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1140", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1016", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": 
[{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1027", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1069.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1518.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1040", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1036.006", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1018", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1136.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1046", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1056.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1562.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "39"}], "showSubtechniques": false}, {"techniqueID": "T1555.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1566", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic 
Count", "value": "17"}], "showSubtechniques": false}, {"techniqueID": "T1566.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1553", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1113", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1083", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1053.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1071.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1197", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1203", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1005", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1528", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1189", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1204.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], 
"showSubtechniques": false}, {"techniqueID": "T1036.005", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1190", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "15"}], "showSubtechniques": false}, {"techniqueID": "T1110", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "19"}], "showSubtechniques": false}, {"techniqueID": "T1105", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1568", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1566.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1505.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1565.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1490", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1505", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1053", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "19"}], "showSubtechniques": false}, {"techniqueID": "T1070.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, 
{"techniqueID": "T1057", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1082", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1033", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1553.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1552.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1070.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1074", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1560.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1098", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "35"}], "showSubtechniques": false}, {"techniqueID": "T1021.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1021.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1095", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1571", 
"color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1569.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1496", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1068", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "18"}], "showSubtechniques": false}, {"techniqueID": "T1210", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1087.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1558.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1048", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1003.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1003.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1003.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1003.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1047", "color": "#ccffe7", 
"comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1567", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1548", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "23"}], "showSubtechniques": false}, {"techniqueID": "T1562.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1212", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1036.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1485", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1546.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1222.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1106", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1123", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1562.006", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1543.002", "color": "#ccffe7", "comment": "", "enabled": 
true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1059.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "18"}], "showSubtechniques": false}, {"techniqueID": "T1547.006", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1574.006", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1564.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "34"}], "showSubtechniques": false}, {"techniqueID": "T1499", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1548.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1090", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1548.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1568.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1572", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1102", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": 
[{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1078", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "40"}], "showSubtechniques": false}, {"techniqueID": "T1078.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1556", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1578", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1562", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "77"}], "showSubtechniques": false}, {"techniqueID": "T1552", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1526", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1098.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1484", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1531", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1565", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1114", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], 
"showSubtechniques": false}, {"techniqueID": "T1020", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1573", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1537", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1136.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1486", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1550", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1550.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1059.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1136", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1087", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1055", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "13"}], "showSubtechniques": false}, {"techniqueID": "T1588", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, 
{"techniqueID": "T1219", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1558", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1134.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1218", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "18"}], "showSubtechniques": false}, {"techniqueID": "T1546.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1548.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1547", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "24"}], "showSubtechniques": false}, {"techniqueID": "T1574.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1543.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1137", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1546", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "15"}], "showSubtechniques": false}, {"techniqueID": "T1564", 
"color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1027.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1546.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.011", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1574.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1036.007", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.013", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1195", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1574", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1482", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1069.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1059.007", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1133", "color": "#ccffe7", 
"comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1070", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "14"}], "showSubtechniques": false}, {"techniqueID": "T1555.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1555.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1053.005", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1555", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1560", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1546.015", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1518", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1070.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1069", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1564.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1110.001", "color": "#ccffe7", "comment": "", "enabled": 
true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1120", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1559.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1562.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1071", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1220", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1006", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1112", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1546.012", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.009", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.010", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.011", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": 
[{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1553.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.010", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.008", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.005", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1055.012", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1218.005", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1127", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1134.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1218.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.010", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1569", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1021", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic 
Count", "value": "34"}], "showSubtechniques": false}, {"techniqueID": "T1090.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1036", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "16"}], "showSubtechniques": false}, {"techniqueID": "T1550.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1135", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1012", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1570", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1559", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1539", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1489", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1574.007", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1547.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1134.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], 
"showSubtechniques": false}, {"techniqueID": "T1218.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1059.006", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1134.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.009", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1211", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1543", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "28"}], "showSubtechniques": false}, {"techniqueID": "T1554", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1110.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1553.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1078.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1078.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1078.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], 
"showSubtechniques": false}, {"techniqueID": "T1021.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1127.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1574.010", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1098.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1647", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1543.001", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1056", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1037", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1497", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1548.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1530", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1222", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, 
{"techniqueID": "T1562.007", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1484.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1080", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1098.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1114.003", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1074.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1498", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1111", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1578.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1611", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1610", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1613", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1609", 
"color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1134", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1037.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1003.008", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1195.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1614", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1129", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1027.006", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.004", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1114.002", "color": "#ccffe7", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}], "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "metadata": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "selectSubtechniquesWithParent": false, "name": "ATT&CK Analytic Coverage - ES"} \ No newline at end of file 
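Review bot: the `gradient` block closing this layer (`"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100`) has no effect as written, because the Navigator applies the gradient through a technique's `score` field, and every technique entry shown in this hunk carries a fixed `"color": "#ccffe7"` plus an `Analytic Count` metadata string with no `score`; either set `score` to the analytic count so the legend actually reflects coverage density, or drop the gradient and give `legendItems` (currently `[]`) an entry saying what `#ccffe7` denotes. Minor: the file is one minified line and ends with `\ No newline at end of file`; pretty-printing the JSON and adding the trailing newline would let future regenerations of this layer be reviewed entry by entry instead of as a single changed line.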
diff --git a/docs/coverage/sigma_analytic_coverage_12_30_2022.json b/docs/coverage/sigma_analytic_coverage_12_30_2022.json new file mode 100644 index 00000000..8a1f5bcd --- /dev/null +++ b/docs/coverage/sigma_analytic_coverage_12_30_2022.json 
@@ -0,0 +1 @@ +{"versions": {"attack": "10", "navigator": "4.4", "layer": "4.3"}, "domain": "enterprise-attack", "description": "A comparison of Technique/Sub-technique coverage across the sigma GitHub repository. Generated on December 30, 2022.", "filters": {"platforms": ["Linux", "macOS", "Windows", "Network"]}, "sorting": 0, "layout": {"layout": "side", "showID": false, "showName": true}, "hideDisabled": false, "techniques": [{"techniqueID": "T1037.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.014", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1059.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1552.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "14"}], "showSubtechniques": false}, {"techniqueID": "T1087.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1070.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1049", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1070.006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1059", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "51"}], "showSubtechniques": false}, {"techniqueID": "T1204", "color": "#ffcccc", "comment": "", "enabled": true, 
"metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1140", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "13"}], "showSubtechniques": false}, {"techniqueID": "T1016", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1564.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1553.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1027", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "83"}], "showSubtechniques": false}, {"techniqueID": "T1069.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "14"}], "showSubtechniques": false}, {"techniqueID": "T1030", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1529", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1027.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1518.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1040", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1036.006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": 
"Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1018", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "15"}], "showSubtechniques": false}, {"techniqueID": "T1136.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1552.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1046", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1056.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1562.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "74"}], "showSubtechniques": false}, {"techniqueID": "T1555.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1566", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1566.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1204.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1553", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1113", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", 
"value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1083", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1053.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1071.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "29"}], "showSubtechniques": false}, {"techniqueID": "T1102.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1102.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1102.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1197", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "16"}], "showSubtechniques": false}, {"techniqueID": "T1203", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "21"}], "showSubtechniques": false}, {"techniqueID": "T1005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1119", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1528", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1189", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], 
"showSubtechniques": false}, {"techniqueID": "T1204.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "26"}], "showSubtechniques": false}, {"techniqueID": "T1036.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1567.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1190", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "74"}], "showSubtechniques": false}, {"techniqueID": "T1110", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1105", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "47"}], "showSubtechniques": false}, {"techniqueID": "T1568", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1566.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "15"}], "showSubtechniques": false}, {"techniqueID": "T1590", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1505.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "27"}], "showSubtechniques": false}, {"techniqueID": "T1499.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1495", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": 
false}, {"techniqueID": "T1565.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1490", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "18"}], "showSubtechniques": false}, {"techniqueID": "T1505", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1565.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1053", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1070.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1201", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1057", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1082", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "14"}], "showSubtechniques": false}, {"techniqueID": "T1033", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "25"}], "showSubtechniques": false}, {"techniqueID": "T1124", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1553.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": 
"T1552.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1070.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1561.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1561.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1074", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1560.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1098", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "22"}], "showSubtechniques": false}, {"techniqueID": "T1048.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "14"}], "showSubtechniques": false}, {"techniqueID": "T1071.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "17"}], "showSubtechniques": false}, {"techniqueID": "T1041", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1021.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "33"}], "showSubtechniques": false}, {"techniqueID": "T1021.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "14"}], "showSubtechniques": false}, {"techniqueID": "T1095", 
"color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1571", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1569.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "40"}], "showSubtechniques": false}, {"techniqueID": "T1496", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1557.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1187", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1068", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "25"}], "showSubtechniques": false}, {"techniqueID": "T1021.006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1210", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1087.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "15"}], "showSubtechniques": false}, {"techniqueID": "T1558.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1048", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1003.002", "color": "#ffcccc", 
"comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "28"}], "showSubtechniques": false}, {"techniqueID": "T1003.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1003.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "19"}], "showSubtechniques": false}, {"techniqueID": "T1053.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1547.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1003.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "75"}], "showSubtechniques": false}, {"techniqueID": "T1047", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "40"}], "showSubtechniques": false}, {"techniqueID": "T1595.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1567", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1548", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "17"}], "showSubtechniques": false}, {"techniqueID": "T1589", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1562.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "13"}], "showSubtechniques": false}, {"techniqueID": "T1212", "color": "#ffcccc", "comment": "", 
"enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1588.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1036.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "21"}], "showSubtechniques": false}, {"techniqueID": "T1115", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1485", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1546.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1222.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1027.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1106", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1123", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1562.006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1543.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1059.004", "color": "#ffcccc", "comment": "", "enabled": true, 
"metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1547.006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1574.006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1587", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1584", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1564.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "23"}], "showSubtechniques": false}, {"techniqueID": "T1056.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1499", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1592.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1548.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1090", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1014", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": 
"Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1548.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1568.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1572", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1102", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1078", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "42"}], "showSubtechniques": false}, {"techniqueID": "T1078.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1556", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1578", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1562", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "17"}], "showSubtechniques": false}, {"techniqueID": "T1552", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1087.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1526", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], 
"showSubtechniques": false}, {"techniqueID": "T1578.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1098.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1552.007", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1484", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1531", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1565", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1114", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1020", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1573", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1537", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1136.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1486", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, 
{"techniqueID": "T1199", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1592", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1525", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1550", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1550.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1059.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "181"}], "showSubtechniques": false}, {"techniqueID": "T1059.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "21"}], "showSubtechniques": false}, {"techniqueID": "T1136", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1087", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1021.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1055", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "23"}], "showSubtechniques": false}, {"techniqueID": "T1588", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1219", "color": 
"#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "28"}], "showSubtechniques": false}, {"techniqueID": "T1558", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1134.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1003.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1547.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "31"}], "showSubtechniques": false}, {"techniqueID": "T1218", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "94"}], "showSubtechniques": false}, {"techniqueID": "T1546.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1548.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "48"}], "showSubtechniques": false}, {"techniqueID": "T1547", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1574.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "22"}], "showSubtechniques": false}, {"techniqueID": "T1137.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1543.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "40"}], "showSubtechniques": false}, {"techniqueID": "T1137", "color": "#ffcccc", 
"comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1008", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1546", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1564", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1027.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1546.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1218.011", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "32"}], "showSubtechniques": false}, {"techniqueID": "T1574.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "42"}], "showSubtechniques": false}, {"techniqueID": "T1547.009", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1036.007", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1587.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1546.013", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1195", "color": "#ffcccc", "comment": "", 
"enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1195.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1542.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1216", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "17"}], "showSubtechniques": false}, {"techniqueID": "T1137.006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1574", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1482", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "13"}], "showSubtechniques": false}, {"techniqueID": "T1069.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1001.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1059.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "18"}], "showSubtechniques": false}, {"techniqueID": "T1059.007", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "13"}], "showSubtechniques": false}, {"techniqueID": "T1133", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1070", "color": "#ffcccc", "comment": "", "enabled": true, 
"metadata": [{"name": "Analytic Count", "value": "13"}], "showSubtechniques": false}, {"techniqueID": "T1555.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1074.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1574.011", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1484.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1555.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1053.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "38"}], "showSubtechniques": false}, {"techniqueID": "T1555", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1560", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1546.015", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1491.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1218.007", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1114.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": 
[{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1518", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1553.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1070.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1217", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1069", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1564.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1564.006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1615", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1136.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1070.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1574.012", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1556.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic 
Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1564.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "19"}], "showSubtechniques": false}, {"techniqueID": "T1202", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "28"}], "showSubtechniques": false}, {"techniqueID": "T1497.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1110.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1003.006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1120", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1218.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1559.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1562.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1055.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1071", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1220", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": 
"3"}], "showSubtechniques": false}, {"techniqueID": "T1027.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1112", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "62"}], "showSubtechniques": false}, {"techniqueID": "T1588.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1546.012", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1546.009", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1547.010", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1221", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.011", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1559.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1553.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], 
"showSubtechniques": false}, {"techniqueID": "T1037.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1546.010", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1137.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.008", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1547.008", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1125", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1608", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1555.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1055.012", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1218.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], 
"showSubtechniques": false}, {"techniqueID": "T1055.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1127", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "17"}], "showSubtechniques": false}, {"techniqueID": "T1218.008", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1134.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1563.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1218.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1218.010", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "16"}], "showSubtechniques": false}, {"techniqueID": "T1542.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1574.008", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1569", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1021", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1552.006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], 
"showSubtechniques": false}, {"techniqueID": "T1090.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1036", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "27"}], "showSubtechniques": false}, {"techniqueID": "T1027.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1550.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1135", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1090.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1072", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1012", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1570", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1036.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1039", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1559", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, 
{"techniqueID": "T1176", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1539", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1007", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1489", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1222.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1505.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1574.007", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.007", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1547.014", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1557", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1614.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": 
"T1134.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1620", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1059.006", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1021.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1552.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1134.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.013", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1562.010", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1185", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.009", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1048.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1132.001", 
"color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1216.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1574.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1104", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1211", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1110.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1505.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1543", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1599.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1554", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1110.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1010", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1550.002", "color": "#ffcccc", 
"comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1553.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1091", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1200", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1134.005", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1090.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1207", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1078.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1078.002", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1078.003", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1021.004", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1499.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1567.001", "color": "#ffcccc", "comment": "", 
"enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1127.001", "color": "#ffcccc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}], "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "metadata": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "selectSubtechniquesWithParent": false, "name": "ATT&CK Analytic Coverage - Sigma"} \ No newline at end of file diff --git a/docs/coverage/splunk_analytic_coverage_12_30_2022.json b/docs/coverage/splunk_analytic_coverage_12_30_2022.json new file mode 100644 index 00000000..bdf82e73 --- /dev/null +++ b/docs/coverage/splunk_analytic_coverage_12_30_2022.json 
@@ -0,0 +1 @@ +{"versions": {"attack": "10", "navigator": "4.4", "layer": "4.3"}, "domain": "enterprise-attack", "description": "A comparison of Technique/Sub-technique coverage across the splunk GitHub repository. Generated on December 30, 2022.", "filters": {"platforms": ["Linux", "macOS", "Windows", "Network"]}, "sorting": 0, "layout": {"layout": "side", "showID": false, "showName": true}, "hideDisabled": false, "techniques": [{"techniqueID": "T1552.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1087.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1049", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1059", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "57"}], "showSubtechniques": false}, {"techniqueID": "T1204", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "15"}], "showSubtechniques": false}, {"techniqueID": "T1140", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1016", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1027", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1069.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1529", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": 
[{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1040", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1018", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "18"}], "showSubtechniques": false}, {"techniqueID": "T1136.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1056.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1562.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "45"}], "showSubtechniques": false}, {"techniqueID": "T1566", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "33"}], "showSubtechniques": false}, {"techniqueID": "T1566.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1204.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1553", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1113", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1083", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1053.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", 
"value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1071.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1197", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1203", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1189", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1204.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1036.005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1567.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1190", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "31"}], "showSubtechniques": false}, {"techniqueID": "T1110", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "25"}], "showSubtechniques": false}, {"techniqueID": "T1105", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "23"}], "showSubtechniques": false}, {"techniqueID": "T1566.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "29"}], 
"showSubtechniques": false}, {"techniqueID": "T1590", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1505.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1490", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1505", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1053", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "28"}], "showSubtechniques": false}, {"techniqueID": "T1201", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1082", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1033", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1124", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1553.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1552.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1070.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, 
{"techniqueID": "T1561.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1074", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1560.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1098", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1048.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1071.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1041", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1021.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1021.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1095", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1569.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1187", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1068", 
"color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1021.006", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1210", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1087.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "19"}], "showSubtechniques": false}, {"techniqueID": "T1558.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1048", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1003.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1003.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1053.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1003.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "14"}], "showSubtechniques": false}, {"techniqueID": "T1047", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "14"}], "showSubtechniques": false}, {"techniqueID": "T1567", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1548", "color": "#fff0cc", 
"comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "51"}], "showSubtechniques": false}, {"techniqueID": "T1589", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1562.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1212", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1036.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "22"}], "showSubtechniques": false}, {"techniqueID": "T1115", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1485", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "19"}], "showSubtechniques": false}, {"techniqueID": "T1546.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1222.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1562.006", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1059.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1547.006", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1574.006", "color": "#fff0cc", "comment": "", 
"enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1564.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "36"}], "showSubtechniques": false}, {"techniqueID": "T1499", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1548.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "32"}], "showSubtechniques": false}, {"techniqueID": "T1090", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1014", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1548.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1568.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1572", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1102", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1078", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "51"}], "showSubtechniques": false}, {"techniqueID": "T1078.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": 
[{"name": "Analytic Count", "value": "28"}], "showSubtechniques": false}, {"techniqueID": "T1556", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1562", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "62"}], "showSubtechniques": false}, {"techniqueID": "T1552", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1526", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1098.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1484", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1531", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1114", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1020", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1573", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1537", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1136.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], 
"showSubtechniques": false}, {"techniqueID": "T1486", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1199", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1592", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1550", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1059.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "32"}], "showSubtechniques": false}, {"techniqueID": "T1059.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1136", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "14"}], "showSubtechniques": false}, {"techniqueID": "T1087", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "27"}], "showSubtechniques": false}, {"techniqueID": "T1021.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1055", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "26"}], "showSubtechniques": false}, {"techniqueID": "T1219", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1558", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "18"}], "showSubtechniques": false}, 
{"techniqueID": "T1134.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1003.005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1218", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "70"}], "showSubtechniques": false}, {"techniqueID": "T1546.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1548.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "13"}], "showSubtechniques": false}, {"techniqueID": "T1547", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "16"}], "showSubtechniques": false}, {"techniqueID": "T1574.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1543.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "14"}], "showSubtechniques": false}, {"techniqueID": "T1546", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "15"}], "showSubtechniques": false}, {"techniqueID": "T1564", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1027.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": 
"T1546.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1218.011", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "16"}], "showSubtechniques": false}, {"techniqueID": "T1574.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1195", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1195.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1216", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1574", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1482", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1069.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "18"}], "showSubtechniques": false}, {"techniqueID": "T1001.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1059.005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1059.007", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1070", "color": 
"#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "23"}], "showSubtechniques": false}, {"techniqueID": "T1574.011", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1555.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1053.005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "15"}], "showSubtechniques": false}, {"techniqueID": "T1555", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1560", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1546.015", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1218.007", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1114.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1070.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1069", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "25"}], "showSubtechniques": false}, {"techniqueID": "T1070.005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1202", "color": "#fff0cc", 
"comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1110.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1218.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1559.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1071", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "10"}], "showSubtechniques": false}, {"techniqueID": "T1220", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1112", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "25"}], "showSubtechniques": false}, {"techniqueID": "T1588.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1546.012", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1547.010", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.011", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1037.001", "color": "#fff0cc", "comment": "", 
"enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.008", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.008", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1546.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1555.005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "12"}], "showSubtechniques": false}, {"techniqueID": "T1055.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1127", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1218.008", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1134.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1218.010", "color": "#fff0cc", "comment": "", "enabled": 
true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1569", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1021", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "24"}], "showSubtechniques": false}, {"techniqueID": "T1036", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "27"}], "showSubtechniques": false}, {"techniqueID": "T1027.005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1550.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1072", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1012", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1036.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1039", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1489", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "14"}], "showSubtechniques": false}, {"techniqueID": "T1222.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1547.014", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": 
"Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1557", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "4"}], "showSubtechniques": false}, {"techniqueID": "T1134.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1552.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1218.013", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.009", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1543", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "16"}], "showSubtechniques": false}, {"techniqueID": "T1554", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1110.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "15"}], "showSubtechniques": false}, {"techniqueID": "T1550.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1200", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1078.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", 
"value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1078.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1078.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1021.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1127.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1574.009", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1098.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1647", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1543.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1056", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1037", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1497", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1530", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], 
"showSubtechniques": false}, {"techniqueID": "T1222", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "11"}], "showSubtechniques": false}, {"techniqueID": "T1562.007", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1484.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1114.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1498", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1134", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1037.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1003.008", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1195.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "9"}], "showSubtechniques": false}, {"techniqueID": "T1114.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1557.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], 
"showSubtechniques": false}, {"techniqueID": "T1498.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1213", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1071.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1020.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1542.005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1542", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1547.012", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1586", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "26"}], "showSubtechniques": false}, {"techniqueID": "T1586.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "26"}], "showSubtechniques": false}, {"techniqueID": "T1055.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1558.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1590.005", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], 
"showSubtechniques": false}, {"techniqueID": "T1071.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1497.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1016.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1491", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1561", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1589.002", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1053.006", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1595", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.014", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "3"}], "showSubtechniques": false}, {"techniqueID": "T1558.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1218.012", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1592.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], 
"showSubtechniques": false}, {"techniqueID": "T1589.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1204.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1562.008", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "6"}], "showSubtechniques": false}, {"techniqueID": "T1535", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "8"}], "showSubtechniques": false}, {"techniqueID": "T1110.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "5"}], "showSubtechniques": false}, {"techniqueID": "T1069.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1621", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "7"}], "showSubtechniques": false}, {"techniqueID": "T1098.001", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}, {"techniqueID": "T1580", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1556.006", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1587.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], "showSubtechniques": false}, {"techniqueID": "T1588.004", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "2"}], 
"showSubtechniques": false}, {"techniqueID": "T1566.003", "color": "#fff0cc", "comment": "", "enabled": true, "metadata": [{"name": "Analytic Count", "value": "1"}], "showSubtechniques": false}], "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "metadata": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "selectSubtechniquesWithParent": false, "name": "ATT&CK Analytic Coverage - Splunk"} \ No newline at end of file From 26edee51b262e3fc02be734c0341b0bdb5606039 Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 30 Dec 2022 09:23:35 -0500 Subject: [PATCH 26/82] Updated repo counts --- docs/coverage/index.md | 11332 ++++++++++++++++++++------------------- 1 file changed, 5901 insertions(+), 5431 deletions(-) diff --git a/docs/coverage/index.md b/docs/coverage/index.md index 242c3757..9eb9d871 100644 --- a/docs/coverage/index.md +++ b/docs/coverage/index.md @@ -2,7 +2,7 @@ title: Analytic Coverage Comparison --- -Generated on: May 19, 2022 +Generated on: December 30, 2022 A cross-walk of CAR, [Sigma](https://github.com/SigmaHQ/sigma), [Elastic Detection](https://github.com/elastic/detection-rules), and [Splunk Security Content](https://github.com/splunk/security_content/tree/develop/detections) rules in terms of their coverage of ATT&CK Techniques and Sub-techniques. Note that some analytics may have coverage for multiple techniques, so there is not necessarily a 1:1 correlation between the number of hits in this table for a technique/sub-technique and the number of analytics in each repository. The below table is current as of the Generated On date at the top of this page. 
@@ -16,5437 +16,5907 @@ This table is sortable, so feel free to click on any column to sort by its value This data is also available as: -* A [CSV file](/coverage/analytic_coverage_05_19_2022.csv). +* A [CSV file](/coverage/analytic_coverage_12_30_2022.csv). * Separate ATT&CK Navigator Layers: - * [CAR Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/car_analytic_coverage_05_19_2022.json). - * [Sigma Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/es_analytic_coverage_05_19_2022.json). - * [ES Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/es_analytic_coverage_05_19_2022.json). - * [Splunk Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/splunk_analytic_coverage_05_19_2022.json). + * [CAR Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/car_analytic_coverage_12_30_2022.json). + * [Sigma Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/es_analytic_coverage_12_30_2022.json). + * [ES Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/es_analytic_coverage_12_30_2022.json). + * [Splunk Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/splunk_analytic_coverage_12_30_2022.json). 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
Technique IDTechnique NameSub-technique Name# CAR# Sigma# ES# Splunk# Total
T1001Data Obfuscationn/a00000
T1001.001Data ObfuscationJunk Data00000
T1001.002Data ObfuscationSteganography00000
T1001.003Data ObfuscationProtocol Impersonation03003
T1003OS Credential Dumpingn/a014263171
T1003.001OS Credential DumpingLSASS Memory56191388
T1003.002OS Credential DumpingSecurity Account Manager1275942
T1003.003OS Credential DumpingNTDS2181728
T1003.004OS Credential DumpingLSA Secrets0121013
T1003.005OS Credential DumpingCached Domain Credentials08008
T1003.006OS Credential DumpingDCSync08008
T1003.007OS Credential DumpingProc Filesystem01001
T1003.008OS Credential Dumping/etc/passwd and /etc/shadow00011
T1005Data from Local Systemn/a072110
T1006Direct Volume Accessn/a01102
T1007System Service Discoveryn/a23005
T1008Fallback Channelsn/a02002
T1010Application Window Discoveryn/a11002
T1011Exfiltration Over Other Network Mediumn/a00000
T1011.001Exfiltration Over Other Network MediumExfiltration Over Bluetooth00000
T1012Query Registryn/a3111015
T1014Rootkitn/a00011
T1016System Network Configuration Discoveryn/a283316
T1018Remote System Discoveryn/a11441837
T1020Automated Exfiltrationn/a051612
T1020.001Automated ExfiltrationTraffic Duplication00011
T1021Remote Servicesn/a11312053
T1021.001Remote ServicesRemote Desktop Protocol3121521
T1021.002Remote ServicesSMB/Windows Admin Shares5306546
T1021.003Remote ServicesDistributed Component Object Model180514
T1021.004Remote ServicesSSH00000
T1021.005Remote ServicesVNC01001
T1021.006Remote ServicesWindows Remote Management390618
T1025Data from Removable Median/a00000
T1026Multiband Communicationn/a00000
T1027Obfuscated Files or Informationn/a0756687
T1027.001Obfuscated Files or InformationBinary Padding03003
T1027.002Obfuscated Files or InformationSoftware Packing01001
T1027.003Obfuscated Files or InformationSteganography05005
T1027.004Obfuscated Files or InformationCompile After Delivery05218
T1027.005Obfuscated Files or InformationIndicator Removal from Tools02024
T1029Scheduled Transfern/a10001
T1030Data Transfer Size Limitsn/a02002
T1033System Owner/User Discoveryn/a2184832
T1034Path Interceptionn/a00000
T1036Masqueradingn/a123121753
T1036.001MasqueradingInvalid Code Signature00000
T1036.002MasqueradingRight-to-Left Override00000
T1036.003MasqueradingRename System Utilities11321228
T1036.004MasqueradingMasquerade Task or Service02114
T1036.005MasqueradingMatch Legitimate Name or Location191112
T1036.006MasqueradingSpace after Filename01001
T1037Boot or Logon Initialization Scriptsn/a00224
T1037.001Boot or Logon Initialization ScriptsLogon Script (Windows)22015
T1037.002Boot or Logon Initialization ScriptsLogon Script (Mac)00000
T1037.003Boot or Logon Initialization ScriptsNetwork Logon Script00000
T1037.004Boot or Logon Initialization ScriptsRc.common00011
T1037.005Boot or Logon Initialization ScriptsStartup Items01001
T1039Data from Network Shared Driven/a12014
T1040Network Sniffingn/a182011
T1041Exfiltration Over C2 Channeln/a03014
T1043Commonly Used Portn/a00000
T1046Network Service Scanningn/a2100012
T1047Windows Management Instrumentationn/a33451254
T1048Exfiltration Over Alternative Protocoln/a076922
T1048.001Exfiltration Over Alternative ProtocolExfiltration Over Symmetric Encrypted Non-C2 Protocol01001
T1048.002Exfiltration Over Alternative ProtocolExfiltration Over Asymmetric Encrypted Non-C2 Protocol00000
T1048.003Exfiltration Over Alternative ProtocolExfiltration Over Unencrypted/Obfuscated Non-C2 Protocol0140923
T1049System Network Connections Discoveryn/a181515
T1051Shared Webrootn/a00000
T1052Exfiltration Over Physical Mediumn/a00000
T1052.001Exfiltration Over Physical MediumExfiltration over USB00000
T1053Scheduled Task/Jobn/a012142652
T1053.001Scheduled Task/JobAt (Linux)01023
T1053.002Scheduled Task/JobAt (Windows)370111
T1053.003Scheduled Task/JobCron044513
T1053.004Scheduled Task/JobLaunchd00000
T1053.005Scheduled Task/JobScheduled Task62851554
T1053.006Scheduled Task/JobSystemd Timers00033
T1055Process Injectionn/a020112051
T1055.001Process InjectionDynamic-link Library Injection280313
T1055.002Process InjectionPortable Executable Injection01001
T1055.003Process InjectionThread Execution Hijacking01001
T1055.004Process InjectionAsynchronous Procedure Call00000
T1055.005Process InjectionThread Local Storage00000
T1055.008Process InjectionPtrace System Calls00000
T1055.009Process InjectionProc Memory00000
T1055.011Process InjectionExtra Window Memory Injection00000
T1055.012Process InjectionProcess Hollowing12205
T1055.013Process InjectionProcess Doppelgänging00000
T1055.014Process InjectionVDSO Hijacking00000
T1056Input Capturen/a00202
T1056.001Input CaptureKeylogging01001
T1056.002Input CaptureGUI Input Capture03104
T1056.003Input CaptureWeb Portal Capture00000
T1056.004Input CaptureCredential API Hooking01001
T1057Process Discoveryn/a262010
T1059Command and Scripting Interpretern/a1295542127
T1059.001Command and Scripting InterpreterPowerShell3164720194
T1059.002Command and Scripting InterpreterAppleScript01102
T1059.003Command and Scripting InterpreterWindows Command Shell2160826
T1059.004Command and Scripting InterpreterUnix Shell0815225
T1059.005Command and Scripting InterpreterVisual Basic1180423
T1059.006Command and Scripting InterpreterPython02103
T1059.007Command and Scripting InterpreterJavaScript/JScript0133420
T1059.008Command and Scripting InterpreterNetwork Device CLI00000
T1061Graphical User Interfacen/a00000
T1062Hypervisorn/a00000
T1064Scriptingn/a00000
T1068Exploitation for Privilege Escalationn/a12113742
T1069Permission Groups Discoveryn/a0152531
T1069.001Permission Groups DiscoveryLocal Groups31311128
T1069.002Permission Groups DiscoveryDomain Groups3821831
T1069.003Permission Groups DiscoveryCloud Groups00011
T1070Indicator Removal on Hostn/a09132244
T1070.001Indicator Removal on HostClear Windows Event Logs272617
T1070.002Indicator Removal on HostClear Linux or Mac System Logs02002
T1070.003Indicator Removal on HostClear Command History16209
T1070.004Indicator Removal on HostFile Deletion01131125
T1070.005Indicator Removal on HostNetwork Share Connection Removal13015
T1070.006Indicator Removal on HostTimestomp04105
T1071Application Layer Protocoln/a068418
T1071.001Application Layer ProtocolWeb Protocols0263231
T1071.002Application Layer ProtocolFile Transfer Protocols00011
T1071.003Application Layer ProtocolMail Protocols00000
T1071.004Application Layer ProtocolDNS0170421
T1072Software Deployment Toolsn/a02024
T1074Data Stagedn/a02114
T1074.001Data StagedLocal Data Staging04004
T1074.002Data StagedRemote Data Staging00000
T1078Valid Accountsn/a019303786
T1078.001Valid AccountsDefault Accounts01045
T1078.002Valid AccountsDomain Accounts512614
T1078.003Valid AccountsLocal Accounts513110
T1078.004Valid AccountsCloud Accounts0311923
T1080Taint Shared Contentn/a00202
T1082System Information Discoveryn/a2124321
T1083File and Directory Discoveryn/a091111
T1087Account Discoveryn/a0942437
T1087.001Account DiscoveryLocal Account2901122
T1087.002Account DiscoveryDomain Account21311733
T1087.003Account DiscoveryEmail Account00000
T1087.004Account DiscoveryCloud Account00000
T1090Proxyn/a04105
T1090.001ProxyInternal Proxy01001
T1090.002ProxyExternal Proxy01001
T1090.003ProxyMulti-hop Proxy02103
T1090.004ProxyDomain Fronting00000
T1091Replication Through Removable Median/a01001
T1092Communication Through Removable Median/a00000
T1095Non-Application Layer Protocoln/a04116
T1098Account Manipulationn/a11632554
T1098.001Account ManipulationAdditional Cloud Credentials00000
T1098.002Account ManipulationExchange Email Delegate Permissions00202
T1098.003Account ManipulationAdd Office 365 Global Administrator Role01001
T1098.004Account ManipulationSSH Authorized Keys00123
T1102Web Servicen/a00101
T1102.001Web ServiceDead Drop Resolver02002
T1102.002Web ServiceBidirectional Communication02002
T1102.003Web ServiceOne-Way Communication02002
T1104Multi-Stage Channelsn/a01001
T1105Ingress Tool Transfern/a43491764
T1106Native APIn/a094013
T1108Redundant Accessn/a00000
T1110Brute Forcen/a0791127
T1110.001Brute ForcePassword Guessing03014
T1110.002Brute ForcePassword Cracking01001
T1110.003Brute ForcePassword Spraying080816
T1110.004Brute ForceCredential Stuffing00000
T1111Two-Factor Authentication Interceptionn/a00101
T1112Modify Registryn/a85431782
T1113Screen Capturen/a061310
T1114Email Collectionn/a022812
T1114.001Email CollectionLocal Email Collection01023
T1114.002Email CollectionRemote Email Collection00134
T1114.003Email CollectionEmail Forwarding Rule00022
T1115Clipboard Datan/a04004
T1119Automated Collectionn/a05005
T1120Peripheral Device Discoveryn/a02103
T1123Audio Capturen/a06107
T1124System Time Discoveryn/a02002
T1125Video Capturen/a01001
T1127Trusted Developer Utilities Proxy Executionn/a0118928
T1127.001Trusted Developer Utilities Proxy ExecutionMSBuild123612
T1129Shared Modulesn/a00101
T1132Data Encodingn/a00000
T1132.001Data EncodingStandard Encoding01001
T1132.002Data EncodingNon-Standard Encoding00000
T1133External Remote Servicesn/a04408
T1134Access Token Manipulationn/a00325
T1134.001Access Token ManipulationToken Impersonation/Theft04015
T1134.002Access Token ManipulationCreate Process with Token05005
T1134.003Access Token ManipulationMake and Impersonate Token00000
T1134.004Access Token ManipulationParent PID Spoofing00112
T1134.005Access Token ManipulationSID-History Injection01001
T1135Network Share Discoveryn/a07209
T1136Create Accountn/a0171119
T1136.001Create AccountLocal Account1112418
T1136.002Create AccountDomain Account02002
T1136.003Create AccountCloud Account022610
T1137Office Application Startupn/a05207
T1137.001Office Application StartupOffice Template Macros00000
T1137.002Office Application StartupOffice Test01001
T1137.003Office Application StartupOutlook Forms01001
T1137.004Office Application StartupOutlook Home Page00000
T1137.005Office Application StartupOutlook Rules00000
T1137.006Office Application StartupAdd-ins03003
T1140Deobfuscate/Decode Files or Informationn/a1106219
T1149LC_MAIN Hijackingn/a00000
T1153Sourcen/a00000
T1175Component Object Model and Distributed COMn/a00000
T1176Browser Extensionsn/a00000
T1185Man in the Browsern/a00000
T1187Forced Authenticationn/a13015
T1189Drive-by Compromisen/a02125
T1190Exploit Public-Facing Applicationn/a060152398
T1195Supply Chain Compromisen/a01438
T1195.001Supply Chain CompromiseCompromise Software Dependencies and Development Tools01023
T1195.002Supply Chain CompromiseCompromise Software Supply Chain00415
T1195.003Supply Chain CompromiseCompromise Hardware Supply Chain00000
T1197BITS Jobsn/a281617
T1199Trusted Relationshipn/a01023
T1200Hardware Additionsn/a02057
T1201Password Policy Discoveryn/a040711
T1202Indirect Command Executionn/a0190322
T1203Exploitation for Client Executionn/a0212427
T1204User Executionn/a0771529
T1204.001User ExecutionMalicious Link01012
T1204.002User ExecutionMalicious File1273435
T1205Traffic Signalingn/a00000
T1205.001Traffic SignalingPort Knocking00000
T1207Rogue Domain Controllern/a01001
T1210Exploitation of Remote Servicesn/a081110
T1211Exploitation for Defense Evasionn/a03104
T1212Exploitation for Credential Accessn/a071210
T1213Data from Information Repositoriesn/a00011
T1213.001Data from Information RepositoriesConfluence00000
T1213.002Data from Information RepositoriesSharepoint00000
T1216Signed Script Proxy Executionn/a0120012
T1216.001Signed Script Proxy ExecutionPubPrn00000
T1217Browser Bookmark Discoveryn/a03003
T1218Signed Binary Proxy Executionn/a0671760144
T1218.001Signed Binary Proxy ExecutionCompiled HTML File13149
T1218.002Signed Binary Proxy ExecutionControl Panel01113
T1218.003Signed Binary Proxy ExecutionCMSTP15039
T1218.004Signed Binary Proxy ExecutionInstallUtil011911
T1218.005Signed Binary Proxy ExecutionMshta0841224
T1218.007Signed Binary Proxy ExecutionMsiexec07018
T1218.008Signed Binary Proxy ExecutionOdbcconf01001
T1218.009Signed Binary Proxy ExecutionRegsvcs/Regasm01168
T1218.010Signed Binary Proxy ExecutionRegsvr322162525
T1218.011Signed Binary Proxy ExecutionRundll3213131550
T1218.012Signed Binary Proxy ExecutionVerclsid00011
T1219Remote Access Softwaren/a0193022
T1220XSL Script Processingn/a03328
T1221Template Injectionn/a00000
T1222File and Directory Permissions Modificationn/a0031114
T1222.001File and Directory Permissions ModificationWindows File and Directory Permissions Modification14027
T1222.002File and Directory Permissions ModificationLinux and Mac File and Directory Permissions Modification12014
T1480Execution Guardrailsn/a00000
T1480.001Execution GuardrailsEnvironmental Keying00000
T1482Domain Trust Discoveryn/a01011122
T1484Domain Policy Modificationn/a00404
T1484.001Domain Policy ModificationGroup Policy Modification00000
T1484.002Domain Policy ModificationDomain Trust Modification00101
T1485Data Destructionn/a01071633
T1486Data Encrypted for Impactn/a091717
T1489Service Stopn/a042713
T1490Inhibit System Recoveryn/a21561235
T1491Defacementn/a00011
T1491.001DefacementInternal Defacement01001
T1491.002DefacementExternal Defacement00000
T1495Firmware Corruptionn/a01001
T1496Resource Hijackingn/a04105
T1497Virtualization/Sandbox Evasionn/a00011
T1497.001Virtualization/Sandbox EvasionSystem Checks01001
T1497.002Virtualization/Sandbox EvasionUser Activity Based Checks00000
T1497.003Virtualization/Sandbox EvasionTime Based Evasion00011
T1498Network Denial of Servicen/a00178
T1498.001Network Denial of ServiceDirect Network Flood00000
T1498.002Network Denial of ServiceReflection Amplification00011
T1499Endpoint Denial of Servicen/a01102
T1499.001Endpoint Denial of ServiceOS Exhaustion Flood01001
T1499.002Endpoint Denial of ServiceService Exhaustion Flood00000
T1499.003Endpoint Denial of ServiceApplication Exhaustion Flood00000
T1499.004Endpoint Denial of ServiceApplication or System Exploitation03003
T1505Server Software Componentn/a01258
T1505.001Server Software ComponentSQL Stored Procedures00000
T1505.002Server Software ComponentTransport Agent03003
T1505.003Server Software ComponentWeb Shell1232632
T1518Software Discoveryn/a02305
T1518.001Software DiscoverySecurity Software Discovery14207
T1525Implant Container Imagen/a00022
T1526Cloud Service Discoveryn/a00178
T1528Steal Application Access Tokenn/a01304
T1529System Shutdown/Rebootn/a05005
T1530Data from Cloud Storage Objectn/a005611
T1531Account Access Removaln/a037414
T1534Internal Spearphishingn/a00000
T1535Unused/Unsupported Cloud Regionsn/a00088
T1537Transfer Data to Cloud Accountn/a046212
T1538Cloud Service Dashboardn/a00000
T1539Steal Web Session Cookien/a01203
T1542Pre-OS Bootn/a00011
T1542.001Pre-OS BootSystem Firmware00000
T1542.002Pre-OS BootComponent Firmware00000
T1542.003Pre-OS BootBootkit01001
T1542.004Pre-OS BootROMMONkit00000
T1542.005Pre-OS BootTFTP Boot00011
T1543Create or Modify System Processn/a02171534
T1543.001Create or Modify System ProcessLaunch Agent00325
T1543.002Create or Modify System ProcessSystemd Service02002
T1543.003Create or Modify System ProcessWindows Service62581352
T1543.004Create or Modify System ProcessLaunch Daemon00000
T1546Event Triggered Executionn/a08141234
T1546.001Event Triggered ExecutionChange Default File Association12025
T1546.002Event Triggered ExecutionScreensaver14016
T1546.003Event Triggered ExecutionWindows Management Instrumentation Event Subscription1121216
T1546.004Event Triggered Execution.bash_profile and .bashrc01124
T1546.005Event Triggered ExecutionTrap00000
T1546.006Event Triggered ExecutionLC_LOAD_DYLIB Addition00000
T1546.007Event Triggered ExecutionNetsh Helper DLL01001
T1546.008Event Triggered ExecutionAccessibility Features34119
T1546.009Event Triggered ExecutionAppCert DLLs01102
T1546.010Event Triggered ExecutionAppInit DLLs21104
T1546.011Event Triggered ExecutionApplication Shimming02237
T1546.012Event Triggered ExecutionImage File Execution Options Injection02114
T1546.013Event Triggered ExecutionPowerShell Profile03003
T1546.014Event Triggered ExecutionEmond01203
T1546.015Event Triggered ExecutionComponent Object Model Hijacking15118
T1547Boot or Logon Autostart Executionn/a05231543
T1547.001Boot or Logon Autostart ExecutionRegistry Run Keys / Startup Folder4279242
T1547.002Boot or Logon Autostart ExecutionAuthentication Package00202
T1547.003Boot or Logon Autostart ExecutionTime Providers00112
T1547.004Boot or Logon Autostart ExecutionWinlogon Helper DLL23005
T1547.005Boot or Logon Autostart ExecutionSecurity Support Provider01102
T1547.006Boot or Logon Autostart ExecutionKernel Modules and Extensions01337
T1547.007Boot or Logon Autostart ExecutionRe-opened Applications00000
T1547.008Boot or Logon Autostart ExecutionLSASS Driver01001
T1547.009Boot or Logon Autostart ExecutionShortcut Modification04004
T1547.010Boot or Logon Autostart ExecutionPort Monitors13116
T1547.011Boot or Logon Autostart ExecutionPlist Modification00213
T1547.012Boot or Logon Autostart ExecutionPrint Processors00077
T1548Abuse Elevation Control Mechanismn/a113212560
T1548.001Abuse Elevation Control MechanismSetuid and Setgid01236
T1548.002Abuse Elevation Control MechanismBypass User Account Control345111372
T1548.003Abuse Elevation Control MechanismSudo and Sudo Caching023712
T1548.004Abuse Elevation Control MechanismElevated Execution with Prompt00000
T1550Use Alternate Authentication Materialn/a036918
T1550.001Use Alternate Authentication MaterialApplication Access Token03508
T1550.002Use Alternate Authentication MaterialPass the Hash160310
T1550.003Use Alternate Authentication MaterialPass the Ticket03137
T1550.004Use Alternate Authentication MaterialWeb Session Cookie00000
T1552Unsecured Credentialsn/a053210
T1552.001Unsecured CredentialsCredentials In Files1122015
T1552.002Unsecured CredentialsCredentials in Registry13026
T1552.003Unsecured CredentialsBash History03003
T1552.004Unsecured CredentialsPrivate Keys05106
T1552.005Unsecured CredentialsCloud Instance Metadata API00000
T1552.006Unsecured CredentialsGroup Policy Preferences02002
T1553Subvert Trust Controlsn/a01528
T1553.001Subvert Trust ControlsGatekeeper Bypass01001
T1553.002Subvert Trust ControlsCode Signing01102
T1553.003Subvert Trust ControlsSIP and Trust Provider Hijacking00101
T1553.004Subvert Trust ControlsInstall Root Certificate14229
T1554Compromise Client Software Binaryn/a03227
T1555Credentials from Password Storesn/a047314
T1555.001Credentials from Password StoresKeychain01405
T1555.002Credentials from Password StoresSecurityd Memory00000
T1555.003Credentials from Password StoresCredentials from Web Browsers01236
T1556Modify Authentication Processn/a01528
T1556.001Modify Authentication ProcessDomain Controller Authentication00000
T1556.002Modify Authentication ProcessPassword Filter DLL02002
T1556.003Modify Authentication ProcessPluggable Authentication Modules00000
T1556.004Modify Authentication ProcessNetwork Device Authentication00000
T1557Man-in-the-Middlen/a00044
T1557.001Man-in-the-MiddleLLMNR/NBT-NS Poisoning and SMB Relay06006
T1557.002Man-in-the-MiddleARP Cache Poisoning00033
T1558Steal or Forge Kerberos Ticketsn/a0391325
T1558.001Steal or Forge Kerberos TicketsGolden Ticket00011
T1558.002Steal or Forge Kerberos TicketsSilver Ticket00000
T1558.003Steal or Forge Kerberos TicketsKerberoasting0111618
T1558.004Steal or Forge Kerberos TicketsAS-REP Roasting00055
T1559Inter-Process Communicationn/a01203
T1559.001Inter-Process CommunicationComponent Object Model04116
T1559.002Inter-Process CommunicationDynamic Data Exchange11002
T1560Archive Collected Datan/a022610
T1560.001Archive Collected DataArchive via Utility1102619
T1560.002Archive Collected DataArchive via Library00000
T1560.003Archive Collected DataArchive via Custom Method00000
T1561Disk Wipen/a00022
T1561.001Disk WipeDisk Content Wipe01001
T1561.002Disk WipeDisk Structure Wipe01023
T1562Impair Defensesn/a085951118
T1562.001Impair DefensesDisable or Modify Tools3513540129
T1562.002Impair DefensesDisable Windows Event Logging16209
T1562.003Impair DefensesImpair Command History Logging00000
T1562.004Impair DefensesDisable or Modify System Firewall0104519
T1562.006Impair DefensesIndicator Blocking23218
T1562.007Impair DefensesDisable or Modify Cloud Firewall00066
T1562.008Impair DefensesDisable Cloud Logs00000
T1563Remote Service Session Hijackingn/a00000
T1563.001Remote Service Session HijackingSSH Hijacking00000
T1563.002Remote Service Session HijackingRDP Hijacking02002
T1564Hide Artifactsn/a056112
T1564.001Hide ArtifactsHidden Files and Directories064212
T1564.002Hide ArtifactsHidden Users01001
T1564.003Hide ArtifactsHidden Window02002
T1564.004Hide ArtifactsNTFS File Attributes2102014
T1564.005Hide ArtifactsHidden File System00000
T1564.006Hide ArtifactsRun Virtual Instance02002
T1564.007Hide ArtifactsVBA Stomping00000
T1565Data Manipulationn/a02305
T1565.001Data ManipulationStored Data Manipulation03306
T1565.002Data ManipulationTransmitted Data Manipulation01001
T1565.003Data ManipulationRuntime Data Manipulation00000
T1566Phishingn/a04162848
T1566.001PhishingSpearphishing Attachment011102445
T1566.002PhishingSpearphishing Link00718
T1566.003PhishingSpearphishing via Service00011
T1567Exfiltration Over Web Servicen/a04116
T1567.001Exfiltration Over Web ServiceExfiltration to Code Repository02002
T1567.002Exfiltration Over Web ServiceExfiltration to Cloud Storage04015
T1568Dynamic Resolutionn/a01304
T1568.001Dynamic ResolutionFast Flux DNS00000
T1568.002Dynamic ResolutionDomain Generation Algorithms00303
T1568.003Dynamic ResolutionDNS Calculation00000
T1569System Servicesn/a043512
T1569.001System ServicesLaunchctl10001
T1569.002System ServicesService Execution4323544
T1570Lateral Tool Transfern/a32106
T1571Non-Standard Portn/a03003
T1572Protocol Tunnelingn/a06309
T1573Encrypted Channeln/a04105
T1573.001Encrypted ChannelSymmetric Cryptography00000
T1573.002Encrypted ChannelAsymmetric Cryptography00000
T1574Hijack Execution Flown/a067518
T1574.001Hijack Execution FlowDLL Search Order Hijacking17109
T1574.002Hijack Execution FlowDLL Side-Loading0182222
T1574.004Hijack Execution FlowDylib Hijacking00000
T1574.005Hijack Execution FlowExecutable Installer File Permissions Weakness00000
T1574.006Hijack Execution FlowLD_PRELOAD02114
T1574.007Hijack Execution FlowPath Interception by PATH Environment Variable10304
T1574.008Hijack Execution FlowPath Interception by Search Order Hijacking11002
T1574.009Hijack Execution FlowPath Interception by Unquoted Path20013
T1574.010Hijack Execution FlowServices File Permissions Weakness20103
T1574.011Hijack Execution FlowServices Registry Permissions Weakness460212
T1574.012Hijack Execution FlowCOR_PROFILER02002
T1578Modify Cloud Compute Infrastructuren/a01001
T1578.001Modify Cloud Compute InfrastructureCreate Snapshot00000
T1578.002Modify Cloud Compute InfrastructureCreate Cloud Instance00000
T1578.003Modify Cloud Compute InfrastructureDelete Cloud Instance01001
T1578.004Modify Cloud Compute InfrastructureRevert Cloud Instance00000
T1580Cloud Infrastructure Discoveryn/a00022
T1583Acquire Infrastructuren/a00000
T1583.001Acquire InfrastructureDomains00000
T1583.002Acquire InfrastructureDNS Server00000
T1583.003Acquire InfrastructureVirtual Private Server00000
T1583.004Acquire InfrastructureServer00000
T1583.005Acquire InfrastructureBotnet00000
T1583.006Acquire InfrastructureWeb Services00000
T1584Compromise Infrastructuren/a02002
T1584.001Compromise InfrastructureDomains00000
T1584.002Compromise InfrastructureDNS Server00000
T1584.003Compromise InfrastructureVirtual Private Server00000
T1584.004Compromise InfrastructureServer00000
T1584.005Compromise InfrastructureBotnet00000
T1584.006Compromise InfrastructureWeb Services01001
T1585Establish Accountsn/a00000
T1585.001Establish AccountsSocial Media Accounts00000
T1585.002Establish AccountsEmail Accounts00000
T1586Compromise Accountsn/a00000
T1586.001Compromise AccountsSocial Media Accounts00000
T1586.002Compromise AccountsEmail Accounts00000
T1587Develop Capabilitiesn/a05005
T1587.001Develop CapabilitiesMalware08008
T1587.002Develop CapabilitiesCode Signing Certificates00000
T1587.003Develop CapabilitiesDigital Certificates00000
T1587.004Develop CapabilitiesExploits00000
T1588Obtain Capabilitiesn/a02002
T1588.001Obtain CapabilitiesMalware01001
T1588.002Obtain CapabilitiesTool04026
T1588.003Obtain CapabilitiesCode Signing Certificates00000
T1588.004Obtain CapabilitiesDigital Certificates00000
T1588.005Obtain CapabilitiesExploits00000
T1588.006Obtain CapabilitiesVulnerabilities00000
T1589Gather Victim Identity Informationn/a01012
T1589.001Gather Victim Identity InformationCredentials00000
T1589.002Gather Victim Identity InformationEmail Addresses00011
T1589.003Gather Victim Identity InformationEmployee Names00000
T1590Gather Victim Network Informationn/a01012
T1590.001Gather Victim Network InformationDomain Properties00000
T1590.002Gather Victim Network InformationDNS00000
T1590.003Gather Victim Network InformationNetwork Trust Dependencies00000
T1590.004Gather Victim Network InformationNetwork Topology00000
T1590.005Gather Victim Network InformationIP Addresses00011
T1590.006Gather Victim Network InformationNetwork Security Appliances00000
T1591Gather Victim Org Informationn/a00000
T1591.001Gather Victim Org InformationDetermine Physical Locations00000
T1591.002Gather Victim Org InformationBusiness Relationships00000
T1591.003Gather Victim Org InformationIdentify Business Tempo00000
T1591.004Gather Victim Org InformationIdentify Roles00000
T1592Gather Victim Host Informationn/a01045
T1592.001Gather Victim Host InformationHardware00000
T1592.002Gather Victim Host InformationSoftware00000
T1592.003Gather Victim Host InformationFirmware00000
T1592.004Gather Victim Host InformationClient Configurations00000
T1593Search Open Websites/Domainsn/a00000
T1593.001Search Open Websites/DomainsSocial Media00000
T1593.002Search Open Websites/DomainsSearch Engines00000
T1594Search Victim-Owned Websitesn/a00000
T1595Active Scanningn/a00011
T1595.001Active ScanningScanning IP Blocks00000
T1595.002Active ScanningVulnerability Scanning00000
T1596Search Open Technical Databasesn/a00000
T1596.001Search Open Technical DatabasesDNS/Passive DNS00000
T1596.002Search Open Technical DatabasesWHOIS00000
T1596.003Search Open Technical DatabasesDigital Certificates00000
T1596.004Search Open Technical DatabasesCDNs00000
T1596.005Search Open Technical DatabasesScan Databases00000
T1597Search Closed Sourcesn/a00000
T1597.001Search Closed SourcesThreat Intel Vendors00000
T1597.002Search Closed SourcesPurchase Technical Data00000
T1598Phishing for Informationn/a00000
T1598.001Phishing for InformationSpearphishing Service00000
T1598.002Phishing for InformationSpearphishing Attachment00000
T1598.003Phishing for InformationSpearphishing Link00000
T1599Network Boundary Bridgingn/a00000
T1599.001Network Boundary BridgingNetwork Address Translation Traversal01001
T1600Weaken Encryptionn/a00000
T1600.001Weaken EncryptionReduce Key Space00000
T1600.002Weaken EncryptionDisable Crypto Hardware00000
T1601Modify System Imagen/a00000
T1601.001Modify System ImagePatch System Image00000
T1601.002Modify System ImageDowngrade System Image00000
T1602Data from Configuration Repositoryn/a00000
T1602.001Data from Configuration RepositorySNMP (MIB Dump)00000
T1602.002Data from Configuration RepositoryNetwork Device Configuration Dump00000
T1606Forge Web Credentialsn/a00000
T1606.001Forge Web CredentialsWeb Cookies00000
T1606.002Forge Web CredentialsSAML Tokens10001
Technique IDTechnique NameSub-technique Name# CAR# Sigma# ES# Splunk# Total
T1001Data Obfuscationn/a00000
T1001.001Data ObfuscationJunk Data00000
T1001.002Data ObfuscationSteganography00000
T1001.003Data ObfuscationProtocol Impersonation03014
T1003OS Credential Dumpingn/a023343693
T1003.001OS Credential DumpingLSASS Memory5751014104
T1003.002OS Credential DumpingSecurity Account Manager1285943
T1003.003OS Credential DumpingNTDS2191830
T1003.004OS Credential DumpingLSA Secrets0121013
T1003.005OS Credential DumpingCached Domain Credentials08019
T1003.006OS Credential DumpingDCSync08008
T1003.007OS Credential DumpingProc Filesystem00000
T1003.008OS Credential Dumping/etc/passwd and /etc/shadow00112
T1005Data from Local Systemn/a072110
T1006Direct Volume Accessn/a01102
T1007System Service Discoveryn/a23005
T1008Fallback Channelsn/a02002
T1010Application Window Discoveryn/a11002
T1011Exfiltration Over Other Network Mediumn/a00000
T1011.001Exfiltration Over Other Network MediumExfiltration Over Bluetooth00000
T1012Query Registryn/a3101216
T1014Rootkitn/a01034
T1016System Network Configuration Discoveryn/a283417
T1016.001System Network Configuration DiscoveryInternet Connection Discovery00011
T1018Remote System Discoveryn/a11541838
T1020Automated Exfiltrationn/a051612
T1020.001Automated ExfiltrationTraffic Duplication00011
T1021Remote Servicesn/a13342462
T1021.001Remote ServicesRemote Desktop Protocol3141927
T1021.002Remote ServicesSMB/Windows Admin Shares5336549
T1021.003Remote ServicesDistributed Component Object Model190515
T1021.004Remote ServicesSSH01124
T1021.005Remote ServicesVNC01001
T1021.006Remote ServicesWindows Remote Management390618
T1025Data from Removable Median/a00000
T1026Multiband Communicationn/a00000
T1027Obfuscated Files or Informationn/a0837898
T1027.001Obfuscated Files or InformationBinary Padding03003
T1027.002Obfuscated Files or InformationSoftware Packing01001
T1027.003Obfuscated Files or InformationSteganography05005
T1027.004Obfuscated Files or InformationCompile After Delivery05218
T1027.005Obfuscated Files or InformationIndicator Removal from Tools04026
T1027.006Obfuscated Files or InformationHTML Smuggling00101
T1029Scheduled Transfern/a10001
T1030Data Transfer Size Limitsn/a02002
T1033System Owner/User Discoveryn/a22541041
T1034Path Interceptionn/a00000
T1036Masqueradingn/a127162771
T1036.001MasqueradingInvalid Code Signature00000
T1036.002MasqueradingRight-to-Left Override00000
T1036.003MasqueradingRename System Utilities12122246
T1036.004MasqueradingMasquerade Task or Service02013
T1036.005MasqueradingMatch Legitimate Name or Location191112
T1036.006MasqueradingSpace after Filename01102
T1036.007MasqueradingDouble File Extension02103
T1037Boot or Logon Initialization Scriptsn/a00527
T1037.001Boot or Logon Initialization ScriptsLogon Script (Windows)22015
T1037.002Boot or Logon Initialization ScriptsLogin Hook00000
T1037.003Boot or Logon Initialization ScriptsNetwork Logon Script00000
T1037.004Boot or Logon Initialization ScriptsRC Scripts00213
T1037.005Boot or Logon Initialization ScriptsStartup Items01001
T1039Data from Network Shared Driven/a12014
T1040Network Sniffingn/a182112
T1041Exfiltration Over C2 Channeln/a03014
T1043Commonly Used Portn/a00000
T1046Network Service Discoveryn/a2111014
T1047Windows Management Instrumentationn/a34051462
T1048Exfiltration Over Alternative Protocoln/a076922
T1048.001Exfiltration Over Alternative ProtocolExfiltration Over Symmetric Encrypted Non-C2 Protocol01001
T1048.002Exfiltration Over Alternative ProtocolExfiltration Over Asymmetric Encrypted Non-C2 Protocol00000
T1048.003Exfiltration Over Alternative ProtocolExfiltration Over Unencrypted Non-C2 Protocol0140923
T1049System Network Connections Discoveryn/a181616
T1051Shared Webrootn/a00000
T1052Exfiltration Over Physical Mediumn/a00000
T1052.001Exfiltration Over Physical MediumExfiltration over USB00000
T1053Scheduled Task/Jobn/a011192858
T1053.002Scheduled Task/JobAt380314
T1053.003Scheduled Task/JobCron065617
T1053.004Scheduled Task/JobLaunchd00000
T1053.005Scheduled Task/JobScheduled Task63891568
T1053.006Scheduled Task/JobSystemd Timers00033
T1053.007Scheduled Task/JobContainer Orchestration Job00000
T1055Process Injectionn/a023132662
T1055.001Process InjectionDynamic-link Library Injection280414
T1055.002Process InjectionPortable Executable Injection00022
T1055.003Process InjectionThread Execution Hijacking02002
T1055.004Process InjectionAsynchronous Procedure Call00000
T1055.005Process InjectionThread Local Storage00000
T1055.008Process InjectionPtrace System Calls00000
T1055.009Process InjectionProc Memory00000
T1055.011Process InjectionExtra Window Memory Injection00000
T1055.012Process InjectionProcess Hollowing12205
T1055.013Process InjectionProcess Doppelgänging00000
T1055.014Process InjectionVDSO Hijacking00000
T1055.015Process InjectionListPlanting00000
T1056Input Capturen/a00213
T1056.001Input CaptureKeylogging02002
T1056.002Input CaptureGUI Input Capture03115
T1056.003Input CaptureWeb Portal Capture00000
T1056.004Input CaptureCredential API Hooking00000
T1057Process Discoveryn/a25209
T1059Command and Scripting Interpretern/a1516457173
T1059.001Command and Scripting InterpreterPowerShell3181732223
T1059.002Command and Scripting InterpreterAppleScript02204
T1059.003Command and Scripting InterpreterWindows Command Shell2210932
T1059.004Command and Scripting InterpreterUnix Shell0818329
T1059.005Command and Scripting InterpreterVisual Basic1180423
T1059.006Command and Scripting InterpreterPython02204
T1059.007Command and Scripting InterpreterJavaScript0133420
T1059.008Command and Scripting InterpreterNetwork Device CLI00000
T1061Graphical User Interfacen/a00000
T1062Hypervisorn/a00000
T1064Scriptingn/a00000
T1068Exploitation for Privilege Escalationn/a125181054
T1069Permission Groups Discoveryn/a0152531
T1069.001Permission Groups DiscoveryLocal Groups31411129
T1069.002Permission Groups DiscoveryDomain Groups31021833
T1069.003Permission Groups DiscoveryCloud Groups00011
T1070Indicator Removal on Hostn/a013142350
T1070.001Indicator Removal on HostClear Windows Event Logs283619
T1070.002Indicator Removal on HostClear Linux or Mac System Logs03104
T1070.003Indicator Removal on HostClear Command History172010
T1070.004Indicator Removal on HostFile Deletion01241228
T1070.005Indicator Removal on HostNetwork Share Connection Removal13015
T1070.006Indicator Removal on HostTimestomp05106
T1071Application Layer Protocoln/a06111027
T1071.001Application Layer ProtocolWeb Protocols0293234
T1071.002Application Layer ProtocolFile Transfer Protocols00011
T1071.003Application Layer ProtocolMail Protocols00033
T1071.004Application Layer ProtocolDNS0170421
T1072Software Deployment Toolsn/a03025
T1074Data Stagedn/a02215
T1074.001Data StagedLocal Data Staging04004
T1074.002Data StagedRemote Data Staging00101
T1078Valid Accountsn/a0424051133
T1078.001Valid AccountsDefault Accounts012811
T1078.002Valid AccountsDomain Accounts512614
T1078.003Valid AccountsLocal Accounts515213
T1078.004Valid AccountsCloud Accounts0312832
T1080Taint Shared Contentn/a00202
T1082System Information Discoveryn/a2147528
T1083File and Directory Discoveryn/a0122115
T1087Account Discoveryn/a01242743
T1087.001Account DiscoveryLocal Account21101124
T1087.002Account DiscoveryDomain Account21511937
T1087.003Account DiscoveryEmail Account00000
T1087.004Account DiscoveryCloud Account01001
T1090Proxyn/a0111315
T1090.001ProxyInternal Proxy03003
T1090.002ProxyExternal Proxy01001
T1090.003ProxyMulti-hop Proxy02103
T1090.004ProxyDomain Fronting00000
T1091Replication Through Removable Median/a01001
T1092Communication Through Removable Median/a00000
T1095Non-Application Layer Protocoln/a04127
T1098Account Manipulationn/a122351068
T1098.001Account ManipulationAdditional Cloud Credentials00011
T1098.002Account ManipulationAdditional Email Delegate Permissions00202
T1098.003Account ManipulationAdditional Cloud Roles01326
T1098.004Account ManipulationSSH Authorized Keys00134
T1098.005Account ManipulationDevice Registration00000
T1102Web Servicen/a03126
T1102.001Web ServiceDead Drop Resolver03003
T1102.002Web ServiceBidirectional Communication02002
T1102.003Web ServiceOne-Way Communication02002
T1104Multi-Stage Channelsn/a01001
T1105Ingress Tool Transfern/a44792383
T1106Native APIn/a0126018
T1108Redundant Accessn/a00000
T1110Brute Forcen/a010192554
T1110.001Brute ForcePassword Guessing036312
T1110.002Brute ForcePassword Cracking01001
T1110.003Brute ForcePassword Spraying0861529
T1110.004Brute ForceCredential Stuffing00055
T1111Multi-Factor Authentication Interceptionn/a00101
T1112Modify Registryn/a862525100
T1113Screen Capturen/a061310
T1114Email Collectionn/a043815
T1114.001Email CollectionLocal Email Collection01023
T1114.002Email CollectionRemote Email Collection00134
T1114.003Email CollectionEmail Forwarding Rule00123
T1115Clipboard Datan/a06028
T1119Automated Collectionn/a05005
T1120Peripheral Device Discoveryn/a02103
T1123Audio Capturen/a06107
T1124System Time Discoveryn/a03014
T1125Video Capturen/a01001
T1127Trusted Developer Utilities Proxy Executionn/a0178934
T1127.001Trusted Developer Utilities Proxy ExecutionMSBuild113611
T1129Shared Modulesn/a00101
T1132Data Encodingn/a00000
T1132.001Data EncodingStandard Encoding01001
T1132.002Data EncodingNon-Standard Encoding00000
T1133External Remote Servicesn/a075012
T1134Access Token Manipulationn/a0012517
T1134.001Access Token ManipulationToken Impersonation/Theft071311
T1134.002Access Token ManipulationCreate Process with Token05319
T1134.003Access Token ManipulationMake and Impersonate Token01102
T1134.004Access Token ManipulationParent PID Spoofing01214
T1134.005Access Token ManipulationSID-History Injection01001
T1135Network Share Discoveryn/a073010
T1136Create Accountn/a0171422
T1136.001Create AccountLocal Account1122520
T1136.002Create AccountDomain Account02002
T1136.003Create AccountCloud Account0221014
T1137Office Application Startupn/a06208
T1137.001Office Application StartupOffice Template Macros00000
T1137.002Office Application StartupOffice Test01001
T1137.003Office Application StartupOutlook Forms01001
T1137.004Office Application StartupOutlook Home Page00000
T1137.005Office Application StartupOutlook Rules00000
T1137.006Office Application StartupAdd-ins03003
T1140Deobfuscate/Decode Files or Informationn/a1136222
T1149LC_MAIN Hijackingn/a00000
T1153Sourcen/a00000
T1175Component Object Model and Distributed COMn/a00000
T1176Browser Extensionsn/a01001
T1185Browser Session Hijackingn/a01001
T1187Forced Authenticationn/a13015
T1189Drive-by Compromisen/a02158
T1190Exploit Public-Facing Applicationn/a0741531120
T1195Supply Chain Compromisen/a01438
T1195.001Supply Chain CompromiseCompromise Software Dependencies and Development Tools01023
T1195.002Supply Chain CompromiseCompromise Software Supply Chain00415
T1195.003Supply Chain CompromiseCompromise Hardware Supply Chain00000
T1197BITS Jobsn/a2161625
T1199Trusted Relationshipn/a01023
T1200Hardware Additionsn/a02057
T1201Password Policy Discoveryn/a040711
T1202Indirect Command Executionn/a0280432
T1203Exploitation for Client Executionn/a0212427
T1204User Executionn/a0871530
T1204.001User ExecutionMalicious Link02013
T1204.002User ExecutionMalicious File1263434
T1204.003User ExecutionMalicious Image00077
T1205Traffic Signalingn/a00000
T1205.001Traffic SignalingPort Knocking00000
T1207Rogue Domain Controllern/a01001
T1210Exploitation of Remote Servicesn/a081312
T1211Exploitation for Defense Evasionn/a03104
T1212Exploitation for Credential Accessn/a081211
T1213Data from Information Repositoriesn/a00011
T1213.001Data from Information RepositoriesConfluence00000
T1213.002Data from Information RepositoriesSharepoint00000
T1213.003Data from Information RepositoriesCode Repositories00000
T1216System Script Proxy Executionn/a0170118
T1216.001System Script Proxy ExecutionPubPrn02002
T1217Browser Bookmark Discoveryn/a03003
T1218System Binary Proxy Executionn/a0941870182
T1218.001System Binary Proxy ExecutionCompiled HTML File151815
T1218.002System Binary Proxy ExecutionControl Panel01113
T1218.003System Binary Proxy ExecutionCMSTP170311
T1218.004System Binary Proxy ExecutionInstallUtil001910
T1218.005System Binary Proxy ExecutionMshta0841224
T1218.007System Binary Proxy ExecutionMsiexec090918
T1218.008System Binary Proxy ExecutionOdbcconf01045
T1218.009System Binary Proxy ExecutionRegsvcs/Regasm01168
T1218.010System Binary Proxy ExecutionRegsvr322162626
T1218.011System Binary Proxy ExecutionRundll3213231652
T1218.012System Binary Proxy ExecutionVerclsid00011
T1218.013System Binary Proxy ExecutionMavinject02013
T1218.014System Binary Proxy ExecutionMMC00033
T1219Remote Access Softwaren/a0283334
T1220XSL Script Processingn/a03328
T1221Template Injectionn/a01001
T1222File and Directory Permissions Modificationn/a0041115
T1222.001File and Directory Permissions ModificationWindows File and Directory Permissions Modification14027
T1222.002File and Directory Permissions ModificationLinux and Mac File and Directory Permissions Modification14117
T1480Execution Guardrailsn/a00000
T1480.001Execution GuardrailsEnvironmental Keying00000
T1482Domain Trust Discoveryn/a01321126
T1484Domain Policy Modificationn/a02428
T1484.001Domain Policy ModificationGroup Policy Modification02002
T1484.002Domain Policy ModificationDomain Trust Modification00123
T1485Data Destructionn/a01081937
T1486Data Encrypted for Impactn/a0101718
T1489Service Stopn/a0761427
T1490Inhibit System Recoveryn/a21861238
T1491Defacementn/a00022
T1491.001DefacementInternal Defacement02002
T1491.002DefacementExternal Defacement00000
T1495Firmware Corruptionn/a01001
T1496Resource Hijackingn/a04105
T1497Virtualization/Sandbox Evasionn/a00112
T1497.001Virtualization/Sandbox EvasionSystem Checks01001
T1497.002Virtualization/Sandbox EvasionUser Activity Based Checks00000
T1497.003Virtualization/Sandbox EvasionTime Based Evasion00011
T1498Network Denial of Servicen/a00178
T1498.001Network Denial of ServiceDirect Network Flood00000
T1498.002Network Denial of ServiceReflection Amplification00011
T1499Endpoint Denial of Servicen/a01113
T1499.001Endpoint Denial of ServiceOS Exhaustion Flood01001
T1499.002Endpoint Denial of ServiceService Exhaustion Flood00000
T1499.003Endpoint Denial of ServiceApplication Exhaustion Flood00000
T1499.004Endpoint Denial of ServiceApplication or System Exploitation03003
T1505Server Software Componentn/a012710
T1505.001Server Software ComponentSQL Stored Procedures00000
T1505.002Server Software ComponentTransport Agent03003
T1505.003Server Software ComponentWeb Shell1272737
T1505.004Server Software ComponentIIS Components00000
T1505.005Server Software ComponentTerminal Services DLL01001
T1518Software Discoveryn/a02305
T1518.001Software DiscoverySecurity Software Discovery14207
T1525Implant Internal Imagen/a01001
T1526Cloud Service Discoveryn/a021710
T1528Steal Application Access Tokenn/a0103013
T1529System Shutdown/Rebootn/a06039
T1530Data from Cloud Storage Objectn/a005611
T1531Account Access Removaln/a039416
T1534Internal Spearphishingn/a00000
T1535Unused/Unsupported Cloud Regionsn/a00088
T1537Transfer Data to Cloud Accountn/a046212
T1538Cloud Service Dashboardn/a00000
T1539Steal Web Session Cookien/a02305
T1542Pre-OS Bootn/a00011
T1542.001Pre-OS BootSystem Firmware02002
T1542.002Pre-OS BootComponent Firmware00000
T1542.003Pre-OS BootBootkit01001
T1542.004Pre-OS BootROMMONkit00000
T1542.005Pre-OS BootTFTP Boot00011
T1543Create or Modify System Processn/a09281653
T1543.001Create or Modify System ProcessLaunch Agent00325
T1543.002Create or Modify System ProcessSystemd Service02103
T1543.003Create or Modify System ProcessWindows Service640101470
T1543.004Create or Modify System ProcessLaunch Daemon00000
T1546Event Triggered Executionn/a09151539
T1546.001Event Triggered ExecutionChange Default File Association13037
T1546.002Event Triggered ExecutionScreensaver14117
T1546.003Event Triggered ExecutionWindows Management Instrumentation Event Subscription1121317
T1546.004Event Triggered ExecutionUnix Shell Configuration Modification01124
T1546.005Event Triggered ExecutionTrap00000
T1546.006Event Triggered ExecutionLC_LOAD_DYLIB Addition00000
T1546.007Event Triggered ExecutionNetsh Helper DLL02002
T1546.008Event Triggered ExecutionAccessibility Features371112
T1546.009Event Triggered ExecutionAppCert DLLs02103
T1546.010Event Triggered ExecutionAppInit DLLs21104
T1546.011Event Triggered ExecutionApplication Shimming02237
T1546.012Event Triggered ExecutionImage File Execution Options Injection02125
T1546.013Event Triggered ExecutionPowerShell Profile03104
T1546.014Event Triggered ExecutionEmond01203
T1546.015Event Triggered ExecutionComponent Object Model Hijacking191415
T1547Boot or Logon Autostart Executionn/a06241646
T1547.001Boot or Logon Autostart ExecutionRegistry Run Keys / Startup Folder4319246
T1547.002Boot or Logon Autostart ExecutionAuthentication Package01203
T1547.003Boot or Logon Autostart ExecutionTime Providers01113
T1547.004Boot or Logon Autostart ExecutionWinlogon Helper DLL23005
T1547.005Boot or Logon Autostart ExecutionSecurity Support Provider01113
T1547.006Boot or Logon Autostart ExecutionKernel Modules and Extensions01438
T1547.007Boot or Logon Autostart ExecutionRe-opened Applications00000
T1547.008Boot or Logon Autostart ExecutionLSASS Driver01012
T1547.009Boot or Logon Autostart ExecutionShortcut Modification04004
T1547.010Boot or Logon Autostart ExecutionPort Monitors14117
T1547.012Boot or Logon Autostart ExecutionPrint Processors00077
T1547.013Boot or Logon Autostart ExecutionXDG Autostart Entries00000
T1547.014Boot or Logon Autostart ExecutionActive Setup01012
T1547.015Boot or Logon Autostart ExecutionLogin Items00000
T1548Abuse Elevation Control Mechanismn/a117235192
T1548.001Abuse Elevation Control MechanismSetuid and Setgid01236
T1548.002Abuse Elevation Control MechanismBypass User Account Control348111375
T1548.003Abuse Elevation Control MechanismSudo and Sudo Caching0243238
T1548.004Abuse Elevation Control MechanismElevated Execution with Prompt00101
T1550Use Alternate Authentication Materialn/a036918
T1550.001Use Alternate Authentication MaterialApplication Access Token03508
T1550.002Use Alternate Authentication MaterialPass the Hash15039
T1550.003Use Alternate Authentication MaterialPass the Ticket03137
T1550.004Use Alternate Authentication MaterialWeb Session Cookie00000
T1552Unsecured Credentialsn/a057517
T1552.001Unsecured CredentialsCredentials In Files1142118
T1552.002Unsecured CredentialsCredentials in Registry13037
T1552.003Unsecured CredentialsBash History03003
T1552.004Unsecured CredentialsPrivate Keys05117
T1552.005Unsecured CredentialsCloud Instance Metadata API00000
T1552.006Unsecured CredentialsGroup Policy Preferences04004
T1552.007Unsecured CredentialsContainer API02002
T1553Subvert Trust Controlsn/a02529
T1553.001Subvert Trust ControlsGatekeeper Bypass01001
T1553.002Subvert Trust ControlsCode Signing01102
T1553.003Subvert Trust ControlsSIP and Trust Provider Hijacking01102
T1553.004Subvert Trust ControlsInstall Root Certificate152210
T1553.005Subvert Trust ControlsMark-of-the-Web Bypass03003
T1553.006Subvert Trust ControlsCode Signing Policy Modification00000
T1554Compromise Client Software Binaryn/a03227
T1555Credentials from Password Storesn/a049417
T1555.001Credentials from Password StoresKeychain01405
T1555.002Credentials from Password StoresSecurityd Memory00000
T1555.003Credentials from Password StoresCredentials from Web Browsers02237
T1555.004Credentials from Password StoresWindows Credential Manager04206
T1555.005Credentials from Password StoresPassword Managers01012
T1556Modify Authentication Processn/a029516
T1556.001Modify Authentication ProcessDomain Controller Authentication00000
T1556.002Modify Authentication ProcessPassword Filter DLL03003
T1556.003Modify Authentication ProcessPluggable Authentication Modules00000
T1556.004Modify Authentication ProcessNetwork Device Authentication00000
T1556.005Modify Authentication ProcessReversible Encryption00000
T1557Adversary-in-the-Middlen/a01045
T1557.001Adversary-in-the-MiddleLLMNR/NBT-NS Poisoning and SMB Relay07007
T1557.002Adversary-in-the-MiddleARP Cache Poisoning00033
T1557.003Adversary-in-the-MiddleDHCP Spoofing00000
T1558Steal or Forge Kerberos Ticketsn/a0391830
T1558.001Steal or Forge Kerberos TicketsGolden Ticket00011
T1558.002Steal or Forge Kerberos TicketsSilver Ticket00000
T1558.003Steal or Forge Kerberos TicketsKerberoasting0111820
T1558.004Steal or Forge Kerberos TicketsAS-REP Roasting00077
T1559Inter-Process Communicationn/a01203
T1559.001Inter-Process CommunicationComponent Object Model04116
T1559.002Inter-Process CommunicationDynamic Data Exchange11002
T1559.003Inter-Process CommunicationXPC Services00000
T1560Archive Collected Datan/a022610
T1560.001Archive Collected DataArchive via Utility1122621
T1560.002Archive Collected DataArchive via Library00000
T1560.003Archive Collected DataArchive via Custom Method00000
T1561Disk Wipen/a00022
T1561.001Disk WipeDisk Content Wipe01001
T1561.002Disk WipeDisk Structure Wipe01023
T1562Impair Defensesn/a0177762156
T1562.001Impair DefensesDisable or Modify Tools3743945161
T1562.002Impair DefensesDisable Windows Event Logging1122015
T1562.003Impair DefensesImpair Command History Logging00000
T1562.004Impair DefensesDisable or Modify System Firewall0134522
T1562.006Impair DefensesIndicator Blocking243110
T1562.007Impair DefensesDisable or Modify Cloud Firewall00369
T1562.008Impair DefensesDisable Cloud Logs00066
T1562.009Impair DefensesSafe Mode Boot00000
T1562.010Impair DefensesDowngrade Attack01001
T1563Remote Service Session Hijackingn/a00000
T1563.001Remote Service Session HijackingSSH Hijacking00000
T1563.002Remote Service Session HijackingRDP Hijacking02002
T1564Hide Artifactsn/a067114
T1564.001Hide ArtifactsHidden Files and Directories085215
T1564.002Hide ArtifactsHidden Users04004
T1564.003Hide ArtifactsHidden Window02002
T1564.004Hide ArtifactsNTFS File Attributes2192023
T1564.005Hide ArtifactsHidden File System00000
T1564.006Hide ArtifactsRun Virtual Instance02002
T1564.007Hide ArtifactsVBA Stomping00000
T1564.008Hide ArtifactsEmail Hiding Rules00000
T1564.009Hide ArtifactsResource Forking00000
T1564.010Hide ArtifactsProcess Argument Spoofing00000
T1565Data Manipulationn/a03306
T1565.001Data ManipulationStored Data Manipulation03306
T1565.002Data ManipulationTransmitted Data Manipulation01001
T1565.003Data ManipulationRuntime Data Manipulation00000
T1566Phishingn/a09173359
T1566.001PhishingSpearphishing Attachment015112955
T1566.002PhishingSpearphishing Link018110
T1566.003PhishingSpearphishing via Service00011
T1567Exfiltration Over Web Servicen/a071210
T1567.001Exfiltration Over Web ServiceExfiltration to Code Repository03003
T1567.002Exfiltration Over Web ServiceExfiltration to Cloud Storage07018
T1568Dynamic Resolutionn/a01304
T1568.001Dynamic ResolutionFast Flux DNS00000
T1568.002Dynamic ResolutionDomain Generation Algorithms02316
T1568.003Dynamic ResolutionDNS Calculation00000
T1569System Servicesn/a043512
T1569.001System ServicesLaunchctl10001
T1569.002System ServicesService Execution4403552
T1570Lateral Tool Transfern/a32106
T1571Non-Standard Portn/a03104
T1572Protocol Tunnelingn/a0125320
T1573Encrypted Channeln/a04127
T1573.001Encrypted ChannelSymmetric Cryptography00000
T1573.002Encrypted ChannelAsymmetric Cryptography00000
T1574Hijack Execution Flown/a0891128
T1574.001Hijack Execution FlowDLL Search Order Hijacking1221428
T1574.002Hijack Execution FlowDLL Side-Loading0422549
T1574.004Hijack Execution FlowDylib Hijacking00000
T1574.005Hijack Execution FlowExecutable Installer File Permissions Weakness01001
T1574.006Hijack Execution FlowDynamic Linker Hijacking02316
T1574.007Hijack Execution FlowPath Interception by PATH Environment Variable11305
T1574.008Hijack Execution FlowPath Interception by Search Order Hijacking11002
T1574.009Hijack Execution FlowPath Interception by Unquoted Path20013
T1574.010Hijack Execution FlowServices File Permissions Weakness20103
T1574.011Hijack Execution FlowServices Registry Permissions Weakness490215
T1574.012Hijack Execution FlowCOR_PROFILER02002
T1574.013Hijack Execution FlowKernelCallbackTable00000
T1578Modify Cloud Compute Infrastructuren/a01203
T1578.001Modify Cloud Compute InfrastructureCreate Snapshot00000
T1578.002Modify Cloud Compute InfrastructureCreate Cloud Instance00000
T1578.003Modify Cloud Compute InfrastructureDelete Cloud Instance01001
T1578.004Modify Cloud Compute InfrastructureRevert Cloud Instance00101
T1580Cloud Infrastructure Discoveryn/a00022
T1583Acquire Infrastructuren/a00000
T1583.001Acquire InfrastructureDomains00000
T1583.002Acquire InfrastructureDNS Server00000
T1583.003Acquire InfrastructureVirtual Private Server00000
T1583.004Acquire InfrastructureServer00000
T1583.005Acquire InfrastructureBotnet00000
T1583.006Acquire InfrastructureWeb Services00000
T1584Compromise Infrastructuren/a02002
T1584.001Compromise InfrastructureDomains00000
T1584.002Compromise InfrastructureDNS Server00000
T1584.003Compromise InfrastructureVirtual Private Server00000
T1584.004Compromise InfrastructureServer00000
T1584.005Compromise InfrastructureBotnet00000
T1584.006Compromise InfrastructureWeb Services00000
T1585Establish Accountsn/a00000
T1585.001Establish AccountsSocial Media Accounts00000
T1585.002Establish AccountsEmail Accounts00000
T1586Compromise Accountsn/a0002626
T1586.001Compromise AccountsSocial Media Accounts00000
T1586.002Compromise AccountsEmail Accounts00000
T1587Develop Capabilitiesn/a05005
T1587.001Develop CapabilitiesMalware0100010
T1587.002Develop CapabilitiesCode Signing Certificates00000
T1587.003Develop CapabilitiesDigital Certificates00022
T1587.004Develop CapabilitiesExploits00000
T1588Obtain Capabilitiesn/a02103
T1588.001Obtain CapabilitiesMalware01001
T1588.002Obtain CapabilitiesTool07029
T1588.003Obtain CapabilitiesCode Signing Certificates00000
T1588.004Obtain CapabilitiesDigital Certificates00022
T1588.005Obtain CapabilitiesExploits00000
T1588.006Obtain CapabilitiesVulnerabilities00000
T1589Gather Victim Identity Informationn/a01023
T1589.001Gather Victim Identity InformationCredentials00011
T1589.002Gather Victim Identity InformationEmail Addresses00011
T1589.003Gather Victim Identity InformationEmployee Names00000
T1590Gather Victim Network Informationn/a02024
T1590.001Gather Victim Network InformationDomain Properties00000
T1590.002Gather Victim Network InformationDNS00000
T1590.003Gather Victim Network InformationNetwork Trust Dependencies00000
T1590.004Gather Victim Network InformationNetwork Topology00000
T1590.005Gather Victim Network InformationIP Addresses00022
T1590.006Gather Victim Network InformationNetwork Security Appliances00000
T1591Gather Victim Org Informationn/a00000
T1591.001Gather Victim Org InformationDetermine Physical Locations00000
T1591.002Gather Victim Org InformationBusiness Relationships00000
T1591.003Gather Victim Org InformationIdentify Business Tempo00000
T1591.004Gather Victim Org InformationIdentify Roles00000
T1592Gather Victim Host Informationn/a01056
T1592.001Gather Victim Host InformationHardware00011
T1592.002Gather Victim Host InformationSoftware00000
T1592.003Gather Victim Host InformationFirmware00000
T1592.004Gather Victim Host InformationClient Configurations03003
T1593Search Open Websites/Domainsn/a00000
T1593.001Search Open Websites/DomainsSocial Media00000
T1593.002Search Open Websites/DomainsSearch Engines00000
T1594Search Victim-Owned Websitesn/a00000
T1595Active Scanningn/a00011
T1595.001Active ScanningScanning IP Blocks00000
T1595.002Active ScanningVulnerability Scanning01001
T1595.003Active ScanningWordlist Scanning00000
T1596Search Open Technical Databasesn/a00000
T1596.001Search Open Technical DatabasesDNS/Passive DNS00000
T1596.002Search Open Technical DatabasesWHOIS00000
T1596.003Search Open Technical DatabasesDigital Certificates00000
T1596.004Search Open Technical DatabasesCDNs00000
T1596.005Search Open Technical DatabasesScan Databases00000
T1597Search Closed Sourcesn/a00000
T1597.001Search Closed SourcesThreat Intel Vendors00000
T1597.002Search Closed SourcesPurchase Technical Data00000
T1598Phishing for Informationn/a00000
T1598.001Phishing for InformationSpearphishing Service00000
T1598.002Phishing for InformationSpearphishing Attachment00000
T1598.003Phishing for InformationSpearphishing Link00000
T1599Network Boundary Bridgingn/a00000
T1599.001Network Boundary BridgingNetwork Address Translation Traversal01001
T1600Weaken Encryptionn/a00000
T1600.001Weaken EncryptionReduce Key Space00000
T1600.002Weaken EncryptionDisable Crypto Hardware00000
T1601Modify System Imagen/a00000
T1601.001Modify System ImagePatch System Image00000
T1601.002Modify System ImageDowngrade System Image00000
T1602Data from Configuration Repositoryn/a00000
T1602.001Data from Configuration RepositorySNMP (MIB Dump)00000
T1602.002Data from Configuration RepositoryNetwork Device Configuration Dump00000
T1606Forge Web Credentialsn/a00000
T1606.001Forge Web CredentialsWeb Cookies00000
T1606.002Forge Web CredentialsSAML Tokens10001
T1608Stage Capabilitiesn/a01001
T1608.001Stage CapabilitiesUpload Malware00000
T1608.002Stage CapabilitiesUpload Tool00000
T1608.003Stage CapabilitiesInstall Digital Certificate00000
T1608.004Stage CapabilitiesDrive-by Target00000
T1608.005Stage CapabilitiesLink Target00000
T1609Container Administration Commandn/a00101
T1610Deploy Containern/a00606
T1611Escape to Hostn/a00606
T1612Build Image on Hostn/a00000
T1613Container and Resource Discoveryn/a00202
T1614System Location Discoveryn/a00101
T1614.001System Location DiscoverySystem Language Discovery01001
T1615Group Policy Discoveryn/a04004
T1619Cloud Storage Object Discoveryn/a00000
T1620Reflective Code Loadingn/a01001
T1621Multi-Factor Authentication Request Generationn/a00077
T1622Debugger Evasionn/a00000
T1647Plist File Modificationn/a00213
\ No newline at end of file + From baacbcce13eba99fab28bc4972e94bc4d75e001a Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 30 Dec 2022 09:25:48 -0500 Subject: [PATCH 27/82] Update index.md --- docs/coverage/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/coverage/index.md b/docs/coverage/index.md index 9eb9d871..50c6b12c 100644 --- a/docs/coverage/index.md +++ b/docs/coverage/index.md @@ -24,7 +24,7 @@ This data is also available as: * [Splunk Analytic Coverage](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/splunk_analytic_coverage_12_30_2022.json). - +
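Review bot: the only change in the `docs/coverage/index.md` hunk is the line after the Splunk Analytic Coverage bullet, which is removed and re-added as what appears to be an empty line, so this is a whitespace-only edit; the commit message "Update index.md" does not say so, and a one-line message such as "Strip trailing whitespace in coverage index" would make the intent clear to anyone reading the history.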
From 9edfaa1f40c32f3195eaac86cfbccf641a782792 Mon Sep 17 00:00:00 2001 From: Lex <86126040+alexiacrumpton@users.noreply.github.com> Date: Fri, 3 Feb 2023 11:27:44 -0500 Subject: [PATCH 28/82] Update CAR-2016-04-002.yaml --- analytics/CAR-2016-04-002.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/analytics/CAR-2016-04-002.yaml b/analytics/CAR-2016-04-002.yaml index 25c9be57..9306a8c0 100644 --- a/analytics/CAR-2016-04-002.yaml +++ b/analytics/CAR-2016-04-002.yaml 
@@ -18,10 +18,10 @@ contributors: id: CAR-2016-04-002 description: 'It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. 1. This is often done using `wevtutil`, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. - 2. Alerting when a `Clear Event Log` is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.' + 2. Alerting when a `Clear Event Log` is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk. 3. Attackers may set the option of the sources of events with `Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite` to not delete old Evenlog when the .evtx is full. By default the Security Log size is configured with the minimum value of 20 480KB (~23 000 EventLog). So if this option is enabled, all the new EventLogs will be automatically deleted. We can detect this behavior with the Security EventLog 1104. 4. 
Attackers may delete .evtx with `del C:\Windows\System32\winevt\logs\Security.evtx` or `Remove-Item C:\Windows\System32\winevt\logs\Security.evtx` after having disabled and stopped the Eventlog service. As the EventLog service is disabled and stopped, the .evtx files are no longer used by this service and can be deleted. The new EventLog will be Unavailable until the configuration is reset. - 5. Attackers may use the powershell command `Remove-EventLog -LogName Security` to unregister source of events that are part of Windows (Application, Security…). This command deletes the security EventLog (which also generates EventId 1102) but the new Eventlogs are still recorded until the system is rebooted . After the System is rebooted, the Security log is unregistered and doesn’t log any new Eventlog. However logs generated between the command and the reboot are still available in the .evtx file. + 5. Attackers may use the powershell command `Remove-EventLog -LogName Security` to unregister source of events that are part of Windows (Application, Security…). This command deletes the security EventLog (which also generates EventId 1102) but the new Eventlogs are still recorded until the system is rebooted . After the System is rebooted, the Security log is unregistered and doesn’t log any new Eventlog. However logs generated between the command and the reboot are still available in the .evtx file.' coverage: - technique: T1070 tactics: From 1428226a123a6f5ce49678280be0eefe69af6a92 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Sat, 4 Feb 2023 18:01:59 -0500 Subject: [PATCH 29/82] Handle the case when the by_technique directory wasn't already created Useful when we're doing as full a refresh as possible in /docs/analytics --- scripts/generate_analytics.py | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/generate_analytics.py b/scripts/generate_analytics.py index 2c9959fc..f1c8c3c8 100755 --- a/scripts/generate_analytics.py 
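Review bot: the hunk in `analytics/CAR-2016-04-002.yaml` fixes a real parsing problem, since the closing `'` after item 2 left items 3 to 5 outside the single-quoted `description` scalar; moving the quote to the end of item 5 is the right fix. Two things to check in the same scalar: YAML folds single line breaks inside a quoted scalar into spaces, so the five numbered items will render as one run-on paragraph unless they are separated by blank lines or the field is switched to a block scalar (`|`, as done for the auditd sensor description later in this series); and the text carries the typo `Evenlog` in item 3 and a space before the period in item 5 (`rebooted .`). Any straight apostrophe added to this text later would need doubling (`''`) inside a single-quoted scalar; the current `doesn’t` uses a curly apostrophe and is safe.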
+++ b/scripts/generate_analytics.py @@ -226,6 +226,7 @@ index_file.write(index_content) index_file.flush() index_file.close() +makedirs('../docs/analytics/by_technique', exist_ok=True) tech_index_file = open('../docs/analytics/by_technique/index.md', 'w') tech_index_file.write(subtechnique_table) tech_index_file.flush() From 4d95bfafdf72b28516d19eba50d77b72ad718c2d Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 15 Feb 2023 01:20:35 -0500 Subject: [PATCH 30/82] Moved auditd yaml to /sensors from /docs/sensors and also fixed a string parsing issue Signed-off-by: Amndeep Singh Mann --- {docs/sensors => sensors}/auditd_2.8.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) rename {docs/sensors => sensors}/auditd_2.8.yaml (94%) diff --git a/docs/sensors/auditd_2.8.yaml b/sensors/auditd_2.8.yaml similarity index 94% rename from docs/sensors/auditd_2.8.yaml rename to sensors/auditd_2.8.yaml index 5e9f50fa..2431fbfe 100755 --- a/docs/sensors/auditd_2.8.yaml +++ b/sensors/auditd_2.8.yaml @@ -3,7 +3,8 @@ sensor_name: auditd sensor_version: 2.8 sensor_developer: Red Hat sensor_url: 'https://people.redhat.com/sgrubb/audit/' -sensor_description: 'auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk' +sensor_description: | + auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk mappings: - object: file action: create @@ -133,4 +134,4 @@ mappings: - value - data other_coverage: - - 'N/A' \ No newline at end of file + - 'N/A' From ad37faa6ff45c302dcae3e8b60ecef9f6bd09694 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 15 Feb 2023 01:21:55 -0500 Subject: [PATCH 31/82] make generate scripts more robust by adding a dependency warning (sensors needs to run after analytics) and ensuring that the directories in /docs they need exist 
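Review bot: the added `makedirs('../docs/analytics/by_technique', exist_ok=True)` in `scripts/generate_analytics.py` calls `makedirs` as a bare name, but this hunk adds no import; confirm the module already has `from os import makedirs` (or switch to `os.makedirs`), otherwise the script fails with `NameError` on exactly the fresh-checkout case the commit is meant to fix. The path is also relative to the working directory rather than to the script, so the call only works when run from `scripts/`; `path.join(path.dirname(__file__), ...)` would remove that assumption, and the `open(...)` that follows would be safer as a `with` block so the index file is flushed and closed even if `write` raises.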
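Review bot: in the first `auditd_2.8.yaml` hunk the switch to a block scalar is the correct fix, because the apostrophe in `It's` terminated the old single-quoted `sensor_description` and made the file unparseable. Be aware that `|` keeps a trailing newline on the value; if the description is interpolated into a Markdown template, `|-` avoids a stray blank line. The second hunk only adds the missing newline at end of file. Since the file moves from `docs/sensors/` to `sensors/`, check that `generate_sensors.py` reads the new location, because nothing in this diff updates that path.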
Signed-off-by: Amndeep Singh Mann --- scripts/generate_attack_nav_layer.py | 3 ++- scripts/generate_sensors.py | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/generate_attack_nav_layer.py b/scripts/generate_attack_nav_layer.py index 0fba73be..4f8cb3d3 100644 --- a/scripts/generate_attack_nav_layer.py +++ b/scripts/generate_attack_nav_layer.py @@ -6,7 +6,7 @@ import glob import yaml import sys -from os import path +from os import path, makedirs # Static ATT&CK Navigator layer JSON fields VERSION = "3.0" @@ -67,6 +67,7 @@ def addMapping(technique, name, attack_mappings): layer_json["techniques"].append(technique) # Output JSON to docs directory +makedirs('../docs/car_attack', exist_ok=True) outfile = open("../docs/car_attack/car_attack.json","w") json.dump(layer_json, outfile, indent=4) outfile.close() diff --git a/scripts/generate_sensors.py b/scripts/generate_sensors.py index cc2b38aa..0d8007a6 100755 --- a/scripts/generate_sensors.py +++ b/scripts/generate_sensors.py @@ -1,5 +1,7 @@ """This script generates the sensor portion of the site, including coverage, for each YAML sensor mapping file. +NOTE: This script should be run after `generate_analytics.py` as it is +dependent on files in /docs/analytics existing and being up to date. """ import json @@ -181,6 +183,7 @@ def generateSensorsForAnalytics(analytics, sensor_dict): sensor_template = Template(open('sensor_template.md').read()) # Generate the sensor page for each sensor +makedirs('../docs/sensors', exist_ok=True) for sensor in mappings: sensor_tag = sensor['sensor_name'] + "_" + str(sensor['sensor_version']) # Generate the markdown From 7df9d68ad399b917f4260fb27317fdbbe48e5355 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 15 Feb 2023 01:23:54 -0500 Subject: [PATCH 32/82] automatically regenerate /docs/sensors/index.md and make index.md respect the capitalization of the tool as put in the yaml file 
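Review bot: `makedirs('../docs/sensors', exist_ok=True)` in the `generate_sensors.py` hunk at line 183 uses `makedirs` unqualified, but unlike `generate_attack_nav_layer.py`, whose first hunk extends the import to `from os import path, makedirs`, no hunk in this file adds an import; unless `generate_sensors.py` already imports it, the script now fails with `NameError` before generating any sensor page. Add the import in the same commit.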
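Review bot: the docstring NOTE in the `generate_sensors.py` hunk at line 1 only documents the ordering dependency on `generate_analytics.py`; since the commit message says the goal is to make the scripts more robust, consider also enforcing it, for example by checking that `../docs/analytics` exists and exiting with a clear message if it does not, so a wrong run order fails early instead of producing empty coverage tables.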
Signed-off-by: Amndeep Singh Mann --- scripts/generate_sensors.py | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/scripts/generate_sensors.py b/scripts/generate_sensors.py index 0d8007a6..5200fcf7 100755 --- a/scripts/generate_sensors.py +++ b/scripts/generate_sensors.py @@ -190,3 +190,31 @@ def generateSensorsForAnalytics(analytics, sensor_dict): markdown = sensor_template.render(sensor=sensor) # Save to the sensors directory open('../docs/sensors/{}.md'.format(sensor_tag.lower()), 'w').write(markdown) + +# Generate index file +index_content = '''--- +title: "Sensors" +--- + +Sensors are tools that collect data that can be used to run analytics. + +CAR currently has a limited number of sensors mapped to the CAR [Data Model](../data_model). They are: +{}'''.format( + '\n'.join( + ( + '* [{sensor_name} ({sensor_version})]({sensor_name_lower}_{sensor_version})'.format( + sensor_name=sensor['sensor_name'], + sensor_name_lower=sensor['sensor_name'].lower(), + sensor_version=sensor['sensor_version'] + ) for sensor in sorted( + mappings, + key=lambda sensor: ( + sensor['sensor_name'].lower(), + sensor['sensor_version'] + ) + ) + ) + ) + ) +with open('../docs/sensors/index.md', 'w') as index_file: + index_file.write(index_content) From 52f84b8eda6931ae3af0427b15d81d87b391da77 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 15 Feb 2023 01:29:39 -0500 Subject: [PATCH 33/82] ran generate_analytics 
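Review bot: the sort key in the new index-generation block of `generate_sensors.py` uses the raw `sensor['sensor_version']` value, which YAML types per file (`sensor_version: 2.8` in `auditd_2.8.yaml` loads as a float); if any sensor file quotes its version as a string or uses a bare integer, comparing the key tuples raises `TypeError` in Python 3, and a version such as `2.10` would load as `2.1` and be written that way in both the filename and the link. Normalising the version to `str(...)` in the sort key, and quoting `sensor_version` in the YAML files, avoids both problems. The link target `{sensor_name_lower}_{sensor_version}` does match the `sensor_tag.lower()` filename used a few lines above, so the capitalisation change itself is consistent.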
Signed-off-by: Amndeep Singh Mann --- docs/analytics/CAR-2013-01-002/index.md | 3 +- docs/analytics/CAR-2013-01-003/index.md | 3 +- docs/analytics/CAR-2013-02-003/index.md | 3 +- docs/analytics/CAR-2013-02-008/index.md | 3 +- docs/analytics/CAR-2013-02-012/index.md | 3 +- docs/analytics/CAR-2013-03-001/index.md | 3 +- docs/analytics/CAR-2013-04-002/index.md | 7 ++- docs/analytics/CAR-2013-05-002/index.md | 3 +- docs/analytics/CAR-2013-05-003/index.md | 3 +- docs/analytics/CAR-2013-05-004/index.md | 5 +- docs/analytics/CAR-2013-05-005/index.md | 3 +- docs/analytics/CAR-2013-05-009/index.md | 3 +- docs/analytics/CAR-2013-07-001/index.md | 3 +- docs/analytics/CAR-2013-07-002/index.md | 3 +- docs/analytics/CAR-2013-07-005/index.md | 3 +- docs/analytics/CAR-2013-08-001/index.md | 3 +- docs/analytics/CAR-2013-09-003/index.md | 3 +- docs/analytics/CAR-2013-09-005/index.md | 3 +- docs/analytics/CAR-2013-10-001/index.md | 3 +- docs/analytics/CAR-2013-10-002/index.md | 3 +- docs/analytics/CAR-2014-02-001/index.md | 3 +- docs/analytics/CAR-2014-03-001/index.md | 3 +- docs/analytics/CAR-2014-03-005/index.md | 3 +- docs/analytics/CAR-2014-03-006/index.md | 5 +- docs/analytics/CAR-2014-04-003/index.md | 3 +- docs/analytics/CAR-2014-05-001/index.md | 3 +- docs/analytics/CAR-2014-05-002/index.md | 3 +- docs/analytics/CAR-2014-07-001/index.md | 3 +- docs/analytics/CAR-2014-11-002/index.md | 3 +- docs/analytics/CAR-2014-11-003/index.md | 3 +- docs/analytics/CAR-2014-11-004/index.md | 3 +- docs/analytics/CAR-2014-11-005/index.md | 3 +- docs/analytics/CAR-2014-11-006/index.md | 3 +- docs/analytics/CAR-2014-11-007/index.md | 3 +- docs/analytics/CAR-2014-11-008/index.md | 3 +- docs/analytics/CAR-2014-12-001/index.md | 3 +- docs/analytics/CAR-2015-04-001/index.md | 5 +- docs/analytics/CAR-2015-04-002/index.md | 3 +- docs/analytics/CAR-2015-07-001/index.md | 3 +- docs/analytics/CAR-2016-03-001/index.md | 3 +- docs/analytics/CAR-2016-03-002/index.md | 3 +- 
docs/analytics/CAR-2016-04-002/index.md | 64 +++++++++++++++++++++---- docs/analytics/CAR-2016-04-003/index.md | 3 +- docs/analytics/CAR-2016-04-004/index.md | 3 +- docs/analytics/CAR-2016-04-005/index.md | 3 +- docs/analytics/CAR-2019-04-001/index.md | 3 +- docs/analytics/CAR-2019-04-002/index.md | 5 +- docs/analytics/CAR-2019-04-003/index.md | 5 +- docs/analytics/CAR-2019-04-004/index.md | 3 +- docs/analytics/CAR-2019-07-001/index.md | 3 +- docs/analytics/CAR-2019-07-002/index.md | 3 +- docs/analytics/CAR-2019-08-001/index.md | 3 +- docs/analytics/CAR-2019-08-002/index.md | 3 +- docs/analytics/CAR-2020-04-001/index.md | 3 +- docs/analytics/CAR-2020-05-001/index.md | 3 +- docs/analytics/CAR-2020-05-003/index.md | 3 +- docs/analytics/CAR-2020-08-001/index.md | 3 +- docs/analytics/CAR-2020-08-002/index.md | 3 +- docs/analytics/CAR-2020-09-001/index.md | 3 +- docs/analytics/CAR-2020-09-002/index.md | 3 +- docs/analytics/CAR-2020-09-003/index.md | 3 +- docs/analytics/CAR-2020-09-004/index.md | 3 +- docs/analytics/CAR-2020-09-005/index.md | 3 +- docs/analytics/CAR-2020-11-001/index.md | 3 +- docs/analytics/CAR-2020-11-002/index.md | 3 +- docs/analytics/CAR-2020-11-003/index.md | 3 +- docs/analytics/CAR-2020-11-004/index.md | 3 +- docs/analytics/CAR-2020-11-005/index.md | 5 +- docs/analytics/CAR-2020-11-006/index.md | 3 +- docs/analytics/CAR-2020-11-007/index.md | 5 +- docs/analytics/CAR-2020-11-008/index.md | 3 +- docs/analytics/CAR-2020-11-009/index.md | 5 +- docs/analytics/CAR-2020-11-010/index.md | 5 +- docs/analytics/CAR-2020-11-011/index.md | 3 +- docs/analytics/CAR-2021-01-001/index.md | 5 +- docs/analytics/CAR-2021-01-002/index.md | 3 +- docs/analytics/CAR-2021-01-003/index.md | 5 +- docs/analytics/CAR-2021-01-004/index.md | 3 +- docs/analytics/CAR-2021-01-006/index.md | 3 +- docs/analytics/CAR-2021-01-007/index.md | 3 +- docs/analytics/CAR-2021-01-008/index.md | 3 +- docs/analytics/CAR-2021-01-009/index.md | 3 +- docs/analytics/CAR-2021-02-001/index.md | 3 +- 
docs/analytics/CAR-2021-02-002/index.md | 3 +- docs/analytics/CAR-2021-04-001/index.md | 3 +- docs/analytics/CAR-2021-05-001/index.md | 3 +- docs/analytics/CAR-2021-05-002/index.md | 3 +- docs/analytics/CAR-2021-05-003/index.md | 3 +- docs/analytics/CAR-2021-05-004/index.md | 3 +- docs/analytics/CAR-2021-05-005/index.md | 3 +- docs/analytics/CAR-2021-05-006/index.md | 3 +- docs/analytics/CAR-2021-05-007/index.md | 3 +- docs/analytics/CAR-2021-05-008/index.md | 3 +- docs/analytics/CAR-2021-05-009/index.md | 3 +- docs/analytics/CAR-2021-05-010/index.md | 3 +- docs/analytics/CAR-2021-05-011/index.md | 3 +- docs/analytics/CAR-2021-05-012/index.md | 3 +- docs/analytics/CAR-2021-11-001/index.md | 3 +- docs/analytics/CAR-2021-11-002/index.md | 3 +- docs/analytics/CAR-2021-12-001/index.md | 3 +- docs/analytics/CAR-2021-12-002/index.md | 3 +- docs/analytics/CAR-2022-03-001/index.md | 3 +- docs/analytics/by_technique/index.md | 6 +-- docs/analytics/index.md | 22 ++++----- docs/data/analytics.json | 2 +- 105 files changed, 183 insertions(+), 240 deletions(-) diff --git a/docs/analytics/CAR-2013-01-002/index.md b/docs/analytics/CAR-2013-01-002/index.md index cd1c136e..aad379aa 100644 --- a/docs/analytics/CAR-2013-01-002/index.md +++ b/docs/analytics/CAR-2013-01-002/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness, TTP contributors: MITRE applicable_platforms: Windows --- - - +

The Sysinternals tool [Autoruns](../sensors/autoruns) checks the registry and file system for known identify persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain [Persistence](https://attack.mitre.org/tactics/TA0003). Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired. Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative. diff --git a/docs/analytics/CAR-2013-01-003/index.md b/docs/analytics/CAR-2013-01-003/index.md index 75764090..0261bdbb 100644 --- a/docs/analytics/CAR-2013-01-003/index.md +++ b/docs/analytics/CAR-2013-01-003/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: N/A --- - - +

[Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise. ### Output Description diff --git a/docs/analytics/CAR-2013-02-003/index.md b/docs/analytics/CAR-2013-02-003/index.md index 3e581573..8a8c3601 100644 --- a/docs/analytics/CAR-2013-02-003/index.md +++ b/docs/analytics/CAR-2013-02-003/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows --- - - +

The Windows [Command Prompt](https://en.wikipedia.org/wiki/cmd.exe) (`cmd.exe`) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as `dir`, `copy`, `mkdir`, and `type`, as well as batch scripts (`.bat`). Typically, when a user runs a command prompt, the parent process is `explorer.exe` or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process `cmd.exe` from certain parents may be more indicative of malice. For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of `cmd.exe`, it may be possible to detect adversaries. diff --git a/docs/analytics/CAR-2013-02-008/index.md b/docs/analytics/CAR-2013-02-008/index.md index d1333341..023ce975 100644 --- a/docs/analytics/CAR-2013-02-008/index.md +++ b/docs/analytics/CAR-2013-02-008/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. diff --git a/docs/analytics/CAR-2013-02-012/index.md b/docs/analytics/CAR-2013-02-012/index.md index 38ceef36..15553611 100644 --- a/docs/analytics/CAR-2013-02-012/index.md +++ b/docs/analytics/CAR-2013-02-012/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certain users will likely appear as being logged into several machines and may need to be "whitelisted." Such users would include network admins or user names that are common to many hosts. diff --git a/docs/analytics/CAR-2013-03-001/index.md b/docs/analytics/CAR-2013-03-001/index.md index c9c5fcda..9d01d6a1 100644 --- a/docs/analytics/CAR-2013-03-001/index.md +++ b/docs/analytics/CAR-2013-03-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via `regedit.exe` or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility `reg.exe` provides a [command-line interface](https://en.wikipedia.org/wiki/Command-line_interface) to the registry, so that queries and modifications can be performed from a shell, such as `cmd.exe`. When a user is responsible for these actions, the parent of `cmd.exe` will likely be `explorer.exe`. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly. ### Output Description diff --git a/docs/analytics/CAR-2013-04-002/index.md b/docs/analytics/CAR-2013-04-002/index.md index 6c83b1b0..cb0704f1 100644 --- a/docs/analytics/CAR-2013-04-002/index.md +++ b/docs/analytics/CAR-2013-04-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing. Commands of interest: 
@@ -60,7 +59,7 @@ The host on which the commands were executed, the time of execution, and what co |[Hijack Execution Flow](https://attack.mitre.org/techniques/T1574/)|[Services Registry Permissions Weakness](https://attack.mitre.org/techniques/T1574/011/)|[Persistence](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)|Low| |[Remote System Discovery](https://attack.mitre.org/techniques/T1018/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| |[System Services](https://attack.mitre.org/techniques/T1569/)|[Service Execution](https://attack.mitre.org/techniques/T1569/002/)|[Execution](https://attack.mitre.org/tactics/TA0002/)|Low| -|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At (Windows)](https://attack.mitre.org/techniques/T1053/002/), [Scheduled Task](https://attack.mitre.org/techniques/T1053/005/)|[Persistence](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/), [Execution](https://attack.mitre.org/tactics/TA0002/)|Low| +|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At](https://attack.mitre.org/techniques/T1053/002/), [Scheduled Task](https://attack.mitre.org/techniques/T1053/005/)|[Persistence](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/), [Execution](https://attack.mitre.org/tactics/TA0002/)|Low| |[Scheduled Transfer](https://attack.mitre.org/techniques/T1029/)|N/A|[Exfiltration](https://attack.mitre.org/tactics/TA0010/)|Low| |[System Owner/User Discovery](https://attack.mitre.org/techniques/T1033/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| |[System Service Discovery](https://attack.mitre.org/techniques/T1007/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| 
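Review bot: on the Scheduled Task/Job row, confirm the `At (Windows)` to `At` rename is also applied wherever these coverage tables are generated from; if the `index.md` pages are regenerated from the analytic YAML, a hand edit here is reverted on the next run. The edit itself is right: ATT&CK v11 renamed T1053.002 to `At` (the separate Linux sub-technique was deprecated into it) and the link target `T1053/002/` is unchanged, so the row still resolves.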
@@ -69,7 +68,7 @@ The host on which the commands were executed, the time of execution, and what co |[System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| |[Application Window Discovery](https://attack.mitre.org/techniques/T1010/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| |[Software Discovery](https://attack.mitre.org/techniques/T1518/)|[Security Software Discovery](https://attack.mitre.org/techniques/T1518/001/)|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| -|[Network Service Scanning](https://attack.mitre.org/techniques/T1046/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| +|[Network Service Discovery](https://attack.mitre.org/techniques/T1046/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Low| |[Impair Defenses](https://attack.mitre.org/techniques/T1562/)|[Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001/), [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| |[Account Manipulation](https://attack.mitre.org/techniques/T1098/)|N/A|[Credential Access](https://attack.mitre.org/tactics/TA0006/)|Low| |[Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)|[Visual Basic](https://attack.mitre.org/techniques/T1059/005/)|[Execution](https://attack.mitre.org/tactics/TA0002/)|Moderate| diff --git a/docs/analytics/CAR-2013-05-002/index.md b/docs/analytics/CAR-2013-05-002/index.md index bdb65c08..e4ae3e07 100644 --- a/docs/analytics/CAR-2013-05-002/index.md +++ b/docs/analytics/CAR-2013-05-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

In Windows, files should never execute out of certain directory locations. Any of these locations may exist for a variety of reasons, and executables may be present in the directory but should not execute. As a result, some defenders make the mistake of ignoring these directories and assuming that a process will never run from one. There are known TTPs that have taken advantage of this fact to go undetected. This fact should inform defenders to monitor these directories more closely, knowing that they should never contain running processes. Monitors the directories diff --git a/docs/analytics/CAR-2013-05-003/index.md b/docs/analytics/CAR-2013-05-003/index.md index d38e9010..61a44567 100644 --- a/docs/analytics/CAR-2013-05-003/index.md +++ b/docs/analytics/CAR-2013-05-003/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness, TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

As described in [CAR-2013-01-003](../CAR-2013-01-003), SMB provides a means of remotely managing a file system. Adversaries often use SMB to move laterally to a host. SMB is commonly used to upload files. It may be used for staging in [Exfiltration](https://attack.mitre.org/tactics/TA0010) or as a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to find techniques that actively change remote hosts, instead of passively reading files. diff --git a/docs/analytics/CAR-2013-05-004/index.md b/docs/analytics/CAR-2013-05-004/index.md index e09cdad9..06973576 100644 --- a/docs/analytics/CAR-2013-05-004/index.md +++ b/docs/analytics/CAR-2013-05-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

In order to gain [persistence](https://attack.mitre.org/tactics/TA0003/), [privilege escalation](https://attack.mitre.org/tactics/TA0004/), or [remote execution](https://attack.mitre.org/tactics/TA0002/), an adversary may use the Windows built-in command AT (at.exe) to [schedule a command](https://attack.mitre.org/techniques/T1053/002) to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe ([CAR-2013-08-001](../CAR-2013-08-001)) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users. @@ -18,7 +17,7 @@ The built-in Windows tool schtasks.exe ([CAR-2013-08-001](../CAR-2013-08-001)) o |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At (Windows)](https://attack.mitre.org/techniques/T1053/002/)|[Execution](https://attack.mitre.org/tactics/TA0002/), [Persistence](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)|Moderate| +|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At](https://attack.mitre.org/techniques/T1053/002/)|[Execution](https://attack.mitre.org/tactics/TA0002/), [Persistence](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004/)|Moderate| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2013-05-005/index.md b/docs/analytics/CAR-2013-05-005/index.md index 94ad88e9..b1a8263d 100644 --- a/docs/analytics/CAR-2013-05-005/index.md +++ b/docs/analytics/CAR-2013-05-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

An adversary needs to gain access to other hosts to move throughout an environment. In many cases, this is a twofold process. First, a file is remotely written to a host via an SMB share (detected by [CAR-2013-05-003](../CAR-2013-05-003)). Then, a variety of [Execution](https://attack.mitre.org/tactics/TA0002) techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity. This can possibly extend to more copy protocols in order to widen its reach, or it could be tuned more finely to focus on specific program run locations (e.g. `%SYSTEMROOT%\system32`) to gain a higher detection rate. diff --git a/docs/analytics/CAR-2013-05-009/index.md b/docs/analytics/CAR-2013-05-009/index.md index 9ee7725a..8e6fc0d4 100644 --- a/docs/analytics/CAR-2013-05-009/index.md +++ b/docs/analytics/CAR-2013-05-009/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Executables are generally not renamed, thus a given hash of an executable should only have ever one name. Identifying instances where multiple process names share the same hash may find cases where tools are copied by attackers to different folders or hosts to [avoid detection](https://attack.mitre.org/tactics/TA0005). Although this analytic was initially based on MD5 hashes, it is equally applicable to any hashing convention. diff --git a/docs/analytics/CAR-2013-07-001/index.md b/docs/analytics/CAR-2013-07-001/index.md index b94b0e1a..60a6ae48 100644 --- a/docs/analytics/CAR-2013-07-001/index.md +++ b/docs/analytics/CAR-2013-07-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better [blend in](https://attack.mitre.org/tactics/TA0005) with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters. Any tool of interest with commonly known command line usage can be detecting by command line analysis. Known substrings of command lines include diff --git a/docs/analytics/CAR-2013-07-002/index.md b/docs/analytics/CAR-2013-07-002/index.md index 9e3f6c4f..faa8f65c 100644 --- a/docs/analytics/CAR-2013-07-002/index.md +++ b/docs/analytics/CAR-2013-07-002/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness, TTP contributors: MITRE applicable_platforms: N/A --- - - +

The [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to [laterally move](https://attack.mitre.org/tactics/TA0008) to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise. Remote Desktop can be detected in several ways diff --git a/docs/analytics/CAR-2013-07-005/index.md b/docs/analytics/CAR-2013-07-005/index.md index 0b3cecce..871358e0 100644 --- a/docs/analytics/CAR-2013-07-005/index.md +++ b/docs/analytics/CAR-2013-07-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Before [exfiltrating data](https://attack.mitre.org/tactics/TA0010) that an adversary has [collected](https://attack.mitre.org/tactics/TA0009), it is very likely that a [compressed archive](https://attack.mitre.org/techniques/T1560) will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored. In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "`\* a \*`". This is helpful, as adversaries may change program names. diff --git a/docs/analytics/CAR-2013-08-001/index.md b/docs/analytics/CAR-2013-08-001/index.md index 1f9da11f..4e59652f 100644 --- a/docs/analytics/CAR-2013-08-001/index.md +++ b/docs/analytics/CAR-2013-08-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

The Windows built-in tool `schtasks.exe` provides the creation, modification, and running of [scheduled tasks](https://attack.mitre.org/techniques/T1053) on a local or remote computer. It is provided as a more flexible alternative to `at.exe`, described in [CAR-2013-05-004](../CAR-2013-05-004). Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. The scheduled tasks tool can be used to gain [Persistence](https://attack.mitre.org/tactics/TA0003) and can be used in combination with a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique to remotely gain [execution](https://attack.mitre.org/tactics/TA0002). Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The `/s` flag specifies the remote system on which the task should be scheduled, usually indicating [Lateral Movement](https://attack.mitre.org/tactics/TA0008). diff --git a/docs/analytics/CAR-2013-09-003/index.md b/docs/analytics/CAR-2013-09-003/index.md index 4a4da06f..63b65680 100644 --- a/docs/analytics/CAR-2013-09-003/index.md +++ b/docs/analytics/CAR-2013-09-003/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: N/A --- - - +

Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them. This analytic monitors SMB activity that deals with user activity rather than file activity. diff --git a/docs/analytics/CAR-2013-09-005/index.md b/docs/analytics/CAR-2013-09-005/index.md index 17223b34..50633efa 100644 --- a/docs/analytics/CAR-2013-09-005/index.md +++ b/docs/analytics/CAR-2013-09-005/index.md @@ -8,8 +8,7 @@ analytic_type: Detection contributors: MITRE applicable_platforms: Windows --- - - +

New executables that are started as a service are suspicious. This analytic looks for anomalous service executables. diff --git a/docs/analytics/CAR-2013-10-001/index.md b/docs/analytics/CAR-2013-10-001/index.md index f510d361..8c0e020a 100644 --- a/docs/analytics/CAR-2013-10-001/index.md +++ b/docs/analytics/CAR-2013-10-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere. Could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. diff --git a/docs/analytics/CAR-2013-10-002/index.md b/docs/analytics/CAR-2013-10-002/index.md index 817b39fc..7cf719f6 100644 --- a/docs/analytics/CAR-2013-10-002/index.md +++ b/docs/analytics/CAR-2013-10-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process [csrss.exe](https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem) creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to [inject DLLs](https://attack.mitre.org/techniques/T1055), but for very different purposes. An adversary is likely to inject into a program to [evade defenses](https://attack.mitre.org/tactics/TA0005) or [bypass User Account Control](https://attack.mitre.org/techniques/T1548/002), but a security program might do this to gain increased monitoring of API calls. One of the most common methods of [DLL Injection](https://attack.mitre.org/techniques/T1055) is through the Windows API [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx). - Allocate memory in the target program with [VirtualAllocEx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890.aspx) diff --git a/docs/analytics/CAR-2014-02-001/index.md b/docs/analytics/CAR-2014-02-001/index.md index 8795f621..3708d644 100644 --- a/docs/analytics/CAR-2014-02-001/index.md +++ b/docs/analytics/CAR-2014-02-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness, TTP contributors: MITRE applicable_platforms: Windows --- - - +

Adversaries may modify the binary file for an existing service to achieve [Persistence](https://attack.mitre.org/tactics/TA0003) while potentially [evading defenses](https://attack.mitre.org/tactics/TA0005). If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications. ### Output Description diff --git a/docs/analytics/CAR-2014-03-001/index.md b/docs/analytics/CAR-2014-03-001/index.md index 4562ac13..7ac418cc 100644 --- a/docs/analytics/CAR-2014-03-001/index.md +++ b/docs/analytics/CAR-2014-03-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

An SMB write can be an indicator of lateral movement, especially when combined with other information such as execution of that written file. Named pipes are a subset of SMB write requests. Named pipes such as msftewds may not be alarming; however others, such as lsarpc, may. Monitoring SMB write requests still creates some noise, particulary with named pipes. As a result, SMB is now split between writing named pipes and writing other files. diff --git a/docs/analytics/CAR-2014-03-005/index.md b/docs/analytics/CAR-2014-03-005/index.md index 565b1f4f..e69641cc 100644 --- a/docs/analytics/CAR-2014-03-005/index.md +++ b/docs/analytics/CAR-2014-03-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality. When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the [RPC Endpoint Mapper](../CAR-2014-05-001) over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on `services.exe`. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command. diff --git a/docs/analytics/CAR-2014-03-006/index.md b/docs/analytics/CAR-2014-03-006/index.md index 23ec43d7..9f23fd75 100644 --- a/docs/analytics/CAR-2014-03-006/index.md +++ b/docs/analytics/CAR-2014-03-006/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Adversaries may find it necessary to use [Dyanamic-link Libraries](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682589.aspx) (DLLs) to [evade defenses](https://attack.mitre.org/tactics/TA0005). One way these DLLs can be "executed" is through the use of the built-in Windows utility [RunDLL32](https://attack.mitre.org/techniques/T1218.011), which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful. @@ -17,7 +16,7 @@ Adversaries may find it necessary to use [Dyanamic-link Libraries](https://msdn. |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Rundll32](https://attack.mitre.org/techniques/T1218/011/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| +|[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Rundll32](https://attack.mitre.org/techniques/T1218/011/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2014-04-003/index.md b/docs/analytics/CAR-2014-04-003/index.md index ea605a74..047e86f3 100644 --- a/docs/analytics/CAR-2014-04-003/index.md +++ b/docs/analytics/CAR-2014-04-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

[PowerShell](https://attack.mitre.org/techniques/T1059/001/) is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. Powershell can be used to hide monitored command line execution such as: diff --git a/docs/analytics/CAR-2014-05-001/index.md b/docs/analytics/CAR-2014-05-001/index.md index cfa009fc..425de5dc 100644 --- a/docs/analytics/CAR-2014-05-001/index.md +++ b/docs/analytics/CAR-2014-05-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP, Situational Awareness contributors: MITRE applicable_platforms: Windows --- - - +

Microsoft Windows uses its implementation of [Distributed Computing Environment/Remote Procedure Call](https://en.wikipedia.org/wiki/DCE/RPC) (DCE/RPC), which it calls [Microsoft RPC](https://en.wikipedia.org/wiki/Microsoft_RPC), to call certain APIs remotely. A Remote Procedure Call is initiated by communicating to the RPC Endpoint Mapper, which exists as the Windows service RpcEptMapper and listens on the port 135/tcp. The endpoint mapper resolves a requested endpoint/interface and responds to the client with the port that the service is listening on. Since the RPC endpoints are assigned ports when the services start, these ports are dynamically assigned from 49152 to 65535. The connection to the endpoint mapper then terminates and the client program can communicate directly with the requested service. diff --git a/docs/analytics/CAR-2014-05-002/index.md b/docs/analytics/CAR-2014-05-002/index.md index b86a9eaa..4774e240 100644 --- a/docs/analytics/CAR-2014-05-002/index.md +++ b/docs/analytics/CAR-2014-05-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Windows runs the [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM) within the process `services.exe`. Windows launches services as independent processes or DLL loads within a [svchost.exe](https://en.wikipedia.org/wiki/svchost.exe) group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point [SvcMain](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687414.aspx). If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed. To survive the timeout, [adversaries and red teams](https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf) can create services that direct to `cmd.exe` with the flag `/c`, followed by the desired command. The `/c` flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default. Thus, services are a convenient way for an adversary to gain [Persistence](https://attack.mitre.org/tactics/TA0003) and [Privilege Escalation](https://attack.mitre.org/tactics/TA0004). diff --git a/docs/analytics/CAR-2014-07-001/index.md b/docs/analytics/CAR-2014-07-001/index.md index 9846a527..e0c9d4eb 100644 --- a/docs/analytics/CAR-2014-07-001/index.md +++ b/docs/analytics/CAR-2014-07-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

According to [ATT&CK](https://attack.mitre.org/), an adversary may [escalate privileges](https://attack.mitre.org/tactics/TA0004) by [intercepting the search path](https://attack.mitre.org/techniques/T1579/009) for legitimately installed services. As a result, Windows will launch the target executable instead of the desired binary and command line. This can be done when there are spaces in the binary path and the path is unquoted. Search path interception should never happen legitimately and will likely be the result of an adversary abusing a system misconfiguration. With a few regular expressions, it is possible to identify the execution of services with intercepted search paths. diff --git a/docs/analytics/CAR-2014-11-002/index.md b/docs/analytics/CAR-2014-11-002/index.md index f995daf6..5c7a8c01 100644 --- a/docs/analytics/CAR-2014-11-002/index.md +++ b/docs/analytics/CAR-2014-11-002/index.md @@ -8,8 +8,7 @@ analytic_type: Anomaly, TTP contributors: MITRE applicable_platforms: Windows --- - - +

Many programs create command prompts as part of their normal operation including malware used by attackers. This analytic attempts to identify suspicious programs spawning `cmd.exe` by looking for programs that do not normally create `cmd.exe`. While this analytic does not take the user into account, doing so could generate further interesting results. diff --git a/docs/analytics/CAR-2014-11-003/index.md b/docs/analytics/CAR-2014-11-003/index.md index 90f24c51..917b1158 100644 --- a/docs/analytics/CAR-2014-11-003/index.md +++ b/docs/analytics/CAR-2014-11-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

The Windows Registry location `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for [Accessibility Applications](https://attack.mitre.org/techniques/T1546/008). The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set. This analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility. diff --git a/docs/analytics/CAR-2014-11-004/index.md b/docs/analytics/CAR-2014-11-004/index.md index 38d07b19..2ba04b40 100644 --- a/docs/analytics/CAR-2014-11-004/index.md +++ b/docs/analytics/CAR-2014-11-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

According to [ATT&CK](https://attack.mitre.org/), [PowerShell](https://attack.mitre.org/techniques/T1059/001) can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command `Enter-PSSession -ComputerName \` creates a remote PowerShell session. diff --git a/docs/analytics/CAR-2014-11-005/index.md b/docs/analytics/CAR-2014-11-005/index.md index b2e760a4..49e6d432 100644 --- a/docs/analytics/CAR-2014-11-005/index.md +++ b/docs/analytics/CAR-2014-11-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

An adversary can remotely [manipulate the registry](https://attack.mitre.org/techniques/T1112) of another machine if the RemoteRegistry service is enabled and valid credentials are obtained. While the registry is remotely accessed, it can be used to prepare a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique, [discover](https://attack.mitre.org/tactics/TA0007) the configuration of a host, achieve [Persistence](https://attack.mitre.org/tactics/TA0003), or anything that aids an adversary in achieving the mission. Like most ATT&CK techniques, this behavior can be used legitimately, and the reliability of an analytic depends on the proper identification of the pre-existing legitimate behaviors. Although this behavior is disabled in many Windows configurations, it is possible to [remotely enable](https://attack.mitre.org/techniques/T1569/002) the RemoteRegistry service, which can be detected with [CAR-2014-03-005](../CAR-2014-03-005). Remote access to the registry can be achieved via diff --git a/docs/analytics/CAR-2014-11-006/index.md b/docs/analytics/CAR-2014-11-006/index.md index dc76813a..783d529e 100644 --- a/docs/analytics/CAR-2014-11-006/index.md +++ b/docs/analytics/CAR-2014-11-006/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows --- - - +

When a [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) connection is opened, the client sends HTTP requests to port 5985 for HTTP or 5986 for HTTPS on the target host. Each HTTP(S) request to the URI "/wsman" is called, and other information is set in the headers. Depending on the operation, the HTTP method may vary (i.e., GET, POST, etc.). This analytic would detect Remote PowerShell, as well as other communications that rely on WinRM. Additionally, it outputs the executable on the client host, the connection information, and the hostname of the target host. diff --git a/docs/analytics/CAR-2014-11-007/index.md b/docs/analytics/CAR-2014-11-007/index.md index 7b3b9466..1b37f562 100644 --- a/docs/analytics/CAR-2014-11-007/index.md +++ b/docs/analytics/CAR-2014-11-007/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

As described in ATT&CK, an adversary can use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to view or manipulate objects on a remote host. It can be used to remotely edit configuration, start services, query files, and anything that can be done with a WMI class. When remote WMI requests are over RPC ([CAR-2014-05-001](../CAR-2014-05-001)), it connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as [Event Tracing for Windows](https://msdn.microsoft.com/en-us/library/windows/desktop/bb968803.aspx). Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected. Although the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. diff --git a/docs/analytics/CAR-2014-11-008/index.md b/docs/analytics/CAR-2014-11-008/index.md index fe2db043..6f4d4188 100644 --- a/docs/analytics/CAR-2014-11-008/index.md +++ b/docs/analytics/CAR-2014-11-008/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

An adversary can use [accessibility features](https://attack.mitre.org/techniques/T1546/008) (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within [Remote Desktop](https://attack.mitre.org/techniques/T1021/001). To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of `cmd.exe` or `powershell.exe` launched directly from the logon process, `winlogon.exe`. It should be used in tandem with [CAR-2014-11-003](../CAR-2014-11-003), which detects the accessibility programs in the command line. Several accessibility programs can be run using the Ease of Access center diff --git a/docs/analytics/CAR-2014-12-001/index.md b/docs/analytics/CAR-2014-12-001/index.md index daec6f5f..4058fd4a 100644 --- a/docs/analytics/CAR-2014-12-001/index.md +++ b/docs/analytics/CAR-2014-12-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Adversaries can use [Windows Management Instrumentation (WMI)](https://attack.mitre.org/techniques/T1047) to move laterally by launching executables remotely. For adversaries to achieve this, they must open a WMI connection to a remote host. This RPC activity is currently detected by [CAR-2014-11-007](../CAR-2014-11-007). After the WMI connection has been initialized, a process can be remotely launched using the command: `wmic /node:"" process call create ""`, which is detected via [CAR-2016-03-002](../CAR-2016-03-002). This leaves artifacts at both a network (RPC) and process (command line) level. When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the the remote machine. diff --git a/docs/analytics/CAR-2015-04-001/index.md b/docs/analytics/CAR-2015-04-001/index.md index 5021fabd..02b2afb1 100644 --- a/docs/analytics/CAR-2015-04-001/index.md +++ b/docs/analytics/CAR-2015-04-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

When AT.exe is used to remotely [schedule tasks](https://attack.mitre.org/techniques/T1053), Windows uses named pipes over [SMB](https://en.wikipedia.org/wiki/Server_Message_Block) to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe "ATSVC" is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention `C:\Windows\System32\AT`. Unlike [CAR-2013-05-004](../CAR-2013-05-004), this analytic specifically focuses on uses of AT that can be detected between hosts, indicating remotely gained [execution](https://attack.mitre.org/tactics/TA0002). This pipe activity could be discovered with a network decoder, such as that in wireshark, that can inspect SMB traffic to identify the use of pipes. It could also be detected by looking for raw packet capture streams or from a custom sensor on the host that hooks the appropriate API functions. If no network or API level of visibility is possible, this traffic may inferred by looking at SMB connections over 445/tcp followed by the creation of files matching the pattern `C:\Windows\System32\AT\`. @@ -19,7 +18,7 @@ This pipe activity could be discovered with a network decoder, such as that in w |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At (Windows)](https://attack.mitre.org/techniques/T1053/002/)|[Execution](https://attack.mitre.org/tactics/TA0002/)|Moderate| +|[Scheduled Task/Job](https://attack.mitre.org/techniques/T1053/)|[At](https://attack.mitre.org/techniques/T1053/002/)|[Execution](https://attack.mitre.org/tactics/TA0002/)|Moderate| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2015-04-002/index.md b/docs/analytics/CAR-2015-04-002/index.md index 3de33820..fb341a20 100644 --- a/docs/analytics/CAR-2015-04-002/index.md +++ b/docs/analytics/CAR-2015-04-002/index.md 
@@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

An adversary can [move laterally](https://attack.mitre.org/tactics/TA0008) using the `schtasks` command to remotely [schedule tasks/jobs](https://attack.mitre.org/techniques/T1053). Although these events can be detected with command line analytics [CAR-2013-08-001](../CAR-2013-08-001), it is possible for an adversary to use the API directly, via the Task Scheduler GUI or with a scripting language such as [PowerShell](https://attack.mitre.org/techniques/T1059/001). In this cases, an additional source of data becomes necessary to detect adversarial behavior. When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established ([CAR-2014-05-001](../CAR-2014-05-001)), the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified. Certain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats diff --git a/docs/analytics/CAR-2015-07-001/index.md b/docs/analytics/CAR-2015-07-001/index.md index 67c7d653..24371e7c 100644 --- a/docs/analytics/CAR-2015-07-001/index.md +++ b/docs/analytics/CAR-2015-07-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Once a credential dumper like [mimikatz](https://attack.mitre.org/software/S0002) runs, every user logged on since boot is potentially compromised, because the credentials were accessed via the memory of `lsass.exe`. When such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons. The time field indicates the first and last time a system reported a user logged into a given system. This means that activity could be intermittent between the times given and should not be considered a duration. diff --git a/docs/analytics/CAR-2016-03-001/index.md b/docs/analytics/CAR-2016-03-001/index.md index 66fd553e..f58cdb2e 100644 --- a/docs/analytics/CAR-2016-03-001/index.md +++ b/docs/analytics/CAR-2016-03-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows, Linux, macOS --- - - +

When entering on a host for the first time, an adversary may try to [discover](https://attack.mitre.org/tactics/TA0007) information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. The information returned may impact choices an adversary can make when [establishing persistence](https://attack.mitre.org/tactics/TA0003), [escalating privileges](https://attack.mitre.org/tactics/TA0004), or [moving laterally](https://attack.mitre.org/tactics/TA0008). Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically. diff --git a/docs/analytics/CAR-2016-03-002/index.md b/docs/analytics/CAR-2016-03-002/index.md index 0df1cf0f..9cd3fac9 100644 --- a/docs/analytics/CAR-2016-03-002/index.md +++ b/docs/analytics/CAR-2016-03-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Adversaries may use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to move laterally, by launching executables remotely.The analytic [CAR-2014-12-001](../CAR-2014-12-001) describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility `wmic.exe` is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like `wmic.exe /node:"\" process call create "\"`. It is possible to also connect via IP address, in which case the string `"\"` would instead look like `IP Address`. Although this analytic was created after [CAR-2014-12-001](../CAR-2014-12-001), it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility [PowerShell](https://attack.mitre.org/T1059/001). diff --git a/docs/analytics/CAR-2016-04-002/index.md b/docs/analytics/CAR-2016-04-002/index.md index be7ca2cc..830b4277 100644 --- a/docs/analytics/CAR-2016-04-002/index.md +++ b/docs/analytics/CAR-2016-04-002/index.md @@ -3,21 +3,23 @@ title: "CAR-2016-04-002: User Activity from Clearing Event Logs" layout: analytic submission_date: 2016/04/14 information_domain: Host -subtypes: Event Records +subtypes: Event Records, Process analytic_type: Anomaly -contributors: MITRE/NSA +contributors: MITRE/NSA, Cyware Labs, Lucas Heiligenstein applicable_platforms: Windows, Linux, macOS --- +

+It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. 1. This is often done using `wevtutil`, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. 2. Alerting when a `Clear Event Log` is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk. 3. Attackers may set the option of the sources of events with `Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite` to not delete old Evenlog when the .evtx is full. By default the Security Log size is configured with the minimum value of 20 480KB (~23 000 EventLog). So if this option is enabled, all the new EventLogs will be automatically deleted. We can detect this behavior with the Security EventLog 1104. 4. Attackers may delete .evtx with `del C:\Windows\System32\winevt\logs\Security.evtx` or `Remove-Item C:\Windows\System32\winevt\logs\Security.evtx` after having disabled and stopped the Eventlog service. As the EventLog service is disabled and stopped, the .evtx files are no longer used by this service and can be deleted. The new EventLog will be Unavailable until the configuration is reset. 5. Attackers may use the powershell command `Remove-EventLog -LogName Security` to unregister source of events that are part of Windows (Application, Security…). 
This command deletes the security EventLog (which also generates EventId 1102) but the new Eventlogs are still recorded until the system is rebooted . After the System is rebooted, the Security log is unregistered and doesn’t log any new Eventlog. However logs generated between the command and the reboot are still available in the .evtx file. - -It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Alerting when a "Clear Event Log" is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk. +#### References +https://ptylu.github.io/content/report/report.html?report=26 ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Indicator Removal on Host](https://attack.mitre.org/techniques/T1070/)|[Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| +|[Indicator Removal](https://attack.mitre.org/techniques/T1070/)|[Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| ### D3FEND Techniques 
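Review bot: The added description line in the `@@ -3,21 +3,23 @@` hunk puts the numbered items 1. to 5. on one Markdown line, so they render as a single run-on paragraph instead of a list; give each item its own line with a blank line before the first. In the same line, fix "Evenlog" and "Unavailable" (lowercase), and the item 3 claim that "all the new EventLogs will be automatically deleted" conflicts with the `Limit-EventLog` sentence just before it: with `-OverflowAction DoNotOverwrite` old entries are kept and new ones are not written, so say the new events are dropped, not deleted. The new `#### References` section should use the same link form as the existing ATT&CK links in this file rather than a bare URL.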
@@ -28,17 +30,24 @@ It is unlikely that event log data would be cleared during normal operations, an +### Data Model References + +|Object|Action|Field| +|---|---|---| +|[process](/data_model/process) | [create](/data_model/process#create) | [command_line](/data_model/process#command_line) | + ### Implementations -#### Pseudocode +#### PseudoCode for dedicated EventID EventLog deletion (Pseudocode) + When an eventlog is cleared, a new event is created that alerts that the eventlog was cleared. For Security logs, its event code 1100 and 1102. For System logs, it is event code 104. ``` -([log_name] == "Security" and [event_code] in [1100, 1102]) or +([log_name] == "Security" and [event_code] in [1100, 1102, 1104]) or ([log_name] == "System" and [event_code] == 104) ``` @@ -57,7 +66,8 @@ When an eventlog is cleared, a new event is created that alerts that the eventlo -#### Logpoint +#### LogPoint version of the above pseudocode. (Logpoint) + LogPoint version of the above pseudocode. 
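Review bot: In the `@@ -28,17 +30,24 @@` hunk the pseudocode now includes event 1104, but the sentence above it still says "For Security logs, its event code 1100 and 1102", and the new description says 1104 reports a full log under `DoNotOverwrite`, not a cleared one; either extend that sentence to say 1104 is included to catch the log-full condition, or leave 1104 out of a rule whose heading says "EventLog deletion". The heading `#### PseudoCode for dedicated EventID EventLog deletion (Pseudocode)` repeats itself; `#### Pseudocode (event ID based)` is enough. The added Data Model row (process / create / command_line) backs only the Splunk process search, while the pseudocode and Logpoint implementations are event-record based, so say which implementation the reference applies to.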
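Review bot: In the `@@ -57,7 +66,8 @@` hunk the new heading `#### LogPoint version of the above pseudocode. (Logpoint)` duplicates the sentence directly below it; keep the original short `#### Logpoint` heading and the sentence. More importantly, the Logpoint query shown in the next hunk's context, `event_id IN [1100,1102]`, was not updated to include 1104, so it no longer mirrors the pseudocode it claims to be a version of; change both or neither.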
@@ -67,13 +77,22 @@ norm_id=WinServer ((channel="Security" event_id IN [1100,1102]) OR (channel="Sys ``` +#### Splunk search - Detecting log clearing with wevtutil (Splunk, Sysmon native) + + +This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs. + + +``` +index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 (Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog) +``` + + ### Unit Tests #### Test Case 1 -**Configurations:** Windows 7 - You can use the powershell cmdlet “Clear-Eventlog” to clear event logs. Open Powershell as administrator and execute Clear-Eventlog `Clear-EventLog [-LogName] \`. [Additional information here](https://technet.microsoft.com/en-us/library/hh849789.aspx). ``` @@ -81,4 +100,29 @@ Clear-Eventlog Security Clear-Eventlog System ``` +#### Test Case 2 + +Command to not Overwrite old EventLog + +``` +Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite +``` + +#### Test Case 3 + +Cmd and Powershell command to delete EventLog (only possible after turning off the EventLog service) + +``` +del C:\Windows\System32\winevt\logs\Security.evtx +Remove-Item C:\Windows\System32\winevt\logs\Security.evtx +``` + +#### Test Case 4 + +Unregister EventLog source + +``` +Remove-EventLog -LogName Security +``` + diff --git a/docs/analytics/CAR-2016-04-003/index.md b/docs/analytics/CAR-2016-04-003/index.md index da137cea..ea1ed9b3 100644 --- a/docs/analytics/CAR-2016-04-003/index.md +++ b/docs/analytics/CAR-2016-04-003/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE/NSA applicable_platforms: Windows --- - - +
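Review bot: The Splunk search in the `@@ -67,13 +77,22 @@` hunk mixes field-scoped and bare terms: `Clear-EventLog`, `Limit-EventLog`, `Remove-Item`, `.evtx` and `Remove-EventLog` are free-text keywords matched anywhere in the event, not `CommandLine=` matches, so scope them (e.g. `CommandLine=*Clear-EventLog*`) to make the intent explicit and avoid hits from other fields such as ParentCommandLine. `sourcetype= __your__windows__sysmon__sourcetype` has a stray space after `=` and a placeholder style that differs from `__your_sysmon_index__`. The search's coverage against the new test cases should also be stated: Sysmon EventCode=1 only sees a cmdlet that is passed on a process command line, an interactive PowerShell session running `Limit-EventLog` or `Remove-Item` creates no new process, and the cmd.exe built-in `del` from Test Case 3 is not among the searched terms at all; PowerShell script block logging (event 4104) is the data source that covers the cmdlet cases. Finally, the removed `**Configurations:** Windows 7` line was the only platform note for Test Case 1; if it was dropped as outdated, say so in the commit message or replace it with the tested version.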
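Review bot: In the `@@ -81,4 +100,29 @@` hunk Test Case 3 says it is "only possible after turning off the EventLog service" but gives no step for that, and once the service is stopped the event-ID based pseudocode and Logpoint implementations cannot fire; state which implementation each test exercises (Test Cases 2 to 4 only exercise the Splunk process-creation search, and only when the command is passed as a process argument). Test Case 2 observes nothing on its own, since the 1104 event described above appears only once the log fills, so the test should say what to look for and that it needs a full Security log. Each new test case should also carry the `**Configurations:**` line that Test Case 1 used to have, so readers know which Windows version the commands were verified on.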

Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation. Stopping services events are Windows Event Code 7036. diff --git a/docs/analytics/CAR-2016-04-004/index.md b/docs/analytics/CAR-2016-04-004/index.md index e35b429e..87162383 100644 --- a/docs/analytics/CAR-2016-04-004/index.md +++ b/docs/analytics/CAR-2016-04-004/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE/NSA applicable_platforms: Windows --- - - +

The successful use of [Pass The Hash](https://attack.mitre.org/techniques/T1550/002/) for lateral movement between workstations would trigger event ID 4624, with an event level of Information, from the security log. This behavior would be a LogonType of 3 using NTLM authentication where it is not a domain logon and not the ANONYMOUS LOGON account. diff --git a/docs/analytics/CAR-2016-04-005/index.md b/docs/analytics/CAR-2016-04-005/index.md index adb10ba0..1950f251 100644 --- a/docs/analytics/CAR-2016-04-005/index.md +++ b/docs/analytics/CAR-2016-04-005/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE/NSA applicable_platforms: Windows --- - - +

A remote desktop logon, through [RDP](https://attack.mitre.org/techniques/T1021/001), may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary. diff --git a/docs/analytics/CAR-2019-04-001/index.md b/docs/analytics/CAR-2019-04-001/index.md index fa51f619..c94f5997 100644 --- a/docs/analytics/CAR-2019-04-001/index.md +++ b/docs/analytics/CAR-2019-04-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source [UACME](https://github.com/hfiref0x/UACME) tool. diff --git a/docs/analytics/CAR-2019-04-002/index.md b/docs/analytics/CAR-2019-04-002/index.md index 994afe6b..bfc4d74b 100644 --- a/docs/analytics/CAR-2019-04-002/index.md +++ b/docs/analytics/CAR-2019-04-002/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: MITRE applicable_platforms: Windows --- - - +

Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually. @@ -17,7 +16,7 @@ Regsvr32 can be used to execute arbitrary code in the context of a Windows signe |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Regsvr32](https://attack.mitre.org/techniques/T1218/010/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| +|[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Regsvr32](https://attack.mitre.org/techniques/T1218/010/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2019-04-003/index.md b/docs/analytics/CAR-2019-04-003/index.md index 08d03a0c..b2ec47b1 100644 --- a/docs/analytics/CAR-2019-04-003/index.md +++ b/docs/analytics/CAR-2019-04-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS. Squiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible. @@ -22,7 +21,7 @@ As usual, credit to Roberto Rodriguez and the [ThreatHunter Playbook](https://gi |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Regsvr32](https://attack.mitre.org/techniques/T1218/010/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| +|[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Regsvr32](https://attack.mitre.org/techniques/T1218/010/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Moderate| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2019-04-004/index.md b/docs/analytics/CAR-2019-04-004/index.md index 010132aa..325ac168 100644 --- a/docs/analytics/CAR-2019-04-004/index.md +++ b/docs/analytics/CAR-2019-04-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

Credential dumpers like Mimikatz can be loaded into memory and from there read data from another processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are “overtuned” to look for common access patterns used by Mimikatz. *This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn’t have a CAR data model mapping, since we currently lack any open/access actions for Processes. If this changes, we will update the data model requirements.* diff --git a/docs/analytics/CAR-2019-07-001/index.md b/docs/analytics/CAR-2019-07-001/index.md index 97734adc..013dfc51 100644 --- a/docs/analytics/CAR-2019-07-001/index.md +++ b/docs/analytics/CAR-2019-07-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: Meric Degirmenci, MITRE applicable_platforms: Windows, Linux, macOS --- - - +

Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore provide admin only rights; also, they may want files to be accessible with lower levels of permissions. Note - this analytic references file permissions, which are not currently in the CAR data model. diff --git a/docs/analytics/CAR-2019-07-002/index.md b/docs/analytics/CAR-2019-07-002/index.md index b2a9e3d8..72858330 100644 --- a/docs/analytics/CAR-2019-07-002/index.md +++ b/docs/analytics/CAR-2019-07-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Kaushal Parikh/Cyware Labs, Tony Lambert/Red Canary, MITRE applicable_platforms: Windows --- - - +

[ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name. diff --git a/docs/analytics/CAR-2019-08-001/index.md b/docs/analytics/CAR-2019-08-001/index.md index b680c3b2..0d727545 100644 --- a/docs/analytics/CAR-2019-08-001/index.md +++ b/docs/analytics/CAR-2019-08-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Tony Lambert/Red Canary applicable_platforms: Windows --- - - +

The Windows Task Manager may be used to dump the memory space of `lsass.exe` to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting `lsass.exe`, and clicking "Create dump file". This saves a dump file to disk with a deterministic name that includes the name of the process being dumped. This requires filesystem data to determine whether files have been created. diff --git a/docs/analytics/CAR-2019-08-002/index.md b/docs/analytics/CAR-2019-08-002/index.md index 51e635b8..f0fb91fd 100644 --- a/docs/analytics/CAR-2019-08-002/index.md +++ b/docs/analytics/CAR-2019-08-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Tony Lambert/Red Canary applicable_platforms: Windows --- - - +

The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching `ntdsutil.exe` as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, `ntds.dit`, to the specified folder path. This requires filesystem data to determine whether files have been created. diff --git a/docs/analytics/CAR-2020-04-001/index.md b/docs/analytics/CAR-2020-04-001/index.md index 7ea6ad41..34f8426c 100644 --- a/docs/analytics/CAR-2020-04-001/index.md +++ b/docs/analytics/CAR-2020-04-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: applicable_platforms: Windows --- - - +

This analytic has been deprecated in favor of [CAR-2021-01-009](/analytics/CAR-2021-01-009), which covers the same technique with some additional detections. diff --git a/docs/analytics/CAR-2020-05-001/index.md b/docs/analytics/CAR-2020-05-001/index.md index 3f95023f..add50eb2 100644 --- a/docs/analytics/CAR-2020-05-001/index.md +++ b/docs/analytics/CAR-2020-05-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyber National Mission Force (CNMF) applicable_platforms: Windows --- - - +

This analytic detects the minidump variant of credential dumping where a process opens lsass.exe in order to extract credentials using the Win32 API call [MiniDumpWriteDump](https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump). Tools like [SafetyKatz](https://github.com/GhostPack/SafetyKatz), [SafetyDump](https://github.com/m0rv4i/SafetyDump), and [Outflank-Dumpert](https://github.com/outflanknl/Dumpert) default to this variant and may be detected by this analytic, though keep in mind that not all options for using those tools will result in this specific behavior. The analytic is based on a [Sigma analytic](https://github.com/NVISO-BE/sigma-public/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml) contributed by Samir Bousseaden and written up in a [blog on MENASEC](https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html). It looks for a call trace that includes either dbghelp.dll or dbgcore.dll, which export the relevant functions/permissions to perform the dump. It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass, which is described in [CAR-2019-08-001](/analytics/CAR-2019-08-001/). In this iteration of the Sigma analytic, the `GrantedAccess` filter isn't included because it didn't seem to filter out any false positives and introduces the potential for evasion. diff --git a/docs/analytics/CAR-2020-05-003/index.md b/docs/analytics/CAR-2020-05-003/index.md index 0a3d8198..9d095cf7 100644 --- a/docs/analytics/CAR-2020-05-003/index.md +++ b/docs/analytics/CAR-2020-05-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyber National Mission Force (CNMF) applicable_platforms: Windows --- - - +

[LoLBAS](https://lolbas-project.github.io/) are binaries and scripts that are built in to Windows, frequently are signed by Microsoft, and may be used by an attacker. Some LoLBAS are used very rarely and it might be possible to alert every time they're used (this would depend on your environment), but many others are very common and can't be simply alerted on. This analytic takes all instances of LoLBAS execution and then looks for instances of command lines that are not normal in the environment. This can detect attackers (which will tend to need the binaries for something different than normal usage) but will also tend to have false positives. diff --git a/docs/analytics/CAR-2020-08-001/index.md b/docs/analytics/CAR-2020-08-001/index.md index 4b01d575..8f13ef62 100644 --- a/docs/analytics/CAR-2020-08-001/index.md +++ b/docs/analytics/CAR-2020-08-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because they can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using system utilities such as powershell. #### References diff --git a/docs/analytics/CAR-2020-08-002/index.md b/docs/analytics/CAR-2020-08-002/index.md index 43592b71..a53a38fb 100644 --- a/docs/analytics/CAR-2020-08-002/index.md +++ b/docs/analytics/CAR-2020-08-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: MITRE applicable_platforms: Windows --- - - +

NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because their contents can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using Living off the Land Binaries and Scripts (LOLBAS). #### References diff --git a/docs/analytics/CAR-2020-09-001/index.md b/docs/analytics/CAR-2020-09-001/index.md index cdd11183..5363b961 100644 --- a/docs/analytics/CAR-2020-09-001/index.md +++ b/docs/analytics/CAR-2020-09-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: Olaf Hartong applicable_platforms: Windows --- - - +

In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations. diff --git a/docs/analytics/CAR-2020-09-002/index.md b/docs/analytics/CAR-2020-09-002/index.md index 05870ca6..453072c5 100644 --- a/docs/analytics/CAR-2020-09-002/index.md +++ b/docs/analytics/CAR-2020-09-002/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. Accordingly, this analytic looks for any changes under these keys. diff --git a/docs/analytics/CAR-2020-09-003/index.md b/docs/analytics/CAR-2020-09-003/index.md index c806e823..ec2492d4 100644 --- a/docs/analytics/CAR-2020-09-003/index.md +++ b/docs/analytics/CAR-2020-09-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers. diff --git a/docs/analytics/CAR-2020-09-004/index.md b/docs/analytics/CAR-2020-09-004/index.md index 1b665456..02c9710c 100644 --- a/docs/analytics/CAR-2020-09-004/index.md +++ b/docs/analytics/CAR-2020-09-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as [PowerSploit](https://powersploit.readthedocs.io/en/latest/) in order to dump credentials from various applications such as IIS.Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several powersploit modules with similar functionality. diff --git a/docs/analytics/CAR-2020-09-005/index.md b/docs/analytics/CAR-2020-09-005/index.md index 8d0eeb27..f5b226a5 100644 --- a/docs/analytics/CAR-2020-09-005/index.md +++ b/docs/analytics/CAR-2020-09-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` or `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows` are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse. diff --git a/docs/analytics/CAR-2020-11-001/index.md b/docs/analytics/CAR-2020-11-001/index.md index 9f6d64ee..881b48b4 100755 --- a/docs/analytics/CAR-2020-11-001/index.md +++ b/docs/analytics/CAR-2020-11-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\Environment*UserInitMprLogonScript*. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. diff --git a/docs/analytics/CAR-2020-11-002/index.md b/docs/analytics/CAR-2020-11-002/index.md index f0156be0..11c8bef6 100755 --- a/docs/analytics/CAR-2020-11-002/index.md +++ b/docs/analytics/CAR-2020-11-002/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc. This analytic looks for the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy. diff --git a/docs/analytics/CAR-2020-11-003/index.md b/docs/analytics/CAR-2020-11-003/index.md index 6325d7c9..5195e8c1 100755 --- a/docs/analytics/CAR-2020-11-003/index.md +++ b/docs/analytics/CAR-2020-11-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic. diff --git a/docs/analytics/CAR-2020-11-004/index.md b/docs/analytics/CAR-2020-11-004/index.md index 1c055207..4a286dcf 100755 --- a/docs/analytics/CAR-2020-11-004/index.md +++ b/docs/analytics/CAR-2020-11-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discepency. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event. diff --git a/docs/analytics/CAR-2020-11-005/index.md b/docs/analytics/CAR-2020-11-005/index.md index 7d3fc4ac..6b29102e 100755 --- a/docs/analytics/CAR-2020-11-005/index.md +++ b/docs/analytics/CAR-2020-11-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. This does not capture the event if it is done within the console itself; only commandline-based commands are detected. Note that the command to remove the history file directly may very a bit if the history file is not saved in the default path on a particular system. @@ -17,7 +16,7 @@ Adversaries may attempt to conceal their tracks by deleting the history of comma |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Indicator Removal on Host](https://attack.mitre.org/techniques/T1070/)|[Clear Command History](https://attack.mitre.org/techniques/T1070/003/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| +|[Indicator Removal](https://attack.mitre.org/techniques/T1070/)|[Clear Command History](https://attack.mitre.org/techniques/T1070/003/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2020-11-006/index.md b/docs/analytics/CAR-2020-11-006/index.md index 90c5d954..4531700e 100755 --- a/docs/analytics/CAR-2020-11-006/index.md +++ b/docs/analytics/CAR-2020-11-006/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives. diff --git a/docs/analytics/CAR-2020-11-007/index.md b/docs/analytics/CAR-2020-11-007/index.md index 877c6baf..57d88e48 100755 --- a/docs/analytics/CAR-2020-11-007/index.md +++ b/docs/analytics/CAR-2020-11-007/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may use network shares to exfliltrate date; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via commandline, which is otherwise a rare event. @@ -17,7 +16,7 @@ Adversaries may use network shares to exfliltrate date; they will then remove th |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Indicator Removal on Host](https://attack.mitre.org/techniques/T1070/)|[Network Share Connection Removal](https://attack.mitre.org/techniques/T1070/005/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| +|[Indicator Removal](https://attack.mitre.org/techniques/T1070/)|[Network Share Connection Removal](https://attack.mitre.org/techniques/T1070/005/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2020-11-008/index.md b/docs/analytics/CAR-2020-11-008/index.md index bace94ce..0915aec5 100755 --- a/docs/analytics/CAR-2020-11-008/index.md +++ b/docs/analytics/CAR-2020-11-008/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variaty of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio. diff --git a/docs/analytics/CAR-2020-11-009/index.md b/docs/analytics/CAR-2020-11-009/index.md index baf1d569..ef6ee340 100755 --- a/docs/analytics/CAR-2020-11-009/index.md +++ b/docs/analytics/CAR-2020-11-009/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic. @@ -17,7 +16,7 @@ Adversaries may hide malicious code in .chm compiled HTML files. When these file |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Compiled HTML File](https://attack.mitre.org/techniques/T1218/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| +|[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[Compiled HTML File](https://attack.mitre.org/techniques/T1218/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2020-11-010/index.md b/docs/analytics/CAR-2020-11-010/index.md index 9b29504d..800a6add 100755 --- a/docs/analytics/CAR-2020-11-010/index.md +++ b/docs/analytics/CAR-2020-11-010/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong, MITRE applicable_platforms: Windows --- - - +

CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to setup listeners that will receive and install malware from remote sources in trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP. @@ -18,7 +17,7 @@ When CMSTP.exe is seen in combination with an external connection, it is a good |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[CMSTP](https://attack.mitre.org/techniques/T1218/003/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| +|[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)|[CMSTP](https://attack.mitre.org/techniques/T1218/003/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|High| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2020-11-011/index.md b/docs/analytics/CAR-2020-11-011/index.md index 0c9a1f08..756d02c2 100755 --- a/docs/analytics/CAR-2020-11-011/index.md +++ b/docs/analytics/CAR-2020-11-011/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Olaf Hartong applicable_platforms: Windows --- - - +

Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs. diff --git a/docs/analytics/CAR-2021-01-001/index.md b/docs/analytics/CAR-2021-01-001/index.md index 0e643152..45c95617 100644 --- a/docs/analytics/CAR-2021-01-001/index.md +++ b/docs/analytics/CAR-2021-01-001/index.md @@ -8,8 +8,7 @@ analytic_type: Situational Awareness contributors: Cyware Labs applicable_platforms: Windows, Linux --- - - +

After compromising an initial machine, adversaries commonly attempt to laterally move across the network. The first step to attempt the lateral movement often involves conducting host identification, port and service scans on the internal network via the compromised machine using tools such as Nmap, Cobalt Strike, etc. @@ -17,7 +16,7 @@ After compromising an initial machine, adversaries commonly attempt to laterally |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Network Service Scanning](https://attack.mitre.org/techniques/T1046/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Moderate| +|[Network Service Discovery](https://attack.mitre.org/techniques/T1046/)|N/A|[Discovery](https://attack.mitre.org/tactics/TA0007/)|Moderate| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2021-01-002/index.md b/docs/analytics/CAR-2021-01-002/index.md index 9404e5bf..42fddd25 100644 --- a/docs/analytics/CAR-2021-01-002/index.md +++ b/docs/analytics/CAR-2021-01-002/index.md @@ -8,8 +8,7 @@ analytic_type: Anomaly contributors: Cyware Labs applicable_platforms: Windows --- - - +

Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands. diff --git a/docs/analytics/CAR-2021-01-003/index.md b/docs/analytics/CAR-2021-01-003/index.md index 3199c4f5..ce77d77c 100644 --- a/docs/analytics/CAR-2021-01-003/index.md +++ b/docs/analytics/CAR-2021-01-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyware Labs applicable_platforms: Windows --- - - +

In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. @@ -17,7 +16,7 @@ In an attempt to clear traces after compromising a machine, threat actors often |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| |---|---|---|---| -|[Indicator Removal on Host](https://attack.mitre.org/techniques/T1070/)|[Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| +|[Indicator Removal](https://attack.mitre.org/techniques/T1070/)|[Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)|[Defense Evasion](https://attack.mitre.org/tactics/TA0005/)|Low| ### D3FEND Techniques diff --git a/docs/analytics/CAR-2021-01-004/index.md b/docs/analytics/CAR-2021-01-004/index.md index 394efed8..7aaac00c 100644 --- a/docs/analytics/CAR-2021-01-004/index.md +++ b/docs/analytics/CAR-2021-01-004/index.md @@ -8,8 +8,7 @@ analytic_type: Anomaly contributors: Cyware Labs applicable_platforms: Windows --- - - +

After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity. diff --git a/docs/analytics/CAR-2021-01-006/index.md b/docs/analytics/CAR-2021-01-006/index.md index 47ed0621..aeb988af 100644 --- a/docs/analytics/CAR-2021-01-006/index.md +++ b/docs/analytics/CAR-2021-01-006/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyware Labs applicable_platforms: Windows --- - - +

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. diff --git a/docs/analytics/CAR-2021-01-007/index.md b/docs/analytics/CAR-2021-01-007/index.md index 363df542..96f4c91b 100644 --- a/docs/analytics/CAR-2021-01-007/index.md +++ b/docs/analytics/CAR-2021-01-007/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyware Labs applicable_platforms: Windows --- - - +

In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. diff --git a/docs/analytics/CAR-2021-01-008/index.md b/docs/analytics/CAR-2021-01-008/index.md index 4e9e3d6f..6acda7f9 100644 --- a/docs/analytics/CAR-2021-01-008/index.md +++ b/docs/analytics/CAR-2021-01-008/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Cyware Labs applicable_platforms: Windows --- - - +

Threat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using “reg.exe”, a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system. diff --git a/docs/analytics/CAR-2021-01-009/index.md b/docs/analytics/CAR-2021-01-009/index.md index f696a43b..da8c6b20 100644 --- a/docs/analytics/CAR-2021-01-009/index.md +++ b/docs/analytics/CAR-2021-01-009/index.md @@ -9,8 +9,7 @@ analytic_type: TTP contributors: Cyware Labs, Lucas Heiligenstein applicable_platforms: Windows --- - - +

After compromising a network of systems, threat actors often try to delete/resize Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. This action is often employed by ransomware, may lead to a failure in recovering systems after an attack. The pseudo code detection focus on Windows Security and Sysmon process creation (4688 and 1). The use of wmic to delete shadow copy generates WMI-Activity Operationnal 5857 event and could generate 5858 (if the operation fails). These 2 EventIDs could be interesting when attackers use wmic without process creation and/or for forensics. diff --git a/docs/analytics/CAR-2021-02-001/index.md b/docs/analytics/CAR-2021-02-001/index.md index b8d53e57..99a8ff0c 100644 --- a/docs/analytics/CAR-2021-02-001/index.md +++ b/docs/analytics/CAR-2021-02-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Nichols Jasper applicable_platforms: Windows --- - - +

A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment. diff --git a/docs/analytics/CAR-2021-02-002/index.md b/docs/analytics/CAR-2021-02-002/index.md index 27084fc6..b19db756 100644 --- a/docs/analytics/CAR-2021-02-002/index.md +++ b/docs/analytics/CAR-2021-02-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Sebastien Damaye applicable_platforms: Windows --- - - +

Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques. diff --git a/docs/analytics/CAR-2021-04-001/index.md b/docs/analytics/CAR-2021-04-001/index.md index 13206a2c..791d82ca 100644 --- a/docs/analytics/CAR-2021-04-001/index.md +++ b/docs/analytics/CAR-2021-04-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Sebastien Damaye applicable_platforms: Windows --- - - +

[Masquerading (T1036)](https://attack.mitre.org/techniques/T1036/) is defined by ATT&CK as follows: "Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names." diff --git a/docs/analytics/CAR-2021-05-001/index.md b/docs/analytics/CAR-2021-05-001/index.md index bcfff05a..6b904bb5 100644 --- a/docs/analytics/CAR-2021-05-001/index.md +++ b/docs/analytics/CAR-2021-05-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

Adversaries may add their own root certificate to the certificate store, to cause the web browser to trust that certificate and not display a security warning when it encounters the previously unseen certificate. This action may be the precursor to malicious activity. diff --git a/docs/analytics/CAR-2021-05-002/index.md b/docs/analytics/CAR-2021-05-002/index.md index fe0865a1..45d39dba 100644 --- a/docs/analytics/CAR-2021-05-002/index.md +++ b/docs/analytics/CAR-2021-05-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions. diff --git a/docs/analytics/CAR-2021-05-003/index.md b/docs/analytics/CAR-2021-05-003/index.md index 4ab5bbf8..54242317 100644 --- a/docs/analytics/CAR-2021-05-003/index.md +++ b/docs/analytics/CAR-2021-05-003/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery. diff --git a/docs/analytics/CAR-2021-05-004/index.md b/docs/analytics/CAR-2021-05-004/index.md index 009eed82..301bea27 100644 --- a/docs/analytics/CAR-2021-05-004/index.md +++ b/docs/analytics/CAR-2021-05-004/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. diff --git a/docs/analytics/CAR-2021-05-005/index.md b/docs/analytics/CAR-2021-05-005/index.md index 0f7b9824..1e5ac427 100644 --- a/docs/analytics/CAR-2021-05-005/index.md +++ b/docs/analytics/CAR-2021-05-005/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. diff --git a/docs/analytics/CAR-2021-05-006/index.md b/docs/analytics/CAR-2021-05-006/index.md index 2b95ce18..3eff2abb 100644 --- a/docs/analytics/CAR-2021-05-006/index.md +++ b/docs/analytics/CAR-2021-05-006/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths.\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. diff --git a/docs/analytics/CAR-2021-05-007/index.md b/docs/analytics/CAR-2021-05-007/index.md index da8731a4..ff39d9e5 100644 --- a/docs/analytics/CAR-2021-05-007/index.md +++ b/docs/analytics/CAR-2021-05-007/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. diff --git a/docs/analytics/CAR-2021-05-008/index.md b/docs/analytics/CAR-2021-05-008/index.md index 5c56e905..5056e205 100644 --- a/docs/analytics/CAR-2021-05-008/index.md +++ b/docs/analytics/CAR-2021-05-008/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS. diff --git a/docs/analytics/CAR-2021-05-009/index.md b/docs/analytics/CAR-2021-05-009/index.md index 9fffa107..9ca808eb 100644 --- a/docs/analytics/CAR-2021-05-009/index.md +++ b/docs/analytics/CAR-2021-05-009/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. diff --git a/docs/analytics/CAR-2021-05-010/index.md b/docs/analytics/CAR-2021-05-010/index.md index d1b1304b..228547b8 100644 --- a/docs/analytics/CAR-2021-05-010/index.md +++ b/docs/analytics/CAR-2021-05-010/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

This search looks for the creation of local administrator accounts using net.exe. diff --git a/docs/analytics/CAR-2021-05-011/index.md b/docs/analytics/CAR-2021-05-011/index.md index 6e6b6514..6e0a2ef1 100644 --- a/docs/analytics/CAR-2021-05-011/index.md +++ b/docs/analytics/CAR-2021-05-011/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials. diff --git a/docs/analytics/CAR-2021-05-012/index.md b/docs/analytics/CAR-2021-05-012/index.md index cdd017be..fc7e0d6e 100644 --- a/docs/analytics/CAR-2021-05-012/index.md +++ b/docs/analytics/CAR-2021-05-012/index.md @@ -9,8 +9,7 @@ analytic_type: TTP contributors: Splunk Threat Research applicable_platforms: Windows --- - - +

This detection is to identify a creation of "user mode service" where the service file path is located in non-common service folder in windows. diff --git a/docs/analytics/CAR-2021-11-001/index.md b/docs/analytics/CAR-2021-11-001/index.md index bec2ed6f..18eb1c64 100644 --- a/docs/analytics/CAR-2021-11-001/index.md +++ b/docs/analytics/CAR-2021-11-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Lucas Heiligenstein applicable_platforms: Windows --- - - +

Detection of creation of registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. The key SafeDllSearchMode, if set to 0, will block the Windows mechanism for the search DLL order and adversaries may execute their own malicious dll. diff --git a/docs/analytics/CAR-2021-11-002/index.md b/docs/analytics/CAR-2021-11-002/index.md index ebd130b7..61b22c50 100644 --- a/docs/analytics/CAR-2021-11-002/index.md +++ b/docs/analytics/CAR-2021-11-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Lucas Heiligenstein applicable_platforms: Windows --- - - +

Detection of modification of the registry key values of `Notify`, `Userinit`, and `Shell` located in `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` and `HKEY_LOCAL_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\`. When a user logs on, the Registry key values of `Notify`, `Userinit` and `Shell` are used to load dedicated Windows component. Attackers may insert malicious payload following the legitimate value to launch a malicious payload. diff --git a/docs/analytics/CAR-2021-12-001/index.md b/docs/analytics/CAR-2021-12-001/index.md index 22eb641d..b7078c65 100644 --- a/docs/analytics/CAR-2021-12-001/index.md +++ b/docs/analytics/CAR-2021-12-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Lucas Heiligenstein applicable_platforms: Windows --- - - +

Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log. diff --git a/docs/analytics/CAR-2021-12-002/index.md b/docs/analytics/CAR-2021-12-002/index.md index bb1a9467..53fcf621 100644 --- a/docs/analytics/CAR-2021-12-002/index.md +++ b/docs/analytics/CAR-2021-12-002/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Lucas Heiligenstein applicable_platforms: Windows --- - - +

Detection of the modification of the registry key `Common Startup` located in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\`. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys. diff --git a/docs/analytics/CAR-2022-03-001/index.md b/docs/analytics/CAR-2022-03-001/index.md index 0b100f86..a10887d6 100644 --- a/docs/analytics/CAR-2022-03-001/index.md +++ b/docs/analytics/CAR-2022-03-001/index.md @@ -8,8 +8,7 @@ analytic_type: TTP contributors: Lucas Heiligenstein applicable_platforms: Windows --- - - +

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections. There are different ways to perform this attack. 1. The first one is to create the Registry Key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt`. This action will not generate Security EventLog 4657 or Sysmon EventLog 13 because the value of the key remains empty. However, if an attacker uses powershell to perform this attack (and not cmd), a Security EventLog 4663 will be generated (but 4663 generates a lot of noise). 2. The second way is to disable the service EventLog (display name Windows Event Log). After disabed, attacker must reboot the system. The action of disabling or put in manual the service will modify the Registry Key value `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\start`, therefore Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. diff --git a/docs/analytics/by_technique/index.md b/docs/analytics/by_technique/index.md index 3ecf4011..5dff7bc9 100644 --- a/docs/analytics/by_technique/index.md +++ b/docs/analytics/by_technique/index.md @@ -75,7 +75,7 @@ permalink: /analytics/by_technique
- + @@ -118,7 +118,7 @@ permalink: /analytics/by_technique - + @@ -170,7 +170,7 @@ permalink: /analytics/by_technique - + diff --git a/docs/analytics/index.md b/docs/analytics/index.md index 80989bb7..ad04a76f 100644 --- a/docs/analytics/index.md +++ b/docs/analytics/index.md @@ -207,7 +207,7 @@ permalink: /analytics/ - + @@ -351,8 +351,8 @@ permalink: /analytics/ - - + + @@ -391,7 +391,7 @@ permalink: /analytics/ - + @@ -399,7 +399,7 @@ permalink: /analytics/ - + @@ -559,7 +559,7 @@ permalink: /analytics/ - + @@ -575,7 +575,7 @@ permalink: /analytics/ - + @@ -591,7 +591,7 @@ permalink: /analytics/ - + @@ -599,7 +599,7 @@ permalink: /analytics/ - + @@ -615,7 +615,7 @@ permalink: /analytics/ - + @@ -631,7 +631,7 @@ permalink: /analytics/ - + diff --git a/docs/data/analytics.json b/docs/data/analytics.json index 251702c6..2ee43fdb 100644 --- a/docs/data/analytics.json +++ b/docs/data/analytics.json 
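Review bot: the index.md hunks above are whitespace-only (two blank lines after the closing `---` of the front matter collapsed to one), which is fine, but while each analytic's description paragraph is being touched as trailing context, the visible errors in those paragraphs should be fixed in the same pass: in CAR-2022-03-001 "After disabed, attacker must reboot" should read "After disabling it, the attacker must reboot"; in CAR-2021-05-009 "decoding a encoded file" should be "decoding an encoded file"; in CAR-2021-11-002 `HKEY_LOCAL_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` names a root key that does not exist and looks like a typo for `HKEY_CURRENT_USER`; and in CAR-2021-12-002 the second `User Shell Folders` path repeats the `HKEY_LOCAL_MACHINE` path verbatim although the text goes on to speak of "these folders", so the `HKEY_CURRENT_USER` counterpart was presumably intended. Leaving wrong hive names in a detection description means anyone copying the key path into a rule monitors nothing. Separately, the `docs/data/analytics.json` hunk that follows replaces the entire minified file as a single line (`@@ -1 +1 @@`), so which analytic entries actually changed cannot be reviewed; committing the file pretty-printed, one entry per line, or regenerating it from the per-analytic front matter in CI, would make this and future diffs reviewable.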
@@ -1 +1 @@ -{"analytics": [{"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Medium"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", 
"process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": 
"Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569.002", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin 
Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": 
["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": 
"Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": 
[{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", 
"fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": 
"Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", 
"Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": 
"Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "Network Share 
Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": 
"Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Detecting Shadow Copy Deletion via Vssadmin.exe", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", 
"process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": 
"CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}]} \ No newline at end of file +{"analytics": [{"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": 
[{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], 
"technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", 
"name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", 
"Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": 
"Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Batch File Write to 
System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", 
"flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], 
"technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", 
"process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, 
{"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": 
["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", 
"coverage": "High"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": 
[{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": 
[{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", 
"process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}]} \ No newline at end of file From 888b7798f5213ed444a29995b0277e7f3afd4722 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 15 Feb 2023 01:30:32 -0500 Subject: [PATCH 34/82] ran generate_attack_nav_layer Signed-off-by: Amndeep Singh Mann --- docs/car_attack/car_attack.json | 352 ++++++++++++++++++++++++++------ 1 file changed, 284 insertions(+), 68 deletions(-) diff --git a/docs/car_attack/car_attack.json b/docs/car_attack/car_attack.json index a363f7e5..02432b5c 100644 --- a/docs/car_attack/car_attack.json +++ b/docs/car_attack/car_attack.json 
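Review bot: The analytics index JSON hunk that ends on this line (above the PATCH 34 header) mixes two spellings of one coverage level: CAR-2013-07-002, CAR-2021-01-008 and CAR-2021-11-002 carry `"coverage": "Medium"` while every other entry says `"Moderate"`, so anything that filters or colours by coverage will treat them as different values; since this file is generated, normalise the field in the source analytic YAML to a single vocabulary and regenerate. The generator also emits the file without a trailing newline (`\ No newline at end of file`); have it end the file with one.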
@@ -5,23 +5,22 @@ "domain": "mitre-enterprise", "techniques": [ { - "techniqueID": "T1490", + "techniqueID": "T1003", "color": "#c6dbef", - "comment": "CAR-2020-04-001: Shadow Copy Deletion", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1003", + "techniqueID": "T1003.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", + "enabled": true }, { "techniqueID": "T1003.001", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", "enabled": true }, { 
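Review bot: In the `@@ -5,23 +5,22 @@` hunk, `CAR-2020-05-001: MiniDump of LSASS` is added to the comment for `T1003.003` but not to `T1003.001`, while the parent `T1003` comment lists it; T1003.003 is the NTDS sub-technique and T1003.001 is LSASS Memory, so an LSASS minidump analytic appearing only under .003 points to a wrong sub-technique ID in that analytic's coverage block. Fix it in the source analytic rather than hand-editing the layer, then re-run generate_attack_nav_layer. The same hunk also removes `CAR-2020-04-001: Shadow Copy Deletion` from `T1490`, and when T1490 is re-added in the `@@ -456,16 +584,29 @@` hunk that analytic is not listed there either; confirm it was intentionally retired or renamed and say so in the commit message, which currently only reads "ran generate_attack_nav_layer".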
@@ -34,10 +33,36 @@ { "techniqueID": "T1105", "color": "#c6dbef", - "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1559", + "color": "#c6dbef", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1559.002", + "color": "#c6dbef", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "enabled": true + }, + { + "techniqueID": "T1606", + "color": "#c6dbef", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1606.002", + "color": "#c6dbef", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "enabled": true + }, { "techniqueID": "T1187", "color": "#c6dbef", 
@@ -48,20 +73,33 @@ { "techniqueID": "T1053", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true, "showSubtechniques": true }, { "techniqueID": "T1053.005", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", + "enabled": true + }, + { + "techniqueID": "T1070", + "color": "#c6dbef", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1070.003", + "color": "#c6dbef", + 
"comment": "CAR-2020-11-005: Clear Powershell Console Command History", "enabled": true }, { "techniqueID": "T1218", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", "enabled": true, "showSubtechniques": true }, @@ -84,10 +122,17 @@ "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1197", + "color": "#c6dbef", + "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", + "enabled": true, + "showSubtechniques": true + }, { "techniqueID": "T1546", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true, "showSubtechniques": true }, @@ -97,6 +142,12 @@ "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", "enabled": true }, + { + "techniqueID": "T1218.001", + "color": "#c6dbef", + "comment": "CAR-2020-11-009: Compiled HTML Access", + "enabled": true + }, { "techniqueID": "T1021.001", "color": "#c6dbef", 
@@ -106,7 +157,7 @@ { "techniqueID": "T1059", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", "enabled": true, "showSubtechniques": true }, @@ -116,10 +167,29 @@ "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", "enabled": true }, + { + "techniqueID": "T1569", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1569.001", + "color": "#c6dbef", + "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", + "enabled": true + }, + { + "techniqueID": "T1569.002", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "enabled": true + }, { "techniqueID": "T1570", "color": "#c6dbef", - "comment": "CAR-2014-03-001: SMB Write Request - NamedPipes", + "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", "enabled": true, "showSubtechniques": true }, 
@@ -139,7 +209,7 @@ { "techniqueID": "T1574", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "enabled": true, "showSubtechniques": true }, @@ -150,16 +220,16 @@ "enabled": true }, { - "techniqueID": "T1569", + "techniqueID": "T1127", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1569.002", + "techniqueID": "T1127.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true }, { 
@@ -194,16 +264,69 @@ "comment": "CAR-2016-04-004: Successful Local Account Login", "enabled": true }, + { + "techniqueID": "T1548", + "color": "#c6dbef", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", + "enabled": true, + "showSubtechniques": true + }, { "techniqueID": "T1021.002", "color": "#c6dbef", "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", "enabled": true }, + { + "techniqueID": "T1574.001", + "color": "#c6dbef", + "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "enabled": true + }, + { + "techniqueID": "T1112", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1055", + "color": "#c6dbef", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1055.012", + "color": "#c6dbef", + "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "enabled": true + }, + { + "techniqueID": "T1140", + "color": "#c6dbef", + "comment": "CAR-2021-05-009: CertUtil With Decode 
Argument", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1562", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1562.001", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", + "enabled": true + }, { "techniqueID": "T1036", "color": "#c6dbef", - "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names", + "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true, "showSubtechniques": true }, 
@@ -253,20 +376,20 @@ { "techniqueID": "T1069", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true, "showSubtechniques": true }, { "techniqueID": "T1069.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true }, { "techniqueID": "T1069.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true }, { 
@@ -276,17 +399,10 @@ "enabled": true, "showSubtechniques": true }, - { - "techniqueID": "T1112", - "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry", - "enabled": true, - "showSubtechniques": true - }, { "techniqueID": "T1574.011", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", "enabled": true }, { @@ -361,27 +477,14 @@ { "techniqueID": "T1046", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1562", - "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", "enabled": true, "showSubtechniques": true }, - { - "techniqueID": "T1562.001", - "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true - }, { "techniqueID": "T1562.006", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", "enabled": true }, { 
@@ -400,17 +503,23 @@ { "techniqueID": "T1012", "color": "#c6dbef", - "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1089", + "techniqueID": "T1204", "color": "#c6dbef", - "comment": "CAR-2016-04-003: User Activity from Stopping Windows Defensive Services", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1204.002", + "color": "#c6dbef", + "comment": "CAR-2021-05-002: Batch File Write to System32", + "enabled": true + }, { "techniqueID": "T1218.011", "color": "#c6dbef", @@ -418,11 +527,18 @@ "enabled": true }, { - "techniqueID": "T1003.003", + "techniqueID": "T1055.001", "color": "#c6dbef", - "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", "enabled": true }, + { + "techniqueID": "T1040", + "color": "#c6dbef", + "comment": "CAR-2020-11-002: Local Network Sniffing", + "enabled": true, + "showSubtechniques": true + }, { "techniqueID": "T1222", "color": "#c6dbef", 
@@ -443,12 +559,24 @@ "enabled": true }, { - "techniqueID": "T1551", + "techniqueID": "T1547", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1547.001", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "enabled": true + }, + { + "techniqueID": "T1070.001", + "color": "#c6dbef", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "enabled": true + }, { "techniqueID": "T1059.001", "color": "#c6dbef", 
@@ -456,16 +584,29 @@ "enabled": true }, { - "techniqueID": "T1547", + "techniqueID": "T1490", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell", + "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1547.001", + "techniqueID": "T1564", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1564.004", + "color": "#c6dbef", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "enabled": true + }, + { + "techniqueID": "T1546.015", + "color": "#c6dbef", + "comment": "CAR-2020-09-002: Component Object Model Hijacking", "enabled": true }, { @@ -477,7 +618,7 @@ { "techniqueID": "T1547.004", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", "enabled": true }, { 
@@ -513,20 +654,20 @@ { "techniqueID": "T1546.010", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", "enabled": true }, { "techniqueID": "T1037", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true, "showSubtechniques": true }, { "techniqueID": "T1037.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true }, { @@ -542,6 +683,12 @@ "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true }, + { + "techniqueID": "T1562.002", + "color": "#c6dbef", + "comment": "CAR-2022-03-001: Disable Windows Event Logging", + "enabled": true + }, { "techniqueID": "T1039", "color": "#c6dbef", 
@@ -550,29 +697,98 @@ "showSubtechniques": true }, { - "techniqueID": "T1055", + "techniqueID": "T1553", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1055.001", + "techniqueID": "T1553.004", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true }, { - "techniqueID": "T1548", + "techniqueID": "T1036.005", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass", + "comment": "CAR-2021-04-001: Common Windows Process Masquerading", + "enabled": true + }, + { + "techniqueID": "T1546.002", + "color": "#c6dbef", + "comment": "CAR-2020-11-011: Registry Edit from Screensaver", + "enabled": true + }, + { + "techniqueID": "T1070.005", + "color": "#c6dbef", + "comment": "CAR-2020-11-007: Network Share Connection Removal", + "enabled": true + }, + { + "techniqueID": "T1068", + "color": "#c6dbef", + "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "enabled": true, "showSubtechniques": true }, + { + "techniqueID": "T1136", + "color": "#c6dbef", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1136.001", + "color": "#c6dbef", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "enabled": true + }, { "techniqueID": "T1548.002", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", + "enabled": true + }, + { + "techniqueID": "T1552", + "color": "#c6dbef", + "comment": 
"CAR-2020-09-004: Credentials in Files & Registry", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1552.001", + "color": "#c6dbef", + "comment": "CAR-2020-09-004: Credentials in Files & Registry", + "enabled": true + }, + { + "techniqueID": "T1552.002", + "color": "#c6dbef", + "comment": "CAR-2020-09-004: Credentials in Files & Registry", + "enabled": true + }, + { + "techniqueID": "T1505", + "color": "#c6dbef", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1505.003", + "color": "#c6dbef", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "enabled": true + }, + { + "techniqueID": "T1218.003", + "color": "#c6dbef", + "comment": "CAR-2020-11-010: CMSTP", "enabled": true } ] From 156185e56a5e98b4fb0c7d8918689c25a6d413ee Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 15 Feb 2023 01:32:00 -0500 Subject: [PATCH 35/82] ran generate_sensors Signed-off-by: Amndeep Singh Mann --- docs/sensors/auditd_2.8.md | 136 +++++++++++++++++++++++++++++++++ docs/sensors/autoruns_13.98.md | 28 ++++--- docs/sensors/index.md | 7 +- docs/sensors/osquery_4.1.2.md | 23 +++--- docs/sensors/osquery_4.6.0.md | 23 +++--- docs/sensors/sysmon_10.4.md | 53 +++++++------ docs/sensors/sysmon_11.0.md | 53 +++++++------ docs/sensors/sysmon_13.md | 53 +++++++------ 8 files changed, 271 insertions(+), 105 deletions(-) create mode 100644 docs/sensors/auditd_2.8.md diff --git a/docs/sensors/auditd_2.8.md b/docs/sensors/auditd_2.8.md new file mode 100644 index 00000000..de2e70bd --- /dev/null +++ b/docs/sensors/auditd_2.8.md 
@@ -0,0 +1,136 @@ +--- +title: "auditd (2.8)" +--- + +- Manufacturer: Red Hat +- Version: 2.8 +- Website: https://people.redhat.com/sgrubb/audit/ + + +## Description +auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk + + + + +## Data Model Coverage + +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| + +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | + +### [flow](../data_model/flow) + +| | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
+|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `end` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| +| `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| + +### [process](../data_model/process) + +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + +## Analytic Coverage + + - [CAR-2013-02-003: Processes Spawning cmd.exe](../analytics/CAR-2013-02-003) + - [CAR-2013-03-001: Reg.exe called from Command Shell](../analytics/CAR-2013-03-001) + - [CAR-2013-04-002: Quick execution of a series of suspicious commands](../analytics/CAR-2013-04-002) + - [CAR-2013-05-002: Suspicious Run Locations](../analytics/CAR-2013-05-002) + - [CAR-2013-05-004: Execution with AT](../analytics/CAR-2013-05-004) + - [CAR-2013-05-005: SMB Copy and Execution](../analytics/CAR-2013-05-005) + - [CAR-2013-05-009: Running executables with same hash and different names](../analytics/CAR-2013-05-009) + - [CAR-2013-07-001: Suspicious Arguments](../analytics/CAR-2013-07-001) + - [CAR-2013-07-002: RDP Connection Detection](../analytics/CAR-2013-07-002) + - [CAR-2013-07-005: Command Line Usage of Archiving 
Software](../analytics/CAR-2013-07-005) + - [CAR-2013-08-001: Execution with schtasks](../analytics/CAR-2013-08-001) + - [CAR-2014-02-001: Service Binary Modifications](../analytics/CAR-2014-02-001) + - [CAR-2014-03-001: SMB Write Request - NamedPipes](../analytics/CAR-2014-03-001) + - [CAR-2014-03-005: Remotely Launched Executables via Services](../analytics/CAR-2014-03-005) + - [CAR-2014-03-006: RunDLL32.exe monitoring](../analytics/CAR-2014-03-006) + - [CAR-2014-04-003: Powershell Execution](../analytics/CAR-2014-04-003) + - [CAR-2014-05-001: RPC Activity](../analytics/CAR-2014-05-001) + - [CAR-2014-05-002: Services launching Cmd](../analytics/CAR-2014-05-002) + - [CAR-2014-07-001: Service Search Path Interception](../analytics/CAR-2014-07-001) + - [CAR-2014-11-002: Outlier Parents of Cmd](../analytics/CAR-2014-11-002) + - [CAR-2014-11-003: Debuggers for Accessibility Applications](../analytics/CAR-2014-11-003) + - [CAR-2014-11-004: Remote PowerShell Sessions](../analytics/CAR-2014-11-004) + - [CAR-2014-11-006: Windows Remote Management (WinRM)](../analytics/CAR-2014-11-006) + - [CAR-2014-11-008: Command Launched from WinLogon](../analytics/CAR-2014-11-008) + - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) + - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) + - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) + - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) + - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) + - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) + - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) + - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) + - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) + - 
[CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) + - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) + - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) + - [CAR-2020-09-002: Component Object Model Hijacking](../analytics/CAR-2020-09-002) + - [CAR-2020-09-003: Indicator Blocking - Driver Unloaded](../analytics/CAR-2020-09-003) + - [CAR-2020-09-004: Credentials in Files & Registry](../analytics/CAR-2020-09-004) + - [CAR-2020-09-005: AppInit DLLs](../analytics/CAR-2020-09-005) + - [CAR-2020-11-001: Boot or Logon Initialization Scripts](../analytics/CAR-2020-11-001) + - [CAR-2020-11-002: Local Network Sniffing](../analytics/CAR-2020-11-002) + - [CAR-2020-11-003: DLL Injection with Mavinject](../analytics/CAR-2020-11-003) + - [CAR-2020-11-004: Processes Started From Irregular Parent](../analytics/CAR-2020-11-004) + - [CAR-2020-11-005: Clear Powershell Console Command History](../analytics/CAR-2020-11-005) + - [CAR-2020-11-006: Local Permission Group Discovery](../analytics/CAR-2020-11-006) + - [CAR-2020-11-007: Network Share Connection Removal](../analytics/CAR-2020-11-007) + - [CAR-2020-11-008: MSBuild and msxsl](../analytics/CAR-2020-11-008) + - [CAR-2020-11-009: Compiled HTML Access](../analytics/CAR-2020-11-009) + - [CAR-2020-11-010: CMSTP](../analytics/CAR-2020-11-010) + - [CAR-2020-11-011: Registry Edit from Screensaver](../analytics/CAR-2020-11-011) + - [CAR-2021-01-001: Identifying Port Scanning Activity](../analytics/CAR-2021-01-001) + - [CAR-2021-01-002: Unusually Long Command Line Strings](../analytics/CAR-2021-01-002) + - [CAR-2021-01-003: Clearing Windows Logs with Wevtutil](../analytics/CAR-2021-01-003) + - [CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe](../analytics/CAR-2021-01-004) + - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) + - 
[CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) + - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) + - [CAR-2021-02-001: Webshell-Indicative Process Tree](../analytics/CAR-2021-02-001) + - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) + - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) + - [CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store](../analytics/CAR-2021-05-001) + - [CAR-2021-05-002: Batch File Write to System32](../analytics/CAR-2021-05-002) + - [CAR-2021-05-003: BCDEdit Failure Recovery Modification](../analytics/CAR-2021-05-003) + - [CAR-2021-05-004: BITS Job Persistence](../analytics/CAR-2021-05-004) + - [CAR-2021-05-005: BITSAdmin Download File](../analytics/CAR-2021-05-005) + - [CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments](../analytics/CAR-2021-05-006) + - [CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments](../analytics/CAR-2021-05-007) + - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) + - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) + - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event 
Logging](../analytics/CAR-2022-03-001) + - [N/A](../analytics/N/A) diff --git a/docs/sensors/autoruns_13.98.md b/docs/sensors/autoruns_13.98.md index 81338f9d..2cf2b3de 100644 --- a/docs/sensors/autoruns_13.98.md +++ b/docs/sensors/autoruns_13.98.md @@ -14,18 +14,6 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi ## Data Model Coverage -### [file](../data_model/file) - -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | -| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `modify` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | - ### [registry](../data_model/registry) | | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | 
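Review bot: the Analytic Coverage list that closes just before the autoruns_13.98.md diff ends with `- [N/A](../analytics/N/A)`, a link to a page that does not exist, since every real entry in that list points at a `CAR-YYYY-MM-NNN` page. The same `[N/A]` item is also present as unchanged context at the end of the osquery_4.1.2 and osquery_4.6.0 lists further down, so this is a generator problem rather than a one-page typo: have the generator skip entries that carry no analytic id (or fix the id on the offending analytic) before it writes the list, and regenerate all sensor pages.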
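Review bot: in the autoruns_13.98.md hunks the `file` table is deleted from above `registry` and re-added below `service` with no change at all (the `create` and `modify` rows carry exactly the same checkmarks in both copies), so this is pure section reordering. The osquery and sysmon pages below show the same pattern, with `driver` moving below `file` and `thread` and `registry` moving above it. That points at the generator emitting data-model sections in an unstable order; sorting the sections by name before rendering would keep these pages diff-stable and let reviewers see real coverage changes instead of moves.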
@@ -45,6 +33,18 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi | `start` | | | | | | | | | | | | `stop` | | | | | | | | | | | +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | +| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `modify` | ✓| |✓| |✓|✓|✓| | |✓|✓| |✓| | | | | | | |✓|✓| |✓| | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | + @@ -62,3 +62,7 @@ Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Wi - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-05-002: Batch File Write to System32](../analytics/CAR-2021-05-002) - [CAR-2021-05-012: Create Service In Suspicious File Path](../analytics/CAR-2021-05-012) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) diff --git a/docs/sensors/index.md b/docs/sensors/index.md index 6f183ead..c8d34e09 100755 
--- a/docs/sensors/index.md +++ b/docs/sensors/index.md @@ -5,9 +5,10 @@ title: "Sensors" Sensors are tools that collect data that can be used to run analytics. CAR currently has a limited number of sensors mapped to the CAR [Data Model](../data_model). They are: +* [auditd (2.8)](auditd_2.8) * [Autoruns (13.98)](autoruns_13.98) +* [osquery (4.1.2)](osquery_4.1.2) +* [osquery (4.6.0)](osquery_4.6.0) * [Sysmon (10.4)](sysmon_10.4) * [Sysmon (11.0)](sysmon_11.0) -* [Sysmon (13.0)](sysmon_13) -* [OSQuery (4.1.2)](osquery_4.1.2) -* [OSQuery (4.6.0)](osquery_4.6.0) +* [Sysmon (13)](sysmon_13) \ No newline at end of file diff --git a/docs/sensors/osquery_4.1.2.md b/docs/sensors/osquery_4.1.2.md index bdb46448..9c5d21f5 100755 --- a/docs/sensors/osquery_4.1.2.md +++ b/docs/sensors/osquery_4.1.2.md @@ -14,13 +14,6 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | | | |✓|✓|✓| |✓|✓| | | -| `unload` | | | | | | | | | | | | - ### [file](../data_model/file) | | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | 
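Review bot: in the docs/sensors/index.md hunk the Sysmon 13 label changes from `Sysmon (13.0)` to `Sysmon (13)` while the neighbouring entries keep their minor version (`Sysmon (10.4)`, `Sysmon (11.0)`), and the rewritten last line drops the trailing newline (`\ No newline at end of file`). Keep the version format consistent across the Sysmon entries and restore the final newline so later appends to this list do not produce a spurious one-line diff. The new `[auditd (2.8)](auditd_2.8)` entry needs a matching `docs/sensors/auditd_2.8.md` page in this patch; its file header is not visible in this part of the diff, so please confirm it is included.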
@@ -33,6 +26,13 @@ osquery exposes an operating system as a high-performance relational database. T | `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| | `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -81,13 +81,13 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) - - [CAR-2020-04-001: Shadow Copy Deletion](../analytics/CAR-2020-04-001) - [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) 
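Review bot: this hunk silently drops `CAR-2020-04-001: Shadow Copy Deletion` from the osquery_4.1.2 coverage list, and the next hunk renames CAR-2021-01-009 to `Detecting Shadow Copy Deletion or Resize`; the same pair of edits recurs in osquery_4.6.0, sysmon_10.4 and sysmon_11.0. Nothing in the patch says whether CAR-2020-04-001 was retired, merged into CAR-2021-01-009, or simply lost its sensor mapping. Please state that in the commit message so the removal of a coverage entry is clearly intentional rather than a regeneration regression, and if the analytic was retired, make sure its page is removed or marked accordingly elsewhere in the patch.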
@@ -113,7 +113,7 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) - [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) - - [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](../analytics/CAR-2021-01-009) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) - [CAR-2021-02-001: Webshell-Indicative Process Tree](../analytics/CAR-2021-02-001) - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) @@ -127,4 +127,9 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) - [N/A](../analytics/N/A) diff --git a/docs/sensors/osquery_4.6.0.md b/docs/sensors/osquery_4.6.0.md index b044a54c..7efe527e 100755 --- a/docs/sensors/osquery_4.6.0.md +++ b/docs/sensors/osquery_4.6.0.md 
@@ -14,13 +14,6 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [driver](../data_model/driver) - -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | -|---|---|---|---|---|---|---|---|---|---|---| -| `load` | | | |✓|✓|✓| |✓|✓| | | -| `unload` | | | | | | | | | | | | - ### [file](../data_model/file) | | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | @@ -33,6 +26,13 @@ osquery exposes an operating system as a high-performance relational database. T | `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| | `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | | | |✓|✓|✓| |✓|✓| | | +| `unload` | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -81,13 +81,13 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) - - [CAR-2020-04-001: Shadow Copy Deletion](../analytics/CAR-2020-04-001) - [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) 
@@ -113,7 +113,7 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) - [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) - - [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](../analytics/CAR-2021-01-009) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) - [CAR-2021-02-001: Webshell-Indicative Process Tree](../analytics/CAR-2021-02-001) - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) @@ -127,4 +127,9 @@ osquery exposes an operating system as a high-performance relational database. T - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) - [N/A](../analytics/N/A) diff --git a/docs/sensors/sysmon_10.4.md b/docs/sensors/sysmon_10.4.md index 088dcab9..0bbcec26 100755 --- a/docs/sensors/sysmon_10.4.md +++ b/docs/sensors/sysmon_10.4.md 
@@ -14,12 +14,23 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [driver](../data_model/driver) +### [thread](../data_model/thread) -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + +### [registry](../data_model/registry) + +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | |---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓| |✓| -| `unload` | | | | | | | | | | | | +| `add` | |✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | | | | | | | | | | | | +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | | | | | | | | | | | | ### [file](../data_model/file) 
@@ -33,6 +44,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | | `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓| |✓| +| `unload` | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -49,24 +67,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | | | | | | | |✓| | `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | -### [registry](../data_model/registry) - -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | |✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | | | | | | | | | | | | -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | | | | | | | | | | | | - -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - @@ -95,6 +95,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) 
@@ -102,7 +103,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) - - [CAR-2020-04-001: Shadow Copy Deletion](../analytics/CAR-2020-04-001) - [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) @@ -124,7 +124,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) - [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) - - [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](../analytics/CAR-2021-01-009) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) - [CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store](../analytics/CAR-2021-05-001) 
@@ -136,3 +136,8 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) diff --git a/docs/sensors/sysmon_11.0.md b/docs/sensors/sysmon_11.0.md index 6d8b7af8..bf5db123 100755 --- a/docs/sensors/sysmon_11.0.md +++ b/docs/sensors/sysmon_11.0.md 
@@ -14,12 +14,23 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [driver](../data_model/driver) +### [thread](../data_model/thread) -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + +### [registry](../data_model/registry) + +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | |---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓| |✓| -| `unload` | | | | | | | | | | | | +| `add` | |✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | | | | | | | | | | | | +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | | | | | | | | | | | | ### [file](../data_model/file) 
@@ -33,6 +44,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | | `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓| |✓| +| `unload` | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -49,24 +67,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | |✓| | | | | |✓| | `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | -### [registry](../data_model/registry) - -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | |✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | | | | | | | | | | | | -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | | | | | | | | | | | | - -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - @@ -95,6 +95,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) 
@@ -102,7 +103,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) - - [CAR-2020-04-001: Shadow Copy Deletion](../analytics/CAR-2020-04-001) - [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) @@ -124,7 +124,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) - [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) - - [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](../analytics/CAR-2021-01-009) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) - [CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store](../analytics/CAR-2021-05-001) 
@@ -137,3 +137,8 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) diff --git a/docs/sensors/sysmon_13.md b/docs/sensors/sysmon_13.md index 640337b1..40ed48d5 100644 --- a/docs/sensors/sysmon_13.md +++ b/docs/sensors/sysmon_13.md 
@@ -14,12 +14,23 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [driver](../data_model/driver) +### [thread](../data_model/thread) -| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + +### [registry](../data_model/registry) + +| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | |---|---|---|---|---|---|---|---|---|---|---| -| `load` | |✓| |✓|✓| | |✓|✓|✓|✓| -| `unload` | | | | | | | | | | | | +| `add` | ✓|✓|✓| |✓|✓| |✓| | |✓| +| `key_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| +| `remove` | |✓|✓| |✓|✓| |✓| | |✓| +| `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| ### [file](../data_model/file) 
@@ -33,6 +44,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | | `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +### [driver](../data_model/driver) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | +|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| | |✓|✓|✓|✓| +| `unload` | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -49,24 +67,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓| |✓|✓| | | | | | | |✓| | `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | -### [registry](../data_model/registry) - -| | `data` | `fqdn` | `hive` | `hostname` | `image_path` | `key` | `new_content` | `pid` | `type` | `user` | `value` | -|---|---|---|---|---|---|---|---|---|---|---| -| `add` | ✓|✓|✓| |✓|✓| |✓| | |✓| -| `key_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| -| `remove` | |✓|✓| |✓|✓| |✓| | |✓| -| `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| - -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - @@ -95,6 +95,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2014-12-001: Remotely Launched Executables via WMI](../analytics/CAR-2014-12-001) - [CAR-2016-03-001: Host Discovery Commands](../analytics/CAR-2016-03-001) - [CAR-2016-03-002: Create Remote Process via WMIC](../analytics/CAR-2016-03-002) + - [CAR-2016-04-002: User Activity from Clearing Event Logs](../analytics/CAR-2016-04-002) - [CAR-2019-04-001: UAC Bypass](../analytics/CAR-2019-04-001) - [CAR-2019-04-002: Generic Regsvr32](../analytics/CAR-2019-04-002) - [CAR-2019-04-003: Squiblydoo](../analytics/CAR-2019-04-003) 
@@ -102,7 +103,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2019-07-002: Lsass Process Dump via Procdump](../analytics/CAR-2019-07-002) - [CAR-2019-08-001: Credential Dumping via Windows Task Manager](../analytics/CAR-2019-08-001) - [CAR-2019-08-002: Active Directory Dumping via NTDSUtil](../analytics/CAR-2019-08-002) - - [CAR-2020-04-001: Shadow Copy Deletion](../analytics/CAR-2020-04-001) - [CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities](../analytics/CAR-2020-08-001) - [CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS](../analytics/CAR-2020-08-002) - [CAR-2020-09-001: Scheduled Task - FileAccess](../analytics/CAR-2020-09-001) @@ -124,7 +124,7 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-01-006: Unusual Child Process spawned using DDE exploit](../analytics/CAR-2021-01-006) - [CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt](../analytics/CAR-2021-01-007) - [CAR-2021-01-008: Disable UAC](../analytics/CAR-2021-01-008) - - [CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe](../analytics/CAR-2021-01-009) + - [CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize](../analytics/CAR-2021-01-009) - [CAR-2021-02-002: Get System Elevation](../analytics/CAR-2021-02-002) - [CAR-2021-04-001: Common Windows Process Masquerading](../analytics/CAR-2021-04-001) - [CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store](../analytics/CAR-2021-05-001) 
@@ -137,3 +137,8 @@ Sysmon is a freely available program from Microsoft that is provided as part of - [CAR-2021-05-008: Certutil exe certificate extraction](../analytics/CAR-2021-05-008) - [CAR-2021-05-009: CertUtil With Decode Argument](../analytics/CAR-2021-05-009) - [CAR-2021-05-010: Create local admin accounts using net exe](../analytics/CAR-2021-05-010) + - [CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0](../analytics/CAR-2021-11-001) + - [CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify](../analytics/CAR-2021-11-002) + - [CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths](../analytics/CAR-2021-12-001) + - [CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'](../analytics/CAR-2021-12-002) + - [CAR-2022-03-001: Disable Windows Event Logging](../analytics/CAR-2022-03-001) From 698ae29e60bd29945f65fc609540d4b38c1aa02d Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 15 Feb 2023 04:01:14 -0500 Subject: [PATCH 36/82] fixed bug where techniques that had no subtechniques were not being listed Signed-off-by: Amndeep Singh Mann --- scripts/generate_analytics.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/generate_analytics.py b/scripts/generate_analytics.py index f1c8c3c8..70817a80 100755 --- a/scripts/generate_analytics.py +++ b/scripts/generate_analytics.py @@ -184,7 +184,7 @@ none_sub_str = "(N/A - technique only)" else: none_str = "(N/A - see below)" - if len(sub_bucket.keys()) > 1: + if len(sub_bucket.keys()) > 1 or len(none_bucket) > 0: num_rows = len(sub_bucket.keys()) + 1 tid_url = "https://attack.mitre.org/techniques/{0}/".format(tid) tid_link = '{1}: {2}'.format(tid_url,tid,techniques[tid]) 
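Review bot: the widened condition `if len(sub_bucket.keys()) > 1 or len(none_bucket) > 0:` now sends techniques with zero or one subtechnique into the multi-row branch, but the next line still sizes the table from the subtechniques alone (`num_rows = len(sub_bucket.keys()) + 1`). Confirm that the rowspan derived from `num_rows` also counts the technique-only row that `none_bucket` contributes; otherwise a technique with exactly one subtechnique plus technique-only CARs gets a rowspan one short and the generated table misaligns. A fixture with that shape (one sub-bucket key, one technique-only CAR) would lock the fix in.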
@@ -192,7 +192,7 @@ if none_sub_str == "(N/A - technique only)": subtechnique_table += tr_template.format(rowspan,tid_link,none_sub_str,none_str) else: - subtechnique_table += tr_tech_template.format(rowspan,tid_link) + subtechnique_table += tr_tech_template.format(rowspan,tid_link) # Write the subtechniques to the table if sub_bucket: for sub_tid, car_list in sub_bucket.items(): From 858bf449d6c7c75ac21b77e168608ac8ed0b5da6 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 15 Feb 2023 04:02:22 -0500 Subject: [PATCH 37/82] fixed bug where techniques with both technique only CARs and subtechnique based CARs were not rendering properly Signed-off-by: Amndeep Singh Mann --- scripts/generate_analytics.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/scripts/generate_analytics.py b/scripts/generate_analytics.py index 70817a80..31d9d383 100755 --- a/scripts/generate_analytics.py +++ b/scripts/generate_analytics.py @@ -210,11 +210,9 @@ sub_link = '{1}: {2}'.format(sub_url,sub_tid,techniques[sub_tid]) subtechnique_table += tr_template.format("",tid_link,sub_link,sub_str) elif len(sub_bucket.keys()) == 1: - tid_url = "https://attack.mitre.org/techniques/{0}/".format(tid) sub_url = "https://attack.mitre.org/techniques/{0}/{1}/".format(sub_tid.split(".")[0],sub_tid.split(".")[1]) - tid_link = '{1}: {2}'.format(tid_url,tid,techniques[tid]) sub_link = '{1}: {2}'.format(sub_url,sub_tid,techniques[sub_tid]) - subtechnique_table += tr_template.format("",tid_link,sub_link,sub_str) + subtechnique_table += tr_sub_template.format(sub_link,sub_str) else: sub_url = "https://attack.mitre.org/techniques/{0}/{1}/".format(sub_tid.split(".")[0],sub_tid.split(".")[1]) sub_link = '{1}: {2}'.format(sub_url,sub_tid,techniques[sub_tid]) From 4049143d1774ebc34e363917cadc0572d3cf1d1b Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 15 Feb 2023 04:04:23 -0500 Subject: [PATCH 38/82] reran generate_analytics to generate a correct by_technique table 
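Review bot: in the `elif len(sub_bucket.keys()) == 1:` branch, `sub_tid` is used (`sub_tid.split(".")[0]`) but is not assigned anywhere in the visible lines of that branch; it appears to rely on the loop variable left behind by an earlier `for sub_tid, ... in sub_bucket.items()` loop, which only happens to be correct because the last-iterated key is the single key. Bind it explicitly, e.g. `sub_tid = next(iter(sub_bucket))`, or add a comment stating the dependency. Switching the branch to `tr_sub_template.format(sub_link,sub_str)` and dropping the unused `tid_url`/`tid_link` looks right, provided nothing later in the function still reads `tid_link` after this branch. The preceding hunk (`@@ -192,7 +192,7 @@`) is a whitespace-only change bundled into a bug-fix commit; fine to keep, but say so in the message.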
Signed-off-by: Amndeep Singh Mann --- docs/analytics/by_technique/index.md | 121 ++++++++++++++++++++++++++- 1 file changed, 120 insertions(+), 1 deletion(-) diff --git a/docs/analytics/by_technique/index.md b/docs/analytics/by_technique/index.md index 5dff7bc9..e1445b68 100644 --- a/docs/analytics/by_technique/index.md +++ b/docs/analytics/by_technique/index.md @@ -28,6 +28,31 @@ permalink: /analytics/by_technique + + + + + + + + + + + + + + + + + + + + + + + + + @@ -49,6 +74,16 @@ permalink: /analytics/by_technique + + + + + + + + + + @@ -67,6 +102,31 @@ permalink: /analytics/by_technique + + + + + + + + + + + + + + + + + + + + + + + + + @@ -89,6 +149,11 @@ permalink: /analytics/by_technique + + + + + @@ -106,6 +171,11 @@ permalink: /analytics/by_technique + + + + + @@ -143,6 +213,11 @@ permalink: /analytics/by_technique + + + + + @@ -154,6 +229,21 @@ permalink: /analytics/by_technique + + + + + + + + + + + + + + + @@ -164,6 +254,21 @@ permalink: /analytics/by_technique + + + + + + + + + + + + + + + @@ -199,6 +304,11 @@ permalink: /analytics/by_technique + + + + + @@ -257,7 +367,11 @@ permalink: /analytics/by_technique - + + + + + @@ -323,6 +437,11 @@ permalink: /analytics/by_technique + + + + + From f9472d0cc5249a012a8896ff7b892a16d4470971 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 16 Feb 2023 15:31:18 -0500 Subject: [PATCH 39/82] created workflow to automatically regenerate /docs on every push to master Signed-off-by: Amndeep Singh Mann --- .github/workflows/regenerate-docs.yml | 42 +++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/regenerate-docs.yml diff --git a/.github/workflows/regenerate-docs.yml b/.github/workflows/regenerate-docs.yml new file mode 100644 index 00000000..35e0fa3b --- /dev/null +++ b/.github/workflows/regenerate-docs.yml 
@@ -0,0 +1,42 @@ +name: Regenerate /docs using the generate_*.py scripts + +on: + push: + branches: [master] + +jobs: + regenerate: + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Clean /docs/analytics + shell: bash + run: rm -rfv ./docs/analytics + - name: Clean /docs/sensors + shell: bash + run: rm -rfv ./docs/sensors + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + cache: 'pip' + - name: Install script dependencies + run: pip install -r ./scripts/requirements.txt + - name: Regenerate analytics + working-directory: ./scripts + run: python generate_analytics.py + - name: Regenerate sensors + working-directory: ./scripts + run: python generate_sensors.py + - name: Regenerate attack nav layer + working-directory: ./scripts + run: python generate_attack_nav_layer.py + - name: Commit new static site + uses: stefanzweifel/git-auto-commit-action@v4 + with: + commit_message: 'Automated commit to rebuild the static site' + commit_user_name: 'Build and Push Automation Script' + commit_user_email: '<>' From 0c87a55d3acf6fa272b94c199e40bc00039f580e Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Sun, 19 Feb 2023 09:22:10 -0500 Subject: [PATCH 40/82] Make it work on pull request as well --- .github/workflows/regenerate-docs.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/regenerate-docs.yml b/.github/workflows/regenerate-docs.yml index 35e0fa3b..c79041a7 100644 --- a/.github/workflows/regenerate-docs.yml +++ b/.github/workflows/regenerate-docs.yml @@ -1,6 +1,7 @@ name: Regenerate /docs using the generate_*.py scripts on: + pull_request: push: branches: [master] @@ -12,6 +13,8 @@ jobs: steps: - name: Pull down repo uses: actions/checkout@v3 + with: + ref: ${{ github.head_ref }} - name: Clean /docs/analytics shell: bash run: rm -rfv ./docs/analytics From f6f2900bc7a71ea440519db9aa760cd3629333ff Mon Sep 17 00:00:00 2001 
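Review bot: this workflow grants `contents: write` and hands that token to a third-party action (`stefanzweifel/git-auto-commit-action@v4`) that is referenced only by a mutable major-version tag; pin it, and `actions/checkout@v3` / `actions/setup-python@v4`, to full commit SHAs so a retagged or compromised release cannot push arbitrary commits to master. Also, `rm -rfv ./docs/analytics` and `rm -rfv ./docs/sensors` run before regeneration, so any hand-maintained file under those directories is deleted on every push to master; either confirm both trees are fully generated or restrict the clean-up to the generated file patterns.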
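Review bot: adding a bare `pull_request:` trigger with `ref: ${{ github.head_ref }}` will not achieve the commit message's goal for fork PRs: on `pull_request` events from a fork the `GITHUB_TOKEN` is read-only, the `contents: write` permission is ignored, and the auto-commit step fails at push time. Same-repository branches work, and `github.head_ref` is empty on `push` events so `actions/checkout` falls back to the pushed commit there, which is fine. If the intent is only to show contributors the regenerated output, run the generators on `pull_request` and upload the diff as an artifact instead of committing.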
From: Amndeep Singh Mann Date: Sun, 19 Feb 2023 09:39:26 -0500 Subject: [PATCH 41/82] change branch --- .github/workflows/regenerate-docs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/regenerate-docs.yml b/.github/workflows/regenerate-docs.yml index c79041a7..d903b050 100644 --- a/.github/workflows/regenerate-docs.yml +++ b/.github/workflows/regenerate-docs.yml @@ -14,7 +14,7 @@ jobs: - name: Pull down repo uses: actions/checkout@v3 with: - ref: ${{ github.head_ref }} + ref: ${{ github.base_ref }} - name: Clean /docs/analytics shell: bash run: rm -rfv ./docs/analytics From 4baf5a4f981a60abb53549e1b39e9d87f6472a9d Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Sun, 19 Feb 2023 09:42:02 -0500 Subject: [PATCH 42/82] change branch --- .github/workflows/regenerate-docs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/regenerate-docs.yml b/.github/workflows/regenerate-docs.yml index d903b050..0e818dac 100644 --- a/.github/workflows/regenerate-docs.yml +++ b/.github/workflows/regenerate-docs.yml @@ -14,7 +14,7 @@ jobs: - name: Pull down repo uses: actions/checkout@v3 with: - ref: ${{ github.base_ref }} + ref: ${{ github.ref }} - name: Clean /docs/analytics shell: bash run: rm -rfv ./docs/analytics From 6c0b4c45d8a4ff7b0c283c003442aefd73071bc3 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 20 Feb 2023 00:17:57 -0500 Subject: [PATCH 43/82] hopefully pulls/commits to the fork now --- .github/workflows/regenerate-docs.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/regenerate-docs.yml b/.github/workflows/regenerate-docs.yml index 0e818dac..cacffe54 100644 --- a/.github/workflows/regenerate-docs.yml +++ b/.github/workflows/regenerate-docs.yml @@ -1,7 +1,7 @@ name: Regenerate /docs using the generate_*.py scripts on: - pull_request: + pull_request_target: push: branches: [master] 
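Review bot: `ref: ${{ github.base_ref }}` checks out the PR's target branch, not the PR's changes, so the generators run against master's sources and the resulting commit is pushed straight to the base branch from a pull-request event, bypassing review of the generated output. `github.base_ref` is also empty on `push` events. This moves away from the stated goal of regenerating the PR's own docs.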
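Review bot: on `pull_request` events `github.ref` resolves to `refs/pull/<N>/merge`, a synthetic read-only merge ref, so this checkout gives the merge result but the auto-commit step still cannot push back to it and the job fails at the same point as before. Rather than iterating on `ref` values directly in master, test the checkout/push pair on a scratch repository or branch until it is right.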
@@ -14,7 +14,8 @@ jobs: - name: Pull down repo uses: actions/checkout@v3 with: - ref: ${{ github.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + ref: ${{ github.head_ref }} - name: Clean /docs/analytics shell: bash run: rm -rfv ./docs/analytics From dd0f9d72d751a9ce956b0059f4498a9e4de23228 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 20 Feb 2023 13:33:45 -0500 Subject: [PATCH 44/82] yaml linting dependencies Signed-off-by: Amndeep Singh Mann --- scripts/requirements.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index 37e19029..4e7bb9ed 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -17,3 +17,5 @@ six==1.15.0 termcolor==1.1.0 tzlocal==2.1 urllib3==1.26.5 +yamale==4.0.4 +yamllint==1.29.0 From 4c176706dcc99e9ddad1bb554169ce6b5d97a155 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 20 Feb 2023 14:04:48 -0500 Subject: [PATCH 45/82] Update regenerate-docs.yml --- .github/workflows/regenerate-docs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/regenerate-docs.yml b/.github/workflows/regenerate-docs.yml index cacffe54..55b99e75 100644 --- a/.github/workflows/regenerate-docs.yml +++ b/.github/workflows/regenerate-docs.yml @@ -42,5 +42,6 @@ jobs: uses: stefanzweifel/git-auto-commit-action@v4 with: commit_message: 'Automated commit to rebuild the static site' + commit_options: '--signoff' commit_user_name: 'Build and Push Automation Script' commit_user_email: '<>' From 6d2c662ddc6262e92da4ae81a6febc5dc39d8d52 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 20 Feb 2023 23:30:10 -0500 Subject: [PATCH 46/82] finished linting Signed-off-by: Amndeep Singh Mann --- .github/workflows/lint-yaml.yml | 110 ++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) create mode 100644 .github/workflows/lint-yaml.yml 
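Review bot: this is the classic untrusted-checkout pattern and should not be merged as is. `pull_request_target` runs the workflow in the base repository's context with a read/write `GITHUB_TOKEN` and access to secrets, and this hunk then checks out `${{ github.event.pull_request.head.repo.full_name }}` at `${{ github.head_ref }}`, after which `pip install -r ./scripts/requirements.txt` and `python generate_analytics.py` execute whatever the PR author placed in those files. Any external contributor can therefore run code of their choosing with `contents: write` on this repository. Keep `pull_request_target` only for steps that never execute PR-controlled code, or return this workflow to `pull_request` (read-only token for forks) and perform the commit in a separate `workflow_run` job that checks out trusted code only. Separately, the base repository's `GITHUB_TOKEN` is not authorized to push to a contributor's fork, so the auto-commit to the fork branch will generally fail even if the workflow runs.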
diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml new file mode 100644 index 00000000..0d7d5ff6 --- /dev/null +++ b/.github/workflows/lint-yaml.yml 
@@ -0,0 +1,110 @@ +name: Lint the yaml + +on: + pull_request_target: + push: + branches: [master] + +jobs: + yamllint: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + cache: 'pip' + - name: Install script dependencies + run: pip install -r ./scripts/requirements.txt + - name: Run yamllint + run: yamllint . + analysis-schema: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + cache: 'pip' + - name: Install script dependencies + run: pip install -r ./scripts/requirements.txt + - name: Analysis files need to have their id attribute be the same as their filename + run: exit 0 + datamodel-schema: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + cache: 'pip' + - name: Install script dependencies + run: pip install -r ./scripts/requirements.txt + - name: Analysis files need to have their id attribute be the same as their filename + run: exit 0 + sensor-schema: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + cache: 'pip' + - name: Install script dependencies + run: pip install -r ./scripts/requirements.txt + - name: Analysis files need to have their id attribute be the same as their filename + run: exit 0 + filetype-is-yaml: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Files should be .yaml not .yml and should also be actual files (ex. not directories) + shell: bash + run: find analytics data_model sensors -mindepth 1 -maxdepth 1 \( ! -name "*.yaml" \) -o \( ! 
-type f \) + id-filename-equivalence: + runs-on: ubuntu-latest + steps: + - name: Pull down repo + uses: actions/checkout@v3 + - name: Analytics files need to have their filename be '{id}.yaml' + run: > + ret=0; + for file in analytics/*.yaml; do + echo "Checking $file"; + if ! [ "$(basename $file | sed -e "s/\.yaml$//")" = "$(yq '.id' < $file)" ]; then + echo "Failed"; + ret=1; + fi; + done; + exit "$ret" + - name: Data model files need to have their filename be '{name but fully lowercase and with underscores replacing spaces}.yaml' + run: > + ret=0; + for file in data_model/*.yaml; do + echo "Checking $file"; + if ! [ "$(basename $file | sed -e "s/\.yaml$//")" = "$(yq '.name | downcase | sub(" ", "_")' < $file)" ]; then + echo "Failed"; + ret=1; + fi; + done; + exit "$ret" + - name: Sensor files need to have their filename be '{sensor_name but fully lowercase}_{sensor_version}.yaml' + run: > + ret=0; + for file in sensors/*.yaml; do + echo "Checking $file"; + if ! [ "$(basename $file | sed -e "s/\.yaml$//")" = "$(yq '(.sensor_name | downcase) + "_" + .sensor_version' < $file)" ]; then + echo "Failed"; + ret=1; + fi; + done; + exit "$ret" From 281e0da5b13e71638c3124c8b437256d3a74a591 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 20 Feb 2023 23:42:39 -0500 Subject: [PATCH 47/82] fixed errors in the model yamls Signed-off-by: Amndeep Singh Mann --- data_model/module.yaml | 6 +++--- data_model/user_session.yaml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/data_model/module.yaml b/data_model/module.yaml index 01bc2b58..ff479301 100644 --- a/data_model/module.yaml +++ b/data_model/module.yaml 
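Review bot: three problems in this new workflow. First, the `filetype-is-yaml` job's `find analytics data_model sensors -mindepth 1 -maxdepth 1 \( ! -name "*.yaml" \) -o \( ! -type f \)` only prints offenders; `find` exits 0 whether or not it matched anything, so the job can never fail. Wrap it, e.g. `[ -z "$(find ...)" ]`, or pipe to `grep -q .` and invert the result. Second, the `analysis-schema`, `datamodel-schema` and `sensor-schema` jobs are placeholders: each installs dependencies and then runs `exit 0` under a copy-pasted step name ("Analysis files need to have their id attribute be the same as their filename"), so the `yamale` dependency added in the previous patch is never exercised; either wire in the schema validation or drop the jobs until it exists, since always-green checks give false assurance on PRs. Third, with `pull_request_target` and a default `actions/checkout@v3`, the checkout is the base branch's head rather than the PR's changes, so every job lints master instead of the contribution under review; a lint-only workflow that executes no PR code should use plain `pull_request`, which checks out the PR merge commit. Minor: the `id-filename-equivalence` loops rely on `yq` being present on the runner image rather than installing a pinned version explicitly.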
@@ -1,6 +1,6 @@ --- -name: Library -description: Libraries correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a shared library or module (DLLs in Windows) and their dependencies. +name: Module +description: Modules correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a module and shared libraries (DLLs in Windows) and their dependencies. actions: - name: load description: A module load event occurs when a PE image (dll or exe) is loaded into a process. @@ -45,4 +45,4 @@ fields: example: 50 - name: signature_valid description: Boolean indicator of whether the signature is current and not revoked - example: True \ No newline at end of file + example: True diff --git a/data_model/user_session.yaml b/data_model/user_session.yaml index 11c4c3fa..db865dfd 100755 --- a/data_model/user_session.yaml +++ b/data_model/user_session.yaml @@ -1,6 +1,6 @@ --- -name: User Sesssion -description: User sessions are the user activities undertaken on the computer in the course of conducting standard user actions. +name: User Session +description: User sessions are the user activities undertaken on the computer in the course of conducting standard user actions. test this actions: - name: lock description: The event corresponding to the act of a user locking a machine such that they are still logged into the machine but unable to access it without re-entering credentials, effectively entering the machine into a locked state. From d912dd0a3fe20c0986119e5b4cad39509356fe64 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 21 Feb 2023 00:04:25 -0500 Subject: [PATCH 48/82] fixed yamllint complaints about sensors 
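Review bot: in `data_model/module.yaml`, the new description sentence reads awkwardly ("Each process will have the main image loaded as a module and shared libraries (DLLs in Windows) and their dependencies."); suggest "Each process has its main image loaded as a module, along with its shared libraries (DLLs on Windows) and their dependencies." Renaming `Library` to `Module` so that the lowercased name matches the `module.yaml` filename check is correct, and the added final newline addresses the yamllint complaint.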
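Review bot: in `data_model/user_session.yaml`, the new description line ends with a stray `test this` ("...in the course of conducting standard user actions. test this"); this looks like debugging text left in while checking the lint workflow and should be removed before merge, since it will be rendered into the published data model page. The `Sesssion` to `Session` typo fix is good.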
Signed-off-by: Amndeep Singh Mann --- sensors/autoruns_13.98.yaml | 9 +++++++-- sensors/osquery_4.1.2.yaml | 6 ++++-- sensors/osquery_4.6.0.yaml | 4 +++- sensors/sysmon_10.4.yaml | 18 +++++++++++++----- sensors/sysmon_11.0.yaml | 18 +++++++++++++----- sensors/sysmon_13.yaml | 18 +++++++++++++----- 6 files changed, 53 insertions(+), 20 deletions(-) diff --git a/sensors/autoruns_13.98.yaml b/sensors/autoruns_13.98.yaml index ac356f9d..132e439e 100644 --- a/sensors/autoruns_13.98.yaml +++ b/sensors/autoruns_13.98.yaml @@ -3,7 +3,12 @@ sensor_name: Autoruns sensor_version: 13.98 sensor_developer: Microsoft sensor_url: 'https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx' -sensor_description: 'Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, etc.at is provided as part of the Windows Sysinternals suite of tools. It collects system information while running in the background and supports storing it in the Windows Event Log.' +sensor_description: > + Autoruns reports Explorer shell extensions, toolbars, browser helper objects, + Winlogon notifications, auto-start services, etc. It is provided as part of + the Windows Sysinternals suite of tools. It collects system information while + running in the background and supports storing the data in the Windows Event + Log. mappings: - object: file action: create @@ -93,4 +98,4 @@ mappings: - name - value other_coverage: - - 'CAR-2013-01-002: Autorun Differences' + - 'CAR-2013-01-002: Autorun Differences' diff --git a/sensors/osquery_4.1.2.yaml b/sensors/osquery_4.1.2.yaml index e09d5845..3a654b76 100755 --- a/sensors/osquery_4.1.2.yaml +++ b/sensors/osquery_4.1.2.yaml 
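Review bot: the folded block scalars introduced here (`sensor_description: >`, and likewise the `notes: >` entries in the sysmon files of this patch) use clip chomping, so each value now ends with a trailing newline that the old single-quoted strings did not carry; anything that interpolates `sensor_description` into generated Markdown or compares these strings will see the difference. Use `>-` to fold without the final line break. The wording fix in the Autoruns description (`etc.at is provided` to `etc. It is provided`) is a content change worth its own commit so that a revert of the formatting does not lose it.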
@@ -3,7 +3,9 @@ sensor_name: osquery sensor_version: 4.1.2 sensor_developer: osquery project sensor_url: 'https://osquery.io/' -sensor_description: 'osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data.' +sensor_description: > + osquery exposes an operating system as a high-performance relational database. + This allows you to write SQL-based queries to explore operating system data. mappings: - object: file action: create @@ -133,4 +135,4 @@ mappings: - value - data other_coverage: - - 'N/A' \ No newline at end of file + - 'N/A' diff --git a/sensors/osquery_4.6.0.yaml b/sensors/osquery_4.6.0.yaml index 7c738f55..982ef5ed 100755 --- a/sensors/osquery_4.6.0.yaml +++ b/sensors/osquery_4.6.0.yaml @@ -3,7 +3,9 @@ sensor_name: osquery sensor_version: 4.6.0 sensor_developer: osquery project sensor_url: 'https://osquery.io/' -sensor_description: 'osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data.' +sensor_description: > + osquery exposes an operating system as a high-performance relational database. + This allows you to write SQL-based queries to explore operating system data. mappings: - object: file action: create diff --git a/sensors/sysmon_10.4.yaml b/sensors/sysmon_10.4.yaml index 2b0a7189..fea48d41 100755 --- a/sensors/sysmon_10.4.yaml +++ b/sensors/sysmon_10.4.yaml 
@@ -3,7 +3,11 @@ sensor_name: Sysmon sensor_version: 10.4 sensor_developer: Microsoft sensor_url: 'https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon' -sensor_description: 'Sysmon is a freely available program from Microsoft that is provided as part of the Windows Sysinternals suite of tools. It collects system information while running in the background and supports storing it in the Windows Event Log.' +sensor_description: > + Sysmon is a freely available program from Microsoft that is provided as part + of the Windows Sysinternals suite of tools. It collects system information + while running in the background and supports storing it in the Windows Event + Log. mappings: - object: file action: create @@ -36,7 +40,9 @@ mappings: - signer - object: flow action: start - notes: 'Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% semantically identical to the start of a network flow.' + notes: > + Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% + semantically identical to the start of a network flow. fields: - image_path - pid @@ -87,7 +93,8 @@ mappings: - image_path - object: registry action: add - notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' + notes: > + Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). fields: - fqdn - pid @@ -107,7 +114,8 @@ mappings: - value - object: registry action: remove - notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' + notes: > + Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). fields: - fqdn - pid @@ -127,4 +135,4 @@ mappings: - start_address - start_module other_coverage: - - 'CAR-2019-04-004: Credential Dumping via Mimikatz' + - 'CAR-2019-04-004: Credential Dumping via Mimikatz' diff --git a/sensors/sysmon_11.0.yaml b/sensors/sysmon_11.0.yaml index 592f3cf9..c4a6fec7 100755 --- a/sensors/sysmon_11.0.yaml +++ b/sensors/sysmon_11.0.yaml 
@@ -3,7 +3,11 @@ sensor_name: Sysmon sensor_version: 11.0 sensor_developer: Microsoft sensor_url: 'https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon' -sensor_description: 'Sysmon is a freely available program from Microsoft that is provided as part of the Windows Sysinternals suite of tools. It collects system information while running in the background and supports storing it in the Windows Event Log.' +sensor_description: > + Sysmon is a freely available program from Microsoft that is provided as part + of the Windows Sysinternals suite of tools. It collects system information + while running in the background and supports storing it in the Windows Event + Log. mappings: - object: file action: create @@ -48,7 +52,9 @@ mappings: - signer - object: flow action: start - notes: 'Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% semantically identical to the start of a network flow.' + notes: > + Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% + semantically identical to the start of a network flow. fields: - image_path - pid @@ -101,7 +107,8 @@ mappings: - image_path - object: registry action: add - notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' + notes: > + Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). fields: - fqdn - pid @@ -121,7 +128,8 @@ mappings: - value - object: registry action: remove - notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' + notes: > + Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). fields: - fqdn - pid @@ -141,4 +149,4 @@ mappings: - start_address - start_module other_coverage: - - 'CAR-2019-04-004: Credential Dumping via Mimikatz' + - 'CAR-2019-04-004: Credential Dumping via Mimikatz' diff --git a/sensors/sysmon_13.yaml b/sensors/sysmon_13.yaml index 5c8d5619..699728b7 100644 --- a/sensors/sysmon_13.yaml +++ b/sensors/sysmon_13.yaml 
@@ -3,7 +3,11 @@ sensor_name: Sysmon sensor_version: 13 sensor_developer: Microsoft sensor_url: 'https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon' -sensor_description: 'Sysmon is a freely available program from Microsoft that is provided as part of the Windows Sysinternals suite of tools. It collects system information while running in the background and supports storing it in the Windows Event Log.' +sensor_description: > + Sysmon is a freely available program from Microsoft that is provided as part + of the Windows Sysinternals suite of tools. It collects system information + while running in the background and supports storing it in the Windows Event + Log. mappings: - object: file action: create @@ -53,7 +57,9 @@ mappings: - signature_valid - object: flow action: start - notes: 'Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% semantically identical to the start of a network flow.' + notes: > + Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% + semantically identical to the start of a network flow. fields: - image_path - pid @@ -107,7 +113,8 @@ mappings: - image_path - object: registry action: add - notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' + notes: > + Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). fields: - data - fqdn @@ -140,7 +147,8 @@ mappings: - value - object: registry action: remove - notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' + notes: > + Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). fields: - fqdn - pid @@ -161,4 +169,4 @@ mappings: - start_module - uid other_coverage: - - 'CAR-2019-04-004: Credential Dumping via Mimikatz' + - 'CAR-2019-04-004: Credential Dumping via Mimikatz' From 55cb11fcd361e08e085c68bb2284ac692eb570cb Mon Sep 17 00:00:00 2001 
From: Amndeep Singh Mann Date: Tue, 21 Feb 2023 00:21:03 -0500 Subject: [PATCH 49/82] Revert "fixed yamllint complaints about sensors" This reverts commit d912dd0a3fe20c0986119e5b4cad39509356fe64. --- sensors/autoruns_13.98.yaml | 9 ++------- sensors/osquery_4.1.2.yaml | 6 ++---- sensors/osquery_4.6.0.yaml | 4 +--- sensors/sysmon_10.4.yaml | 18 +++++------------- sensors/sysmon_11.0.yaml | 18 +++++------------- sensors/sysmon_13.yaml | 18 +++++------------- 6 files changed, 20 insertions(+), 53 deletions(-) diff --git a/sensors/autoruns_13.98.yaml b/sensors/autoruns_13.98.yaml index 132e439e..ac356f9d 100644 --- a/sensors/autoruns_13.98.yaml +++ b/sensors/autoruns_13.98.yaml @@ -3,12 +3,7 @@ sensor_name: Autoruns sensor_version: 13.98 sensor_developer: Microsoft sensor_url: 'https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx' -sensor_description: > - Autoruns reports Explorer shell extensions, toolbars, browser helper objects, - Winlogon notifications, auto-start services, etc. It is provided as part of - the Windows Sysinternals suite of tools. It collects system information while - running in the background and supports storing the data in the Windows Event - Log. +sensor_description: 'Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, etc.at is provided as part of the Windows Sysinternals suite of tools. It collects system information while running in the background and supports storing it in the Windows Event Log.' mappings: - object: file action: create @@ -98,4 +93,4 @@ mappings: - name - value other_coverage: - - 'CAR-2013-01-002: Autorun Differences' + - 'CAR-2013-01-002: Autorun Differences' diff --git a/sensors/osquery_4.1.2.yaml b/sensors/osquery_4.1.2.yaml index 3a654b76..e09d5845 100755 --- a/sensors/osquery_4.1.2.yaml +++ b/sensors/osquery_4.1.2.yaml 
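Review bot: reverting the whole of d912dd0a3 brings back the `etc.at is provided` typo in `sensors/autoruns_13.98.yaml`, the trailing whitespace on the `other_coverage` entries and the missing final newline in `sensors/osquery_4.1.2.yaml`, all of which the `yamllint .` step in lint-yaml.yml will flag again. If the revert was prompted by the folded scalars changing the string values, re-apply the patch with `>-` (strip chomping) instead of `>` and keep the typo fix rather than discarding the whole commit.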
@@ -3,9 +3,7 @@ sensor_name: osquery sensor_version: 4.1.2 sensor_developer: osquery project sensor_url: 'https://osquery.io/' -sensor_description: > - osquery exposes an operating system as a high-performance relational database. - This allows you to write SQL-based queries to explore operating system data. +sensor_description: 'osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data.' mappings: - object: file action: create @@ -135,4 +133,4 @@ mappings: - value - data other_coverage: - - 'N/A' + - 'N/A' \ No newline at end of file diff --git a/sensors/osquery_4.6.0.yaml b/sensors/osquery_4.6.0.yaml index 982ef5ed..7c738f55 100755 --- a/sensors/osquery_4.6.0.yaml +++ b/sensors/osquery_4.6.0.yaml @@ -3,9 +3,7 @@ sensor_name: osquery sensor_version: 4.6.0 sensor_developer: osquery project sensor_url: 'https://osquery.io/' -sensor_description: > - osquery exposes an operating system as a high-performance relational database. - This allows you to write SQL-based queries to explore operating system data. +sensor_description: 'osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data.' mappings: - object: file action: create diff --git a/sensors/sysmon_10.4.yaml b/sensors/sysmon_10.4.yaml index fea48d41..2b0a7189 100755 --- a/sensors/sysmon_10.4.yaml +++ b/sensors/sysmon_10.4.yaml 
@@ -3,11 +3,7 @@ sensor_name: Sysmon sensor_version: 10.4 sensor_developer: Microsoft sensor_url: 'https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon' -sensor_description: > - Sysmon is a freely available program from Microsoft that is provided as part - of the Windows Sysinternals suite of tools. It collects system information - while running in the background and supports storing it in the Windows Event - Log. +sensor_description: 'Sysmon is a freely available program from Microsoft that is provided as part of the Windows Sysinternals suite of tools. It collects system information while running in the background and supports storing it in the Windows Event Log.' mappings: - object: file action: create @@ -40,9 +36,7 @@ mappings: - signer - object: flow action: start - notes: > - Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% - semantically identical to the start of a network flow. + notes: 'Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% semantically identical to the start of a network flow.' fields: - image_path - pid @@ -93,8 +87,7 @@ mappings: - image_path - object: registry action: add - notes: > - Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). + notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' fields: - fqdn - pid @@ -114,8 +107,7 @@ mappings: - value - object: registry action: remove - notes: > - Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). + notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' fields: - fqdn - pid @@ -135,4 +127,4 @@ mappings: - start_address - start_module other_coverage: - - 'CAR-2019-04-004: Credential Dumping via Mimikatz' + - 'CAR-2019-04-004: Credential Dumping via Mimikatz' diff --git a/sensors/sysmon_11.0.yaml b/sensors/sysmon_11.0.yaml index c4a6fec7..592f3cf9 100755 --- a/sensors/sysmon_11.0.yaml +++ b/sensors/sysmon_11.0.yaml 
@@ -3,11 +3,7 @@ sensor_name: Sysmon sensor_version: 11.0 sensor_developer: Microsoft sensor_url: 'https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon' -sensor_description: > - Sysmon is a freely available program from Microsoft that is provided as part - of the Windows Sysinternals suite of tools. It collects system information - while running in the background and supports storing it in the Windows Event - Log. +sensor_description: 'Sysmon is a freely available program from Microsoft that is provided as part of the Windows Sysinternals suite of tools. It collects system information while running in the background and supports storing it in the Windows Event Log.' mappings: - object: file action: create @@ -52,9 +48,7 @@ mappings: - signer - object: flow action: start - notes: > - Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% - semantically identical to the start of a network flow. + notes: 'Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% semantically identical to the start of a network flow.' fields: - image_path - pid @@ -107,8 +101,7 @@ mappings: - image_path - object: registry action: add - notes: > - Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). + notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' fields: - fqdn - pid @@ -128,8 +121,7 @@ mappings: - value - object: registry action: remove - notes: > - Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). + notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' fields: - fqdn - pid @@ -149,4 +141,4 @@ mappings: - start_address - start_module other_coverage: - - 'CAR-2019-04-004: Credential Dumping via Mimikatz' + - 'CAR-2019-04-004: Credential Dumping via Mimikatz' diff --git a/sensors/sysmon_13.yaml b/sensors/sysmon_13.yaml index 699728b7..5c8d5619 100644 --- a/sensors/sysmon_13.yaml +++ b/sensors/sysmon_13.yaml 
@@ -3,11 +3,7 @@ sensor_name: Sysmon sensor_version: 13 sensor_developer: Microsoft sensor_url: 'https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon' -sensor_description: > - Sysmon is a freely available program from Microsoft that is provided as part - of the Windows Sysinternals suite of tools. It collects system information - while running in the background and supports storing it in the Windows Event - Log. +sensor_description: 'Sysmon is a freely available program from Microsoft that is provided as part of the Windows Sysinternals suite of tools. It collects system information while running in the background and supports storing it in the Windows Event Log.' mappings: - object: file action: create @@ -57,9 +53,7 @@ mappings: - signature_valid - object: flow action: start - notes: > - Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% - semantically identical to the start of a network flow. + notes: 'Mapped to Event 3: SYSMON_NETWORK_CONNECT, which may not be 100% semantically identical to the start of a network flow.' fields: - image_path - pid @@ -113,8 +107,7 @@ mappings: - image_path - object: registry action: add - notes: > - Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). + notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' fields: - data - fqdn @@ -147,8 +140,7 @@ mappings: - value - object: registry action: remove - notes: > - Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting). + notes: 'Mapped to Event 12: SYSMON_REG_KEY (captures both adding & deleting).' fields: - fqdn - pid @@ -169,4 +161,4 @@ mappings: - start_module - uid other_coverage: - - 'CAR-2019-04-004: Credential Dumping via Mimikatz' + - 'CAR-2019-04-004: Credential Dumping via Mimikatz' From 17c2e8633173a78d816df5dc84eebff908d7a51d Mon Sep 17 00:00:00 2001 
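Review bot: the revert of sensors/autoruns_13.98.yaml reintroduces the typo in `sensor_description` that the reverted commit had fixed alongside the folding: `...auto-start services, etc.at is provided as part of the Windows Sysinternals suite...` should read `etc. It is provided`. The sensors/osquery_4.1.2.yaml hunk likewise drops the trailing newline again (`\ No newline at end of file`). If the intent of the revert is only to restore single-line descriptions, consider keeping those two corrections rather than reverting them wholesale.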
From: Amndeep Singh Mann Date: Tue, 21 Feb 2023 01:54:56 -0500 Subject: [PATCH 50/82] module.yaml was out of date from the docs, 'session' was misspelled in user_session, and then ran yamllint against those directories and fixed them (with the line length rule turned off) 
Signed-off-by: Amndeep Singh Mann --- .yamllint | 5 ++ analytics/CAR-2013-01-002.yaml | 3 +- analytics/CAR-2013-01-003.yaml | 9 ++-- analytics/CAR-2013-02-003.yaml | 1 + analytics/CAR-2013-02-008.yaml | 7 +-- analytics/CAR-2013-02-012.yaml | 7 +-- analytics/CAR-2013-03-001.yaml | 7 +-- analytics/CAR-2013-04-002.yaml | 1 + analytics/CAR-2013-05-002.yaml | 1 + analytics/CAR-2013-05-003.yaml | 3 +- analytics/CAR-2013-05-004.yaml | 1 + analytics/CAR-2013-05-005.yaml | 1 + analytics/CAR-2013-05-009.yaml | 1 + analytics/CAR-2013-07-001.yaml | 1 + analytics/CAR-2013-07-002.yaml | 1 + analytics/CAR-2013-07-005.yaml | 9 ++-- analytics/CAR-2013-08-001.yaml | 9 ++-- analytics/CAR-2013-09-003.yaml | 1 + analytics/CAR-2013-09-005.yaml | 1 + analytics/CAR-2013-10-001.yaml | 11 ++-- analytics/CAR-2013-10-002.yaml | 7 +-- analytics/CAR-2014-02-001.yaml | 7 +-- analytics/CAR-2014-03-001.yaml | 1 + analytics/CAR-2014-03-005.yaml | 7 +-- analytics/CAR-2014-03-006.yaml | 1 + analytics/CAR-2014-04-003.yaml | 13 ++--- analytics/CAR-2014-05-001.yaml | 1 + analytics/CAR-2014-05-002.yaml | 1 + analytics/CAR-2014-07-001.yaml | 1 + analytics/CAR-2014-11-002.yaml | 7 +-- analytics/CAR-2014-11-003.yaml | 9 ++-- analytics/CAR-2014-11-004.yaml | 11 ++-- analytics/CAR-2014-11-005.yaml | 7 +-- analytics/CAR-2014-11-006.yaml | 5 +- analytics/CAR-2014-11-007.yaml | 5 +- analytics/CAR-2014-11-008.yaml | 1 + analytics/CAR-2014-12-001.yaml | 11 ++-- analytics/CAR-2015-04-001.yaml | 1 + analytics/CAR-2015-04-002.yaml | 1 + analytics/CAR-2015-07-001.yaml | 1 + analytics/CAR-2016-03-001.yaml | 23 +++++---- analytics/CAR-2016-03-002.yaml | 15 +++--- analytics/CAR-2016-04-002.yaml | 12 ++--- analytics/CAR-2016-04-003.yaml | 10 ++-- analytics/CAR-2016-04-004.yaml | 7 +-- analytics/CAR-2016-04-005.yaml | 1 + analytics/CAR-2019-04-001.yaml | 16 +++--- analytics/CAR-2019-04-002.yaml | 22 ++++---- analytics/CAR-2019-04-003.yaml | 19 +++---- analytics/CAR-2019-04-004.yaml | 23 ++++----- 
analytics/CAR-2019-07-001.yaml | 2 +- analytics/CAR-2019-07-002.yaml | 18 +++---- analytics/CAR-2019-08-001.yaml | 14 ++--- analytics/CAR-2019-08-002.yaml | 14 ++--- analytics/CAR-2020-05-001.yaml | 4 +- analytics/CAR-2020-05-003.yaml | 10 ++-- analytics/CAR-2020-09-001.yaml | 56 ++++++++++---------- analytics/CAR-2020-09-002.yaml | 54 ++++++++++---------- analytics/CAR-2020-09-003.yaml | 52 +++++++++---------- analytics/CAR-2020-09-004.yaml | 64 +++++++++++------------ analytics/CAR-2020-09-005.yaml | 54 ++++++++++---------- analytics/CAR-2020-11-001.yaml | 11 ++-- analytics/CAR-2020-11-002.yaml | 9 ++-- analytics/CAR-2020-11-003.yaml | 9 ++-- analytics/CAR-2020-11-004.yaml | 21 ++++---- analytics/CAR-2020-11-005.yaml | 9 ++-- analytics/CAR-2020-11-006.yaml | 9 ++-- analytics/CAR-2020-11-007.yaml | 9 ++-- analytics/CAR-2020-11-008.yaml | 9 ++-- analytics/CAR-2020-11-009.yaml | 9 ++-- analytics/CAR-2020-11-010.yaml | 7 +-- analytics/CAR-2020-11-011.yaml | 9 ++-- analytics/CAR-2021-01-001.yaml | 12 ++--- analytics/CAR-2021-01-002.yaml | 6 +-- analytics/CAR-2021-01-003.yaml | 6 +-- analytics/CAR-2021-01-004.yaml | 6 +-- analytics/CAR-2021-01-006.yaml | 32 ++++++------ analytics/CAR-2021-01-007.yaml | 32 ++++++------ analytics/CAR-2021-01-008.yaml | 30 +++++------ analytics/CAR-2021-01-009.yaml | 30 +++++------ analytics/CAR-2021-02-001.yaml | 16 +++--- analytics/CAR-2021-02-002.yaml | 14 ++--- analytics/CAR-2021-04-001.yaml | 10 ++-- analytics/CAR-2021-05-001.yaml | 93 +++++++++++++++++----------------- analytics/CAR-2021-05-002.yaml | 90 ++++++++++++++++---------------- analytics/CAR-2021-05-003.yaml | 83 +++++++++++++++--------------- analytics/CAR-2021-05-004.yaml | 87 +++++++++++++++---------------- analytics/CAR-2021-05-005.yaml | 93 +++++++++++++++++----------------- analytics/CAR-2021-05-006.yaml | 83 +++++++++++++++--------------- analytics/CAR-2021-05-007.yaml | 83 +++++++++++++++--------------- analytics/CAR-2021-05-008.yaml | 82 
+++++++++++++++--------------- analytics/CAR-2021-05-009.yaml | 83 +++++++++++++++--------------- analytics/CAR-2021-05-010.yaml | 93 +++++++++++++++++----------------- analytics/CAR-2021-05-011.yaml | 89 ++++++++++++++++---------------- analytics/CAR-2021-05-012.yaml | 85 ++++++++++++++++--------------- analytics/CAR-2021-11-001.yaml | 15 +++--- analytics/CAR-2021-11-002.yaml | 23 +++++---- analytics/CAR-2021-12-001.yaml | 23 +++++---- analytics/CAR-2021-12-002.yaml | 25 ++++----- analytics/CAR-2022-03-001.yaml | 56 ++++++++++---------- data_model/authentication.yaml | 3 +- data_model/driver.yaml | 2 +- data_model/email.yaml | 19 +------ data_model/file.yaml | 2 +- data_model/flow.yaml | 2 +- data_model/http.yaml | 20 +------- data_model/module.yaml | 2 +- data_model/process.yaml | 2 +- data_model/service.yaml | 2 +- data_model/socket.yaml | 21 +------- data_model/user_session.yaml | 3 +- sensors/autoruns_13.98.yaml | 2 +- sensors/osquery_4.1.2.yaml | 2 +- sensors/sysmon_10.4.yaml | 2 +- sensors/sysmon_11.0.yaml | 2 +- sensors/sysmon_13.yaml | 2 +- 116 files changed, 1131 insertions(+), 1116 deletions(-) create mode 100644 .yamllint diff --git a/.yamllint b/.yamllint new file mode 100644 index 00000000..75da2b70 --- /dev/null +++ b/.yamllint @@ -0,0 +1,5 @@ +--- +extends: default + +rules: + line-length: disable diff --git a/analytics/CAR-2013-01-002.yaml b/analytics/CAR-2013-01-002.yaml index 21f264af..53eeaf2b 100644 --- a/analytics/CAR-2013-01-002.yaml +++ b/analytics/CAR-2013-01-002.yaml @@ -1,3 +1,4 @@ +--- title: Autorun Differences submission_date: 2013/01/25 information_domain: 'Analytic, Host' 
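Review bot: `line-length: disable` in the new `.yamllint` turns the rule off entirely rather than raising its limit, so over-long lines in the long `description` and `code` blocks will never be flagged again; a generous `max` with `allow-non-breakable-words: true` would still let URLs and pseudocode through while catching the rest. The `+---` document-start markers added across the analytics files are what the `default` ruleset's `document-start` rule requires, so those hunks are consistent with `extends: default`.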
@@ -11,7 +12,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-01-002 -description: |- +description: | The Sysinternals tool [Autoruns](../sensors/autoruns) checks the registry and file system for known identify persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain [Persistence](https://attack.mitre.org/tactics/TA0003). Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired. Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative. diff --git a/analytics/CAR-2013-01-003.yaml b/analytics/CAR-2013-01-003.yaml index da1c5c6f..5d81ab3a 100644 --- a/analytics/CAR-2013-01-003.yaml +++ b/analytics/CAR-2013-01-003.yaml @@ -1,3 +1,4 @@ +--- title: SMB Events Monitoring submission_date: 2013/01/25 information_domain: Network 
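Review bot: the `-description: |-` / `+description: |` change is semantic, not cosmetic: `|-` strips the final newline from the block scalar, while `|` keeps one, so every description (and, later in this patch, every `code:` block) now ends with `\n`. yamllint does not object to `|-`, so this is not required by the linter; confirm that the docs generator and any consumers comparing or rendering these strings tolerate the trailing newline before applying it across all 116 files.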
@@ -10,8 +11,8 @@ analytic_types: contributors: - MITRE id: CAR-2013-01-003 -description: |- - [Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise. +description: | + [Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. 
In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise. ### Output Description @@ -28,8 +29,8 @@ coverage: - T1021.002 coverage: Moderate implementations: - - description: 'Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved. ' - code: |- + - description: 'Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved.' + code: | flow = search Flow:Message smb_events = filter flow where (dest_port == "445" and protocol == "smb") smb_events.file_name = smb_events.proto_info.file_name diff --git a/analytics/CAR-2013-02-003.yaml b/analytics/CAR-2013-02-003.yaml index f6e6fb2c..1c93c302 100644 --- a/analytics/CAR-2013-02-003.yaml +++ b/analytics/CAR-2013-02-003.yaml @@ -1,3 +1,4 @@ +--- title: Processes Spawning cmd.exe submission_date: 2013/02/05 information_domain: Host diff --git a/analytics/CAR-2013-02-008.yaml b/analytics/CAR-2013-02-008.yaml index 431f0b13..0e598289 100644 --- a/analytics/CAR-2013-02-008.yaml +++ b/analytics/CAR-2013-02-008.yaml @@ -1,3 +1,4 @@ +--- title: Simultaneous Logins on a Host submission_date: 2013/02/18 information_domain: Host 
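Review bot: the CAR-2013-01-003 description hunk rewrites the line that contains the Wikipedia link `https://en.wikipedia.org/wiki/Server_Message Block`, which has a space where the underscore should be and so does not resolve; since the line is already touched on both sides of the hunk, change it to `Server_Message_Block` here. The trailing-space removal in the implementations `description:` string is correct.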
@@ -12,7 +13,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-02-008 -description: |- +description: | Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. @@ -26,10 +27,10 @@ coverage: - T1078.003 coverage: Low implementations: - - code: |- + - code: | users_list = search UserSession:Login users_grouped = group users_list by hostname - users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count + users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1) output multiple_logins type: pseudocode diff --git a/analytics/CAR-2013-02-012.yaml b/analytics/CAR-2013-02-012.yaml index 23992cfa..12e62d6f 100644 --- a/analytics/CAR-2013-02-012.yaml +++ b/analytics/CAR-2013-02-012.yaml @@ -1,3 +1,4 @@ +--- title: User Logged in to Multiple Hosts submission_date: 2013/02/27 information_domain: Host @@ -12,7 +13,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-02-012 -description: |- +description: | Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certain users will likely appear as being logged into several machines and may need to be "whitelisted." Such users would include network admins or user names that are common to many hosts. 
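Review bot: the CAR-2013-02-008 pseudocode line `users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count` is changed (whitespace) but still lacks the separator between `latest_time` and `count(user)`; it should read `max(time) as latest_time, count(user) as user_count` to match the comma-separated select list it starts with.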
@@ -25,8 +26,8 @@ coverage: tactics: - TA0008 subtechniques: - - T1078.002 - - T1078.003 + - T1078.002 + - T1078.003 coverage: Moderate d3fend_mappings: - iri: d3f:AuthenticationEventThresholding diff --git a/analytics/CAR-2013-03-001.yaml b/analytics/CAR-2013-03-001.yaml index 6d836429..e4a88bdb 100644 --- a/analytics/CAR-2013-03-001.yaml +++ b/analytics/CAR-2013-03-001.yaml @@ -1,3 +1,4 @@ +--- title: Reg.exe called from Command Shell submission_date: 2013/03/28 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-03-001 -description: |- +description: | Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via `regedit.exe` or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility `reg.exe` provides a [command-line interface](https://en.wikipedia.org/wiki/Command-line_interface) to the registry, so that queries and modifications can be performed from a shell, such as `cmd.exe`. When a user is responsible for these actions, the parent of `cmd.exe` will likely be `explorer.exe`. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly. ### Output Description @@ -45,7 +46,7 @@ coverage: coverage: Moderate implementations: - description: 'To gain better context, it may be useful to also get information about the cmd process to know its parent. This may be helpful when tuning the analytic to an environment, if this behavior happens frequently. This may also help to rule out instances of users running ' - code: |- + code: | processes = search Process:Create reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe") cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"") 
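Review bot: the CAR-2013-03-001 implementation hunk leaves two defects in the surrounding lines untouched: the pseudocode `cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"")` has a stray closing quote after `explorer.exe`, and the implementation `description:` string ends mid-sentence with `...rule out instances of users running ` (trailing space inside the quotes). Fix the quote, and either complete or trim the sentence, while this block is being edited.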
@@ -53,7 +54,7 @@ implementations: output reg_and_cmd type: pseudocode - description: DNIF version of the above pseudocode. - code: |- + code: | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*reg\.exe.*)i AND $ParentProcess=regex(.*cmd\.exe.*)i as #A limit 100 >>_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*cmd\.exe.*)i NOT $ParentProcess=regex(.*explorer\.exe.*)i as #B limit 100 >>_checkif sjoin #B.$PPID = #A.$CPID str_compare #B.$SystemName eq #A.$SystemName include diff --git a/analytics/CAR-2013-04-002.yaml b/analytics/CAR-2013-04-002.yaml index 895f76ad..dfe68372 100644 --- a/analytics/CAR-2013-04-002.yaml +++ b/analytics/CAR-2013-04-002.yaml @@ -1,3 +1,4 @@ +--- title: Quick execution of a series of suspicious commands submission_date: 2013/04/11 information_domain: 'Analytic, Host' diff --git a/analytics/CAR-2013-05-002.yaml b/analytics/CAR-2013-05-002.yaml index 1b99a8a4..be7701c9 100644 --- a/analytics/CAR-2013-05-002.yaml +++ b/analytics/CAR-2013-05-002.yaml @@ -1,3 +1,4 @@ +--- title: Suspicious Run Locations submission_date: 2013/05/07 information_domain: Host diff --git a/analytics/CAR-2013-05-003.yaml b/analytics/CAR-2013-05-003.yaml index bb292ac0..cd47a75e 100644 --- a/analytics/CAR-2013-05-003.yaml +++ b/analytics/CAR-2013-05-003.yaml @@ -1,3 +1,4 @@ +--- title: SMB Write Request submission_date: 2013/05/13 information_domain: 'Host, Network' @@ -35,7 +36,7 @@ coverage: - T1078.003 coverage: Moderate implementations: - - code: |- + - code: | flow = search Flow:Message smb_write = filter flow where (dest_port == "445" and protocol == "smb.write") smb_write.file_name = smb_write.proto_info.file_name diff --git a/analytics/CAR-2013-05-004.yaml b/analytics/CAR-2013-05-004.yaml index 791b5e1f..4c5b2b50 100644 --- a/analytics/CAR-2013-05-004.yaml +++ b/analytics/CAR-2013-05-004.yaml 
@@ -1,3 +1,4 @@ +--- title: Execution with AT submission_date: 2013/05/13 information_domain: Host diff --git a/analytics/CAR-2013-05-005.yaml b/analytics/CAR-2013-05-005.yaml index 2f13f84d..16a8c2fc 100644 --- a/analytics/CAR-2013-05-005.yaml +++ b/analytics/CAR-2013-05-005.yaml @@ -1,3 +1,4 @@ +--- title: SMB Copy and Execution submission_date: 2013/05/13 information_domain: 'Host, Network' diff --git a/analytics/CAR-2013-05-009.yaml b/analytics/CAR-2013-05-009.yaml index bcd79aeb..1e02ee42 100644 --- a/analytics/CAR-2013-05-009.yaml +++ b/analytics/CAR-2013-05-009.yaml @@ -1,3 +1,4 @@ +--- title: Running executables with same hash and different names submission_date: 2013/05/23 information_domain: Host diff --git a/analytics/CAR-2013-07-001.yaml b/analytics/CAR-2013-07-001.yaml index 0f013346..698dfc60 100644 --- a/analytics/CAR-2013-07-001.yaml +++ b/analytics/CAR-2013-07-001.yaml @@ -1,3 +1,4 @@ +--- title: Suspicious Arguments submission_date: 2013/07/05 information_domain: Host diff --git a/analytics/CAR-2013-07-002.yaml b/analytics/CAR-2013-07-002.yaml index 613919fe..fa914804 100644 --- a/analytics/CAR-2013-07-002.yaml +++ b/analytics/CAR-2013-07-002.yaml @@ -1,3 +1,4 @@ +--- title: RDP Connection Detection submission_date: 2013/07/24 information_domain: 'Analytic, Network' diff --git a/analytics/CAR-2013-07-005.yaml b/analytics/CAR-2013-07-005.yaml index 8cbc5245..58b9fb34 100644 --- a/analytics/CAR-2013-07-005.yaml +++ b/analytics/CAR-2013-07-005.yaml @@ -1,3 +1,4 @@ +--- title: Command Line Usage of Archiving Software submission_date: 2013/07/31 information_domain: Host 
@@ -12,7 +13,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-07-005 -description: |- +description: | Before [exfiltrating data](https://attack.mitre.org/tactics/TA0010) that an adversary has [collected](https://attack.mitre.org/tactics/TA0009), it is very likely that a [compressed archive](https://attack.mitre.org/techniques/T1560) will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored. In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "`\* a \*`". This is helpful, as adversaries may change program names. @@ -25,18 +26,18 @@ coverage: coverage: Moderate implementations: - description: 'This analytic looks for the command line argument `a`, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out.' - code: |- + code: | processes = search Process:Create rar_argument = filter processes where (command_line == "* a *") output rar_argument type: pseudocode - description: DNIF version of the above pseudocode. - code: |- + code: | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.* a .*)i limit 100 type: DNIF data_model: Sysmon native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 command="* a *" type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2013-08-001.yaml b/analytics/CAR-2013-08-001.yaml index f89e5c10..f8a894ce 100644 --- a/analytics/CAR-2013-08-001.yaml +++ b/analytics/CAR-2013-08-001.yaml @@ -1,3 +1,4 @@ +--- title: Execution with schtasks submission_date: 2013/08/07 information_domain: Host 
@@ -20,18 +21,18 @@ coverage: coverage: Moderate implementations: - description: 'Look for instances of `schtasks.exe` running as processes. The `command_line` field is necessary to disambiguate between types of schtasks commands. These include the flags `/create`, `/run`, `/query`, `/delete`, `/change`, and `/end`.' - code: |- + code: | process = search Process:Create schtasks = filter process where (exe == "schtasks.exe") output schtasks type: pseudocode - description: DNIF version of the above pseudocode. - code: |- + code: | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=schtasks.exe AND $Process=regex(.*(\/create|\/run|\/query|\/delete|\/change|\/end).*)i limit 100 type: DNIF data_model: Sysmon native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="*\schtasks.exe" command IN ["*/create*", "*/run*", "*/query*", "*/delete*", "*/change*", "*/end*"] type: LogPoint data_model: LogPoint native @@ -41,7 +42,7 @@ data_model_references: unit_tests: - configurations: - Windows 7 - description: |- + description: | Create a new scheduled task with schtasks.exe and verify the analytic fires when the task executes. * From an admin account, open Windows command prompt (right click, run as administrator) * Execute `schtasks /Create /SC ONCE /ST 19:00 /TR C:\Windows\System32\calc.exe /TN calctask`, substituting a time in the near future for 19:00 diff --git a/analytics/CAR-2013-09-003.yaml b/analytics/CAR-2013-09-003.yaml index 4d877398..30babcfa 100644 --- a/analytics/CAR-2013-09-003.yaml +++ b/analytics/CAR-2013-09-003.yaml @@ -1,3 +1,4 @@ +--- title: SMB Session Setups submission_date: 2013/09/12 information_domain: Network diff --git a/analytics/CAR-2013-09-005.yaml b/analytics/CAR-2013-09-005.yaml index 237b11df..d72a51b0 100644 --- a/analytics/CAR-2013-09-005.yaml +++ b/analytics/CAR-2013-09-005.yaml 
@@ -1,3 +1,4 @@ +--- title: Service Outlier Executables submission_date: 2013/09/23 information_domain: Host diff --git a/analytics/CAR-2013-10-001.yaml b/analytics/CAR-2013-10-001.yaml index 00856f4a..941c16e3 100644 --- a/analytics/CAR-2013-10-001.yaml +++ b/analytics/CAR-2013-10-001.yaml @@ -1,7 +1,8 @@ +--- title: User Login Activity Monitoring submission_date: 2013/10/03 information_domain: 'Host, Network' -platforms: +platforms: - Windows - Linux - macOS @@ -13,7 +14,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-10-001 -description: |- +description: | Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere. Could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. @@ -39,7 +40,7 @@ coverage: implementations: - name: Account Logon with Filtering description: This base pseudocode looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. - code: |- + code: | logon_events = search User_Session:Login filtered_logons = filter logon_events where ( user NOT IN TOP30(user)) 
@@ -47,12 +48,12 @@ implementations: type: Pseudocode - name: Account Logon with Filtering description: Splunk version of the above pseudocode. NOTE - this is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out. - code: |- + code: | index=__your_win_event_log_index__ EventCode=4624|search NOT [search index=__your_win_event_log_index__ EventCode=4624|top 30 Account_Name|table Account_Name] type: Splunk - name: Account Logon with Filtering description: DNIF version of the above pseudocode. - code: |- + code: | _fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN group count_unique $ScopeID, $User limit 30 >>_store in_disk david_test win_top_30 stack_replace >>_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN limit 10000 diff --git a/analytics/CAR-2013-10-002.yaml b/analytics/CAR-2013-10-002.yaml index e8771801..cb6d6c99 100644 --- a/analytics/CAR-2013-10-002.yaml +++ b/analytics/CAR-2013-10-002.yaml @@ -1,3 +1,4 @@ +--- title: DLL Injection via Load Library submission_date: 2013/10/07 information_domain: Host 
@@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2013-10-002 -description: |- +description: | Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process [csrss.exe](https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem) creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to [inject DLLs](https://attack.mitre.org/techniques/T1055), but for very different purposes. An adversary is likely to inject into a program to [evade defenses](https://attack.mitre.org/tactics/TA0005) or [bypass User Account Control](https://attack.mitre.org/techniques/T1548/002), but a security program might do this to gain increased monitoring of API calls. One of the most common methods of [DLL Injection](https://attack.mitre.org/techniques/T1055) is through the Windows API [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx). - Allocate memory in the target program with [VirtualAllocEx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890.aspx) 
@@ -33,7 +34,7 @@ coverage: coverage: Moderate implementations: - description: 'Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. ' - code: |- + code: | remote_thread = search Thread:RemoteCreate remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW") remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe") @@ -41,7 +42,7 @@ implementations: output remote_thread type: pseudocode - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe" type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2014-02-001.yaml b/analytics/CAR-2014-02-001.yaml index db26f0b9..6ae17df4 100644 --- a/analytics/CAR-2014-02-001.yaml +++ b/analytics/CAR-2014-02-001.yaml @@ -1,3 +1,4 @@ +--- title: Service Binary Modifications submission_date: 2014/02/14 information_domain: Host @@ -11,7 +12,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-02-001 -description: |- +description: | Adversaries may modify the binary file for an existing service to achieve [Persistence](https://attack.mitre.org/tactics/TA0003) while potentially [evading defenses](https://attack.mitre.org/tactics/TA0005). If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications. ### Output Description 
@@ -40,14 +41,14 @@ coverage: coverage: Moderate implementations: - description: 'Look for events where a file was created and then later run as a service. In these cases, a new service has been created or the binary has been modified. Many programs, such as `msiexec.exe`, do these behaviors legitimately and can be used to help validate legitimate service creations/modifications.' - code: |- + code: | legitimate_installers = ["C:\windows\system32\msiexec.exe", "C:\windows\syswow64\msiexec.exe", ...] file_change = search File:Create,Modify process = search Process:Create service_process = filter processes where (parent_exe == "services.exe") modified_service = join (search, filter) where ( - file_change.time < service_process.time and + file_change.time < service_process.time and file_change.file_path == service_process.image_path ) diff --git a/analytics/CAR-2014-03-001.yaml b/analytics/CAR-2014-03-001.yaml index 1f24bb21..15948a46 100644 --- a/analytics/CAR-2014-03-001.yaml +++ b/analytics/CAR-2014-03-001.yaml @@ -1,3 +1,4 @@ +--- title: SMB Write Request - NamedPipes submission_date: 2014/03/03 information_domain: 'Host, Network' diff --git a/analytics/CAR-2014-03-005.yaml b/analytics/CAR-2014-03-005.yaml index 17887cbc..4eb4b626 100644 --- a/analytics/CAR-2014-03-005.yaml +++ b/analytics/CAR-2014-03-005.yaml @@ -1,3 +1,4 @@ +--- title: Remotely Launched Executables via Services submission_date: 2014/03/18 information_domain: 'Host, Network' 
@@ -11,8 +12,8 @@ analytic_types: contributors: - MITRE id: CAR-2014-03-005 -description: |- - There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality. +description: | + There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality. When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the [RPC Endpoint Mapper](../CAR-2014-05-001) over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on `services.exe`. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command. @@ -32,7 +33,7 @@ coverage: coverage: Moderate implementations: - description: 'Look for processes launched from `services.exe` within 1 second of services.exe receiving a network connection.' - code: |- + code: | process = search Process:Create flow = search Flow:Start service = filter process where (parent_exe == "services.exe") diff --git a/analytics/CAR-2014-03-006.yaml b/analytics/CAR-2014-03-006.yaml index 99dd7772..b88fdfe8 100644 --- a/analytics/CAR-2014-03-006.yaml +++ b/analytics/CAR-2014-03-006.yaml 
@@ -1,3 +1,4 @@ +--- title: RunDLL32.exe monitoring submission_date: 2014/03/28 information_domain: Host diff --git a/analytics/CAR-2014-04-003.yaml b/analytics/CAR-2014-04-003.yaml index f5918290..edfe925f 100644 --- a/analytics/CAR-2014-04-003.yaml +++ b/analytics/CAR-2014-04-003.yaml @@ -1,3 +1,4 @@ +--- title: Powershell Execution submission_date: 2014/04/11 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-04-003 -description: |- +description: | [PowerShell](https://attack.mitre.org/techniques/T1059/001/) is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. Powershell can be used to hide monitored command line execution such as: 
@@ -31,29 +32,29 @@ coverage: coverage: Moderate implementations: - description: 'Look for versions of `PowerShell` that were not launched interactively.' - code: |- + code: | process = search Process:Create powershell = filter process where (exe == "powershell.exe" AND parent_exe != "explorer.exe" ) output powershell type: pseudocode - description: Splunk version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\powershell.exe" ParentImage!="C:\\Windows\\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName type: Splunk data_model: Sysmon native - description: EQL version of the above pseudocode. - code: |- + code: | process where subtype.create and (process_name == "powershell.exe" and parent_process_name != "explorer.exe") type: EQL data_model: EQL native - description: DNIF version of the above pseudocode. - code: |- + code: | _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=powershell.exe NOT $ParentProcess=regex(.*explorer.exe.*)i limit 30 type: DNIF data_model: Sysmon native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="*\powershell.exe" -parent_image="C:\Windows\explorer.exe" type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2014-05-001.yaml b/analytics/CAR-2014-05-001.yaml index a9e8e43e..f98f9c21 100644 --- a/analytics/CAR-2014-05-001.yaml +++ b/analytics/CAR-2014-05-001.yaml @@ -1,3 +1,4 @@ +--- title: RPC Activity submission_date: 2014/05/01 information_domain: Network diff --git a/analytics/CAR-2014-05-002.yaml b/analytics/CAR-2014-05-002.yaml index 183f25c4..d783a870 100644 --- a/analytics/CAR-2014-05-002.yaml +++ b/analytics/CAR-2014-05-002.yaml @@ -1,3 +1,4 @@ +--- title: Services launching Cmd submission_date: 2014/05/05 information_domain: Host 
diff --git a/analytics/CAR-2014-07-001.yaml b/analytics/CAR-2014-07-001.yaml index 49942a64..7ada440b 100644 --- a/analytics/CAR-2014-07-001.yaml +++ b/analytics/CAR-2014-07-001.yaml @@ -1,3 +1,4 @@ +--- title: Service Search Path Interception submission_date: 2014/07/17 information_domain: Host diff --git a/analytics/CAR-2014-11-002.yaml b/analytics/CAR-2014-11-002.yaml index ab3575ed..6679b7b5 100644 --- a/analytics/CAR-2014-11-002.yaml +++ b/analytics/CAR-2014-11-002.yaml @@ -1,3 +1,4 @@ +--- title: Outlier Parents of Cmd submission_date: 2014/11/06 information_domain: Host @@ -11,10 +12,10 @@ analytic_types: contributors: - MITRE id: CAR-2014-11-002 -description: |- +description: | Many programs create command prompts as part of their normal operation including malware used by attackers. This analytic attempts to identify suspicious programs spawning `cmd.exe` by looking for programs that do not normally create `cmd.exe`. - While this analytic does not take the user into account, doing so could generate further interesting results. + While this analytic does not take the user into account, doing so could generate further interesting results. It is very common for some programs to spawn cmd.exe as a subprocess, for example to run batch files or windows commands. However many process don’t routinely launch a command prompt – for example Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one. 
@@ -31,7 +32,7 @@ coverage: coverage: Moderate implementations: - description: 'Create a baseline of parents of `cmd.exe` seen over the last 30 days and a list of parents of `cmd.exe` seen today. Remove parents in the baseline from parents seen today, leaving a list of new parents.' - code: |- + code: | processes = search Process:Create cmd = filter processes where (exe == "cmd.exe") cmd = from cmd select parent_exe diff --git a/analytics/CAR-2014-11-003.yaml b/analytics/CAR-2014-11-003.yaml index a6e11f36..323defb4 100644 --- a/analytics/CAR-2014-11-003.yaml +++ b/analytics/CAR-2014-11-003.yaml @@ -1,3 +1,4 @@ +--- title: Debuggers for Accessibility Applications submission_date: 2014/11/21 information_domain: Host 
@@ -10,8 +11,8 @@ analytic_types: contributors: - MITRE id: CAR-2014-11-003 -description: |- - The Windows Registry location `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for [Accessibility Applications](https://attack.mitre.org/techniques/T1546/008). The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set. +description: | + The Windows Registry location `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for [Accessibility Applications](https://attack.mitre.org/techniques/T1546/008). The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set. This analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. 
Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility. coverage: @@ -24,13 +25,13 @@ coverage: coverage: Moderate implementations: - description: 'One simple way to implement this technique is to note that in a default Windows configuration there are no spaces in the path to the `system32` folder. If the accessibility programs are ever run with a Debugger set, then Windows will launch the Debugger process and append the command line to the accessibility program. As a result, a space is inserted in the command line before the path. Looking for any instances of a space in the command line before the name of an accessibility program will help identify when Debuggers are set.' - code: |- + code: | process = search Process:Create debuggers = filter process where (command_line match "$.* .*(sethc{{pipe}}utilman{{pipe}}osk{{pipe}}narrator{{pipe}}magnify)\.exe") output debuggers type: pseudocode - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 command IN ["$* *sethc.exe", "$* *utilman.exe", "$* *osk.exe", "$* *narrator.exe", "$* *magnify.exe"] type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2014-11-004.yaml b/analytics/CAR-2014-11-004.yaml index 2d0fbb94..2f1a534d 100644 --- a/analytics/CAR-2014-11-004.yaml +++ b/analytics/CAR-2014-11-004.yaml @@ -1,3 +1,4 @@ +--- title: Remote PowerShell Sessions submission_date: 2014/11/19 information_domain: 'Host, Network' 
@@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-11-004 -description: |- +description: | According to [ATT&CK](https://attack.mitre.org/), [PowerShell](https://attack.mitre.org/techniques/T1059/001) can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command `Enter-PSSession -ComputerName \` creates a remote PowerShell session. @@ -28,18 +29,18 @@ coverage: - T1021.006 coverage: Moderate implementations: - - code: |- + - code: | process = search Process:Create wsmprovhost = filter process where (exe == "wsmprovhost.exe" and parent_exe == "svchost.exe") type: pseudocode - description: EQL version of the above pseudocode. - code: |- + code: | process where subtype.create and - (process_name == "wsmprovhost.exe" and parent_process_name == "svchost.exe") + (process_name == "wsmprovhost.exe" and parent_process_name == "svchost.exe") type: EQL data_model: EQL native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="*\wsmprovhost.exe" parent_image="*\svchost.exe" type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2014-11-005.yaml b/analytics/CAR-2014-11-005.yaml index 1e65cf78..b7353054 100644 --- a/analytics/CAR-2014-11-005.yaml +++ b/analytics/CAR-2014-11-005.yaml @@ -1,3 +1,4 @@ +--- title: Remote Registry submission_date: 2014/11/19 information_domain: 'Host, Network' 
@@ -11,7 +12,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-11-005 -description: |- +description: | An adversary can remotely [manipulate the registry](https://attack.mitre.org/techniques/T1112) of another machine if the RemoteRegistry service is enabled and valid credentials are obtained. While the registry is remotely accessed, it can be used to prepare a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique, [discover](https://attack.mitre.org/tactics/TA0007) the configuration of a host, achieve [Persistence](https://attack.mitre.org/tactics/TA0003), or anything that aids an adversary in achieving the mission. Like most ATT&CK techniques, this behavior can be used legitimately, and the reliability of an analytic depends on the proper identification of the pre-existing legitimate behaviors. Although this behavior is disabled in many Windows configurations, it is possible to [remotely enable](https://attack.mitre.org/techniques/T1569/002) the RemoteRegistry service, which can be detected with [CAR-2014-03-005](../CAR-2014-03-005). Remote access to the registry can be achieved via @@ -19,7 +20,7 @@ description: |- - Windows API function [RegConnectRegistry](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724840.aspx) - command line via `reg.exe` - graphically via `regedit.exe` - + All of these behaviors call into the Windows API, which uses the NamedPipe `WINREG` over SMB to handle the protocol information. This network can be decoded with wireshark or a similar sensor, and can also be detected by hooking the API function. coverage: - technique: T1112 @@ -27,7 +28,7 @@ coverage: - TA0005 coverage: Moderate implementations: - - code: |- + - code: | flows = search Flow:Message winreg = filter flows where (dest_port == 445 and proto_info.pipe == "WINREG") winreg_modify = filter flows where (proto_info.function == "Create*" or proto_info.function == "SetValue*") 
diff --git a/analytics/CAR-2014-11-006.yaml b/analytics/CAR-2014-11-006.yaml index 6569063f..2da7d7f9 100644 --- a/analytics/CAR-2014-11-006.yaml +++ b/analytics/CAR-2014-11-006.yaml @@ -1,3 +1,4 @@ +--- title: Windows Remote Management (WinRM) submission_date: 2014/11/19 information_domain: 'Host, Network' @@ -20,8 +21,8 @@ coverage: - T1021.006 coverage: Moderate implementations: - - description: 'Look for network connections to port 5985 and 5986. To really decipher what is going on, these outputs should be fed into something that can do packet analysis. ' - code: |- + - description: 'Look for network connections to port 5985 and 5986. To really decipher what is going on, these outputs should be fed into something that can do packet analysis.' + code: | flow = search Flow:Start winrm = filter flow where (dest_port == 5985) winrm_s = filter flow where (dest_port == 5986) diff --git a/analytics/CAR-2014-11-007.yaml b/analytics/CAR-2014-11-007.yaml index 29c7c5ee..fbf94b55 100644 --- a/analytics/CAR-2014-11-007.yaml +++ b/analytics/CAR-2014-11-007.yaml @@ -1,3 +1,4 @@ +--- title: Remote Windows Management Instrumentation (WMI) over RPC submission_date: 2014/11/19 information_domain: 'Host, Network' 
@@ -12,7 +13,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-11-007 -description: |- +description: | As described in ATT&CK, an adversary can use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to view or manipulate objects on a remote host. It can be used to remotely edit configuration, start services, query files, and anything that can be done with a WMI class. When remote WMI requests are over RPC ([CAR-2014-05-001](../CAR-2014-05-001)), it connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as [Event Tracing for Windows](https://msdn.microsoft.com/en-us/library/windows/desktop/bb968803.aspx). Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected. Although the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. @@ -28,7 +29,7 @@ coverage: coverage: Moderate implementations: - description: 'To detect WMI over RPC (using DCOM), a sensor needs to exist that has the insight into individual connections and can actually decode and make sense of RPC traffic. Specifically, WMI can be detected by looking at RPC traffic where the target interface matches that of WMI, which is IRemUnknown2. ' - code: |- + code: | flows = search Flow:Message wmi_flow = filter flows where (dest_port == 135 and proto_info.rpc_interface == "IRemUnknown2") output wmi_flow diff --git a/analytics/CAR-2014-11-008.yaml b/analytics/CAR-2014-11-008.yaml index ad43b82a..dac63175 100644 --- a/analytics/CAR-2014-11-008.yaml 
+++ b/analytics/CAR-2014-11-008.yaml @@ -1,3 +1,4 @@ +--- title: Command Launched from WinLogon submission_date: 2014/11/19 information_domain: Host diff --git a/analytics/CAR-2014-12-001.yaml b/analytics/CAR-2014-12-001.yaml index 8f13dfa6..892a2c06 100644 --- a/analytics/CAR-2014-12-001.yaml +++ b/analytics/CAR-2014-12-001.yaml @@ -1,3 +1,4 @@ +--- title: Remotely Launched Executables via WMI submission_date: 2014/12/02 information_domain: 'Host, Network' @@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2014-12-001 -description: |- +description: | Adversaries can use [Windows Management Instrumentation (WMI)](https://attack.mitre.org/techniques/T1047) to move laterally by launching executables remotely. For adversaries to achieve this, they must open a WMI connection to a remote host. This RPC activity is currently detected by [CAR-2014-11-007](../CAR-2014-11-007). After the WMI connection has been initialized, a process can be remotely launched using the command: `wmic /node:"" process call create ""`, which is detected via [CAR-2016-03-002](../CAR-2016-03-002). This leaves artifacts at both a network (RPC) and process (command line) level. When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the the remote machine. @@ -26,7 +27,7 @@ description: |- - ASCII `CF` (printable text only) This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic. - The transfer syntax is + The transfer syntax is - UUID `8a885d04-1ceb-11c9-9fe8-08002b104860` (decoded) - Hex `04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60` (raw) 
@@ -47,7 +48,7 @@ coverage: coverage: High implementations: - description: 'Look for instances of the WMI querying in network traffic, and find the cases where a process is launched immediately after a connection is seen. This essentially merges the request to start a remote process via WMI with the process execution. If other processes are spawned from `wmiprvse.exe` in this time frame, it is possible for race conditions to occur, and the wrong process may be merged. If this is the case, it may be useful to look deeper into the network traffic to see if the desired command can be extracted.' - code: |- + code: | processes = search Process:Create wmi_children = filter processes where (parent_exe == "wmiprvse.exe") @@ -55,8 +56,8 @@ implementations: wmi_flow = filter flows where (src_port >= 49152 and dest_port >= 49152 and proto_info.rpc_interface == "IRemUnknown2") remote_wmi_process = join wmi_children, wmi_flow where ( - wmi_flow.time < wmi_children.time < wmi_flow.time + 1sec and - wmi_flow.hostname == wmi_children.hostname + wmi_flow.time < wmi_children.time < wmi_flow.time + 1sec and + wmi_flow.hostname == wmi_children.hostname ) output remote_wmi_process diff --git a/analytics/CAR-2015-04-001.yaml b/analytics/CAR-2015-04-001.yaml index 1979d45b..00093f42 100644 --- a/analytics/CAR-2015-04-001.yaml +++ b/analytics/CAR-2015-04-001.yaml @@ -1,3 +1,4 @@ +--- title: Remotely Scheduled Tasks via AT submission_date: 2015/04/29 information_domain: 'Host, Network' diff --git a/analytics/CAR-2015-04-002.yaml b/analytics/CAR-2015-04-002.yaml index 123815e6..5455c0f2 100644 --- a/analytics/CAR-2015-04-002.yaml +++ b/analytics/CAR-2015-04-002.yaml @@ -1,3 +1,4 @@ +--- title: Remotely Scheduled Tasks via Schtasks submission_date: 2015/04/29 information_domain: 'Host, Network' diff --git a/analytics/CAR-2015-07-001.yaml b/analytics/CAR-2015-07-001.yaml index 786300f3..206c1b30 100644 --- a/analytics/CAR-2015-07-001.yaml +++ b/analytics/CAR-2015-07-001.yaml 
@@ -1,3 +1,4 @@ +--- title: All Logins Since Last Boot submission_date: 2015/07/17 information_domain: Host diff --git a/analytics/CAR-2016-03-001.yaml b/analytics/CAR-2016-03-001.yaml index 55e10a9e..4a86d577 100644 --- a/analytics/CAR-2016-03-001.yaml +++ b/analytics/CAR-2016-03-001.yaml @@ -1,3 +1,4 @@ +--- title: Host Discovery Commands submission_date: 2016/03/24 information_domain: Host @@ -12,7 +13,7 @@ analytic_types: contributors: - MITRE id: CAR-2016-03-001 -description: |- +description: | When entering on a host for the first time, an adversary may try to [discover](https://attack.mitre.org/tactics/TA0007) information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. The information returned may impact choices an adversary can make when [establishing persistence](https://attack.mitre.org/tactics/TA0003), [escalating privileges](https://attack.mitre.org/tactics/TA0004), or [moving laterally](https://attack.mitre.org/tactics/TA0008). Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically. 
@@ -68,34 +69,34 @@ coverage: coverage: Moderate implementations: - description: 'To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.' - code: |- + code: | process = search Process:Create info_command = filter process where ( - exe == "hostname.exe" or - exe == "ipconfig.exe" or - exe == "net.exe" or - exe == "quser.exe" or + exe == "hostname.exe" or + exe == "ipconfig.exe" or + exe == "net.exe" or + exe == "quser.exe" or exe == "qwinsta.exe" or exe == "sc" and (command_line match " query" or command_line match " qc")) or - exe == "systeminfo.exe" or - exe == "tasklist.exe" or + exe == "systeminfo.exe" or + exe == "tasklist.exe" or exe == "whoami.exe" ) output info_command type: pseudocode - description: Splunk version of the above pseudocode search. - code: |- + code: | index=__your_sysmon_index__ EventCode=1 (Image="C:\\Windows\\*\\hostname.exe" OR Image="C:\\Windows\\*\\ipconfig.exe" OR Image="C:\\Windows\\*\\net.exe" OR Image="C:\\Windows\\*\\quser.exe" OR Image="C:\\Windows\\*\\qwinsta.exe" OR (Image="C:\\Windows\\*\\sc.exe" AND (CommandLine="* query *" OR CommandLine="* qc *")) OR Image="C:\\Windows\\*\\systeminfo.exe" OR Image="C:\\Windows\\*\\tasklist.exe" OR Image="C:\\Windows\\*\\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName type: Splunk data_mode: Sysmon native - description: EQL version of the above pseudocode search. 
- code: |- + code: | process where subtype.create and (process_name == "hostname.exe" or process_name == "ipconfig.exe" or process_name == "net.exe" or process_name == "quser.exe" process_name == "qwinsta.exe" or process_name == "systeminfo.exe" or process_name == "tasklist.exe" or process_name == "whoami.exe" or (process_name == "sc.exe" and (command_line == "* query *" or command_line == "* qc *"))) type: EQL data_mode: EQL native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 (image in ["*\hostname.exe", "*\ipconfig.exe", "*\net.exe", "*\quser.exe", "*\qwinsta.exe", "*\systeminfo.exe", "*\tasklist.exe", "*\whoami.exe"] OR (image="*\sc.exe" command IN ["* query *", "* qc *")) type: LogPoint data_model: LogPoint native diff --git a/analytics/CAR-2016-03-002.yaml b/analytics/CAR-2016-03-002.yaml index 9b940e43..ff9fb3fb 100644 --- a/analytics/CAR-2016-03-002.yaml +++ b/analytics/CAR-2016-03-002.yaml @@ -1,3 +1,4 @@ +--- title: Create Remote Process via WMIC submission_date: 2016/03/28 information_domain: Host 
@@ -10,8 +11,8 @@ analytic_types: contributors: - MITRE id: CAR-2016-03-002 -description: |- - Adversaries may use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to move laterally, by launching executables remotely.The analytic [CAR-2014-12-001](../CAR-2014-12-001) describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility `wmic.exe` is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like `wmic.exe /node:"\" process call create "\"`. It is possible to also connect via IP address, in which case the string `"\"` would instead look like `IP Address`. +description: | + Adversaries may use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to move laterally, by launching executables remotely.The analytic [CAR-2014-12-001](../CAR-2014-12-001) describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility `wmic.exe` is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like `wmic.exe /node:"\" process call create "\"`. It is possible to also connect via IP address, in which case the string `"\"` would instead look like `IP Address`. Although this analytic was created after [CAR-2014-12-001](../CAR-2014-12-001), it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility [PowerShell](https://attack.mitre.org/T1059/001). coverage: 
@@ -20,29 +21,29 @@ coverage: - TA0002 coverage: Low implementations: - - description: |- + - description: | Looks for instances of wmic.exe as well as the substrings in the command line: * `process call create` * `/node:` - code: |- + code: | processes = search Process:Create wmic = filter processes where (exe == "wmic.exe" and command_line == "* process call create *" and command_line == "* /node:*") output wmic type: pseudocode - description: Splunk version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\wmic.exe" CommandLine="* process call create *"|search CommandLine="* /node:*" type: Splunk data_mode: Sysmon native - description: EQL version of the above pseudocode. - code: |- + code: | process where subtype.create and (process_name == "wmic.exe" and command_line == "* process call create ") |filter command_line == "* /node:*" type: EQL data_mode: EQL native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="C:\\Windows\\*\\wmic.exe" command="* process call create *" command="* /node:*" type: LogPoint data_mode: LogPoint native diff --git a/analytics/CAR-2016-04-002.yaml b/analytics/CAR-2016-04-002.yaml index 9306a8c0..aec4fb5b 100644 --- a/analytics/CAR-2016-04-002.yaml +++ b/analytics/CAR-2016-04-002.yaml 
@@ -16,7 +16,7 @@ contributors: - Cyware Labs - Lucas Heiligenstein id: CAR-2016-04-002 -description: 'It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. +description: 'It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. 1. This is often done using `wevtutil`, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. 2. Alerting when a `Clear Event Log` is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk. 3. Attackers may set the option of the sources of events with `Limit-EventLog -LogName Security -OverflowAction DoNotOverwrite` to not delete old Evenlog when the .evtx is full. By default the Security Log size is configured with the minimum value of 20 480KB (~23 000 EventLog). So if this option is enabled, all the new EventLogs will be automatically deleted. We can detect this behavior with the Security EventLog 1104. 
@@ -32,7 +32,7 @@ coverage: implementations: - name: PseudoCode for dedicated EventID EventLog deletion description: 'When an eventlog is cleared, a new event is created that alerts that the eventlog was cleared. For Security logs, its event code 1100 and 1102. For System logs, it is event code 104.' - code: |- + code: | ([log_name] == "Security" and [event_code] in [1100, 1102, 1104]) or ([log_name] == "System" and [event_code] == 104) type: pseudocode @@ -44,13 +44,13 @@ implementations: type: Sigma - name: LogPoint version of the above pseudocode. description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WinServer ((channel="Security" event_id IN [1100,1102]) OR (channel="System" event_id=104)) type: LogPoint data_mode: LogPoint native - name: Splunk search - Detecting log clearing with wevtutil - description: This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs. - code: |- + description: This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs. + code: | index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 (Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog) data_model: Sysmon native type: Splunk @@ -66,7 +66,7 @@ unit_tests: commands: - del C:\Windows\System32\winevt\logs\Security.evtx - Remove-Item C:\Windows\System32\winevt\logs\Security.evtx - - description: Unregister EventLog source + - description: Unregister EventLog source commands: - Remove-EventLog -LogName Security data_model_references: diff --git a/analytics/CAR-2016-04-003.yaml b/analytics/CAR-2016-04-003.yaml index 9aeaa6df..43e97a08 100644 
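Review bot: the LogPoint query in the `@@ -44,13` hunk of CAR-2016-04-002.yaml (`event_id IN [1100,1102]`) drops 1104, while the pseudocode above it includes 1104 and point 3 of the description says 1104 is how the `DoNotOverwrite` overflow behaviour is detected; add 1104 to the LogPoint list and update the pseudocode description, which still says 'its event code 1100 and 1102'. In the description hunk the `-`/`+` pair differs only in trailing whitespace, so fix 'Evenlog' to 'EventLog' while the line is being rewritten. The Splunk search term `CommandLine=*cl*` also matches any command line containing 'cl' (`include`, `cleanmgr`); `Image=*wevtutil*` limits the damage, but `CommandLine="* cl *"` OR `clear-log` would be tighter.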
--- a/analytics/CAR-2016-04-003.yaml +++ b/analytics/CAR-2016-04-003.yaml @@ -1,3 +1,4 @@ +--- title: User Activity from Stopping Windows Defensive Services submission_date: 2016/04/15 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - MITRE/NSA id: CAR-2016-04-003 -description: |- +description: | Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation. Stopping services events are Windows Event Code 7036. @@ -23,19 +24,19 @@ coverage: coverage: Low implementations: - description: Windows Event code 7036 from the System log identifies if a service has stopped or started. This analytic looks for "Windows Defender" or "Windows Firewall" that has stopped. - code: |- + code: | log_name == "System" AND event_code == "7036" param1 in ["Windows Defender", "Windows Firewall"] AND param2 == "stopped" type: pseudocode - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WinServer channel="System" event_id=7036 param1 in ["Windows Defender", "Windows Firewall"] param2="stopped" type: LogPoint data_mode: LogPoint native unit_tests: - - configurations: + - configurations: - Windows 7 description: From an administrative user powershell console, run the Stop-Service command. commands: @@ -45,4 +46,3 @@ d3fend_mappings: - iri: d3f:SystemDaemonMonitoring id: D3-SDM label: System Daemon Monitoring - diff --git a/analytics/CAR-2016-04-004.yaml b/analytics/CAR-2016-04-004.yaml index af625e7d..19511124 100644 --- a/analytics/CAR-2016-04-004.yaml +++ b/analytics/CAR-2016-04-004.yaml @@ -1,3 +1,4 @@ +--- title: Successful Local Account Login submission_date: 2016/04/18 information_domain: Host 
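Review bot: in CAR-2016-04-003.yaml the `param1 in ["Windows Defender", "Windows Firewall"]` pseudocode and the LogPoint query in the `@@ -23,19` hunk match on service display names, and the unit test configuration is Windows 7; on Windows 10 the display names changed (for example 'Windows Defender Antivirus Service' and 'Windows Defender Firewall'), so the analytic silently misses there. Since the description block is being rewritten in the `@@ -10,7` hunk, add a caveat that the display-name list must be adjusted per OS build, or match on the service name instead.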
@@ -19,13 +20,13 @@ coverage: - T1550.002 coverage: Moderate implementations: - - description: 'This analytic will look for remote logins, using a non domain login, from one host to another, using NTL authentication where the account is not "ANONYMOUS LOGON" ' - code: |- + - description: 'This analytic will look for remote logins, using a non domain login, from one host to another, using NTL authentication where the account is not "ANONYMOUS LOGON".' + code: | EventCode == 4624 and [target_user_name] != "ANONYMOUS LOGON" and [authentication_package_name] == "NTLM" type: pseudocode unit_tests: - - configurations: + - configurations: - Windows 7 description: As an adminstrator, create a new user. Then, logon to the host with that new user. This is generate the event. commands: diff --git a/analytics/CAR-2016-04-005.yaml b/analytics/CAR-2016-04-005.yaml index c1c7b73d..202054a9 100644 --- a/analytics/CAR-2016-04-005.yaml +++ b/analytics/CAR-2016-04-005.yaml @@ -1,3 +1,4 @@ +--- title: Remote Desktop Logon submission_date: 2016/04/19 information_domain: Host diff --git a/analytics/CAR-2019-04-001.yaml b/analytics/CAR-2019-04-001.yaml index f466054d..cf9d40cf 100644 --- a/analytics/CAR-2019-04-001.yaml +++ b/analytics/CAR-2019-04-001.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2019-04-001 -description: |- +description: | Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source [UACME](https://github.com/hfiref0x/UACME) tool. coverage: - technique: T1548 
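Review bot: the rewritten description line in the `@@ -19,13` hunk of CAR-2016-04-004.yaml fixes the missing period but keeps 'NTL authentication'; the code on the next line filters `[authentication_package_name] == "NTLM"`, so the prose should say NTLM. The unit test two lines later still reads 'As an adminstrator... This is generate the event.' ('administrator', 'This will generate the event'); it is unchanged context, but the adjacent `configurations:` line is already touched for whitespace, so this is the hunk to fix it in.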
@@ -22,12 +22,12 @@ coverage: coverage: Low implementations: - description: This Splunk query looks for specific invocations of UACME, representing different ways to bypass user account control. - code: |- + code: | index=_your_sysmon_index_ EventCode=1 IntegrityLevel=High|search (ParentCommandLine="\"c:\\windows\\system32\\dism.exe\"*""*.xml" AND Image!="c:\\users\\*\\appdata\\local\\temp\\*\\dismhost.exe") OR ParentImage=c:\\windows\\system32\\fodhelper.exe OR (CommandLine="\"c:\\windows\\system32\\wusa.exe\"*/quiet*" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\\windows\\system32\\ AND ParentImage!=c:\\windows\\explorer.exe) OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*" OR (ParentImage="c:\\windows\\*dccw.exe" AND Image!="c:\\windows\\system32\\cttune.exe") OR Image="c:\\program files\\windows media player\\osk.exe" OR ParentImage="c:\\windows\\system32\\slui.exe"|eval PossibleTechniques=case(like(lower(ParentCommandLine),"%c:\\windows\\system32\\dism.exe%"), "UACME #23", like(lower(Image),"c:\\program files\\windows media player\\osk.exe"), "UACME #32", like(lower(ParentImage),"c:\\windows\\system32\\fodhelper.exe"), "UACME #33", like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34", like(lower(Image),"c:\\windows\\system32\\wusa.exe"), "UACME #36", like(lower(ParentImage),"c:\\windows\\%dccw.exe"), "UACME #37", like(lower(ParentImage),"c:\\windows\\system32\\slui.exe"), "UACME #45") type: splunk data_model: Sysmon native - - description: This is a pseudocode version of the above Splunk query. - code: |- + - description: This is a pseudocode version of the above Splunk query. + code: | processes = search Process:Create possible_uac_bypass = filter processes where ( integrity_level == "High" and 
@@ -36,8 +36,8 @@ implementations: (image_path == "c:\program files\windows media player\osk.exe") or (parent_image_path == "c:\windows\system32\slui.exe") or (parent_command_line == '"c:\windows\system32\dism.exe"*""*.xml"' and image_path != "c:\users\*\appdata\local\temp\*\dismhost.exe") or - (command_line == '"c:\windows\system32\wusa.exe"*/quiet*' and user != "NOT_TRANSLATED" and current_working_directory == "c:\windows\system32\" and parent_image_path != "c:\windows\explorer.exe") or - (parent_image_path == "c:\windows\*dccw.exe" and image_path != "c:\windows\system32\cttune.exe") + (command_line == '"c:\windows\system32\wusa.exe"*/quiet*' and user != "NOT_TRANSLATED" and current_working_directory == "c:\windows\system32\" and parent_image_path != "c:\windows\explorer.exe") or + (parent_image_path == "c:\windows\*dccw.exe" and image_path != "c:\windows\system32\cttune.exe") ) output possible_uac_bypass type: pseudocode @@ -49,10 +49,10 @@ implementations: description: '[Sigma](https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml) rule for detecting sdclt-based UAC bypass.' type: Sigma - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 integrity_level="High" ((parent_image="c:\windows\system32\fodhelper.exe" OR command='*.exe"*cleanmgr.exe /autoclean*' OR image="c:\program files\windows media player\osk.exe" OR parent_image="c:\windows\system32\slui.exe") OR (parent_command='"c:\windows\system32\dism.exe"*""*.xml"' -image="c:\users\*\appdata\local\temp\*\dismhost.exe") OR (parent_image="c:\windows\*dccw.exe" -image="c:\windows\system32\cttune.exe") OR (command='"c:\windows\system32\wusa.exe"*/quiet*' -user="NOT_TRANSLATED" path="c:\windows\system32\" -parent_image="c:\windows\explorer.exe")) type: LogPoint - data_mode: LogPoint native + data_mode: LogPoint native data_model_references: - process/create/image_path - process/create/parent_image_path 
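Review bot: the `+ data_mode: LogPoint native` line in the `@@ -49,10` hunk of CAR-2019-04-001.yaml only strips trailing whitespace and keeps the key `data_mode`, while every other implementation in this file and the series uses `data_model:` (`data_model: Sysmon native`, `data_model: CAR`); this looks like a typo that the whitespace pass is now cementing in every LogPoint entry (the same `data_mode` appears in CAR-2016-03-002, -04-003, -2019-04-003, -04-004, -07-001, -07-002, -08-001 and -08-002 below). Change it to `data_model` here, otherwise anything reading that field will skip the LogPoint entries. Minor: `type: splunk` (lowercase) in the `@@ -22,12` hunk vs `type: Splunk` elsewhere in the series; pick one casing.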
diff --git a/analytics/CAR-2019-04-002.yaml b/analytics/CAR-2019-04-002.yaml index bf7ad33b..b03834ef 100644 --- a/analytics/CAR-2019-04-002.yaml +++ b/analytics/CAR-2019-04-002.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2019-04-002 -description: |- +description: | Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually. coverage: - technique: T1218 @@ -23,13 +23,13 @@ coverage: implementations: - name: Main Pattern description: This just looks for all executions of regsvr32.exe that have a parent of regsvr32.exe but are not regsvr32.exe themselves (which happens). This will have a very high FP rate, but likely not on the order of millions. - code: |- + code: | index=__your_sysmon_data__ EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" type: splunk data_model: Sysmon native - name: Main Pattern - pseudocode description: This is a pseudocode version of the above main pattern. - code: |- + code: | processes = search Process:Create regsvr_processes = filter processes where ( parent_image_path == "*regsvr32.exe" and image_path != "*regsvr32.exe*" 
@@ -39,20 +39,20 @@ implementations: data_model: CAR - name: New items since last month description: This uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day). - code: |- + code: | index=__your_sysmon_data__ earliest=-d@d latest=now() EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | search NOT [ search index=__your_sysmon_data__ earliest=-60d@d latest=-30d@d EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | dedup CommandLine | fields CommandLine ] type: splunk data_model: Sysmon native - name: Spawning child processes description: This looks for child processes that may be spawend by regsvr32, while attempting to eliminate some of the common false positives such as werfault (Windows Error Reporting). - code: |- + code: | index=__your_sysmon_data__ EventCode=1 (ParentImage="C:\\Windows\\System32\\regsvr32.exe" OR ParentImage="C:\\Windows\\SysWOW64\\regsvr32.exe") AND Image!="C:\\Windows\\System32\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\regsvr32.exe" AND Image!="C:\\WINDOWS\\System32\\regsvr32.exe" AND Image!="C:\\WINDOWS\\SysWOW64\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\WerFault.exe" AND Image!="C:\\Windows\\System32\\wevtutil.exe" AND Image!="C:\\Windows\\System32\\WerFault.exe"|stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image type: splunk data_model: Sysmon native - name: Spawning child processes - pseudocode description: This is a pseudocode version of the above Splunk query for spawning child processes. - code: |- + code: | processes = search Process:Create regsvr_processes = filter processes where ( (parent_image_path == "C:\Windows\System32\regsvr32.exe" or parent_image_path == "C:\Windows\SysWOW64\regsvr32.exe") and 
@@ -67,24 +67,24 @@ implementations: data_model: CAR - name: Loading unsigned images description: This looks for unsigned images that may be loaded by regsvr32, while attempting to eliminate false positives stemming from Windows/Program Files binaries. - code: |- - index=__your_sysmon_data__ EventCode=7 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") Signed=false ImageLoaded!="C:\\Program Files*" ImageLoaded!="C:\\Windows\\*"|stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded + code: | + index=__your_sysmon_data__ EventCode=7 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") Signed=false ImageLoaded!="C:\\Program Files*" ImageLoaded!="C:\\Windows\\*"|stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded type: splunk data_model: Sysmon native - name: Loading unsigned images - pseudocode description: This is a pseudocode version of the above Splunk query for loading unsigned images. - code: |- + code: | modules = search Module:Load unsigned_modules = filter modules where ( (image_path == "C:\Windows\System32\regsvr32.exe" or image_path == "C:\Windows\SysWOW64\regsvr32.exe") and - signer == null and + signer == null and module_path != "C:\Program Files*" and module_path != "C:\Windows\*" ) output unsigned_modules type: pseudocode data_model: CAR -unit_tests: +unit_tests: - description: Any of the [Atomic Red Team tests for regsvr32.exe](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md) should trigger this. data_model_references: - process/create/exe diff --git a/analytics/CAR-2019-04-003.yaml b/analytics/CAR-2019-04-003.yaml index 23eca7f8..aeb435f8 100644 --- a/analytics/CAR-2019-04-003.yaml +++ b/analytics/CAR-2019-04-003.yaml 
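Review bot: in the 'New items since last month' query of CAR-2019-04-002.yaml (`@@ -39,20` hunk) the baseline subsearch is `earliest=-60d@d latest=-30d@d` while the description says it ignores results that showed up 'in the previous 30 days'; as written there is a 30-day gap between the baseline and the `-d@d` window, so a command line first seen 29 days ago still alerts. Either change the subsearch to `earliest=-30d@d latest=-d@d` or correct the description. Also, the unit test link in the `@@ -67,24` hunk targets `atomics/T1117/T1117.md` while coverage lists T1218; T1117 was folded into T1218.010 in ATT&CK, so the link is likely to go stale.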
@@ -11,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2019-04-003 -description: |- +description: | Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS. Squiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible. @@ -24,18 +24,18 @@ coverage: coverage: Moderate implementations: - description: This looks for any and all usage of the scrobj DLL, which is what is used to run COM scriptlets, so it'll detect both loading from network as well as filesystem. This will have almost zero false positives so is suitable for alerting. - code: |- + code: | index=__your_sysmon_events__ EventCode=1 regsvr32.exe scrobj.dll | search Image="*regsvr32.exe" type: splunk data_model: Sysmon native - - description: EQL version of the above Splunk search. - code: |- + - description: EQL version of the above Splunk search. + code: | process where subtype.create and (process_path == "*regsvr32.exe" and command_line == "*scrobj.dll") type: EQL data_model: EQL native - description: Pseudocode version of the above Splunk search. - code: |- + code: | processes = search Process:Create squiblydoo_processes = filter processes where ( image_path == "*regsvr32.exe" and command_line == "*scrobj.dll" 
@@ -44,12 +44,13 @@ implementations: type: psuedocode data_model: CAR - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="*\regsvr32.exe" command="*scrobj.dll" type: LogPoint - data_mode: LogPoint native -unit_tests: - - description: The [Atomic Red Team test for Squiblydoo](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md#atomic-test-2---regsvr32-remote-com-scriptlet-execution) is a good test case for this. + data_mode: LogPoint native +unit_tests: + - description: | + The [Atomic Red Team test for Squiblydoo](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md#atomic-test-2---regsvr32-remote-com-scriptlet-execution) is a good test case for this. data_model_references: - process/create/exe - process/create/command_line diff --git a/analytics/CAR-2019-04-004.yaml b/analytics/CAR-2019-04-004.yaml index 35c4e0c1..8884b942 100644 --- a/analytics/CAR-2019-04-004.yaml +++ b/analytics/CAR-2019-04-004.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - MITRE id: CAR-2019-04-004 -description: |- +description: | Credential dumpers like Mimikatz can be loaded into memory and from there read data from another processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are “overtuned” to look for common access patterns used by Mimikatz. *This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn’t have a CAR data model mapping, since we currently lack any open/access actions for Processes. If this changes, we will update the data model requirements.* 
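Review bot: in CAR-2019-04-003.yaml the `@@ -44,12` hunk touches the line directly below `type: psuedocode` but leaves the typo, so the pseudocode entry will not be recognised as `pseudocode` by anything keyed on `type`; fix it in this hunk. The EQL variant `command_line == "*scrobj.dll"` also only matches when scrobj.dll is the last token, whereas the Splunk search `regsvr32.exe scrobj.dll` matches it anywhere in the event; `"*scrobj.dll*"` keeps the two aligned.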
@@ -25,37 +25,36 @@ coverage: implementations: - name: Common Mimikatz GrantedAccess Patterns description: This is specific to the way Mimikatz works currently, and thus is fragile to both future updates and non-default configurations of Mimikatz. - code: |- - index=__your_sysmon_data__ EventCode=10 + code: | + index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) - CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)" + CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)" | table _time hostname user SourceImage GrantedAccess type: splunk data_model: Sysmon native - name: Outliers description: This is an outlier version of the above without including the specific call trace. This should work in more (but not all) situations however runs more slowly and will have more false positives - typically installers. 
- code: |- + code: | earliest=-d@d latest=now() index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" - (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) - | search NOT [ search earliest=-7d@d latest=-2d@d index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) - | dedup SourceImage + (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) + | search NOT [ search earliest=-7d@d latest=-2d@d index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) + | dedup SourceImage | fields SourceImage ] | table _time hostname user SourceImage GrantedAccess type: splunk data_model: Sysmon native - description: LogPoint version of the above pseudocode. 
- code: |- - norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" (access="0x1410" OR access="0x1010" OR access="0x1438" OR access="0x143a" OR access="0x1418") call_trace="C:\windows\SYSTEM32\ntdll.dll+*|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)" + code: | + norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" (access="0x1410" OR access="0x1010" OR access="0x1438" OR access="0x143a" OR access="0x1418") call_trace="C:\windows\SYSTEM32\ntdll.dll+*|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)" | fields log_ts, host, user, source_image, access type: LogPoint - data_mode: LogPoint native + data_mode: LogPoint native references: - Credit to [Cyb3rWard0g](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/playbooks/windows/06_credential_access/credential_dumping_T1003/credentials_from_memory/mimikatz_logonpasswords.md), dim0x69 (blog.3or.de), and Mark Russinovich for providing much of the information used to construct these analytics. d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA label: Process Spawn Analysis - diff --git a/analytics/CAR-2019-07-001.yaml b/analytics/CAR-2019-07-001.yaml index f5362b47..3e59e09e 100644 --- a/analytics/CAR-2019-07-001.yaml +++ b/analytics/CAR-2019-07-001.yaml @@ -55,7 +55,7 @@ implementations: code: |- norm_id=WindowsSysmon channel="Security" event_id=4670 object_type="File" -user_id="S-1-5-18" type: LogPoint - data_mode: LogPoint native + data_mode: LogPoint native unit_tests: - description: 'For Windows - right click on any file and change its permissions under properties. Or, execute the following command: `icacls "C:\" /grant :F`' - description: 'For Linux - execute the following command: `chmod 777 "fileName"`' diff --git a/analytics/CAR-2019-07-002.yaml b/analytics/CAR-2019-07-002.yaml index 291eb7b8..4d7b0669 100644 --- a/analytics/CAR-2019-07-002.yaml +++ b/analytics/CAR-2019-07-002.yaml 
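Review bot: in CAR-2019-04-004.yaml the LogPoint entry in the `@@ -25,37` hunk is labelled 'LogPoint version of the above pseudocode' although the description states there is no pseudocode because the CAR model lacks process-access events; relabel it 'LogPoint version of the above Splunk search'. The hardcoded `KERNELBASE.dll+20edd` offset in the `CallTrace` filter is specific to one build of kernelbase.dll; the description already calls the pattern fragile, but a note that the offset must be re-derived per OS build would help whoever deploys it. In CAR-2019-07-001.yaml the unit test command `icacls "C:\" /grant :F` is missing the principal (`/grant` takes `user:perm`), so a placeholder has been lost here as in the wmic description; restore it.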
@@ -13,8 +13,8 @@ contributors: - Tony Lambert/Red Canary - MITRE id: CAR-2019-07-002 -description: |- - [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. +description: | + [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name. @@ -29,7 +29,7 @@ coverage: implementations: - name: Procdump - Process Create description: This base pseudocode looks for process create events where an instance of procdump is executed that references lsass in the command-line. - code: |- + code: | processes = search Process:Create procdump_lsass = filter processes where ( exe = "procdump*.exe" and @@ -38,7 +38,7 @@ implementations: type: Pseudocode - name: Procdump - Process Create description: A Splunk/Sysmon version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*" type: Splunk data_model: Sysmon native 
@@ -47,7 +47,7 @@ implementations: type: EQL - name: Procdump - Process Access description: A related Splunk search, which instead of looking for process create events looks for process access events that target lsass.exe. - code: |- + code: | index=__your_sysmon_index__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump") type: Splunk data_model: Sysmon native @@ -55,15 +55,15 @@ implementations: description: 'A [Sigma Version](https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml) of the above Splunk search, with some more stringent criteria around calltrace.' type: Sigma - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="*\procdump*.exe" command="*lsass*" type: LogPoint - data_mode: LogPoint native + data_mode: LogPoint native data_model_references: - process/create/exe - process/create/command_line -unit_tests: - - description: |- +unit_tests: + - description: | 1. Open a Windows Command Prompt or PowerShell instance. 2. Navigate to folder containing ProcDump. 3. Execute procdump.exe -ma lsass.exe lsass_dump diff --git a/analytics/CAR-2019-08-001.yaml b/analytics/CAR-2019-08-001.yaml index bf295634..9e3a73e5 100644 --- a/analytics/CAR-2019-08-001.yaml +++ b/analytics/CAR-2019-08-001.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - Tony Lambert/Red Canary id: CAR-2019-08-001 -description: |- +description: | The Windows Task Manager may be used to dump the memory space of `lsass.exe` to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting `lsass.exe`, and clicking "Create dump file". This saves a dump file to disk with a deterministic name that includes the name of the process being dumped. This requires filesystem data to determine whether files have been created. 
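Review bot: the pseudocode in the `@@ -29,7` hunk of CAR-2019-07-002.yaml uses single `=` (`exe = "procdump*.exe"`) where every other pseudocode block in the series uses `==` for comparison; the line sits inside the block whose chomping is being changed, so make it consistent here. The 'Procdump - Process Access' Splunk search `GrantedAccess="0x1FFFFF" ("procdump")` relies on a bare free-text term; tying it to `SourceImage="*procdump*.exe"` avoids hits on unrelated EventCode 10 events that merely mention procdump.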
@@ -25,7 +25,7 @@ coverage: implementations: - name: Procdump - File Create description: This base pseudocode looks for file create events where a file with a name similar to lsass.dmp is created by the Windows task manager process. - code: |- + code: | files = search File:Create lsass_dump = filter files where ( file_name = "lsass*.dmp" and @@ -34,26 +34,26 @@ implementations: type: Pseudocode - name: Procdump - File Create description: A Splunk/Sysmon version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe" type: Splunk data_model: Sysmon native - name: Procdump - File Create description: An EQL version of the above pseudocode. - code: |- + code: | file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe" type: EQL data_model: EQL native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=11 file="*lsass*.dmp" source_image="C:\Windows\*\taskmgr.exe" type: LogPoint data_mode: LogPoint native data_model_references: - file/create/file_name - file/create/image_path -unit_tests: - - description: |- +unit_tests: + - description: | 1. Open Windows Task Manager as Administrator 2. Select lsass.exe 3. Right-click on lsass.exe and select "Create dump file". diff --git a/analytics/CAR-2019-08-002.yaml b/analytics/CAR-2019-08-002.yaml index b9074b4d..b45aee96 100644 --- a/analytics/CAR-2019-08-002.yaml +++ b/analytics/CAR-2019-08-002.yaml 
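Review bot: all three implementations in CAR-2019-08-001.yaml are named 'Procdump - File Create' although this analytic is about Task Manager (the queries match `taskmgr.exe` and the description never mentions ProcDump); the names were copied from CAR-2019-07-002 and should read 'Task Manager - File Create'. The pseudocode also uses `file_name = "lsass*.dmp"` with a single `=`; use `==` like the other blocks.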
@@ -11,7 +11,7 @@ analytic_types: contributors: - Tony Lambert/Red Canary id: CAR-2019-08-002 -description: |- +description: | The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching `ntdsutil.exe` as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, `ntds.dit`, to the specified folder path. This requires filesystem data to determine whether files have been created. @@ -25,7 +25,7 @@ coverage: implementations: - name: NTDSUtil - File Create description: This base pseudocode looks for file create events where a file with a name of ntds.dit is created by the ntdsutil process. - code: |- + code: | files = search File:Create ntds_dump = filter files where ( file_name = "ntds.dit" and @@ -34,26 +34,26 @@ implementations: type: Pseudocode - name: NTDSUtil - File Create description: A Splunk/Sysmon version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ EventCode=11 TargetFilename="*ntds.dit" Image="*ntdsutil.exe" type: Splunk data_model: Sysmon native - name: NTDSUtil - File Create description: An EQL version of the above pseudocode. - code: |- + code: | file where file_name == "ntds.dit" and process_name == "ntdsutil.exe" type: EQL data_model: EQL native - description: LogPoint version of the above pseudocode. - code: |- + code: | norm_id=WindowsSysmon event_id=11 file="*ntds.dit" source_image="*ntdsutil.exe" type: LogPoint data_mode: LogPoint native data_model_references: - file/create/file_name - file/create/image_path -unit_tests: - - description: |- +unit_tests: + - description: | 1. Open a Windows Command Prompt or PowerShell instance as Administrator 2. Execute `ntdsutil.exe “ac i ntds” “ifm” “create full c:\temp” q q` d3fend_mappings: 
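Review bot: the unit test in the `@@ -34,26` hunk of CAR-2019-08-002.yaml, now a `|` block, still contains curly quotes: `ntdsutil.exe “ac i ntds” “ifm” “create full c:\temp” q q`; pasted into cmd or PowerShell those are not treated as quotes and ntdsutil will not parse the arguments, so replace them with straight `"`. The pseudocode has the same single-`=` comparison (`file_name = "ntds.dit"`) as the two preceding files.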
diff --git a/analytics/CAR-2020-05-001.yaml b/analytics/CAR-2020-05-001.yaml index 4f5981dd..afce6a9b 100644 --- a/analytics/CAR-2020-05-001.yaml +++ b/analytics/CAR-2020-05-001.yaml 
@@ -11,13 +11,13 @@ analytic_types: contributors: - Cyber National Mission Force (CNMF) id: CAR-2020-05-001 -description: |- +description: | This analytic detects the minidump variant of credential dumping where a process opens lsass.exe in order to extract credentials using the Win32 API call [MiniDumpWriteDump](https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump). Tools like [SafetyKatz](https://github.com/GhostPack/SafetyKatz), [SafetyDump](https://github.com/m0rv4i/SafetyDump), and [Outflank-Dumpert](https://github.com/outflanknl/Dumpert) default to this variant and may be detected by this analytic, though keep in mind that not all options for using those tools will result in this specific behavior. The analytic is based on a [Sigma analytic](https://github.com/NVISO-BE/sigma-public/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml) contributed by Samir Bousseaden and written up in a [blog on MENASEC](https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html). It looks for a call trace that includes either dbghelp.dll or dbgcore.dll, which export the relevant functions/permissions to perform the dump. It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass, which is described in [CAR-2019-08-001](/analytics/CAR-2019-08-001/). In this iteration of the Sigma analytic, the `GrantedAccess` filter isn't included because it didn't seem to filter out any false positives and introduces the potential for evasion. This analytic was tested both in a lab and in a production environment with a very low false-positive rate. werfault.exe and tasklist.exe, both standard Windows processes, showed up multiple times as false positives. - + NOTE - this analytic has no corresponding pseudocode implementation because the CAR data model doesn't currently support process access events. coverage: - technique: T1003 
diff --git a/analytics/CAR-2020-05-003.yaml b/analytics/CAR-2020-05-003.yaml index 1cc4a001..b75d8cd4 100644 --- a/analytics/CAR-2020-05-003.yaml +++ b/analytics/CAR-2020-05-003.yaml @@ -11,14 +11,14 @@ analytic_types: contributors: - Cyber National Mission Force (CNMF) id: CAR-2020-05-003 -description: |- +description: | [LoLBAS](https://lolbas-project.github.io/) are binaries and scripts that are built in to Windows, frequently are signed by Microsoft, and may be used by an attacker. Some LoLBAS are used very rarely and it might be possible to alert every time they're used (this would depend on your environment), but many others are very common and can't be simply alerted on. This analytic takes all instances of LoLBAS execution and then looks for instances of command lines that are not normal in the environment. This can detect attackers (which will tend to need the binaries for something different than normal usage) but will also tend to have false positives. The analytic needs to be tuned. The `1.5` in the query is the number of standard deviations away to look. It can be tuned up to filter out more noise and tuned down to get more results. This means it is probably best as a hunting analytic when you have analysts looking at the screen and able to tune the analytic up and down, because the threshold may not be stable for very long. - - Note - this analytic is related to [CAR-2013-04-002](/analytics/CAR-2013-04-002), but differs by looking for a different set of binaries and also looking at standard deviation across command lines of these binaries instead of their execution within a short time window. + + Note - this analytic is related to [CAR-2013-04-002](/analytics/CAR-2013-04-002), but differs by looking for a different set of binaries and also looking at standard deviation across command lines of these binaries instead of their execution within a short time window. coverage: - technique: T1012 tactics: 
@@ -44,7 +44,7 @@ coverage: implementations: - name: LolBAS Rare Commands description: Pseudocode version of the below Splunk query. - code: |- + code: | processes = search Process:Create lolbas_processes = filter processes where (exe = "At.exe" OR exe = "Atbroker.exe" OR exe = "Bash.exe" OR exe = "Bitsadmin.exe" OR exe = "Certutil.exe" OR exe = "Cmd.exe" OR exe = "Cmdkey.exe" OR exe = "Cmstp.exe" OR exe = "Control.exe" OR exe = "Csc.exe" OR exe = "Cscript.exe" OR exe = "Dfsvc.exe" OR exe = "Diskshadow.exe" OR exe = "Dnscmd.exe" OR exe = "Esentutl.exe" OR exe = "Eventvwr.exe" OR exe = "Expand.exe" OR exe = "Extexport.exe" OR exe = "Extrac32.exe" OR exe = "Findstr.exe" OR exe = "Forfiles.exe" OR exe = "Ftp.exe" OR exe = "Gpscript.exe" OR exe = "Hh.exe" OR exe = "Ie4uinit.exe" OR exe = "Ieexec.exe" OR exe = "Infdefaultinstall.exe" OR exe = "Installutil.exe" OR exe = "Jsc.exe" OR exe = "Makecab.exe" OR exe = "Mavinject.exe" OR exe = "Microsoft.Workflow.r.exe" OR exe = "Mmc.exe" OR exe = "Msbuild.exe" OR exe = "Msconfig.exe" OR exe = "Msdt.exe" OR exe = "Mshta.exe" OR exe = "Msiexec.exe" OR exe = "Odbcconf.exe" OR exe = "Pcalua.exe" OR exe = "Pcwrun.exe" OR exe = "Presentationhost.exe" OR exe = "Print.exe" OR exe = "Reg.exe" OR exe = "Regasm.exe" OR exe = "Regedit.exe" OR exe = "Register-cimprovider.exe" OR exe = "Regsvcs.exe" OR exe = "Regsvr32.exe" OR exe = "Replace.exe" OR exe = "Rpcping.exe" OR exe = "Rundll32.exe" OR exe = "Runonce.exe" OR exe = "Runscripthelper.exe" OR exe = "Sc.exe" OR exe = "Schtasks.exe" OR exe = "Scriptrunner.exe" OR exe = "SyncAppvPublishingServer.exe" OR exe = "Tttracer.exe" OR exe = "Verclsid.exe" OR exe = "Wab.exe" OR exe = "Wmic.exe" OR exe = "Wscript.exe" OR exe = "Wsreset.exe" OR exe = "Xwizard.exe" OR exe = "Advpack.dll OR exe = "Comsvcs.dll OR exe = "Ieadvpack.dll OR exe = "Ieaframe.dll OR exe = "Mshtml.dll OR exe = "Pcwutl.dll OR exe = "Setupapi.dll OR exe = "Shdocvw.dll OR exe = "Shell32.dll OR exe = "Syssetup.dll OR exe = "Url.dll 
OR exe = "Zipfldr.dll OR exe = "Appvlp.exe" OR exe = "Bginfo.exe" OR exe = "Cdb.exe" OR exe = "csi.exe" OR exe = "Devtoolslauncher.exe" OR exe = "dnx.exe" OR exe = "Dxcap.exe" OR exe = "Excel.exe" OR exe = "Mftrace.exe" OR exe = "Msdeploy.exe" OR exe = "msxsl.exe" OR exe = "Powerpnt.exe" OR exe = "rcsi.exe" OR exe = "Sqler.exe" OR exe = "Sqlps.exe" OR exe = "SQLToolsPS.exe" OR exe = "Squirrel.exe" OR exe = "te.exe" OR exe = "Tracker.exe" OR exe = "Update.exe" OR exe = "vsjitdebugger.exe" OR exe = "Winword.exe" OR exe = "Wsl.exe" OR exe = "CL_Mutexverifiers.ps1 OR exe = "CL_Invocation.ps1 OR exe = "Manage-bde.wsf OR exe = "Pubprn.vbs OR exe = "Slmgr.vbs OR exe = "Syncappvpublishingserver.vbs OR exe = "winrm.vbs OR exe = "Pester.bat) process_count = count(lolbas_processes) by process 
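Review bot: the pseudocode `code:` block being re-chomped in this hunk still has unbalanced string literals from `exe = "Advpack.dll OR exe = "Comsvcs.dll` through `exe = "Pester.bat)`: the closing quote is missing on every `.dll`, `.ps1`, `.wsf`, `.vbs` and `.bat` entry. Since the block is being touched anyway, close them (`exe = "Advpack.dll" OR exe = "Comsvcs.dll" ...`), otherwise the pseudocode cannot be read unambiguously. Separately, `exe` in a `Process:Create` event is the process image, so a DLL or script file name will never equal `exe`; those entries need to match `command_line` (the rundll32/cscript argument) or be dropped.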
@@ -57,7 +57,7 @@ implementations: data_model: CAR native - name: LolBAS Rare Commands description: This Splunk query looks for instances of LoLBAS commands being executed, then stacks by rare command lines using a stddev. - code: |- + code: | index=__your_sysmon_index__ EventCode=1 (OriginalFileName = At.exe OR OriginalFileName = Atbroker.exe OR OriginalFileName = Bash.exe OR OriginalFileName = Bitsadmin.exe OR OriginalFileName = Certutil.exe OR OriginalFileName = Cmd.exe OR OriginalFileName = Cmdkey.exe OR OriginalFileName = Cmstp.exe OR OriginalFileName = Control.exe OR OriginalFileName = Csc.exe OR OriginalFileName = Cscript.exe OR OriginalFileName = Dfsvc.exe OR OriginalFileName = Diskshadow.exe OR OriginalFileName = Dnscmd.exe OR OriginalFileName = Esentutl.exe OR OriginalFileName = Eventvwr.exe OR OriginalFileName = Expand.exe OR OriginalFileName = Extexport.exe OR OriginalFileName = Extrac32.exe OR OriginalFileName = Findstr.exe OR OriginalFileName = Forfiles.exe OR OriginalFileName = Ftp.exe OR OriginalFileName = Gpscript.exe OR OriginalFileName = Hh.exe OR OriginalFileName = Ie4uinit.exe OR OriginalFileName = Ieexec.exe OR OriginalFileName = Infdefaultinstall.exe OR OriginalFileName = Installutil.exe OR OriginalFileName = Jsc.exe OR OriginalFileName = Makecab.exe OR OriginalFileName = Mavinject.exe OR OriginalFileName = Microsoft.Workflow.r.exe OR OriginalFileName = Mmc.exe OR OriginalFileName = Msbuild.exe OR OriginalFileName = Msconfig.exe OR OriginalFileName = Msdt.exe OR OriginalFileName = Mshta.exe OR OriginalFileName = Msiexec.exe OR OriginalFileName = Odbcconf.exe OR OriginalFileName = Pcalua.exe OR OriginalFileName = Pcwrun.exe OR OriginalFileName = Presentationhost.exe OR OriginalFileName = Print.exe OR OriginalFileName = Reg.exe OR OriginalFileName = Regasm.exe OR OriginalFileName = Regedit.exe OR OriginalFileName = Register-cimprovider.exe OR OriginalFileName = Regsvcs.exe OR OriginalFileName = Regsvr32.exe OR OriginalFileName = Replace.exe OR 
OriginalFileName = Rpcping.exe OR OriginalFileName = Rundll32.exe OR OriginalFileName = Runonce.exe OR OriginalFileName = Runscripthelper.exe OR OriginalFileName = Sc.exe OR OriginalFileName = Schtasks.exe OR OriginalFileName = Scriptrunner.exe OR OriginalFileName = SyncAppvPublishingServer.exe OR OriginalFileName = Tttracer.exe OR OriginalFileName = Verclsid.exe OR OriginalFileName = Wab.exe OR OriginalFileName = Wmic.exe OR OriginalFileName = Wscript.exe OR OriginalFileName = Wsreset.exe OR OriginalFileName = Xwizard.exe OR OriginalFileName = Advpack.dll OR OriginalFileName = Comsvcs.dll OR OriginalFileName = Ieadvpack.dll OR OriginalFileName = Ieaframe.dll OR OriginalFileName = Mshtml.dll OR OriginalFileName = Pcwutl.dll OR OriginalFileName = Setupapi.dll OR OriginalFileName = Shdocvw.dll OR OriginalFileName = Shell32.dll OR OriginalFileName = Syssetup.dll OR OriginalFileName = Url.dll OR OriginalFileName = Zipfldr.dll OR OriginalFileName = Appvlp.exe OR OriginalFileName = Bginfo.exe OR OriginalFileName = Cdb.exe OR OriginalFileName = csi.exe OR OriginalFileName = Devtoolslauncher.exe OR OriginalFileName = dnx.exe OR OriginalFileName = Dxcap.exe OR OriginalFileName = Excel.exe OR OriginalFileName = Mftrace.exe OR OriginalFileName = Msdeploy.exe OR OriginalFileName = msxsl.exe OR OriginalFileName = Powerpnt.exe OR OriginalFileName = rcsi.exe OR OriginalFileName = Sqler.exe OR OriginalFileName = Sqlps.exe OR OriginalFileName = SQLToolsPS.exe OR OriginalFileName = Squirrel.exe OR OriginalFileName = te.exe OR OriginalFileName = Tracker.exe OR OriginalFileName = Update.exe OR OriginalFileName = vsjitdebugger.exe OR OriginalFileName = Winword.exe OR OriginalFileName = Wsl.exe OR OriginalFileName = CL_Mutexverifiers.ps1 OR OriginalFileName = CL_Invocation.ps1 OR OriginalFileName = Manage-bde.wsf OR OriginalFileName = Pubprn.vbs OR OriginalFileName = Slmgr.vbs OR OriginalFileName = Syncappvpublishingserver.vbs OR OriginalFileName = winrm.vbs OR OriginalFileName = 
Pester.bat)|eval CommandLine=lower(CommandLine)|eventstats count(process) as procCount by process|eventstats avg(procCount) as avg stdev(procCount) as stdev|eval lowerBound=(avg-stdev*1.5)|eval isOutlier=if((procCount < lowerBound),1,0)|where isOutlier=1|table host, Image, ParentImage, CommandLine, ParentCommandLine, procCount type: Splunk data_model: Sysmon native diff --git a/analytics/CAR-2020-09-001.yaml b/analytics/CAR-2020-09-001.yaml index 66e4a411..ec4f8d76 100644 --- a/analytics/CAR-2020-09-001.yaml +++ b/analytics/CAR-2020-09-001.yaml 
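Review bot: in the CAR-2020-05-003 Splunk hunk just above (`@@ -57,7 +57,7 @@`), the `OriginalFileName = Advpack.dll` ... `OriginalFileName = Pester.bat` terms can never match: `OriginalFileName` on a Sysmon EventCode=1 record comes from the version resource of the process image, so a DLL invoked through rundll32 reports `RUNDLL32.EXE` and a `.vbs`/`.ps1` reports its host interpreter. Either move those names into a `CommandLine="*Advpack.dll*"`-style clause or remove them; as written they only lengthen the query. Also, `eval CommandLine=lower(CommandLine)` is followed by `eventstats count(process) as procCount by process`, so the lower-casing never affects the field that is actually grouped on; if `process` is meant to be the normalised command line, set it explicitly (`eval process=lower(CommandLine)`).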
@@ -4,48 +4,48 @@ submission_date: 2020/09/10 information_domain: 'Host' platforms: - Windows -subtypes: +subtypes: - File analytic_types: - Situational Awareness contributors: - Olaf Hartong id: CAR-2020-09-001 -description: |- +description: | In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations. -coverage: +coverage: - technique: T1053 - subtechniques: + subtechniques: - T1053.005 - tactics: + tactics: - TA0002 - TA0003 - TA0004 coverage: Low implementations: -- name: Pseudocode - Windows task file creation - description: This is a pseudocode representation of the below splunk search. - code: |- - files = search File:Create - task_files = filter files where ( - (file_path = "C:\Windows\System32\Tasks\*" or file_path = "C:\Windows\Tasks\*") and - image_path != "C:\WINDOWS\system32\svchost.exe") - output task_files - data_model: CAR native - type: Pseudocode -- name: Splunk search - Windows task file creation - description: This Splunk search looks for any files created under the Windows tasks directories. - code: |- - index=__your_sysmon_index__ EventCode=11 Image!="C:\\WINDOWS\\system32\\svchost.exe" (TargetFilename="C:\\Windows\\System32\\Tasks\\ - *" OR TargetFilename="C:\\Windows\\Tasks\\*") - data_model: Sysmon native - type: Splunk -- name: LogPoint search - Windows task file creation - description: This LogPoint search looks for any files created under the Windows tasks directories. 
- code: |- - norm_id=WindowsSysmon event_id=11 -source_image="C:\WINDOWS\system32\svchost.exe" (path="C:\Windows\System32\Tasks*" OR path="C:\Windows\Tasks*") - data_model: LogPoint native - type: LogPoint + - name: Pseudocode - Windows task file creation + description: This is a pseudocode representation of the below splunk search. + code: | + files = search File:Create + task_files = filter files where ( + (file_path = "C:\Windows\System32\Tasks\*" or file_path = "C:\Windows\Tasks\*") and + image_path != "C:\WINDOWS\system32\svchost.exe") + output task_files + data_model: CAR native + type: Pseudocode + - name: Splunk search - Windows task file creation + description: This Splunk search looks for any files created under the Windows tasks directories. + code: | + index=__your_sysmon_index__ EventCode=11 Image!="C:\\WINDOWS\\system32\\svchost.exe" (TargetFilename="C:\\Windows\\System32\\Tasks\\ + *" OR TargetFilename="C:\\Windows\\Tasks\\*") + data_model: Sysmon native + type: Splunk + - name: LogPoint search - Windows task file creation + description: This LogPoint search looks for any files created under the Windows tasks directories. + code: | + norm_id=WindowsSysmon event_id=11 -source_image="C:\WINDOWS\system32\svchost.exe" (path="C:\Windows\System32\Tasks*" OR path="C:\Windows\Tasks*") + data_model: LogPoint native + type: LogPoint data_model_references: - file/create/file_path - file/create/image_path diff --git a/analytics/CAR-2020-09-002.yaml b/analytics/CAR-2020-09-002.yaml index 0efd59f9..6a02f789 100644 --- a/analytics/CAR-2020-09-002.yaml +++ b/analytics/CAR-2020-09-002.yaml 
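Review bot: in the CAR-2020-09-001 hunk above, the re-added Splunk `code:` block keeps the `TargetFilename` literal broken across two lines (`...\\Tasks\\` and then `*" OR ...`), so the YAML scalar injects a newline and indentation into the string and the search will not match `C:\Windows\System32\Tasks\*`. Put `TargetFilename="C:\\Windows\\System32\\Tasks\\*"` on one line, as the LogPoint version already does. The re-indent of the `implementations:` items from column 0 to two spaces is valid YAML either way but introduces a mixed style across the repository; a dedicated whitespace commit would make the substantive fixes easier to spot.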
@@ -4,45 +4,45 @@ submission_date: 2020/09/10 information_domain: 'Host' platforms: - Windows -subtypes: +subtypes: - Registry analytic_types: - Situational Awareness contributors: - Olaf Hartong id: CAR-2020-09-002 -description: |- - Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. Accordingly, this analytic looks for any changes under these keys. +description: | + Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. Accordingly, this analytic looks for any changes under these keys. coverage: - - technique: T1546 + - technique: T1546 coverage: Moderate - subtechniques: + subtechniques: - T1546.015 - tactics: + tactics: - TA0003 - TA0004 implementations: -- name: Pseudocode - COM object registry entry modification - description: This is a pseudocode representation of the below splunk search. - code: |- - registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) - clsid_keys = filter registry_keys where ( - key = "*\Software\Classes\CLSID\*") - output clsid_keys - data_model: CAR native - type: Pseudocode -- name: Splunk search - COM object registry entry modification - description: This Splunk search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows COM Object registry key. 
- code: |- - index=__your_sysmon_index__ (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Classes\\CLSID\\*" - data_model: Sysmon native - type: Splunk -- name: LogPoint search - COM object registry entry modification - description: This LogPoint search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows COM Object registry key. - code: |- - norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object="*\Software\Classes\CLSID\*" - data_model: LogPoint native - type: LogPoint + - name: Pseudocode - COM object registry entry modification + description: This is a pseudocode representation of the below splunk search. + code: | + registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) + clsid_keys = filter registry_keys where ( + key = "*\Software\Classes\CLSID\*") + output clsid_keys + data_model: CAR native + type: Pseudocode + - name: Splunk search - COM object registry entry modification + description: This Splunk search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows COM Object registry key. + code: | + index=__your_sysmon_index__ (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Classes\\CLSID\\*" + data_model: Sysmon native + type: Splunk + - name: LogPoint search - COM object registry entry modification + description: This LogPoint search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows COM Object registry key. + code: | + norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object="*\Software\Classes\CLSID\*" + data_model: LogPoint native + type: LogPoint data_model_references: - registry/add/key - registry/remove/key 
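Review bot: the re-chomped CAR-2020-09-002 pseudocode uses `search (Registry:Create AND Registry:Remove AND Registry:Edit)`; a single event cannot be all three, so this should be `OR`, mirroring the Splunk `(EventCode=12 OR EventCode=13 OR EventCode=14)` and LogPoint `event_id IN [12, 13, 14]` in the same hunk. Fix it while the block is being rewritten.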
diff --git a/analytics/CAR-2020-09-003.yaml b/analytics/CAR-2020-09-003.yaml index e7007ca1..ad9d78ab 100644 --- a/analytics/CAR-2020-09-003.yaml +++ b/analytics/CAR-2020-09-003.yaml 
@@ -4,44 +4,44 @@ submission_date: 2020/09/10 information_domain: 'Host' platforms: - Windows -subtypes: +subtypes: - Process analytic_types: - TTP contributors: - Olaf Hartong id: CAR-2020-09-003 -description: |- +description: | Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers. coverage: - - technique: T1562 + - technique: T1562 coverage: Low - subtechniques: + subtechniques: - T1562.006 - tactics: + tactics: - TA0005 implementations: -- name: Pseudocode - fltmc invocation - description: This is a pseudocode representation of the below splunk search. - code: |- - processes = search Process:Create - fltmc_processes = filter processes where ( - exe = "fltmc.exe" AND command_line = "*unload*") - output fltmc_processes - data_model: CAR native - type: Pseudocode -- name: Splunk search - fltmc invocation - description: This Splunk search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers. - code: |- - index=client EventCode=1 CommandLine="*unload*" (Image="C:\\Windows\\SysWOW64\\fltMC.exe" OR Image="C:\\Windows\\System32\\fltMC.exe") - data_model: Sysmon native - type: Splunk -- name: LogPoint search - fltmc invocation - description: This LogPoint search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers. - code: |- - norm_id=WindowsSysmon command="*unload*" (image="C:\Windows\SysWOW64\fltMC.exe" OR image="C:\Windows\System32\fltMC.exe") - data_model: LogPoint native - type: LogPoint + - name: Pseudocode - fltmc invocation + description: This is a pseudocode representation of the below splunk search. 
+ code: | + processes = search Process:Create + fltmc_processes = filter processes where ( + exe = "fltmc.exe" AND command_line = "*unload*") + output fltmc_processes + data_model: CAR native + type: Pseudocode + - name: Splunk search - fltmc invocation + description: This Splunk search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers. + code: | + index=client EventCode=1 CommandLine="*unload*" (Image="C:\\Windows\\SysWOW64\\fltMC.exe" OR Image="C:\\Windows\\System32\\fltMC.exe") + data_model: Sysmon native + type: Splunk + - name: LogPoint search - fltmc invocation + description: This LogPoint search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers. + code: | + norm_id=WindowsSysmon command="*unload*" (image="C:\Windows\SysWOW64\fltMC.exe" OR image="C:\Windows\System32\fltMC.exe") + data_model: LogPoint native + type: LogPoint data_model_references: - process/create/exe - process/create/command_line diff --git a/analytics/CAR-2020-09-004.yaml b/analytics/CAR-2020-09-004.yaml index 133fac15..f3022347 100644 --- a/analytics/CAR-2020-09-004.yaml +++ b/analytics/CAR-2020-09-004.yaml 
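Review bot: in the CAR-2020-09-003 hunk above, the Splunk search still reads `index=client` while every other analytic in this patch uses the `index=__your_sysmon_index__` placeholder; replace it, otherwise the search silently returns nothing outside the author's environment. The LogPoint search also lacks `event_id=1`, unlike its Splunk counterpart (`EventCode=1`), so it matches any Sysmon event whose `command` field contains `unload`. Both Splunk and LogPoint pin `fltMC.exe` to the System32/SysWOW64 paths, whereas the pseudocode matches `exe = "fltmc.exe"` anywhere; pick one behaviour and keep the three implementations consistent.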
@@ -5,52 +5,52 @@ information_domain: 'Host' platforms: - Windows subtypes: - - Process + - Process - Registry analytic_types: - TTP contributors: - Olaf Hartong id: CAR-2020-09-004 -description: |- +description: | Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as [PowerSploit](https://powersploit.readthedocs.io/en/latest/) in order to dump credentials from various applications such as IIS.Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several powersploit modules with similar functionality. coverage: - technique: T1552 coverage: Low - subtechniques: + subtechniques: - T1552.001 - T1552.002 - tactics: + tactics: - TA0006 implementations: -- name: Pseudocode - reg.exe password search & powersploit modules - description: This is a pseudocode representation of the below splunk search. - code: |- - processes = search Process:Create - cred_processes = filter processes where ( - command_line = "*reg* query HKLM /f password /t REG_SZ /s*" OR - command_line = "reg* query HKCU /f password /t REG_SZ /s" OR - command_line = "*Get-UnattendedInstallFile*" OR - command_line = "*Get-Webconfig*" OR - command_line = "*Get-ApplicationHost*" OR - command_line = "*Get-SiteListPassword*" OR - command_line = "*Get-CachedGPPPassword*" OR - command_line = "*Get-RegistryAutoLogon*") - output cred_processes - data_model: CAR native - type: Pseudocode -- name: Splunk Search - reg.exe password search & powersploit modules - description: This Splunk search looks for command lines of reg.exe used to search for passwords, as well as those of powersploit modules for the same purpose. 
- code: |- - ((index=__your_sysmon_index__ EventCode=1) OR (index=__your_win_syslog_index__ EventCode=4688)) (CommandLine="*reg* query HKLM /f password /t REG_SZ /s*" OR CommandLine="reg* query HKCU /f password /t REG_SZ /s" OR CommandLine="*Get-UnattendedInstallFile*" OR CommandLine="*Get-Webconfig*" OR CommandLine="*Get-ApplicationHost*" OR CommandLine="*Get-SiteListPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR CommandLine="*Get-RegistryAutoLogon*") - data_model: Sysmon native - type: Splunk -- name: LogPoint search - reg.exe password search & powersploit modules - description: This LogPoint search looks for command lines of reg.exe used to search for passwords, as well as those of powersploit modules for the same purpose. - code: |- - norm_id=WindowsSysmon event_id=1 command IN ["*reg* query HKLM /f password /t REG_SZ /s*", "reg* query HKCU /f password /t REG_SZ /s", "*Get-UnattendedInstallFile*", "*Get-Webconfig*", "*Get-ApplicationHost*", "*Get-SiteListPassword*", "*Get-CachedGPPPassword*", "*Get-RegistryAutoLogon*"] - data_model: LogPoint native - type: LogPoint + - name: Pseudocode - reg.exe password search & powersploit modules + description: This is a pseudocode representation of the below splunk search. 
+ code: | + processes = search Process:Create + cred_processes = filter processes where ( + command_line = "*reg* query HKLM /f password /t REG_SZ /s*" OR + command_line = "reg* query HKCU /f password /t REG_SZ /s" OR + command_line = "*Get-UnattendedInstallFile*" OR + command_line = "*Get-Webconfig*" OR + command_line = "*Get-ApplicationHost*" OR + command_line = "*Get-SiteListPassword*" OR + command_line = "*Get-CachedGPPPassword*" OR + command_line = "*Get-RegistryAutoLogon*") + output cred_processes + data_model: CAR native + type: Pseudocode + - name: Splunk Search - reg.exe password search & powersploit modules + description: This Splunk search looks for command lines of reg.exe used to search for passwords, as well as those of powersploit modules for the same purpose. + code: | + ((index=__your_sysmon_index__ EventCode=1) OR (index=__your_win_syslog_index__ EventCode=4688)) (CommandLine="*reg* query HKLM /f password /t REG_SZ /s*" OR CommandLine="reg* query HKCU /f password /t REG_SZ /s" OR CommandLine="*Get-UnattendedInstallFile*" OR CommandLine="*Get-Webconfig*" OR CommandLine="*Get-ApplicationHost*" OR CommandLine="*Get-SiteListPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR CommandLine="*Get-RegistryAutoLogon*") + data_model: Sysmon native + type: Splunk + - name: LogPoint search - reg.exe password search & powersploit modules + description: This LogPoint search looks for command lines of reg.exe used to search for passwords, as well as those of powersploit modules for the same purpose. + code: | + norm_id=WindowsSysmon event_id=1 command IN ["*reg* query HKLM /f password /t REG_SZ /s*", "reg* query HKCU /f password /t REG_SZ /s", "*Get-UnattendedInstallFile*", "*Get-Webconfig*", "*Get-ApplicationHost*", "*Get-SiteListPassword*", "*Get-CachedGPPPassword*", "*Get-RegistryAutoLogon*"] + data_model: LogPoint native + type: LogPoint data_model_references: - process/create/command_line d3fend_mappings: 
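Review bot: the `reg* query HKCU /f password /t REG_SZ /s` pattern (pseudocode, Splunk and LogPoint) lacks the leading and trailing `*` that its HKLM sibling has, so it only matches a command line that starts with `reg` and ends exactly in `/s`; use `*reg* query HKCU /f password /t REG_SZ /s*`. In the re-added description, `IIS.Accordingly` is missing a space. Note also that the Splunk search pulls from both Sysmon `EventCode=1` and Security `EventCode=4688`, while `data_model: Sysmon native` claims Sysmon only; either mention the 4688 source or drop it.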
diff --git a/analytics/CAR-2020-09-005.yaml b/analytics/CAR-2020-09-005.yaml index c6a49657..b3976467 100644 --- a/analytics/CAR-2020-09-005.yaml +++ b/analytics/CAR-2020-09-005.yaml 
@@ -11,40 +11,40 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-09-005 -description: |- - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` or `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows` are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse. +description: | + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` or `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows` are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse. coverage: - technique: T1546 coverage: Moderate - subtechniques: + subtechniques: - T1546.010 - tactics: + tactics: - TA0003 - TA0004 implementations: -- name: Pseudocode - AppInit DLL registry modification - description: This is a pseudocode representation of the below splunk search. 
- code: |- - registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) - appinit_keys = filter registry_keys where ( - key = "*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*" OR - key = "*\SOFTWARE\\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*"" - ) - output clsid_keys - data_model: CAR native - type: Pseudocode -- name: Splunk search - AppInit DLL registry modification - description: This Splunk search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows AppInit DLL registry keys. - code: |- - index=__your_sysmon_index__ (EventCode=12 OR EventCode=13 OR EventCode=14) (TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*" OR TargetObject="*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*") - data_model: Sysmon native - type: Splunk -- name: LogPoint search - AppInit DLL registry modification - description: This LogPoint search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows AppInit DLL registry keys. - code: |- - norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object IN ["*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*", "*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*"] - data_model: LogPoint native - type: LogPoint + - name: Pseudocode - AppInit DLL registry modification + description: This is a pseudocode representation of the below splunk search. 
+ code: | + registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) + appinit_keys = filter registry_keys where ( + key = "*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*" OR + key = "*\SOFTWARE\\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*"" + ) + output clsid_keys + data_model: CAR native + type: Pseudocode + - name: Splunk search - AppInit DLL registry modification + description: This Splunk search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows AppInit DLL registry keys. + code: | + index=__your_sysmon_index__ (EventCode=12 OR EventCode=13 OR EventCode=14) (TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*" OR TargetObject="*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*") + data_model: Sysmon native + type: Splunk + - name: LogPoint search - AppInit DLL registry modification + description: This LogPoint search looks for any registry keys that were created, deleted, or renamed, as well as any registry values that were set or renamed under the Windows AppInit DLL registry keys. + code: | + norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object IN ["*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*", "*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*"] + data_model: LogPoint native + type: LogPoint data_model_references: - registry/add/key - registry/remove/key diff --git a/analytics/CAR-2020-11-001.yaml b/analytics/CAR-2020-11-001.yaml index 1253de8e..65b10d86 100644 --- a/analytics/CAR-2020-11-001.yaml +++ b/analytics/CAR-2020-11-001.yaml @@ -1,3 +1,4 @@ +--- title: Boot or Logon Initialization Scripts submission_date: 2020/11/30 information_domain: Host 
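Review bot: the CAR-2020-09-005 pseudocode being rewritten in the hunk above has several defects worth fixing in the same pass: `output clsid_keys` refers to a variable that does not exist here (should be `output appinit_keys`); the second `key =` pattern has a doubled backslash in `\\Wow6432Node` and a stray extra quote in `Appinit_Dlls\*""`; and `Registry:Create AND Registry:Remove AND Registry:Edit` should be `OR`. More importantly, `AppInit_DLLs` is a value under the `...\CurrentVersion\Windows` key, as the description itself says, so a Sysmon EventCode=13 `TargetObject` ends in `\Windows\AppInit_DLLs` with no trailing backslash; the `...\Appinit_Dlls\*` patterns in all three implementations require one and will not match the value-set event. Use `...\Windows\Appinit_Dlls*` instead.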
@@ -11,8 +12,8 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-001 -description: |- - Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\Environment*UserInitMprLogonScript*. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. +description: | + Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\Environment*UserInitMprLogonScript*. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. coverage: - technique: T1037 tactics: @@ -24,7 +25,7 @@ coverage: implementations: - name: Pseudocode - logon run script key added to registry using reg.exe on commandline, or new logon scipt keys in registry from any source. description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create logon_script_key_processes = filter processes where ( command_line = "*reg*add*\Environment*UserInitMprLogonScript") 
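Review bot: the `---` document-start marker added in `@@ -1,3 +1,4 @@` appears only in the CAR-2020-11-* files, while the 2020-05 and 2020-09 files touched earlier in this patch get none; pick one convention for the repository. In the re-added description, `This signature looks edits to existing keys` should read `looks for edits`, and the adjacent implementation name still has `scipt` for `script`; the description line is being rewritten anyway, so fix the wording here.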
@@ -36,13 +37,13 @@ implementations: type: Pseudocode - name: Splunk Search -- logon scripts description: Look for commands for adding a logon script as a registry value, as well as direct registry events for the same thing. - code: |- + code: | (index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\System32\\reg.exe" CommandLine="*add*\\Environment*UserInitMprLogonScript") OR (index=__your_sysmon_index__ (EventCode=12 OR EventCode=14 OR EventCode=13) TargetObject="*\\Environment*UserInitMprLogonScript") data_model: Sysmon native type: Splunk - name: LogPoint Search -- logon scripts description: Look for commands for adding a logon script as a registry value, as well as direct registry events for the same thing. - code: |- + code: | norm_id=WindowsSysmon ((event_id=1 image="C:\Windows\System32\reg.exe" command="*add*\Environment*UserInitMprLogonScript") OR (event_id IN [12, 13, 14] target_object="*\Environment*UserInitMprLogonScript")) data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-002.yaml b/analytics/CAR-2020-11-002.yaml index 87d86c7e..d676caf0 100644 --- a/analytics/CAR-2020-11-002.yaml +++ b/analytics/CAR-2020-11-002.yaml @@ -1,3 +1,4 @@ +--- title: Local Network Sniffing submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-002 -description: |- +description: | Adversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc. This analytic looks for the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy. coverage: - technique: T1040 
@@ -21,7 +22,7 @@ coverage: implementations: - name: Pseudocode - commands containing known network sniffing application names description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create sniffer_processes = filter processes where ( exe = "tshark.exe" OR @@ -35,13 +36,13 @@ implementations: type: Pseudocode - name: Splunk Search - common network traffic sniffing apps being run description: look for common network traffic sniffing apps being run - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) (Image="*tshark.exe" OR Image="*windump.exe" OR (Image="*logman.exe" AND ParentImage!="?" AND ParentImage!="C:\\Program Files\\Windows Event Reporting\\Core\\EventReporting.AgentService.exe") OR Image="*tcpdump.exe" OR Image="*wprui.exe" OR Image="*wpr.exe") data_model: Sysmon native type: Splunk - name: LogPoint Search - common network traffic sniffing apps being run description: look for common network traffic sniffing apps being run - code: |- + code: | norm_id=WindowsSysmon event_id=1 (image="*\tshark.exe" OR image="*\windump.exe" OR (image="*\logman.exe" -parent_image="?" -parent_image="C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe") OR image="*\tcpdump.exe" OR image="*\wprui.exe" OR image="*\wpr.exe") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-003.yaml b/analytics/CAR-2020-11-003.yaml index 5223e141..acc8da98 100644 --- a/analytics/CAR-2020-11-003.yaml +++ b/analytics/CAR-2020-11-003.yaml @@ -1,3 +1,4 @@ +--- title: DLL Injection with Mavinject submission_date: 2020/11/30 information_domain: Host 
@@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-003 -description: |- +description: | Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic. coverage: - technique: T1055 @@ -23,7 +24,7 @@ coverage: implementations: - name: Pseudocode - mavinject process and its common argument description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create mavinject_processes = filter processes where ( exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*" @@ -32,13 +33,13 @@ implementations: type: Pseudocode - name: Splunk Search - mavinject description: Search for instances of mavinject.exe or mavinject32.exe - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR CommandLine="*\INJECTRUNNING*") data_model: Sysmon native type: Splunk - name: LogPoint Search - mavinject description: Search for instances of mavinject.exe or mavinject32.exe - code: |- + code: | norm_id=WindowsSysmon event_id=1 (image="C:\Windows\SysWOW64\mavinject.exe" OR image="C:\Windows\System32\mavinject.exe" OR command="*\INJECTRUNNING*") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-004.yaml b/analytics/CAR-2020-11-004.yaml index 1cb9f909..84f833ad 100644 --- a/analytics/CAR-2020-11-004.yaml +++ b/analytics/CAR-2020-11-004.yaml 
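Review bot: the mavinject pseudocode mixes field names, `exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe"`; `Image` is the Splunk/Sysmon field and should be `exe` here like the first term. The argument pattern also differs between implementations (`*/INJECTRUNNING*` in the pseudocode, `*\INJECTRUNNING*` in the Splunk search), so one of them will not match the switch as typed; pick one form. The Splunk and LogPoint descriptions promise `mavinject.exe or mavinject32.exe` but neither search references a mavinject32.exe path, and the description has "roles up" for "rolls up".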
@@ -1,3 +1,4 @@ +--- title: Processes Started From Irregular Parent submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-004 -description: |- +description: | Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discepency. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event. coverage: - technique: T1055 @@ -22,7 +23,7 @@ coverage: implementations: - name: Pseudocode - common processes that do not have the correct parent description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create mismatch_processes = filter processes where ( parent_exe exists AND (exe="smss.exe" AND (parent_exe!="smss.exe" AND parent_exe!="System") OR 
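Review bot: the rewritten description for CAR-2020-11-004 carries the typo `discepency` (discrepancy); since the line is already being touched by the `|` change, fix it in the same hunk.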
@@ -41,7 +42,7 @@ implementations: type: Pseudocode - name: Splunk Search - parent/child mismatch description: Looks for processes that do not have the expected parent. Common Splunk forwarder applications that break these rules are whitelisted; unique environments may require additional whitelist items. - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) AND ParentImage!="?" AND ParentImage!="C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe" AND ParentImage!="C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe" AND ((Image="C:\\Windows\System32\\smss.exe" AND (ParentImage!="C:\\Windows\\System32\\smss.exe" AND ParentImage!="System")) OR (Image="C:\\Windows\\System32\\csrss.exe" AND (ParentImage!="C:\\Windows\\System32\\smss.exe" AND ParentImage!="C:\\Windows\\System32\\svchost.exe")) OR 
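Review bot: in the Splunk search the first image term is `Image="C:\\Windows\System32\\smss.exe"`, with a single backslash between `Windows` and `System32` while every other path in the query uses `\\`; as written it is a different literal from the `ParentImage` paths on the same line and the smss.exe branch may never match. Normalise it to `C:\\Windows\\System32\\smss.exe`.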
@@ -58,13 +59,13 @@ implementations: type: Splunk - name: LogPoint Search - parent/child mismatch description: Looks for processes that do not have the expected parent. Unique environments may require additional whitelist items. - code: |- - norm_id=WindowsSysmon event_id=1 -parent_image="?" ((image="*\smss.exe" (-parent_image="*\smss.exe" -parent_image="*\System")) OR - (image="*\csrss.exe" (-parent_image="*\smss.exe" -parent_image="*\svchost.exe")) OR (image="*\wininit.exe" -parent_image="*\smss.exe") OR - (image="*\winlogon.exe" -parent_image="*\smss.exe") OR (image="*\lsass.exe" (-parent_image="*\wininit.exe" -parent_image="*\winlogon.exe")) OR - (image="*\LogonUI.exe" (-parent_image="*\winlogon.exe" -parent_image="*\wininit.exe")) OR (image="*\services.exe" -parent_image="*\wininit.exe") OR - (image="*\spoolsv.exe" -parent_image="*\services.exe") OR (image="*\taskhost.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR - (image="*\taskhostw.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR + code: | + norm_id=WindowsSysmon event_id=1 -parent_image="?" 
((image="*\smss.exe" (-parent_image="*\smss.exe" -parent_image="*\System")) OR + (image="*\csrss.exe" (-parent_image="*\smss.exe" -parent_image="*\svchost.exe")) OR (image="*\wininit.exe" -parent_image="*\smss.exe") OR + (image="*\winlogon.exe" -parent_image="*\smss.exe") OR (image="*\lsass.exe" (-parent_image="*\wininit.exe" -parent_image="*\winlogon.exe")) OR + (image="*\LogonUI.exe" (-parent_image="*\winlogon.exe" -parent_image="*\wininit.exe")) OR (image="*\services.exe" -parent_image="*\wininit.exe") OR + (image="*\spoolsv.exe" -parent_image="*\services.exe") OR (image="*\taskhost.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR + (image="*\taskhostw.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR (image="*\userinit.exe" (-parent_image="*\dwm.exe" -parent_image="*\winlogon.exe"))) data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-005.yaml b/analytics/CAR-2020-11-005.yaml index 0618b71c..920597b5 100644 --- a/analytics/CAR-2020-11-005.yaml +++ b/analytics/CAR-2020-11-005.yaml @@ -1,3 +1,4 @@ +--- title: Clear Powershell Console Command History submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-005 -description: |- +description: | Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. This does not capture the event if it is done within the console itself; only commandline-based commands are detected. Note that the command to remove the history file directly may very a bit if the history file is not saved in the default path on a particular system. coverage: - technique: T1070 
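Review bot: the re-indented LogPoint query excludes the smss.exe parent with `-parent_image="*\System"`, but the Splunk counterpart uses `ParentImage!="System"` because Sysmon records the kernel parent as the bare name `System` with no path; a pattern that requires a leading backslash will not exclude it, so every smss.exe start under `System` becomes a false positive in LogPoint. Use `-parent_image="System"` (or both forms) to match the Splunk semantics. The hunk otherwise only reflows the block under `code: |`, which is fine.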
@@ -22,7 +23,7 @@ coverage: implementations: - name: Pseudocode - clear or disable Powershell console history via commandline description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create clear_commands = filter processes where ( command_line ="*rm (Get-PSReadlineOption).HistorySavePath*" OR command_line="*del (Get-PSReadlineOption).HistorySavePath*" OR command_line="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR command_line="*Remove-Item (Get-PSReadlineOption).HistorySavePath*") OR command_linee="del*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt") @@ -31,13 +32,13 @@ implementations: type: Pseudocode - name: Splunk Search - clear command history via Powershell description: Look for powershell commands that would clear command history - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) (CommandLine="*rm (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*del (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR CommandLine="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="del*Microsoft\\Windows\\Powershell\\PSReadline\\ConsoleHost_history.txt") data_model: Sysmon native type: Splunk - name: LogPoint Search - clear command history via Powershell description: Look for powershell commands that would clear command history - code: |- + code: | norm_id=WindowsSysmon event_id=1 (command="*rm (Get-PSReadlineOption).HistorySavePath*" OR command="*del (Get-PSReadlineOption).HistorySavePath*" OR command="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR command="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR command="del*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-006.yaml b/analytics/CAR-2020-11-006.yaml index 77b482b5..ae16c632 100644 
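Review bot: all three PowerShell-history implementations contain `Set-PSReadlineOption –HistorySaveStyle SaveNothing` with an en dash (U+2013) before `HistorySaveStyle` rather than the ASCII hyphen a shell command line carries, so that clause cannot match real telemetry; replace it with `-HistorySaveStyle`. The pseudocode also has the misspelled field `command_linee` and an unbalanced parenthesis (`...HistorySavePath*") OR command_linee=...txt")` closes the `where (` group twice), and the description reads "may very a bit" for "vary".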
--- a/analytics/CAR-2020-11-006.yaml +++ b/analytics/CAR-2020-11-006.yaml @@ -1,3 +1,4 @@ +--- title: Local Permission Group Discovery submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-006 -description: |- +description: | Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives. coverage: - technique: T1069 @@ -23,7 +24,7 @@ coverage: implementations: - name: Pseudocode - net.exe instances description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create net_processes = filter processes where ( exe = "net.exe" AND ( @@ -37,13 +38,13 @@ implementations: type: Pseudocode - name: Splunk Search - net.exe instances description: Look for instances of net.exe - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) Image="C:\\Windows\\System32\\net.exe" AND (CommandLine="* user*" OR CommandLine="* group*" OR CommandLine="* localgroup*" OR CommandLine="*get-localgroup*" OR CommandLine="*get-ADPrincipalGroupMembership*") data_model: Sysmon native type: Splunk - name: LogPoint Search - net.exe instances description: Look for instances of net.exe - code: |- + code: | norm_id=WindowsSysmon event_id=1 image="C:\Windows\System32\net.exe" (command="* user*" OR command="* group*" OR command="* localgroup*" OR command="*get-localgroup*" OR command="*get-ADPrincipalGroupMembership*") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-007.yaml b/analytics/CAR-2020-11-007.yaml index be69d59c..a9b5e3ea 100644 --- a/analytics/CAR-2020-11-007.yaml +++ b/analytics/CAR-2020-11-007.yaml 
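Review bot: the net.exe Splunk and LogPoint searches require `Image="C:\\Windows\\System32\\net.exe"` and then OR in `CommandLine="*get-localgroup*"` and `CommandLine="*get-ADPrincipalGroupMembership*"`; those are PowerShell cmdlet names that never appear on a net.exe command line, so those two terms are dead under the image constraint. Either drop them or split the cmdlet checks into a separate clause keyed on powershell.exe, and say so in the description, which currently only mentions net.exe.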
@@ -1,3 +1,4 @@ +--- title: Network Share Connection Removal submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-007 -description: |- +description: | Adversaries may use network shares to exfliltrate date; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via commandline, which is otherwise a rare event. coverage: - technique: T1070 @@ -22,7 +23,7 @@ coverage: implementations: - name: Pseudocode - network shares being removed via the command line description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create target_processes = filter processes where ( (exe="C:\\Windows\\System32\\net.exe" AND command_line="*delete*") OR @@ -33,13 +34,13 @@ implementations: type: Pseudocode - name: Splunk Search - delete network shares description: looks network shares being deleted from the command line - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) ((Image="C:\\Windows\\System32\\net.exe" AND CommandLine="*delete*") OR CommandLine="*Remove-SmbShare*" OR CommandLine="*Remove-FileShare*") data_model: Sysmon native type: Splunk - name: LogPoint Search - delete network shares description: looks network shares being deleted from the command line - code: |- + code: | norm_id=WindowsSysmon event_id=1 ((image="C:\Windows\System32\net.exe" command="*delete*") OR command="*Remove-SmbShare*" OR command="*Remove-FileShare*") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-008.yaml b/analytics/CAR-2020-11-008.yaml index 7f7437a0..629561c4 100644 --- a/analytics/CAR-2020-11-008.yaml +++ b/analytics/CAR-2020-11-008.yaml @@ -1,3 +1,4 @@ +--- title: MSBuild and msxsl submission_date: 2020/11/30 information_domain: Host 
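Review bot: the rewritten description for CAR-2020-11-007 reads `exfliltrate date` for "exfiltrate data"; fix it while the line is in the hunk. In the pseudocode the path is written `exe="C:\\Windows\\System32\\net.exe"` with doubled backslashes while the surrounding pseudocode blocks in this series use single backslashes for `exe` paths; keep one convention so the pseudocode is consistent across analytics.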
@@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-008 -description: |- +description: | Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variaty of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio. coverage: - technique: T1127 @@ -22,7 +23,7 @@ coverage: implementations: - name: Pseudocode - msbuild description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create target_processes = filter processes where ( (exe="C:\Program Files (x86)\Microsoft Visual Studio\*\bin\MSBuild.exe" OR exe="C:\Windows\Microsoft.NET\Framework*\msbuild.exe" OR exe="C:\users\*\appdata\roaming\microsoft\msxsl.exe") AND @@ -32,13 +33,13 @@ implementations: type: Pseudocode - name: Splunk Search - msbuild description: Looks for all instances of msbuild.exe or msxsl.exe - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) (Image="C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\bin\\MSBuild.exe" OR Image="C:\\Windows\\Microsoft.NET\\Framework*\\msbuild.exe" OR Image="C:\\users\\*\\appdata\\roaming\\microsoft\\msxsl.exe") ParentImage!="*\\Microsoft Visual Studio*") data_model: Sysmon native type: Splunk - name: LogPoint Search - msbuild description: Looks for all instances of msbuild.exe or msxsl.exe - code: |- + code: | norm_id=WindowsSysmon event_id=1 (image IN ["C:\Program Files (x86)\Microsoft Visual Studio\*\bin\MSBuild.exe", "C:\Windows\Microsoft.NET\Framework*\msbuild.exe", "C:\Users\*\appdata\roaming\microsoft\msxsl.exe") -parent_image="*\Microsoft Visual Studio*") data_model: LogPoint native type: LogPoint 
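Review bot: the LogPoint msbuild query opens a list with `image IN ["C:\Program Files (x86)\...", "C:\Windows\...", "C:\Users\...\msxsl.exe")` and closes it with `)` instead of `]`, so the query will not parse; the Splunk version has the opposite problem, an unmatched trailing `)` after `ParentImage!="*\\Microsoft Visual Studio*")`. Both need their brackets balanced before this is merged. The description also has `variaty` for "variety".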
diff --git a/analytics/CAR-2020-11-009.yaml b/analytics/CAR-2020-11-009.yaml index df030754..0ec150c2 100644 --- a/analytics/CAR-2020-11-009.yaml +++ b/analytics/CAR-2020-11-009.yaml @@ -1,3 +1,4 @@ +--- title: Compiled HTML Access submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-009 -description: |- +description: | Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic. coverage: - technique: T1218 @@ -22,7 +23,7 @@ coverage: implementations: - name: Pseudocode - instances of hh.exe description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create target_processes = filter processes where (exe="C:\Windows\syswow64\hh.exe" OR exe="C:\Windows\system32\hh.exe") output target_processes @@ -30,13 +31,13 @@ implementations: type: Pseudocode - name: Splunk Search - hh.exe description: looks all instances of hh.exe - code: |- + code: | (index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\syswow64\\hh.exe" OR Image="C:\\Windows\\system32\\hh.exe") data_model: Sysmon native type: Splunk - name: LogPoint Search - hh.exe description: looks all instances of hh.exe - code: |- + code: | norm_id=WindowsSysmon event_id=1 (image="C:\Windows\syswow64\hh.exe" OR image="C:\Windows\system32\hh.exe") data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-010.yaml b/analytics/CAR-2020-11-010.yaml index 0212b6fb..5ade0c80 100644 --- a/analytics/CAR-2020-11-010.yaml +++ b/analytics/CAR-2020-11-010.yaml @@ -1,3 +1,4 @@ +--- title: CMSTP submission_date: 2020/11/30 information_domain: Host 
@@ -24,7 +25,7 @@ coverage: implementations: - name: Pseudocode - CMSTP description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create target_processes = filter processes where ( exe="C:\Windows\System32\CMSTP.exe" AND @@ -34,13 +35,13 @@ implementations: type: Pseudocode - name: Splunk Search - CMSTP description: looks for instances of CMSTP.exe that are combined with external communication - code: |- + code: | (index=__your_sysmon_index__ EventCode=3) Image="C:\\Windows\\System32\\CMSTP.exe" | where ((!cidrmatch("10.0.0.0/8", SourceIp) AND !cidrmatch("192.168.0.0/16", SourceIp) AND !cidrmatch("172.16.0.0/12", SourceIp)) data_model: Sysmon native type: Splunk - name: LogPoint Search - CMSTP description: looks for instances of CMSTP.exe that are combined with external communication - code: |- + code: | norm_id=WindowsSysmon event_id=3 image="C:\Windows\System32\CMSTP.exe" -source_address IN HOMENET data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2020-11-011.yaml b/analytics/CAR-2020-11-011.yaml index e1f258f7..77c9de4c 100644 --- a/analytics/CAR-2020-11-011.yaml +++ b/analytics/CAR-2020-11-011.yaml @@ -1,3 +1,4 @@ +--- title: Registry Edit from Screensaver submission_date: 2020/11/30 information_domain: Host @@ -10,7 +11,7 @@ analytic_types: contributors: - Olaf Hartong id: CAR-2020-11-011 -description: |- +description: | Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs. coverage: - technique: T1546 
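Review bot: the CMSTP Splunk search has unbalanced parentheses in `| where ((!cidrmatch("10.0.0.0/8", SourceIp) AND ... !cidrmatch("172.16.0.0/12", SourceIp))`, one more opening than closing, so it will fail to parse. Separately, both the Splunk and LogPoint versions test the source address (`SourceIp`, `-source_address IN HOMENET`) against private ranges, but for a Sysmon event 3 on the monitored host the source is the host's own address and will almost always be internal, which would suppress nearly every hit; the description says "combined with external communication", so the destination address field is more likely what was intended.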
@@ -23,7 +24,7 @@ coverage: implementations: - name: Pseudocode - Screensaver description: This is a pseudocode representation of the below splunk search. - code: |- + code: | reg_events = search Registry:add or Registry:edit scr_reg_events = filter processes where ( key="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE" AND @@ -32,13 +33,13 @@ implementations: type: Pseudocode - name: Splunk Search - Screensaver description: looks creations of edits of the SCRNSAVE.exe registry key - code: |- + code: | index=your_sysmon_index (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE" data_model: Sysmon native type: Splunk - name: LogPoint Search - Screensaver description: looks creations of edits of the SCRNSAVE.exe registry key - code: |- + code: | norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object="*\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE" data_model: LogPoint native type: LogPoint diff --git a/analytics/CAR-2021-01-001.yaml b/analytics/CAR-2021-01-001.yaml index 47c65367..2f365dcb 100644 --- a/analytics/CAR-2021-01-001.yaml +++ b/analytics/CAR-2021-01-001.yaml 
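Review bot: the screensaver pseudocode searches into `reg_events` but then filters `processes` (`scr_reg_events = filter processes where (`), an undefined name; it should filter `reg_events`. The Splunk search uses `index=your_sysmon_index` without the `__your_sysmon_index__` placeholder convention the other analytics in this patch use, which makes bulk substitution miss this file.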
@@ -20,12 +20,12 @@ coverage: tactics: - TA0007 implementations: -- name: Splunk search - Identifying Internal hosts and services for lateral movement - description: It should be noted that when a host/ port/ service scan is performed from a compromised machine, a single machine makes multiple calls to other hosts in the network to identify live hosts and services. This can be detected using the following query - code: |- - sourcetype='firewall_logs' dest_ip = 'internal_subnet' | stats dc(dest_port) as pcount by src_ip | where pcount >5 - data_model: Sysmon native - type: Splunk + - name: Splunk search - Identifying Internal hosts and services for lateral movement + description: It should be noted that when a host/ port/ service scan is performed from a compromised machine, a single machine makes multiple calls to other hosts in the network to identify live hosts and services. This can be detected using the following query + code: |- + sourcetype='firewall_logs' dest_ip = 'internal_subnet' | stats dc(dest_port) as pcount by src_ip | where pcount >5 + data_model: Sysmon native + type: Splunk data_model_references: - flow/start/dest_ip d3fend_mappings: diff --git a/analytics/CAR-2021-01-002.yaml b/analytics/CAR-2021-01-002.yaml index fb7c93e5..e0769459 100644 --- a/analytics/CAR-2021-01-002.yaml +++ b/analytics/CAR-2021-01-002.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - Cyware Labs id: CAR-2021-01-002 -description: |- +description: | Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands. coverage: - technique: T1059 
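Review bot: the CAR-2021-01-001 hunk only re-indents the implementation and keeps `code: |-` while the rest of this patch converts to `code: |`; apply the same chomping change here for consistency. The implementation also declares `data_model: Sysmon native` although the query runs over `sourcetype='firewall_logs'` with `dest_ip`/`dest_port` fields, so the data model label is wrong for what the search consumes.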
@@ -20,8 +20,8 @@ coverage: - TA0002 implementations: - name: Splunk search - Identifying possible malware activity via unusually long command line strings - description: This is a Splunk query that determines the average length of a command per user and searches for a command string that is multiple times longer than the average length - code: |- + description: This is a Splunk query that determines the average length of a command per user and searches for a command string that is multiple times longer than the average length + code: | index=* sourcetype="xmlwineventlog" EventCode=4688 |eval cmd_len=len(CommandLine) | eventstats avg(cmd_len) as avg by host| stats max(cmd_len) as maxlen, values(avg) as avgperhost by host, CommandLine | where maxlen > 10*avgperhost data_model: Sysmon native type: Splunk diff --git a/analytics/CAR-2021-01-003.yaml b/analytics/CAR-2021-01-003.yaml index 86758b7d..e153def1 100644 --- a/analytics/CAR-2021-01-003.yaml +++ b/analytics/CAR-2021-01-003.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - Cyware Labs id: CAR-2021-01-003 -description: |- +description: | In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. coverage: - technique: T1070 
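Review bot: the CAR-2021-01-002 query selects `sourcetype="xmlwineventlog" EventCode=4688`, which is the Windows Security audit process-creation event, yet the implementation keeps `data_model: Sysmon native`; label it as Windows Security (or add the Sysmon EventCode=1 equivalent) so readers know which log source to enable. The description fix in the hunk is just re-indentation; the claim that the search finds strings "that stretch over multiple lines" is not what `maxlen > 10*avgperhost` tests, so the description should say "much longer than the host average".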
@@ -22,8 +22,8 @@ coverage: - TA0005 implementations: - name: Splunk search - Detecting log clearing with wevtutil - description: This search query looks for an instance where wevtutil is invoked along with a command that may cause the system to remove Windows Event logs. - code: |- + description: This search query looks for an instance where wevtutil is invoked along with a command that may cause the system to remove Windows Event logs. + code: | index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*) data_model: Sysmon native type: Splunk diff --git a/analytics/CAR-2021-01-004.yaml b/analytics/CAR-2021-01-004.yaml index 2fe6d478..1a584d9c 100644 --- a/analytics/CAR-2021-01-004.yaml +++ b/analytics/CAR-2021-01-004.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - Cyware Labs id: CAR-2021-01-004 -description: |- +description: | After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity. coverage: - technique: T1068 
@@ -20,8 +20,8 @@ coverage: - TA0004 implementations: - name: Splunk search - Unusual Child Process For Spoolsv.exe Or Connhost.exe - description: This query looks for processes spawned by spoolsv.exe or connhost.exe externally, thus alerting us of potentially malicious activity. - code: |- + description: This query looks for processes spawned by spoolsv.exe or connhost.exe externally, thus alerting us of potentially malicious activity. + code: | (index=__your_sysmon_index__ EventCode=1) (Image=C:\\Windows\\System32\\spoolsv.exe* OR Image=C:\\Windows\\System32\\conhost.exe) ParentImage = "C:\\Windows\\System32\\cmd.exe" data_model: Sysmon native type: Splunk diff --git a/analytics/CAR-2021-01-006.yaml b/analytics/CAR-2021-01-006.yaml index 3c1b1909..8e408f66 100644 --- a/analytics/CAR-2021-01-006.yaml +++ b/analytics/CAR-2021-01-006.yaml @@ -11,7 +11,7 @@ analytic_types: contributors: - Cyware Labs id: CAR-2021-01-006 -description: |- +description: | Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. coverage: - technique: T1559 
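Review bot: the CAR-2021-01-004 description says the query looks for processes spawned by spoolsv.exe or connhost.exe, but the search is the inverse: it matches spoolsv.exe/conhost.exe as the `Image` with `ParentImage = "C:\\Windows\\System32\\cmd.exe"`. Fix the description to match the query (or the query to match the description), and correct `connhost.exe` to `conhost.exe` in the name and description, since the search itself uses `conhost.exe`.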
@@ -21,21 +21,21 @@ coverage: tactics: - TA0002 implementations: -- name: Splunk search - Unusual Child Process spawned using DDE exploit - description: This Splunk query looks for any executable invocations from an Excel file. - code: |- - index = __your_sysmon__index__ (ParentImage="*excel.exe" OR ParentImage="*word.exe" OR ParentImage="*outlook.exe") Image="*.exe" - data_model: Sysmon native - type: Splunk -- name: Splunk search - Unusual Child Process spawned using DDE exploit - description: This Splunk query looks for any executable invocations from an Excel file. - code: |- - processes = search Process:Create - target_processes = filter processes where ( - (parent_image="*excel.exe" OR parent_image="*word.exe" OR parent_image="*outlook.exe") - AND image="*.exe" - ) - type: Pseudocode + - name: Splunk search - Unusual Child Process spawned using DDE exploit + description: This Splunk query looks for any executable invocations from an Excel file. + code: | + index = __your_sysmon__index__ (ParentImage="*excel.exe" OR ParentImage="*word.exe" OR ParentImage="*outlook.exe") Image="*.exe" + data_model: Sysmon native + type: Splunk + - name: Splunk search - Unusual Child Process spawned using DDE exploit + description: This Splunk query looks for any executable invocations from an Excel file. + code: | + processes = search Process:Create + target_processes = filter processes where ( + (parent_image="*excel.exe" OR parent_image="*word.exe" OR parent_image="*outlook.exe") + AND image="*.exe" + ) + type: Pseudocode data_model_references: - process/create/command_line d3fend_mappings: diff --git a/analytics/CAR-2021-01-007.yaml b/analytics/CAR-2021-01-007.yaml index ba2cf335..2ebcdd70 100644 --- a/analytics/CAR-2021-01-007.yaml +++ b/analytics/CAR-2021-01-007.yaml 
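Review bot: in the CAR-2021-01-006 hunk the placeholder is written `__your_sysmon__index__` (extra underscore pair after `sysmon`) while every other analytic uses `__your_sysmon_index__`, so a search-and-replace rollout will miss it. Both implementations are named "Splunk search - ..." even though the second is `type: Pseudocode`, and the pseudocode entry has no `data_model` line like its siblings. The description also says "from an Excel file" while the pattern covers excel.exe, word.exe and outlook.exe.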
@@ -11,7 +11,7 @@ analytic_types: contributors: - Cyware Labs id: CAR-2021-01-007 -description: |- +description: | In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. coverage: - technique: T1562 
@@ -21,21 +21,21 @@ coverage: tactics: - TA0005 implementations: -- name: Splunk search - Detecting Tampering of Windows Defender Command Prompt - description: This query looks for the specific use of service control for querying or trying to stop Windows Defender. - code: |- - index= __your_sysmon__index__ EventCode=1 Image = "C:\\Windows\\System32\\sc.exe" | regex CommandLine="^sc\s*(config|stop|query)\sWinDefend$" - data_model: Sysmon native - type: Splunk -- name: Splunk search - Detecting Tampering of Windows Defender Command Prompt - description: This query looks for the specific use of service control for querying or trying to stop Windows Defender. - code: |- - processes = search Process:Create - target_processes = filter processes where ( - (exe="C:\\Windows\\System32\\sc.exe") AND (command_line="sc *config*" OR command_line="sc *stop*" OR command_line="sc *query*") - ) - output target_processes - type: pseudocode + - name: Splunk search - Detecting Tampering of Windows Defender Command Prompt + description: This query looks for the specific use of service control for querying or trying to stop Windows Defender. + code: | + index= __your_sysmon__index__ EventCode=1 Image = "C:\\Windows\\System32\\sc.exe" | regex CommandLine="^sc\s*(config|stop|query)\sWinDefend$" + data_model: Sysmon native + type: Splunk + - name: Splunk search - Detecting Tampering of Windows Defender Command Prompt + description: This query looks for the specific use of service control for querying or trying to stop Windows Defender. + code: | + processes = search Process:Create + target_processes = filter processes where ( + (exe="C:\\Windows\\System32\\sc.exe") AND (command_line="sc *config*" OR command_line="sc *stop*" OR command_line="sc *query*") + ) + output target_processes + type: pseudocode data_model_references: - process/create/command_line d3fend_mappings: diff --git a/analytics/CAR-2021-01-008.yaml b/analytics/CAR-2021-01-008.yaml index 42bcb323..6e0b03a5 100644 
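Review bot: the CAR-2021-01-007 regex `^sc\s*(config|stop|query)\sWinDefend$` anchors on `WinDefend$`, so a `config` invocation, which by necessity carries further arguments after the service name, can never match; drop the `$` anchor or allow trailing arguments if config is meant to be covered. As with CAR-2021-01-006, both implementations are titled "Splunk search" although the second is pseudocode, `type: pseudocode` is lower-case where the other files use `Pseudocode`, and the pseudocode entry lacks `data_model`.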
--- a/analytics/CAR-2021-01-008.yaml +++ b/analytics/CAR-2021-01-008.yaml @@ -21,21 +21,21 @@ coverage: tactics: - TA0004 implementations: -- name: Detect disabling of UAC via reg.exe - description: This query looks for the specific use of reg.exe in correlation to commands aimed at disabling UAC. - code: |- - sourcetype = __your_sysmon_index__ ParentImage = "C:\\Windows\\System32\\cmd.exe" | where like(CommandLine,"reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%") - data_model: Sysmon native - type: Splunk -- name: Detect disabling of UAC via reg.exe - description: This query looks for the specific use of reg.exe in correlation to commands aimed at disabling UAC. - code: |- - processes = search Process:Create - cmd_processes = filter processes where ( - (parent_image = "C:\\Windows\\System32\\cmd.exe") AND (command_line = "reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%") - ) - data_model: Sysmon native - type: pseudocode + - name: Detect disabling of UAC via reg.exe + description: This query looks for the specific use of reg.exe in correlation to commands aimed at disabling UAC. + code: | + sourcetype = __your_sysmon_index__ ParentImage = "C:\\Windows\\System32\\cmd.exe" | where like(CommandLine,"reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%") + data_model: Sysmon native + type: Splunk + - name: Detect disabling of UAC via reg.exe + description: This query looks for the specific use of reg.exe in correlation to commands aimed at disabling UAC. + code: | + processes = search Process:Create + cmd_processes = filter processes where ( + (parent_image = "C:\\Windows\\System32\\cmd.exe") AND (command_line = "reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%") + ) + data_model: Sysmon native + type: pseudocode data_model_references: - process/create/image_path - process/create/command_line 
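Review bot: the re-indented Splunk implementation in CAR-2021-01-008 still opens with `sourcetype = __your_sysmon_index__`, while every other analytic in this patch scopes its search with `index=__your_sysmon_index__`; the placeholder names an index, not a sourcetype, so this should be `index=__your_sysmon_index__` (and written without spaces around `=`, as elsewhere). The pseudocode block also never emits its result: it defines `cmd_processes = filter processes where (...)` but has no `output cmd_processes` line, and it keeps the SQL-style `%` wildcards copied from the Splunk `like()` call instead of the `*` wildcards the other pseudocode implementations use. Since the block is already being rewritten, fix both in the same change.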
diff --git a/analytics/CAR-2021-01-009.yaml b/analytics/CAR-2021-01-009.yaml index e3d088da..cf0f96fe 100644 --- a/analytics/CAR-2021-01-009.yaml +++ b/analytics/CAR-2021-01-009.yaml @@ -1,4 +1,3 @@ - --- title: Detecting Shadow Copy Deletion or Resize submission_date: 2020/12/11 @@ -13,8 +12,7 @@ analytic_types: contributors: - Cyware Labs, Lucas Heiligenstein id: CAR-2021-01-009 -description: |- - After compromising a network of systems, threat actors often try to delete/resize Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. This action is often employed by ransomware, may lead to a failure in recovering systems after an attack. The pseudo code detection focus on Windows Security and Sysmon process creation (4688 and 1). The use of wmic to delete shadow copy generates WMI-Activity Operationnal 5857 event and could generate 5858 (if the operation fails). These 2 EventIDs could be interesting when attackers use wmic without process creation and/or for forensics. +description: After compromising a network of systems, threat actors often try to delete/resize Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. This action is often employed by ransomware, may lead to a failure in recovering systems after an attack. The pseudo code detection focus on Windows Security and Sysmon process creation (4688 and 1). The use of wmic to delete shadow copy generates WMI-Activity Operationnal 5857 event and could generate 5858 (if the operation fails). These 2 EventIDs could be interesting when attackers use wmic without process creation and/or for forensics. coverage: - technique: T1490 coverage: Low 
@@ -22,18 +20,18 @@ coverage: - TA0040 implementations: - name: Splunk Search - Detecting Shadow Copy Deletion or Resize - description: This query looks for the deletion or resizing of shadow copy volumes, which may possibly indicate malicious activity. - code: |- + description: This query looks for the deletion or resizing of shadow copy volumes, which may possibly indicate malicious activity. + code: | ((EventCode="4688" OR EventCode="1") (CommandLine="*vssadmin* *delete* *shadows*" OR CommandLine="*wmic* *shadowcopy* *delete*" OR CommandLine="*vssadmin* *resize* *shadowstorage*")) OR (EventCode="5857" ProviderName="MSVSS__PROVIDER") OR (EventCode="5858" Operation="*Win32_ShadowCopy*") type: Splunk - name: Elastic Search - Detecting Shadow Copy Deletion or Resize description: This query looks for the deletion or resizing of shadow copy volumes, which may possibly indicate malicious activity. - code: |- + code: | (EventCode:("4688" OR "1") AND process.command_line:(*vssadmin*\ *delete*\ *shadows* OR *wmic*\ *shadowcopy*\ *delete* OR *vssadmin*\ *resize*\ *shadowstorage*)) OR (EventCode:"5857" AND ProviderName:"MSVSS__PROVIDER") OR (EventCode:"5858" AND Operation:*Win32_ShadowCopy*) type: Elastic - name: LogPoint Search - Detecting Shadow Copy Deletion or Resize description: This query looks for the deletion or resizing of shadow copy volumes, which may possibly indicate malicious activity. - code: |- + code: | (EventCode IN ["4688", "1"] CommandLine IN ["*vssadmin* *delete* *shadows*", "*wmic* *shadowcopy* *delete*", "*vssadmin* *resize* *shadowstorage*"]) OR (EventCode IN "5857" ProviderName IN "MSVSS__PROVIDER") OR (EventCode IN "5858" Operation IN "*Win32_ShadowCopy*") type: LogPoint data_model_references: 
@@ -43,12 +41,12 @@ d3fend_mappings: id: D3-PSA label: Process Spawn Analysis unit_tests: -- description: Shadow copy deletion with vssadmin - commands: - - 'vssadmin.exe delete shadows /all /quiet' -- description: Shadow copy deletion with wmic - commands: - - 'wmic shadowcopy delete' -- description: Shadow copy resize with vssadmin - commands: - - 'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB' + - description: Shadow copy deletion with vssadmin + commands: + - 'vssadmin.exe delete shadows /all /quiet' + - description: Shadow copy deletion with wmic + commands: + - 'wmic shadowcopy delete' + - description: Shadow copy resize with vssadmin + commands: + - 'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB' diff --git a/analytics/CAR-2021-02-001.yaml b/analytics/CAR-2021-02-001.yaml index f4986f19..eafd966e 100644 --- a/analytics/CAR-2021-02-001.yaml +++ b/analytics/CAR-2021-02-001.yaml @@ -11,8 +11,8 @@ analytic_types: contributors: - Nichols Jasper id: CAR-2021-02-001 -description: |- - A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment. +description: | + A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment. coverage: - technique: T1505 tactics: 
@@ -23,12 +23,12 @@ coverage: implementations: - name: Pseudocode - Look for suspicious process tree beginning with web service description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process:Create suspicious_processes = filter processes where ( (parent_exe == "w3wp.exe" OR parent_exe == "httpd.exe" OR - parent_exe == "tomcat*.exe" OR + parent_exe == "tomcat*.exe" OR parent_exe == "nginx.exe" ) AND (exe == "cmd.exe" OR exe == "powershell.exe" OR @@ -41,11 +41,11 @@ implementations: data_model: CAR native type: Pseudocode - name: Splunk Search - webshell-indicative process tree - description: Look for host enumeration commands spawned by web services. - code: |- - (index=__your_sysmon_index__ EventCode=1) + description: Look for host enumeration commands spawned by web services. + code: | + (index=__your_sysmon_index__ EventCode=1) (ParentImage="C:\\Windows\\System32\\*w3wp.exe" OR ParentImage="*httpd.exe" OR ParentImage="*tomcat*.exe" OR ParentImage="*nginx.exe") - (Image="C:\\Windows\\System32\\cmd.exe OR Image="C:\\Windows\\SysWOW64\\cmd.exe" OR Image="C:\\Windows\\System32\\*\\powershell.exe OR Image="C:\\Windows\SysWOW64\\*\powershell.exe OR Image="C:\\Windows\\System32\\net.exe" OR Image="C:\\Windows\\System32\\hostname.exe" OR Image="C:\\Windows\\System32\\whoami.exe" OR Image="*systeminfo.exe OR Image="C:\\Windows\\System32\\ipconfig.exe") + (Image="C:\\Windows\\System32\\cmd.exe OR Image="C:\\Windows\\SysWOW64\\cmd.exe" OR Image="C:\\Windows\\System32\\*\\powershell.exe OR Image="C:\\Windows\SysWOW64\\*\powershell.exe OR Image="C:\\Windows\\System32\\net.exe" OR Image="C:\\Windows\\System32\\hostname.exe" OR Image="C:\\Windows\\System32\\whoami.exe" OR Image="*systeminfo.exe OR Image="C:\\Windows\\System32\\ipconfig.exe") data_model: Sysmon native type: Splunk data_model_references: diff --git a/analytics/CAR-2021-02-002.yaml b/analytics/CAR-2021-02-002.yaml index afde9d72..7d659e80 100644 
--- a/analytics/CAR-2021-02-002.yaml +++ b/analytics/CAR-2021-02-002.yaml @@ -11,9 +11,9 @@ analytic_types: contributors: - Sebastien Damaye id: CAR-2021-02-002 -description: |- - Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques. -coverage: +description: | + Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques. +coverage: - technique: T1548 tactics: - TA0004 
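Review bot: the rewritten `description: |` block in CAR-2021-02-002 carries over a subject-verb mismatch, `they create a named pipe and connects an instance of cmd.exe to it`; since the line is touched anyway, change `connects` to `connect`. Note also that `|-` to `|` adds a trailing newline to the value, which is harmless for a description but should be applied consistently: CAR-2021-01-009 in the same patch goes the other way and collapses its description into a plain scalar.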
@@ -22,7 +22,7 @@ coverage: implementations: - name: Pseudocode - Meterpreter and Cobalt Strike description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process suspicious_processes = filter processes where ( (parent_image_path == C:\Windows\System32\services.exe" AND @@ -36,14 +36,14 @@ implementations: type: Pseudocode - name: Splunk Search - Meterpreter and Cobalt Strike description: Look for instances GetSystem elevation performed by Meterpreter or Cobalt Strike - code: |- + code: | index=__your_sysmon_index__ (ParentImage="C:\\Windows\\System32\\services.exe" Image="C:\\Windows\\System32\\cmd.exe" (CommandLine="*echo*" AND CommandLine="*\\pipe\\*")) OR (Image="C:\\Windows\\System32\\rundll32.exe" CommandLine="*,a /p:*") data_model: Sysmon native type: Splunk - name: Pseudocode - Empire and PoshC2 description: This is a pseudocode representation of the below splunk search. - code: |- + code: | processes = search Process suspicious_processes = filter processes where ( (image_path == "C:\Windows\System32\cmd.exe" OR @@ -55,7 +55,7 @@ implementations: type: Pseudocode - name: Splunk Search - Empire and PoshC2 description: Look for instances GetSystem elevation performed by Empire or PoshC2 - code: |- + code: | index=__your_sysmon_index__ (Image="C:\\Windows\\System32\\cmd.exe" OR CommandLine="*%COMSPEC%*") (CommandLine="*echo*" AND CommandLine="*\pipe\*") data_model: Sysmon native type: Splunk diff --git a/analytics/CAR-2021-04-001.yaml b/analytics/CAR-2021-04-001.yaml index 7f4fdd01..34fb05a9 100644 --- a/analytics/CAR-2021-04-001.yaml +++ b/analytics/CAR-2021-04-001.yaml 
@@ -11,7 +11,7 @@ analytic_types: contributors: - Sebastien Damaye id: CAR-2021-04-001 -description: |- +description: | [Masquerading (T1036)](https://attack.mitre.org/techniques/T1036/) is defined by ATT&CK as follows: "Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names." @@ -45,7 +45,7 @@ coverage: implementations: - name: Pseudocode - Common Windows Process Masquerading description: Looks for mismatches between process names and their image paths. - code: |- + code: | processes = search Process:* suspicious_processes = filter processes where ( (exe=svchost.exe AND (image_path!="C:\\Windows\\System32\\svchost.exe" OR process_path!="C:\\Windows\\SysWow64\\svchost.exe")) @@ -58,13 +58,13 @@ implementations: OR (exe=services.exe AND image_path!="C:\\Windows\\System32\\services.exe") OR (exe=lsm.exe AND image_path!="C:\\Windows\\System32\\lsm.exe") OR (exe=explorer.exe AND image_path!="C:\\Windows\\explorer.exe") - ) + ) output suspicious_processes data_model: CAR native type: Pseudocode - name: Splunk Search - Common Windows Process Masquerading description: Splunk search version of the above pseudocode. - code: |- + code: | index=__your_sysmon_index__ source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND ( (process_name=svchost.exe AND NOT (process_path="C:\\Windows\\System32\\svchost.exe" OR process_path="C:\\Windows\\SysWow64\\svchost.exe")) OR (process_name=smss.exe AND NOT process_path="C:\\Windows\\System32\\smss.exe") 
@@ -76,7 +76,7 @@ implementations: OR (process_name=services.exe AND NOT process_path="C:\\Windows\\System32\\services.exe") OR (process_name=lsm.exe AND NOT process_path="C:\\Windows\\System32\\lsm.exe") OR (process_name=explorer.exe AND NOT process_path="C:\\Windows\\explorer.exe") - ) + ) data_model: Sysmon native type: Splunk data_model_references: diff --git a/analytics/CAR-2021-05-001.yaml b/analytics/CAR-2021-05-001.yaml index 87557c43..efe51f48 100644 --- a/analytics/CAR-2021-05-001.yaml +++ b/analytics/CAR-2021-05-001.yaml 
@@ -1,61 +1,62 @@ +--- title: Attempt To Add Certificate To Untrusted Store submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-001 -description: Adversaries may add their own root certificate to the certificate store, to cause the web browser to trust that certificate and not display a security warning when it encounters the previously unseen certificate. This action may be the precursor to malicious activity. +description: Adversaries may add their own root certificate to the certificate store, to cause the web browser to trust that certificate and not display a security warning when it encounters the previously unseen certificate. This action may be the precursor to malicious activity. coverage: -- technique: T1553 - tactics: - - TA0005 - coverage: Moderate - subtechniques: - - T1553.004 + - technique: T1553 + tactics: + - TA0005 + coverage: Moderate + subtechniques: + - T1553.004 implementations: -- name: Splunk code - description: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also - be ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. 
- code: '| tstats count min(_time) as firstTime values(Processes.process) as process - max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=*certutil* - (Processes.process=*-addstore*) by Processes.parent_process Processes.process_name - Processes.user' - type: Splunk - data_model: Endpoint -- name: Pseudocode – detect attempts to add a certificate to a certificate store - description: Pseudocode implementation of the splunk search below - code: |- - processes = search Process:Create - addstore_commands = filter processes where ( - exe =”C:\Windows\System32\certutil.exe” AND command_line="*-addstore*” ) - output addstore_commands - data_model: CAR native - type: Pseudocode + - name: Splunk code + description: You must be ingesting data that records process activity from your + hosts to populate the Endpoint data model in the Processes node. You must also + be ingesting logs with both the process name and command line from your endpoints. + The command-line arguments are mapped to the "process" field in the Endpoint data + model. 
+ code: '| tstats count min(_time) as firstTime values(Processes.process) as process + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=*certutil* + (Processes.process=*-addstore*) by Processes.parent_process Processes.process_name + Processes.user' + type: Splunk + data_model: Endpoint + - name: Pseudocode – detect attempts to add a certificate to a certificate store + description: Pseudocode implementation of the splunk search below + code: | + processes = search Process:Create + addstore_commands = filter processes where ( + exe =”C:\Windows\System32\certutil.exe” AND command_line="*-addstore*” ) + output addstore_commands + data_model: CAR native + type: Pseudocode unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1553.004](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004) - against a Windows target. 
- commands: - - Invoke-AtomicTest T1553.004 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1553.004](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1553.004) + against a Windows target. + commands: + - Invoke-AtomicTest T1553.004 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-002.yaml b/analytics/CAR-2021-05-002.yaml index 203c8308..78d0d311 100644 --- a/analytics/CAR-2021-05-002.yaml +++ b/analytics/CAR-2021-05-002.yaml 
@@ -1,61 +1,61 @@ +--- title: Batch File Write to System32 submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-002 description: While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions. coverage: -- technique: T1204 - subtechniques: - - T1204.002 - tactics: - - TA0002 - coverage: Moderate + - technique: T1204 + subtechniques: + - T1204.002 + tactics: + - TA0002 + coverage: Moderate implementations: -- name: Pseudocode – Batch file created in the Windows system32 directory tree - description: Pseudocode implementation of the Splunk search below - code: |- - files = search File:create - batch_files = filter files where ( - extension =".bat" AND file_path = "C:\Windows\system32*" ) - output batch_files - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: You must be ingesting data that records the file-system activity from - your hosts to populate the Endpoint file-system data-model node. If you are using - Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which - you want to collect data. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) - as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user - from datamodel=Endpoint.Filesystem by Filesystem.file_path | rex field=file_name - "(?\.[^\.]+)$" | search file_path=*system32* AND file_extension=.bat' - type: Splunk - data_model: Endpoint - + - name: Pseudocode – Batch file created in the Windows system32 directory tree + description: Pseudocode implementation of the Splunk search below + code: | + files = search File:create + batch_files = filter files where ( + extension =".bat" AND file_path = "C:\Windows\system32*" ) + output batch_files + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: You must be ingesting data that records the file-system activity from + your hosts to populate the Endpoint file-system data-model node. If you are using + Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which + you want to collect data. 
+ code: '| tstats count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) + as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user + from datamodel=Endpoint.Filesystem by Filesystem.file_path | rex field=file_name + "(?\.[^\.]+)$" | search file_path=*system32* AND file_extension=.bat' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1204.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1204.002) - against a Windows target. - commands: - - Invoke-AtomicTest T1204.002 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1204.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1204.002) + against a Windows target. 
+ commands: + - Invoke-AtomicTest T1204.002 data_model_references: -- file/create/extension -- file/create/file_path + - file/create/extension + - file/create/file_path d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-003.yaml b/analytics/CAR-2021-05-003.yaml index 7fd2b3fe..0691da52 100644 --- a/analytics/CAR-2021-05-003.yaml +++ b/analytics/CAR-2021-05-003.yaml 
@@ -1,59 +1,60 @@ +--- title: BCDEdit Failure Recovery Modification submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-003 description: This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery. coverage: -- technique: T1490 - tactics: - - TA0040 - coverage: Moderate + - technique: T1490 + tactics: + - TA0040 + coverage: Moderate implementations: -- name: Pseudocode – detect attempts to add a certificate to a certificate store - description: Pseudocode implementation of the splunk search below - code: |- - processes = search Process:Create - bcdedit_commands = filter processes where ( - exe = "C:\Windows\System32\bcdedit.exe" AND command_line="*recoveryenabled*" ) - output bcedit_commands - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: You must be ingesting endpoint data that tracks process activity, including - parent-child relationships from your endpoints to populate the Endpoint data model - in the Processes node. Tune based on parent process names. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*" - (Processes.process="* no*") by Processes.process_name Processes.process Processes.parent_process_name - Processes.dest Processes.user' - type: Splunk - data_model: Endpoint + - name: Pseudocode – detect attempts to add a certificate to a certificate store + description: Pseudocode implementation of the splunk search below + code: | + processes = search Process:Create + bcdedit_commands = filter processes where ( + exe = "C:\Windows\System32\bcdedit.exe" AND command_line="*recoveryenabled*" ) + output bcedit_commands + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: You must be ingesting endpoint data that tracks process activity, including + parent-child relationships from your endpoints to populate the Endpoint data model + in the Processes node. Tune based on parent process names. 
+ code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*" + (Processes.process="* no*") by Processes.process_name Processes.process Processes.parent_process_name + Processes.dest Processes.user' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1490](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1490) - against a Windows target. - commands: - - Invoke-AtomicTest T1490 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1490](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1490) + against a Windows target. + commands: + - Invoke-AtomicTest T1490 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA 
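Review bot: the pseudocode implementation in CAR-2021-05-003 is mis-labelled and has a variable typo. Its name, `Pseudocode – detect attempts to add a certificate to a certificate store`, was copied from CAR-2021-05-001 and describes certutil, not bcdedit; rename it to something like `Pseudocode – detect bcdedit disabling Windows recovery`. The filter assigns `bcdedit_commands = filter processes where (...)` but then does `output bcedit_commands`, so the output references an undefined name; both should read `bcdedit_commands`. The pseudocode also omits the `(Processes.process="* no*")` condition that the Splunk search applies, so the two are not equivalent: the pseudocode would also match an administrator re-enabling recovery with `recoveryenabled yes`.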
diff --git a/analytics/CAR-2021-05-004.yaml b/analytics/CAR-2021-05-004.yaml index 5dde8045..993b4906 100644 --- a/analytics/CAR-2021-05-004.yaml +++ b/analytics/CAR-2021-05-004.yaml @@ -1,14 +1,15 @@ +--- title: BITS Job Persistence submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-004 description: The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. 
@@ -18,48 +19,48 @@ description: The following query identifies Microsoft Background Intelligent Tra to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. coverage: -- technique: T1197 - tactics: - - TA0005 - - TA0003 - coverage: Moderate + - technique: T1197 + tactics: + - TA0005 + - TA0003 + coverage: Moderate implementations: -- name: Pseudocode – detect a BITS job being scheduled - description: Pseudocode implementation of the splunk search below - code: |- - processes = search Process:Create - bitsadmin_commands = filter processes where ( - exe ="C:\Windows\System32\bitsadmin.exe" AND command_line includes one of [*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*,*resume*]) - output bitsadmin_commands - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=bitsadmin.exe Processes.process IN (*create*, *addfile*, - *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, - *resume* ) by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id' - type: Splunk - data_model: Endpoint + - name: Pseudocode – detect a BITS job being scheduled + description: Pseudocode implementation of the splunk search below + code: | + processes = search Process:Create + bitsadmin_commands = filter processes where ( + exe ="C:\Windows\System32\bitsadmin.exe" AND command_line includes one of [*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*,*resume*]) + output bitsadmin_commands + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. 
+ code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=bitsadmin.exe Processes.process IN (*create*, *addfile*, + *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, + *resume* ) by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1197](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1197) - against a Windows target. - commands: - - Invoke-AtomicTest T1197 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1197](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1197) + against a Windows target. 
+ commands: + - Invoke-AtomicTest T1197 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-005.yaml b/analytics/CAR-2021-05-005.yaml index 7df8e149..8918e864 100644 --- a/analytics/CAR-2021-05-005.yaml +++ b/analytics/CAR-2021-05-005.yaml @@ -1,14 +1,15 @@ +--- title: BITSAdmin Download File submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-005 description: The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote 
@@ -23,51 +24,51 @@ description: The following query identifies Microsoft Background Intelligent Tra malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation. coverage: -- technique: T1197 - tactics: - - TA0005 - - TA0003 - coverage: Moderate -- technique: T1105 - tactics: - - TA0011 - coverage: Moderate + - technique: T1197 + tactics: + - TA0005 + - TA0003 + coverage: Moderate + - technique: T1105 + tactics: + - TA0011 + coverage: Moderate implementations: -- name: Pseudocode – detect BITS transfer jobs - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - bitsadmin_commands = filter processes where ( - exe ="C:\Windows\System32\bitsadmin.exe" AND command_line = *transfer*) - output bitsadmin_commands - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=bitsadmin.exe Processes.process=*transfer* by Processes.dest - Processes.user Processes.parent_process Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id' - type: Splunk - data_model: Endpoint + - name: Pseudocode – detect BITS transfer jobs + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + bitsadmin_commands = filter processes where ( + exe ="C:\Windows\System32\bitsadmin.exe" AND command_line = *transfer*) + output bitsadmin_commands + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. + code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=bitsadmin.exe Processes.process=*transfer* by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test 
[T1197](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1197) - against a Windows target. - commands: - - Invoke-AtomicTest T1197 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1197](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1197) + against a Windows target. + commands: + - Invoke-AtomicTest T1197 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-006.yaml b/analytics/CAR-2021-05-006.yaml index 9a9a1404..10ee4f93 100644 --- a/analytics/CAR-2021-05-006.yaml +++ b/analytics/CAR-2021-05-006.yaml @@ -1,14 +1,15 @@ +--- title: CertUtil Download With URLCache and Split Arguments submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-006 description: Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, 
@@ -18,46 +19,46 @@ description: Certutil.exe may download a file from a remote destination using `- During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. coverage: -- technique: T1105 - tactics: - - TA0011 - coverage: Moderate + - technique: T1105 + tactics: + - TA0011 + coverage: Moderate implementations: -- name: Pseudocode – CertUtil download - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - certutil_downloads = filter processes where ( - exe ="C:\Windows\System32\certutil.exe" AND command_line = *urlcache* AND command_line = *split*) - output certutil_downloads - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=certutil.exe Processes.process=*urlcache* Processes.process=*split* - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id' - type: Splunk - data_model: Endpoint + - name: Pseudocode – CertUtil download + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + certutil_downloads = filter processes where ( + exe ="C:\Windows\System32\certutil.exe" AND command_line = *urlcache* AND command_line = *split*) + output certutil_downloads + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. 
+ code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=certutil.exe Processes.process=*urlcache* Processes.process=*split* + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1105](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105) - against a Windows target. - commands: - - Invoke-AtomicTest T1105 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1105](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105) + against a Windows target. 
+ commands: + - Invoke-AtomicTest T1105 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-007.yaml b/analytics/CAR-2021-05-007.yaml index 43b21121..b8e2842d 100644 --- a/analytics/CAR-2021-05-007.yaml +++ b/analytics/CAR-2021-05-007.yaml @@ -1,14 +1,15 @@ +--- title: CertUtil Download With VerifyCtl and Split Arguments submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-007 description: 'Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, 
@@ -18,46 +19,46 @@ description: 'Certutil.exe may download a file from a remote destination using ` the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\`. ' coverage: -- technique: T1105 - tactics: - - TA0011 - coverage: Moderate + - technique: T1105 + tactics: + - TA0011 + coverage: Moderate implementations: -- name: Pseudocode – CertUtil download with VerifyCtl - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - certutil_downloads = filter processes where ( - exe = "C:\Windows\System32\certutil.exe" AND command_line = *verifyctl* AND command_line = *split*) - output certutil_downloads - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=certutil.exe Processes.process=*verifyctl* Processes.process=*split* - by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id' - type: Splunk - data_model: Endpoint + - name: Pseudocode – CertUtil download with VerifyCtl + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + certutil_downloads = filter processes where ( + exe = "C:\Windows\System32\certutil.exe" AND command_line = *verifyctl* AND command_line = *split*) + output certutil_downloads + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. 
+ code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=certutil.exe Processes.process=*verifyctl* Processes.process=*split* + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1105](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105) - against a Windows target. - commands: - - Invoke-AtomicTest T1105 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1105](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105) + against a Windows target. 
+ commands: + - Invoke-AtomicTest T1105 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-008.yaml b/analytics/CAR-2021-05-008.yaml index a5671c49..d5dcd378 100644 --- a/analytics/CAR-2021-05-008.yaml +++ b/analytics/CAR-2021-05-008.yaml 
@@ -1,59 +1,59 @@ +--- title: Certutil exe certificate extraction submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-008 description: This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS. coverage: -- technique: T1606 - subtechniques: - - T1606.002 - tactics: - - TA0006 - coverage: Moderate + - technique: T1606 + subtechniques: + - T1606.002 + tactics: + - TA0006 + coverage: Moderate implementations: -- name: Pseudocode – CertUtil certificate extraction - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - certutil_downloads = filter processes where ( - exe =”C:\Windows\System32\certutil.exe” AND command_line = * -exportPFX * ) - output certutil_downloads - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: Splunk implementation - code: '| tstats count min(_time) as firstTime values(Processes.process) as process - max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe - Processes.process = "* -exportPFX *" by Processes.parent_process Processes.process_name - Processes.process Processes.user' - type: Splunk - data_model: Endpoint + - name: Pseudocode – CertUtil certificate extraction + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + certutil_downloads = filter processes where ( + exe =”C:\Windows\System32\certutil.exe” AND command_line = * -exportPFX * ) + output certutil_downloads + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: Splunk implementation + code: '| tstats count 
min(_time) as firstTime values(Processes.process) as process + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe + Processes.process = "* -exportPFX *" by Processes.parent_process Processes.process_name + Processes.process Processes.user' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1606.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1606.002) - against a Windows target. - commands: - - Invoke-AtomicTest T1606.002 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: Execute the atomic test [T1606.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1606.002) against a Windows target. + commands: + - Invoke-AtomicTest T1606.002 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA 
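Review bot: the reindented pseudocode in CAR-2021-05-008 still carries typographic quotes in `exe =”C:\Windows\System32\certutil.exe”`; the sibling analytics in this patch (CAR-2021-05-006, CAR-2021-05-007) use straight `"` around the path, so change it to `exe = "C:\Windows\System32\certutil.exe"` while every line of the block is being rewritten anyway. Two smaller points in the same hunk: the block scalar changes from `code: |-` to `code: |`, which makes every `code` value end with a newline where it previously did not, so check that the site renderer does not pick up a trailing blank line; and the second unit-test description is capitalised to `Execute the atomic test ...` here while every other file in this patch keeps the lowercase `execute the atomic test`, so pick one form.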
diff --git a/analytics/CAR-2021-05-009.yaml b/analytics/CAR-2021-05-009.yaml index 76c6177d..3583fae4 100644 --- a/analytics/CAR-2021-05-009.yaml +++ b/analytics/CAR-2021-05-009.yaml @@ -1,14 +1,15 @@ +--- title: CertUtil With Decode Argument submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-009 description: CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` 
@@ -19,46 +20,46 @@ description: CertUtil.exe may be used to `encode` and `decode` a file, including further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. coverage: -- technique: T1140 - tactics: - - TA0005 - coverage: Moderate + - technique: T1140 + tactics: + - TA0005 + coverage: Moderate implementations: -- name: Pseudocode – CertUtil with Decode Argument - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - certutil_downloads = filter processes where ( - exe =”C:\Windows\System32\certutil.exe” AND command_line = *decode* ) - output certutil_downloads - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. 
- code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.process_name=certutil.exe Processes.process=*decode* by Processes.dest - Processes.user Processes.parent_process Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id' - type: Splunk - data_model: Endpoint + - name: Pseudocode – CertUtil with Decode Argument + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + certutil_downloads = filter processes where ( + exe =”C:\Windows\System32\certutil.exe” AND command_line = *decode* ) + output certutil_downloads + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. + code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name=certutil.exe Processes.process=*decode* by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test 
[T1140](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1140) - against a Windows target. - commands: - - Invoke-AtomicTest T1140 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1140](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1140) + against a Windows target. + commands: + - Invoke-AtomicTest T1140 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-010.yaml b/analytics/CAR-2021-05-010.yaml index 285fc5a1..1d743225 100644 --- a/analytics/CAR-2021-05-010.yaml +++ b/analytics/CAR-2021-05-010.yaml 
@@ -1,63 +1,64 @@ +--- title: Create local admin accounts using net exe submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-010 description: This search looks for the creation of local administrator accounts using net.exe. coverage: -- technique: T1136 - subtechniques: - - T1136.001 - tactics: - - TA0003 - coverage: Moderate + - technique: T1136 + subtechniques: + - T1136.001 + tactics: + - TA0003 + coverage: Moderate implementations: -- name: Pseudocode – CertUtil certificate extraction - description: Pseudocode implementation of the Splunk search below - code: |- - processes = search Process:Create - certutil_downloads = filter processes where ( - (exe = C:\Windows\System32\net.exe OR exe = C:\Windows\System32\net1.exe ) AND command_line = * -exportPFX * ) - output certutil_downloads - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: You must be ingesting data that records process activity from your - hosts to populate the Endpoint data model in the Processes node. You must also - be ingesting logs with both the process name and command line from your endpoints. - The command-line arguments are mapped to the "process" field in the Endpoint data - model. 
- code: '| tstats count values(Processes.user) as user values(Processes.parent_process) - as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND - (Processes.process=*localgroup* OR Processes.process=*/add* OR Processes.process=*user*) - by Processes.process Processes.process_name Processes.dest |`create_local_admin_accounts_using_net_exe_filter`' - type: Splunk - data_model: Endpoint + - name: Pseudocode – CertUtil certificate extraction + description: Pseudocode implementation of the Splunk search below + code: | + processes = search Process:Create + certutil_downloads = filter processes where ( + (exe = C:\Windows\System32\net.exe OR exe = C:\Windows\System32\net1.exe ) AND command_line = * -exportPFX * ) + output certutil_downloads + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: You must be ingesting data that records process activity from your + hosts to populate the Endpoint data model in the Processes node. You must also + be ingesting logs with both the process name and command line from your endpoints. + The command-line arguments are mapped to the "process" field in the Endpoint data + model. 
+ code: '| tstats count values(Processes.user) as user values(Processes.parent_process) + as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND + (Processes.process=*localgroup* OR Processes.process=*/add* OR Processes.process=*user*) + by Processes.process Processes.process_name Processes.dest |`create_local_admin_accounts_using_net_exe_filter`' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1136.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1136.001) - against a Windows target. - commands: - - Invoke-AtomicTest T1136.001 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1136.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1136.001) + against a Windows target. 
+ commands: + - Invoke-AtomicTest T1136.001 data_model_references: -- process/create/exe -- process/create/command_line + - process/create/exe + - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-05-011.yaml b/analytics/CAR-2021-05-011.yaml index 3b2abc44..4d112621 100644 --- a/analytics/CAR-2021-05-011.yaml +++ b/analytics/CAR-2021-05-011.yaml 
@@ -1,59 +1,60 @@ +--- title: Create Remote Thread into LSASS submission_date: 2021/05/11 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-011 -description: Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials. +description: Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials. coverage: -- technique: T1003 - subtechniques: - - T1003.001 - tactics: - - TA0006 - coverage: Moderate + - technique: T1003 + subtechniques: + - T1003.001 + tactics: + - TA0006 + coverage: Moderate implementations: -- name: Pseudocode – Remote thread creation into LSASS - description: Pseudocode implementation of the Splunk search below. The CAR data model does not currently contain a Target Image field, for remote thread creation, so this code Is somewhat inexact. See the Splunk implementation for a more precise search for the lsass image target. - code: |- - remote_threads = search Thread:remote_create - lsass_remote_create = filter remote_threads where "lsass" in raw event - output lsass_remote_create - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: This search needs Sysmon Logs with a Sysmon configuration, which includes - EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We - strongly recommend that you specify your environment-specific configurations (index, - source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition - with configurations for your Splunk environment. The search also uses a post-filter - macro designed to filter out known false positives. 
- code: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime - max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | - rename Computer as dest' - type: Splunk - data_model: '' + - name: Pseudocode – Remote thread creation into LSASS + description: Pseudocode implementation of the Splunk search below. The CAR data model does not currently contain a Target Image field, for remote thread creation, so this code Is somewhat inexact. See the Splunk implementation for a more precise search for the lsass image target. + code: | + remote_threads = search Thread:remote_create + lsass_remote_create = filter remote_threads where "lsass" in raw event + output lsass_remote_create + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: > + This search needs Sysmon Logs with a Sysmon configuration, which includes + EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We + strongly recommend that you specify your environment-specific configurations (index, + source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition + with configurations for your Splunk environment. The search also uses a post-filter + macro designed to filter out known false positives. 
+ code: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime + max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | + rename Computer as dest' + type: Splunk + data_model: '' unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1003.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1003.001) - against a Windows target. - commands: - - Invoke-AtomicTest T1003.001 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: > + Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1003.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1003.001) against a Windows target. + commands: + - Invoke-AtomicTest T1003.001 data_model_references: -- thread/remote_create + - thread/remote_create d3fend_mappings: - iri: d3f:SystemCallAnalysis id: D3-SCA diff --git a/analytics/CAR-2021-05-012.yaml b/analytics/CAR-2021-05-012.yaml index c8f9bcfb..c1b099ec 100644 --- a/analytics/CAR-2021-05-012.yaml +++ b/analytics/CAR-2021-05-012.yaml 
@@ -1,60 +1,61 @@ +--- title: Create Service In Suspicious File Path submission_date: 2021/05/11 update_date: 2021/04/05 information_domain: Analytic platforms: -- Windows + - Windows subtypes: -- Process + - Process analytic_types: -- TTP + - TTP contributors: -- Splunk Threat Research + - Splunk Threat Research id: CAR-2021-05-012 description: This detection is to identify a creation of "user mode service" where the service file path is located in non-common service folder in windows. coverage: -- technique: T1569 - subtechniques: - - T1569.001 - - T1569.002 - tactics: - - TA0002 - coverage: Moderate + - technique: T1569 + subtechniques: + - T1569.001 + - T1569.002 + tactics: + - TA0002 + coverage: Moderate implementations: -- name: Pseudocode – Service in Suspicious File Path - description: Pseudocode implementation of the Splunk search below. - code: |- - services = search Service:create - suspicious_services = filter services where image_path = "*\.exe" AND image_path does not contain ["C:\\Windows\\*", "%windir%\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*"] ) - output suspicious_services - data_model: CAR native - type: Pseudocode -- name: Splunk code - description: To successfully implement this search, you need to be ingesting logs - with the Service name, Service File Name Service Start type, and Service Type - from your endpoints. - code: ' `wineventlog_system` EventCode=7045 Service_File_Name = "*\.exe" NOT (Service_File_Name - IN ("C:\\Windows\\*", "%windir%\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*")) - Service_Type = "user mode service" | stats count min(_time) as firstTime max(_time) - as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type' - type: Splunk - data_model: Endpoint + - name: Pseudocode – Service in Suspicious File Path + description: Pseudocode implementation of the Splunk search below. 
+ code: | + services = search Service:create + suspicious_services = filter services where image_path = "*\.exe" AND image_path does not contain ["C:\\Windows\\*", "%windir%\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*"] ) + output suspicious_services + data_model: CAR native + type: Pseudocode + - name: Splunk code + description: To successfully implement this search, you need to be ingesting logs + with the Service name, Service File Name Service Start type, and Service Type + from your endpoints. + code: ' `wineventlog_system` EventCode=7045 Service_File_Name = "*\.exe" NOT (Service_File_Name + IN ("C:\\Windows\\*", "%windir%\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*")) + Service_Type = "user mode service" | stats count min(_time) as firstTime max(_time) + as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type' + type: Splunk + data_model: Endpoint unit_tests: -- configurations: - - Using Splunk [Attack Range](https://github.com/splunk/attack_range) - description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log) using - the Splunk attack range with the commands below - commands: - - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] -- configurations: - - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) - description: execute the atomic test [T1569.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1569.001) - against a Windows target. 
- commands: - - Invoke-AtomicTest T1569.001 + - configurations: + - Using Splunk [Attack Range](https://github.com/splunk/attack_range) + description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log) using + the Splunk attack range with the commands below + commands: + - python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] + - configurations: + - Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) + description: execute the atomic test [T1569.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1569.001) + against a Windows target. + commands: + - Invoke-AtomicTest T1569.001 data_model_references: -- service/create/image_path + - service/create/image_path d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA diff --git a/analytics/CAR-2021-11-001.yaml b/analytics/CAR-2021-11-001.yaml index ad67773a..a06daa7a 100644 --- a/analytics/CAR-2021-11-001.yaml +++ b/analytics/CAR-2021-11-001.yaml @@ -1,3 +1,4 @@ +--- title: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 submission_date: 2021/11/24 information_domain: Host @@ -28,7 +29,7 @@ coverage: implementations: - name: Creation of SafeDllSearchMode description: This detects SafeDllSearchMode creation, either via a new process (command line) or direct registry manipulation. - code: |- + code: | processes = search Process:create safe_dll_search_processes = filter processes where command_line CONTAINS("*SafeDllSearchMode*") AND ((command_line CONTAINS("*reg*") AND command_line CONTAINS("*add*") AND command_line CONTAINS("*/d*")) OR (command_line CONTAINS("*Set-ItemProperty*") AND command_line CONTAINS(*-value*)) OR ((command_line CONTAINS("*00000000*") AND command_line CONTAINS(*0*))) reg_keys = search Registry:value_edit 
@@ -38,33 +39,33 @@ implementations: type: Pseudocode - name: Splunk Search - Creation of SafeDllSearchMode description: This is a Splunk representation of the above pseudocode. - code: |- + code: | (source="WinEventLog:*" ((((EventCode="4688" OR EventCode="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) (CommandLine="*00000000*" OR CommandLine="*0*") CommandLine="*SafeDllSearchMode*") OR ((EventCode="4657") ObjectValueName="SafeDllSearchMode" value="0")) OR ((EventCode="13") EventType="SetValue" TargetObject="*SafeDllSearchMode" Details="DWORD (0x00000000)"))) data_model: Win. Eventlog/Sysmon native type: Splunk - name: Elastic Search - Creation of SafeDllSearchMode description: This is an Elastic representation of the above pseudocode. - code: |- + code: | (((EventCode:("4688" OR "1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:(*00000000* OR *0*) AND process.command_line:*SafeDllSearchMode*) OR (EventCode:"4657" AND winlog.event_data.ObjectValueName:"SafeDllSearchMode" AND value:"0")) OR (EventCode:"13" AND winlog.event_data.EventType:"SetValue" AND winlog.event_data.TargetObject:*SafeDllSearchMode AND winlog.event_data.Details:"DWORD\ \(0x00000000\)")) data_model: Win. Eventlog/Sysmon native type: Elastic - name: LogPoint Search - Creation of SafeDllSearchMode description: This is a LogPoint representation of the above pseudocode. 
- code: |- + code: | (((EventCode IN ["4688", "1"] ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine IN ["*00000000*", "*0*"] CommandLine="*SafeDllSearchMode*") OR (EventCode IN "4657" ObjectValueName="SafeDllSearchMode" value="0")) OR (EventCode IN "13" EventType="SetValue" TargetObject="*SafeDllSearchMode" Details="DWORD (0x00000000)")) data_model: Win. Eventlog/Sysmon native type: LogPoint unit_tests: - description: Execute command with cmd commands: - - reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /d 0 + - reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /d 0 - description: Execute command with powershell commands: - - Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name SafeDllSearchMode -Value 0 + - Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name SafeDllSearchMode -Value 0 data_model_references: - process/create/command_line - registry/add/key d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA - label: Process Spawn Analysis \ No newline at end of file + label: Process Spawn Analysis diff --git a/analytics/CAR-2021-11-002.yaml b/analytics/CAR-2021-11-002.yaml index e3f63718..543d9480 100644 --- a/analytics/CAR-2021-11-002.yaml +++ b/analytics/CAR-2021-11-002.yaml @@ -1,3 +1,4 @@ +--- title: Registry Edit with Modification of Userinit, Shell or Notify submission_date: 2021/11/28 information_domain: Host 
@@ -11,7 +12,7 @@ analytic_types: contributors: - Lucas Heiligenstein id: CAR-2021-11-002 -description: |- +description: | Detection of modification of the registry key values of `Notify`, `Userinit`, and `Shell` located in `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` and `HKEY_LOCAL_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\`. When a user logs on, the Registry key values of `Notify`, `Userinit` and `Shell` are used to load dedicated Windows component. Attackers may insert malicious payload following the legitimate value to launch a malicious payload. coverage: - technique: T1547 @@ -28,7 +29,7 @@ coverage: implementations: - name: Userinit/Shell/Notify Registry Modifications description: This detects logon registry key modification, either via a new process (command line) or direct registry manipulation. - code: |- + code: | processes = search Process:create logon_reg_processes = filter processes where command_line CONTAINS("*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*") AND (command_line CONTAINS("*Userinit*") OR command_line CONTAINS("*Shell*") OR command_line CONTAINS("*Notify*")) AND (((command_line CONTAINS("*reg*") OR command_line CONTAINS("*add*") OR command_line CONTAINS("*/d*")) OR (command_line CONTAINS("*Set-ItemProperty*") OR command_line CONTAINS("*New-ItemProperty*") OR command_line CONTAINS("*-value*")))) reg_keys = search Registry:value_edit 
@@ -38,26 +39,26 @@ implementations: type: Pseudocode - name: Splunk Search - Modification of Userinit, Shell or Notify description: This is a Splunk representation of the above pseudocode. - code: |- + code: | (((((EventCode="4688" OR EventCode="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR ((CommandLine="*Set-ItemProperty*" OR CommandLine="*New-ItemProperty*") CommandLine="*-value*")) CommandLine="*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" (CommandLine="*Userinit*" OR CommandLine="*Shell*" OR CommandLine="*Notify*")) OR ((EventCode="4657") (ObjectValueName="Userinit" OR ObjectValueName="Shell" OR ObjectValueName="Notify"))) OR ((EventCode="13") (TargetObject="*Userinit" OR TargetObject="*Shell" OR TargetObject="*Notify")))) type: Splunk - name: Elastic Search - Modification of Userinit, Shell or Notify description: This is an ElasticSearch representation of the above pseudocode. - code: |- + code: | (((EventCode:("4688" OR "1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:(*Set\-ItemProperty* OR *New\-ItemProperty*) AND process.command_line:*\-value*)) AND process.command_line:*\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon* AND process.command_line:(*Userinit* OR *Shell* OR *Notify*)) OR (EventCode:"4657" AND winlog.event_data.ObjectValueName:("Userinit" OR "Shell" OR "Notify"))) OR (EventCode:"13" AND winlog.event_data.TargetObject:(*Userinit OR *Shell OR *Notify))) type: Elastic - name: LogPoint Search - Modification of Userinit, Shell or Notify description: This is a LogPoint representation of the above pseudocode. 
- code: |- + code: | (((EventCode IN ["4688", "1"] ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine IN ["*Set-ItemProperty*", "*New-ItemProperty*"] CommandLine="*-value*")) CommandLine="*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" CommandLine IN ["*Userinit*", "*Shell*", "*Notify*"]) OR (EventCode IN "4657" ObjectValueName IN ["Userinit", "Shell", "Notify"])) OR (EventCode IN "13" TargetObject IN ["*Userinit", "*Shell", "*Notify"])) type: LogPoint unit_tests: -- description: Modification on Registry Key with cmd. Calc.exe will be launched when user will login - commands: - - reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d C:\Windows\system32\userinit.exe,C:\Windows\system32\calc.exe -- description: Modification on Registry Key with Powershell. Calc.exe will be launched when user will login - commands: - - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Userinit -Value C:\Windows\system32\userinit.exe,C:\Windows\system32\calc.exe + - description: Modification on Registry Key with cmd. Calc.exe will be launched when user will login + commands: + - reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d C:\Windows\system32\userinit.exe,C:\Windows\system32\calc.exe + - description: Modification on Registry Key with Powershell. Calc.exe will be launched when user will login + commands: + - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Userinit -Value C:\Windows\system32\userinit.exe,C:\Windows\system32\calc.exe data_model_references: - process/create/command_line - registry/add/key diff --git a/analytics/CAR-2021-12-001.yaml b/analytics/CAR-2021-12-001.yaml index 6713cb71..56a9d317 100644 --- a/analytics/CAR-2021-12-001.yaml +++ b/analytics/CAR-2021-12-001.yaml 
@@ -1,3 +1,4 @@ +--- title: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths submission_date: 2021/12/04 information_domain: Host 
@@ -23,7 +24,7 @@ coverage: implementations: - name: Creation of Suspicious Scheduled Tasks description: This detects the creation of suspicious scheduled tasks, either via a new process (command line) or direct through the corresponding Windows EIDs. - code: |- + code: | processes = search Process:create susp_tasks_processes = filter processes where command_line CONTAINS("*SCHTASKS*") AND (command_line CONTAINS("*/CREATE*") OR command_line CONTAINS("*/CHANGE*")) AND (command_line CONTAINS("*.cmd*") OR command_line CONTAINS("*.ps1*") OR command_line CONTAINS("*.vbs*") OR command_line CONTAINS("*.py*") OR command_line CONTAINS("*.js*") OR command_line CONTAINS("*.exe*") OR command_line CONTAINS("*.bat*") OR (command_line CONTAINS("*javascript*") OR command_line CONTAINS("*powershell*") OR command_line CONTAINS("*wmic*") OR command_line CONTAINS("*rundll32*") OR command_line CONTAINS("*cmd*") OR command_line CONTAINS("*cscript*") OR command_line CONTAINS("*wscript*") OR command_line CONTAINS("*regsvr32*") OR command_line CONTAINS("*mshta*") OR command_line CONTAINS("*bitsadmin*") OR command_line CONTAINS("*certutil*") OR command_line CONTAINS("*msiexec*") OR command_line CONTAINS("*javaw*") OR (command_line CONTAINS("*%APPDATA%*") OR command_line CONTAINS("*\\AppData\\Roaming*") OR command_line CONTAINS("*%PUBLIC%*") OR command_line CONTAINS("*C:\\Users\\Public*") OR command_line CONTAINS("*%ProgramData%*") OR command_line CONTAINS("*C:\\ProgramData*") OR command_line CONTAINS("*%TEMP%*") OR command_line CONTAINS("*\\AppData\\Local\\Temp*") OR command_line CONTAINS("*\\Windows\\PLA\\System*") OR command_line CONTAINS("*\\tasks*") OR command_line CONTAINS("*\\Registration\\CRMLog*") OR command_line CONTAINS("*\\FxsTmp*") OR command_line CONTAINS("*\\spool\\drivers\\color*") OR command_line CONTAINS("*\\tracing*")))) tasks = search Task:create 
@@ -33,29 +34,29 @@ implementations: type: Pseudocode - name: Splunk Search - Scheduled Task creation or modification containing suspicious script, extension or user writable path. description: This is a Splunk representation of the above pseudocode search. - code: |- + code: | (((EventCode="4688" OR EventCode="1") CommandLine="*SCHTASKS*" (CommandLine="*/CREATE*" OR CommandLine="*/CHANGE*")) ((CommandLine="*.cmd*" OR CommandLine="*.ps1*" OR CommandLine="*.vbs*" OR CommandLine="*.py*" OR CommandLine="*.js*" OR CommandLine="*.exe*" OR CommandLine="*.bat*") OR (CommandLine="*javascript*" OR CommandLine="*powershell*" OR CommandLine="*wmic*" OR CommandLine="*rundll32*" OR CommandLine="*cmd*" OR CommandLine="*cscript*" OR CommandLine="*wscript*" OR CommandLine="*regsvr32*" OR CommandLine="*mshta*" OR CommandLine="*bitsadmin*" OR CommandLine="*certutil*" OR CommandLine="*msiexec*" OR CommandLine="*javaw*") OR (CommandLine="*%APPDATA%*" OR CommandLine="*\\AppData\\Roaming*" OR CommandLine="*%PUBLIC%*" OR CommandLine="*C:\\Users\\Public*" OR CommandLine="*%ProgramData%*" OR CommandLine="*C:\\ProgramData*" OR CommandLine="*%TEMP%*" OR CommandLine="*\\AppData\\Local\\Temp*" OR CommandLine="*\\Windows\\PLA\\System*" OR CommandLine="*\\tasks*" OR CommandLine="*\\Registration\\CRMLog*" OR CommandLine="*\\FxsTmp*" OR CommandLine="*\\spool\\drivers\\color*" OR CommandLine="*\\tracing*"))) OR ((EventCode="4698" OR EventCode="4702") ((TaskContent="*.cmd*" OR TaskContent="*.ps1*" OR TaskContent="*.vbs*" OR TaskContent="*.py*" OR TaskContent="*.js*" OR TaskContent="*.exe*" OR TaskContent="*.bat*") OR (TaskContent="*javascript*" OR TaskContent="*powershell*" OR TaskContent="*wmic*" OR TaskContent="*rundll32*" OR TaskContent="*cmd*" OR TaskContent="*cscript*" OR TaskContent="*wscript*" OR TaskContent="*regsvr32*" OR TaskContent="*mshta*" OR TaskContent="*bitsadmin*" OR TaskContent="*certutil*" OR TaskContent="*msiexec*" OR TaskContent="*javaw*") OR (TaskContent="*%APPDATA%*" OR 
TaskContent="*\\AppData\\Roaming*" OR TaskContent="*%PUBLIC%*" OR TaskContent="*C:\\Users\\Public*" OR TaskContent="*%ProgramData%*" OR TaskContent="*C:\\ProgramData*" OR TaskContent="*%TEMP%*" OR TaskContent="*\\AppData\\Local\\Temp*" OR TaskContent="*\\Windows\\PLA\\System*" OR TaskContent="*\\tasks*" OR TaskContent="*\\Registration\\CRMLog*" OR TaskContent="*\\FxsTmp*" OR TaskContent="*\\spool\\drivers\\color*" OR TaskContent="*\\tracing*"))) type: Splunk - name: Elastic Search - Scheduled Task creation or modification containing suspicious script, extension or user writable path. description: This is an ElasticSearch representation of the above pseudocode search. - code: |- + code: | ((winlog.event_id:("4688" OR "1") AND process.command_line:*SCHTASKS* AND process.command_line:(*\/CREATE* OR *\/CHANGE*)) AND (process.command_line:(*.cmd* OR *.ps1* OR *.vbs* OR *.py* OR *.js* OR *.exe* OR *.bat*) OR process.command_line:(*javascript* OR *powershell* OR *wmic* OR *rundll32* OR *cmd* OR *cscript* OR *wscript* OR *regsvr32* OR *mshta* OR *bitsadmin* OR *certutil* OR *msiexec* OR *javaw*) OR process.command_line:(*%APPDATA%* OR *\\AppData\\Roaming* OR *%PUBLIC%* OR *C\:\\Users\\Public* OR *%ProgramData%* OR *C\:\\ProgramData* OR *%TEMP%* OR *\\AppData\\Local\\Temp* OR *\\Windows\\PLA\\System* OR *\\tasks* OR *\\Registration\\CRMLog* OR *\\FxsTmp* OR *\\spool\\drivers\\color* OR *\\tracing*))) OR (winlog.event_id:("4698" OR "4702") AND (winlog.event_data.TaskContent:(*.cmd* OR *.ps1* OR *.vbs* OR *.py* OR *.js* OR *.exe* OR *.bat*) OR winlog.event_data.TaskContent:(*javascript* OR *powershell* OR *wmic* OR *rundll32* OR *cmd* OR *cscript* OR *wscript* OR *regsvr32* OR *mshta* OR *bitsadmin* OR *certutil* OR *msiexec* OR *javaw*) OR winlog.event_data.TaskContent:(*%APPDATA%* OR *\\AppData\\Roaming* OR *%PUBLIC%* OR *C\:\\Users\\Public* OR *%ProgramData%* OR *C\:\\ProgramData* OR *%TEMP%* OR *\\AppData\\Local\\Temp* OR *\\Windows\\PLA\\System* OR *\\tasks* OR 
*\\Registration\\CRMLog* OR *\\FxsTmp* OR *\\spool\\drivers\\color* OR *\\tracing*))) type: Elastic - name: LogPoint Search - Scheduled Task creation or modification containing suspicious script, extension or user writable path. description: This is a LogPoint representation of the above pseudocode search. - code: |- + code: | ((event_id IN ["4688", "1"] CommandLine="*SCHTASKS*" CommandLine IN ["*/CREATE*", "*/CHANGE*"]) (CommandLine IN ["*.cmd*", "*.ps1*", "*.vbs*", "*.py*", "*.js*", "*.exe*", "*.bat*"] OR CommandLine IN ["*javascript*", "*powershell*", "*wmic*", "*rundll32*", "*cmd*", "*cscript*", "*wscript*", "*regsvr32*", "*mshta*", "*bitsadmin*", "*certutil*", "*msiexec*", "*javaw*"] OR CommandLine IN ["*%APPDATA%*", "*\\AppData\\Roaming*", "*%PUBLIC%*", "*C:\\Users\\Public*", "*%ProgramData%*", "*C:\\ProgramData*", "*%TEMP%*", "*\\AppData\\Local\\Temp*", "*\\Windows\\PLA\\System*", "*\\tasks*", "*\\Registration\\CRMLog*", "*\\FxsTmp*", "*\\spool\\drivers\\color*", "*\\tracing*"])) OR (event_id IN ["4698", "4702"] (TaskContent IN ["*.cmd*", "*.ps1*", "*.vbs*", "*.py*", "*.js*", "*.exe*", "*.bat*"] OR TaskContent IN ["*javascript*", "*powershell*", "*wmic*", "*rundll32*", "*cmd*", "*cscript*", "*wscript*", "*regsvr32*", "*mshta*", "*bitsadmin*", "*certutil*", "*msiexec*", "*javaw*"] OR TaskContent IN ["*%APPDATA%*", "*\\AppData\\Roaming*", "*%PUBLIC%*", "*C:\\Users\\Public*", "*%ProgramData%*", "*C:\\ProgramData*", "*%TEMP%*", "*\\AppData\\Local\\Temp*", "*\\Windows\\PLA\\System*", "*\\tasks*", "*\\Registration\\CRMLog*", "*\\FxsTmp*", "*\\spool\\drivers\\color*", "*\\tracing*"])) type: LogPoint unit_tests: -- description: Creation Scheduled Task with cmd. Calc.exe will be launched every minute - commands: - - SCHTASKS /CREATE /SC MINUTE /MO 1 /TN "CALC_TASK" /TR "C:\Windows\System32\calc.exe" -- description: Creation Scheduled Task with cmd. 
Ping will be launched every minute - commands: - - SCHTASKS /CREATE /SC MINUTE /MO 1 /TN "PING_TASK" /TR "cmd /c ping 8.8.8.8" + - description: Creation Scheduled Task with cmd. Calc.exe will be launched every minute + commands: + - SCHTASKS /CREATE /SC MINUTE /MO 1 /TN "CALC_TASK" /TR "C:\Windows\System32\calc.exe" + - description: Creation Scheduled Task with cmd. Ping will be launched every minute + commands: + - SCHTASKS /CREATE /SC MINUTE /MO 1 /TN "PING_TASK" /TR "cmd /c ping 8.8.8.8" data_model_references: - process/create/command_line d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA - label: Process Spawn Analysis \ No newline at end of file + label: Process Spawn Analysis diff --git a/analytics/CAR-2021-12-002.yaml b/analytics/CAR-2021-12-002.yaml index 372f942e..64197ced 100644 --- a/analytics/CAR-2021-12-002.yaml +++ b/analytics/CAR-2021-12-002.yaml @@ -1,3 +1,4 @@ +--- title: Modification of Default Startup Folder in the Registry Key 'Common Startup' submission_date: 2021/12/06 information_domain: Host 
@@ -11,7 +12,7 @@ analytic_types: contributors: - Lucas Heiligenstein id: CAR-2021-12-002 -description: Detection of the modification of the registry key `Common Startup` located in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\`. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys. +description: Detection of the modification of the registry key `Common Startup` located in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\`. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys. coverage: - technique: T1547 tactics: @@ -27,7 +28,7 @@ coverage: implementations: - name: Common Startup Registry Key Modification description: This detects modification of the `Common Startup` registry key value, either via a new process (command line) or direct registry manipulation. - code: |- + code: | processes = search Process:create logon_reg_processes = filter processes where (command_line CONTAINS("*reg*") AND command_line CONTAINS("*add*") AND command_line CONTAINS("*/d*") OR (command_line CONTAINS("*Set-ItemProperty*") AND command_line CONTAINS("*-value*")) AND command_line CONTAINS("*Common Startup*")) reg_keys = search Registry:value_edit 
@@ -37,30 +38,30 @@ implementations: type: Pseudocode - name: Splunk Search - Modification of default Startup Folder in the Registry Key "Common Startup" description: This is a Splunk representation of the above pseudocode search. - code: |- + code: | (((EventCode="4688" OR EventCode="1") (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR ((EventCode="4657" ObjectValueName="Common Startup") OR (EventCode="13" TargetObject="*Common Startup"))) type: Splunk - name: Elastic Search - Modification of default Startup Folder in the Registry Key "Common Startup" description: This is an ElasticSeearech representation of the above pseudocode search. - code: |- + code: | ((EventLog:"Security" AND (winlog.event_id:"4688" OR winlog.event_id:"1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:*Common\ Startup*) OR (winlog.event_id:"4657" AND winlog.event_data.ObjectValueName:"Common\ Startup") OR (winlog.event_id:"13" AND winlog.event_data.TargetObject:"*Common Startup")) type: Elastic - name: LogPoint Search - Modification of default Startup Folder in the Registry Key "Common Startup" description: This is a LogPoint representation of the above pseudocode search. - code: |- + code: | ((EventLog="Security" (event_id="4688" OR event_id="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*") OR (event_id="4657" ObjectValueName="Common Startup") OR (event_id="13" TargetObject="*Common Startup")) type: LogPoint unit_tests: -- description: Modification on Registry Key with cmd. 
Files in new_malicious_startup_folder will be launched when user logon - commands: - - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup" /d "C:\Users\Lucas\Documents\new_malicious_startup_folder" /f -- description: Modification on Registry Key with Powershell. Files in new_malicious_startup_folder will be launched when user logon - commands: - - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value C:\Users\Lucas\Documents\new_malicious_startup_folder + - description: Modification on Registry Key with cmd. Files in new_malicious_startup_folder will be launched when user logon + commands: + - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup" /d "C:\Users\Lucas\Documents\new_malicious_startup_folder" /f + - description: Modification on Registry Key with Powershell. Files in new_malicious_startup_folder will be launched when user logon + commands: + - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Common Startup" -Value C:\Users\Lucas\Documents\new_malicious_startup_folder data_model_references: - process/create/command_line - registry/add/key d3fend_mappings: - iri: d3f:ProcessSpawnAnalysis id: D3-PSA - label: Process Spawn Analysis \ No newline at end of file + label: Process Spawn Analysis diff --git a/analytics/CAR-2022-03-001.yaml b/analytics/CAR-2022-03-001.yaml index 00003160..752d5b13 100644 --- a/analytics/CAR-2022-03-001.yaml +++ b/analytics/CAR-2022-03-001.yaml @@ -1,4 +1,3 @@ - --- title: Disable Windows Event Logging submission_date: 2022/03/14 
@@ -12,7 +11,7 @@ analytic_types: contributors: - Lucas Heiligenstein id: CAR-2022-03-001 -description: |- +description: | Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more. This data is used by security tools and analysts to generate detections. There are different ways to perform this attack. 1. The first one is to create the Registry Key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt`. This action will not generate Security EventLog 4657 or Sysmon EventLog 13 because the value of the key remains empty. However, if an attacker uses powershell to perform this attack (and not cmd), a Security EventLog 4663 will be generated (but 4663 generates a lot of noise). 2. The second way is to disable the service EventLog (display name Windows Event Log). After disabed, attacker must reboot the system. The action of disabling or put in manual the service will modify the Registry Key value `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\start`, therefore Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. 
@@ -22,53 +21,52 @@ description: |- coverage: - technique: T1562 subtechniques: - - T1562.002 + - T1562.002 tactics: - - TA0005 + - TA0005 coverage: Moderate implementations: - name: Detection of Disable Windows Event Logging description: This detects the disabling of Windows Event Logging, via process command line or registry key value manipulation. - code: |- + code: | processes = search Process:create susp_processes = filter processes where ((command_line CONTAINS("*New-Item*") OR command_line CONTAINS("*reg add*")) OR command_line CONTAINS("*MiniNt*")) OR (command_line CONTAINS("*Stop-Service*")AND command_line CONTAINS("*EventLog*")) OR (command_line CONTAINS("*EventLog*") AND (command_line CONTAINS("*Set-Service*") OR command_line CONTAINS("*reg add*") OR command_line CONTAINS("*Set-ItemProperty*") OR command_line CONTAINS("*New-ItemProperty*") OR command_line CONTAINS("*sc config*"))) OR (command_line CONTAINS("*auditpol*") AND (command_line CONTAINS("*/set*") OR command_line CONTAINS("*/clear*") OR command_line CONTAINS("*/revove*"))) OR ((command_line CONTAINS("*wevtutil*") AND (command_line CONTAINS("*sl*") OR command_line CONTAINS("*set-log*")))) - reg_keys = search Registry:value_edit event_log_reg_keys = filter reg_keys where Key="*EventLog*" AND (value="Start" OR value="File" OR value="MaxSize") output susp_processes, event_log_reg_keys type: Pseudocode - name: Detection of Disable Windows Event Logging description: Splunk version of the CAR pseudocode. 
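Review bot: the pseudocode `filter` in this hunk groups the first clause as `((... "*New-Item*") OR ... "*reg add*")) OR command_line CONTAINS("*MiniNt*")`, so any `New-Item` or `reg add` command line matches on its own; the Splunk version treats `*MiniNt*` as a conjunction, which is what the description intends, so the pseudocode should read `(... OR ...) AND command_line CONTAINS("*MiniNt*")`. Two smaller points in the same block: `"*/revove*"` is a typo for `"*/remove*"` (the `auditpol /remove` case is currently never matched), and there is a missing space in `CONTAINS("*Stop-Service*")AND`.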
- code: |- + code: | ((EventCode="4688" OR EventCode="1") ((CommandLine="*New-Item*" OR CommandLine="*reg add*") CommandLine="*MiniNt*")OR (CommandLine="*Stop-Service*" CommandLine="*EventLog*")OR (CommandLine="*EventLog*" (CommandLine="*Set-Service*" OR CommandLine="*reg add*" OR CommandLine="*Set-ItemProperty*" OR CommandLine="*New-ItemProperty*" OR CommandLine="*sc config*")) OR (CommandLine="*auditpol*" (CommandLine="*/set*" OR CommandLine="*/clear*" OR CommandLine="*/revove*")) OR ((CommandLine="*wevtutil*" (CommandLine="*sl*" OR CommandLine="*set-log*")))) OR (EventCode="4719") OR ((EventCode="4657" OR EventCode="13") (ObjectName="*EventLog*") (ObjectValueName="Start" OR ObjectValueName="File" OR ObjectValueName="MaxSize")) type: Splunk - name: Detection of Disable Windows Event Logging description: LogPoint version of the CAR pseudocode. - code: |- + code: | ((((((EventCode IN ["4688", "1"] CommandLine="*New-Item*" CommandLine="*reg add*" CommandLine IN "*MiniNt*") OR (CommandLine="*Stop-Service*" CommandLine="*EventLog*")) OR (CommandLine IN ["*Set-Service*", "*reg add*", "*Set-ItemProperty*", "*New-ItemProperty*", "*sc config*"] CommandLine IN "*EventLog*")) OR (CommandLine IN "*auditpol*" CommandLine IN ["*/set*", "*/clear*", "*/revove*"])) OR (CommandLine IN "*wevtutil*" CommandLine IN ["*sl*", "*set-log*"]) OR EventCode IN "4719") OR (EventCode IN ["4657", "13"] ObjectName IN "*EventLog*" ObjectValueName IN ["Start", "File", "MaxSize"])) type: LogPoint unit_tests: -- description: MiniNt Registry Key creation with cmd. - commands: - - reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt" -- description: MiniNt Registry Key creation with powershell. - commands: - - New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt" -- description: Disable EvenLog Service with Set-Service. - commands: - - Set-Service -Name EventLog -StartupType Disabled -- description: Registry Key modification to disable EventLog Service. 
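Review bot: the LogPoint query in this hunk ANDs `CommandLine="*New-Item*" CommandLine="*reg add*" CommandLine IN "*MiniNt*"` (LogPoint terms are implicitly conjunctive), so a single command line would have to contain both `New-Item` and `reg add` and the clause can never fire; it should be `CommandLine IN ["*New-Item*", "*reg add*"] CommandLine="*MiniNt*"`. The `"*/revove*"` typo is repeated in both the Splunk and LogPoint versions, and the unit-test description "Disable EvenLog Service" should be "EventLog".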
- commands: - - reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog" /v start /t REG_DWORD /d 0x00000004 /f -- description: Stop EventLog Service with Stop-Service. - commands: - - Stop-Service -Name EventLog -Force -- description: Audit configuration modification to disable EventLog with auditpol. - commands: - - auditpol.exe /set /subcategory:"Process Creation" /success:Disable /failure:Disable -- description: Modification of Security EventLog path with wevtutil. - commands: - - wevtutil.exe sl Security /logfilename:"C:\Windows\System32\winevt\Not-Important-Log.evtx" + - description: MiniNt Registry Key creation with cmd. + commands: + - reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt" + - description: MiniNt Registry Key creation with powershell. + commands: + - New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt" + - description: Disable EvenLog Service with Set-Service. + commands: + - Set-Service -Name EventLog -StartupType Disabled + - description: Registry Key modification to disable EventLog Service. + commands: + - reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog" /v start /t REG_DWORD /d 0x00000004 /f + - description: Stop EventLog Service with Stop-Service. + commands: + - Stop-Service -Name EventLog -Force + - description: Audit configuration modification to disable EventLog with auditpol. + commands: + - auditpol.exe /set /subcategory:"Process Creation" /success:Disable /failure:Disable + - description: Modification of Security EventLog path with wevtutil. + commands: + - wevtutil.exe sl Security /logfilename:"C:\Windows\System32\winevt\Not-Important-Log.evtx" data_model_references: - registry/value_edit/value - process/create/command_line diff --git a/data_model/authentication.yaml b/data_model/authentication.yaml index bf6fcbb1..130efe0e 100644 --- a/data_model/authentication.yaml +++ b/data_model/authentication.yaml 
@@ -12,7 +12,7 @@ fields: - name: app_name description: Name of the application that made the authentication request example: ssh, win:local - - name: method + - name: method description: The authentication method that was used. example: SMAL, Kerberos - name: auth_service @@ -66,4 +66,3 @@ fields: - name: target_user description: Name of the user being authenticated; this only pertains to privilage escalation events where the current user is not necessarily the same as the target user. example: HOST1\LOCALUSER2 - diff --git a/data_model/driver.yaml b/data_model/driver.yaml index e111f703..c76cb4f1 100644 --- a/data_model/driver.yaml +++ b/data_model/driver.yaml @@ -39,4 +39,4 @@ fields: example: 1533 - name: signature_valid description: Boolean indicator of whether the driver is signed and whether the signature is current and not revoked - example: True \ No newline at end of file + example: true diff --git a/data_model/email.yaml b/data_model/email.yaml index 70a1a0f8..4deb4539 100644 --- a/data_model/email.yaml +++ b/data_model/email.yaml @@ -16,7 +16,7 @@ fields: - name: action_reason description: The rationale given for blocking, redirecting, or quarantining an email. example: "Malformed Message" - - name: attachment_name + - name: attachment_name description: Filename of any email attachment that may exist. example: "cuddly-cats.pdf" - name: attachment_size @@ -75,20 +75,3 @@ fields: - name: to description: the content of the To field in the email header; does not necessarily match up with real recipients. example: "adam@example.com" - - - - - - - - - - - - - - - - - diff --git a/data_model/file.yaml b/data_model/file.yaml index 72c5df33..80b292db 100755 --- a/data_model/file.yaml +++ b/data_model/file.yaml 
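Review bot: the authentication.yaml hunk only strips trailing whitespace from `- name: method`, but its context lines show `example: SMAL, Kerberos` (SAML) and "privilage escalation events" (privilege); both are worth fixing in the same touch.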
@@ -90,7 +90,7 @@ fields: example: 0644 (linux) or NTFS ACL - name: signature_valid description: Boolean indicator of whether the signature is valid; empty if file is not signed. - example: True + example: true - name: uid description: The user ID or SID for the acting entity. example: S-1-5-18 diff --git a/data_model/flow.yaml b/data_model/flow.yaml index 6095ae51..30f6f2c2 100644 --- a/data_model/flow.yaml +++ b/data_model/flow.yaml @@ -89,4 +89,4 @@ fields: example: TCP - name: uid description: User ID or SID of the flow-handling entity. - example: S-1-5-18 \ No newline at end of file + example: S-1-5-18 diff --git a/data_model/http.yaml b/data_model/http.yaml index 044f9429..c2499a66 100644 --- a/data_model/http.yaml +++ b/data_model/http.yaml @@ -14,7 +14,7 @@ fields: - name: hostname description: hostname on which the request was seen. example: HOST1 - - name: request_body_bytes + - name: request_body_bytes description: Integer value corresponding to the total number of bytes in the request. example: 180 - name: http_version @@ -60,21 +60,3 @@ fields: - name: user_agent_version description: User Agent Version. Note that some User Agent strings may not label versions in the same way. example: 4.0 - - - - - - - - - - - - - - - - - - diff --git a/data_model/module.yaml b/data_model/module.yaml index ff479301..733fdc44 100644 --- a/data_model/module.yaml +++ b/data_model/module.yaml @@ -45,4 +45,4 @@ fields: example: 50 - name: signature_valid description: Boolean indicator of whether the signature is current and not revoked - example: True + example: true diff --git a/data_model/process.yaml b/data_model/process.yaml index 725f63d8..90279c51 100644 --- a/data_model/process.yaml +++ b/data_model/process.yaml 
@@ -79,7 +79,7 @@ fields: example: "{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}" - name: signature_valid description: Boolean indicator of whether signature is current and not revoked. - example: True + example: true - name: target_guid description: Global Unique Identifier for the target process (only for process access events). - name: target_pid diff --git a/data_model/service.yaml b/data_model/service.yaml index c47159fc..61081c26 100644 --- a/data_model/service.yaml +++ b/data_model/service.yaml @@ -42,4 +42,4 @@ fields: example: 1860 - name: uid description: The ID of SID of the user who acted on the service - example: S-1-5-18 \ No newline at end of file + example: S-1-5-18 diff --git a/data_model/socket.yaml b/data_model/socket.yaml index ed3c9f1d..c5e3b3e9 100644 --- a/data_model/socket.yaml +++ b/data_model/socket.yaml @@ -12,12 +12,12 @@ fields: - name: pid description: ID of the process that acted on the socket example: 3930 - - name: image_path + - name: image_path description: Path to the executable that initiated the socket event. example: C:/user/adam/malware.exe - name: success description: Boolean indicator of whether the socket event was successful (e.g. the socket was created as requested) - example: True + example: true - name: family description: The type of socket in question example: AF_UNIX, AF_INET, AF_INET6 @@ -39,20 +39,3 @@ fields: - name: local_path description: In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets. example: "/tmp/foo" - - - - - - - - - - - - - - - - - diff --git a/data_model/user_session.yaml b/data_model/user_session.yaml index db865dfd..d7fc350c 100755 --- a/data_model/user_session.yaml +++ b/data_model/user_session.yaml 
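Review bot: the service.yaml hunk leaves the context line `description: The ID of SID of the user who acted on the service`, which should read "The ID or SID"; the socket.yaml `image_path` example `C:/user/adam/malware.exe` also uses forward slashes where every other Windows path in these files uses backslashes.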
@@ -42,5 +42,4 @@ fields: example: S-1-5-18 - name: login_successful description: Boolean indicator of whether a login attempt was successful - example: False - + example: false diff --git a/sensors/autoruns_13.98.yaml b/sensors/autoruns_13.98.yaml index ac356f9d..e839766c 100644 --- a/sensors/autoruns_13.98.yaml +++ b/sensors/autoruns_13.98.yaml @@ -93,4 +93,4 @@ mappings: - name - value other_coverage: - - 'CAR-2013-01-002: Autorun Differences' + - 'CAR-2013-01-002: Autorun Differences' diff --git a/sensors/osquery_4.1.2.yaml b/sensors/osquery_4.1.2.yaml index e09d5845..eb6a5566 100755 --- a/sensors/osquery_4.1.2.yaml +++ b/sensors/osquery_4.1.2.yaml @@ -133,4 +133,4 @@ mappings: - value - data other_coverage: - - 'N/A' \ No newline at end of file + - 'N/A' diff --git a/sensors/sysmon_10.4.yaml b/sensors/sysmon_10.4.yaml index 2b0a7189..93cdad7b 100755 --- a/sensors/sysmon_10.4.yaml +++ b/sensors/sysmon_10.4.yaml @@ -127,4 +127,4 @@ mappings: - start_address - start_module other_coverage: - - 'CAR-2019-04-004: Credential Dumping via Mimikatz' + - 'CAR-2019-04-004: Credential Dumping via Mimikatz' diff --git a/sensors/sysmon_11.0.yaml b/sensors/sysmon_11.0.yaml index 592f3cf9..a4ac2c16 100755 --- a/sensors/sysmon_11.0.yaml +++ b/sensors/sysmon_11.0.yaml @@ -141,4 +141,4 @@ mappings: - start_address - start_module other_coverage: - - 'CAR-2019-04-004: Credential Dumping via Mimikatz' + - 'CAR-2019-04-004: Credential Dumping via Mimikatz' diff --git a/sensors/sysmon_13.yaml b/sensors/sysmon_13.yaml index 5c8d5619..c4cf7f21 100644 --- a/sensors/sysmon_13.yaml +++ b/sensors/sysmon_13.yaml @@ -161,4 +161,4 @@ mappings: - start_module - uid other_coverage: - - 'CAR-2019-04-004: Credential Dumping via Mimikatz' + - 'CAR-2019-04-004: Credential Dumping via Mimikatz' From 4c7f892478e3b76228c536ec6e27746e04df07a2 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 21 Feb 2023 04:21:50 -0500 Subject: [PATCH 51/82] whoops kept some testing text 
Signed-off-by: Amndeep Singh Mann --- data_model/user_session.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data_model/user_session.yaml b/data_model/user_session.yaml index d7fc350c..d268ec57 100755 --- a/data_model/user_session.yaml +++ b/data_model/user_session.yaml @@ -1,6 +1,6 @@ --- name: User Session -description: User sessions are the user activities undertaken on the computer in the course of conducting standard user actions. test this +description: User sessions are the user activities undertaken on the computer in the course of conducting standard user actions. actions: - name: lock description: The event corresponding to the act of a user locking a machine such that they are still logged into the machine but unable to access it without re-entering credentials, effectively entering the machine into a locked state. From 1ff2bfc98dc4f57d1798242b0cb9233ef006c0bb Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 21 Feb 2023 04:22:42 -0500 Subject: [PATCH 52/82] typo where 'data_mode' was used instead of 'data_model' Signed-off-by: Amndeep Singh Mann --- analytics/CAR-2016-03-001.yaml | 4 ++-- analytics/CAR-2016-03-002.yaml | 6 +++--- analytics/CAR-2016-04-002.yaml | 2 +- analytics/CAR-2016-04-003.yaml | 2 +- analytics/CAR-2016-04-005.yaml | 2 +- analytics/CAR-2019-04-001.yaml | 2 +- analytics/CAR-2019-04-003.yaml | 2 +- analytics/CAR-2019-04-004.yaml | 2 +- analytics/CAR-2019-07-001.yaml | 2 +- analytics/CAR-2019-07-002.yaml | 2 +- analytics/CAR-2019-08-001.yaml | 2 +- analytics/CAR-2019-08-002.yaml | 2 +- analytics/CAR-2020-05-001.yaml | 2 +- 13 files changed, 16 insertions(+), 16 deletions(-) diff --git a/analytics/CAR-2016-03-001.yaml b/analytics/CAR-2016-03-001.yaml index 4a86d577..b0f899e2 100644 --- a/analytics/CAR-2016-03-001.yaml +++ b/analytics/CAR-2016-03-001.yaml 
@@ -88,13 +88,13 @@ implementations: code: | index=__your_sysmon_index__ EventCode=1 (Image="C:\\Windows\\*\\hostname.exe" OR Image="C:\\Windows\\*\\ipconfig.exe" OR Image="C:\\Windows\\*\\net.exe" OR Image="C:\\Windows\\*\\quser.exe" OR Image="C:\\Windows\\*\\qwinsta.exe" OR (Image="C:\\Windows\\*\\sc.exe" AND (CommandLine="* query *" OR CommandLine="* qc *")) OR Image="C:\\Windows\\*\\systeminfo.exe" OR Image="C:\\Windows\\*\\tasklist.exe" OR Image="C:\\Windows\\*\\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName type: Splunk - data_mode: Sysmon native + data_model: Sysmon native - description: EQL version of the above pseudocode search. code: | process where subtype.create and (process_name == "hostname.exe" or process_name == "ipconfig.exe" or process_name == "net.exe" or process_name == "quser.exe" process_name == "qwinsta.exe" or process_name == "systeminfo.exe" or process_name == "tasklist.exe" or process_name == "whoami.exe" or (process_name == "sc.exe" and (command_line == "* query *" or command_line == "* qc *"))) type: EQL - data_mode: EQL native + data_model: EQL native - description: LogPoint version of the above pseudocode. code: | norm_id=WindowsSysmon event_id=1 (image in ["*\hostname.exe", "*\ipconfig.exe", "*\net.exe", "*\quser.exe", "*\qwinsta.exe", "*\systeminfo.exe", "*\tasklist.exe", "*\whoami.exe"] OR (image="*\sc.exe" command IN ["* query *", "* qc *")) diff --git a/analytics/CAR-2016-03-002.yaml b/analytics/CAR-2016-03-002.yaml index ff9fb3fb..60808188 100644 --- a/analytics/CAR-2016-03-002.yaml +++ b/analytics/CAR-2016-03-002.yaml 
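Review bot: the EQL implementation in this hunk is missing an `or` between `process_name == "quser.exe"` and `process_name == "qwinsta.exe"`, which makes the query syntactically invalid, and the LogPoint implementation closes `command IN ["* query *", "* qc *"` with `)` instead of `]`. Both are context lines here, but since the commit is already correcting the `data_model` keys on these entries it is the natural place to fix them.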
@@ -34,19 +34,19 @@ implementations: code: | index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\wmic.exe" CommandLine="* process call create *"|search CommandLine="* /node:*" type: Splunk - data_mode: Sysmon native + data_model: Sysmon native - description: EQL version of the above pseudocode. code: | process where subtype.create and (process_name == "wmic.exe" and command_line == "* process call create ") |filter command_line == "* /node:*" type: EQL - data_mode: EQL native + data_model: EQL native - description: LogPoint version of the above pseudocode. code: | norm_id=WindowsSysmon event_id=1 image="C:\\Windows\\*\\wmic.exe" command="* process call create *" command="* /node:*" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native data_model_references: - process/create/exe - process/create/command_line diff --git a/analytics/CAR-2016-04-002.yaml b/analytics/CAR-2016-04-002.yaml index aec4fb5b..f5637fa5 100644 --- a/analytics/CAR-2016-04-002.yaml +++ b/analytics/CAR-2016-04-002.yaml @@ -47,7 +47,7 @@ implementations: code: | norm_id=WinServer ((channel="Security" event_id IN [1100,1102]) OR (channel="System" event_id=104)) type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native - name: Splunk search - Detecting log clearing with wevtutil description: This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs. code: | diff --git a/analytics/CAR-2016-04-003.yaml b/analytics/CAR-2016-04-003.yaml index 43e97a08..b5a49423 100644 --- a/analytics/CAR-2016-04-003.yaml +++ b/analytics/CAR-2016-04-003.yaml @@ -34,7 +34,7 @@ implementations: code: | norm_id=WinServer channel="System" event_id=7036 param1 in ["Windows Defender", "Windows Firewall"] param2="stopped" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native unit_tests: - configurations: - Windows 7 
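Review bot: in the CAR-2016-03-002 hunk the EQL query matches `command_line == "* process call create "` with no trailing wildcard, while the Splunk and LogPoint versions use `"* process call create *"`; as written the EQL version only matches command lines that end in `create ` and misses the `/node:` argument that the `filter` then looks for. The LogPoint query also escapes the image path as `C:\\Windows\\*\\wmic.exe`, whereas the other LogPoint implementations in this series use single backslashes (`*\regsvr32.exe`); one convention should be used.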
diff --git a/analytics/CAR-2016-04-005.yaml b/analytics/CAR-2016-04-005.yaml index 202054a9..cd055c4b 100644 --- a/analytics/CAR-2016-04-005.yaml +++ b/analytics/CAR-2016-04-005.yaml @@ -33,7 +33,7 @@ implementations: code: |- norm_id=WinServer event_id=4624 package="Negotiate" log_level="INFO" logon_type=10 type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native d3fend_mappings: - iri: d3f:RemoteTerminalSessionDetection id: D3-RTSD diff --git a/analytics/CAR-2019-04-001.yaml b/analytics/CAR-2019-04-001.yaml index cf9d40cf..25eef8e3 100644 --- a/analytics/CAR-2019-04-001.yaml +++ b/analytics/CAR-2019-04-001.yaml @@ -52,7 +52,7 @@ implementations: code: | norm_id=WindowsSysmon event_id=1 integrity_level="High" ((parent_image="c:\windows\system32\fodhelper.exe" OR command='*.exe"*cleanmgr.exe /autoclean*' OR image="c:\program files\windows media player\osk.exe" OR parent_image="c:\windows\system32\slui.exe") OR (parent_command='"c:\windows\system32\dism.exe"*""*.xml"' -image="c:\users\*\appdata\local\temp\*\dismhost.exe") OR (parent_image="c:\windows\*dccw.exe" -image="c:\windows\system32\cttune.exe") OR (command='"c:\windows\system32\wusa.exe"*/quiet*' -user="NOT_TRANSLATED" path="c:\windows\system32\" -parent_image="c:\windows\explorer.exe")) type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native data_model_references: - process/create/image_path - process/create/parent_image_path diff --git a/analytics/CAR-2019-04-003.yaml b/analytics/CAR-2019-04-003.yaml index aeb435f8..cfe44e7e 100644 --- a/analytics/CAR-2019-04-003.yaml +++ b/analytics/CAR-2019-04-003.yaml 
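Review bot: CAR-2016-04-005 still uses `code: |-` while the earlier hunks in this series normalised the other analytics to `code: |`; worth aligning in the same pass.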
@@ -47,7 +47,7 @@ implementations: code: | norm_id=WindowsSysmon event_id=1 image="*\regsvr32.exe" command="*scrobj.dll" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native unit_tests: - description: | The [Atomic Red Team test for Squiblydoo](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md#atomic-test-2---regsvr32-remote-com-scriptlet-execution) is a good test case for this. diff --git a/analytics/CAR-2019-04-004.yaml b/analytics/CAR-2019-04-004.yaml index 8884b942..e248298d 100644 --- a/analytics/CAR-2019-04-004.yaml +++ b/analytics/CAR-2019-04-004.yaml @@ -51,7 +51,7 @@ implementations: norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" (access="0x1410" OR access="0x1010" OR access="0x1438" OR access="0x143a" OR access="0x1418") call_trace="C:\windows\SYSTEM32\ntdll.dll+*|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)" | fields log_ts, host, user, source_image, access type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native references: - Credit to [Cyb3rWard0g](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/playbooks/windows/06_credential_access/credential_dumping_T1003/credentials_from_memory/mimikatz_logonpasswords.md), dim0x69 (blog.3or.de), and Mark Russinovich for providing much of the information used to construct these analytics. d3fend_mappings: diff --git a/analytics/CAR-2019-07-001.yaml b/analytics/CAR-2019-07-001.yaml index 3e59e09e..6f2507d7 100644 --- a/analytics/CAR-2019-07-001.yaml +++ b/analytics/CAR-2019-07-001.yaml 
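Review bot: the CAR-2019-04-004 LogPoint query pins the call trace to `KERNELBASE.dll+20edd`, an offset that is specific to one build of that DLL, so the rule silently stops matching after a Windows update; a wildcard offset (`KERNELBASE.dll+*`) keeps the structural signal (ntdll, KERNELBASE, then an unknown module) without the brittleness.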
@@ -55,7 +55,7 @@ implementations: code: |- norm_id=WindowsSysmon channel="Security" event_id=4670 object_type="File" -user_id="S-1-5-18" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native unit_tests: - description: 'For Windows - right click on any file and change its permissions under properties. Or, execute the following command: `icacls "C:\" /grant :F`' - description: 'For Linux - execute the following command: `chmod 777 "fileName"`' diff --git a/analytics/CAR-2019-07-002.yaml b/analytics/CAR-2019-07-002.yaml index 4d7b0669..f6e7a5e9 100644 --- a/analytics/CAR-2019-07-002.yaml +++ b/analytics/CAR-2019-07-002.yaml @@ -58,7 +58,7 @@ implementations: code: | norm_id=WindowsSysmon event_id=1 image="*\procdump*.exe" command="*lsass*" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native data_model_references: - process/create/exe - process/create/command_line diff --git a/analytics/CAR-2019-08-001.yaml b/analytics/CAR-2019-08-001.yaml index 9e3a73e5..433ae5f5 100644 --- a/analytics/CAR-2019-08-001.yaml +++ b/analytics/CAR-2019-08-001.yaml @@ -48,7 +48,7 @@ implementations: code: | norm_id=WindowsSysmon event_id=11 file="*lsass*.dmp" source_image="C:\Windows\*\taskmgr.exe" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native data_model_references: - file/create/file_name - file/create/image_path diff --git a/analytics/CAR-2019-08-002.yaml b/analytics/CAR-2019-08-002.yaml index b45aee96..61df744d 100644 --- a/analytics/CAR-2019-08-002.yaml +++ b/analytics/CAR-2019-08-002.yaml @@ -48,7 +48,7 @@ implementations: code: | norm_id=WindowsSysmon event_id=11 file="*ntds.dit" source_image="*ntdsutil.exe" type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native data_model_references: - file/create/file_name - file/create/image_path diff --git a/analytics/CAR-2020-05-001.yaml b/analytics/CAR-2020-05-001.yaml index afce6a9b..8bbff1f4 100644 --- a/analytics/CAR-2020-05-001.yaml 
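Review bot: the CAR-2019-07-001 LogPoint query uses `norm_id=WindowsSysmon` together with `channel="Security" event_id=4670`; 4670 is a Windows Security log event, and the other Security-channel queries in this series use `norm_id=WinServer` (see CAR-2016-04-002), so the `norm_id` here looks wrong and would return nothing.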
+++ b/analytics/CAR-2020-05-001.yaml @@ -38,7 +38,7 @@ implementations: norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" call_trace IN ["*dbghelp.dll*", "*dbgcore.dll*"] | fields log_ts host source_process_id source_image type: LogPoint - data_mode: LogPoint native + data_model: LogPoint native d3fend_mappings: - iri: d3f:SystemCallAnalysis id: D3-SCA From 47a06b1ebf252824d6e500f4660b92d5ed03d37c Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 21 Feb 2023 04:39:36 -0500 Subject: [PATCH 53/82] added schema matching - schemas based off of the template files, generate scripts, and current data. matching is non-strict so unexpected elements should be accepted. Signed-off-by: Amndeep Singh Mann --- .github/workflows/lint-yaml.yml | 12 ++++----- scripts/analytic_schema.yaml | 43 +++++++++++++++++++++++++++++++++ scripts/datamodel_schema.yaml | 15 ++++++++++++ scripts/sensor_schema.yaml | 19 +++++++++++++++ 4 files changed, 83 insertions(+), 6 deletions(-) create mode 100644 scripts/analytic_schema.yaml create mode 100644 scripts/datamodel_schema.yaml create mode 100644 scripts/sensor_schema.yaml diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml index 0d7d5ff6..bd01a7a1 100644 --- a/.github/workflows/lint-yaml.yml +++ b/.github/workflows/lint-yaml.yml @@ -32,8 +32,8 @@ jobs: cache: 'pip' - name: Install script dependencies run: pip install -r ./scripts/requirements.txt - - name: Analysis files need to have their id attribute be the same as their filename - run: exit 0 + - name: Validate against analysis schema + run: yamale -s scripts/analytic_schema.yaml --no-strict analytics/ datamodel-schema: runs-on: ubuntu-latest steps: 
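Review bot: the workflow hunk replaces the placeholder step "Analysis files need to have their id attribute be the same as their filename" (`run: exit 0`) with schema validation, but the schema does not enforce that check, so the intent recorded in the old step name is lost; keep a separate step for the id/filename comparison (or a TODO) rather than dropping it, and the same applies to the datamodel and sensor jobs below.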
@@ -46,8 +46,8 @@ jobs: cache: 'pip' - name: Install script dependencies run: pip install -r ./scripts/requirements.txt - - name: Analysis files need to have their id attribute be the same as their filename - run: exit 0 + - name: Validate against data model schema + run: yamale -s scripts/datamodel_schema.yaml --no-strict data_model/ sensor-schema: runs-on: ubuntu-latest steps: @@ -60,8 +60,8 @@ jobs: cache: 'pip' - name: Install script dependencies run: pip install -r ./scripts/requirements.txt - - name: Analysis files need to have their id attribute be the same as their filename - run: exit 0 + - name: Validate against sensor schema + run: yamale -s scripts/sensor_schema.yaml --no-strict sensors/ filetype-is-yaml: runs-on: ubuntu-latest steps: diff --git a/scripts/analytic_schema.yaml b/scripts/analytic_schema.yaml new file mode 100644 index 00000000..fa31a0e3 --- /dev/null +++ b/scripts/analytic_schema.yaml 
@@ -0,0 +1,43 @@ +--- +title: str() +submission_date: regex('\d{4}/\d{2}/\d{2}', name='year/month/day') +update_date: regex('\d{4}/\d{2}/\d{2}', name='year/month/day', required=False) +information_domain: str() +platforms: list(str(), required=False) +subtypes: list(str()) +analytic_types: list(str()) +contributors: list(str(), required=False) +id: str() +description: str() +coverage: list(include('coverage_item'), required=False) +implementations: list(include('implementation'), required=False) +unit_tests: list(include('unit_test'), required=False) +true_positives: list(include('true_positive'), required=False) +data_model_references: list(str(), required=False) +references: list(str(), required=False) +d3fend_mappings: list(include('d3fend_mapping'), required=False) +--- +coverage_item: + technique: str() + subtechniques: list(str(), required=False) + tactics: list(str()) + coverage: str() +implementation: + name: str(required=False) + description: str(required=False) + code: str(required=False) + data_model: str(required=False) + type: str() +unit_test: + configurations: list(str(), required=False) + description: subset(str()) + commands: list(str(), required=False) +true_positive: + source: str() + description: str(required=False) + event_snippet: str(required=False) + full_event: str(required=False) +d3fend_mapping: + iri: str() + id: str() + label: str() diff --git a/scripts/datamodel_schema.yaml b/scripts/datamodel_schema.yaml new file mode 100644 index 00000000..7a771983 --- /dev/null +++ b/scripts/datamodel_schema.yaml @@ -0,0 +1,15 @@ +--- +name: str() +description: str() +actions: list(include('action')) +fields: list(include('field')) +coverage_map: map(map(str(), key=str()), str(), required=False) +--- +action: + name: str() + description: str() +field: + name: str() + description: str() + example: subset(any(), allow_empty=True) + diff --git a/scripts/sensor_schema.yaml b/scripts/sensor_schema.yaml new file mode 100644 index 00000000..84b59bf4 
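Review bot: in analytic_schema.yaml the date validators `regex('\d{4}/\d{2}/\d{2}', ...)` have no end anchor, so `2022/03/14foo` passes; use `'^\d{4}/\d{2}/\d{2}$'`. `implementation.type` is a free `str()` although the data only uses a small fixed set (`Pseudocode`, `Splunk`, `LogPoint`, `EQL` appear in this series); an `enum(...)` would catch typos in new submissions.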
--- /dev/null +++ b/scripts/sensor_schema.yaml @@ -0,0 +1,19 @@ +--- +sensor_name: str() +sensor_version: any(str(), num()) +sensor_developer: str() +sensor_url: str() # consider using a regex to validate that it is actually a url +sensor_description: str(required=False) +data_model_coverage: str() +analytic_coverage: list(include('analytic'), required=False) +mappings: list(include('mapping')) +other_coverage: list(str()) +--- +analytic: + full_title: str() + id: str() +mapping: + object: str() + action: str() + notes: str() + fields: list(str()) From fe539056b946958e1f2e5054ce5f0950f6b52858 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 21 Feb 2023 04:50:08 -0500 Subject: [PATCH 54/82] a field in the sensor schema should've been optional Signed-off-by: Amndeep Singh Mann --- scripts/sensor_schema.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/sensor_schema.yaml b/scripts/sensor_schema.yaml index 84b59bf4..16463b85 100644 --- a/scripts/sensor_schema.yaml +++ b/scripts/sensor_schema.yaml @@ -4,7 +4,7 @@ sensor_version: any(str(), num()) sensor_developer: str() sensor_url: str() # consider using a regex to validate that it is actually a url sensor_description: str(required=False) -data_model_coverage: str() +data_model_coverage: str(required=False) analytic_coverage: list(include('analytic'), required=False) mappings: list(include('mapping')) other_coverage: list(str()) From f3fbf0547a60f54f7b9db68b5ed4bcba84df2f63 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 21 Feb 2023 04:50:29 -0500 Subject: [PATCH 55/82] run yamllint against the data files, not other yaml files that might be in the repo Signed-off-by: Amndeep Singh Mann --- .github/workflows/lint-yaml.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint-yaml.yml b/.github/workflows/lint-yaml.yml index bd01a7a1..ae757313 100644 --- a/.github/workflows/lint-yaml.yml +++ b/.github/workflows/lint-yaml.yml 
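Review bot: sensor_schema.yaml leaves `sensor_url: str()` with a comment asking for URL validation; a `regex('^https?://')` is enough to reject the obvious mistakes and keeps the schema self-documenting. Since `--no-strict` is passed in the workflow, unknown keys are accepted, so this regex is the only check the field gets.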
@@ -19,7 +19,7 @@ jobs: - name: Install script dependencies run: pip install -r ./scripts/requirements.txt - name: Run yamllint - run: yamllint . + run: yamllint analytics/ data_model/ sensors/ analysis-schema: runs-on: ubuntu-latest steps: From 2961ff80b1445ae8ded5fc2f2fd505b3e5f665a6 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 21 Feb 2023 05:08:39 -0500 Subject: [PATCH 56/82] remove an extraneous attribute in the datamodel schema Signed-off-by: Amndeep Singh Mann --- scripts/datamodel_schema.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/scripts/datamodel_schema.yaml b/scripts/datamodel_schema.yaml index 7a771983..bf9c1aa7 100644 --- a/scripts/datamodel_schema.yaml +++ b/scripts/datamodel_schema.yaml @@ -3,7 +3,6 @@ name: str() description: str() actions: list(include('action')) fields: list(include('field')) -coverage_map: map(map(str(), key=str()), str(), required=False) --- action: name: str() @@ -12,4 +11,3 @@ field: name: str() description: str() example: subset(any(), allow_empty=True) - From 24e3dc9ed58404e0a41a71c69077c3f6286312f0 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 23 Feb 2023 16:45:58 -0500 Subject: [PATCH 57/82] grabbed cleaned up datamodels from the yaml branch Signed-off-by: Amndeep Singh Mann --- data_model/authentication.yaml | 3 +-- data_model/driver.yaml | 2 +- data_model/email.yaml | 19 +------------------ data_model/file.yaml | 2 +- data_model/flow.yaml | 2 +- data_model/http.yaml | 20 +------------------- data_model/module.yaml | 6 +++--- data_model/process.yaml | 2 +- data_model/service.yaml | 2 +- data_model/socket.yaml | 21 ++------------------- data_model/user_session.yaml | 5 ++--- 11 files changed, 15 insertions(+), 69 deletions(-) diff --git a/data_model/authentication.yaml b/data_model/authentication.yaml index bf6fcbb1..130efe0e 100644 --- a/data_model/authentication.yaml +++ b/data_model/authentication.yaml 
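Review bot: narrowing `yamllint` to `analytics/ data_model/ sensors/` means the schema files added in scripts/ in the previous commit are no longer linted; if they should follow the same rules, add `scripts/` to the list.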
@@ -12,7 +12,7 @@ fields: - name: app_name description: Name of the application that made the authentication request example: ssh, win:local - - name: method + - name: method description: The authentication method that was used. example: SMAL, Kerberos - name: auth_service @@ -66,4 +66,3 @@ fields: - name: target_user description: Name of the user being authenticated; this only pertains to privilage escalation events where the current user is not necessarily the same as the target user. example: HOST1\LOCALUSER2 - diff --git a/data_model/driver.yaml b/data_model/driver.yaml index e111f703..c76cb4f1 100644 --- a/data_model/driver.yaml +++ b/data_model/driver.yaml @@ -39,4 +39,4 @@ fields: example: 1533 - name: signature_valid description: Boolean indicator of whether the driver is signed and whether the signature is current and not revoked - example: True \ No newline at end of file + example: true diff --git a/data_model/email.yaml b/data_model/email.yaml index 70a1a0f8..4deb4539 100644 --- a/data_model/email.yaml +++ b/data_model/email.yaml @@ -16,7 +16,7 @@ fields: - name: action_reason description: The rationale given for blocking, redirecting, or quarantining an email. example: "Malformed Message" - - name: attachment_name + - name: attachment_name description: Filename of any email attachment that may exist. example: "cuddly-cats.pdf" - name: attachment_size @@ -75,20 +75,3 @@ fields: - name: to description: the content of the To field in the email header; does not necessarily match up with real recipients. example: "adam@example.com" - - - - - - - - - - - - - - - - - diff --git a/data_model/file.yaml b/data_model/file.yaml index 72c5df33..80b292db 100755 --- a/data_model/file.yaml +++ b/data_model/file.yaml 
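Review bot: the authentication.yaml, driver.yaml, email.yaml, file.yaml, flow.yaml and http.yaml hunks in this commit are identical to the ones already applied earlier in the series (same index hashes, `bf6fcbb1..130efe0e` for authentication.yaml); the commit should be rebased so it only carries the module.yaml changes that are new.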
@@ -90,7 +90,7 @@ fields: example: 0644 (linux) or NTFS ACL - name: signature_valid description: Boolean indicator of whether the signature is valid; empty if file is not signed. - example: True + example: true - name: uid description: The user ID or SID for the acting entity. example: S-1-5-18 diff --git a/data_model/flow.yaml b/data_model/flow.yaml index 6095ae51..30f6f2c2 100644 --- a/data_model/flow.yaml +++ b/data_model/flow.yaml @@ -89,4 +89,4 @@ fields: example: TCP - name: uid description: User ID or SID of the flow-handling entity. - example: S-1-5-18 \ No newline at end of file + example: S-1-5-18 diff --git a/data_model/http.yaml b/data_model/http.yaml index 044f9429..c2499a66 100644 --- a/data_model/http.yaml +++ b/data_model/http.yaml @@ -14,7 +14,7 @@ fields: - name: hostname description: hostname on which the request was seen. example: HOST1 - - name: request_body_bytes + - name: request_body_bytes description: Integer value corresponding to the total number of bytes in the request. example: 180 - name: http_version @@ -60,21 +60,3 @@ fields: - name: user_agent_version description: User Agent Version. Note that some User Agent strings may not label versions in the same way. example: 4.0 - - - - - - - - - - - - - - - - - - diff --git a/data_model/module.yaml b/data_model/module.yaml index 01bc2b58..733fdc44 100644 --- a/data_model/module.yaml +++ b/data_model/module.yaml 
@@ -1,6 +1,6 @@ --- -name: Library -description: Libraries correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a shared library or module (DLLs in Windows) and their dependencies. +name: Module +description: Modules correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a module and shared libraries (DLLs in Windows) and their dependencies. actions: - name: load description: A module load event occurs when a PE image (dll or exe) is loaded into a process. @@ -45,4 +45,4 @@ fields: example: 50 - name: signature_valid description: Boolean indicator of whether the signature is current and not revoked - example: True \ No newline at end of file + example: true diff --git a/data_model/process.yaml b/data_model/process.yaml index 725f63d8..90279c51 100644 --- a/data_model/process.yaml +++ b/data_model/process.yaml @@ -79,7 +79,7 @@ fields: example: "{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}" - name: signature_valid description: Boolean indicator of whether signature is current and not revoked. - example: True + example: true - name: target_guid description: Global Unique Identifier for the target process (only for process access events). - name: target_pid diff --git a/data_model/service.yaml b/data_model/service.yaml index c47159fc..61081c26 100644 --- a/data_model/service.yaml +++ b/data_model/service.yaml @@ -42,4 +42,4 @@ fields: example: 1860 - name: uid description: The ID of SID of the user who acted on the service - example: S-1-5-18 \ No newline at end of file + example: S-1-5-18 diff --git a/data_model/socket.yaml b/data_model/socket.yaml index ed3c9f1d..c5e3b3e9 100644 --- a/data_model/socket.yaml +++ b/data_model/socket.yaml 
@@ -12,12 +12,12 @@ fields: - name: pid description: ID of the process that acted on the socket example: 3930 - - name: image_path + - name: image_path description: Path to the executable that initiated the socket event. example: C:/user/adam/malware.exe - name: success description: Boolean indicator of whether the socket event was successful (e.g. the socket was created as requested) - example: True + example: true - name: family description: The type of socket in question example: AF_UNIX, AF_INET, AF_INET6 @@ -39,20 +39,3 @@ fields: - name: local_path description: In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets. example: "/tmp/foo" - - - - - - - - - - - - - - - - - diff --git a/data_model/user_session.yaml b/data_model/user_session.yaml index 11c4c3fa..d268ec57 100755 --- a/data_model/user_session.yaml +++ b/data_model/user_session.yaml @@ -1,5 +1,5 @@ --- -name: User Sesssion +name: User Session description: User sessions are the user activities undertaken on the computer in the course of conducting standard user actions. actions: - name: lock @@ -42,5 +42,4 @@ fields: example: S-1-5-18 - name: login_successful description: Boolean indicator of whether a login attempt was successful - example: False - + example: false From 89e10e8121e57eb64693bf7e8b0b4da09468d37e Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 23 Feb 2023 17:30:29 -0500 Subject: [PATCH 58/82] added coverage map attribute and fixed some weird file permissions 
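Review bot: the context lines around the re-indented `- name: method` in `data_model/authentication.yaml` still carry two typos, `example: SMAL, Kerberos` (SAML) and `privilage escalation` in the `target_user` description; both flow unchanged into the generated `docs/data_model/authentication.md` later in this series, so they are worth fixing in this cleanup rather than in the rendered output.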
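Review bot: the new `description:` in `data_model/module.yaml` reads awkwardly at "loaded as a module and shared libraries (DLLs in Windows) and their dependencies"; something like "Each process loads its main image as a module, along with its shared libraries (DLLs on Windows) and their dependencies" says the same thing clearly. Renaming `name: Library` to `name: Module` also changes the display name of the model, so check that nothing (analytics front matter, the docs template title) matches on the old string.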
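Review bot: `description: The ID of SID of the user who acted on the service` in the `data_model/service.yaml` context lines should read "The ID or SID"; the same slip appears in the `data_model/thread.yaml` context in the next patch, so fix both together.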
Signed-off-by: Amndeep Singh Mann --- data_model/authentication.yaml | 2 +- data_model/driver.yaml | 8 +++++++ data_model/email.yaml | 2 +- data_model/file.yaml | 35 +++++++++++++++++++++++++++++ data_model/flow.yaml | 18 +++++++++++++++ data_model/module.yaml | 13 +++++++++++ data_model/process.yaml | 24 ++++++++++++++++++++ data_model/registry.yaml | 40 ++++++++++++++++++++++++++++++++++ data_model/service.yaml | 13 +++++++++++ data_model/socket.yaml | 28 ++++++++++++++++++++++++ data_model/thread.yaml | 13 +++++++++++ data_model/user_session.yaml | 0 12 files changed, 194 insertions(+), 2 deletions(-) mode change 100755 => 100644 data_model/file.yaml mode change 100755 => 100644 data_model/thread.yaml mode change 100755 => 100644 data_model/user_session.yaml diff --git a/data_model/authentication.yaml b/data_model/authentication.yaml index 130efe0e..7e1ce18f 100644 --- a/data_model/authentication.yaml +++ b/data_model/authentication.yaml @@ -1,6 +1,6 @@ --- name: Authentication -description: Authentication events occur whenever a user attempts to login to a system, or a user or process attempts to access a privileged system resource. +description: An authentication event occurs whenever a user or process attempts to access a privileged system resource. Examples include logging into a system, or elevating privilege. actions: - name: success description: The event corresponding to an authentication service responding positively to an authentication request. diff --git a/data_model/driver.yaml b/data_model/driver.yaml index c76cb4f1..8daf9af8 100644 --- a/data_model/driver.yaml +++ b/data_model/driver.yaml @@ -40,3 +40,11 @@ fields: - name: signature_valid description: Boolean indicator of whether the driver is signed and whether the signature is current and not revoked example: true +coverage_map: + load: + fqdn: ["sysmon_13"] + image_path: ["sysmon_13"] + pid: ["sysmon_13"] + sha256_hash: ["sysmon_13"] + signature_valid: ["sysmon_13"] + signer: ["sysmon_13"] 
diff --git a/data_model/email.yaml b/data_model/email.yaml index 4deb4539..fe42a138 100644 --- a/data_model/email.yaml +++ b/data_model/email.yaml @@ -1,6 +1,6 @@ --- name: Email -description: Email events are at the email server level. +description: Email events are at the mail server level. actions: - name: deliver description: The event corresponding to an email being sent to an end recipient. diff --git a/data_model/file.yaml b/data_model/file.yaml old mode 100755 new mode 100644 index 80b292db..eb8022ce --- a/data_model/file.yaml +++ b/data_model/file.yaml @@ -94,3 +94,38 @@ fields: - name: uid description: The user ID or SID for the acting entity. example: S-1-5-18 +coverage_map: + create: + company: ["autoruns_13.98", "sysmon_13"] + creation_time: ["autoruns_13.98", "sysmon_13"] + file_name: ["autoruns_13.98"] + file_path: ["sysmon_13"] + fqdn: ["autoruns_13.98", "sysmon_13"] + hostname: ["autoruns_13.98"] + image_path: ["sysmon_13"] + md5_hash: ["autoruns_13.98"] + pid: ["sysmon_13"] + signer: ["sysmon_13"] + delete: + fqdn: ["sysmon_13"] + image_path: ["sysmon_13"] + pid: ["sysmon_13"] + uid: ["sysmon_13"] + modify: + company: ["autoruns_13.98"] + creation_time: ["autoruns_13.98"] + file_name: ["autoruns_13.98"] + fqdn: ["autoruns_13.98"] + hostname: ["autoruns_13.98"] + md5_hash: ["autoruns_13.98"] + sha256_hash: ["autoruns_13.98"] + signature_valid: ["autoruns_13.98"] + signer: ["autoruns_13.98"] + timestomp: + creation_time: ["sysmon_13"] + file_path: ["sysmon_13"] + fqdn: ["sysmon_13"] + image_path: ["sysmon_13"] + pid: ["sysmon_13"] + previous_creation_time: ["sysmon_13"] + uid: ["sysmon_13"] diff --git a/data_model/flow.yaml b/data_model/flow.yaml index 30f6f2c2..96ad7fde 100644 --- a/data_model/flow.yaml +++ b/data_model/flow.yaml 
@@ -90,3 +90,21 @@ fields: - name: uid description: User ID or SID of the flow-handling entity. example: S-1-5-18 +coverage_map: + start: + dest_hostname: ["sysmon_13"] + dest_ip: ["sysmon_13"] + dest_port: ["sysmon_13"] + exe: ["sysmon_13"] + fqdn: ["sysmon_13"] + hostname: ["sysmon_13"] + image_path: ["sysmon_13"] + pid: ["sysmon_13"] + src_fdqn: ["sysmon_13"] + src_hostname: ["sysmon_13"] + src_ip: ["sysmon_13"] + src_port: ["sysmon_13"] + start_time: ["sysmon_13"] + transport_protocol: ["sysmon_13"] + uid: ["sysmon_13"] + user: ["sysmon_13"] diff --git a/data_model/module.yaml b/data_model/module.yaml index 733fdc44..0e7475a0 100644 --- a/data_model/module.yaml +++ b/data_model/module.yaml @@ -46,3 +46,16 @@ fields: - name: signature_valid description: Boolean indicator of whether the signature is current and not revoked example: true +coverage_map: + load: + fqdn: ["sysmon_13"] + hostname: ["sysmon_13"] + image_path: ["sysmon_13"] + md5_hash: ["sysmon_13"] + module_name: ["sysmon_13"] + module_path: ["sysmon_13"] + pid: ["sysmon_13"] + sha1_hash: ["sysmon_13"] + signature_valid: ["sysmon_13"] + signer: ["sysmon_13"] + tid: ["sysmon_13"] diff --git a/data_model/process.yaml b/data_model/process.yaml index 90279c51..cb19890a 100644 --- a/data_model/process.yaml +++ b/data_model/process.yaml 
@@ -93,3 +93,27 @@ fields: - name: uid description: User ID under which original process is running. example: 509 +coverage_map: + access: + access_level: ["sysmon_13"] + call_trace: ["sysmon_13"] + fqdn: ["sysmon_13"] + guid: ["sysmon_13"] + image_path: ["sysmon_13"] + pid: ["sysmon_13"] + sid: ["sysmon_13"] + target_guid: ["sysmon_13"] + target_pid: ["sysmon_13"] + target_name: ["sysmon_13"] + create: + command_line: ["sysmon_13"] + current_working_directory: ["sysmon_13"] + fqdn: ["sysmon_13"] + image_path: ["sysmon_13"] + integrity_level: ["sysmon_13"] + parent_command_line: ["sysmon_13"] + parent_guid: ["sysmon_13"] + pid: ["sysmon_13"] + ppid: ["sysmon_13"] + sha256_hash: ["sysmon_13"] + sid: ["sysmon_13"] diff --git a/data_model/registry.yaml b/data_model/registry.yaml index 3812dc76..c799c42a 100644 --- a/data_model/registry.yaml +++ b/data_model/registry.yaml 
@@ -44,3 +44,43 @@ fields: - name: new_content description: The data within the new value, or the new name of a key, after an edit event. example: \%SystemRoot%\system32\svchost.exe, HKLM\SYSTEM\CurrentControlSet\services\RpcSs +coverage_map: + add: + data: ["autoruns_13.98", "sysmon_13"] + fqdn: ["sysmon_13"] + hostname: ["autoruns_13.98"] + hive: ["autoruns_13.98", "sysmon_13"] + key: ["autoruns_13.98", "sysmon_13"] + image_path: ["sysmon_13"] + pid: ["sysmon_13"] + type: ["autoruns_13.98"] + user: ["sysmon_13"] + value: ["autoruns_13.98"] + key_edit: + data: ["autoruns_13.98", "sysmon_13"] + fqdn: ["sysmon_13"] + hostname: ["autoruns_13.98"] + hive: ["autoruns_13.98", "sysmon_13"] + key: ["autoruns_13.98", "sysmon_13"] + image_path: ["sysmon_13"] + new_content: ["autoruns_13.98", "sysmon_13"] + pid: ["sysmon_13"] + type: ["autoruns_13.98"] + user: ["sysmon_13"] + value: ["autoruns_13.98", "sysmon_13"] + remove: + data: ["sysmon_13"] + fqdn: ["sysmon_13"] + hive: ["sysmon_13"] + key: ["sysmon_13"] + image_path: ["sysmon_13"] + pid: ["sysmon_13"] + user: ["sysmon_13"] + value_edit: + data: ["autoruns_13.98"] + hostname: ["autoruns_13.98"] + hive: ["autoruns_13.98"] + key: ["autoruns_13.98"] + new_content: ["autoruns_13.98"] + type: ["autoruns_13.98"] + value: ["autoruns_13.98"] diff --git a/data_model/service.yaml b/data_model/service.yaml index 61081c26..c8a98aef 100644 --- a/data_model/service.yaml +++ b/data_model/service.yaml @@ -43,3 +43,16 @@ fields: - name: uid description: The ID of SID of the user who acted on the service example: S-1-5-18 +coverage_map: + create: + command_line: ["autoruns_13.98"] + exe: ["autoruns_13.98"] + fqdn: ["autoruns_13.98"] + hostname: ["autoruns_13.98"] + image_path: ["autoruns_13.98"] + delete: + command_line: ["autoruns_13.98"] + exe: ["autoruns_13.98"] + fqdn: ["autoruns_13.98"] + hostname: ["autoruns_13.98"] + image_path: ["autoruns_13.98"] 
diff --git a/data_model/socket.yaml b/data_model/socket.yaml index c5e3b3e9..1603eb17 100644 --- a/data_model/socket.yaml +++ b/data_model/socket.yaml @@ -39,3 +39,31 @@ fields: - name: local_path description: In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets. example: "/tmp/foo" +coverage_map: + bind: + family: ["osquery_4.6.0"] + image_path: ["osquery_4.6.0"] + local_address: ["osquery_4.6.0"] + local_port: ["osquery_4.6.0"] + pid: ["osquery_4.6.0"] + protocol: ["osquery_4.6.0"] + remote_address: ["osquery_4.6.0"] + remote_port: ["osquery_4.6.0"] + listen: + family: ["osquery_4.6.0"] + image_path: ["osquery_4.6.0"] + local_address: ["osquery_4.6.0"] + local_port: ["osquery_4.6.0"] + pid: ["osquery_4.6.0"] + protocol: ["osquery_4.6.0"] + remote_address: ["osquery_4.6.0"] + remote_port: ["osquery_4.6.0"] + close: + family: ["osquery_4.6.0"] + image_path: ["osquery_4.6.0"] + local_address: ["osquery_4.6.0"] + local_port: ["osquery_4.6.0"] + pid: ["osquery_4.6.0"] + protocol: ["osquery_4.6.0"] + remote_address: ["osquery_4.6.0"] + remote_port: ["osquery_4.6.0"] diff --git a/data_model/thread.yaml b/data_model/thread.yaml old mode 100755 new mode 100644 index 868c9eb1..cf28cc00 --- a/data_model/thread.yaml +++ b/data_model/thread.yaml @@ -56,3 +56,16 @@ fields: - name: uid description: The ID of SID of the user who directly or indirectly acted on the thread example: S-1-5-18 +coverage_map: + remote_create: + hostname: ["sysmon_13"] + src_pid: ["sysmon_13"] + src_tid: ["sysmon_13"] + start_address: ["sysmon_13"] + start_function: ["sysmon_13"] + start_module: ["sysmon_13"] + start_module_name: ["sysmon_13"] + tgt_pid: ["sysmon_13"] + tgt_tid: ["sysmon_13"] + uid: ["sysmon_13"] + user: ["sysmon_13"] diff --git a/data_model/user_session.yaml b/data_model/user_session.yaml old mode 100755 new mode 100644 
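Review bot: `src_fdqn: ["sysmon_13"]` in the `data_model/flow.yaml` coverage block looks like a transposition of `src_fqdn`; a coverage key that matches no `name:` under `fields:` is not rejected anywhere visible in this series and would just yield a column with no sensor in the rendered table. Worth having the generator, or the schema once `coverage_map` is declared again, assert that every action and field named in `coverage_map` exists in `actions:` and `fields:` of the same model.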
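Review bot: the `bind`, `listen` and `close` entries in `data_model/socket.yaml` carry identical field lists for `osquery_4.6.0`, including `remote_address` and `remote_port`; a bind or listen has no peer yet, so please confirm those two columns are actually populated by the sensor for these actions rather than copied from a connect-style list, since the coverage map is what analytic authors use to decide whether a field is safe to rely on.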
From ad45f849219d8d38173085403b0d7bfd68ec6ddb Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 23 Feb 2023 23:30:02 -0500 Subject: [PATCH 59/82] implemented data model template Signed-off-by: Amndeep Singh Mann --- docs/data_model/authentication.md | 231 ++++++++++-- docs/data_model/driver.md | 119 +++++-- docs/data_model/email.md | 351 ++++++++++++++++-- docs/data_model/file.md | 531 +++++++++++++++++++++++++--- docs/data_model/flow.md | 312 +++++++++++++--- docs/data_model/http.md | 255 +++++++++++-- docs/data_model/module.md | 133 +++++-- docs/data_model/process.md | 328 +++++++++++++++-- docs/data_model/registry.md | 178 ++++++++-- docs/data_model/service.md | 197 +++++++++-- docs/data_model/socket.md | 142 ++++++-- docs/data_model/thread.md | 224 ++++++++++-- docs/data_model/user_session.md | 197 +++++++++-- scripts/datamodel_index_template.md | 0 scripts/datamodel_sensors.md | 0 scripts/datamodel_template.md | 36 ++ scripts/generate_datamodels.py | 52 +++ 17 files changed, 2899 insertions(+), 387 deletions(-) create mode 100644 scripts/datamodel_index_template.md create mode 100644 scripts/datamodel_sensors.md create mode 100644 scripts/datamodel_template.md create mode 100644 scripts/generate_datamodels.py diff --git a/docs/data_model/authentication.md b/docs/data_model/authentication.md index ece6b8a4..d8df090a 100755 --- a/docs/data_model/authentication.md +++ b/docs/data_model/authentication.md 
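Review bot: `scripts/datamodel_index_template.md` and `scripts/datamodel_sensors.md` are added as empty files (`| 0` in the diffstat); if `generate_datamodels.py` does not read them yet, drop them from this commit and add them together with the code that consumes them, otherwise say in the commit message what they are meant to hold.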
@@ -1,45 +1,214 @@ --- title: "Authentication" --- - An authentication event occurs whenever a user or process attempts to access a privileged system resource. Examples include logging into a system, or elevating privilege. ## Actions - |Action|Description| |---|---| -|failure|The event corresponding to an authentication service responding negatively to an authentication request. -|error|The event corresponding to the case when an authentication requests results in an any kind of unexpected error. -|success|The event corresponding to an authentication service responding positively to an authentication request. +|error|The event corresponding to the case when an authentication request results in any kind of unexpected error.| +|failure|The event corresponding to an authentication service responding negatively to an authentication request.| +|success|The event corresponding to an authentication service responding positively to an authentication request.| ## Fields - |Field|Description|Example| |---|---|---| -ad_domain|Active Directory domain from which the authentication request was generated; may differ from the target_ad_domain.|`ad2.mitre.org`| -app_name|Name of the application that made the authentication request.|`ssh, win:local`| -auth_service|The name of the service that was utilized to accomplish authentication.|`Okta, ActiveDirectory`| -auth_target|machine for which authentication was requested; may be different than the host that the request is made from.|`HOST2`| -decision_reason|The justification for approving or denying an authentication request.|`password is invalid`| -fqdn|The fully qualified domain name for the host from which authentication was requested.|`HOST1.mitre.org`| -hostname|Hostname of the host from which authentication was requested.|`HOST1`| -method|The authentication method that was used.|`SMAL, Kerberos`| -response_time|Duration of time it took for an authentication response to be received.|`12ms`| -target_ad_domain|The Active Directory 
domain within which authentication was requested.|`ad.mitre.org`| -target_uid|User ID or SID for the user being authenticated.|`S-1-5-19`| -target_user|Name of the user being authenticated; this only pertains to privilage escalation events where the current user is not necessarily the same as the target user.|`HOST1\LOCALUSER2`| -target_user_role|IPAM access control role for the user being authenticated; this only pertains to privilege escalation events where the current user is not necessarily the same as the target user.|`System Administrator Role`| -target_user_type|User ID or SID for the user being authenticated.|`Administrator, Standard, Guest`| -uid|User ID for the process that initiated the authentication request.|`S-1-5-18`| -user|Name of the user that initiated the request.|`HOST1\LOCALUSER1`| -user_agent|The user agent through which the request was made.|`aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4`| -user_role|IPAM access control role for the user that initiated the authentication request.|`DNS Record Administrator Role`| -user_type|type of user that initiated the request.|`Administrator, Standard, Guest`| +ad_domain|Active Directory domain from which the authentication request was generated; may differ from the target_ad_domain.|ad2.mitre.org +app_name|Name of the application that made the authentication request|ssh, win:local +auth_service|The name of the service that was utilized to accomplish authentication|Okta, ActiveDirectory +auth_target|machine for which authentication was requested; may be different than the host that the request is made from.|HOST2 +decision_reason|The justification for approving or denying an authentication request.|password is invalid +fqdn|The fully qualified domain name for the host from which authentication was requested.|HOST1.mitre.org +hostname|Hostname of the host from which authentication was requested.|HOST1 +method|The authentication method that was used.|SMAL, Kerberos +response_time|Duration of 
time it took for an authentication response to be received.|12ms +target_ad_domain|The Active Directory domain within which authentication was requested.|ad.mitre.org +target_uid|User ID for the user being authenticated.|S-1-5-19 +target_user|Name of the user being authenticated; this only pertains to privilage escalation events where the current user is not necessarily the same as the target user.|HOST1\LOCALUSER2 +target_user_role|IPAM access control role for the user being authenticated; this only pertains to privilege escalation events where the current user is not necessarily the same as the target user.|System Administrator Role +target_user_type|type of user that was authenticated; this only pertains to privilege escalation events where the current user is not necessarily the same as the target user.|Administrator, Standard, Guest +uid|User ID for the process that initiated the authentication request.|S-1-5-18 +user|Name of the user that initiated the request.|HOST1\LOCALUSER1 +user_agent|The user agent through which the request was made.|aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4 +user_role|IPAM access control role for the user that initiated the authentication request.|DNS Record Administrator Role +user_type|type of user that initiated the request.|Administrator, Standard, Guest ## Coverage Map - -| | **ad_domain** | **app_name** | **auth_service** | **auth_target** | **decision_reason** | **fqdn** | **hostname** | **method** | **response_time** | **target_ad_domain** | **target_uid** | **target_user** | **target_user_role** | **target_user_type** | **uid** | **user** | **user_agent** | **user_role** | **user_type | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **failure** | | | | | | | | | | | | | | | | | | | | -| **error** | | | | | | | | | | | | | | | | | | | | -| **success** | | | | | | | | | | | | | | | | | | | | +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + ad_domainapp_nameauth_serviceauth_targetdecision_reasonfqdnhostnamemethodresponse_timetarget_ad_domaintarget_uidtarget_usertarget_user_roletarget_user_typeuiduseruser_agentuser_roleuser_type
error
failure
success
\ No newline at end of file diff --git a/docs/data_model/driver.md b/docs/data_model/driver.md index 4961179d..03de8f08 100755 --- a/docs/data_model/driver.md +++ b/docs/data_model/driver.md 
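Review bot: the regenerated `docs/data_model/authentication.md` ends with `\ No newline at end of file`, so the generator (or `scripts/datamodel_template.md`) should emit a trailing newline, otherwise every regenerated page lacks a final newline, the very thing the YAML cleanups earlier in this series removed from the source files. Two smaller regressions in the same hunk: the Fields rows no longer wrap examples in backticks, so values such as `HOST1\LOCALUSER2` and the `aws-cli/...` user agent lose their literal rendering, and `target_uid` now reads "User ID for the user being authenticated" against an example of `S-1-5-19`, which is a SID; the previous "User ID or SID" wording was correct and the fix belongs in `data_model/authentication.yaml`, where the doc text is sourced.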
@@ -1,35 +1,114 @@ --- title: "Driver" --- - A driver is software that runs in the operating system kernel. Drivers are generally used to allow a computer to communicate with hardware devices but have access to important kernel resources. ## Actions - |Action|Description| |---|---| |load|The event corresponding to the operating system kernel loading a driver into memory.| -|unload|The event corresponding to the operating system kernel unloading a driver from memory. +|unload|The event corresponding to the operating system kernel unloading a driver from memory.| ## Fields - |Field|Description|Example| |---|---|---| -base_address|A hex address indicating where the driver is loaded into the kernel.|`0xFFFFF8000405F000`| -fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|`HOST1.EXAMPLE_DOMAIN.COM`| -hostname|The hostname of the host, without the domain.|`HOST1`| -image_path|The file system location of the driver.|`C:\Windows\System32\drivers\scsiport.sys`| -md5_hash|The MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|`5eb63bbbe01eeed093cb22bb8f5acdc3`| -module_name|The name of the driver or program.|`NvStreamKms.sys`| -pid|The Process ID that loaded or unloaded the driver.|`1533`| -sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|`2aae6c35c94fcfb415dbe95f408b9ce91ee846ed`| -sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`| -signature_valid|Boolean indicator of whether the driver is signed and whether the signature is current and not revoked.|`True`| -signer|The name of the organization which signed the driver.|`Microsoft Corporation`| +base_address|A hex address indicating where the driver is loaded into the kernel.|18446735277684027392 +fqdn|The fully qualified domain name of the host in which the process ran. 
Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system location of the driver.|C:\Windows\System32\drivers\scsiport.sys +md5_hash|The MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +module_name|The name of the driver or program.|NvStreamKms.sys +pid|The Process ID that loaded or unloaded the driver|1533 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +signature_valid|Boolean indicator of whether the driver is signed and whether the signature is current and not revoked|True +signer|The name of the organization which signed the driver.|Microsoft Corporation ## Coverage Map - -| | **base_address** | **fqdn** | **hostname** | **image_path** | **md5_hash** | **module_name** | **pid** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | -|---|---|---|---|---|---|---|---|---|---|---|---| -| **load** | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | -| **unload**| | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + base_addressfqdnhostnameimage_pathmd5_hashmodule_namepidsha1_hashsha256_hashsignature_validsigner
load
unload
\ No newline at end of file diff --git a/docs/data_model/email.md b/docs/data_model/email.md index f9151074..7f73bf40 100755 --- a/docs/data_model/email.md +++ b/docs/data_model/email.md 
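Review bot: `base_address` now renders as `18446735277684027392`, which is the decimal value of the original `0xFFFFF8000405F000` example, so the YAML loader in the generator appears to be resolving the scalar to an integer and the template prints it back with `str()`. The `signature_valid` example shows `True` for the same reason even though the source was changed to `true` earlier in this series. Load the model files with a loader that keeps scalars as strings (PyYAML's `yaml.BaseLoader`, for example), or quote examples like `"0xFFFFF8000405F000"` in the YAML, so the docs show exactly what the file says.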
@@ -1,51 +1,328 @@ --- title: "Email" --- - Email events are at the mail server level. ## Actions - |Action|Description| |---|---| -|block|The event corresponding to an email being blcoked by the email server. -|delete|The event corresponding to an email being deleted. -|deliver|The event corresponding to an email being sent to an end recipient. -|redirect|The event corresponding to an email being redirected. -|quarantine|The event corresponding to an email being qurantined for security reasons. +|block|The event corresponding to an email being blocked by the email server.| +|delete|The event corresponding to an email being deleted.| +|deliver|The event corresponding to an email being sent to an end recipient.| +|quarantine|The event corresponding to an email being quarantined for security reasons.| +|redirect|The event corresponding to an email being redirected.| ## Fields - |Field|Description|Example| |---|---|---| -action_reason|The rationale given for blocking, redirecting, or quarantining an email.|`Malformed Message`| -attachment_mime_type|The MIME type of the attachment.|`.docx`| -attachment_name|Filename of any email attachment that may exist.|`cuddly-cats.pdf`| -attachment_size|Filesize of the attachment.|`567 Kb`| -date|SMTP date header, which is actually a date time group.|`Thu Jul 18 09:30:00 PDT 2019`| -dest_address|Recipient email address, taken from the SMTP "Recipient" field.|`adam@example.com`| -dest_ip|The destination IP address for the email.|`221.174.222.111`| -dest_port|The destination port for the email.|`993`| -from|Displayed sender name from the Message Information header; can be easily forged.|`eve@trusted-advisors.com`| -message_body|Content of the email, not including subject.|`Hello World`| -message_links|URLs extracted from the email body.|`https://www.cnn.com`| -message_type|Content protocol of the message body|`html`| -return_address|Email address to which replies should be sent, also known as Return-Path or Reply-To; may differ from 
the src_address.|`eve_secondary@example.com`| -server_relay|The Received portion of the SMTP header, which provides the chain of hosts that the email passed through during delivery; each link usually contains an IP address, domain, and datetime group.|| -smtp_uid|Distinct ID used to distingquish emails.|`MN2PR09MB4876CCE7F183A83E6BA1C4C1CBF50@PP34399.prod.outlook.com`| -src_address|Email address of the sender, taken from the "Sender" SMTP field.|`eve@example.com`| -src_domain|The domain portion of the src_address.|`example.com`| -src_ip|Originating IP address.|`172.183.195.200`| -src_port|Originating port.|`1248`| -subject|Subject line of the email.|`Lo0k Younger Whl1e L0slng We19ht!!`| -to|The content of the To field in the email header; does not necessarily match up with real recipients.|`adam@example.com`| +action_reason|The rationale given for blocking, redirecting, or quarantining an email.|Malformed Message +attachment_mime_type|The MIME type of the attachment.|.docx +attachment_name|Filename of any email attachment that may exist.|cuddly-cats.pdf +attachment_size|Filesize of the attachment.|567 Kb +date|SMTP date header, which is actually a date time group.|Thu Jul 18 09:30:00 PDT 2019 +dest_address|Recipient email address, taken from the SMTP "Recipient" field.|adam@example.com +dest_ip|The destination IP address for the email.|221.174.222.111 +dest_port|The destination port for the email.|993 +from|Displayed sender name from the Message Information header; can be easily forged.|eve@trusted-advisors.com +message_body|Content of the email, not including subject.|Hello World +message_links|URLs extracted from the email body.|https://www.cnn.com +message_type|Content protocol of the message body|html +return_address|Email address to which replies should be sent, also known as Return-Path or Reply-To; may differ from the src_address.|eve_secondary@example.com +server_relay|The Received portion of the SMTP header, which provides the chain of hosts that the email 
passed through during delivery; each link usually contains an IP address, domain, and datetime group.| +smtp_uid|Distint ID used to distinguish emails.|MN2PR09MB4876CCE7F183A83E6BA1C4C1CBF50@PP34399.prod.outlook.com +src_address|Email address of the sender, taken from the "Sender" SMTP field.|eve@example.com +src_domain|The domain portion of the src_address.|example.com +src_ip|Originating IP address.|172.183.195.200 +src_port|Originating port.|1248 +subject|Subject line of the email.|Lo0k Younger Whl1e L0slng We19ht!! +to|the content of the To field in the email header; does not necessarily match up with real recipients.|adam@example.com ## Coverage Map - -| | **action_reason** | **attachment_mime_type** | **attachment_name** | **attachment_size** | **date** | **dest_address** | **dest_ip** | **dest_port** | **from** | **message_body** | **message_links** | **message_type** | **return_address** | **server_relay** | **smtp_uid** | **src_address** | **src_domain** | **src_ip** | **src_port** | **subject** | **to** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|--|--| -| **block** | | | | | | | | | | | | | | | | | | | | | | -| **delete** | | | | | | | | | | | | | | | | | | | | | | -| **deliver** | | | | | | | | | | | | | | | | | | | | | | -| **redirect** | | | | | | | | | | | | | | | | | | | | | | -| **quarantine** | | | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + action_reasonattachment_mime_typeattachment_nameattachment_sizedatedest_addressdest_ipdest_portfrommessage_bodymessage_linksmessage_typereturn_addressserver_relaysmtp_uidsrc_addresssrc_domainsrc_ipsrc_portsubjectto
block
delete
deliver
quarantine
redirect
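Review bot: the rewritten `smtp_uid` row in the Fields table swaps one typo for another: `Distint ID used to distinguish emails.` should read `Distinct ID used to distinguish emails.`, and the `to` row now starts lowercase (`the content of the To field`) while every other description starts with a capital. The new `+` rows also drop the leading `|` and the backticks around examples that the removed rows had, so the body no longer matches the `|Field|Description|Example|` header style; pick one convention for the whole table. Finally, every cell of the replaced Coverage Map was empty for all five actions and the added rows carry no sensor references either, so the change is purely cosmetic there; if that is intended, say so in the commit message.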
\ No newline at end of file diff --git a/docs/data_model/file.md b/docs/data_model/file.md index c0593471..c41c21ba 100755 --- a/docs/data_model/file.md +++ b/docs/data_model/file.md 
@@ -1,60 +1,509 @@ --- title: "File" --- - A resource for storing information available to a computer program. ## Actions - |Action|Description| |---|---| -|timestomp|The modification of an attribute, such as creation time. The file metadata may change, but the contents of the file remain the same.| +|acl_modify|The event corresponding with changing permissions on a file.| |create|The event corresponding to the creation of a file.| |delete|The event corresponding to the deletion of a file.| |modify|The event corresponding to the modification of a file or its metadata.| |read|The event corresponding to the accessing of a file to be read.| +|timestomp|The modification of an attribute, such as creation time. The file metadata may change, but the contents of the file remain the same.| |write|The event corresponding to the accessing of a file in order to write new instructions or information into a file.| -|acl_modify|The event corresponding with changing permissions on a file.| ## Fields - |Field|Description|Example| |---|---|---| -|company|The name of the organization listed in the file located at `image_path`. -|content|The contents of the file.|`Hello World`| -|creation_time|The creation time of the file as described in UTC and including the date.|`05/14/2015 12:47:06`| -|extension|The file extension of the file.|`docx`| -|file_name|The name of the file.|`MyWordDoc.docx`| -|file_path|The full path to the file on the file system.|`C:\users\fakeuser\documents\MyFile.docx`| -|gid|The group ID of the file|`801`| -|group|The group owner of the file|`admin`| -|owner_uid|The user ID or SID of the owner of the file.|`501`| -|owner|The username of the owner of the file.|`adam`| -|fqdn|The fully qualified domain name of the host. 
Contains the hostname appended with the domain.|`HOST1.EXAMPLE_DOMAIN.COM`| -|hostname|The hostname of the host, without the domain.|`HOST1`| -|image_path|The file system location of the executable that is associated with the `pid` that generated this event.|`C:\Windows\system32\notepad.exe`| -|link_target|The target path of a symbolic link.|`C:\my_special_file.exe`| -|md5_hash|An MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|`5eb63bbbe01eeed093cb22bb8f5acdc3`| -|mime_type|The MIME type of the file.|`PE`| -|mode|The mode or permissions set of the file.|`0644 (linux) or NTFS ACL`| -|pid|The process ID for the process that generated this file event, represented in decimal notation.|`738`| -|ppid|The process ID of the parent process of the process associated with this file event, represented in decimal notation.|`1860`| -|previous_creation_time|The creation_time associated with the file before it was changed for this file event.|`05/14/2015 12:47:06`| -|sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|`2aae6c35c94fcfb415dbe95f408b9ce91ee846ed`| -|sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`| -|signer|The company listed on the certificate of the program at `image_path` if that program is signed.|`Microsoft Corporation`| -|signature_valid|Boolean indicator of whether the signature is valid; empty if file is not signed.|`True`| -|user|The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user. Formatted as "\\\\". 
Because threads are allowed to impersonate users, this may be different than the user context of the process.|`HOST1\LOCALUSER`| -|uid|The user ID or SID for the acting entity.|`S-1-5-18`| +company|The name of the organization listed in the file located at `image_path`.| +content|The contents of the file.|Hello World +creation_time|The creation time of the file as described in UTC and including the date.|05/14/2015 12:47:06 +extension|The file extension of the file.|.docx +file_name|The name of the file.|MyWordDoc.docx +file_path|The full path to the file on the file system.|C:\users\fakeuser\documents\MyFile. +fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +gid|The group ID of the file.|801 +group|The group owner of the file.|admin +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system location of the executable that is associated with the pid that generated this event.|C:\Windows\system32\notepad.exe +link_target|The target path of a symbolic link.|C:\my_special_file.exe +md5_hash|An MD5 hash of the contents of the file located at `image_path`. 
The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +mime_type|The MIME type of the file.|PE +mode|The mode or permissions set of the file.|0644 (linux) or NTFS ACL +owner|The username of the owner of the file.|adam +owner_uid|The user ID of the owner of the file.|501 +pid|The process ID for the process that generated this file event, represented in decimal notation.|738 +ppid|The process ID of the parent process of the process associated with this file event, represented in decimal notation.|1860 +previous_creation_time|The creation_time associated with the file before it was changed for this file event.|05/14/2015 12:47:06 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +signature_valid|Boolean indicator of whether the signature is valid; empty if file is not signed.|True +signer|The company listed on the certificate of the program at `image_path` if that program is signed.|Microsoft Corporation +uid|The user ID or SID for the acting entity.|S-1-5-18 +user|The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user. Formatted as \. 
Because threads are allowed to impersonate users, this may be different than the user context of the process.|HOST1\LOCALUSER ## Coverage Map - -| | **company** | **content** | **creation_time** | **file_extension** | **file_gid** | **file_group** | **file_name** | **file_path** | **file_uid** | **file_user** | **fqdn** | **hostname** | **image_path** | **link_target** | **md5_hash** | **mime_type** | **mode** | **pid** | **ppid** | **previous_creation_time** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | **uid** | **user** | -| ---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | | | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98) | | | [Sysmon](../sensors/sysmon_13) | | | | | | [Sysmon](../sensors/sysmon_13) | | -| **delete** | | | | | | | | | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | | | | | [Sysmon](../sensors/sysmon_13) | | -| **modify** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | [Autoruns](../sensors/autoruns_13.98) | | | | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | -| **read** | | | | | | | | | | | | | | | | | | | | | | | | | | -| **timestomp** | | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | -| **write** | | | | | | | | | | | | | | | | | | | | | | | | | | -| **acl_modify** | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + companycontentcreation_timeextensionfile_namefile_pathfqdngidgrouphostnameimage_pathlink_targetmd5_hashmime_typemodeownerowner_uidpidppidprevious_creation_timesha1_hashsha256_hashsignature_validsigneruiduser
acl_modify
create
delete
modify
read
timestomp
write
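Review bot: the new `file_path` example is truncated to `C:\users\fakeuser\documents\MyFile.` (the removed row had `MyFile.docx`), and the `user` row's format description has lost its escaping, going from `Formatted as "\\\\".` to `Formatted as \.`, which will render as a stray backslash rather than the host-and-user shape the example `HOST1\LOCALUSER` shows. Restore the extension and re-escape the backslashes. Two smaller points in the same rows: `extension` now shows `.docx` where the old row had `docx`, so decide whether the field includes the dot, and `owner_uid` dropped `or SID` from its description while `uid` still says `The user ID or SID`. On the Coverage Map, the removed table carried Autoruns and Sysmon links for `create`, `delete`, `modify` and `timestomp`; no sensor reference appears in the added lines of this hunk, so confirm that coverage was not lost in the conversion.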
\ No newline at end of file diff --git a/docs/data_model/flow.md b/docs/data_model/flow.md index 4a484a88..a7ad5ff0 100755 --- a/docs/data_model/flow.md +++ b/docs/data_model/flow.md 
@@ -1,54 +1,286 @@ --- title: "Flow" --- - A sequence of packets from a source computer to a destination, which may be another host, a multicast group, or a broadcast domain. This may be captured at network or host level. ## Actions - |Action|Description| |---|---| -|start|The event corresponding to the beginning of collection of flow data in a given time period. -|end|The event corresponding to the ending of collection of flow data in a given time period. -|message|A flow message pertains to any event between start and end when content is sent over the connection (may imply TCP). This often implies use of traffic content collected via PCAP or a similar mechanism. +|end|The event corresponding to the ending of collection of flow data in a given time period.| +|message|A flow message pertains to any event between start and end when content is sent over the connection (may imply TCP). This often implies use of traffic content collected via PCAP or a similar mechanism.| +|start|The event corresponding to the beginning of collection of flow data in a given time period.| ## Fields - |Field|Description|Example| |---|---|---| -|application_protocol|The name of the layer 7 (OSI model) protocol contained within the flow.|`HTTP`| -|content|The ASCII printable characters of the flow. This corresponds to content from PCAP data or similar formats.|`GET https://www.google.com/ HTTP/1.1`| -|dest_ip|The destination IP address of the flow.|`192.168.1.5`| -|dest_port|The destination port of the flow.|`1900`| -|dest_fqdn|The fully qualified domain name that corresponds to `dest_ip`.|`dest_example.example.com`| -|dest_hostname|The hostname that corresponds to `dest_ip`|`test-pc`| -|end_time|The datetime stamp, in UTC, when the flow ended.|`5/15/2015 03:59:53.176 AM`| -|exe|The basename of the `image_path`. This will need to be collected from the host.|`Chrome.exe`| -|fqdn|The fully qualified domain name of the host. 
Contains the hostname appended with the domain.|`HOST1.EXAMPLE_DOMAIN.COM`| -|hostname|The hostname of the active host, without the domain.|`HOST1`| -|image_path|The file system path of the process that opened the flow. This will need to be collected from the host.|`C:\path\to\example.exe`| -|in_bytes|Integer value of total number of bytes received.|`13200`| -|out_bytes|Integer value of total number of bytes sent.|`1337`| -|network_direction|Direction of the original packet of the flow initiator, relative to network perimeter.|`in (flow originated outside the network and was directed into it)`| -|packet_count|The total packet count seen at time of logging.|`4`| -|pid|The process ID of the process that owns the socket responsible for the flow, represented in decimal notation. This will need to be collected from the host.|`738`| -|ppid|The process ID for the process's parent that owns the socket responsible for the flow, represented in decimal notation. This will need to be collected from the host.|`1860`| -|proto_info|A text decoded version of traffic in the flow specific to the protocol. The application layer information from the flow parsed according to the protocol in question. 
For instance, SMB information or HTTP headers and content.|`SMB2 Write Request Len:165 Off:0 Fileusername\private\filename.pptx`, `SRVSVC NetShareGetInfo response`| -|src_ip|The source IP address of the flow.|`10.0.0.54`| -|src_port|The source port of the flow packet.|`50438`| -|src_fqdn|The fully qualified domain name that corresponds to `src_ip`.|`src_domain.example.com`| -|src_hostname|The hostname that corresponds to `src_ip`.|`src_example`| -|start_time|The starting time date stamp, in UTC, of the flow data.|`05/14/2015 11:59:59 PM`| -|tcp_flags|TCP flags.|`SYN, ACK, PSH`| -|transport_protocol|The name of the layer 4 (OSI model) network protocol contained within the flow|`TCP`| -|uid|User ID or SID of the flow-handling entity|`S-1-5-18`| -|user|The user that ran the process.|`HOST1\LOCALUSER`| - +application_protocol|Name of the layer 7 protocol contained within the flow.|HTTP +content|The ASCII printable characters of the flow. This corresponds to content from PCAP data or similar formats.|GET https://www.google.com/ HTTP/1.1 +dest_fqdn|The fully qualified domain name that corresponds to `dest_ip`.|dest_example.example.com +dest_hostname|The hostname that corresponds to `dest_ip`.|dest_example +dest_ip|The destination IP address of the flow.|192.168.1.5 +dest_port|The destination port of the flow.|192.168.1.5 +end_time|The datetime stamp, in UTC, when the flow ended.|05/15/2015 03:59:53.176 AM +exe|The basename of the `image_path`. This will need to be collected from the host.|Chrome.exe +fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system path of the process that opened the flow. 
This will need to be collected from the host.|C:\path\to\example.exe +in_bytes|Integer value of total number of bytes received.|13200 +network_direction|Direction of the original of the flow initiator, relative to network perimiter.|in (flow originated outside the network and was directed into it) +out_bytes|Integer value of total number of bytes sent.|1337 +packet_count|The total packet count seen at time of logging.|4 +pid|The total packet count seen at time of logging.|738 +ppid|The process ID for the process’s parent that owns the socket responsible for the flow, represented in decimal notation. This will need to be collected from the host.|1860 +proto_info|A text decoded version of traffic in the flow specific to the protocol. The application layer information from the flow parsed according to the protocol in question. For instance, SMB information or HTTP headers and content.|SMB2 Write Request Len:165 Off:0 Fileusername\private\filename.pptx, SRVSVC NetShareGetInfo response +src_fqdn|The fully qualified domain name that corresponds to `src_ip`.|src_domain.example.com +src_hostname|The hostname that corresponds to `src_ip`.|src_example +src_ip|The source IP address of the flow.|10.0.0.54 +src_port|The source port of the flow.|50438 +start_time|The starting time date stamp, in UTC, of the flow data.|05/14/2015 11:59:59 PM +tcp_flags|flags turned on in the TCP header.|ACK, PSH +transport_protocol|Layer 4 protocol contained within the flow.|TCP +uid|User ID or SID of the flow-handling entity.|S-1-5-18 +user|The user that ran the process.|HOST1\LOCALUSER ## Coverage Map - -| | **application_protocol** | **content** | **dest_fqdn** | **dest_hostname** | **dest_ip** | **dest_port** | **end_time** | **exe** | **fqdn** | **hostname** | **image_path** | **in_bytes** | **out_bytes** | **network_direction** | **packet_count** | **pid** | **ppid** | **proto_info** | **src_fqdn** | **src_hostname** | **src_ip** | **src_port** | **start_time** | **tcp_flags** | 
**transport_protocol** | **uid** | **user** | -| ---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **end** | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| **message** | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| **start** | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13)| [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + application_protocolcontentdest_fqdndest_hostnamedest_ipdest_portend_timeexefqdnhostnameimage_pathin_bytesnetwork_directionout_bytespacket_countpidppidproto_infosrc_fqdnsrc_hostnamesrc_ipsrc_portstart_timetcp_flagstransport_protocoluiduser
end
message
start
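Review bot: two copy-paste errors in the rewritten Fields rows: `dest_port` now has the example `192.168.1.5` (the removed row had `1900`), and `pid` has had its description replaced with `The total packet count seen at time of logging.`, which duplicates `packet_count`; the removed text, `The process ID of the process that owns the socket responsible for the flow, represented in decimal notation. This will need to be collected from the host.`, should be restored. The `network_direction` description also lost a word and gained a typo (`Direction of the original of the flow initiator, relative to network perimiter.` versus the old `original packet ... perimeter`), and `tcp_flags` now starts lowercase with its example cut from `SYN, ACK, PSH` to `ACK, PSH` without explanation. As in the other data-model files, the removed Coverage Map listed Sysmon for most `start` fields and nothing comparable is visible in the added rows, so check that the sensor mapping survived.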
\ No newline at end of file diff --git a/docs/data_model/http.md b/docs/data_model/http.md index 34dc04fd..b4a9bc5a 100644 --- a/docs/data_model/http.md +++ b/docs/data_model/http.md 
@@ -1,45 +1,236 @@ --- -title: "File" +title: "HTTP" --- - HTTP events represents requests made over the network via the HTTP protocol. ## Actions - |Action|Description| |---|---| -|get|The event corresponding to an HTTP GET request. -|post|The event corresponding to an HTTP POST request. -|put|The event corresponding to an HTTP PUT request. -|tunnel|The event corresponding to an HTTP TUNNEL request. +|get|The event corresponding to an HTTP GET request.| +|post|The event corresponding to an HTTP POST request.| +|put|The event corresponding to an HTTP PUT request.| +|tunnel|The event corresponding to an HTTP TUNNEL request.| ## Fields - |Field|Description|Example| |---|---|---| -|hostname|hostname on which the request was seen.|HOST1 -|request_body_bytes|Integer value corresponding to the total number of bytes in the request.|180 -|http_version|HTTP version that is specified in the header.|1.1 -|request_body_content|Body of the HTTP request; usually specifies the exact content being requested.|varies as content is unique. If referrer is http://cnn.com as in example below, expect the body content to likely be an article from CNN. 
-|request_referrer|The URL from which the request was referred, if applicable.|http://cnn.com -|requester_ip_address|IP address from which the request was made.|151.101.131.5 -|response_body_types|Integer value corresponding to the total number of bytes in the response.|2910 -|response_body_content|Content of the response (does not include header).| -|response_status_code|HTTP protocol status code in response header|200 -|url_full|URL to which the HTTP request was sent|https://www.mitre.org/about/corporate-overview -|url_domain|Domain portion of the URL.|www.mitre.org -|url_remainder|the path after the root domain|/about/corporate-overview -|url_scheme|type of user that initiated the request.|https -|user_agent_full| User agent string associated with the request|HOST1\LOCALUSER1 -|user_agent_name|The user agent through which the request was made.|"Mozilla/5.0 (Linux; Android 7.0; SM-G930VC Build/NRD90M; wv)
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36" -|user_agent_device|Device type from which request was made, identified by user_agent substring|SM-G930VC (Samgsung Galaxy S7) -|user_agent_version|User Agent Version. Note that some User Agent strings may not label versions in the same way.|4.0 +hostname|hostname on which the request was seen.|HOST1 +http_version|HTTP version that is specified in the header.|1.1 +request_body_bytes|Integer value corresponding to the total number of bytes in the request.|180 +request_body_content|Body of the HTTP request; usually specifies the exact content being requested.| +request_referrer|The URL from which the request was referred, if applicable.|http://cnn.com +requester_ip_address|IP address from which the request was made.|10.0.211.200 +response_body_bytes|Integer value corresponding to the total number of bytes in the response.|2910 +response_body_content|Content of the response (does not include header).| +response_status_code|HTTP protocol status code in response header|200 +url_domain|Domain portion of the URL.|www.mitre.org +url_full|URL to which the HTTP request was sent|https://www.mitre.org/about/corporate-overview +url_remainder|the path after the root domain|/about/corporate-overview +url_scheme|type of user that initiated the request.|https +user_agent_device|Device type from which request was made, identified by user_agent substring|SM-G930VC (Samgsung Galaxy S7) +user_agent_full|User agent string associated with the request|HOST1\LOCALUSER1 +user_agent_name|The user agent through which the request was made.|Mozilla/5.0 (Linux; Android 7.0; SM-G930VC Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36 +user_agent_version|User Agent Version. 
Note that some User Agent strings may not label versions in the same way.|4.0 ## Coverage Map - -| | **hostname** | **request_body_bytes** | **http_version** | **request_body_content** | **request_referrer** | **requester_ip_address** | **response_body_types** | **response_body_content** | **response_status_codes** | **url_full** | **url_domain** | **url_remainder** | **url_scheme** | **user_agent_full** | **user_agent_device** | **user_agent_version** | -| --- | --- | ---| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | -| **get** | | | | | | | | | | | | | | | | | -| **post** | | | | | | | | | | | | | | | | | -| **put** | | | | | | | | | | | | | | | | | -| **tunnel** | | | | | | | | | | | | | | | | | \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + hostnamehttp_versionrequest_body_bytesrequest_body_contentrequest_referrerrequester_ip_addressresponse_body_bytesresponse_body_contentresponse_status_codeurl_domainurl_fullurl_remainderurl_schemeuser_agent_deviceuser_agent_fulluser_agent_nameuser_agent_version
get
post
put
tunnel
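Review bot: the examples for `user_agent_full` and `user_agent_name` look swapped: `user_agent_full` shows `HOST1\LOCALUSER1`, which is a user principal rather than a User-Agent string, while `user_agent_name` carries the full `Mozilla/5.0 (Linux; Android 7.0; ...)` string. Since both rows are rewritten in this hunk, put the full string under `user_agent_full` and a short product name under `user_agent_name`. The `url_scheme` description, `type of user that initiated the request.`, is also wrong for a field whose example is `https`; it should describe the URL scheme. Minor: `Samgsung` in `user_agent_device`, and `hostname` and `url_remainder` start lowercase. The title fix from `File` to `HTTP` and the rename of `response_body_types` to `response_body_bytes` (also corrected in the coverage header, along with `response_status_code`) are good.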
\ No newline at end of file diff --git a/docs/data_model/module.md b/docs/data_model/module.md index c291ab30..8a1c5493 100755 --- a/docs/data_model/module.md +++ b/docs/data_model/module.md 
@@ -1,37 +1,128 @@ --- title: "Module" --- - Modules correspond to executable (and potentially non-executable) content, and are loaded as a contiguous region of memory into the address space of a process. Each process will have the main image loaded as a module and shared libraries (DLLs in Windows) and their dependencies. ## Actions - |Action|Description| |---|---| |load|A module load event occurs when a PE image (dll or exe) is loaded into a process.| |unload|When the module is unloaded from memory, upon destruction of the process or by calling an API such as FreeLibrary, the unload event is triggered.| ## Fields - |Field|Description|Example| |---|---|---| -|base_address|A hex address indicating where the module is loaded into the process’s virtual address space|`0xFFFFF8000405F000`| -|fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|`HOST1.EXAMPLE_DOMAIN.COM`| -|hostname|The hostname of the active host, without the domain.|`HOST1`| -|image_path|The file system location of the process image.|`C:\path\to\example.exe`| -|md5_hash|The MD5 hash of the contents of the file located at `module_path`. The field is in hex notation, without the 0x prefix.|`5eb63bbbe01eeed093cb22bb8f5acdc3`| -|module_path|The full file system path to the module loaded into the memory space of the process.|`C:\windows\system32\kernel32.exe`| -|module_name|The name of the file where the module is loaded on disk. 
This is also the string that is used internally by the program to lookup information about the module.|`kernel32.exe`| -|pid|Process ID of the process in which the module is loaded (or unloaded).|`738`| -|sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|`2aae6c35c94fcfb415dbe95f408b9ce91ee846ed`| -|sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`| -|signature_valid|Boolean indicator of whether the signature is current and not revoked.|`True`| -|signer|The name of the organization which signed the module.|`Microsoft Corporation`| -|tid|The thread ID of the thread responsible for the load or unload event.|`50`| +base_address|A hex address indicating where the module is loaded into the process’s virtual address space.|18446735277684027392 +fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system location of the process image.|C:\path\to\example.exe +md5_hash|The MD5 hash of the contents of the file located at `module_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +module_name|The name of the file where the module is loaded on disk. 
This is also the string that is used internally by the program to lookup information about the module.|kernel32.exe +module_path|The full file system path to the module loaded into the memory space of the process.|C:\windows\system32\kernel32.exe +pid|Process ID of the process in which the module is loaded (or unloaded).|738 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +signature_valid|Boolean indicator of whether the signature is current and not revoked|True +signer|The name of the organization which signed the module.|Microsoft Corporation +tid|The thread ID of the thread responsible for the load or unload event.|50 ## Coverage Map - -| | **base_address** | **fqdn** | **hostname** | **image_path** | **md5_hash** | **module_name** | **module_path** | **pid** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | **tid** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **load** | | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | -| **unload** | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + base_addressfqdnhostnameimage_pathmd5_hashmodule_namemodule_pathpidsha1_hashsha256_hashsignature_validsignertid
load
unload
\ No newline at end of file diff --git a/docs/data_model/process.md b/docs/data_model/process.md index 7ed4995c..7af938a0 100755 --- a/docs/data_model/process.md +++ b/docs/data_model/process.md 
@@ -1,54 +1,304 @@ --- title: "Process" --- - A process is a running program on a computer. ## Actions - |Action|Description| |---|---| -|access|The event corresponding to a process accessing the memory space of another process. +|access|The vent corresponding to a process accessing the memory space of another process.| |create|The event corresponding to a process creation in Windows. In the kernel, these are often captured with the callback [PsSetCreateProcessNotifyRoutine](https://msdn.microsoft.com/en-us/library/windows/hardware/ff559951%28v=vs.85%29.aspx).| -|terminate|The event corresponding to a process destruction in Windows. In the kernel, these are also captured with the callback [PsSetCreateProcessNotifyRoutine](https://msdn.microsoft.com/en-us/library/windows/hardware/ff559951%28v=vs.85%29.aspx), but with point to a NULL structure.| +|terminate|The event corresponding to a process destruction in Windows. In the kernel, these are also captured with the callback [PsSetCreateProcessNotifyRoutine](https://msdn.microsoft.com/en-us/library/windows/hardware/ff559951%28v=vs.85%29.aspx), but with a pointer to a NULL structure.| ## Fields - |Field|Description|Example| |---|---|---| -|access_level|Permissions level at which the target process is accessed.|`0x40`| -|call_trace|The stack trace showing the context of a process open/access call.|`C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\system32\KERNELBASE.dll+1e865`| -|command_line|The command line string contains all arguments passed to the process upon execution.|`example arg1 arg2`, `example.exe`, `C:\path\example.exe /flag1`| -|current_working_directory|The absolute path to the current working directory of the process.|`c:\windows\system32\`| -|exe|The basename of the `image_path`.|`example.exe`| -|env_vars|The environment variables within a process's memory space, as a string.|`SHELL=/bin/zsh`| -|fqdn|The fully qualified domain name of the host in which the process ran. 
Contains the hostname appended with the domain.|`HOST1.EXAMPLE_DOMAIN.COM`| -|guid|Globally unique identifier for the process.|`{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}`| -|hostname|The hostname of the host, without the domain.|`HOST1`| -|image_path|The file path of the executable associated with this process. This may act as a pivot to [`file:file_path`](https://car.mitre.org/wiki/Data_Model/file#file_path).|`C:\path\to\example.exe`| -|integrity_level|The Windows integrity level associated with the process. MUST be one of: low, medium, high, or system.|`high`| -|md5_hash|The MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|`5eb63bbbe01eeed093cb22bb8f5acdc3`| -|parent_command_line|All of the arguments passed to the parent process upon execution.|`c:\\windows\\system32\\dism.exe foo.xml`| -|parent_exe|The `exe` field of the parent process. This is a substring of `parent_image_path`|`example_parent.exe`| -|parent_guid|Globally unique identifier for the parent of the initiating process.|`{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}`| -|parent_image_path|The `image_path` field of the parent process.|`C:\path\to\example_parent.exe`| -|pid|The process ID for the process, represented in decimal notation.|`738`| -|ppid|The process ID for the process's parent, represented in decimal notation. 
In the parent process, this will be the `pid` field.|`1860`| -|sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|`2aae6c35c94fcfb415dbe95f408b9ce91ee846ed`| -|sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|`68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728`| -|sid|The security identifier or UID of the `user` token that the process is running under.|`S-1-5-18`| -|signer|The company that signed the file.|`True`| -|signature_valid|Boolean indicator of whether signature is current and not revoked.|`True`| -|target_address|Specific address range which is accessed by another process.|`08048000-0804c000`| -|target_guid|Globally Unique Identifier for the target process (only for process access events).|`{A23EAE89-BD56-5903-0000-0010E9D95EFC}`| -|target_pid|ID of the target process (only for process access events).|`1338`| -|target_name|Name of the process that is accessed.|`C:\Windows\System32\winlogon.exe`| -|user|The user token that process was created with. May be a local, domain or SYSTEM user. Formatted with "\\\\". Individual threads in the process may gain more privilege or change tokens, so the active token in any thread is not necessarily the one the process was created under.|`HOST1\LOCALUSER`| +access_level|Permissions level at which the target process is accessed.|64 +call_trace|Stack trace showing context of process open/access call.| +command_line|The command line string contains all arguments passed to the process upon execution.|example.exe arg1 arg2 +current_working_directory|The absolute path to the current working directory of the process.|c:\temp +env_vars|The environment variables within a process's memory space, as a string.|SHELL=/bin/zsh +exe|The basename of the `image_path`.|example.exe +fqdn|The fully qualified domain name of the host in which the process ran. 
Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +guid|Global unique identifier for the initiating process.|{f81d4fae-7dec-11d0-a765-00a0c91e6bf6} +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file path of the executable associated with this process. This may act as a pivot to [file:file_path](https://car.mitre.org/wiki/Data_Model/file#file_path).|C:\path\to\example.exe +integrity_level|The Windows integrity level associated with the process. MUST be one of low, medium, high, or system.|High +md5_hash|The MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +parent_command_line|All of the arguments passed to the parent process upon execution.|c:\windows\system32\dism.exe foo.xml +parent_exe|The `exe` field of the parent process. This is a substring of `parent_image_path`.|example_parent.exe +parent_guid|Global unique identifier of the parent of the initiating process.|{f81d4fae-7dec-11d0-a765-00a0c91e6bf6} +parent_image_path|The `image_path` field of the parent process.|C:\path\to\example_parent.exe +pid|The process ID for the process, represented in decimal notation.|738 +ppid|The process ID for the process's parent, represented in decimal notation. 
In the parent process, this will be the `pid` field.|1860 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +sid|The Windows security identifier of the `user` token that the process is running under.|S-1-5-18 +signature_valid|Boolean indicator of whether signature is current and not revoked.|True +signer|The name of the company that signed the file.|FooCorp +target_address|Specific address range which is accessed by another process.|08048000-0804c000 +target_guid|Global Unique Identifier for the target process (only for process access events).| +target_name|Name of the process that is accessed.|C:\Windows\System32\winlogon.exe +target_pid|ID of the target process (only for process access events).| +uid|User ID under which original process is running.|509 +user|The user token that process was created with. May be a local, domain or SYSTEM user. Formatted with "\". 
Individual threads in the process may gain more privilege or change tokens, so the active token in any thread is not necessarily the one the process was created under.|HOST1\LOCALUSER ## Coverage Map - -| | **access_level** | **call_trace** | **command_line** | **current_working_directory** | **exe** | **env_vars** | **fqdn** | **guid** | **hostname** | **image_path** | **integrity_level** | **md5_hash** | **parent_command_line** | **parent_exe** | **parent_guid** | **parent_image_path** | **pid** | **ppid** | **sha1_hash** | **sha256_hash** | **sid** | **signer** | **signature_valid** | **target_address** | **target_guid** | **target_pid** | **target_name** | **user** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **access** | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | | | [Sysmon](../sensors/sysmon_13) | | | | [Sysmon](../sensors/sysmon_13) | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | -**create** | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | | | | -| **terminate** | | | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + access_levelcall_tracecommand_linecurrent_working_directoryenv_varsexefqdnguidhostnameimage_pathintegrity_levelmd5_hashparent_command_lineparent_exeparent_guidparent_image_pathpidppidsha1_hashsha256_hashsidsignature_validsignertarget_addresstarget_guidtarget_nametarget_piduiduser
access
create
terminate
\ No newline at end of file diff --git a/docs/data_model/registry.md b/docs/data_model/registry.md index 8faa412c..61b74771 100755 --- a/docs/data_model/registry.md +++ b/docs/data_model/registry.md 
@@ -1,40 +1,170 @@ --- title: "Registry" --- - The registry is a system-defined database in which applications and system components store and retrieve configuration data. The data stored in the registry varies according to the version of Microsoft Windows. Applications use the registry API to retrieve, modify, or delete registry data. ## Actions - |Action|Description| |---|---| |add|The event corresponding to the act of adding a registry key, hive, type, or value.| -|name_edit|The event corresponding to the act of editing the name of an existing registry key or value.| +|key_edit|The event corresponding to the act of editing the name of an existing registry key.| |remove|The event corresponding to the act of deleting an existing registry key, hive, type, or value.| -|value_edit|The event corresponding to the act of editing the contents of an existing registry value.| +|value_edit|The event corresponding to the act of editing the content of an existing registry value.| ## Fields - |Field|Description|Example| |---|---|---| -|fqdn|The fully qualified domain name for the host on which the registry access took place.|`host1.example.net`| -|hostname|The hostname of the host, without the domain.|`HOST1`| -|hive|The logical group of keys, subkeys, and values in the registry.|`HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE` -|key|The registry key specified in the event. 
Similar to a folder in a traditional file system,|`HKLM\SYSTEM\CurrentControlSet\services\RpcSs`| -|image_path|Inherited from the [process](https://car.mitre.org/wiki/Data_Model/process) that made the registry access.|`C:\Windows\System32\cmd.exe`| -|new_content|The data within the new value, or the new name of a key or value, after an edit event.|`\%SystemRoot%\system32\svchost.exe, HKLM\SYSTEM\CurrentControlSet\services\RpcSs`| -|pid|Inherited from the [process](https://car.mitre.org/wiki/Data_Model/process) that made the registry access.|`1337`| -|user|The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user. Formatted as "\\\\". Because threads are allowed to impersonate users, this may be different than the user context of the process.| | -|value|The descriptive name for the data being stored in the key.|`InstalledVersion`| -|value_data|The contents of the value, typically a text string.|`%SystemRoot%\system32\svchost.exe -k rpcss`| -|value_type|The type of data being stored in the value. Types include binary data, 32 bit numbers, strings, etc.|`REG_SZ`,`REG_MULTI_SZ`,`REG_DWORD`,`REG_BINARY`,`REG_QWORD`,`REG_EXPAND_SZ`| +data|The content of `value`, typically a text string.|\%SystemRoot%\system32\svchost.exe -k rpcss +fqdn|The fully qualified domain name for the host on which the registry access took place.|HOST1.EXAMPLE_DOMAIN.COM +hive|The logical group of keys, subkeys, and values in the registry.|HKEY_CURRENT_USER +hostname|The hostname of the host, without the domain.|HOST1 +image_path|Inherited from the [process](https://car.mitre.org/data_model/process) that made the registry access.|C:\path\to\example.exe +key|The registry key of the event. 
Similar to a folder in a traditional file system.|HKLM\SYSTEM\CurrentControlSet\services\RpcSs +new_content|The data within the new value, or the new name of a key, after an edit event.|\%SystemRoot%\system32\svchost.exe, HKLM\SYSTEM\CurrentControlSet\services\RpcSs +pid|Inherited from the [process](https://car.mitre.org/data_model/process) that made the registry access.|738 +type|The type of data being stored in `value`. Types include binary data, 32 bit numbers, strings, etc.|REG_BINARY +user|The user in the context of the process that performed the action on the registry key.|HOST1\LOCALUSER +value|The descriptive name for the data being stored.|InstalledVersion ## Coverage Map - -| | **data** | **fqdn** | **hostname** | **hive** | **key** | **image_path** | **new_content** | **pid** | **type** | **user** | **value** | -|---|---|---|---|---|---|---|---|---|---|---|---| -| **add** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)| [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | -| -**key_edit** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)< /br>[Sysmon](../sensors/sysmon_13) | -| **remove** | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | -| **value_edit** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| | [Autoruns](../sensors/autoruns_13.98) | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + datafqdnhivehostnameimage_pathkeynew_contentpidtypeuservalue
add
key_edit
remove
value_edit
\ No newline at end of file diff --git a/docs/data_model/service.md b/docs/data_model/service.md index c8128f21..6c97eb60 100755 --- a/docs/data_model/service.md +++ b/docs/data_model/service.md 
@@ -1,40 +1,185 @@ --- title: "Service" --- - Services, or a service application, can be started automatically at system boot, by a user through the services control panel applet, or by an application that uses service functions. Services can execute even when no user is logged into the system. ## Actions - |Action|Description| |---|---| -|create|The event corresponding to the act of creating a new service. -|delete|The event corresponding to the act of deleting a service. -|pause|The event corresponding to the act of pausing a currently running service. -|start|The event corresponding to the act of starting a new service. -|stop|The event corresponding to the act of stopping a service that is currently running. +|create|The event corresponding to the act of creating a new service.| +|delete|The event corresponding to the act of deleting a service.| +|pause|The event corresponding to the act of pausing a currently running service.| +|start|The event corresponding to the act of starting a new service.| +|stop|The event corresponding to the act of stopping a service that is currently running.| ## Fields - |Field|Description|Example| |---|---|---| -|command_line|The command line that service is started with.|`C:\windows\system32\svchost.exe -k rpcss` -|exe|The executable for the service.|`svchost.exe` -|fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|`Example: HOST1.EXAMPLE_DOMAIN.COM` -|hostname|The hostname of the host, without the domain.|`HOST1` -|image_path|Where in the file system the executable is located.|`C:\path\to\example.exe` -|name|The name of the service.|`RpcSs` -|ppid|The process ID of the process's parent, represented in decimal notation. 
In the parent process, this will be the pid field.|`1860` -|pid|The process ID for the process, represented in decimal notation.|`738` -|uid|The ID or SID of the user who acted on the service.|`S-1-5-18` -|user|The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user. Formatted as "\\\\". Because threads are allowed to impersonate users, this may be different than the user context of the process. For service events, the user is almost always NT AUTHORITY\SYSTEM.|`NT AUTHORITY\SYSTEM` +command_line|The command line that service is started with.|C:\windows\system32\svchost.exe -k rpcss +exe|The executable for the service.|svchost.exe +fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|Where in the file system the service executable is located.|C:\path\to\example.exe +name|The name of the service.|RpcSs +pid|The process ID for the process of the service, represented in decimal notation.|718 +ppid|The process ID of the process’s parent or the service, represented in decimal notation. 
In the parent process, this will be the pid field.|1860 +uid|The ID of SID of the user who acted on the service|S-1-5-18 +user|The user token that service was created with.|HOST1\LOCALUSER ## Coverage Map - -| | **command_line** | **exe** | **fqdn** | **hostname** | **image_path** | **name** | **pid** | **ppid** | **uid** | **user** | -|---|---|---|---|---|---|---|---|---|---|---| -| **create** | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | | | | -| **delete** | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | | | | -| **pause** | | | | | | | | | | | -| **start** | | | | | | | | | | | -| **stop** | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + command_lineexefqdnhostnameimage_pathnamepidppiduiduser
create
delete
pause
start
stop
\ No newline at end of file diff --git a/docs/data_model/socket.md b/docs/data_model/socket.md index 0f4758f5..2ed0be97 100755 --- a/docs/data_model/socket.md +++ b/docs/data_model/socket.md 
@@ -1,37 +1,133 @@ --- title: "Socket" --- - -Socket events are low-level events that may or may not result in a flow. Socket listening events in particular can be helpful in detecting malicious activity. +Socket events are low-level events that may or may not result in a flow. Socket listenining events in particular can be helpful in detecting malicious activity. ## Actions - |Action|Description| |---|---| -|bind|The event corresponding to a socket binding to a specific address. -|listen|The event corresponding to a socket being opened into a listening status, usually on a specific local port.| +|bind|The event corresponding to a socket binding to a specific address| |close|The event corresponding to a socket being closed.| +|listen|The event corresponding to a socket being opened into a listening status, usually on a specific local port.| ## Fields - |Field|Description|Example| |---|---|---| -|family|The type of socket in question.|`AF_UNIX, AF_INET, AF_INET6`| -|image_path|Path to the executable that initiated the socket event.|`C:/user/adam/malware.exe`| -|local_address|IP address on which the socket will accept connections; does not include the port number.|`10.0.211.200`| -|local_path|In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets.|`/tmp/foo`| -|local_port|Port number on which the socket is bound at the local end. This pertains to TCP and UDP sockets but not IP sockets.|`48777`| -|pid|ID of the process that acted on the socket.|`3930`| -|protocol|The type of connection that was attempted on the socket.|`TCP`| -|remote_address|IP address with which the socket is communicating on the remote end.|`199.121.21.20`| -|remote_port|Port number on which the socket is bound at the remote end.|`559`| -|success|Boolean indicator of whether the socket event was successful (e.g. 
the socket was created as requested).|`True`| +family|The type of socket in question|AF_UNIX, AF_INET, AF_INET6 +image_path|Path to the executable that initiated the socket event.|C:/user/adam/malware.exe +local_address|IP address on which the socket will accept connections; does not include the port number.|10.0.211.200 +local_path|In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets.|/tmp/foo +local_port|Port number on which the socket is bound at the local end. This pertains to TCP and UDP sockets but not IP sockets.|48777 +pid|ID of the process that acted on the socket|3930 +protocol|The type of connection that was attempted on the socket|TCP +remote_address|IP address with which the socket is communicating on the remote end.|199.121.21.20 +remote_port|Port number on which the socket is bound at the remote end.|559 +success|Boolean indicator of whether the socket event was successful (e.g. 
the socket was created as requested)|True ## Coverage Map - -| | **family** | **image_path** | **local_address** | **local_path** | **local_port** | **pid** | **protocol** | **remote_address** | **remote_port** | **success** | -|---|---|---|---|---|---|---|---|---|---|---| -| **bind** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | -| **listen** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | -| **close** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | o[osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + familyimage_pathlocal_addresslocal_pathlocal_portpidprotocolremote_addressremote_portsuccess
bind
close
listen
\ No newline at end of file diff --git a/docs/data_model/thread.md b/docs/data_model/thread.md index ac505bdf..276728d6 100755 --- a/docs/data_model/thread.md +++ b/docs/data_model/thread.md 
@@ -1,44 +1,214 @@ --- title: "Thread" --- - A thread of execution is the smallest sequence of programmed instructions that can be managed independently by a scheduler, which is typically part of the operating system. A thread is typically a component of a process. Multiple threads can exist within the same process and share resources such as memory, while different processes do not share these resources. The threads of a process share executable code instructions and context, such as the values of variables at any given moment. ## Actions - |Action|Description| |---|---| |create|The event corresponding to the act of creating a new thread.| +|remote_create|A subset of thread create events that correspond to thread injection, that is, when a process creates a thread in another process. For a remote_create event the src_pid and tgt_pid are different.| |suspend|The event corresponding to the act of suspending a thread which is currently running.| |terminate|The event corresponding to the act of terminating a running thread.| -|remote_create|A subset of thread create events that correspond to thread injection, that is, when a process creates a thread in another process. 
For a remote_create event the src_pid and tgt_pid are different.| ## Fields - |Field|Description|Example| |---|---|---| -|hostname|The hostname of the active host, without the domain.|`HOST1`| -|src_pid|The process ID of the process that created the thread.|`6016`| -|src_tid|The thread ID of the thread that created the event.|`9012`| -|stack_base|The base address of the thread’s stack.|`0xfffff880081a9000`| -|stack_limit|The limit of the thread’s stack.|`0xfffff880081a3000`| -|start_address|The memory address at which the thread's execution starts.|`0xfffff880046dc3e0`| -|start_function|The function at `start_address`|`LoadLibrary`| -|start_module|The module in which `start_address` resides.|`C:\windows\system32\ntdll.dll`| -|start_module_name|The short name of the `start_module.`|`ntdll.dll`| -|subprocess_tag|Identifies the service if the thread is owned by a service; otherwise, it is listed as zero.|`0`| -|tgt_pid|The process ID of the process in which the new thread runs.|`4`| -|tgt_tid|The thread ID of the new thread that was created.|`6964`| -|uid|The ID or SID of the user who directly or indirectly acted on the thread.|`S-1-5-18`| -|user|The user context in which the source thread was running. May be a local, domain or SYSTEM user. Formatted as "\\\\". 
Because threads are allowed to impersonate users, this may be different than the user context of the process.|`HOST1\LOCALUSER`| -|user_stack_base|The base address of the thread’s stack.|`0x0`| -|user_stack_limit|The limit of the thread’s stack.|`0x0`| +hostname|The hostname of the active host, without the domain.|HOST1 +src_pid|The process ID of the process that created the thread.|6016 +src_tid|The thread ID of the thread that created the event.|9012 +stack_base|The base address of the thread's stack.|18446735827508301824 +stack_limit|The limit of the thread's stack.|18446735827508277248 +start_address|The memory address at which the thread's execution starts.|18446735827446645728 +start_function|The function at `start_address`.|LoadLibrary +start_module|The module in which `start_address` resides.|C:\windows\system32\ntdll.dll +start_module_name|The short name of the `start_module`.|ntdll.dll +tgt_pid|The process ID of the process in which the new thread runs.|232 +tgt_tid|The thread ID of the new thread that was created.|6964 +uid|The ID of SID of the user who directly or indirectly acted on the thread|S-1-5-18 +user|The user context in which the source thread was running. May be a local, domain or SYSTEM user. Formatted as \. 
Because threads are allowed to impersonate users, this may be different than the user context of the process.|HOST1\LOCALUSER +user_stack_base|The base address of the thread's stack.|0 +user_stack_limit|The limit of the thread's stack.|0 ## Coverage Map - -| | **hostname** | **src_pid** | **src_tid** | **stack_base** | **stack_limit** | **start_address** | **start_function** | **start_module** | **start_module_name** | **subprocess_tag** | **tgt_pid** | **tgt_tid** | **uid** | **user** | **user_stack_base** | **user_stack_limit** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | | | | | | | | | | | | | | | | | -| **remote_create** | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | |[Sysmon]( ../sensors/sysmon_13) |[Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | -| **suspend** | | | | | | | | | | | | | | | | | | -| **terminate** | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + hostnamesrc_pidsrc_tidstack_basestack_limitstart_addressstart_functionstart_modulestart_module_nametgt_pidtgt_tiduiduseruser_stack_baseuser_stack_limit
create
remote_create
suspend
terminate
\ No newline at end of file diff --git a/docs/data_model/user_session.md b/docs/data_model/user_session.md index 849b7c65..980fee94 100755 --- a/docs/data_model/user_session.md +++ b/docs/data_model/user_session.md 
@@ -1,40 +1,185 @@ --- title: "User Session" --- - User sessions are the user activities undertaken on the computer in the course of conducting standard user actions. ## Actions - |Action|Description| |---|---| -|lock|The event corresponding to the act of a user locking a machine such that they are still logged into the machine but unable to access it without re-entering credentials, effectively entering the machine into a locked state. -|login|The event corresponding to the act of a user logging into a machine. -|logout|The event corresponding to the act of a user logging out of a machine. -|reconnect|The event corresponding to the act of a user reconnecting when an RDP session disconnects but the user is not logged off. -|unlock|The event corresponding to the act of a user unlocking a machine currently in a locked state. +|lock|The event corresponding to the act of a user locking a machine such that they are still logged into the machine but unable to access it without re-entering credentials, effectively entering the machine into a locked state.| +|login|The event corresponding to the act of a user logging into a machine.| +|logout|The event corresponding to the act of a user logging out of a machine.| +|reconnect|The event corresponding to the act of a user reconnecting when an RDP session disconnects but the user is not logged off.| +|unlock|The event corresponding to the act of a user unlocking a machine currently in a locked state.| ## Fields - |Field|Description|Example| |---|---|---| -|dest_ip|The destination IP address of the user session. Only applicable to remote or RDP sessions.|`192.168.1.5` -|dest_port|The destination port of the user session. 
Only applicable to remote or RDP sessions.|`1900` -|hostname|The hostname of the host, without the domain.|`HOST1` -|login_successful|Boolean indicator of whether a login attempt was successful.|`False` -|login_type|The type of login that was accomplished or attempted.|`interactive`,`local`,`rdp`,`remote` -|login_id|A hex value corresponding to the session. The login id will persist until logout occurs.|`0xf61f3` -|src_ip|The source IP address of the user session. Only applicable to remote or RDP sessions.|`10.0.0.54` -|src_port|The source port of the user session. Only applicable to remote or RDP sessions.|`50438` -|uid|ID or SID of the user for which a session event occured.|`S-1-5-18` -|user|The user affiliated with the session. May be a local, domain or SYSTEM user.|`HOST1\LOCALUSER` +dest_ip|The destination IP address of the user session. Only applicable to remote or RDP sessions.|192.168.1.5 +dest_port|The destination port of the user session. Only applicable to remote or RDP sessions.|1900 +hostname|The hostname of the host, without the domain.|HOST1 +login_id|A hex value corresponding to the session. The logon id will persist until logout occurs.|1008115 +login_successful|Boolean indicator of whether a login attempt was successful|False +login_type|The type of login that was accomplished or attempted|interactive,local,rdp,remote +src_ip|The source IP address of the user session. Only applicable to remote or RDP sessions.|10.0.0.54 +src_port|The source port of the user session. Only applicable to remote or RDP sessions.|50438 +uid|ID or SID of the user for which a session event ocurred|S-1-5-18 +user|The user affiliated with the session. 
May be a local, domain or SYSTEM user.|HOST1\LOCALUSER ## Coverage Map - -| | **dest_ip** | **dest_port** | **hostname** | **login_successful** | **login_type** | **logon_id** | **src_ip** | **src_port** | **uid** | **user** | -|---|---|---|---|---|---|---|---|---|---|---| -| **lock** | | | | | | | | | | | -| **login** | | | | | | | | | | | -| **logout** | | | | | | | | | | | -| **reconnect** | | | | | | | | | | | -| **unlock** | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + dest_ipdest_porthostnamelogin_idlogin_successfullogin_typesrc_ipsrc_portuiduser
lock
login
logout
reconnect
unlock
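Review bot: in the rewritten Fields table the `login_id` row still describes the value as "A hex value corresponding to the session" but its example changes from `0xf61f3` to `1008115` (the decimal form of the same number) and the same sentence switches to "logon id"; either keep the hex example or reword the description, and use one spelling. The new field rows also drop the leading `|` and the backticks around examples that the Actions rows immediately above keep, and the `uid` row misspells "occurred" (`ocurred`, replacing the removed line's `occured`). Suggest `|uid|ID or SID of the user for which a session event occurred.|S-1-5-18|` with the example in backticks as in the Actions rows, and the same shape for the other nine rows.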
\ No newline at end of file diff --git a/scripts/datamodel_index_template.md b/scripts/datamodel_index_template.md new file mode 100644 index 00000000..e69de29b diff --git a/scripts/datamodel_sensors.md b/scripts/datamodel_sensors.md new file mode 100644 index 00000000..e69de29b diff --git a/scripts/datamodel_template.md b/scripts/datamodel_template.md new file mode 100644 index 00000000..60545676 --- /dev/null +++ b/scripts/datamodel_template.md @@ -0,0 +1,36 @@ +--- +title: "{{ datamodel['name'] }}" +--- +{{ datamodel['description'] }} + +## Actions +|Action|Description| +|---|---|{% for action in datamodel['actions']|sort(attribute='name') %} +|{{ action['name'] }}|{{ action['description'] }}|{% endfor %} + +## Fields +|Field|Description|Example| +|---|---|---|{% for field in datamodel['fields']|sort(attribute='name') %} +{{ field['name'] }}|{{ field['description'] }}|{% if 'example' in field %}{{ field['example'] }}{% endif %}{% endfor %} + +## Coverage Map + + + + + {% endfor %} + + + + {% for action in datamodel['actions']|sort(attribute='name') %} + + + {% for field in datamodel['fields']|sort(attribute='name') %} + + {% endfor %} + + {% endfor %} + +
+ {% for field in datamodel['fields']|sort(attribute='name') %} + {{ field['name'] }}
{{ action['name'] }}{% if 'coverage_map' in datamodel and 'action' in datamodel['coverage_map'] and 'field' in datamodel['coverage_map']['action'] %}{{ datamodel['coverage_map'][action][field]|join(' ') }}{% endif %}
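Review bot: the coverage-map cell in this new template tests the literal strings `'action'` and `'field'` (`'action' in datamodel['coverage_map'] and 'field' in datamodel['coverage_map']['action']`) instead of the loop variables, so the condition is false for every real model and every cell renders empty; the lookup that follows, `datamodel['coverage_map'][action][field]`, also indexes with the loop dicts rather than their names. Suggest `{% if action['name'] in datamodel.get('coverage_map', {}) and field['name'] in datamodel['coverage_map'][action['name']] %}{{ datamodel['coverage_map'][action['name']][field['name']]|join(' ') }}{% endif %}`. Minor: the Fields row `{{ field['name'] }}|{{ field['description'] }}|...` lacks the leading `|` that the Actions row and both header rows have, which is what produces the inconsistent generated tables seen in the user_session.md hunk.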
diff --git a/scripts/generate_datamodels.py b/scripts/generate_datamodels.py new file mode 100644 index 00000000..a35413a9 --- /dev/null +++ b/scripts/generate_datamodels.py 
@@ -0,0 +1,52 @@ +""" +This script generates the data model portion of the site for each YAML data model mapping file. +""" +from glob import glob +from jinja2 import Template +from os import path +from pathlib import Path +from yaml import safe_load + +def parse_yaml(): + datamodel_files = glob(path.join(path.dirname(__file__), "..", "data_model", "*.yaml")) + datamodels = {} + for file in datamodel_files: + with open(file, encoding="utf-8") as f: + datamodels[file] = safe_load(f.read()) + return datamodels + +def cached_load_sensor(): + sensors = {} + def load_sensor(filename): + if filename not in sensors: + sensor_file = path.join(path.dirname(__file__), "..", "sensors", f"(unknown).yaml") + with open(sensor_file, encoding="utf-8") as f: + sensors[filename] = safe_load(f.read()) + return sensors[filename] + return load_sensor + +def replace_sensor_names_with_markdown(datamodels, load_sensor): + def replace_sensor_name_with_markdown(sensor_filename): + return f"[{load_sensor(sensor_filename)['sensor_name']}]('../sensors/{sensor_filename}')" + + for model in datamodels.values(): + if 'coverage_map' in model: + for action in model['coverage_map']: + for field, sensor_filenames in model['coverage_map'][action].items(): + model['coverage_map'][action][field] = [replace_sensor_name_with_markdown(sensor_filename) for sensor_filename in sensor_filenames] + +def generate_markdown(datamodels): + with open('datamodel_template.md') as f: + datamodel_template = Template(f.read()) + for model in datamodels: + with open(f'../docs/data_model/{Path(model).stem}.md', 'w', encoding='utf-8') as f: + f.write(datamodel_template.render(datamodel=datamodels[model])) + +def main(): + datamodels = parse_yaml() + load_sensor = cached_load_sensor() + replace_sensor_names_with_markdown(datamodels, load_sensor) + generate_markdown(datamodels) + +if __name__ == "__main__": + main() From 8ca29c21df13f28b5ac7853f1b678d5a336b3876 Mon Sep 17 00:00:00 2001 
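Review bot: in `cached_load_sensor` the f-string `f"(unknown).yaml"` contains no `{filename}` placeholder as shown, so every sensor name resolves to the same file while the cache is keyed by a name that never reached the path; if this is a transcription artifact, confirm the committed source interpolates `filename`, and either way reject names containing path separators before joining them under `sensors/`, since they are read from the YAML `coverage_map`. `replace_sensor_name_with_markdown` also emits `[name]('../sensors/x')`, and the single quotes become part of the link destination in Markdown; use `[name](../sensors/{sensor_filename})`. `generate_markdown` opens `datamodel_template.md` and `../docs/data_model/...` relative to the current working directory whereas `parse_yaml` anchors on `path.dirname(__file__)`, so the script only works when run from `scripts/`; anchor both on `__file__` and pass `encoding="utf-8"` to the template `open` like the others. Finally, `Template(f.read())` has no autoescaping, so field descriptions and sensor names from the YAML land verbatim in the generated HTML table; enabling `autoescape=True` costs nothing here.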
From: Amndeep Singh Mann Date: Thu, 23 Feb 2023 23:39:45 -0500 Subject: [PATCH 60/82] changed up whitespace and also used td instead of th Signed-off-by: Amndeep Singh Mann --- docs/data_model/authentication.md | 86 +---------- docs/data_model/driver.md | 40 +----- docs/data_model/email.md | 142 +----------------- docs/data_model/file.md | 230 +----------------------------- docs/data_model/flow.md | 118 +-------------- docs/data_model/http.md | 98 +------------ docs/data_model/module.md | 46 +----- docs/data_model/process.md | 126 +--------------- docs/data_model/registry.md | 68 +-------- docs/data_model/service.md | 76 +--------- docs/data_model/socket.md | 50 +------ docs/data_model/thread.md | 88 +----------- docs/data_model/user_session.md | 76 +--------- scripts/datamodel_template.md | 12 +- 14 files changed, 54 insertions(+), 1202 deletions(-) diff --git a/docs/data_model/authentication.md b/docs/data_model/authentication.md index d8df090a..d7875fad 100755 --- a/docs/data_model/authentication.md +++ b/docs/data_model/authentication.md @@ -38,176 +38,96 @@ user_type|type of user that initiated the request.|Administrator, Standard, Gues - ad_domain - app_name - auth_service - auth_target - decision_reason - fqdn - hostname - method - response_time - target_ad_domain - target_uid - target_user - target_user_role - target_user_type - uid - user - user_agent - user_role - user_type - - error - + error - - - - - - - - - - - - - - - - - - - - failure - + failure - - - - - - - - - - - - - - - - - - - - success - + success - - - - - - - - - - - - - - - - - - - diff --git a/docs/data_model/driver.md b/docs/data_model/driver.md index 03de8f08..c76509dc 100755 --- a/docs/data_model/driver.md +++ b/docs/data_model/driver.md 
@@ -29,85 +29,49 @@ signer|The name of the organization which signed the driver.|Microsoft Corporati - base_address - fqdn - hostname - image_path - md5_hash - module_name - pid - sha1_hash - sha256_hash - signature_valid - signer - - load - + load - - - - - - - - - - - - unload - + unload - - - - - - - - - - - diff --git a/docs/data_model/email.md b/docs/data_model/email.md index 7f73bf40..824f2ead 100755 --- a/docs/data_model/email.md +++ b/docs/data_model/email.md @@ -42,286 +42,154 @@ to|the content of the To field in the email header; does not necessarily match u - action_reason - attachment_mime_type - attachment_name - attachment_size - date - dest_address - dest_ip - dest_port - from - message_body - message_links - message_type - return_address - server_relay - smtp_uid - src_address - src_domain - src_ip - src_port - subject - to - - block - + block - - - - - - - - - - - - - - - - - - - - - - delete - + delete - - - - - - - - - - - - - - - - - - - - - - deliver - + deliver - - - - - - - - - - - - - - - - - - - - - - quarantine - + quarantine - - - - - - - - - - - - - - - - - - - - - - redirect - + redirect - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/data_model/file.md b/docs/data_model/file.md index c41c21ba..6567ce71 100755 --- a/docs/data_model/file.md +++ b/docs/data_model/file.md 
@@ -49,460 +49,244 @@ user|The user context in which the thread that caused this event was running. Ma - company - content - creation_time - extension - file_name - file_path - fqdn - gid - group - hostname - image_path - link_target - md5_hash - mime_type - mode - owner - owner_uid - pid - ppid - previous_creation_time - sha1_hash - sha256_hash - signature_valid - signer - uid - user - - acl_modify - + acl_modify - - - - - - - - - - - - - - - - - - - - - - - - - - - create - + create - - - - - - - - - - - - - - - - - - - - - - - - - - - delete - + delete - - - - - - - - - - - - - - - - - - - - - - - - - - - modify - + modify - - - - - - - - - - - - - - - - - - - - - - - - - - - read - + read - - - - - - - - - - - - - - - - - - - - - - - - - - - timestomp - + timestomp - - - - - - - - - - - - - - - - - - - - - - - - - - - write - + write - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/data_model/flow.md b/docs/data_model/flow.md index a7ad5ff0..7993de0b 100755 --- a/docs/data_model/flow.md +++ b/docs/data_model/flow.md @@ -46,240 +46,128 @@ user|The user that ran the process.|HOST1\LOCALUSER - application_protocol - content - dest_fqdn - dest_hostname - dest_ip - dest_port - end_time - exe - fqdn - hostname - image_path - in_bytes - network_direction - out_bytes - packet_count - pid - ppid - proto_info - src_fqdn - src_hostname - src_ip - src_port - start_time - tcp_flags - transport_protocol - uid - user - - end - + end - - - - - - - - - - - - - - - - - - - - - - - - - - - - message - + message - - - - - - - - - - - - - - - - - - - - - - - - - - - - start - + start - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/data_model/http.md b/docs/data_model/http.md index b4a9bc5a..dd44ad8c 100644 --- a/docs/data_model/http.md +++ b/docs/data_model/http.md 
@@ -37,199 +37,109 @@ user_agent_version|User Agent Version. Note that some User Agent strings may not - hostname - http_version - request_body_bytes - request_body_content - request_referrer - requester_ip_address - response_body_bytes - response_body_content - response_status_code - url_domain - url_full - url_remainder - url_scheme - user_agent_device - user_agent_full - user_agent_name - user_agent_version - - get - + get - - - - - - - - - - - - - - - - - - post - + post - - - - - - - - - - - - - - - - - - put - + put - - - - - - - - - - - - - - - - - - tunnel - + tunnel - - - - - - - - - - - - - - - - - diff --git a/docs/data_model/module.md b/docs/data_model/module.md index 8a1c5493..ed072e29 100755 --- a/docs/data_model/module.md +++ b/docs/data_model/module.md @@ -31,97 +31,55 @@ tid|The thread ID of the thread responsible for the load or unload event.|50 - base_address - fqdn - hostname - image_path - md5_hash - module_name - module_path - pid - sha1_hash - sha256_hash - signature_valid - signer - tid - - load - + load - - - - - - - - - - - - - - unload - + unload - - - - - - - - - - - - - diff --git a/docs/data_model/process.md b/docs/data_model/process.md index 7af938a0..997a5f29 100755 --- a/docs/data_model/process.md +++ b/docs/data_model/process.md @@ -48,256 +48,136 @@ user|The user token that process was created with. May be a local, domain or SYS - access_level - call_trace - command_line - current_working_directory - env_vars - exe - fqdn - guid - hostname - image_path - integrity_level - md5_hash - parent_command_line - parent_exe - parent_guid - parent_image_path - pid - ppid - sha1_hash - sha256_hash - sid - signature_valid - signer - target_address - target_guid - target_name - target_pid - uid - user - - access - + access - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - create - + create - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - terminate - + terminate - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
diff --git a/docs/data_model/registry.md b/docs/data_model/registry.md index 61b74771..fc6fbdbb 100755 --- a/docs/data_model/registry.md +++ b/docs/data_model/registry.md @@ -31,139 +31,79 @@ value|The descriptive name for the data being stored.|InstalledVersion - data - fqdn - hive - hostname - image_path - key - new_content - pid - type - user - value - - add - + add - - - - - - - - - - - - key_edit - + key_edit - - - - - - - - - - - - remove - + remove - - - - - - - - - - - - value_edit - + value_edit - - - - - - - - - - - diff --git a/docs/data_model/service.md b/docs/data_model/service.md index 6c97eb60..37311c84 100755 --- a/docs/data_model/service.md +++ b/docs/data_model/service.md @@ -31,154 +31,88 @@ user|The user token that service was created with.|HOST1\LOCALUSER - command_line - exe - fqdn - hostname - image_path - name - pid - ppid - uid - user - - create - + create - - - - - - - - - - - delete - + delete - - - - - - - - - - - pause - + pause - - - - - - - - - - - start - + start - - - - - - - - - - - stop - + stop - - - - - - - - - - diff --git a/docs/data_model/socket.md b/docs/data_model/socket.md index 2ed0be97..87e9346b 100755 --- a/docs/data_model/socket.md +++ b/docs/data_model/socket.md @@ -29,104 +29,60 @@ success|Boolean indicator of whether the socket event was successful (e.g. the s - family - image_path - local_address - local_path - local_port - pid - protocol - remote_address - remote_port - success - - bind - + bind - - - - - - - - - - - close - + close - - - - - - - - - - - listen - + listen - - - - - - - - - - diff --git a/docs/data_model/thread.md b/docs/data_model/thread.md index 276728d6..372b7a5b 100755 --- a/docs/data_model/thread.md +++ b/docs/data_model/thread.md 
@@ -35,179 +35,99 @@ user_stack_limit|The limit of the thread's stack.|0 - hostname - src_pid - src_tid - stack_base - stack_limit - start_address - start_function - start_module - start_module_name - tgt_pid - tgt_tid - uid - user - user_stack_base - user_stack_limit - - create - + create - - - - - - - - - - - - - - - - remote_create - + remote_create - - - - - - - - - - - - - - - - suspend - + suspend - - - - - - - - - - - - - - - - terminate - + terminate - - - - - - - - - - - - - - - diff --git a/docs/data_model/user_session.md b/docs/data_model/user_session.md index 980fee94..efa07e5f 100755 --- a/docs/data_model/user_session.md +++ b/docs/data_model/user_session.md @@ -31,154 +31,88 @@ user|The user affiliated with the session. May be a local, domain or SYSTEM user - dest_ip - dest_port - hostname - login_id - login_successful - login_type - src_ip - src_port - uid - user - - lock - + lock - - - - - - - - - - - login - + login - - - - - - - - - - - logout - + logout - - - - - - - - - - - reconnect - + reconnect - - - - - - - - - - - unlock - + unlock - - - - - - - - - - diff --git a/scripts/datamodel_template.md b/scripts/datamodel_template.md index 60545676..c87ee743 100644 --- a/scripts/datamodel_template.md +++ b/scripts/datamodel_template.md @@ -17,19 +17,15 @@ title: "{{ datamodel['name'] }}" - - {% endfor %} + {% endfor %} {% for action in datamodel['actions']|sort(attribute='name') %} - - {% for field in datamodel['fields']|sort(attribute='name') %} - - {% endfor %} + {% for field in datamodel['fields']|sort(attribute='name') %} + {% endfor %} {% endfor %} From a51838f83e68c713e37f272d8dd2d129e7d23da2 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 23 Feb 2023 23:42:53 -0500 Subject: [PATCH 61/82] changed whitespace again and simplified table structure 
Signed-off-by: Amndeep Singh Mann --- docs/data_model/authentication.md | 184 ++++++------ docs/data_model/driver.md | 91 +++--- docs/data_model/email.md | 298 +++++++++---------- docs/data_model/file.md | 476 +++++++++++++++--------------- docs/data_model/flow.md | 248 ++++++++-------- docs/data_model/http.md | 209 +++++++------ docs/data_model/module.md | 103 +++---- docs/data_model/process.md | 264 ++++++++--------- docs/data_model/registry.md | 149 +++++----- docs/data_model/service.md | 166 +++++------ docs/data_model/socket.md | 112 ++++--- docs/data_model/thread.md | 189 ++++++------ docs/data_model/user_session.md | 166 +++++------ scripts/datamodel_template.md | 22 +- 14 files changed, 1278 insertions(+), 1399 deletions(-) diff --git a/docs/data_model/authentication.md b/docs/data_model/authentication.md index d7875fad..0fe02166 100755 --- a/docs/data_model/authentication.md +++ b/docs/data_model/authentication.md @@ -35,100 +35,92 @@ user_type|type of user that initiated the request.|Administrator, Standard, Gues ## Coverage Map
- {% for field in datamodel['fields']|sort(attribute='name') %} - {{ field['name'] }}{% for field in datamodel['fields']|sort(attribute='name') %} + {{ field['name'] }}
{{ action['name'] }}{% if 'coverage_map' in datamodel and 'action' in datamodel['coverage_map'] and 'field' in datamodel['coverage_map']['action'] %}{{ datamodel['coverage_map'][action][field]|join(' ') }}{% endif %}{{ action['name'] }}{% if 'coverage_map' in datamodel and 'action' in datamodel['coverage_map'] and 'field' in datamodel['coverage_map']['action'] %}{{ datamodel['coverage_map'][action][field]|join(' ') }}{% endif %}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- ad_domainapp_nameauth_serviceauth_targetdecision_reasonfqdnhostnamemethodresponse_timetarget_ad_domaintarget_uidtarget_usertarget_user_roletarget_user_typeuiduseruser_agentuser_roleuser_type
error
failure
success
+ ad_domainapp_nameauth_serviceauth_targetdecision_reasonfqdnhostnamemethodresponse_timetarget_ad_domaintarget_uidtarget_usertarget_user_roletarget_user_typeuiduseruser_agentuser_roleuser_type
error
failure
success
\ No newline at end of file diff --git a/docs/data_model/driver.md b/docs/data_model/driver.md index c76509dc..9784cf17 100755 --- a/docs/data_model/driver.md +++ b/docs/data_model/driver.md @@ -26,53 +26,46 @@ signer|The name of the organization which signed the driver.|Microsoft Corporati ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- base_addressfqdnhostnameimage_pathmd5_hashmodule_namepidsha1_hashsha256_hashsignature_validsigner
load
unload
+ base_addressfqdnhostnameimage_pathmd5_hashmodule_namepidsha1_hashsha256_hashsignature_validsigner
load
unload
\ No newline at end of file diff --git a/docs/data_model/email.md b/docs/data_model/email.md index 824f2ead..c69f9950 100755 --- a/docs/data_model/email.md +++ b/docs/data_model/email.md @@ -39,158 +39,148 @@ to|the content of the To field in the email header; does not necessarily match u ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- action_reasonattachment_mime_typeattachment_nameattachment_sizedatedest_addressdest_ipdest_portfrommessage_bodymessage_linksmessage_typereturn_addressserver_relaysmtp_uidsrc_addresssrc_domainsrc_ipsrc_portsubjectto
block
delete
deliver
quarantine
redirect
+ action_reasonattachment_mime_typeattachment_nameattachment_sizedatedest_addressdest_ipdest_portfrommessage_bodymessage_linksmessage_typereturn_addressserver_relaysmtp_uidsrc_addresssrc_domainsrc_ipsrc_portsubjectto
block
delete
deliver
quarantine
redirect
\ No newline at end of file diff --git a/docs/data_model/file.md b/docs/data_model/file.md index 6567ce71..9997cd0d 100755 --- a/docs/data_model/file.md +++ b/docs/data_model/file.md @@ -46,248 +46,236 @@ user|The user context in which the thread that caused this event was running. Ma ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- companycontentcreation_timeextensionfile_namefile_pathfqdngidgrouphostnameimage_pathlink_targetmd5_hashmime_typemodeownerowner_uidpidppidprevious_creation_timesha1_hashsha256_hashsignature_validsigneruiduser
acl_modify
create
delete
modify
read
timestomp
write
+ companycontentcreation_timeextensionfile_namefile_pathfqdngidgrouphostnameimage_pathlink_targetmd5_hashmime_typemodeownerowner_uidpidppidprevious_creation_timesha1_hashsha256_hashsignature_validsigneruiduser
acl_modify
create
delete
modify
read
timestomp
write
\ No newline at end of file diff --git a/docs/data_model/flow.md b/docs/data_model/flow.md index 7993de0b..2cb51127 100755 --- a/docs/data_model/flow.md +++ b/docs/data_model/flow.md @@ -43,132 +43,124 @@ user|The user that ran the process.|HOST1\LOCALUSER ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- application_protocolcontentdest_fqdndest_hostnamedest_ipdest_portend_timeexefqdnhostnameimage_pathin_bytesnetwork_directionout_bytespacket_countpidppidproto_infosrc_fqdnsrc_hostnamesrc_ipsrc_portstart_timetcp_flagstransport_protocoluiduser
end
message
start
+ application_protocolcontentdest_fqdndest_hostnamedest_ipdest_portend_timeexefqdnhostnameimage_pathin_bytesnetwork_directionout_bytespacket_countpidppidproto_infosrc_fqdnsrc_hostnamesrc_ipsrc_portstart_timetcp_flagstransport_protocoluiduser
end
message
start
\ No newline at end of file diff --git a/docs/data_model/http.md b/docs/data_model/http.md index dd44ad8c..0e239f2f 100644 --- a/docs/data_model/http.md +++ b/docs/data_model/http.md @@ -34,113 +34,104 @@ user_agent_version|User Agent Version. Note that some User Agent strings may not ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- hostnamehttp_versionrequest_body_bytesrequest_body_contentrequest_referrerrequester_ip_addressresponse_body_bytesresponse_body_contentresponse_status_codeurl_domainurl_fullurl_remainderurl_schemeuser_agent_deviceuser_agent_fulluser_agent_nameuser_agent_version
get
post
put
tunnel
+ hostnamehttp_versionrequest_body_bytesrequest_body_contentrequest_referrerrequester_ip_addressresponse_body_bytesresponse_body_contentresponse_status_codeurl_domainurl_fullurl_remainderurl_schemeuser_agent_deviceuser_agent_fulluser_agent_nameuser_agent_version
get
post
put
tunnel
\ No newline at end of file diff --git a/docs/data_model/module.md b/docs/data_model/module.md index ed072e29..effbc1f9 100755 --- a/docs/data_model/module.md +++ b/docs/data_model/module.md @@ -28,59 +28,52 @@ tid|The thread ID of the thread responsible for the load or unload event.|50 ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- base_addressfqdnhostnameimage_pathmd5_hashmodule_namemodule_pathpidsha1_hashsha256_hashsignature_validsignertid
load
unload
+ base_addressfqdnhostnameimage_pathmd5_hashmodule_namemodule_pathpidsha1_hashsha256_hashsignature_validsignertid
load
unload
\ No newline at end of file diff --git a/docs/data_model/process.md b/docs/data_model/process.md index 997a5f29..9f45513d 100755 --- a/docs/data_model/process.md +++ b/docs/data_model/process.md @@ -45,140 +45,132 @@ user|The user token that process was created with. May be a local, domain or SYS ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- access_levelcall_tracecommand_linecurrent_working_directoryenv_varsexefqdnguidhostnameimage_pathintegrity_levelmd5_hashparent_command_lineparent_exeparent_guidparent_image_pathpidppidsha1_hashsha256_hashsidsignature_validsignertarget_addresstarget_guidtarget_nametarget_piduiduser
access
create
terminate
+ access_levelcall_tracecommand_linecurrent_working_directoryenv_varsexefqdnguidhostnameimage_pathintegrity_levelmd5_hashparent_command_lineparent_exeparent_guidparent_image_pathpidppidsha1_hashsha256_hashsidsignature_validsignertarget_addresstarget_guidtarget_nametarget_piduiduser
access
create
terminate
\ No newline at end of file diff --git a/docs/data_model/registry.md b/docs/data_model/registry.md index fc6fbdbb..8acfe66b 100755 --- a/docs/data_model/registry.md +++ b/docs/data_model/registry.md @@ -28,83 +28,74 @@ value|The descriptive name for the data being stored.|InstalledVersion ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- datafqdnhivehostnameimage_pathkeynew_contentpidtypeuservalue
add
key_edit
remove
value_edit
+ datafqdnhivehostnameimage_pathkeynew_contentpidtypeuservalue
add
key_edit
remove
value_edit
\ No newline at end of file diff --git a/docs/data_model/service.md b/docs/data_model/service.md index 37311c84..a576112e 100755 --- a/docs/data_model/service.md +++ b/docs/data_model/service.md @@ -28,92 +28,82 @@ user|The user token that service was created with.|HOST1\LOCALUSER ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- command_lineexefqdnhostnameimage_pathnamepidppiduiduser
create
delete
pause
start
stop
+ command_lineexefqdnhostnameimage_pathnamepidppiduiduser
create
delete
pause
start
stop
\ No newline at end of file diff --git a/docs/data_model/socket.md b/docs/data_model/socket.md index 87e9346b..d5d9f840 100755 --- a/docs/data_model/socket.md +++ b/docs/data_model/socket.md @@ -26,64 +26,56 @@ success|Boolean indicator of whether the socket event was successful (e.g. the s ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- familyimage_pathlocal_addresslocal_pathlocal_portpidprotocolremote_addressremote_portsuccess
bind
close
listen
+ familyimage_pathlocal_addresslocal_pathlocal_portpidprotocolremote_addressremote_portsuccess
bind
close
listen
\ No newline at end of file diff --git a/docs/data_model/thread.md b/docs/data_model/thread.md index 372b7a5b..22668139 100755 --- a/docs/data_model/thread.md +++ b/docs/data_model/thread.md @@ -32,103 +32,94 @@ user_stack_limit|The limit of the thread's stack.|0 ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- hostnamesrc_pidsrc_tidstack_basestack_limitstart_addressstart_functionstart_modulestart_module_nametgt_pidtgt_tiduiduseruser_stack_baseuser_stack_limit
create
remote_create
suspend
terminate
+ hostnamesrc_pidsrc_tidstack_basestack_limitstart_addressstart_functionstart_modulestart_module_nametgt_pidtgt_tiduiduseruser_stack_baseuser_stack_limit
create
remote_create
suspend
terminate
\ No newline at end of file diff --git a/docs/data_model/user_session.md b/docs/data_model/user_session.md index efa07e5f..28aba06c 100755 --- a/docs/data_model/user_session.md +++ b/docs/data_model/user_session.md @@ -28,92 +28,82 @@ user|The user affiliated with the session. May be a local, domain or SYSTEM user ## Coverage Map - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
- dest_ipdest_porthostnamelogin_idlogin_successfullogin_typesrc_ipsrc_portuiduser
lock
login
logout
reconnect
unlock
+ dest_ipdest_porthostnamelogin_idlogin_successfullogin_typesrc_ipsrc_portuiduser
lock
login
logout
reconnect
unlock
\ No newline at end of file diff --git a/scripts/datamodel_template.md b/scripts/datamodel_template.md index c87ee743..bacad3aa 100644 --- a/scripts/datamodel_template.md +++ b/scripts/datamodel_template.md @@ -15,18 +15,12 @@ title: "{{ datamodel['name'] }}" ## Coverage Map - - - {% endfor %} - - - - {% for action in datamodel['actions']|sort(attribute='name') %} - - {% for field in datamodel['fields']|sort(attribute='name') %} - {% endfor %} - - {% endfor %} - + + {% endfor %} + {% for action in datamodel['actions']|sort(attribute='name') %} + + {% for field in datamodel['fields']|sort(attribute='name') %} + {% endfor %} + {% endfor %}
{% for field in datamodel['fields']|sort(attribute='name') %} - {{ field['name'] }}
{{ action['name'] }}{% if 'coverage_map' in datamodel and 'action' in datamodel['coverage_map'] and 'field' in datamodel['coverage_map']['action'] %}{{ datamodel['coverage_map'][action][field]|join(' ') }}{% endif %}
{% for field in datamodel['fields']|sort(attribute='name') %} + {{ field['name'] }}
{{ action['name'] }}{% if 'coverage_map' in datamodel and 'action' in datamodel['coverage_map'] and 'field' in datamodel['coverage_map']['action'] %}{{ datamodel['coverage_map'][action][field]|join(' ') }}{% endif %}
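Review bot: the guard in the template hunk's inner loop, `{% if 'coverage_map' in datamodel and 'action' in datamodel['coverage_map'] and 'field' in datamodel['coverage_map']['action'] %}`, tests for the literal string keys `'action'` and `'field'`, while the lookup it wraps, `{{ datamodel['coverage_map'][action][field]|join(' ') }}`, indexes with the loop variables, so the two expressions cannot both be right for any one shape of `coverage_map`: if the map is keyed by action and field names the guard is never true and no coverage is ever rendered, and if it did contain those literal keys the lookup would still index by the whole `action`/`field` mapping objects rather than their names. Suggest keying both sides on the names, e.g. `{% if action['name'] in datamodel.get('coverage_map', {}) and field['name'] in datamodel['coverage_map'][action['name']] %}{{ datamodel['coverage_map'][action['name']][field['name']]|join(' ') }}{% endif %}`. The condition is carried over unchanged from the removed lines, but since this hunk rewrites the whole row it is the right place to fix it.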
From ffac3732937d369575d0bdc700075ffc51104f79 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 23 Feb 2023 23:44:48 -0500 Subject: [PATCH 62/82] trying with th again Signed-off-by: Amndeep Singh Mann --- docs/data_model/authentication.md | 6 +++--- docs/data_model/driver.md | 4 ++-- docs/data_model/email.md | 10 +++++----- docs/data_model/file.md | 14 +++++++------- docs/data_model/flow.md | 6 +++--- docs/data_model/http.md | 8 ++++---- docs/data_model/module.md | 4 ++-- docs/data_model/process.md | 6 +++--- docs/data_model/registry.md | 8 ++++---- docs/data_model/service.md | 10 +++++----- docs/data_model/socket.md | 6 +++--- docs/data_model/thread.md | 8 ++++---- docs/data_model/user_session.md | 10 +++++----- scripts/datamodel_template.md | 2 +- 14 files changed, 51 insertions(+), 51 deletions(-) diff --git a/docs/data_model/authentication.md b/docs/data_model/authentication.md index 0fe02166..6aa929be 100755 --- a/docs/data_model/authentication.md +++ b/docs/data_model/authentication.md @@ -58,7 +58,7 @@ user_type|type of user that initiated the request.|Administrator, Standard, Gues user_type - error + error @@ -80,7 +80,7 @@ user_type|type of user that initiated the request.|Administrator, Standard, Gues - failure + failure @@ -102,7 +102,7 @@ user_type|type of user that initiated the request.|Administrator, Standard, Gues - success + success diff --git a/docs/data_model/driver.md b/docs/data_model/driver.md index 9784cf17..f4a9bac0 100755 --- a/docs/data_model/driver.md +++ b/docs/data_model/driver.md @@ -41,7 +41,7 @@ signer|The name of the organization which signed the driver.|Microsoft Corporati signer - load + load @@ -55,7 +55,7 @@ signer|The name of the organization which signed the driver.|Microsoft Corporati - unload + unload diff --git a/docs/data_model/email.md b/docs/data_model/email.md index c69f9950..fad83d7f 100755 --- a/docs/data_model/email.md +++ b/docs/data_model/email.md 
@@ -64,7 +64,7 @@ to|the content of the To field in the email header; does not necessarily match u to - block + block @@ -88,7 +88,7 @@ to|the content of the To field in the email header; does not necessarily match u - delete + delete @@ -112,7 +112,7 @@ to|the content of the To field in the email header; does not necessarily match u - deliver + deliver @@ -136,7 +136,7 @@ to|the content of the To field in the email header; does not necessarily match u - quarantine + quarantine @@ -160,7 +160,7 @@ to|the content of the To field in the email header; does not necessarily match u - redirect + redirect diff --git a/docs/data_model/file.md b/docs/data_model/file.md index 9997cd0d..117d3ce2 100755 --- a/docs/data_model/file.md +++ b/docs/data_model/file.md @@ -76,7 +76,7 @@ user|The user context in which the thread that caused this event was running. Ma user - acl_modify + acl_modify @@ -105,7 +105,7 @@ user|The user context in which the thread that caused this event was running. Ma - create + create @@ -134,7 +134,7 @@ user|The user context in which the thread that caused this event was running. Ma - delete + delete @@ -163,7 +163,7 @@ user|The user context in which the thread that caused this event was running. Ma - modify + modify @@ -192,7 +192,7 @@ user|The user context in which the thread that caused this event was running. Ma - read + read @@ -221,7 +221,7 @@ user|The user context in which the thread that caused this event was running. Ma - timestomp + timestomp @@ -250,7 +250,7 @@ user|The user context in which the thread that caused this event was running. Ma - write + write diff --git a/docs/data_model/flow.md b/docs/data_model/flow.md index 2cb51127..f0219d4f 100755 --- a/docs/data_model/flow.md +++ b/docs/data_model/flow.md @@ -74,7 +74,7 @@ user|The user that ran the process.|HOST1\LOCALUSER user - end + end @@ -104,7 +104,7 @@ user|The user that ran the process.|HOST1\LOCALUSER - message + message 
@@ -134,7 +134,7 @@ user|The user that ran the process.|HOST1\LOCALUSER - start + start diff --git a/docs/data_model/http.md b/docs/data_model/http.md index 0e239f2f..e1db30e3 100644 --- a/docs/data_model/http.md +++ b/docs/data_model/http.md @@ -55,7 +55,7 @@ user_agent_version|User Agent Version. Note that some User Agent strings may not user_agent_version - get + get @@ -75,7 +75,7 @@ user_agent_version|User Agent Version. Note that some User Agent strings may not - post + post @@ -95,7 +95,7 @@ user_agent_version|User Agent Version. Note that some User Agent strings may not - put + put @@ -115,7 +115,7 @@ user_agent_version|User Agent Version. Note that some User Agent strings may not - tunnel + tunnel diff --git a/docs/data_model/module.md b/docs/data_model/module.md index effbc1f9..4d3a21a2 100755 --- a/docs/data_model/module.md +++ b/docs/data_model/module.md @@ -45,7 +45,7 @@ tid|The thread ID of the thread responsible for the load or unload event.|50 tid - load + load @@ -61,7 +61,7 @@ tid|The thread ID of the thread responsible for the load or unload event.|50 - unload + unload diff --git a/docs/data_model/process.md b/docs/data_model/process.md index 9f45513d..94851bfa 100755 --- a/docs/data_model/process.md +++ b/docs/data_model/process.md @@ -78,7 +78,7 @@ user|The user token that process was created with. May be a local, domain or SYS user - access + access @@ -110,7 +110,7 @@ user|The user token that process was created with. May be a local, domain or SYS - create + create @@ -142,7 +142,7 @@ user|The user token that process was created with. May be a local, domain or SYS - terminate + terminate diff --git a/docs/data_model/registry.md b/docs/data_model/registry.md index 8acfe66b..3c13a1df 100755 --- a/docs/data_model/registry.md +++ b/docs/data_model/registry.md @@ -43,7 +43,7 @@ value|The descriptive name for the data being stored.|InstalledVersion value - add + add 
@@ -57,7 +57,7 @@ value|The descriptive name for the data being stored.|InstalledVersion - key_edit + key_edit @@ -71,7 +71,7 @@ value|The descriptive name for the data being stored.|InstalledVersion - remove + remove @@ -85,7 +85,7 @@ value|The descriptive name for the data being stored.|InstalledVersion - value_edit + value_edit diff --git a/docs/data_model/service.md b/docs/data_model/service.md index a576112e..3e8d5881 100755 --- a/docs/data_model/service.md +++ b/docs/data_model/service.md @@ -42,7 +42,7 @@ user|The user token that service was created with.|HOST1\LOCALUSER user - create + create @@ -55,7 +55,7 @@ user|The user token that service was created with.|HOST1\LOCALUSER - delete + delete @@ -68,7 +68,7 @@ user|The user token that service was created with.|HOST1\LOCALUSER - pause + pause @@ -81,7 +81,7 @@ user|The user token that service was created with.|HOST1\LOCALUSER - start + start @@ -94,7 +94,7 @@ user|The user token that service was created with.|HOST1\LOCALUSER - stop + stop diff --git a/docs/data_model/socket.md b/docs/data_model/socket.md index d5d9f840..3ec92b26 100755 --- a/docs/data_model/socket.md +++ b/docs/data_model/socket.md @@ -40,7 +40,7 @@ success|Boolean indicator of whether the socket event was successful (e.g. the s success - bind + bind @@ -53,7 +53,7 @@ success|Boolean indicator of whether the socket event was successful (e.g. the s - close + close @@ -66,7 +66,7 @@ success|Boolean indicator of whether the socket event was successful (e.g. the s - listen + listen diff --git a/docs/data_model/thread.md b/docs/data_model/thread.md index 22668139..61157f2e 100755 --- a/docs/data_model/thread.md +++ b/docs/data_model/thread.md @@ -51,7 +51,7 @@ user_stack_limit|The limit of the thread's stack.|0 user_stack_limit - create + create @@ -69,7 +69,7 @@ user_stack_limit|The limit of the thread's stack.|0 - remote_create + remote_create @@ -87,7 +87,7 @@ user_stack_limit|The limit of the thread's stack.|0 - suspend + suspend 
@@ -105,7 +105,7 @@ user_stack_limit|The limit of the thread's stack.|0 - terminate + terminate diff --git a/docs/data_model/user_session.md b/docs/data_model/user_session.md index 28aba06c..4ece7e60 100755 --- a/docs/data_model/user_session.md +++ b/docs/data_model/user_session.md @@ -42,7 +42,7 @@ user|The user affiliated with the session. May be a local, domain or SYSTEM user user - lock + lock @@ -55,7 +55,7 @@ user|The user affiliated with the session. May be a local, domain or SYSTEM user - login + login @@ -68,7 +68,7 @@ user|The user affiliated with the session. May be a local, domain or SYSTEM user - logout + logout @@ -81,7 +81,7 @@ user|The user affiliated with the session. May be a local, domain or SYSTEM user - reconnect + reconnect @@ -94,7 +94,7 @@ user|The user affiliated with the session. May be a local, domain or SYSTEM user - unlock + unlock diff --git a/scripts/datamodel_template.md b/scripts/datamodel_template.md index bacad3aa..b7da1720 100644 --- a/scripts/datamodel_template.md +++ b/scripts/datamodel_template.md @@ -20,7 +20,7 @@ title: "{{ datamodel['name'] }}" {{ field['name'] }}{% endfor %} {% for action in datamodel['actions']|sort(attribute='name') %} - {{ action['name'] }}{% for field in datamodel['fields']|sort(attribute='name') %} + {{ action['name'] }}{% for field in datamodel['fields']|sort(attribute='name') %} {% if 'coverage_map' in datamodel and 'action' in datamodel['coverage_map'] and 'field' in datamodel['coverage_map']['action'] %}{{ datamodel['coverage_map'][action][field]|join(' ') }}{% endif %}{% endfor %} {% endfor %} From 69374821e667307baaf9885ad366286cf78b19ed Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 23 Feb 2023 23:51:11 -0500 Subject: [PATCH 63/82] wrapped examples with code tags 
Signed-off-by: Amndeep Singh Mann --- docs/data_model/authentication.md | 38 +++++++++++----------- docs/data_model/driver.md | 22 ++++++------- docs/data_model/email.md | 40 +++++++++++------------ docs/data_model/file.md | 50 ++++++++++++++-------------- docs/data_model/flow.md | 54 +++++++++++++++---------------- docs/data_model/http.md | 30 ++++++++--------- docs/data_model/module.md | 26 +++++++-------- docs/data_model/process.md | 52 ++++++++++++++--------------- docs/data_model/registry.md | 22 ++++++------- docs/data_model/service.md | 20 ++++++------ docs/data_model/socket.md | 20 ++++++------ docs/data_model/thread.md | 30 ++++++++--------- docs/data_model/user_session.md | 20 ++++++------ scripts/datamodel_template.md | 2 +- 14 files changed, 213 insertions(+), 213 deletions(-) diff --git a/docs/data_model/authentication.md b/docs/data_model/authentication.md index 6aa929be..0b9cf264 100755 --- a/docs/data_model/authentication.md +++ b/docs/data_model/authentication.md 
@@ -13,25 +13,25 @@ An authentication event occurs whenever a user or process attempts to access a p ## Fields |Field|Description|Example| |---|---|---| -ad_domain|Active Directory domain from which the authentication request was generated; may differ from the target_ad_domain.|ad2.mitre.org -app_name|Name of the application that made the authentication request|ssh, win:local -auth_service|The name of the service that was utilized to accomplish authentication|Okta, ActiveDirectory -auth_target|machine for which authentication was requested; may be different than the host that the request is made from.|HOST2 -decision_reason|The justification for approving or denying an authentication request.|password is invalid -fqdn|The fully qualified domain name for the host from which authentication was requested.|HOST1.mitre.org -hostname|Hostname of the host from which authentication was requested.|HOST1 -method|The authentication method that was used.|SMAL, Kerberos -response_time|Duration of time it took for an authentication response to be received.|12ms -target_ad_domain|The Active Directory domain within which authentication was requested.|ad.mitre.org -target_uid|User ID for the user being authenticated.|S-1-5-19 -target_user|Name of the user being authenticated; this only pertains to privilage escalation events where the current user is not necessarily the same as the target user.|HOST1\LOCALUSER2 -target_user_role|IPAM access control role for the user being authenticated; this only pertains to privilege escalation events where the current user is not necessarily the same as the target user.|System Administrator Role -target_user_type|type of user that was authenticated; this only pertains to privilege escalation events where the current user is not necessarily the same as the target user.|Administrator, Standard, Guest -uid|User ID for the process that initiated the authentication request.|S-1-5-18 -user|Name of the user that initiated the request.|HOST1\LOCALUSER1 
-user_agent|The user agent through which the request was made.|aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4 -user_role|IPAM access control role for the user that initiated the authentication request.|DNS Record Administrator Role -user_type|type of user that initiated the request.|Administrator, Standard, Guest +ad_domain|Active Directory domain from which the authentication request was generated; may differ from the target_ad_domain.|ad2.mitre.org +app_name|Name of the application that made the authentication request|ssh, win:local +auth_service|The name of the service that was utilized to accomplish authentication|Okta, ActiveDirectory +auth_target|machine for which authentication was requested; may be different than the host that the request is made from.|HOST2 +decision_reason|The justification for approving or denying an authentication request.|password is invalid +fqdn|The fully qualified domain name for the host from which authentication was requested.|HOST1.mitre.org +hostname|Hostname of the host from which authentication was requested.|HOST1 +method|The authentication method that was used.|SMAL, Kerberos +response_time|Duration of time it took for an authentication response to be received.|12ms +target_ad_domain|The Active Directory domain within which authentication was requested.|ad.mitre.org +target_uid|User ID for the user being authenticated.|S-1-5-19 +target_user|Name of the user being authenticated; this only pertains to privilage escalation events where the current user is not necessarily the same as the target user.|HOST1\LOCALUSER2 +target_user_role|IPAM access control role for the user being authenticated; this only pertains to privilege escalation events where the current user is not necessarily the same as the target user.|System Administrator Role +target_user_type|type of user that was authenticated; this only pertains to privilege escalation events where the current user is not necessarily the same as the target 
user.|Administrator, Standard, Guest +uid|User ID for the process that initiated the authentication request.|S-1-5-18 +user|Name of the user that initiated the request.|HOST1\LOCALUSER1 +user_agent|The user agent through which the request was made.|aws-cli/2.0.0 Python/3.7.4 Darwin/18.7.0 botocore/2.0.0dev4 +user_role|IPAM access control role for the user that initiated the authentication request.|DNS Record Administrator Role +user_type|type of user that initiated the request.|Administrator, Standard, Guest ## Coverage Map diff --git a/docs/data_model/driver.md b/docs/data_model/driver.md index f4a9bac0..e2591c76 100755 --- a/docs/data_model/driver.md +++ b/docs/data_model/driver.md 
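Review bot: two spelling errors survive into the re-added rows of the authentication.md hunk and should be fixed while these lines are being touched: `method|The authentication method that was used.|SMAL, Kerberos` should read `SAML`, and the `target_user` row's "this only pertains to privilage escalation events" should read "privilege" (the neighbouring `target_user_role` and `target_user_type` rows already spell it correctly). Minor: `app_name`, `auth_service` and `method` are the only rows whose descriptions vary in terminal punctuation and capitalisation ("type of user that initiated the request."), so a pass for consistency with the other rows would be cheap here.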
@@ -12,17 +12,17 @@ A driver is software that runs in the operating system kernel. Drivers are gener ## Fields |Field|Description|Example| |---|---|---| -base_address|A hex address indicating where the driver is loaded into the kernel.|18446735277684027392 -fqdn|The fully qualified domain name of the host in which the process ran. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM -hostname|The hostname of the host, without the domain.|HOST1 -image_path|The file system location of the driver.|C:\Windows\System32\drivers\scsiport.sys -md5_hash|The MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 -module_name|The name of the driver or program.|NvStreamKms.sys -pid|The Process ID that loaded or unloaded the driver|1533 -sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed -sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 -signature_valid|Boolean indicator of whether the driver is signed and whether the signature is current and not revoked|True -signer|The name of the organization which signed the driver.|Microsoft Corporation +base_address|A hex address indicating where the driver is loaded into the kernel.|18446735277684027392 +fqdn|The fully qualified domain name of the host in which the process ran. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system location of the driver.|C:\Windows\System32\drivers\scsiport.sys +md5_hash|The MD5 hash of the contents of the file located at `image_path`. 
The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +module_name|The name of the driver or program.|NvStreamKms.sys +pid|The Process ID that loaded or unloaded the driver|1533 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +signature_valid|Boolean indicator of whether the driver is signed and whether the signature is current and not revoked|True +signer|The name of the organization which signed the driver.|Microsoft Corporation ## Coverage Map
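Review bot: in the driver.md hunk the `base_address` row describes "A hex address indicating where the driver is loaded into the kernel" but its example, `18446735277684027392`, is a decimal rendering; the same value in hex is `FFFFF8000405F000` (`0xFFFFF8000405F000`), which is what a reader comparing against kernel logs would expect, and it matches the "hex notation, without the 0x prefix" convention the `md5_hash` row in this same hunk spells out. Minor: `pid|The Process ID that loaded or unloaded the driver|1533` and `signature_valid|...not revoked|True` are the two rows missing a terminal period.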
diff --git a/docs/data_model/email.md b/docs/data_model/email.md index fad83d7f..96979db9 100755 --- a/docs/data_model/email.md +++ b/docs/data_model/email.md 
@@ -15,27 +15,27 @@ Email events are at the mail server level. ## Fields |Field|Description|Example| |---|---|---| -action_reason|The rationale given for blocking, redirecting, or quarantining an email.|Malformed Message -attachment_mime_type|The MIME type of the attachment.|.docx -attachment_name|Filename of any email attachment that may exist.|cuddly-cats.pdf -attachment_size|Filesize of the attachment.|567 Kb -date|SMTP date header, which is actually a date time group.|Thu Jul 18 09:30:00 PDT 2019 -dest_address|Recipient email address, taken from the SMTP "Recipient" field.|adam@example.com -dest_ip|The destination IP address for the email.|221.174.222.111 -dest_port|The destination port for the email.|993 -from|Displayed sender name from the Message Information header; can be easily forged.|eve@trusted-advisors.com -message_body|Content of the email, not including subject.|Hello World -message_links|URLs extracted from the email body.|https://www.cnn.com -message_type|Content protocol of the message body|html -return_address|Email address to which replies should be sent, also known as Return-Path or Reply-To; may differ from the src_address.|eve_secondary@example.com +action_reason|The rationale given for blocking, redirecting, or quarantining an email.|Malformed Message +attachment_mime_type|The MIME type of the attachment.|.docx +attachment_name|Filename of any email attachment that may exist.|cuddly-cats.pdf +attachment_size|Filesize of the attachment.|567 Kb +date|SMTP date header, which is actually a date time group.|Thu Jul 18 09:30:00 PDT 2019 +dest_address|Recipient email address, taken from the SMTP "Recipient" field.|adam@example.com +dest_ip|The destination IP address for the email.|221.174.222.111 +dest_port|The destination port for the email.|993 +from|Displayed sender name from the Message Information header; can be easily forged.|eve@trusted-advisors.com +message_body|Content of the email, not including subject.|Hello World +message_links|URLs 
extracted from the email body.|https://www.cnn.com +message_type|Content protocol of the message body|html +return_address|Email address to which replies should be sent, also known as Return-Path or Reply-To; may differ from the src_address.|eve_secondary@example.com server_relay|The Received portion of the SMTP header, which provides the chain of hosts that the email passed through during delivery; each link usually contains an IP address, domain, and datetime group.| -smtp_uid|Distint ID used to distinguish emails.|MN2PR09MB4876CCE7F183A83E6BA1C4C1CBF50@PP34399.prod.outlook.com -src_address|Email address of the sender, taken from the "Sender" SMTP field.|eve@example.com -src_domain|The domain portion of the src_address.|example.com -src_ip|Originating IP address.|172.183.195.200 -src_port|Originating port.|1248 -subject|Subject line of the email.|Lo0k Younger Whl1e L0slng We19ht!! -to|the content of the To field in the email header; does not necessarily match up with real recipients.|adam@example.com +smtp_uid|Distint ID used to distinguish emails.|MN2PR09MB4876CCE7F183A83E6BA1C4C1CBF50@PP34399.prod.outlook.com +src_address|Email address of the sender, taken from the "Sender" SMTP field.|eve@example.com +src_domain|The domain portion of the src_address.|example.com +src_ip|Originating IP address.|172.183.195.200 +src_port|Originating port.|1248 +subject|Subject line of the email.|Lo0k Younger Whl1e L0slng We19ht!! +to|the content of the To field in the email header; does not necessarily match up with real recipients.|adam@example.com ## Coverage Map
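Review bot: in the email.md hunk the `attachment_mime_type` row is described as "The MIME type of the attachment" but its example, `.docx`, is a file extension; a MIME type example for that format would be `application/vnd.openxmlformats-officedocument.wordprocessingml.document`, or the row should be renamed to match what it actually holds. Also fix the typo in `smtp_uid|Distint ID used to distinguish emails.` ("Distinct") while the row is being re-added.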
diff --git a/docs/data_model/file.md b/docs/data_model/file.md index 117d3ce2..f9f669e4 100755 --- a/docs/data_model/file.md +++ b/docs/data_model/file.md 
@@ -18,31 +18,31 @@ A resource for storing information available to a computer program. |Field|Description|Example| |---|---|---| company|The name of the organization listed in the file located at `image_path`.| -content|The contents of the file.|Hello World -creation_time|The creation time of the file as described in UTC and including the date.|05/14/2015 12:47:06 -extension|The file extension of the file.|.docx -file_name|The name of the file.|MyWordDoc.docx -file_path|The full path to the file on the file system.|C:\users\fakeuser\documents\MyFile. -fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM -gid|The group ID of the file.|801 -group|The group owner of the file.|admin -hostname|The hostname of the host, without the domain.|HOST1 -image_path|The file system location of the executable that is associated with the pid that generated this event.|C:\Windows\system32\notepad.exe -link_target|The target path of a symbolic link.|C:\my_special_file.exe -md5_hash|An MD5 hash of the contents of the file located at `image_path`. 
The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 -mime_type|The MIME type of the file.|PE -mode|The mode or permissions set of the file.|0644 (linux) or NTFS ACL -owner|The username of the owner of the file.|adam -owner_uid|The user ID of the owner of the file.|501 -pid|The process ID for the process that generated this file event, represented in decimal notation.|738 -ppid|The process ID of the parent process of the process associated with this file event, represented in decimal notation.|1860 -previous_creation_time|The creation_time associated with the file before it was changed for this file event.|05/14/2015 12:47:06 -sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed -sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 -signature_valid|Boolean indicator of whether the signature is valid; empty if file is not signed.|True -signer|The company listed on the certificate of the program at `image_path` if that program is signed.|Microsoft Corporation -uid|The user ID or SID for the acting entity.|S-1-5-18 -user|The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user. Formatted as \. Because threads are allowed to impersonate users, this may be different than the user context of the process.|HOST1\LOCALUSER +content|The contents of the file.|Hello World +creation_time|The creation time of the file as described in UTC and including the date.|05/14/2015 12:47:06 +extension|The file extension of the file.|.docx +file_name|The name of the file.|MyWordDoc.docx +file_path|The full path to the file on the file system.|C:\users\fakeuser\documents\MyFile. +fqdn|The fully qualified domain name of the host. 
Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +gid|The group ID of the file.|801 +group|The group owner of the file.|admin +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system location of the executable that is associated with the pid that generated this event.|C:\Windows\system32\notepad.exe +link_target|The target path of a symbolic link.|C:\my_special_file.exe +md5_hash|An MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +mime_type|The MIME type of the file.|PE +mode|The mode or permissions set of the file.|0644 (linux) or NTFS ACL +owner|The username of the owner of the file.|adam +owner_uid|The user ID of the owner of the file.|501 +pid|The process ID for the process that generated this file event, represented in decimal notation.|738 +ppid|The process ID of the parent process of the process associated with this file event, represented in decimal notation.|1860 +previous_creation_time|The creation_time associated with the file before it was changed for this file event.|05/14/2015 12:47:06 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +signature_valid|Boolean indicator of whether the signature is valid; empty if file is not signed.|True +signer|The company listed on the certificate of the program at `image_path` if that program is signed.|Microsoft Corporation +uid|The user ID or SID for the acting entity.|S-1-5-18 +user|The user context in which the thread that caused this event was running. May be a local, domain or SYSTEM user. Formatted as \. Because threads are allowed to impersonate users, this may be different than the user context of the process.|HOST1\LOCALUSER ## Coverage Map
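Review bot: three rows in the file.md hunk carry defective examples or text that should be corrected while they are being rewrapped: `file_path|...|C:\users\fakeuser\documents\MyFile.` ends in a bare dot with no extension, inconsistent with the `file_name` example `MyWordDoc.docx`; `mime_type|The MIME type of the file.|PE` gives a file format rather than a MIME type (the registered type is `application/vnd.microsoft.portable-executable`); and the `user` row's "Formatted as \." has lost the placeholders on either side of the backslash, most likely because angle-bracket placeholders were swallowed as HTML when the page rendered, so with the example now inside code tags it can be spelled out as `DOMAIN\USER`. The same lost-placeholder problem is visible in the `user` row of the flow.md context lines in this patch, so it is worth grepping the other data_model pages for `\.`.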
diff --git a/docs/data_model/flow.md b/docs/data_model/flow.md index f0219d4f..7a859f48 100755 --- a/docs/data_model/flow.md +++ b/docs/data_model/flow.md 
@@ -13,33 +13,33 @@ A sequence of packets from a source computer to a destination, which may be anot ## Fields |Field|Description|Example| |---|---|---| -application_protocol|Name of the layer 7 protocol contained within the flow.|HTTP -content|The ASCII printable characters of the flow. This corresponds to content from PCAP data or similar formats.|GET https://www.google.com/ HTTP/1.1 -dest_fqdn|The fully qualified domain name that corresponds to `dest_ip`.|dest_example.example.com -dest_hostname|The hostname that corresponds to `dest_ip`.|dest_example -dest_ip|The destination IP address of the flow.|192.168.1.5 -dest_port|The destination port of the flow.|192.168.1.5 -end_time|The datetime stamp, in UTC, when the flow ended.|05/15/2015 03:59:53.176 AM -exe|The basename of the `image_path`. This will need to be collected from the host.|Chrome.exe -fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM -hostname|The hostname of the host, without the domain.|HOST1 -image_path|The file system path of the process that opened the flow. This will need to be collected from the host.|C:\path\to\example.exe -in_bytes|Integer value of total number of bytes received.|13200 -network_direction|Direction of the original of the flow initiator, relative to network perimiter.|in (flow originated outside the network and was directed into it) -out_bytes|Integer value of total number of bytes sent.|1337 -packet_count|The total packet count seen at time of logging.|4 -pid|The total packet count seen at time of logging.|738 -ppid|The process ID for the process’s parent that owns the socket responsible for the flow, represented in decimal notation. This will need to be collected from the host.|1860 -proto_info|A text decoded version of traffic in the flow specific to the protocol. The application layer information from the flow parsed according to the protocol in question. 
For instance, SMB information or HTTP headers and content.|SMB2 Write Request Len:165 Off:0 Fileusername\private\filename.pptx, SRVSVC NetShareGetInfo response -src_fqdn|The fully qualified domain name that corresponds to `src_ip`.|src_domain.example.com -src_hostname|The hostname that corresponds to `src_ip`.|src_example -src_ip|The source IP address of the flow.|10.0.0.54 -src_port|The source port of the flow.|50438 -start_time|The starting time date stamp, in UTC, of the flow data.|05/14/2015 11:59:59 PM -tcp_flags|flags turned on in the TCP header.|ACK, PSH -transport_protocol|Layer 4 protocol contained within the flow.|TCP -uid|User ID or SID of the flow-handling entity.|S-1-5-18 -user|The user that ran the process.|HOST1\LOCALUSER +application_protocol|Name of the layer 7 protocol contained within the flow.|HTTP +content|The ASCII printable characters of the flow. This corresponds to content from PCAP data or similar formats.|GET https://www.google.com/ HTTP/1.1 +dest_fqdn|The fully qualified domain name that corresponds to `dest_ip`.|dest_example.example.com +dest_hostname|The hostname that corresponds to `dest_ip`.|dest_example +dest_ip|The destination IP address of the flow.|192.168.1.5 +dest_port|The destination port of the flow.|192.168.1.5 +end_time|The datetime stamp, in UTC, when the flow ended.|05/15/2015 03:59:53.176 AM +exe|The basename of the `image_path`. This will need to be collected from the host.|Chrome.exe +fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system path of the process that opened the flow. 
This will need to be collected from the host.|C:\path\to\example.exe +in_bytes|Integer value of total number of bytes received.|13200 +network_direction|Direction of the original of the flow initiator, relative to network perimiter.|in (flow originated outside the network and was directed into it) +out_bytes|Integer value of total number of bytes sent.|1337 +packet_count|The total packet count seen at time of logging.|4 +pid|The total packet count seen at time of logging.|738 +ppid|The process ID for the process’s parent that owns the socket responsible for the flow, represented in decimal notation. This will need to be collected from the host.|1860 +proto_info|A text decoded version of traffic in the flow specific to the protocol. The application layer information from the flow parsed according to the protocol in question. For instance, SMB information or HTTP headers and content.|SMB2 Write Request Len:165 Off:0 Fileusername\private\filename.pptx, SRVSVC NetShareGetInfo response +src_fqdn|The fully qualified domain name that corresponds to `src_ip`.|src_domain.example.com +src_hostname|The hostname that corresponds to `src_ip`.|src_example +src_ip|The source IP address of the flow.|10.0.0.54 +src_port|The source port of the flow.|50438 +start_time|The starting time date stamp, in UTC, of the flow data.|05/14/2015 11:59:59 PM +tcp_flags|flags turned on in the TCP header.|ACK, PSH +transport_protocol|Layer 4 protocol contained within the flow.|TCP +uid|User ID or SID of the flow-handling entity.|S-1-5-18 +user|The user that ran the process.|HOST1\LOCALUSER ## Coverage Map
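Review bot: the flow.md hunk re-adds two rows whose content was copy-pasted from their neighbours and never corrected: `dest_port|The destination port of the flow.|192.168.1.5` repeats the `dest_ip` example (an IP address, not a port; `src_port` uses `50438`, so a port-shaped value belongs here), and `pid|The total packet count seen at time of logging.|738` repeats the `packet_count` description instead of describing the process ID that owns the socket, as the adjacent `ppid` row does. The `network_direction` description also needs "Direction of the original of the flow initiator" read as "origin" and "perimiter" as "perimeter".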
diff --git a/docs/data_model/http.md b/docs/data_model/http.md index e1db30e3..463c1ada 100644 --- a/docs/data_model/http.md +++ b/docs/data_model/http.md 
@@ -14,23 +14,23 @@ HTTP events represents requests made over the network via the HTTP protocol. ## Fields |Field|Description|Example| |---|---|---| -hostname|hostname on which the request was seen.|HOST1 -http_version|HTTP version that is specified in the header.|1.1 -request_body_bytes|Integer value corresponding to the total number of bytes in the request.|180 +hostname|hostname on which the request was seen.|HOST1 +http_version|HTTP version that is specified in the header.|1.1 +request_body_bytes|Integer value corresponding to the total number of bytes in the request.|180 request_body_content|Body of the HTTP request; usually specifies the exact content being requested.| -request_referrer|The URL from which the request was referred, if applicable.|http://cnn.com -requester_ip_address|IP address from which the request was made.|10.0.211.200 -response_body_bytes|Integer value corresponding to the total number of bytes in the response.|2910 +request_referrer|The URL from which the request was referred, if applicable.|http://cnn.com +requester_ip_address|IP address from which the request was made.|10.0.211.200 +response_body_bytes|Integer value corresponding to the total number of bytes in the response.|2910 response_body_content|Content of the response (does not include header).| -response_status_code|HTTP protocol status code in response header|200 -url_domain|Domain portion of the URL.|www.mitre.org -url_full|URL to which the HTTP request was sent|https://www.mitre.org/about/corporate-overview -url_remainder|the path after the root domain|/about/corporate-overview -url_scheme|type of user that initiated the request.|https -user_agent_device|Device type from which request was made, identified by user_agent substring|SM-G930VC (Samgsung Galaxy S7) -user_agent_full|User agent string associated with the request|HOST1\LOCALUSER1 -user_agent_name|The user agent through which the request was made.|Mozilla/5.0 (Linux; Android 7.0; SM-G930VC Build/NRD90M; wv) 
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36 -user_agent_version|User Agent Version. Note that some User Agent strings may not label versions in the same way.|4.0 +response_status_code|HTTP protocol status code in response header|200 +url_domain|Domain portion of the URL.|www.mitre.org +url_full|URL to which the HTTP request was sent|https://www.mitre.org/about/corporate-overview +url_remainder|the path after the root domain|/about/corporate-overview +url_scheme|type of user that initiated the request.|https +user_agent_device|Device type from which request was made, identified by user_agent substring|SM-G930VC (Samgsung Galaxy S7) +user_agent_full|User agent string associated with the request|HOST1\LOCALUSER1 +user_agent_name|The user agent through which the request was made.|Mozilla/5.0 (Linux; Android 7.0; SM-G930VC Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36 +user_agent_version|User Agent Version. Note that some User Agent strings may not label versions in the same way.|4.0 ## Coverage Map
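Review bot: the `url_scheme` and user-agent rows in this http.md hunk are wrong in both the removed and the added lines, so the rewrite is the moment to fix them. `+url_scheme|type of user that initiated the request.|https` describes a user rather than the URL scheme (http or https); `+user_agent_full|User agent string associated with the request|HOST1\LOCALUSER1` has a user name as its example while the complete UA string sits in the `+user_agent_name` row, so the two examples look swapped; and `Samgsung` in the `user_agent_device` example should be `Samsung`.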
diff --git a/docs/data_model/module.md b/docs/data_model/module.md index 4d3a21a2..e08cde6f 100755 --- a/docs/data_model/module.md +++ b/docs/data_model/module.md 
@@ -12,19 +12,19 @@ Modules correspond to executable (and potentially non-executable) content, and a ## Fields |Field|Description|Example| |---|---|---| -base_address|A hex address indicating where the module is loaded into the process’s virtual address space.|18446735277684027392 -fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM -hostname|The hostname of the host, without the domain.|HOST1 -image_path|The file system location of the process image.|C:\path\to\example.exe -md5_hash|The MD5 hash of the contents of the file located at `module_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 -module_name|The name of the file where the module is loaded on disk. This is also the string that is used internally by the program to lookup information about the module.|kernel32.exe -module_path|The full file system path to the module loaded into the memory space of the process.|C:\windows\system32\kernel32.exe -pid|Process ID of the process in which the module is loaded (or unloaded).|738 -sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed -sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 -signature_valid|Boolean indicator of whether the signature is current and not revoked|True -signer|The name of the organization which signed the module.|Microsoft Corporation -tid|The thread ID of the thread responsible for the load or unload event.|50 +base_address|A hex address indicating where the module is loaded into the process’s virtual address space.|18446735277684027392 +fqdn|The fully qualified domain name of the host. 
Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file system location of the process image.|C:\path\to\example.exe +md5_hash|The MD5 hash of the contents of the file located at `module_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +module_name|The name of the file where the module is loaded on disk. This is also the string that is used internally by the program to lookup information about the module.|kernel32.exe +module_path|The full file system path to the module loaded into the memory space of the process.|C:\windows\system32\kernel32.exe +pid|Process ID of the process in which the module is loaded (or unloaded).|738 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +signature_valid|Boolean indicator of whether the signature is current and not revoked|True +signer|The name of the organization which signed the module.|Microsoft Corporation +tid|The thread ID of the thread responsible for the load or unload event.|50 ## Coverage Map
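Review bot: the hash rows in this module.md hunk disagree about which file is hashed. `+md5_hash` says "the file located at `module_path`" while `+sha1_hash` and `+sha256_hash` say `image_path`, and the hunk's own `+image_path` row defines that as "the file system location of the process image", i.e. the host process, not the loaded module. For a module event all three should name `module_path`, otherwise an analytic that pivots on `sha256_hash` will match the wrong file. Separately, `+base_address|A hex address indicating where the module is loaded ...|18446735277684027392` calls the value hex but gives a decimal example; pick one representation and state it.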
diff --git a/docs/data_model/process.md b/docs/data_model/process.md index 94851bfa..3a18db4a 100755 --- a/docs/data_model/process.md +++ b/docs/data_model/process.md 
@@ -13,35 +13,35 @@ A process is a running program on a computer. ## Fields |Field|Description|Example| |---|---|---| -access_level|Permissions level at which the target process is accessed.|64 +access_level|Permissions level at which the target process is accessed.|64 call_trace|Stack trace showing context of process open/access call.| -command_line|The command line string contains all arguments passed to the process upon execution.|example.exe arg1 arg2 -current_working_directory|The absolute path to the current working directory of the process.|c:\temp -env_vars|The environment variables within a process's memory space, as a string.|SHELL=/bin/zsh -exe|The basename of the `image_path`.|example.exe -fqdn|The fully qualified domain name of the host in which the process ran. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM -guid|Global unique identifier for the initiating process.|{f81d4fae-7dec-11d0-a765-00a0c91e6bf6} -hostname|The hostname of the host, without the domain.|HOST1 -image_path|The file path of the executable associated with this process. This may act as a pivot to [file:file_path](https://car.mitre.org/wiki/Data_Model/file#file_path).|C:\path\to\example.exe -integrity_level|The Windows integrity level associated with the process. MUST be one of low, medium, high, or system.|High -md5_hash|The MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 -parent_command_line|All of the arguments passed to the parent process upon execution.|c:\windows\system32\dism.exe foo.xml -parent_exe|The `exe` field of the parent process. 
This is a substring of `parent_image_path`.|example_parent.exe -parent_guid|Global unique identifier of the parent of the initiating process.|{f81d4fae-7dec-11d0-a765-00a0c91e6bf6} -parent_image_path|The `image_path` field of the parent process.|C:\path\to\example_parent.exe -pid|The process ID for the process, represented in decimal notation.|738 -ppid|The process ID for the process's parent, represented in decimal notation. In the parent process, this will be the `pid` field.|1860 -sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed -sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 -sid|The Windows security identifier of the `user` token that the process is running under.|S-1-5-18 -signature_valid|Boolean indicator of whether signature is current and not revoked.|True -signer|The name of the company that signed the file.|FooCorp -target_address|Specific address range which is accessed by another process.|08048000-0804c000 +command_line|The command line string contains all arguments passed to the process upon execution.|example.exe arg1 arg2 +current_working_directory|The absolute path to the current working directory of the process.|c:\temp +env_vars|The environment variables within a process's memory space, as a string.|SHELL=/bin/zsh +exe|The basename of the `image_path`.|example.exe +fqdn|The fully qualified domain name of the host in which the process ran. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +guid|Global unique identifier for the initiating process.|{f81d4fae-7dec-11d0-a765-00a0c91e6bf6} +hostname|The hostname of the host, without the domain.|HOST1 +image_path|The file path of the executable associated with this process. 
This may act as a pivot to [file:file_path](https://car.mitre.org/wiki/Data_Model/file#file_path).|C:\path\to\example.exe +integrity_level|The Windows integrity level associated with the process. MUST be one of low, medium, high, or system.|High +md5_hash|The MD5 hash of the contents of the file located at `image_path`. The field is in hex notation, without the 0x prefix.|5eb63bbbe01eeed093cb22bb8f5acdc3 +parent_command_line|All of the arguments passed to the parent process upon execution.|c:\windows\system32\dism.exe foo.xml +parent_exe|The `exe` field of the parent process. This is a substring of `parent_image_path`.|example_parent.exe +parent_guid|Global unique identifier of the parent of the initiating process.|{f81d4fae-7dec-11d0-a765-00a0c91e6bf6} +parent_image_path|The `image_path` field of the parent process.|C:\path\to\example_parent.exe +pid|The process ID for the process, represented in decimal notation.|738 +ppid|The process ID for the process's parent, represented in decimal notation. 
In the parent process, this will be the `pid` field.|1860 +sha1_hash|The SHA1 hash of the contents of the file located at `image_path`.|2aae6c35c94fcfb415dbe95f408b9ce91ee846ed +sha256_hash|The SHA256 hash of the contents of the file located at `image_path`.|68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728 +sid|The Windows security identifier of the `user` token that the process is running under.|S-1-5-18 +signature_valid|Boolean indicator of whether signature is current and not revoked.|True +signer|The name of the company that signed the file.|FooCorp +target_address|Specific address range which is accessed by another process.|08048000-0804c000 target_guid|Global Unique Identifier for the target process (only for process access events).| -target_name|Name of the process that is accessed.|C:\Windows\System32\winlogon.exe +target_name|Name of the process that is accessed.|C:\Windows\System32\winlogon.exe target_pid|ID of the target process (only for process access events).| -uid|User ID under which original process is running.|509 -user|The user token that process was created with. May be a local, domain or SYSTEM user. Formatted with "\". Individual threads in the process may gain more privilege or change tokens, so the active token in any thread is not necessarily the one the process was created under.|HOST1\LOCALUSER +uid|User ID under which original process is running.|509 +user|The user token that process was created with. May be a local, domain or SYSTEM user. Formatted with "\". Individual threads in the process may gain more privilege or change tokens, so the active token in any thread is not necessarily the one the process was created under.|HOST1\LOCALUSER ## Coverage Map
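Review bot: `+integrity_level|The Windows integrity level associated with the process. MUST be one of low, medium, high, or system.|High` in this process.md hunk gives an example that is not one of the enumerated values as written; either list the values in the casing the sensors actually emit or change the example to `high`, since a case-sensitive comparison in an analytic will miss otherwise. The `+guid` and `+parent_guid` rows also share the identical example `{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}`, which hides that they identify two different processes; a second constructed GUID for the parent would make that clear.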
diff --git a/docs/data_model/registry.md b/docs/data_model/registry.md index 3c13a1df..38cffff6 100755 --- a/docs/data_model/registry.md +++ b/docs/data_model/registry.md 
@@ -14,17 +14,17 @@ The registry is a system-defined database in which applications and system compo ## Fields |Field|Description|Example| |---|---|---| -data|The content of `value`, typically a text string.|\%SystemRoot%\system32\svchost.exe -k rpcss -fqdn|The fully qualified domain name for the host on which the registry access took place.|HOST1.EXAMPLE_DOMAIN.COM -hive|The logical group of keys, subkeys, and values in the registry.|HKEY_CURRENT_USER -hostname|The hostname of the host, without the domain.|HOST1 -image_path|Inherited from the [process](https://car.mitre.org/data_model/process) that made the registry access.|C:\path\to\example.exe -key|The registry key of the event. Similar to a folder in a traditional file system.|HKLM\SYSTEM\CurrentControlSet\services\RpcSs -new_content|The data within the new value, or the new name of a key, after an edit event.|\%SystemRoot%\system32\svchost.exe, HKLM\SYSTEM\CurrentControlSet\services\RpcSs -pid|Inherited from the [process](https://car.mitre.org/data_model/process) that made the registry access.|738 -type|The type of data being stored in `value`. Types include binary data, 32 bit numbers, strings, etc.|REG_BINARY -user|The user in the context of the process that performed the action on the registry key.|HOST1\LOCALUSER -value|The descriptive name for the data being stored.|InstalledVersion +data|The content of `value`, typically a text string.|\%SystemRoot%\system32\svchost.exe -k rpcss +fqdn|The fully qualified domain name for the host on which the registry access took place.|HOST1.EXAMPLE_DOMAIN.COM +hive|The logical group of keys, subkeys, and values in the registry.|HKEY_CURRENT_USER +hostname|The hostname of the host, without the domain.|HOST1 +image_path|Inherited from the [process](https://car.mitre.org/data_model/process) that made the registry access.|C:\path\to\example.exe +key|The registry key of the event. 
Similar to a folder in a traditional file system.|HKLM\SYSTEM\CurrentControlSet\services\RpcSs +new_content|The data within the new value, or the new name of a key, after an edit event.|\%SystemRoot%\system32\svchost.exe, HKLM\SYSTEM\CurrentControlSet\services\RpcSs +pid|Inherited from the [process](https://car.mitre.org/data_model/process) that made the registry access.|738 +type|The type of data being stored in `value`. Types include binary data, 32 bit numbers, strings, etc.|REG_BINARY +user|The user in the context of the process that performed the action on the registry key.|HOST1\LOCALUSER +value|The descriptive name for the data being stored.|InstalledVersion ## Coverage Map
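Review bot: the `+data` and `+new_content` examples in this registry.md hunk begin with a stray backslash (`\%SystemRoot%\system32\svchost.exe -k rpcss`) that is not part of the registry value; drop the leading `\` so the rendered example matches what a sensor would actually report. The `+new_content` example also packs two unrelated values (an expanded path and a key name `HKLM\SYSTEM\CurrentControlSet\services\RpcSs`) into one cell separated by a comma, which reads as a single value; if both cases are wanted, label them as "new value" and "new key name" or show only one.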
diff --git a/docs/data_model/service.md b/docs/data_model/service.md index 3e8d5881..f7a73ce8 100755 --- a/docs/data_model/service.md +++ b/docs/data_model/service.md 
@@ -15,16 +15,16 @@ Services, or a service application, can be started automatically at system boot, ## Fields |Field|Description|Example| |---|---|---| -command_line|The command line that service is started with.|C:\windows\system32\svchost.exe -k rpcss -exe|The executable for the service.|svchost.exe -fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM -hostname|The hostname of the host, without the domain.|HOST1 -image_path|Where in the file system the service executable is located.|C:\path\to\example.exe -name|The name of the service.|RpcSs -pid|The process ID for the process of the service, represented in decimal notation.|718 -ppid|The process ID of the process’s parent or the service, represented in decimal notation. In the parent process, this will be the pid field.|1860 -uid|The ID of SID of the user who acted on the service|S-1-5-18 -user|The user token that service was created with.|HOST1\LOCALUSER +command_line|The command line that service is started with.|C:\windows\system32\svchost.exe -k rpcss +exe|The executable for the service.|svchost.exe +fqdn|The fully qualified domain name of the host. Contains the hostname appended with the domain.|HOST1.EXAMPLE_DOMAIN.COM +hostname|The hostname of the host, without the domain.|HOST1 +image_path|Where in the file system the service executable is located.|C:\path\to\example.exe +name|The name of the service.|RpcSs +pid|The process ID for the process of the service, represented in decimal notation.|718 +ppid|The process ID of the process’s parent or the service, represented in decimal notation. In the parent process, this will be the pid field.|1860 +uid|The ID of SID of the user who acted on the service|S-1-5-18 +user|The user token that service was created with.|HOST1\LOCALUSER ## Coverage Map
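Review bot: two typos survive into the `+` lines of this service.md hunk. `+ppid|The process ID of the process’s parent or the service, represented in decimal notation. ...` should read "of the service" (compare the process.md wording of the same field), and `+uid|The ID of SID of the user who acted on the service|S-1-5-18` should be "ID or SID"; that row is also the only one in the table without a terminating period.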
diff --git a/docs/data_model/socket.md b/docs/data_model/socket.md index 3ec92b26..0f6bd4b6 100755 --- a/docs/data_model/socket.md +++ b/docs/data_model/socket.md 
@@ -13,16 +13,16 @@ Socket events are low-level events that may or may not result in a flow. Socket ## Fields |Field|Description|Example| |---|---|---| -family|The type of socket in question|AF_UNIX, AF_INET, AF_INET6 -image_path|Path to the executable that initiated the socket event.|C:/user/adam/malware.exe -local_address|IP address on which the socket will accept connections; does not include the port number.|10.0.211.200 -local_path|In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets.|/tmp/foo -local_port|Port number on which the socket is bound at the local end. This pertains to TCP and UDP sockets but not IP sockets.|48777 -pid|ID of the process that acted on the socket|3930 -protocol|The type of connection that was attempted on the socket|TCP -remote_address|IP address with which the socket is communicating on the remote end.|199.121.21.20 -remote_port|Port number on which the socket is bound at the remote end.|559 -success|Boolean indicator of whether the socket event was successful (e.g. the socket was created as requested)|True +family|The type of socket in question|AF_UNIX, AF_INET, AF_INET6 +image_path|Path to the executable that initiated the socket event.|C:/user/adam/malware.exe +local_address|IP address on which the socket will accept connections; does not include the port number.|10.0.211.200 +local_path|In the case that a socket is used for local interprocess communication, the socket binds to a local filepath, and will usually be visible in the filesystem. This is the case with AF_UNIX type sockets.|/tmp/foo +local_port|Port number on which the socket is bound at the local end. 
This pertains to TCP and UDP sockets but not IP sockets.|48777 +pid|ID of the process that acted on the socket|3930 +protocol|The type of connection that was attempted on the socket|TCP +remote_address|IP address with which the socket is communicating on the remote end.|199.121.21.20 +remote_port|Port number on which the socket is bound at the remote end.|559 +success|Boolean indicator of whether the socket event was successful (e.g. the socket was created as requested)|True ## Coverage Map
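Review bot: `+image_path|Path to the executable that initiated the socket event.|C:/user/adam/malware.exe` in this socket.md hunk uses forward slashes and a name that reads like a real sample, where every other data-model page uses the placeholder `C:\path\to\example.exe`; use the same placeholder here so the example column stays consistent. The `+family` row also lists three values (`AF_UNIX, AF_INET, AF_INET6`) in an Example column that elsewhere holds exactly one value; either show one and move the enumeration into the description, or say explicitly that the column enumerates the allowed values.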
diff --git a/docs/data_model/thread.md b/docs/data_model/thread.md index 61157f2e..921e6e76 100755 --- a/docs/data_model/thread.md +++ b/docs/data_model/thread.md 
@@ -14,21 +14,21 @@ A thread of execution is the smallest sequence of programmed instructions that c ## Fields |Field|Description|Example| |---|---|---| -hostname|The hostname of the active host, without the domain.|HOST1 -src_pid|The process ID of the process that created the thread.|6016 -src_tid|The thread ID of the thread that created the event.|9012 -stack_base|The base address of the thread's stack.|18446735827508301824 -stack_limit|The limit of the thread's stack.|18446735827508277248 -start_address|The memory address at which the thread's execution starts.|18446735827446645728 -start_function|The function at `start_address`.|LoadLibrary -start_module|The module in which `start_address` resides.|C:\windows\system32\ntdll.dll -start_module_name|The short name of the `start_module`.|ntdll.dll -tgt_pid|The process ID of the process in which the new thread runs.|232 -tgt_tid|The thread ID of the new thread that was created.|6964 -uid|The ID of SID of the user who directly or indirectly acted on the thread|S-1-5-18 -user|The user context in which the source thread was running. May be a local, domain or SYSTEM user. Formatted as \. 
Because threads are allowed to impersonate users, this may be different than the user context of the process.|HOST1\LOCALUSER -user_stack_base|The base address of the thread's stack.|0 -user_stack_limit|The limit of the thread's stack.|0 +hostname|The hostname of the active host, without the domain.|HOST1 +src_pid|The process ID of the process that created the thread.|6016 +src_tid|The thread ID of the thread that created the event.|9012 +stack_base|The base address of the thread's stack.|18446735827508301824 +stack_limit|The limit of the thread's stack.|18446735827508277248 +start_address|The memory address at which the thread's execution starts.|18446735827446645728 +start_function|The function at `start_address`.|LoadLibrary +start_module|The module in which `start_address` resides.|C:\windows\system32\ntdll.dll +start_module_name|The short name of the `start_module`.|ntdll.dll +tgt_pid|The process ID of the process in which the new thread runs.|232 +tgt_tid|The thread ID of the new thread that was created.|6964 +uid|The ID of SID of the user who directly or indirectly acted on the thread|S-1-5-18 +user|The user context in which the source thread was running. May be a local, domain or SYSTEM user. Formatted as \. Because threads are allowed to impersonate users, this may be different than the user context of the process.|HOST1\LOCALUSER +user_stack_base|The base address of the thread's stack.|0 +user_stack_limit|The limit of the thread's stack.|0 ## Coverage Map
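Review bot: `+user|The user context in which the source thread was running. May be a local, domain or SYSTEM user. Formatted as \. ...` in this thread.md hunk has lost the `DOMAIN\user` format it is describing, so the sentence no longer says what the format is; the process.md row `Formatted with "\"` has the same gap, and both should spell out the form (for example "Formatted as DOMAIN\user") in a way that survives Markdown rendering. In the same hunk `+uid|The ID of SID of the user ...` should read "ID or SID", and `+user_stack_base` and `+user_stack_limit` repeat the `stack_base` and `stack_limit` descriptions word for word, so nothing tells the reader these are the user-mode stack bounds as opposed to the kernel-mode ones.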
diff --git a/docs/data_model/user_session.md b/docs/data_model/user_session.md index 4ece7e60..2e271192 100755 --- a/docs/data_model/user_session.md +++ b/docs/data_model/user_session.md 
@@ -15,16 +15,16 @@ User sessions are the user activities undertaken on the computer in the course o ## Fields |Field|Description|Example| |---|---|---| -dest_ip|The destination IP address of the user session. Only applicable to remote or RDP sessions.|192.168.1.5 -dest_port|The destination port of the user session. Only applicable to remote or RDP sessions.|1900 -hostname|The hostname of the host, without the domain.|HOST1 -login_id|A hex value corresponding to the session. The logon id will persist until logout occurs.|1008115 -login_successful|Boolean indicator of whether a login attempt was successful|False -login_type|The type of login that was accomplished or attempted|interactive,local,rdp,remote -src_ip|The source IP address of the user session. Only applicable to remote or RDP sessions.|10.0.0.54 -src_port|The source port of the user session. Only applicable to remote or RDP sessions.|50438 -uid|ID or SID of the user for which a session event ocurred|S-1-5-18 -user|The user affiliated with the session. May be a local, domain or SYSTEM user.|HOST1\LOCALUSER +dest_ip|The destination IP address of the user session. Only applicable to remote or RDP sessions.|192.168.1.5 +dest_port|The destination port of the user session. Only applicable to remote or RDP sessions.|1900 +hostname|The hostname of the host, without the domain.|HOST1 +login_id|A hex value corresponding to the session. The logon id will persist until logout occurs.|1008115 +login_successful|Boolean indicator of whether a login attempt was successful|False +login_type|The type of login that was accomplished or attempted|interactive,local,rdp,remote +src_ip|The source IP address of the user session. Only applicable to remote or RDP sessions.|10.0.0.54 +src_port|The source port of the user session. Only applicable to remote or RDP sessions.|50438 +uid|ID or SID of the user for which a session event ocurred|S-1-5-18 +user|The user affiliated with the session. 
May be a local, domain or SYSTEM user.|HOST1\LOCALUSER ## Coverage Map
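Review bot: `ocurred` in `+uid|ID or SID of the user for which a session event ocurred|S-1-5-18` in this user_session.md hunk should be `occurred`. The `+login_id|A hex value corresponding to the session. ...|1008115` row says the value is hex but the example contains only decimal digits, so a reader cannot tell which encoding a sensor will emit; an example with a hex digit or an explicit `0x` prefix would remove the ambiguity, which matters because analytics that join on `login_id` across sources need the same encoding on both sides.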
diff --git a/scripts/datamodel_template.md b/scripts/datamodel_template.md index b7da1720..dc490688 100644 --- a/scripts/datamodel_template.md +++ b/scripts/datamodel_template.md @@ -11,7 +11,7 @@ title: "{{ datamodel['name'] }}" ## Fields |Field|Description|Example| |---|---|---|{% for field in datamodel['fields']|sort(attribute='name') %} -{{ field['name'] }}|{{ field['description'] }}|{% if 'example' in field %}{{ field['example'] }}{% endif %}{% endfor %} +{{ field['name'] }}|{{ field['description'] }}|{% if 'example' in field %}{{ field['example'] }}{% endif %}{% endfor %} ## Coverage Map
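Review bot: the `-` and `+` lines of this scripts/datamodel_template.md hunk are indistinguishable as shown (both read `{{ field['name'] }}|{{ field['description'] }}|{% if 'example' in field %}{{ field['example'] }}{% endif %}{% endfor %}`), and the same holds for every generated row in the docs/data_model hunks above, so the actual change is presumably whitespace or line endings; the commit message should say so, because a reviewer otherwise cannot tell whether the docs/data_model pages were regenerated from this template or hand-edited in parallel. If the template row is the real change, regenerating the pages from it is the safer path than editing both.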
From 6649d58c44d37a52b022718436f0fc660fec3d5d Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Fri, 24 Feb 2023 00:24:49 -0500 Subject: [PATCH 64/82] fixed tables to actually show the sensors Signed-off-by: Amndeep Singh Mann --- docs/data_model/driver.md | 12 +++--- docs/data_model/file.md | 60 ++++++++++++++--------------- docs/data_model/flow.md | 30 +++++++-------- docs/data_model/module.md | 24 ++++++------ docs/data_model/process.md | 42 ++++++++++---------- docs/data_model/registry.md | 72 +++++++++++++++++------------------ docs/data_model/service.md | 20 +++++----- docs/data_model/socket.md | 50 ++++++++++++------------ docs/data_model/thread.md | 26 ++++++------- scripts/datamodel_template.md | 2 +- 10 files changed, 169 insertions(+), 169 deletions(-) diff --git a/docs/data_model/driver.md b/docs/data_model/driver.md index e2591c76..52bd4d72 100755 --- a/docs/data_model/driver.md +++ b/docs/data_model/driver.md @@ -43,16 +43,16 @@ signer|The name of the organization which signed the driver.|Microsoft Cor + + + - - - - - - + + + diff --git a/docs/data_model/file.md b/docs/data_model/file.md index f9f669e4..17bb8cca 100755 --- a/docs/data_model/file.md +++ b/docs/data_model/file.md @@ -106,30 +106,30 @@ user|The user context in which the thread that caused this event was running. Ma + + + + + + + + + - - - - - - - - - - + @@ -141,36 +141,42 @@ user|The user context in which the thread that caused this event was running. Ma + + + - - - - + + + + + + + @@ -179,15 +185,9 @@ user|The user context in which the thread that caused this event was running. Ma - - - - - - - - - + + + @@ -224,29 +224,29 @@ user|The user context in which the thread that caused this event was running. Ma + + + + + + - - - - - - - + diff --git a/docs/data_model/flow.md b/docs/data_model/flow.md index 7a859f48..0e579ef9 100755 --- a/docs/data_model/flow.md +++ b/docs/data_model/flow.md 
@@ -138,29 +138,29 @@ user|The user that ran the process.|HOST1\LOCALUSER + + + + + + + + + + + + - - - - - - - - - - - - - - - + + +
load [Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13')
unload
create[Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') [Autoruns]('../sensors/autoruns_13.98')[Sysmon]('../sensors/sysmon_13')[Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') [Autoruns]('../sensors/autoruns_13.98')[Sysmon]('../sensors/sysmon_13') [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13')
[Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13')
modify[Autoruns]('../sensors/autoruns_13.98') [Autoruns]('../sensors/autoruns_13.98') [Autoruns]('../sensors/autoruns_13.98') [Autoruns]('../sensors/autoruns_13.98') [Autoruns]('../sensors/autoruns_13.98') [Autoruns]('../sensors/autoruns_13.98') [Autoruns]('../sensors/autoruns_13.98')[Autoruns]('../sensors/autoruns_13.98')[Autoruns]('../sensors/autoruns_13.98')
timestomp [Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13')
[Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13') [Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13')[Sysmon]('../sensors/sysmon_13')
\ No newline at end of file diff --git a/docs/data_model/module.md b/docs/data_model/module.md index e08cde6f..3c769e36 100755 --- a/docs/data_model/module.md +++ b/docs/data_model/module.md @@ -47,18 +47,18 @@ tid|The thread ID of the thread responsible for the load or unload event.| load - - - - - - - - - - - - + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') unload diff --git a/docs/data_model/process.md b/docs/data_model/process.md index 3a18db4a..d11a6355 100755 --- a/docs/data_model/process.md +++ b/docs/data_model/process.md @@ -79,33 +79,33 @@ user|The user token that process was created with. May be a local, domain or SYS access + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') - - - - - - - - - - + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') @@ -113,25 +113,25 @@ user|The user token that process was created with. May be a local, domain or SYS create + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') - - - - - - - - - - - + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') diff --git a/docs/data_model/registry.md b/docs/data_model/registry.md index 38cffff6..003ec90a 100755 
--- a/docs/data_model/registry.md +++ b/docs/data_model/registry.md @@ -44,58 +44,58 @@ value|The descriptive name for the data being stored.|InstalledVersion add - - - - - - - - - - - + [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + [Autoruns]('../sensors/autoruns_13.98') + [Sysmon]('../sensors/sysmon_13') + [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + + [Sysmon]('../sensors/sysmon_13') + [Autoruns]('../sensors/autoruns_13.98') + [Sysmon]('../sensors/sysmon_13') + [Autoruns]('../sensors/autoruns_13.98') key_edit - - - - - - - - - - - + [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + [Autoruns]('../sensors/autoruns_13.98') + [Sysmon]('../sensors/sysmon_13') + [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Autoruns]('../sensors/autoruns_13.98') + [Sysmon]('../sensors/sysmon_13') + [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') remove + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') - - - - - - - + [Sysmon]('../sensors/sysmon_13') value_edit + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') - - - - - - - + [Autoruns]('../sensors/autoruns_13.98') \ No newline at end of file 
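Review bot: the sensor links added in the module.md, process.md and registry.md hunks wrap the link destination in single quotes, e.g. `+ [Sysmon]('../sensors/sysmon_13')` and `+ [Autoruns]('../sensors/autoruns_13.98')`. Standard Markdown link syntax is `[Sysmon](../sensors/sysmon_13)`; with the quotes a renderer will either keep them as part of the href, giving a broken link, or decline to parse the link and show the raw text, which defeats the purpose of this patch ("fixed tables to actually show the sensors"). Since these pages are generated, the fix belongs in scripts/datamodel_template.md, which this commit already touches, so the rendered tables do not need a second hand-edit. It is also worth confirming that the bare `+` cells (for example the empty cell between the `[Autoruns] [Sysmon]` entries under `add` in the registry.md hunk) are intended coverage gaps rather than sensor mappings that the template dropped.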
diff --git a/docs/data_model/service.md b/docs/data_model/service.md index f7a73ce8..64516ac3 100755 --- a/docs/data_model/service.md +++ b/docs/data_model/service.md @@ -43,11 +43,11 @@ user|The user token that service was created with.|HOST1\LOCALUSER create - - - - - + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') @@ -56,11 +56,11 @@ user|The user token that service was created with.|HOST1\LOCALUSER delete - - - - - + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') + [Autoruns]('../sensors/autoruns_13.98') diff --git a/docs/data_model/socket.md b/docs/data_model/socket.md index 0f6bd4b6..c7d84e35 100755 --- a/docs/data_model/socket.md +++ b/docs/data_model/socket.md 
@@ -41,41 +41,41 @@ success|Boolean indicator of whether the socket event was successful (e.g. the s bind + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') - - - - - - - - + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') close + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') - - - - - - - - + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') listen - - - - - - - - - + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') + [osquery]('../sensors/osquery_4.6.0') \ No newline at end of file diff --git a/docs/data_model/thread.md b/docs/data_model/thread.md index 921e6e76..7404c99a 100755 --- a/docs/data_model/thread.md +++ b/docs/data_model/thread.md @@ -70,19 +70,19 @@ user_stack_limit|The limit of the thread's stack.|0 remote_create - - - - - - - - - - - - - + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + + + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') + [Sysmon]('../sensors/sysmon_13') diff --git a/scripts/datamodel_template.md b/scripts/datamodel_template.md index dc490688..c73a95c2 100644 --- a/scripts/datamodel_template.md 
+++ b/scripts/datamodel_template.md @@ -21,6 +21,6 @@ title: "{{ datamodel['name'] }}" {% for action in datamodel['actions']|sort(attribute='name') %} {{ action['name'] }}{% for field in datamodel['fields']|sort(attribute='name') %} - {% if 'coverage_map' in datamodel and 'action' in datamodel['coverage_map'] and 'field' in datamodel['coverage_map']['action'] %}{{ datamodel['coverage_map'][action][field]|join(' ') }}{% endif %}{% endfor %} + {% if 'coverage_map' in datamodel and action['name'] in datamodel['coverage_map'] and field['name'] in datamodel['coverage_map'][action['name']] %}{{ datamodel['coverage_map'][action['name']][field['name']]|join(' ') }}{% endif %}{% endfor %} {% endfor %} From 5d01e40ade980b6128d1bf3169bf2bb645bbad46 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Fri, 24 Feb 2023 01:16:37 -0500 Subject: [PATCH 65/82] markdown links don't work in html table Signed-off-by: Amndeep Singh Mann --- docs/data_model/driver.md | 12 +++--- docs/data_model/file.md | 60 ++++++++++++++--------------- docs/data_model/flow.md | 30 +++++++-------- docs/data_model/module.md | 22 +++++------ docs/data_model/process.md | 42 ++++++++++---------- docs/data_model/registry.md | 70 +++++++++++++++++----------------- docs/data_model/service.md | 20 +++++----- docs/data_model/socket.md | 48 +++++++++++------------ docs/data_model/thread.md | 26 ++++++------- scripts/generate_datamodels.py | 10 ++--- 10 files changed, 170 insertions(+), 170 deletions(-) diff --git a/docs/data_model/driver.md b/docs/data_model/driver.md index 52bd4d72..47ba18f7 100755 --- a/docs/data_model/driver.md +++ b/docs/data_model/driver.md 
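Review bot: the `-` line of the datamodel_template.md hunk compared the literal strings `'action'` and `'field'` against the coverage map and then indexed it with the `action` and `field` dicts themselves, so the coverage cell could never render; the `+` line keys on `action['name']` and `field['name']`, which is how `generate_datamodels.py` fills `model['coverage_map'][action][field]`, so the lookup is now consistent with the data. Two follow-ups for that line: the three chained `in` tests can be written as `{{ datamodel.get('coverage_map', {}).get(action['name'], {}).get(field['name'], [])|join(' ') }}`, which Jinja2 accepts and which leaves the cell empty for missing keys; and the values being joined are the generator's `[Sysmon]('../sensors/sysmon_13')` strings visible in the regenerated tables above, where the single quotes are not link delimiters in either CommonMark or kramdown but part of the link destination, so the emitted href contains the quotes and does not point at the sensor page. Dropping the quotes in the generator fixes that independently of the Markdown-inside-HTML-table problem tackled in the next patch.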
@@ -43,16 +43,16 @@ signer|The name of the organization which signed the driver.|Microsoft Cor load - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon + Sysmon unload diff --git a/docs/data_model/file.md b/docs/data_model/file.md index 17bb8cca..cc970d4a 100755 --- a/docs/data_model/file.md +++ b/docs/data_model/file.md @@ -106,30 +106,30 @@ user|The user context in which the thread that caused this event was running. Ma create - [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + Autoruns Sysmon - [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + Autoruns Sysmon - [Autoruns]('../sensors/autoruns_13.98') - [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + Autoruns + Sysmon + Autoruns Sysmon - [Autoruns]('../sensors/autoruns_13.98') - [Sysmon]('../sensors/sysmon_13') + Autoruns + Sysmon - [Autoruns]('../sensors/autoruns_13.98') + Autoruns - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon @@ -141,42 +141,42 @@ user|The user context in which the thread that caused this event was running. Ma - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon modify - [Autoruns]('../sensors/autoruns_13.98') + Autoruns - [Autoruns]('../sensors/autoruns_13.98') + Autoruns - [Autoruns]('../sensors/autoruns_13.98') + Autoruns - [Autoruns]('../sensors/autoruns_13.98') + Autoruns - [Autoruns]('../sensors/autoruns_13.98') + Autoruns - [Autoruns]('../sensors/autoruns_13.98') + Autoruns 
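Review bot: in the driver.md hunk, and in the file.md, flow.md, module.md, process.md, registry.md, service.md, socket.md and thread.md hunks that follow, the cell text goes from `[Sysmon]('../sensors/sysmon_13')` to plain `Sysmon`, so the sensor version that used to be readable in the link path (`sysmon_13`, `autoruns_13.98`, `osquery_4.6.0`) is no longer visible in the coverage matrix. Coverage is assessed per sensor version (the sensor pages are named by version), so please confirm that the rendered anchor still targets the versioned page, and consider keeping the version in the visible text or in a `title` attribute; otherwise a reader of the table cannot tell whether a cell was verified against Sysmon 13 or an older release.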
@@ -185,9 +185,9 @@ user|The user context in which the thread that caused this event was running. Ma - [Autoruns]('../sensors/autoruns_13.98') - [Autoruns]('../sensors/autoruns_13.98') - [Autoruns]('../sensors/autoruns_13.98') + Autoruns + Autoruns + Autoruns @@ -224,29 +224,29 @@ user|The user context in which the thread that caused this event was running. Ma timestomp - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon diff --git a/docs/data_model/flow.md b/docs/data_model/flow.md index 0e579ef9..9356e4d0 100755 --- a/docs/data_model/flow.md +++ b/docs/data_model/flow.md @@ -138,29 +138,29 @@ user|The user that ran the process.|HOST1\LOCALUSER - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon + Sysmon \ No newline at end of file diff --git a/docs/data_model/module.md b/docs/data_model/module.md index 3c769e36..6fdf7d55 100755 --- a/docs/data_model/module.md +++ b/docs/data_model/module.md 
@@ -47,18 +47,18 @@ tid|The thread ID of the thread responsible for the load or unload event.| load - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon + Sysmon + Sysmon + Sysmon + Sysmon + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon + Sysmon unload diff --git a/docs/data_model/process.md b/docs/data_model/process.md index d11a6355..4bee996c 100755 --- a/docs/data_model/process.md +++ b/docs/data_model/process.md @@ -79,33 +79,33 @@ user|The user token that process was created with. May be a local, domain or SYS access - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon + Sysmon @@ -113,25 +113,25 @@ user|The user token that process was created with. May be a local, domain or SYS create - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon 
diff --git a/docs/data_model/registry.md b/docs/data_model/registry.md index 003ec90a..96ce237a 100755 --- a/docs/data_model/registry.md +++ b/docs/data_model/registry.md 
@@ -44,58 +44,58 @@ value|The descriptive name for the data being stored.|InstalledVersion add - [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') - [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + Autoruns Sysmon + Sysmon + Autoruns Sysmon + Autoruns + Sysmon + Autoruns Sysmon - [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') - [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') + Sysmon + Autoruns + Sysmon + Autoruns key_edit - [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') - [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') - [Sysmon]('../sensors/sysmon_13') - [Autoruns]('../sensors/autoruns_13.98') [Sysmon]('../sensors/sysmon_13') + Autoruns Sysmon + Sysmon + Autoruns Sysmon + Autoruns + Sysmon + Autoruns Sysmon + Autoruns Sysmon + Sysmon + Autoruns + Sysmon + Autoruns Sysmon remove - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon - [Sysmon]('../sensors/sysmon_13') + Sysmon value_edit - [Autoruns]('../sensors/autoruns_13.98') + Autoruns - [Autoruns]('../sensors/autoruns_13.98') - [Autoruns]('../sensors/autoruns_13.98') + Autoruns + Autoruns - [Autoruns]('../sensors/autoruns_13.98') - 
[Autoruns]('../sensors/autoruns_13.98') + Autoruns + Autoruns - [Autoruns]('../sensors/autoruns_13.98') + Autoruns - [Autoruns]('../sensors/autoruns_13.98') + Autoruns \ No newline at end of file diff --git a/docs/data_model/service.md b/docs/data_model/service.md index 64516ac3..e1d2b90c 100755 --- a/docs/data_model/service.md +++ b/docs/data_model/service.md @@ -43,11 +43,11 @@ user|The user token that service was created with.|HOST1\LOCALUSER create - [Autoruns]('../sensors/autoruns_13.98') - [Autoruns]('../sensors/autoruns_13.98') - [Autoruns]('../sensors/autoruns_13.98') - [Autoruns]('../sensors/autoruns_13.98') - [Autoruns]('../sensors/autoruns_13.98') + Autoruns + Autoruns + Autoruns + Autoruns + Autoruns @@ -56,11 +56,11 @@ user|The user token that service was created with.|HOST1\LOCALUSER delete - [Autoruns]('../sensors/autoruns_13.98') - [Autoruns]('../sensors/autoruns_13.98') - [Autoruns]('../sensors/autoruns_13.98') - [Autoruns]('../sensors/autoruns_13.98') - [Autoruns]('../sensors/autoruns_13.98') + Autoruns + Autoruns + Autoruns + Autoruns + Autoruns diff --git a/docs/data_model/socket.md b/docs/data_model/socket.md index c7d84e35..4b323924 100755 --- a/docs/data_model/socket.md +++ b/docs/data_model/socket.md 
@@ -41,41 +41,41 @@ success|Boolean indicator of whether the socket event was successful (e.g. the s bind - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') + osquery + osquery + osquery - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') + osquery + osquery + osquery + osquery + osquery close - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') + osquery + osquery + osquery - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') + osquery + osquery + osquery + osquery + osquery listen - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') + osquery + osquery + osquery - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') - [osquery]('../sensors/osquery_4.6.0') + osquery + osquery + osquery + osquery + osquery \ No newline at end of file diff --git a/docs/data_model/thread.md b/docs/data_model/thread.md index 7404c99a..85230dba 100755 --- a/docs/data_model/thread.md +++ b/docs/data_model/thread.md 
@@ -70,19 +70,19 @@ user_stack_limit|The limit of the thread's stack.|0 remote_create - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - - - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') - [Sysmon]('../sensors/sysmon_13') + Sysmon + Sysmon + Sysmon + + + Sysmon + Sysmon + Sysmon + Sysmon + Sysmon + Sysmon + Sysmon + Sysmon diff --git a/scripts/generate_datamodels.py b/scripts/generate_datamodels.py index a35413a9..fc890654 100644 --- a/scripts/generate_datamodels.py +++ b/scripts/generate_datamodels.py @@ -25,15 +25,15 @@ def load_sensor(filename): return sensors[filename] return load_sensor -def replace_sensor_names_with_markdown(datamodels, load_sensor): - def replace_sensor_name_with_markdown(sensor_filename): - return f"[{load_sensor(sensor_filename)['sensor_name']}]('../sensors/{sensor_filename}')" +def replace_sensor_names_with_html(datamodels, load_sensor): + def replace_sensor_name_with_html(sensor_filename): + return f"{load_sensor(sensor_filename)['sensor_name']}" for model in datamodels.values(): if 'coverage_map' in model: for action in model['coverage_map']: for field, sensor_filenames in model['coverage_map'][action].items(): - model['coverage_map'][action][field] = [replace_sensor_name_with_markdown(sensor_filename) for sensor_filename in sensor_filenames] + model['coverage_map'][action][field] = [replace_sensor_name_with_html(sensor_filename) for sensor_filename in sensor_filenames] def generate_markdown(datamodels): with open('datamodel_template.md') as f: 
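Review bot: `replace_sensor_name_with_html` interpolates `load_sensor(sensor_filename)['sensor_name']` (and, as the old Markdown variant did with `'../sensors/{sensor_filename}'`, the filename as the link path) straight into HTML that is written into the page unescaped. The values come from the repository's own sensor YAML today, but the site is built from contributed files and kramdown passes raw HTML through untouched, so wrap the name in `html.escape()` and the path segment in `urllib.parse.quote()` so that a `<`, `&` or quote in a future sensor name cannot break the table or inject markup. A one-line docstring would also help here: the reason for emitting HTML instead of Markdown (kramdown does not render Markdown inside a block-level HTML element such as the coverage `<table>` unless it carries `markdown="1"`) currently lives only in the commit subject.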
@@ -45,7 +45,7 @@ def generate_markdown(datamodels): def main(): datamodels = parse_yaml() load_sensor = cached_load_sensor() - replace_sensor_names_with_markdown(datamodels, load_sensor) + replace_sensor_names_with_html(datamodels, load_sensor) generate_markdown(datamodels) if __name__ == "__main__": From e7ac755b3fda9617f0ecfa1c92146e8608b5f56d Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Sun, 26 Feb 2023 17:28:44 -0500 Subject: [PATCH 66/82] update references to the glossary's location and also run the redirects script Signed-off-by: Amndeep Singh Mann --- docs/data_model/index.md | 2 +- docs/index.md | 2 +- docs/wiki/Category:Sensors/index.html | 1 + docs/wiki/Help:Contents/index.html | 1 + docs/wiki/Help:Glossary/index.html | 1 + scripts/redirects.csv | 4 ++-- 6 files changed, 7 insertions(+), 4 deletions(-) create mode 100644 docs/wiki/Category:Sensors/index.html create mode 100644 docs/wiki/Help:Contents/index.html create mode 100644 docs/wiki/Help:Glossary/index.html diff --git a/docs/data_model/index.md b/docs/data_model/index.md index 3c89bfcc..32a3b47b 100755 --- a/docs/data_model/index.md +++ b/docs/data_model/index.md 
@@ -31,7 +31,7 @@ In the Data Model an *object* is much like an [object in computer science](https An *action* refers to a state change or event that happens on an object, such as an object's creation, destruction, or modification. These are the verbs that describe that an object can do, and what can happen to an object. However, there are cases where sensors do not monitor actions in objects but merely scan for and check the presence of an object. Each action is represented in a coverage matrix (the 2D table). The actions are on the y-axis. ### Fields -A *field* refers to the observable properties of an object. These properties may contain flags, identifiers, data elements, or even references to other objects. In terms of vocabulary, fields are like the adjectives. They describe properties about an object. A [sensor](../Glossary#Sensor) monitors fields in the context of an object, and outputs these in some form of structured data. Once the data is ingested into a [SIEM](https://en.wikipedia.org/wiki/SIEM), the logs can be queried by forcing restrictions or patterns upon one or more objects, such as in an [analytic](../Glossary#Analytic). On the coverage matrix fields are on the x-axis. +A *field* refers to the observable properties of an object. These properties may contain flags, identifiers, data elements, or even references to other objects. In terms of vocabulary, fields are like the adjectives. They describe properties about an object. A [sensor](../resources/glossary#Sensor) monitors fields in the context of an object, and outputs these in some form of structured data. Once the data is ingested into a [SIEM](https://en.wikipedia.org/wiki/SIEM), the logs can be queried by forcing restrictions or patterns upon one or more objects, such as in an [analytic](../resources/glossary#Analytic). On the coverage matrix fields are on the x-axis. 
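Review bot: the `+` line keeps the fragments `#Sensor` and `#Analytic` while moving the target to `../resources/glossary`, so it relies on the glossary page defining ids with that exact capitalisation. kramdown's auto-generated heading ids are lowercased (`## Sensor` yields `id="sensor"`), so unless the glossary sets explicit `{#Sensor}` and `{#Analytic}` ids the page will load but not scroll to the term; worth checking in the built site. The `[Glossary](resources/glossary)` link in docs/index.md and the `/wiki/Help:Glossary,/resources/glossary` redirect in this patch both resolve to the same `/resources/glossary` path, which is consistent with `../resources/glossary` here given that data_model/index.md sits one directory deeper.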
### Coverage In order to gauge the usefulness of a sensor with respect to analytics, its output must be mapped into the Data Model. For each object that a sensor measures, it captures state. Some sensors periodically scan for objects, instead of monitoring for state changes. In these cases, state may be inferred by looking for changes in the properties of an object. diff --git a/docs/index.md b/docs/index.md index 8bfe215a..dd7a4a60 100644 --- a/docs/index.md +++ b/docs/index.md @@ -9,7 +9,7 @@ Analytics stored in CAR contain the following information: * a *hypothesis* which explains the idea behind the analytic * the *information domain* or the primary domain the analytic is designed to operate within (e.g. host, network, process, external) * references to [ATT&CK](https://attack.mitre.org/) Techniques and Tactics that the analytic detects -* the [Glossary](Glossary) +* the [Glossary](resources/glossary) * a pseudocode description of how the analytic might be implemented * a unit test which can be run to trigger the analytic diff --git a/docs/wiki/Category:Sensors/index.html b/docs/wiki/Category:Sensors/index.html new file mode 100644 index 00000000..af0bc0ee --- /dev/null +++ b/docs/wiki/Category:Sensors/index.html @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/docs/wiki/Help:Contents/index.html b/docs/wiki/Help:Contents/index.html new file mode 100644 index 00000000..dd6a448b --- /dev/null +++ b/docs/wiki/Help:Contents/index.html @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/docs/wiki/Help:Glossary/index.html b/docs/wiki/Help:Glossary/index.html new file mode 100644 index 00000000..72217038 --- /dev/null +++ b/docs/wiki/Help:Glossary/index.html @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/scripts/redirects.csv b/scripts/redirects.csv index 91d04022..609b467c 100644 --- a/scripts/redirects.csv +++ b/scripts/redirects.csv 
@@ -1,6 +1,6 @@ /wiki/Main_Page,/ /caret,https://mitre-attack.github.io/caret -/wiki/Help:Glossary,/Glossary +/wiki/Help:Glossary,/resources/glossary /wiki/Help:Contents,/ /wiki/Full_Analytic_List,/analytics /wiki/Contribute,/CONTRIBUTING @@ -63,4 +63,4 @@ /wiki/CAR-2016-04-002,/analytics/CAR-2016-04-002 /wiki/CAR-2014-12-001,/analytics/CAR-2014-12-001 /wiki/CAR-2014-11-008,/analytics/CAR-2014-11-008 -/wiki/CAR-2013-05-009,/analytics/CAR-2013-05-009 \ No newline at end of file +/wiki/CAR-2013-05-009,/analytics/CAR-2013-05-009 From a951c305c775fbb355bfcadb1ad2617a1b3afb38 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Sun, 26 Feb 2023 17:47:12 -0500 Subject: [PATCH 67/82] made the key of the dict the filename instead of the path since i never use that path anyways Signed-off-by: Amndeep Singh Mann --- scripts/generate_datamodels.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/generate_datamodels.py b/scripts/generate_datamodels.py index fc890654..8f1bf83b 100644 --- a/scripts/generate_datamodels.py +++ b/scripts/generate_datamodels.py @@ -12,7 +12,7 @@ def parse_yaml(): datamodels = {} for file in datamodel_files: with open(file, encoding="utf-8") as f: - datamodels[file] = safe_load(f.read()) + datamodels[Path(file).stem] = safe_load(f.read()) return datamodels def cached_load_sensor(): @@ -39,7 +39,7 @@ def generate_markdown(datamodels): with open('datamodel_template.md') as f: datamodel_template = Template(f.read()) for model in datamodels: - with open(f'../docs/data_model/{Path(model).stem}.md', 'w', encoding='utf-8') as f: + with open(f'../docs/data_model/{model}.md', 'w', encoding='utf-8') as f: f.write(datamodel_template.render(datamodel=datamodels[model])) def main(): From e4b4a89f1cc5a7ba1384ffbca0488488cb52c003 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Sun, 26 Feb 2023 18:43:25 -0500 Subject: [PATCH 68/82] generate index file from template 
Signed-off-by: Amndeep Singh Mann --- docs/data_model/index.md | 39 +++++++++++++++++++---------- scripts/datamodel_index_template.md | 28 +++++++++++++++++++++ scripts/generate_datamodels.py | 29 +++++++++++++++------ 3 files changed, 76 insertions(+), 20 deletions(-) mode change 100755 => 100644 docs/data_model/index.md diff --git a/docs/data_model/index.md b/docs/data_model/index.md old mode 100755 new mode 100644 index 32a3b47b..0762211e --- a/docs/data_model/index.md +++ b/docs/data_model/index.md @@ -8,19 +8,32 @@ The Data Model, strongly inspired by [CybOX](https://cyboxproject.github.io/), i |Object|Actions|Fields| |---|---|---| -|**[authentication](authentication)**|`error`
`failure`
`success`|`ad_domain`
`app_name`
`auth_service`
`auth_target`
`decision_reason`
`fqdn`
`hostname`
`fqdn`
`method`
`response_time`
`target_ad_domain`
`target_uid`
`target_user`
`target_user_role`
`target_user_type`
`uid`
`user`
`user_agent`
`user_role`| -|**[driver](driver)**|`load`
`unload`|`base_address`
`fqdn`
`hostname`
`image_path`
`md5_hash`
`module_name`
`pid`
`sha1_hash`
`sha256_hash`
`signer`
`signature_valid`| -|**[email](email)**|`block`
`delete`
`deliver`
`redirect`
`quarantine`|`action_reason`
`attachment_mime_type`
`attachment_name`
`attachment_size`
`date`
`dest_address`
`dest_ip`
`dest_port`
`from`
`message_body`
`message_links`
`message_type`
`return_address`
`server_relay`
`smtp_uid`
`src_address`
`src_domain`
`src_ip`
`src_port`
`subject`
`to`| -|**[file](file)**|`acl_modify`
`create`
`delete`
`modify`
`read`
`timestomp`
`write`|`content`
`company`
`creation_time`
`file_name`
`file_path`
`file_uid`
`file_user`
`file_extension`
`file_gid`
`file_gid`
`fqdn`
`hostname`
`image_path`
`link_target`
`md5_hash`
`mime_type`
`pid`
`ppid`
`previous_creation_time`
`sha1_hash`
`sha256_hash`
`signer`
`signature_valid`
`uid`
`user`| -|**[flow](flow)**|`end`
`message`
`start`|`application_protocol`
`content`
`dest_fqdn`
`dest_hostname`
`dest_ip`
`dest_port`
`end_time`
`exe`
`fqdn`
`hostname`
`image_path`
`in_bytes`
`network_direction`
`out_bytes`
`packet_count`
`pid`
`ppid`
`proto_info`
`protocol`
`src_fqdn`
`src_hostname`
`src_ip`
`src_port`
`start_time`
`tcp_flags`
`transport_protocol`
`uid`
`user`| -|**[http](http)**|`get`
`post`
`put`
`tunnel`|`hostname`
`http_version`
`response_body_bytes`
`response_body_content`
`response_status_code`
`request_body_bytes`
`request_body_content`
`request_referrer`
`requester_ip_address`
`url_full`
`url_domain`
`url_remainder`
`url_scheme`
`user_agent_full`
`user_agent_name`
`user_agent_device`
`user_agent_version`| -|**[module](module)**|`load`
`unload`|`base_address`
`fqdn`
`hostname`
`image_path`
`md5_hash`
`module_name`
`module_path`
`pid`
`sha1_hash`
`sha256_hash`
`signer`
`tid`
`signature_valid`| -|**[process](process)**|`access`
`create`
`terminate`|`access_level`
`call_trace`
`command_line`
`current_working_directory`
`env_vars`
`exe`
`fqdn`
`guid`
`hostname`
`integrity_level`
`image_path`
`md5_hash`
`parent_command_line`
`parent_exe`
`parent_guid`
`parent_image_path`
`pid`
`ppid`
`sha1_hash`
`sha256_hash`
`sid`
`signature_valid`
`signer`
`target_address`
`target_guid`
`taget_name`
`target_pid`
`uid`
`user`| -|**[registry](registry)**|`add`
`remove`
`key_edit`
`value_edit`|`data`
`fqdn`
`hive`
`hostname`
`image_path`
`key`
`pid`
`new_content`
`type`
`user`
`value`| +|**[authentication](authentication)**|`error`
`failure`
`success`|`ad_domain`
`app_name`
`auth_service`
`auth_target`
`decision_reason`
`fqdn`
`hostname`
`method`
`response_time`
`target_ad_domain`
`target_uid`
`target_user`
`target_user_role`
`target_user_type`
`uid`
`user`
`user_agent`
`user_role`
`user_type`| + +|**[driver](driver)**|`load`
`unload`|`base_address`
`fqdn`
`hostname`
`image_path`
`md5_hash`
`module_name`
`pid`
`sha1_hash`
`sha256_hash`
`signature_valid`
`signer`| + +|**[email](email)**|`block`
`delete`
`deliver`
`quarantine`
`redirect`|`action_reason`
`attachment_mime_type`
`attachment_name`
`attachment_size`
`date`
`dest_address`
`dest_ip`
`dest_port`
`from`
`message_body`
`message_links`
`message_type`
`return_address`
`server_relay`
`smtp_uid`
`src_address`
`src_domain`
`src_ip`
`src_port`
`subject`
`to`| + +|**[file](file)**|`acl_modify`
`create`
`delete`
`modify`
`read`
`timestomp`
`write`|`company`
`content`
`creation_time`
`extension`
`file_name`
`file_path`
`fqdn`
`gid`
`group`
`hostname`
`image_path`
`link_target`
`md5_hash`
`mime_type`
`mode`
`owner`
`owner_uid`
`pid`
`ppid`
`previous_creation_time`
`sha1_hash`
`sha256_hash`
`signature_valid`
`signer`
`uid`
`user`| + +|**[flow](flow)**|`end`
`message`
`start`|`application_protocol`
`content`
`dest_fqdn`
`dest_hostname`
`dest_ip`
`dest_port`
`end_time`
`exe`
`fqdn`
`hostname`
`image_path`
`in_bytes`
`network_direction`
`out_bytes`
`packet_count`
`pid`
`ppid`
`proto_info`
`src_fqdn`
`src_hostname`
`src_ip`
`src_port`
`start_time`
`tcp_flags`
`transport_protocol`
`uid`
`user`| + +|**[http](http)**|`get`
`post`
`put`
`tunnel`|`hostname`
`http_version`
`request_body_bytes`
`request_body_content`
`request_referrer`
`requester_ip_address`
`response_body_bytes`
`response_body_content`
`response_status_code`
`url_domain`
`url_full`
`url_remainder`
`url_scheme`
`user_agent_device`
`user_agent_full`
`user_agent_name`
`user_agent_version`| + +|**[module](module)**|`load`
`unload`|`base_address`
`fqdn`
`hostname`
`image_path`
`md5_hash`
`module_name`
`module_path`
`pid`
`sha1_hash`
`sha256_hash`
`signature_valid`
`signer`
`tid`| + +|**[process](process)**|`access`
`create`
`terminate`|`access_level`
`call_trace`
`command_line`
`current_working_directory`
`env_vars`
`exe`
`fqdn`
`guid`
`hostname`
`image_path`
`integrity_level`
`md5_hash`
`parent_command_line`
`parent_exe`
`parent_guid`
`parent_image_path`
`pid`
`ppid`
`sha1_hash`
`sha256_hash`
`sid`
`signature_valid`
`signer`
`target_address`
`target_guid`
`target_name`
`target_pid`
`uid`
`user`| + +|**[registry](registry)**|`add`
`key_edit`
`remove`
`value_edit`|`data`
`fqdn`
`hive`
`hostname`
`image_path`
`key`
`new_content`
`pid`
`type`
`user`
`value`| + |**[service](service)**|`create`
`delete`
`pause`
`start`
`stop`|`command_line`
`exe`
`fqdn`
`hostname`
`image_path`
`name`
`pid`
`ppid`
`uid`
`user`| -|**[socket](socket)**|`bind`
`listen`
`close`|`family`
`image_path`
`local_address`
`local_path`
`local_port`
`pid`
`protocol`
`remote_address`
`remote_port`
`success`| -|**[thread](thread)**|`create`
`remote_create`
`suspend`
`terminate`|`hostname`
`src_pid`
`src_tid`
`stack_base`
`stack_limit`
`start_address`
`start_function`
`start_module`
`start_module_name`
`subprocess_tag`
`tgt_pid`
`tgt_tid`
`uid`
`user`
`user_stack_base`
`user_stack_limit`| -|**[user_session](user_session)**|`lock`
`login`
`logout`
`reconnect`
`unlock`|`dest_ip`
`dest_port`
`hostname`
`login_type`
`logon_id`
`login_successful`
`src_ip`
`src_port`
`uid`
`user`| + +|**[socket](socket)**|`bind`
`close`
`listen`|`family`
`image_path`
`local_address`
`local_path`
`local_port`
`pid`
`protocol`
`remote_address`
`remote_port`
`success`| + +|**[thread](thread)**|`create`
`remote_create`
`suspend`
`terminate`|`hostname`
`src_pid`
`src_tid`
`stack_base`
`stack_limit`
`start_address`
`start_function`
`start_module`
`start_module_name`
`tgt_pid`
`tgt_tid`
`uid`
`user`
`user_stack_base`
`user_stack_limit`| + +|**[user_session](user_session)**|`lock`
`login`
`logout`
`reconnect`
`unlock`|`dest_ip`
`dest_port`
`hostname`
`login_id`
`login_successful`
`login_type`
`src_ip`
`src_port`
`uid`
`user`| + ## What is the data model? @@ -36,4 +49,4 @@ A *field* refers to the observable properties of an object. These properties may ### Coverage In order to gauge the usefulness of a sensor with respect to analytics, its output must be mapped into the Data Model. For each object that a sensor measures, it captures state. Some sensors periodically scan for objects, instead of monitoring for state changes. In these cases, state may be inferred by looking for changes in the properties of an object. -A summary of data model coverage is [here](data_model_with_sensors). +A summary of data model coverage is [here](data_model_with_sensors). \ No newline at end of file diff --git a/scripts/datamodel_index_template.md b/scripts/datamodel_index_template.md index e69de29b..e8d294ac 100644 --- a/scripts/datamodel_index_template.md +++ b/scripts/datamodel_index_template.md @@ -0,0 +1,28 @@ +--- +title: Data Model +--- + +The Data Model, strongly inspired by [CybOX](https://cyboxproject.github.io/), is an organization of the objects that may be monitored from a host-based or network-based perspective. Each object on can be identified by two dimensions: its actions and fields. When paired together, the three-tuple of `(object, action, field)` acts like a coordinate, and describe what properties and state changes of the object can be captured by a sensor. + +## Summary + +|Object|Actions|Fields| +|---|---|---|{% for model_name, model in datamodels.items()|sort(attribute='0') %} +|**[{{ model_name }}]({{ model_name }})**|{{ model['actions']|sort(attribute='name')|map(attribute='name')|map('backtick')|join('
') }}|{{ model['fields']|sort(attribute='name')|map(attribute='name')|map('backtick')|join('
') }}| +{% endfor %} + +## What is the data model? + +### Objects +In the Data Model an *object* is much like an [object in computer science](https://en.wikipedia.org/wiki/Object_(computer_science)). These are the items that data actually represent, such as hosts, files, connections, etc. Objects are the nouns of the Data Model vocabulary. + +### Actions +An *action* refers to a state change or event that happens on an object, such as an object's creation, destruction, or modification. These are the verbs that describe that an object can do, and what can happen to an object. However, there are cases where sensors do not monitor actions in objects but merely scan for and check the presence of an object. Each action is represented in a coverage matrix (the 2D table). The actions are on the y-axis. + +### Fields +A *field* refers to the observable properties of an object. These properties may contain flags, identifiers, data elements, or even references to other objects. In terms of vocabulary, fields are like the adjectives. They describe properties about an object. A [sensor](../resources/glossary#Sensor) monitors fields in the context of an object, and outputs these in some form of structured data. Once the data is ingested into a [SIEM](https://en.wikipedia.org/wiki/SIEM), the logs can be queried by forcing restrictions or patterns upon one or more objects, such as in an [analytic](../resources/glossary#Analytic). On the coverage matrix fields are on the x-axis. + +### Coverage +In order to gauge the usefulness of a sensor with respect to analytics, its output must be mapped into the Data Model. For each object that a sensor measures, it captures state. Some sensors periodically scan for objects, instead of monitoring for state changes. In these cases, state may be inferred by looking for changes in the properties of an object. + +A summary of data model coverage is [here](data_model_with_sensors). 
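Review bot: in the Summary table of datamodel_index_template.md, the `{% endfor %}` placed on its own line after each `|**[{{ model_name }}]({{ model_name }})**|...` row emits a blank line between table rows, and a blank line terminates a Markdown table, so only the first object row renders as part of the table (the regenerated index.md earlier in this patch shows those blank lines between rows). Either end the row line with `{% endfor %}` or enable `trim_blocks=True` and `lstrip_blocks=True` on the Jinja `Environment` so block tags do not leave newlines behind. Two wording slips in the intro paragraph of the same template: "Each object on can be identified" should read "Each object can be identified", and "the three-tuple ... acts like a coordinate, and describe" should be "describes".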
diff --git a/scripts/generate_datamodels.py b/scripts/generate_datamodels.py index 8f1bf83b..05765b47 100644 --- a/scripts/generate_datamodels.py +++ b/scripts/generate_datamodels.py @@ -2,7 +2,7 @@ This script generates the data model portion of the site for each YAML data model mapping file. """ from glob import glob -from jinja2 import Template +from jinja2 import Environment, FileSystemLoader from os import path from pathlib import Path from yaml import safe_load 
@@ -35,18 +35,33 @@ def replace_sensor_name_with_html(sensor_filename): for field, sensor_filenames in model['coverage_map'][action].items(): model['coverage_map'][action][field] = [replace_sensor_name_with_html(sensor_filename) for sensor_filename in sensor_filenames] -def generate_markdown(datamodels): - with open('datamodel_template.md') as f: - datamodel_template = Template(f.read()) +def create_jinja_environment(): + def backtick_wrapper_filter(value): + return f'`{value}`' + + # autoescape set to false since it's needed to have the html links be generated properly and cause the templates / input data are controlled by us + jinja_env = Environment(loader=FileSystemLoader('.'), autoescape=False) + jinja_env.filters['backtick'] = backtick_wrapper_filter + + return jinja_env + +def generate_markdown(datamodels, jinja_env): + datamodel_template = jinja_env.get_template('datamodel_template.md') for model in datamodels: with open(f'../docs/data_model/{model}.md', 'w', encoding='utf-8') as f: f.write(datamodel_template.render(datamodel=datamodels[model])) +def generate_index(datamodels, jinja_env): + index_template = jinja_env.get_template('datamodel_index_template.md') + with open('../docs/data_model/index.md', 'w', encoding='utf-8') as f: + f.write(index_template.render(datamodels=datamodels)) + def main(): datamodels = parse_yaml() - load_sensor = cached_load_sensor() - replace_sensor_names_with_html(datamodels, load_sensor) - generate_markdown(datamodels) + replace_sensor_names_with_html(datamodels, cached_load_sensor()) + jinja_env = create_jinja_environment() + generate_markdown(datamodels, jinja_env) + generate_index(datamodels, jinja_env) if __name__ == "__main__": main() From 0912ea835beeffe6a2e615881a011340d8a42340 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Sun, 26 Feb 2023 19:17:57 -0500 Subject: [PATCH 69/82] generate index with sensors 
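Review bot: `FileSystemLoader('.')` in create_jinja_environment resolves templates against the process's working directory, so `get_template('datamodel_template.md')` only succeeds when the script is run from `scripts/`; the output paths `'../docs/data_model/...'` in generate_markdown and generate_index carry the same hidden dependency. `Path` is already imported in this module, so anchor both on the script location, e.g. `FileSystemLoader(Path(__file__).parent)` and `Path(__file__).parents[1] / 'docs' / 'data_model'`. In the same `Environment(...)` call consider `keep_trailing_newline=True`: Jinja drops a template's final newline by default, which is why the regenerated docs/data_model/index.md in this patch now ends with `\ No newline at end of file`. The `autoescape=False` comment gives the right justification (Markdown output from repository-controlled YAML and templates), so keep it as is.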
Signed-off-by: Amndeep Singh Mann --- docs/data_model/data_model_with_sensors.md | 1370 ++++++++++++++++- .../datamodel_index_with_sensors_template.md | 22 + scripts/datamodel_sensors.md | 0 scripts/generate_datamodels.py | 6 + 4 files changed, 1328 insertions(+), 70 deletions(-) create mode 100644 scripts/datamodel_index_with_sensors_template.md delete mode 100644 scripts/datamodel_sensors.md diff --git a/docs/data_model/data_model_with_sensors.md b/docs/data_model/data_model_with_sensors.md index f91bcb38..03dddeae 100755 --- a/docs/data_model/data_model_with_sensors.md +++ b/docs/data_model/data_model_with_sensors.md @@ -6,108 +6,1338 @@ The **Data Model**, strongly inspired by [CybOX](https://cyboxproject.github.io/ Compare the data model's use in analytics that map to [ATT&CK](https://attack.mitre.org/). + ## [authentication](authentication) -| | **ad_domain** | **app_name** | **auth_service** | **auth_target** | **decision_reason** | **fqdn** | **hostname** | **method** | **response_time** | **target_ad_domain** | **target_uid** | **target_user** | **target_user_role** | **target_user_type** | **uid** | **user** | **user_agent** | **user_role** | **user_type | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **failure** | | | | | | | | | | | | | | | | | | | | -| **error** | | | | | | | | | | | | | | | | | | | | -| **success** | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ ad_domainapp_nameauth_serviceauth_targetdecision_reasonfqdnhostnamemethodresponse_timetarget_ad_domaintarget_uidtarget_usertarget_user_roletarget_user_typeuiduseruser_agentuser_roleuser_type
error
failure
success
## [driver](driver) -| | **base_address** | **fqdn** | **hostname** | **image_path** | **md5_hash** | **module_name** | **pid** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | -|---|---|---|---|---|---|---|---|---|---|---|---| -| **load** | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | -| **unload**| | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ base_addressfqdnhostnameimage_pathmd5_hashmodule_namepidsha1_hashsha256_hashsignature_validsigner
loadSysmonSysmonSysmonSysmonSysmonSysmon
unload
## [email](email) -| | **action_reason** | **attachment_mime_type** | **attachment_name** | **attachment_size** | **date** | **dest_address** | **dest_ip** | **dest_port** | **from** | **message_body** | **message_links** | **message_type** | **return_address** | **server_relay** | **smtp_uid** | **src_address** | **src_domain** | **src_ip** | **src_port** | **subject** | **to** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|--|--| -| **block** | | | | | | | | | | | | | | | | | | | | | | -| **delete** | | | | | | | | | | | | | | | | | | | | | | -| **deliver** | | | | | | | | | | | | | | | | | | | | | | -| **redirect** | | | | | | | | | | | | | | | | | | | | | | -| **quarantine** | | | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ action_reasonattachment_mime_typeattachment_nameattachment_sizedatedest_addressdest_ipdest_portfrommessage_bodymessage_linksmessage_typereturn_addressserver_relaysmtp_uidsrc_addresssrc_domainsrc_ipsrc_portsubjectto
block
delete
deliver
quarantine
redirect
## [file](file) -| | **company** | **content** | **creation_time** | **file_extension** | **file_gid** | **file_group** | **file_name** | **file_path** | **file_uid** | **file_user** | **fqdn** | **hostname** | **image_path** | **link_target** | **md5_hash** | **mime_type** | **mode** | **pid** | **ppid** | **previous_creation_time** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | **uid** | **user** | -| ---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | | | | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | | [Autoruns](../sensors/autoruns_13.98) | | | [Sysmon](../sensors/sysmon_13) | | | | | | [Sysmon](../sensors/sysmon_13) | | -| **delete** | | | | | | | | | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | | | | | [Sysmon](../sensors/sysmon_13) | | -| **modify** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | [Autoruns](../sensors/autoruns_13.98) | | | | | | | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | | -| **read** | | | | | | | | | | | | | | | | | | | | | | | | | | -| **timestomp** | | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | -| **write** | | | | | | | | | | | | | | | | | | | | | | | | | | -| **acl_modify** | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ companycontentcreation_timeextensionfile_namefile_pathfqdngidgrouphostnameimage_pathlink_targetmd5_hashmime_typemodeownerowner_uidpidppidprevious_creation_timesha1_hashsha256_hashsignature_validsigneruiduser
acl_modify
createAutoruns SysmonAutoruns SysmonAutorunsSysmonAutoruns SysmonAutorunsSysmonAutorunsSysmonSysmon
deleteSysmonSysmonSysmonSysmon
modifyAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutoruns
read
timestompSysmonSysmonSysmonSysmonSysmonSysmonSysmon
write
## [flow](flow) -| | **application_protocol** | **content** | **dest_fqdn** | **dest_hostname** | **dest_ip** | **dest_port** | **end_time** | **exe** | **fqdn** | **hostname** | **image_path** | **in_bytes** | **out_bytes** | **network_direction** | **packet_count** | **pid** | **ppid** | **proto_info** | **src_fqdn** | **src_hostname** | **src_ip** | **src_port** | **start_time** | **tcp_flags** | **transport_protocol** | **uid** | **user** | -| ---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **end** | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| **message** | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| **start** | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13)| [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ application_protocolcontentdest_fqdndest_hostnamedest_ipdest_portend_timeexefqdnhostnameimage_pathin_bytesnetwork_directionout_bytespacket_countpidppidproto_infosrc_fqdnsrc_hostnamesrc_ipsrc_portstart_timetcp_flagstransport_protocoluiduser
end
message
startSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
+ +## [http](http) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ hostnamehttp_versionrequest_body_bytesrequest_body_contentrequest_referrerrequester_ip_addressresponse_body_bytesresponse_body_contentresponse_status_codeurl_domainurl_fullurl_remainderurl_schemeuser_agent_deviceuser_agent_fulluser_agent_nameuser_agent_version
get
post
put
tunnel
## [module](module) -| | **base_address** | **fqdn** | **hostname** | **image_path** | **md5_hash** | **module_name** | **module_path** | **pid** | **sha1_hash** | **sha256_hash** | **signature_valid** | **signer** | **tid** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **load** | | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | -| **unload** | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ base_addressfqdnhostnameimage_pathmd5_hashmodule_namemodule_pathpidsha1_hashsha256_hashsignature_validsignertid
loadSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
unload
## [process](process) -| | **access_level** | **call_trace** | **command_line** | **current_working_directory** | **exe** | **env_vars** | **fqdn** | **guid** | **hostname** | **image_path** | **integrity_level** | **md5_hash** | **parent_command_line** | **parent_exe** | **parent_guid** | **parent_image_path** | **pid** | **ppid** | **sha1_hash** | **sha256_hash** | **sid** | **signer** | **signature_valid** | **target_address** | **target_guid** | **target_pid** | **target_name** | **user** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **access** | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | | | | | | [Sysmon](../sensors/sysmon_13) | | | | [Sysmon](../sensors/sysmon_13) | | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | -**create** | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | | | | | | | -| **terminate** | | | | | | | | | | | | | | | | | | | | | | | | | | | | - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ access_levelcall_tracecommand_linecurrent_working_directoryenv_varsexefqdnguidhostnameimage_pathintegrity_levelmd5_hashparent_command_lineparent_exeparent_guidparent_image_pathpidppidsha1_hashsha256_hashsidsignature_validsignertarget_addresstarget_guidtarget_nametarget_piduiduser
accessSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
createSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
terminate
## [registry](registry) -| | **data** | **fqdn** | **hostname** | **hive** | **key** | **image_path** | **new_content** | **pid** | **type** | **user** | **value** | -|---|---|---|---|---|---|---|---|---|---|---|---| -| **add** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)| [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | -**key_edit** | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98) | [Sysmon](../sensors/sysmon_13) | [Autoruns](../sensors/autoruns_13.98)
[Sysmon](../sensors/sysmon_13) | -| **remove** | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | [Sysmon](../sensors/sysmon_13) | | -| **value_edit** | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| [Autoruns](../sensors/autoruns_13.98) | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98) | | [Autoruns](../sensors/autoruns_13.98)| | [Autoruns](../sensors/autoruns_13.98) | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ datafqdnhivehostnameimage_pathkeynew_contentpidtypeuservalue
addAutoruns SysmonSysmonAutoruns SysmonAutorunsSysmonAutoruns SysmonSysmonAutorunsSysmonAutoruns
key_editAutoruns SysmonSysmonAutoruns SysmonAutorunsSysmonAutoruns SysmonAutoruns SysmonSysmonAutorunsSysmonAutoruns Sysmon
removeSysmonSysmonSysmonSysmonSysmonSysmonSysmon
value_editAutorunsAutorunsAutorunsAutorunsAutorunsAutorunsAutoruns
## [service](service) -| | **command_line** | **exe** | **fqdn** | **hostname** | **image_path** | **name** | **pid** | **ppid** | **uid** | **user** | -|---|---|---|---|---|---|---|---|---|---|---| -| **create** | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | | | | | -| **delete** | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | [Autoruns](https://car.mitre.org/wiki/Autoruns) | | | | | -| **pause** | | | | | | | | | | | -| **start** | | | | | | | | | | | -| **stop** | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ command_lineexefqdnhostnameimage_pathnamepidppiduiduser
createAutorunsAutorunsAutorunsAutorunsAutoruns
deleteAutorunsAutorunsAutorunsAutorunsAutoruns
pause
start
stop
## [socket](socket) -| | **family** | **image_path** | **local_address** | **local_path** | **local_port** | **pid** | **protocol** | **remote_address** | **remote_port** | **success** | -|---|---|---|---|---|---|---|---|---|---|---| -| **bind** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | -| **listen** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | -| **close** | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | o[osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | [osquery](../sensors/osquery_4.6.0) | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ familyimage_pathlocal_addresslocal_pathlocal_portpidprotocolremote_addressremote_portsuccess
bindosqueryosqueryosqueryosqueryosqueryosqueryosqueryosquery
closeosqueryosqueryosqueryosqueryosqueryosqueryosqueryosquery
listenosqueryosqueryosqueryosqueryosqueryosqueryosqueryosquery
## [thread](thread) -| | **hostname** | **src_pid** | **src_tid** | **stack_base** | **stack_limit** | **start_address** | **start_function** | **start_module** | **start_module_name** | **subprocess_tag** | **tgt_pid** | **tgt_tid** | **uid** | **user** | **user_stack_base** | **user_stack_limit** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | | | | | | | | | | | | | | | | | -| **remote_create** | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | |[Sysmon]( ../sensors/sysmon_13) |[Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | -| **suspend** | | | | | | | | | | | | | | | | | | -| **terminate** | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ hostnamesrc_pidsrc_tidstack_basestack_limitstart_addressstart_functionstart_modulestart_module_nametgt_pidtgt_tiduiduseruser_stack_baseuser_stack_limit
create
remote_createSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmonSysmon
suspend
terminate
## [user_session](user_session) -| | **hostname** | **src_pid** | **src_tid** | **stack_base** | **stack_limit** | **start_address** | **start_function** | **start_module** | **start_module_name** | **subprocess_tag** | **tgt_pid** | **tgt_tid** | **uid** | **user** | **user_stack_base** | **user_stack_limit** | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| **create** | | | | | | | | | | | | | | | | | -| **remote_create** | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | |[Sysmon]( ../sensors/sysmon_13) |[Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | [Sysmon]( ../sensors/sysmon_13) | | | -| **suspend** | | | | | | | | | | | | | | | | | | -| **terminate** | | | | | | | | | | | | | | | | | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ dest_ipdest_porthostnamelogin_idlogin_successfullogin_typesrc_ipsrc_portuiduser
lock
login
logout
reconnect
unlock
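Review bot: the regenerated data_model_with_sensors.md silently corrects two defects in the hand-maintained tables it replaces, and the commit message should say so: the removed `user_session` section was a copy of the `thread` table (same `src_pid`, `stack_base` and `remote_create` entries instead of the session fields), and the removed `socket` `close` row carried a stray `o` in `o[osquery](../sensors/osquery_4.6.0)`. Two rendering changes are also worth calling out: multiple sensors in one cell are now joined with a space (`Autoruns Sysmon`) where the old Markdown used `<br>`, and the `service` table now links Autoruns to the sensor page rather than the old `https://car.mitre.org/wiki/Autoruns` URL. Since the file is now 1370 lines of generator output, a leading comment in the template stating that the file is generated and must not be hand-edited would prevent the next drift.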
diff --git a/scripts/datamodel_index_with_sensors_template.md b/scripts/datamodel_index_with_sensors_template.md new file mode 100644 index 00000000..fe5db046 --- /dev/null +++ b/scripts/datamodel_index_with_sensors_template.md @@ -0,0 +1,22 @@ +--- +title: "Data Model with Sensors" +--- + +The **Data Model**, strongly inspired by [CybOX](https://cyboxproject.github.io/), is an organization of the objects that may be monitored from a host-based or network-based perspective. Each object can be identified by two dimensions: its actions and fields. When paired together, the three-tuple of `(object, action, field)` act like a coordinate, and describe what properties and state changes of the object can be captured by a sensor. + +Compare the data model's use in analytics that map to [ATT&CK](https://attack.mitre.org/). + +{% for model_name, model in datamodels.items()|sort(attribute='0') %} +## [{{ model_name }}]({{ model_name }}) + + + + {% endfor %} + {% for action in model['actions']|sort(attribute='name') %} + + {% for field in model['fields']|sort(attribute='name') %} + {% endfor %} + {% endfor %} +
{% for field in model['fields']|sort(attribute='name') %} + {{ field['name'] }}
{{ action['name'] }}{% if 'coverage_map' in model and action['name'] in model['coverage_map'] and field['name'] in model['coverage_map'][action['name']] %}{{ model['coverage_map'][action['name']][field['name']]|join(' ') }}{% endif %}
+{% endfor %} diff --git a/scripts/datamodel_sensors.md b/scripts/datamodel_sensors.md deleted file mode 100644 index e69de29b..00000000 diff --git a/scripts/generate_datamodels.py b/scripts/generate_datamodels.py index 05765b47..262201d0 100644 --- a/scripts/generate_datamodels.py +++ b/scripts/generate_datamodels.py @@ -56,12 +56,18 @@ def generate_index(datamodels, jinja_env): with open('../docs/data_model/index.md', 'w', encoding='utf-8') as f: f.write(index_template.render(datamodels=datamodels)) +def generate_index_with_sensors(datamodels, jinja_env): + index_template = jinja_env.get_template('datamodel_index_with_sensors_template.md') + with open('../docs/data_model/data_model_with_sensors.md', 'w', encoding='utf-8') as f: + f.write(index_template.render(datamodels=datamodels)) + def main(): datamodels = parse_yaml() replace_sensor_names_with_html(datamodels, cached_load_sensor()) jinja_env = create_jinja_environment() generate_markdown(datamodels, jinja_env) generate_index(datamodels, jinja_env) + generate_index_with_sensors(datamodels, jinja_env) if __name__ == "__main__": main() From 01ff21d56432b85bb692b3df75f8fe70d519430e Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Sun, 26 Feb 2023 19:21:49 -0500 Subject: [PATCH 70/82] formatting change to fix tables Signed-off-by: Amndeep Singh Mann --- docs/data_model/index.md | 13 ------------- scripts/datamodel_index_template.md | 3 +-- 2 files changed, 1 insertion(+), 15 deletions(-) diff --git a/docs/data_model/index.md b/docs/data_model/index.md index 0762211e..9dcea2bd 100644 --- a/docs/data_model/index.md +++ b/docs/data_model/index.md @@ -9,32 +9,19 @@ The Data Model, strongly inspired by [CybOX](https://cyboxproject.github.io/), i |Object|Actions|Fields| |---|---|---| |**[authentication](authentication)**|`error`
`failure`
`success`|`ad_domain`
`app_name`
`auth_service`
`auth_target`
`decision_reason`
`fqdn`
`hostname`
`method`
`response_time`
`target_ad_domain`
`target_uid`
`target_user`
`target_user_role`
`target_user_type`
`uid`
`user`
`user_agent`
`user_role`
`user_type`| - |**[driver](driver)**|`load`
`unload`|`base_address`
`fqdn`
`hostname`
`image_path`
`md5_hash`
`module_name`
`pid`
`sha1_hash`
`sha256_hash`
`signature_valid`
`signer`| - |**[email](email)**|`block`
`delete`
`deliver`
`quarantine`
`redirect`|`action_reason`
`attachment_mime_type`
`attachment_name`
`attachment_size`
`date`
`dest_address`
`dest_ip`
`dest_port`
`from`
`message_body`
`message_links`
`message_type`
`return_address`
`server_relay`
`smtp_uid`
`src_address`
`src_domain`
`src_ip`
`src_port`
`subject`
`to`| - |**[file](file)**|`acl_modify`
`create`
`delete`
`modify`
`read`
`timestomp`
`write`|`company`
`content`
`creation_time`
`extension`
`file_name`
`file_path`
`fqdn`
`gid`
`group`
`hostname`
`image_path`
`link_target`
`md5_hash`
`mime_type`
`mode`
`owner`
`owner_uid`
`pid`
`ppid`
`previous_creation_time`
`sha1_hash`
`sha256_hash`
`signature_valid`
`signer`
`uid`
`user`| - |**[flow](flow)**|`end`
`message`
`start`|`application_protocol`
`content`
`dest_fqdn`
`dest_hostname`
`dest_ip`
`dest_port`
`end_time`
`exe`
`fqdn`
`hostname`
`image_path`
`in_bytes`
`network_direction`
`out_bytes`
`packet_count`
`pid`
`ppid`
`proto_info`
`src_fqdn`
`src_hostname`
`src_ip`
`src_port`
`start_time`
`tcp_flags`
`transport_protocol`
`uid`
`user`| - |**[http](http)**|`get`
`post`
`put`
`tunnel`|`hostname`
`http_version`
`request_body_bytes`
`request_body_content`
`request_referrer`
`requester_ip_address`
`response_body_bytes`
`response_body_content`
`response_status_code`
`url_domain`
`url_full`
`url_remainder`
`url_scheme`
`user_agent_device`
`user_agent_full`
`user_agent_name`
`user_agent_version`| - |**[module](module)**|`load`
`unload`|`base_address`
`fqdn`
`hostname`
`image_path`
`md5_hash`
`module_name`
`module_path`
`pid`
`sha1_hash`
`sha256_hash`
`signature_valid`
`signer`
`tid`| - |**[process](process)**|`access`
`create`
`terminate`|`access_level`
`call_trace`
`command_line`
`current_working_directory`
`env_vars`
`exe`
`fqdn`
`guid`
`hostname`
`image_path`
`integrity_level`
`md5_hash`
`parent_command_line`
`parent_exe`
`parent_guid`
`parent_image_path`
`pid`
`ppid`
`sha1_hash`
`sha256_hash`
`sid`
`signature_valid`
`signer`
`target_address`
`target_guid`
`target_name`
`target_pid`
`uid`
`user`| - |**[registry](registry)**|`add`
`key_edit`
`remove`
`value_edit`|`data`
`fqdn`
`hive`
`hostname`
`image_path`
`key`
`new_content`
`pid`
`type`
`user`
`value`| - |**[service](service)**|`create`
`delete`
`pause`
`start`
`stop`|`command_line`
`exe`
`fqdn`
`hostname`
`image_path`
`name`
`pid`
`ppid`
`uid`
`user`| - |**[socket](socket)**|`bind`
`close`
`listen`|`family`
`image_path`
`local_address`
`local_path`
`local_port`
`pid`
`protocol`
`remote_address`
`remote_port`
`success`| - |**[thread](thread)**|`create`
`remote_create`
`suspend`
`terminate`|`hostname`
`src_pid`
`src_tid`
`stack_base`
`stack_limit`
`start_address`
`start_function`
`start_module`
`start_module_name`
`tgt_pid`
`tgt_tid`
`uid`
`user`
`user_stack_base`
`user_stack_limit`| - |**[user_session](user_session)**|`lock`
`login`
`logout`
`reconnect`
`unlock`|`dest_ip`
`dest_port`
`hostname`
`login_id`
`login_successful`
`login_type`
`src_ip`
`src_port`
`uid`
`user`| - ## What is the data model? ### Objects diff --git a/scripts/datamodel_index_template.md b/scripts/datamodel_index_template.md index e8d294ac..8cf84471 100644 --- a/scripts/datamodel_index_template.md +++ b/scripts/datamodel_index_template.md @@ -8,8 +8,7 @@ The Data Model, strongly inspired by [CybOX](https://cyboxproject.github.io/), i |Object|Actions|Fields| |---|---|---|{% for model_name, model in datamodels.items()|sort(attribute='0') %} -|**[{{ model_name }}]({{ model_name }})**|{{ model['actions']|sort(attribute='name')|map(attribute='name')|map('backtick')|join('
') }}|{{ model['fields']|sort(attribute='name')|map(attribute='name')|map('backtick')|join('
') }}| -{% endfor %} +|**[{{ model_name }}]({{ model_name }})**|{{ model['actions']|sort(attribute='name')|map(attribute='name')|map('backtick')|join('
') }}|{{ model['fields']|sort(attribute='name')|map(attribute='name')|map('backtick')|join('
') }}|{% endfor %} ## What is the data model? From 5b9c3a8c10e6e0193d552032734939cb9efc112b Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Sun, 26 Feb 2023 19:47:02 -0500 Subject: [PATCH 71/82] use the more modern pathlib instead of path and glob Signed-off-by: Amndeep Singh Mann --- scripts/generate_datamodels.py | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/scripts/generate_datamodels.py b/scripts/generate_datamodels.py index 262201d0..4d017a00 100644 --- a/scripts/generate_datamodels.py +++ b/scripts/generate_datamodels.py @@ -1,25 +1,23 @@ """ This script generates the data model portion of the site for each YAML data model mapping file. """ -from glob import glob from jinja2 import Environment, FileSystemLoader -from os import path from pathlib import Path from yaml import safe_load def parse_yaml(): - datamodel_files = glob(path.join(path.dirname(__file__), "..", "data_model", "*.yaml")) + datamodel_files = (Path(__file__).parents[1] / "data_model").glob("*.yaml") datamodels = {} for file in datamodel_files: with open(file, encoding="utf-8") as f: - datamodels[Path(file).stem] = safe_load(f.read()) + datamodels[file.stem] = safe_load(f.read()) return datamodels def cached_load_sensor(): sensors = {} def load_sensor(filename): if filename not in sensors: - sensor_file = path.join(path.dirname(__file__), "..", "sensors", f"(unknown).yaml") + sensor_file = Path(__file__).parents[1] / "sensors" / f"(unknown).yaml" with open(sensor_file, encoding="utf-8") as f: sensors[filename] = safe_load(f.read()) return sensors[filename] From 5684c73e17c86796a6719cb8d8eb3486cecfbabd Mon Sep 17 00:00:00 2001 From: alexiacrumpton Date: Mon, 27 Feb 2023 14:05:19 +0000 Subject: [PATCH 72/82] Automated commit to rebuild the static site 
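Review bot: in the `scripts/datamodel_index_template.md` hunk, gluing `{% endfor %}` onto the end of the row line does fix the blank line that the old trailing newline put between table rows (kramdown ends a pipe table at the first blank line), but Jinja's whitespace control gets the same result without the unreadable one-liner: keep `{% endfor %}` on its own line and write it as `{%- endfor %}`. The larger problem survives the change: `join('` followed by a line break emits a raw newline inside every Actions and Fields cell, and a pipe-table cell cannot span lines, which is exactly why the generated `docs/data_model/index.md` above shows each action and field on its own line with the `|` delimiters stranded after the last entry of each list (`` `user`| - |**[registry](registry)**|`add` ``). Join with `'<br>'` (or `', '`) so each object stays on one row; if the separator is meant to be an HTML `<br>`, it has to appear literally in the template.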
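Review bot: in the `scripts/generate_datamodels.py` hunk, `Path(__file__).parents[1]` raises `IndexError` when `__file__` is a bare relative name, as it is for `python generate_datamodels.py` run from inside `scripts/` on Python older than 3.9 (where `__main__.__file__` is not made absolute): a one-component path has a single parent, so index 1 does not exist, whereas the old `path.join(path.dirname(__file__), "..")` tolerated that. Use `Path(__file__).resolve().parents[1]`, computed once at module level, in both `parse_yaml` and `load_sensor`. Separately, `load_sensor` joins a caller-supplied `filename` under `sensors/` with no containment check; with pathlib an absolute component replaces the base path and `..` segments walk out of it, so if the name comes from the analytic YAML files, confirm `sensor_file.resolve().is_relative_to(root / "sensors")` (3.9+) or an equivalent prefix check before opening it. `safe_load` is the right loader; keep it.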
Signed-off-by: Build and Push Automation Script <> --- docs/analytics/CAR-2013-01-002/index.md | 1 + docs/analytics/CAR-2013-01-003/index.md | 6 +- docs/analytics/CAR-2013-02-008/index.md | 4 +- docs/analytics/CAR-2013-02-012/index.md | 1 + docs/analytics/CAR-2013-03-001/index.md | 3 + docs/analytics/CAR-2013-05-003/index.md | 1 + docs/analytics/CAR-2013-07-005/index.md | 4 + docs/analytics/CAR-2013-08-001/index.md | 4 + docs/analytics/CAR-2013-10-001/index.md | 4 + docs/analytics/CAR-2013-10-002/index.md | 3 + docs/analytics/CAR-2014-02-001/index.md | 4 +- docs/analytics/CAR-2014-03-005/index.md | 4 +- docs/analytics/CAR-2014-04-003/index.md | 6 + docs/analytics/CAR-2014-11-002/index.md | 4 +- docs/analytics/CAR-2014-11-003/index.md | 5 +- docs/analytics/CAR-2014-11-004/index.md | 6 +- docs/analytics/CAR-2014-11-005/index.md | 2 + docs/analytics/CAR-2014-11-006/index.md | 3 +- docs/analytics/CAR-2014-11-007/index.md | 2 + docs/analytics/CAR-2014-12-001/index.md | 8 +- docs/analytics/CAR-2016-03-001/index.md | 21 +- docs/analytics/CAR-2016-03-002/index.md | 14 +- docs/analytics/CAR-2016-04-002/index.md | 5 +- docs/analytics/CAR-2016-04-003/index.md | 5 +- docs/analytics/CAR-2016-04-004/index.md | 3 +- docs/analytics/CAR-2016-04-005/index.md | 2 +- docs/analytics/CAR-2019-04-001/index.md | 10 +- docs/analytics/CAR-2019-04-002/index.md | 12 +- docs/analytics/CAR-2019-04-003/index.md | 8 +- docs/analytics/CAR-2019-04-004/index.md | 18 +- docs/analytics/CAR-2019-07-001/index.md | 2 +- docs/analytics/CAR-2019-07-002/index.md | 10 +- docs/analytics/CAR-2019-08-001/index.md | 8 +- docs/analytics/CAR-2019-08-002/index.md | 8 +- docs/analytics/CAR-2020-05-001/index.md | 3 +- docs/analytics/CAR-2020-05-003/index.md | 5 +- docs/analytics/CAR-2020-09-001/index.md | 4 + docs/analytics/CAR-2020-09-002/index.md | 8 +- docs/analytics/CAR-2020-09-003/index.md | 8 +- docs/analytics/CAR-2020-09-004/index.md | 16 +- docs/analytics/CAR-2020-09-005/index.md | 10 +- 
docs/analytics/CAR-2020-11-001/index.md | 6 +- docs/analytics/CAR-2020-11-002/index.md | 4 + docs/analytics/CAR-2020-11-003/index.md | 4 + docs/analytics/CAR-2020-11-004/index.md | 16 +- docs/analytics/CAR-2020-11-005/index.md | 4 + docs/analytics/CAR-2020-11-006/index.md | 4 + docs/analytics/CAR-2020-11-007/index.md | 4 + docs/analytics/CAR-2020-11-008/index.md | 4 + docs/analytics/CAR-2020-11-009/index.md | 4 + docs/analytics/CAR-2020-11-010/index.md | 3 + docs/analytics/CAR-2020-11-011/index.md | 4 + docs/analytics/CAR-2021-01-002/index.md | 2 + docs/analytics/CAR-2021-01-003/index.md | 2 + docs/analytics/CAR-2021-01-004/index.md | 2 + docs/analytics/CAR-2021-01-006/index.md | 3 + docs/analytics/CAR-2021-01-007/index.md | 3 + docs/analytics/CAR-2021-01-008/index.md | 2 + docs/analytics/CAR-2021-01-009/index.md | 3 + docs/analytics/CAR-2021-02-001/index.md | 11 +- docs/analytics/CAR-2021-02-002/index.md | 7 +- docs/analytics/CAR-2021-04-001/index.md | 7 +- docs/analytics/CAR-2021-05-001/index.md | 3 +- docs/analytics/CAR-2021-05-002/index.md | 3 +- docs/analytics/CAR-2021-05-003/index.md | 1 + docs/analytics/CAR-2021-05-004/index.md | 3 +- docs/analytics/CAR-2021-05-005/index.md | 3 +- docs/analytics/CAR-2021-05-006/index.md | 1 + docs/analytics/CAR-2021-05-007/index.md | 1 + docs/analytics/CAR-2021-05-008/index.md | 5 +- docs/analytics/CAR-2021-05-009/index.md | 3 +- docs/analytics/CAR-2021-05-010/index.md | 1 + docs/analytics/CAR-2021-05-011/index.md | 5 +- docs/analytics/CAR-2021-05-012/index.md | 3 +- docs/analytics/CAR-2021-11-001/index.md | 4 + docs/analytics/CAR-2021-11-002/index.md | 5 + docs/analytics/CAR-2021-12-001/index.md | 4 + docs/analytics/CAR-2021-12-002/index.md | 4 + docs/analytics/CAR-2022-03-001/index.md | 5 +- docs/analytics/by_technique/index.md | 100 ++-- docs/car_attack/car_attack.json | 622 ++++++++++++------------ docs/data/analytics.json | 2 +- docs/sensors/auditd_2.8.md | 32 +- docs/sensors/index.md | 0 docs/sensors/osquery_4.1.2.md | 
32 +- docs/sensors/osquery_4.6.0.md | 32 +- docs/sensors/sysmon_10.4.md | 57 ++- docs/sensors/sysmon_11.0.md | 57 ++- docs/sensors/sysmon_13.md | 57 ++- 89 files changed, 829 insertions(+), 570 deletions(-) mode change 100755 => 100644 docs/analytics/CAR-2020-11-001/index.md mode change 100755 => 100644 docs/analytics/CAR-2020-11-002/index.md mode change 100755 => 100644 docs/analytics/CAR-2020-11-003/index.md mode change 100755 => 100644 docs/analytics/CAR-2020-11-004/index.md mode change 100755 => 100644 docs/analytics/CAR-2020-11-005/index.md mode change 100755 => 100644 docs/analytics/CAR-2020-11-006/index.md mode change 100755 => 100644 docs/analytics/CAR-2020-11-007/index.md mode change 100755 => 100644 docs/analytics/CAR-2020-11-008/index.md mode change 100755 => 100644 docs/analytics/CAR-2020-11-009/index.md mode change 100755 => 100644 docs/analytics/CAR-2020-11-010/index.md mode change 100755 => 100644 docs/analytics/CAR-2020-11-011/index.md mode change 100755 => 100644 docs/sensors/index.md mode change 100755 => 100644 docs/sensors/osquery_4.1.2.md mode change 100755 => 100644 docs/sensors/osquery_4.6.0.md mode change 100755 => 100644 docs/sensors/sysmon_10.4.md mode change 100755 => 100644 docs/sensors/sysmon_11.0.md diff --git a/docs/analytics/CAR-2013-01-002/index.md b/docs/analytics/CAR-2013-01-002/index.md index aad379aa..b99c5476 100644 --- a/docs/analytics/CAR-2013-01-002/index.md +++ b/docs/analytics/CAR-2013-01-002/index.md @@ -14,6 +14,7 @@ The Sysinternals tool [Autoruns](../sensors/autoruns) checks the registry and fi Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| 
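Review bot: the diffstat for this automated rebuild flips sixteen generated files from `100755` to `100644` (the eleven `CAR-2020-11-0xx` pages plus `docs/sensors/index.md`, both `osquery_*` pages and `sysmon_10.4.md` / `sysmon_11.0.md`), and `docs/sensors/index.md | 0` is a mode-only change. Markdown should never have been executable, so the direction is right, but an automation commit silently rewriting modes means the generator's output permissions track the runner's umask and will flip again on a differently configured runner. Have the generator write with an explicit mode (or `chmod 644` its output) so later rebuild commits contain only content changes.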
diff --git a/docs/analytics/CAR-2013-01-003/index.md b/docs/analytics/CAR-2013-01-003/index.md index 0261bdbb..ae5269f6 100644 --- a/docs/analytics/CAR-2013-01-003/index.md +++ b/docs/analytics/CAR-2013-01-003/index.md @@ -9,13 +9,14 @@ contributors: MITRE applicable_platforms: N/A ---

-[Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise. +[Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. 
Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise. ### Output Description The source, destination, content, and time of each event. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -45,7 +46,7 @@ The source, destination, content, and time of each event. #### Pseudocode -Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved. +Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved. ``` @@ -53,6 +54,7 @@ flow = search Flow:Message smb_events = filter flow where (dest_port == "445" and protocol == "smb") smb_events.file_name = smb_events.proto_info.file_name output smb_write + ``` diff --git a/docs/analytics/CAR-2013-02-008/index.md b/docs/analytics/CAR-2013-02-008/index.md index 023ce975..3b436a92 100644 --- a/docs/analytics/CAR-2013-02-008/index.md +++ b/docs/analytics/CAR-2013-02-008/index.md @@ -15,6 +15,7 @@ Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pr Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's [Audit Logon Events](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787567(v=ws.10)) page. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| 
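Review bot: CAR-2013-01-003, first hunk: the `-`/`+` description lines differ only in trailing whitespace, and both keep the broken link `[Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block)`; the unescaped space ends the URL at `Server_Message`. Fix it to `Server_Message_Block` in the analytic YAML, since this page is generated and a hand edit here is overwritten on the next rebuild.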
@@ -47,9 +48,10 @@ Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types ``` users_list = search UserSession:Login users_grouped = group users_list by hostname -users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count +users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1) output multiple_logins + ``` diff --git a/docs/analytics/CAR-2013-02-012/index.md b/docs/analytics/CAR-2013-02-012/index.md index 15553611..62c82922 100644 --- a/docs/analytics/CAR-2013-02-012/index.md +++ b/docs/analytics/CAR-2013-02-012/index.md @@ -18,6 +18,7 @@ Certain users will likely appear as being logged into several machines and may n User Name, Machines logged into, the earliest and latest times in which users were logged into the host, the type of logon, and logon ID. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| diff --git a/docs/analytics/CAR-2013-03-001/index.md b/docs/analytics/CAR-2013-03-001/index.md index 9d01d6a1..faf166ed 100644 --- a/docs/analytics/CAR-2013-03-001/index.md +++ b/docs/analytics/CAR-2013-03-001/index.md @@ -21,6 +21,7 @@ The sequence of processes that resulted in `reg.exe` being started from a shell. - `reg.exe` + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -65,6 +66,7 @@ reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe") cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"") reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname) output reg_and_cmd + ``` 
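Review bot: CAR-2013-02-008: the hunk-header context `Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pr` carries the wrong legacy ID; the pre-Vista successful-logon event is 528, while 518 is the SAM notification-package event (the same sentence recurs in CAR-2013-10-001 below). In the `@@ -47,9 +48,10 @@` hunk the pseudocode line `max(time) as latest_time count(user) as user_count` is missing the comma between the two aggregates, so the select list does not parse; the rebuild only stripped trailing whitespace from it. Both fixes belong in the source analytic, not in this generated output.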
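Review bot: CAR-2013-03-001, hunk at `@@ -65,6 +66,7 @@`: the context line `cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"")` has a doubled closing quote that unbalances the expression; drop one `"` at the source so the pseudocode block is well formed.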
@@ -77,6 +79,7 @@ DNIF version of the above pseudocode. _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*reg\.exe.*)i AND $ParentProcess=regex(.*cmd\.exe.*)i as #A limit 100 >>_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*cmd\.exe.*)i NOT $ParentProcess=regex(.*explorer\.exe.*)i as #B limit 100 >>_checkif sjoin #B.$PPID = #A.$CPID str_compare #B.$SystemName eq #A.$SystemName include + ``` diff --git a/docs/analytics/CAR-2013-05-003/index.md b/docs/analytics/CAR-2013-05-003/index.md index 61a44567..6240bf1c 100644 --- a/docs/analytics/CAR-2013-05-003/index.md +++ b/docs/analytics/CAR-2013-05-003/index.md @@ -48,6 +48,7 @@ flow = search Flow:Message smb_write = filter flow where (dest_port == "445" and protocol == "smb.write") smb_write.file_name = smb_write.proto_info.file_name output smb_write + ``` diff --git a/docs/analytics/CAR-2013-07-005/index.md b/docs/analytics/CAR-2013-07-005/index.md index 871358e0..a7576a61 100644 --- a/docs/analytics/CAR-2013-07-005/index.md +++ b/docs/analytics/CAR-2013-07-005/index.md @@ -14,6 +14,7 @@ Before [exfiltrating data](https://attack.mitre.org/tactics/TA0010) that an adve In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "`\* a \*`". This is helpful, as adversaries may change program names. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -48,6 +49,7 @@ This analytic looks for the command line argument `a`, which is used by RAR. How processes = search Process:Create rar_argument = filter processes where (command_line == "* a *") output rar_argument + ``` @@ -58,6 +60,7 @@ DNIF version of the above pseudocode. ``` _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.* a .*)i limit 100 + ``` @@ -68,6 +71,7 @@ LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=1 command="* a *" + ``` 
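Review bot: CAR-2013-03-001, DNIF hunk at `@@ -77,6 +79,7 @@`: the join is reversed relative to the pseudocode. `#A` is the `reg.exe` set and `#B` the `cmd.exe` set, and the pseudocode joins on `reg.ppid == cmd.pid`, but the query reads `_checkif sjoin #B.$PPID = #A.$CPID`, i.e. it pairs the parent of `cmd.exe` with the pid of `reg.exe`. It should be `#A.$PPID = #B.$CPID`. The `str_compare #B.$SystemName eq #A.$SystemName` host check is fine as written.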
diff --git a/docs/analytics/CAR-2013-08-001/index.md b/docs/analytics/CAR-2013-08-001/index.md index 4e59652f..5e774f47 100644 --- a/docs/analytics/CAR-2013-08-001/index.md +++ b/docs/analytics/CAR-2013-08-001/index.md @@ -47,6 +47,7 @@ Look for instances of `schtasks.exe` running as processes. The `command_line` fi process = search Process:Create schtasks = filter process where (exe == "schtasks.exe") output schtasks + ``` @@ -57,6 +58,7 @@ DNIF version of the above pseudocode. ``` _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=schtasks.exe AND $Process=regex(.*(\/create|\/run|\/query|\/delete|\/change|\/end).*)i limit 100 + ``` @@ -67,6 +69,7 @@ LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=1 image="*\schtasks.exe" command IN ["*/create*", "*/run*", "*/query*", "*/delete*", "*/change*", "*/end*"] + ``` @@ -85,6 +88,7 @@ Create a new scheduled task with schtasks.exe and verify the analytic fires when * To remove the scheduled task, execute `schtasks /Delete /TN calctask`. * The program should respond with “SUCCESS: The scheduled task “calctask” was successfully deleted.” + ``` schtasks /Create /SC ONCE /ST 19:00 /TR C:\Windows\System32\calc.exe /TN calctask schtasks /Delete /TN calctask diff --git a/docs/analytics/CAR-2013-10-001/index.md b/docs/analytics/CAR-2013-10-001/index.md index 8c0e020a..b07ca014 100644 --- a/docs/analytics/CAR-2013-10-001/index.md +++ b/docs/analytics/CAR-2013-10-001/index.md @@ -19,6 +19,7 @@ Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pr The time of login events for distinct users on individual systems + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -50,6 +51,7 @@ logon_events = search User_Session:Login filtered_logons = filter logon_events where ( user NOT IN TOP30(user)) output filtered_logons + ``` 
@@ -61,6 +63,7 @@ Splunk version of the above pseudocode. NOTE - this is liable to be quite noisy ``` index=__your_win_event_log_index__ EventCode=4624|search NOT [search index=__your_win_event_log_index__ EventCode=4624|top 30 Account_Name|table Account_Name] + ``` @@ -75,6 +78,7 @@ _fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICA >>_store in_disk david_test win_top_30 stack_replace >>_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN limit 10000 >>_checkif lookup david_test win_top_30 join $ScopeID = $ScopeID str_compare $User eq $User exclude + ``` diff --git a/docs/analytics/CAR-2013-10-002/index.md b/docs/analytics/CAR-2013-10-002/index.md index 7cf719f6..d74768ad 100644 --- a/docs/analytics/CAR-2013-10-002/index.md +++ b/docs/analytics/CAR-2013-10-002/index.md @@ -18,6 +18,7 @@ Microsoft Windows allows for processes to remotely create threads within other p This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is `LoadLibraryA` or `LoadLibraryW`, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -56,6 +57,7 @@ remote_thread = filter (start_function == "LoadLibraryA" or start_function == "L remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe") output remote_thread + ``` @@ -66,6 +68,7 @@ LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe" + ``` diff --git a/docs/analytics/CAR-2014-02-001/index.md b/docs/analytics/CAR-2014-02-001/index.md index 3708d644..3fd27940 100644 
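Review bot: CAR-2013-10-001, DNIF hunk at `@@ -75,6 +78,7 @@`: the published query persists its top-30 lookup under a developer's personal namespace, `_store in_disk david_test win_top_30`, and reads it back with `lookup david_test win_top_30`. Rename the store to something neutral (or make it a documented parameter) before this ships; the Splunk variant in the preceding hunk has the same shape without the leak.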
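Review bot: CAR-2013-10-002, hunk at `@@ -56,6 +57,7 @@`: the pseudocode lines `remote_thread = filter (start_function == ...)` and `remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")` apply `filter` without naming the set being filtered, unlike every other analytic on this page (`filter processes where (...)`), and the second line should narrow the `remote_thread` set produced by the first rather than start over. Write them as `filter remote_thread where (...)` in the source.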
--- a/docs/analytics/CAR-2014-02-001/index.md +++ b/docs/analytics/CAR-2014-02-001/index.md @@ -16,6 +16,7 @@ Adversaries may modify the binary file for an existing service to achieve [Persi The Service Name and approximate time in which changes occurred on each host + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -58,12 +59,13 @@ file_change = search File:Create,Modify process = search Process:Create service_process = filter processes where (parent_exe == "services.exe") modified_service = join (search, filter) where ( - file_change.time < service_process.time and + file_change.time < service_process.time and file_change.file_path == service_process.image_path ) modified_service = filter modified_service where (modified_service.file_change.image_path not in legitimate_installers) output modified_service + ``` diff --git a/docs/analytics/CAR-2014-03-005/index.md b/docs/analytics/CAR-2014-03-005/index.md index e69641cc..6b9baddb 100644 --- a/docs/analytics/CAR-2014-03-005/index.md +++ b/docs/analytics/CAR-2014-03-005/index.md @@ -9,13 +9,14 @@ contributors: MITRE applicable_platforms: Windows ---
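Review bot: CAR-2014-02-001, hunk at `@@ -58,12 +59,13 @@`: the whitespace-only change leaves a pseudocode block that does not hang together. It binds `process = search Process:Create` but then filters `processes`, and the join is written `join (search, filter)` using the keywords rather than the two result sets, while the `where` clause references `file_change` and `service_process`. It should read `join (file_change, service_process) where (...)`; fix it in the analytic source so the generated page stops carrying it.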

-There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality. +There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality. When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the [RPC Endpoint Mapper](../CAR-2014-05-001) over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on `services.exe`. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command. This compound behavior can be detected by looking for `services.exe` receiving a network connection and immediately spawning a child process. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -59,6 +60,7 @@ remote_start = join (flow, service ) where ( (flow.time < service.time < flow.time + 1 second) ) output remote_start + ``` diff --git a/docs/analytics/CAR-2014-04-003/index.md b/docs/analytics/CAR-2014-04-003/index.md index 047e86f3..8929c620 100644 --- a/docs/analytics/CAR-2014-04-003/index.md +++ b/docs/analytics/CAR-2014-04-003/index.md 
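Review bot: CAR-2014-03-005: the `-`/`+` pair differs only in trailing whitespace, and the following context line still reads `the the SCM process will run the corresponding command`; drop the duplicated word at the source.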
@@ -16,6 +16,7 @@ Powershell can be used to hide monitored command line execution such as: - `sc start` + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -52,6 +53,7 @@ Look for versions of `PowerShell` that were not launched interactively. process = search Process:Create powershell = filter process where (exe == "powershell.exe" AND parent_exe != "explorer.exe" ) output powershell + ``` @@ -62,6 +64,7 @@ Splunk version of the above pseudocode. ``` index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\powershell.exe" ParentImage!="C:\\Windows\\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName + ``` @@ -73,6 +76,7 @@ EQL version of the above pseudocode. ``` process where subtype.create and (process_name == "powershell.exe" and parent_process_name != "explorer.exe") + ``` @@ -83,6 +87,7 @@ DNIF version of the above pseudocode. ``` _fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=powershell.exe NOT $ParentProcess=regex(.*explorer.exe.*)i limit 30 + ``` @@ -93,6 +98,7 @@ LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=1 image="*\powershell.exe" -parent_image="C:\Windows\explorer.exe" + ``` diff --git a/docs/analytics/CAR-2014-11-002/index.md b/docs/analytics/CAR-2014-11-002/index.md index 5c7a8c01..23d636b7 100644 --- a/docs/analytics/CAR-2014-11-002/index.md +++ b/docs/analytics/CAR-2014-11-002/index.md @@ -11,7 +11,7 @@ applicable_platforms: Windows

Many programs create command prompts as part of their normal operation including malware used by attackers. This analytic attempts to identify suspicious programs spawning `cmd.exe` by looking for programs that do not normally create `cmd.exe`. -While this analytic does not take the user into account, doing so could generate further interesting results. +While this analytic does not take the user into account, doing so could generate further interesting results. It is very common for some programs to spawn cmd.exe as a subprocess, for example to run batch files or windows commands. However many process don’t routinely launch a command prompt – for example Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one. @@ -20,6 +20,7 @@ It is very common for some programs to spawn cmd.exe as a subprocess, for exampl The time and host the new process was started as well as its parent + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -59,6 +60,7 @@ historic_cmd = filter cmd (where timestamp < now - 1 day AND timestamp > now - 1 current_cmd = filter cmd (where timestamp >= now - 1 day) new_cmd = historic_cmd - current_cmd output new_cmd + ``` diff --git a/docs/analytics/CAR-2014-11-003/index.md b/docs/analytics/CAR-2014-11-003/index.md index 917b1158..85414491 100644 --- a/docs/analytics/CAR-2014-11-003/index.md +++ b/docs/analytics/CAR-2014-11-003/index.md @@ -9,11 +9,12 @@ contributors: MITRE applicable_platforms: Windows ---
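Review bot: CAR-2014-11-002, hunk at `@@ -59,6 +60,7 @@`: the pseudocode computes `new_cmd = historic_cmd - current_cmd`, which yields parents that spawned `cmd.exe` during the baseline window but not in the last day, the opposite of what the analytic describes (programs that do not normally create `cmd.exe`). It should be `current_cmd - historic_cmd`. In the first hunk, the whitespace-only rewrite also leaves `However many process don't routinely launch a command prompt` (`processes`).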

-The Windows Registry location `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for [Accessibility Applications](https://attack.mitre.org/techniques/T1546/008). The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set. +The Windows Registry location `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for [Accessibility Applications](https://attack.mitre.org/techniques/T1546/008). The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set. This analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| 
@@ -49,6 +50,7 @@ One simple way to implement this technique is to note that in a default Windows process = search Process:Create debuggers = filter process where (command_line match "$.* .*(sethc{{pipe}}utilman{{pipe}}osk{{pipe}}narrator{{pipe}}magnify)\.exe") output debuggers + ``` @@ -59,6 +61,7 @@ LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=1 command IN ["$* *sethc.exe", "$* *utilman.exe", "$* *osk.exe", "$* *narrator.exe", "$* *magnify.exe"] + ``` diff --git a/docs/analytics/CAR-2014-11-004/index.md b/docs/analytics/CAR-2014-11-004/index.md index 2ba04b40..02109590 100644 --- a/docs/analytics/CAR-2014-11-004/index.md +++ b/docs/analytics/CAR-2014-11-004/index.md @@ -14,6 +14,7 @@ According to [ATT&CK](https://attack.mitre.org/), [PowerShell](https://attack.mi For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command `Enter-PSSession -ComputerName \` creates a remote PowerShell session. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -47,6 +48,7 @@ For this to work, certain registry keys must be set, and the WinRM service must ``` process = search Process:Create wsmprovhost = filter process where (exe == "wsmprovhost.exe" and parent_exe == "svchost.exe") + ``` @@ -57,7 +59,8 @@ EQL version of the above pseudocode. ``` process where subtype.create and - (process_name == "wsmprovhost.exe" and parent_process_name == "svchost.exe") + (process_name == "wsmprovhost.exe" and parent_process_name == "svchost.exe") + ``` @@ -68,6 +71,7 @@ LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=1 image="*\wsmprovhost.exe" parent_image="*\svchost.exe" + ``` diff --git a/docs/analytics/CAR-2014-11-005/index.md b/docs/analytics/CAR-2014-11-005/index.md index 49e6d432..afdcf95e 100644 --- a/docs/analytics/CAR-2014-11-005/index.md +++ b/docs/analytics/CAR-2014-11-005/index.md 
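Review bot: CAR-2014-11-003, hunk at `@@ -49,6 +50,7 @@`: the pattern `command_line match "$.* .*(sethc{{pipe}}utilman{{pipe}}osk{{pipe}}narrator{{pipe}}magnify)\.exe"` starts with `$`, which is an end-of-input anchor; a regex that requires content after the end of the string can never match, and `^` was presumably intended. The LogPoint variant in the next hunk copies the leading `$` into `"$* *sethc.exe"` and friends; check whether it means anything there or is the same typo carried over.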
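Review bot: CAR-2014-11-004, hunk at `@@ -47,6 +48,7 @@`: the pseudocode ends at `wsmprovhost = filter process where (exe == "wsmprovhost.exe" and parent_exe == "svchost.exe")` with no `output wsmprovhost` line, unlike every other analytic on this page; the blank line added by the rebuild does not change that. Add the `output` line at the source. The EQL `-`/`+` pair in the following hunk is trailing-whitespace only.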
@@ -20,6 +20,7 @@ Remote access to the registry can be achieved via All of these behaviors call into the Windows API, which uses the NamedPipe `WINREG` over SMB to handle the protocol information. This network can be decoded with wireshark or a similar sensor, and can also be detected by hooking the API function. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -55,6 +56,7 @@ winreg = filter flows where (dest_port == 445 and proto_info.pipe == "WINREG") winreg_modify = filter flows where (proto_info.function == "Create*" or proto_info.function == "SetValue*") output winreg_modify + ``` diff --git a/docs/analytics/CAR-2014-11-006/index.md b/docs/analytics/CAR-2014-11-006/index.md index 783d529e..8c65568c 100644 --- a/docs/analytics/CAR-2014-11-006/index.md +++ b/docs/analytics/CAR-2014-11-006/index.md @@ -39,7 +39,7 @@ When a [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006 #### Pseudocode -Look for network connections to port 5985 and 5986. To really decipher what is going on, these outputs should be fed into something that can do packet analysis. +Look for network connections to port 5985 and 5986. To really decipher what is going on, these outputs should be fed into something that can do packet analysis. ``` @@ -47,6 +47,7 @@ flow = search Flow:Start winrm = filter flow where (dest_port == 5985) winrm_s = filter flow where (dest_port == 5986) output winrm, winrm_s + ``` diff --git a/docs/analytics/CAR-2014-11-007/index.md b/docs/analytics/CAR-2014-11-007/index.md index 1b37f562..a3106347 100644 --- a/docs/analytics/CAR-2014-11-007/index.md +++ b/docs/analytics/CAR-2014-11-007/index.md @@ -19,6 +19,7 @@ More about RPCSS at : [rpcss_dcom_interfaces.html](http://www.hsc.fr/ressources/ Identifies the connection in which WMI traffic is seen, as well as the process(es) responsible for owning the connection. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| 
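Review bot: CAR-2014-11-005, hunk at `@@ -55,6 +56,7 @@`: `winreg_modify = filter flows where (proto_info.function == "Create*" or proto_info.function == "SetValue*")` filters the raw `flows` again instead of the `winreg` set computed on the line above, so the `dest_port == 445 and proto_info.pipe == "WINREG"` constraint is discarded and any flow whose function name starts with Create or SetValue is reported. It should read `filter winreg where (...)`.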
@@ -53,6 +54,7 @@ To detect WMI over RPC (using DCOM), a sensor needs to exist that has the insigh flows = search Flow:Message wmi_flow = filter flows where (dest_port == 135 and proto_info.rpc_interface == "IRemUnknown2") output wmi_flow + ``` diff --git a/docs/analytics/CAR-2014-12-001/index.md b/docs/analytics/CAR-2014-12-001/index.md index 4058fd4a..8e3c0e1b 100644 --- a/docs/analytics/CAR-2014-12-001/index.md +++ b/docs/analytics/CAR-2014-12-001/index.md @@ -24,7 +24,7 @@ Certain strings can be identifiers of the WMI by looking up the interface UUID f - ASCII `CF` (printable text only) This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic. -The transfer syntax is +The transfer syntax is - UUID `8a885d04-1ceb-11c9-9fe8-08002b104860` (decoded) - Hex `04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60` (raw) @@ -39,6 +39,7 @@ Thus, a great ASCII based signature is Identifies the process that initiated the RPC request (such as wmic.exe or powershell.exe), as well as the source and destination information of the network connection that triggered the alert. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -82,11 +83,12 @@ flows = search Flow:Message wmi_flow = filter flows where (src_port >= 49152 and dest_port >= 49152 and proto_info.rpc_interface == "IRemUnknown2") remote_wmi_process = join wmi_children, wmi_flow where ( - wmi_flow.time < wmi_children.time < wmi_flow.time + 1sec and - wmi_flow.hostname == wmi_children.hostname + wmi_flow.time < wmi_children.time < wmi_flow.time + 1sec and + wmi_flow.hostname == wmi_children.hostname ) output remote_wmi_process + ``` diff --git a/docs/analytics/CAR-2016-03-001/index.md b/docs/analytics/CAR-2016-03-001/index.md index f58cdb2e..407d226b 100644 --- a/docs/analytics/CAR-2016-03-001/index.md +++ b/docs/analytics/CAR-2016-03-001/index.md 
@@ -29,6 +29,7 @@ Within the built-in Windows Commands: **Note** `dsquery` is only pre-existing on Windows servers. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -69,31 +70,33 @@ To be effective in deciphering malicious and benign activity, the full command l ``` process = search Process:Create info_command = filter process where ( - exe == "hostname.exe" or - exe == "ipconfig.exe" or - exe == "net.exe" or - exe == "quser.exe" or + exe == "hostname.exe" or + exe == "ipconfig.exe" or + exe == "net.exe" or + exe == "quser.exe" or exe == "qwinsta.exe" or exe == "sc" and (command_line match " query" or command_line match " qc")) or - exe == "systeminfo.exe" or - exe == "tasklist.exe" or + exe == "systeminfo.exe" or + exe == "tasklist.exe" or exe == "whoami.exe" ) output info_command + ``` -#### Splunk +#### Splunk, Sysmon native Splunk version of the above pseudocode search. ``` index=__your_sysmon_index__ EventCode=1 (Image="C:\\Windows\\*\\hostname.exe" OR Image="C:\\Windows\\*\\ipconfig.exe" OR Image="C:\\Windows\\*\\net.exe" OR Image="C:\\Windows\\*\\quser.exe" OR Image="C:\\Windows\\*\\qwinsta.exe" OR (Image="C:\\Windows\\*\\sc.exe" AND (CommandLine="* query *" OR CommandLine="* qc *")) OR Image="C:\\Windows\\*\\systeminfo.exe" OR Image="C:\\Windows\\*\\tasklist.exe" OR Image="C:\\Windows\\*\\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName + ``` -#### Eql +#### Eql, EQL native EQL version of the above pseudocode search. @@ -101,6 +104,7 @@ EQL version of the above pseudocode search. ``` process where subtype.create and (process_name == "hostname.exe" or process_name == "ipconfig.exe" or process_name == "net.exe" or process_name == "quser.exe" process_name == "qwinsta.exe" or process_name == "systeminfo.exe" or process_name == "tasklist.exe" or process_name == "whoami.exe" or (process_name == "sc.exe" and (command_line == "* query *" or command_line == "* qc *"))) + ``` 
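Review bot: the CAR-2016-03-001 pseudocode rewritten in `@@ -69,31 +70,33 @@` still has unbalanced parentheses: `exe == "sc" and (command_line match " query" or command_line match " qc")) or` closes the outer `filter process where (` early, leaving the `systeminfo.exe`, `tasklist.exe` and `whoami.exe` terms outside the filter, and `"sc"` is the only entry without `.exe` (the Splunk and EQL versions use `sc.exe`). Since these lines are being touched for whitespace anyway, write the clause as `(exe == "sc.exe" and (command_line match " query" or command_line match " qc")) or`. In the EQL block of `@@ -101,6 +104,7 @@`, `process_name == "quser.exe" process_name == "qwinsta.exe"` is missing the `or` between the two terms, so that query will not parse as written.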
@@ -111,6 +115,7 @@ LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=1 (image in ["*\hostname.exe", "*\ipconfig.exe", "*\net.exe", "*\quser.exe", "*\qwinsta.exe", "*\systeminfo.exe", "*\tasklist.exe", "*\whoami.exe"] OR (image="*\sc.exe" command IN ["* query *", "* qc *")) + ``` diff --git a/docs/analytics/CAR-2016-03-002/index.md b/docs/analytics/CAR-2016-03-002/index.md index 9cd3fac9..df9fb235 100644 --- a/docs/analytics/CAR-2016-03-002/index.md +++ b/docs/analytics/CAR-2016-03-002/index.md @@ -9,11 +9,12 @@ contributors: MITRE applicable_platforms: Windows ---
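Review bot: the LogPoint query in `@@ -111,6 +115,7 @@` has a bracket mismatch that the added blank line leaves in place: `command IN ["* query *", "* qc *"))` opens a list with `[` but never closes it. It should read `(image="*\sc.exe" command IN ["* query *", "* qc *"]))`.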

-Adversaries may use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to move laterally, by launching executables remotely.The analytic [CAR-2014-12-001](../CAR-2014-12-001) describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility `wmic.exe` is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like `wmic.exe /node:"\" process call create "\"`. It is possible to also connect via IP address, in which case the string `"\"` would instead look like `IP Address`. +Adversaries may use [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to move laterally, by launching executables remotely.The analytic [CAR-2014-12-001](../CAR-2014-12-001) describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility `wmic.exe` is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like `wmic.exe /node:"\" process call create "\"`. It is possible to also connect via IP address, in which case the string `"\"` would instead look like `IP Address`. Although this analytic was created after [CAR-2014-12-001](../CAR-2014-12-001), it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility [PowerShell](https://attack.mitre.org/T1059/001). + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| 
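Review bot: the description line in `@@ -9,11 +9,12 @@` for CAR-2016-03-002 is changed only to strip trailing whitespace, but it still reads "remotely.The analytic" (missing space after the period) and the example `wmic.exe /node:"\" process call create "\"` has lost whatever placeholder text stood between the quotes, which also breaks the later sentence "the string `"\"` would instead look like `IP Address`". While the line is being edited, restore readable placeholders (for example a hostname placeholder for `/node:` and a command-line placeholder for `process call create`) with the angle brackets escaped so the Markdown renderer does not swallow them again.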
@@ -47,24 +48,27 @@ Looks for instances of wmic.exe as well as the substrings in the command line: * `/node:` + ``` processes = search Process:Create wmic = filter processes where (exe == "wmic.exe" and command_line == "* process call create *" and command_line == "* /node:*") output wmic + ``` -#### Splunk +#### Splunk, Sysmon native Splunk version of the above pseudocode. ``` index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\wmic.exe" CommandLine="* process call create *"|search CommandLine="* /node:*" + ``` -#### Eql +#### Eql, EQL native EQL version of the above pseudocode. @@ -73,16 +77,18 @@ EQL version of the above pseudocode. process where subtype.create and (process_name == "wmic.exe" and command_line == "* process call create ") |filter command_line == "* /node:*" + ``` -#### Logpoint +#### Logpoint, LogPoint native LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=1 image="C:\\Windows\\*\\wmic.exe" command="* process call create *" command="* /node:*" + ``` diff --git a/docs/analytics/CAR-2016-04-002/index.md b/docs/analytics/CAR-2016-04-002/index.md index 830b4277..a17b5b4f 100644 --- a/docs/analytics/CAR-2016-04-002/index.md +++ b/docs/analytics/CAR-2016-04-002/index.md @@ -49,6 +49,7 @@ When an eventlog is cleared, a new event is created that alerts that the eventlo ``` ([log_name] == "Security" and [event_code] in [1100, 1102, 1104]) or ([log_name] == "System" and [event_code] == 104) + ``` @@ -66,7 +67,7 @@ When an eventlog is cleared, a new event is created that alerts that the eventlo -#### LogPoint version of the above pseudocode. (Logpoint) +#### LogPoint version of the above pseudocode. (Logpoint, LogPoint native) LogPoint version of the above pseudocode. @@ -74,6 +75,7 @@ LogPoint version of the above pseudocode. ``` norm_id=WinServer ((channel="Security" event_id IN [1100,1102]) OR (channel="System" event_id=104)) + ``` 
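Review bot: the EQL query in `@@ -73,16 +77,18 @@` compares `command_line == "* process call create "` without the trailing `*` that the pseudocode, Splunk and LogPoint versions all use (`"* process call create *"`), so it only matches command lines that end in a space; add the wildcard. On the heading renames in the same region: `#### Eql, EQL native`, `#### Logpoint, LogPoint native` and, in the CAR-2016-04-002 `@@ -66,7 +67,7 @@` hunk, `#### LogPoint version of the above pseudocode. (Logpoint, LogPoint native)` repeat the product name in two casings and in the last case append it to a heading that is already a full sentence. If the convention is "name, type", pick one casing per product (`EQL`, `LogPoint`) and shorten that last heading to the same form as the others.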
@@ -85,6 +87,7 @@ This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-It ``` index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 (Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog) + ``` diff --git a/docs/analytics/CAR-2016-04-003/index.md b/docs/analytics/CAR-2016-04-003/index.md index ea1ed9b3..4fd03850 100644 --- a/docs/analytics/CAR-2016-04-003/index.md +++ b/docs/analytics/CAR-2016-04-003/index.md @@ -14,6 +14,7 @@ Spyware and malware remain a serious problem and Microsoft developed security se Stopping services events are Windows Event Code 7036. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -43,16 +44,18 @@ log_name == "System" AND event_code == "7036" param1 in ["Windows Defender", "Windows Firewall"] AND param2 == "stopped" + ``` -#### Logpoint +#### Logpoint, LogPoint native LogPoint version of the above pseudocode. ``` norm_id=WinServer channel="System" event_id=7036 param1 in ["Windows Defender", "Windows Firewall"] param2="stopped" + ``` diff --git a/docs/analytics/CAR-2016-04-004/index.md b/docs/analytics/CAR-2016-04-004/index.md index 87162383..925c4d09 100644 --- a/docs/analytics/CAR-2016-04-004/index.md +++ b/docs/analytics/CAR-2016-04-004/index.md 
@@ -33,12 +33,13 @@ The successful use of [Pass The Hash](https://attack.mitre.org/techniques/T1550/ #### Pseudocode -This analytic will look for remote logins, using a non domain login, from one host to another, using NTL authentication where the account is not "ANONYMOUS LOGON" +This analytic will look for remote logins, using a non domain login, from one host to another, using NTL authentication where the account is not "ANONYMOUS LOGON". ``` EventCode == 4624 and [target_user_name] != "ANONYMOUS LOGON" and [authentication_package_name] == "NTLM" + ``` diff --git a/docs/analytics/CAR-2016-04-005/index.md b/docs/analytics/CAR-2016-04-005/index.md index 1950f251..e4b2ee27 100644 --- a/docs/analytics/CAR-2016-04-005/index.md +++ b/docs/analytics/CAR-2016-04-005/index.md @@ -50,7 +50,7 @@ Look in the system logs for remote logons using RDP. -#### Logpoint +#### Logpoint, LogPoint native LogPoint version of the above pseudocode. diff --git a/docs/analytics/CAR-2019-04-001/index.md b/docs/analytics/CAR-2019-04-001/index.md index c94f5997..2e28ac70 100644 --- a/docs/analytics/CAR-2019-04-001/index.md +++ b/docs/analytics/CAR-2019-04-001/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source [UACME](https://github.com/hfiref0x/UACME) tool. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| 
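Review bot: the CAR-2016-04-004 line edited in `@@ -33,12 +33,13 @@` gains a terminating period but keeps "NTL authentication", which should be "NTLM" (the query directly below filters on `[authentication_package_name] == "NTLM"`); "non domain login" also wants a hyphen. Fix the typo in the same edit rather than leaving it for another whitespace pass.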
@@ -48,6 +49,7 @@ This Splunk query looks for specific invocations of UACME, representing differen ``` index=_your_sysmon_index_ EventCode=1 IntegrityLevel=High|search (ParentCommandLine="\"c:\\windows\\system32\\dism.exe\"*""*.xml" AND Image!="c:\\users\\*\\appdata\\local\\temp\\*\\dismhost.exe") OR ParentImage=c:\\windows\\system32\\fodhelper.exe OR (CommandLine="\"c:\\windows\\system32\\wusa.exe\"*/quiet*" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\\windows\\system32\\ AND ParentImage!=c:\\windows\\explorer.exe) OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*" OR (ParentImage="c:\\windows\\*dccw.exe" AND Image!="c:\\windows\\system32\\cttune.exe") OR Image="c:\\program files\\windows media player\\osk.exe" OR ParentImage="c:\\windows\\system32\\slui.exe"|eval PossibleTechniques=case(like(lower(ParentCommandLine),"%c:\\windows\\system32\\dism.exe%"), "UACME #23", like(lower(Image),"c:\\program files\\windows media player\\osk.exe"), "UACME #32", like(lower(ParentImage),"c:\\windows\\system32\\fodhelper.exe"), "UACME #33", like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34", like(lower(Image),"c:\\windows\\system32\\wusa.exe"), "UACME #36", like(lower(ParentImage),"c:\\windows\\%dccw.exe"), "UACME #37", like(lower(ParentImage),"c:\\windows\\system32\\slui.exe"), "UACME #45") + ``` 
@@ -65,10 +67,11 @@ possible_uac_bypass = filter processes where ( (image_path == "c:\program files\windows media player\osk.exe") or (parent_image_path == "c:\windows\system32\slui.exe") or (parent_command_line == '"c:\windows\system32\dism.exe"*""*.xml"' and image_path != "c:\users\*\appdata\local\temp\*\dismhost.exe") or - (command_line == '"c:\windows\system32\wusa.exe"*/quiet*' and user != "NOT_TRANSLATED" and current_working_directory == "c:\windows\system32\" and parent_image_path != "c:\windows\explorer.exe") or - (parent_image_path == "c:\windows\*dccw.exe" and image_path != "c:\windows\system32\cttune.exe") + (command_line == '"c:\windows\system32\wusa.exe"*/quiet*' and user != "NOT_TRANSLATED" and current_working_directory == "c:\windows\system32\" and parent_image_path != "c:\windows\explorer.exe") or + (parent_image_path == "c:\windows\*dccw.exe" and image_path != "c:\windows\system32\cttune.exe") ) output possible_uac_bypass + ``` @@ -86,13 +89,14 @@ output possible_uac_bypass -#### Logpoint +#### Logpoint, LogPoint native LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=1 integrity_level="High" ((parent_image="c:\windows\system32\fodhelper.exe" OR command='*.exe"*cleanmgr.exe /autoclean*' OR image="c:\program files\windows media player\osk.exe" OR parent_image="c:\windows\system32\slui.exe") OR (parent_command='"c:\windows\system32\dism.exe"*""*.xml"' -image="c:\users\*\appdata\local\temp\*\dismhost.exe") OR (parent_image="c:\windows\*dccw.exe" -image="c:\windows\system32\cttune.exe") OR (command='"c:\windows\system32\wusa.exe"*/quiet*' -user="NOT_TRANSLATED" path="c:\windows\system32\" -parent_image="c:\windows\explorer.exe")) + ``` diff --git a/docs/analytics/CAR-2019-04-002/index.md b/docs/analytics/CAR-2019-04-002/index.md index bfc4d74b..dbcaf5ff 100644 --- a/docs/analytics/CAR-2019-04-002/index.md +++ b/docs/analytics/CAR-2019-04-002/index.md 
@@ -12,6 +12,7 @@ applicable_platforms: Windows Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -49,6 +50,7 @@ This just looks for all executions of regsvr32.exe that have a parent of regsvr3 ``` index=__your_sysmon_data__ EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" + ``` @@ -64,6 +66,7 @@ regsvr_processes = filter processes where ( parent_image_path == "*regsvr32.exe" and image_path != "*regsvr32.exe*" ) output regsvr_processes + ``` @@ -76,6 +79,7 @@ This uses the same logic as above, but adds lightweight baselining by ignoring a ``` index=__your_sysmon_data__ earliest=-d@d latest=now() EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | search NOT [ search index=__your_sysmon_data__ earliest=-60d@d latest=-30d@d EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | dedup CommandLine | fields CommandLine ] + ``` 
@@ -87,6 +91,7 @@ This looks for child processes that may be spawend by regsvr32, while attempting ``` index=__your_sysmon_data__ EventCode=1 (ParentImage="C:\\Windows\\System32\\regsvr32.exe" OR ParentImage="C:\\Windows\\SysWOW64\\regsvr32.exe") AND Image!="C:\\Windows\\System32\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\regsvr32.exe" AND Image!="C:\\WINDOWS\\System32\\regsvr32.exe" AND Image!="C:\\WINDOWS\\SysWOW64\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\WerFault.exe" AND Image!="C:\\Windows\\System32\\wevtutil.exe" AND Image!="C:\\Windows\\System32\\WerFault.exe"|stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image + ``` @@ -107,6 +112,7 @@ regsvr_processes = filter processes where ( image_path != "C:\Windows\System32\wevtutil.exe" ) output regsvr_processes + ``` @@ -117,7 +123,8 @@ This looks for unsigned images that may be loaded by regsvr32, while attempting ``` -index=__your_sysmon_data__ EventCode=7 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") Signed=false ImageLoaded!="C:\\Program Files*" ImageLoaded!="C:\\Windows\\*"|stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded +index=__your_sysmon_data__ EventCode=7 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") Signed=false ImageLoaded!="C:\\Program Files*" ImageLoaded!="C:\\Windows\\*"|stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded + ``` 
@@ -131,11 +138,12 @@ This is a pseudocode version of the above Splunk query for loading unsigned imag modules = search Module:Load unsigned_modules = filter modules where ( (image_path == "C:\Windows\System32\regsvr32.exe" or image_path == "C:\Windows\SysWOW64\regsvr32.exe") and - signer == null and + signer == null and module_path != "C:\Program Files*" and module_path != "C:\Windows\*" ) output unsigned_modules + ``` diff --git a/docs/analytics/CAR-2019-04-003/index.md b/docs/analytics/CAR-2019-04-003/index.md index b2ec47b1..8aacf130 100644 --- a/docs/analytics/CAR-2019-04-003/index.md +++ b/docs/analytics/CAR-2019-04-003/index.md @@ -13,6 +13,7 @@ Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly Squiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible. + #### References As usual, credit to Roberto Rodriguez and the [ThreatHunter Playbook](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/playbooks/platforms/windows/05_defense_evasion/regsvr32/variants/bypass_whitelisting_regsvr32.md). @@ -50,6 +51,7 @@ This looks for any and all usage of the scrobj DLL, which is what is used to run ``` index=__your_sysmon_events__ EventCode=1 regsvr32.exe scrobj.dll | search Image="*regsvr32.exe" + ``` @@ -61,6 +63,7 @@ EQL version of the above Splunk search. ``` process where subtype.create and (process_path == "*regsvr32.exe" and command_line == "*scrobj.dll") + ``` @@ -75,16 +78,18 @@ squiblydoo_processes = filter processes where ( image_path == "*regsvr32.exe" and command_line == "*scrobj.dll" ) output squiblydoo_processes + ``` -#### Logpoint +#### Logpoint, LogPoint native LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=1 image="*\regsvr32.exe" command="*scrobj.dll" + ``` 
@@ -96,3 +101,4 @@ norm_id=WindowsSysmon event_id=1 image="*\regsvr32.exe" command="*scrobj.dll" The [Atomic Red Team test for Squiblydoo](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md#atomic-test-2---regsvr32-remote-com-scriptlet-execution) is a good test case for this. + diff --git a/docs/analytics/CAR-2019-04-004/index.md b/docs/analytics/CAR-2019-04-004/index.md index 325ac168..960d9046 100644 --- a/docs/analytics/CAR-2019-04-004/index.md +++ b/docs/analytics/CAR-2019-04-004/index.md @@ -13,6 +13,7 @@ Credential dumpers like Mimikatz can be loaded into memory and from there read d *This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn’t have a CAR data model mapping, since we currently lack any open/access actions for Processes. If this changes, we will update the data model requirements.* + #### References Credit to [Cyb3rWard0g](https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/playbooks/windows/06_credential_access/credential_dumping_T1003/credentials_from_memory/mimikatz_logonpasswords.md), dim0x69 (blog.3or.de), and Mark Russinovich for providing much of the information used to construct these analytics. @@ -43,11 +44,12 @@ This is specific to the way Mimikatz works currently, and thus is fragile to bot ``` -index=__your_sysmon_data__ EventCode=10 +index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) -CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)" +CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)" | table _time hostname user SourceImage GrantedAccess + ``` 
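Review bot: the `@@ -96,3 +101,4 @@` hunk for CAR-2019-04-003 appends an empty `+` line after the closing Atomic Red Team sentence, i.e. a trailing blank line at end of file. That is noise most Markdown linters flag as trailing whitespace, and it cannot affect rendering because nothing follows it; drop it, and check the later hunks of this patch that do the same at file end.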
@@ -61,22 +63,24 @@ This is an outlier version of the above without including the specific call trac earliest=-d@d latest=now() index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" - (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) -| search NOT [ search earliest=-7d@d latest=-2d@d index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) - | dedup SourceImage + (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) +| search NOT [ search earliest=-7d@d latest=-2d@d index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) + | dedup SourceImage | fields SourceImage ] | table _time hostname user SourceImage GrantedAccess + ``` -#### Logpoint +#### Logpoint, LogPoint native LogPoint version of the above pseudocode. ``` -norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" (access="0x1410" OR access="0x1010" OR access="0x1438" OR access="0x143a" OR access="0x1418") call_trace="C:\windows\SYSTEM32\ntdll.dll+*|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)" +norm_id=WindowsSysmon event_id=10 image="C:\Windows\system32\lsass.exe" (access="0x1410" OR access="0x1010" OR access="0x1438" OR access="0x143a" OR access="0x1418") call_trace="C:\windows\SYSTEM32\ntdll.dll+*|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)" | fields log_ts, host, user, source_image, access + ``` diff --git a/docs/analytics/CAR-2019-07-001/index.md b/docs/analytics/CAR-2019-07-001/index.md index 013dfc51..d367b9cd 100644 --- a/docs/analytics/CAR-2019-07-001/index.md +++ b/docs/analytics/CAR-2019-07-001/index.md 
@@ -74,7 +74,7 @@ output chmod_processes ``` -#### Logpoint +#### Logpoint, LogPoint native LogPoint version of the above pseudocode for Windows. diff --git a/docs/analytics/CAR-2019-07-002/index.md b/docs/analytics/CAR-2019-07-002/index.md index 72858330..3af96ddd 100644 --- a/docs/analytics/CAR-2019-07-002/index.md +++ b/docs/analytics/CAR-2019-07-002/index.md @@ -9,13 +9,14 @@ contributors: Kaushal Parikh/Cyware Labs, Tony Lambert/Red Canary, MITRE applicable_platforms: Windows ---

-[ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. +[ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name. Note - the CAR data model currently does not support process access actions, so the pseudocode implementation is based around process creates. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -54,6 +55,7 @@ procdump_lsass = filter processes where ( exe = "procdump*.exe" and command_line = "*lsass*") output procdump_lsass + ``` @@ -65,6 +67,7 @@ A Splunk/Sysmon version of the above pseudocode. ``` index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*" + ``` @@ -83,6 +86,7 @@ A related Splunk search, which instead of looking for process create events look ``` index=__your_sysmon_index__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" GrantedAccess="0x1FFFFF" ("procdump") + ``` @@ -93,13 +97,14 @@ A [Sigma Version](https://github.com/Neo23x0/sigma/blob/master/rules/windows/sys -#### Logpoint +#### Logpoint, LogPoint native LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=1 image="*\procdump*.exe" command="*lsass*" + ``` 
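Review bot: the CAR-2019-07-002 intro line rewritten in `@@ -9,13 +9,14 @@` still says "a sysinternal command-line utility"; the suite is Sysinternals (the link target already says `sysinternals`), so correct it while the line is open. The rest of the change in that hunk is trailing-whitespace removal plus the added blank line before `### ATT&CK Detections`, which is fine.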
@@ -113,3 +118,4 @@ norm_id=WindowsSysmon event_id=1 image="*\procdump*.exe" command="*lsass*" 3. Execute procdump.exe -ma lsass.exe lsass_dump + diff --git a/docs/analytics/CAR-2019-08-001/index.md b/docs/analytics/CAR-2019-08-001/index.md index 0d727545..53d19e9e 100644 --- a/docs/analytics/CAR-2019-08-001/index.md +++ b/docs/analytics/CAR-2019-08-001/index.md @@ -14,6 +14,7 @@ The Windows Task Manager may be used to dump the memory space of `lsass.exe` to This requires filesystem data to determine whether files have been created. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -52,6 +53,7 @@ lsass_dump = filter files where ( file_name = "lsass*.dmp" and image_path = "C:\Windows\*\taskmgr.exe") output lsass_dump + ``` @@ -63,6 +65,7 @@ A Splunk/Sysmon version of the above pseudocode. ``` index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe" + ``` @@ -74,16 +77,18 @@ An EQL version of the above pseudocode. ``` file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe" + ``` -#### Logpoint +#### Logpoint, LogPoint native LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=11 file="*lsass*.dmp" source_image="C:\Windows\*\taskmgr.exe" + ``` @@ -98,6 +103,7 @@ norm_id=WindowsSysmon event_id=11 file="*lsass*.dmp" source_image="C:\Windows\*\ + ### True Positives #### Mordor (sysmon) diff --git a/docs/analytics/CAR-2019-08-002/index.md b/docs/analytics/CAR-2019-08-002/index.md index f0fb91fd..209fd563 100644 --- a/docs/analytics/CAR-2019-08-002/index.md +++ b/docs/analytics/CAR-2019-08-002/index.md @@ -14,6 +14,7 @@ The NTDSUtil tool may be used to dump a Microsoft Active Directory database to d This requires filesystem data to determine whether files have been created. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| 
@@ -52,6 +53,7 @@ ntds_dump = filter files where ( file_name = "ntds.dit" and image_path = "*ntdsutil.exe") output ntds_dump + ``` @@ -63,6 +65,7 @@ A Splunk/Sysmon version of the above pseudocode. ``` index=__your_sysmon_index__ EventCode=11 TargetFilename="*ntds.dit" Image="*ntdsutil.exe" + ``` @@ -74,16 +77,18 @@ An EQL version of the above pseudocode. ``` file where file_name == "ntds.dit" and process_name == "ntdsutil.exe" + ``` -#### Logpoint +#### Logpoint, LogPoint native LogPoint version of the above pseudocode. ``` norm_id=WindowsSysmon event_id=11 file="*ntds.dit" source_image="*ntdsutil.exe" + ``` @@ -96,3 +101,4 @@ norm_id=WindowsSysmon event_id=11 file="*ntds.dit" source_image="*ntdsutil.exe" 2. Execute `ntdsutil.exe “ac i ntds” “ifm” “create full c:\temp” q q` + diff --git a/docs/analytics/CAR-2020-05-001/index.md b/docs/analytics/CAR-2020-05-001/index.md index add50eb2..ef913ab9 100644 --- a/docs/analytics/CAR-2020-05-001/index.md +++ b/docs/analytics/CAR-2020-05-001/index.md @@ -18,6 +18,7 @@ This analytic was tested both in a lab and in a production environment with a ve NOTE - this analytic has no corresponding pseudocode implementation because the CAR data model doesn't currently support process access events. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -48,7 +49,7 @@ index=__your_sysmon_index__ EventCode=10 TargetImage="C:\\windows\\system32\\lsa ``` -#### Logpoint +#### Logpoint, LogPoint native LogPoint version of the above pseudocodes. diff --git a/docs/analytics/CAR-2020-05-003/index.md b/docs/analytics/CAR-2020-05-003/index.md index 9d095cf7..23a34063 100644 --- a/docs/analytics/CAR-2020-05-003/index.md +++ b/docs/analytics/CAR-2020-05-003/index.md 
@@ -15,7 +15,8 @@ This analytic takes all instances of LoLBAS execution and then looks for instanc The analytic needs to be tuned. The `1.5` in the query is the number of standard deviations away to look. It can be tuned up to filter out more noise and tuned down to get more results. This means it is probably best as a hunting analytic when you have analysts looking at the screen and able to tune the analytic up and down, because the threshold may not be stable for very long. -Note - this analytic is related to [CAR-2013-04-002](/analytics/CAR-2013-04-002), but differs by looking for a different set of binaries and also looking at standard deviation across command lines of these binaries instead of their execution within a short time window. +Note - this analytic is related to [CAR-2013-04-002](/analytics/CAR-2013-04-002), but differs by looking for a different set of binaries and also looking at standard deviation across command lines of these binaries instead of their execution within a short time window. + ### ATT&CK Detections @@ -55,6 +56,7 @@ process_count_stdev = standard_deviation(process_count) lower_bound = process_count_avg - stdev * 1.5 outliers = filter lolbas_processes where (process_count < lower_bound) return outliers + ``` 
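Review bot: the CAR-2020-05-003 pseudocode touched in `@@ -55,6 +56,7 @@` computes `process_count_stdev = standard_deviation(process_count)` but the next line uses a different name, `lower_bound = process_count_avg - stdev * 1.5`, so `stdev` is undefined in the pseudocode (only the Splunk version defines `stdev`). Change it to `process_count_stdev * 1.5`; `return outliers` should also be `output outliers` to match every other analytic's pseudocode on the page.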
@@ -66,6 +68,7 @@ This Splunk query looks for instances of LoLBAS commands being executed, then st ``` index=__your_sysmon_index__ EventCode=1 (OriginalFileName = At.exe OR OriginalFileName = Atbroker.exe OR OriginalFileName = Bash.exe OR OriginalFileName = Bitsadmin.exe OR OriginalFileName = Certutil.exe OR OriginalFileName = Cmd.exe OR OriginalFileName = Cmdkey.exe OR OriginalFileName = Cmstp.exe OR OriginalFileName = Control.exe OR OriginalFileName = Csc.exe OR OriginalFileName = Cscript.exe OR OriginalFileName = Dfsvc.exe OR OriginalFileName = Diskshadow.exe OR OriginalFileName = Dnscmd.exe OR OriginalFileName = Esentutl.exe OR OriginalFileName = Eventvwr.exe OR OriginalFileName = Expand.exe OR OriginalFileName = Extexport.exe OR OriginalFileName = Extrac32.exe OR OriginalFileName = Findstr.exe OR OriginalFileName = Forfiles.exe OR OriginalFileName = Ftp.exe OR OriginalFileName = Gpscript.exe OR OriginalFileName = Hh.exe OR OriginalFileName = Ie4uinit.exe OR OriginalFileName = Ieexec.exe OR OriginalFileName = Infdefaultinstall.exe OR OriginalFileName = Installutil.exe OR OriginalFileName = Jsc.exe OR OriginalFileName = Makecab.exe OR OriginalFileName = Mavinject.exe OR OriginalFileName = Microsoft.Workflow.r.exe OR OriginalFileName = Mmc.exe OR OriginalFileName = Msbuild.exe OR OriginalFileName = Msconfig.exe OR OriginalFileName = Msdt.exe OR OriginalFileName = Mshta.exe OR OriginalFileName = Msiexec.exe OR OriginalFileName = Odbcconf.exe OR OriginalFileName = Pcalua.exe OR OriginalFileName = Pcwrun.exe OR OriginalFileName = Presentationhost.exe OR OriginalFileName = Print.exe OR OriginalFileName = Reg.exe OR OriginalFileName = Regasm.exe OR OriginalFileName = Regedit.exe OR OriginalFileName = Register-cimprovider.exe OR OriginalFileName = Regsvcs.exe OR OriginalFileName = Regsvr32.exe OR OriginalFileName = Replace.exe OR OriginalFileName = Rpcping.exe OR OriginalFileName = Rundll32.exe OR OriginalFileName = Runonce.exe OR OriginalFileName = Runscripthelper.exe 
OR OriginalFileName = Sc.exe OR OriginalFileName = Schtasks.exe OR OriginalFileName = Scriptrunner.exe OR OriginalFileName = SyncAppvPublishingServer.exe OR OriginalFileName = Tttracer.exe OR OriginalFileName = Verclsid.exe OR OriginalFileName = Wab.exe OR OriginalFileName = Wmic.exe OR OriginalFileName = Wscript.exe OR OriginalFileName = Wsreset.exe OR OriginalFileName = Xwizard.exe OR OriginalFileName = Advpack.dll OR OriginalFileName = Comsvcs.dll OR OriginalFileName = Ieadvpack.dll OR OriginalFileName = Ieaframe.dll OR OriginalFileName = Mshtml.dll OR OriginalFileName = Pcwutl.dll OR OriginalFileName = Setupapi.dll OR OriginalFileName = Shdocvw.dll OR OriginalFileName = Shell32.dll OR OriginalFileName = Syssetup.dll OR OriginalFileName = Url.dll OR OriginalFileName = Zipfldr.dll OR OriginalFileName = Appvlp.exe OR OriginalFileName = Bginfo.exe OR OriginalFileName = Cdb.exe OR OriginalFileName = csi.exe OR OriginalFileName = Devtoolslauncher.exe OR OriginalFileName = dnx.exe OR OriginalFileName = Dxcap.exe OR OriginalFileName = Excel.exe OR OriginalFileName = Mftrace.exe OR OriginalFileName = Msdeploy.exe OR OriginalFileName = msxsl.exe OR OriginalFileName = Powerpnt.exe OR OriginalFileName = rcsi.exe OR OriginalFileName = Sqler.exe OR OriginalFileName = Sqlps.exe OR OriginalFileName = SQLToolsPS.exe OR OriginalFileName = Squirrel.exe OR OriginalFileName = te.exe OR OriginalFileName = Tracker.exe OR OriginalFileName = Update.exe OR OriginalFileName = vsjitdebugger.exe OR OriginalFileName = Winword.exe OR OriginalFileName = Wsl.exe OR OriginalFileName = CL_Mutexverifiers.ps1 OR OriginalFileName = CL_Invocation.ps1 OR OriginalFileName = Manage-bde.wsf OR OriginalFileName = Pubprn.vbs OR OriginalFileName = Slmgr.vbs OR OriginalFileName = Syncappvpublishingserver.vbs OR OriginalFileName = winrm.vbs OR OriginalFileName = Pester.bat)|eval CommandLine=lower(CommandLine)|eventstats count(process) as procCount by process|eventstats avg(procCount) as avg stdev(procCount) 
as stdev|eval lowerBound=(avg-stdev*1.5)|eval isOutlier=if((procCount < lowerBound),1,0)|where isOutlier=1|table host, Image, ParentImage, CommandLine, ParentCommandLine, procCount + ``` diff --git a/docs/analytics/CAR-2020-09-001/index.md b/docs/analytics/CAR-2020-09-001/index.md index 5363b961..6971ec05 100644 --- a/docs/analytics/CAR-2020-09-001/index.md +++ b/docs/analytics/CAR-2020-09-001/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -50,6 +51,7 @@ task_files = filter files where ( (file_path = "C:\Windows\System32\Tasks\*" or file_path = "C:\Windows\Tasks\*") and image_path != "C:\WINDOWS\system32\svchost.exe") output task_files + ``` @@ -62,6 +64,7 @@ This Splunk search looks for any files created under the Windows tasks directori ``` index=__your_sysmon_index__ EventCode=11 Image!="C:\\WINDOWS\\system32\\svchost.exe" (TargetFilename="C:\\Windows\\System32\\Tasks\\ *" OR TargetFilename="C:\\Windows\\Tasks\\*") + ``` @@ -73,6 +76,7 @@ This LogPoint search looks for any files created under the Windows tasks directo ``` norm_id=WindowsSysmon event_id=11 -source_image="C:\WINDOWS\system32\svchost.exe" (path="C:\Windows\System32\Tasks*" OR path="C:\Windows\Tasks*") + ``` diff --git a/docs/analytics/CAR-2020-09-002/index.md b/docs/analytics/CAR-2020-09-002/index.md index 453072c5..66c2364e 100644 --- a/docs/analytics/CAR-2020-09-002/index.md +++ b/docs/analytics/CAR-2020-09-002/index.md @@ -9,7 +9,8 @@ contributors: Olaf Hartong applicable_platforms: Windows ---
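Review bot: in the CAR-2020-09-001 Splunk hunk the unchanged search line `TargetFilename="C:\\Windows\\System32\\Tasks\\ *"` has a space between `\\` and `*`, so it only matches task files whose name begins with a space; it should read `TargetFilename="C:\\Windows\\System32\\Tasks\\*"`, matching the pseudocode and the LogPoint search. Separately, every hunk in this commit inserts a `+` blank line immediately before the closing ``` fence, which renders as a trailing empty line in each code block; if that is a generator artifact rather than intentional, drop it here and in the other analytics.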

-Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. Accordingly, this analytic looks for any changes under these keys. +Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. Accordingly, this analytic looks for any changes under these keys. + ### ATT&CK Detections @@ -46,10 +47,11 @@ This is a pseudocode representation of the below splunk search. ``` -registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) +registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) clsid_keys = filter registry_keys where ( key = "*\Software\Classes\CLSID\*") output clsid_keys + ``` @@ -61,6 +63,7 @@ This Splunk search looks for any registry keys that were created, deleted, or re ``` index=__your_sysmon_index__ (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Classes\\CLSID\\*" + ``` @@ -72,6 +75,7 @@ This LogPoint search looks for any registry keys that were created, deleted, or ``` norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object="*\Software\Classes\CLSID\*" + ``` diff --git a/docs/analytics/CAR-2020-09-003/index.md b/docs/analytics/CAR-2020-09-003/index.md index ec2492d4..b74405b3 100644 --- a/docs/analytics/CAR-2020-09-003/index.md +++ b/docs/analytics/CAR-2020-09-003/index.md 
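Review bot: the rewritten pseudocode line `registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit)` in CAR-2020-09-002 combines the three event types with AND, which no single registry event can satisfy; the Splunk and LogPoint searches below it use `EventCode=12 OR EventCode=13 OR EventCode=14` and `event_id IN [12, 13, 14]`, so the pseudocode should use OR. Since this hunk only strips trailing whitespace from that line, fixing the operator at the same time costs nothing.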
@@ -12,6 +12,7 @@ applicable_platforms: Windows Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -49,6 +50,7 @@ processes = search Process:Create fltmc_processes = filter processes where ( exe = "fltmc.exe" AND command_line = "*unload*") output fltmc_processes + ``` @@ -59,7 +61,8 @@ This Splunk search looks for process create events for the fltmc.exe utility and ``` -index=client EventCode=1 CommandLine="*unload*" (Image="C:\\Windows\\SysWOW64\\fltMC.exe" OR Image="C:\\Windows\\System32\\fltMC.exe") +index=client EventCode=1 CommandLine="*unload*" (Image="C:\\Windows\\SysWOW64\\fltMC.exe" OR Image="C:\\Windows\\System32\\fltMC.exe") + ``` @@ -70,7 +73,8 @@ This LogPoint search looks for process create events for the fltmc.exe utility a ``` -norm_id=WindowsSysmon command="*unload*" (image="C:\Windows\SysWOW64\fltMC.exe" OR image="C:\Windows\System32\fltMC.exe") +norm_id=WindowsSysmon command="*unload*" (image="C:\Windows\SysWOW64\fltMC.exe" OR image="C:\Windows\System32\fltMC.exe") + ``` diff --git a/docs/analytics/CAR-2020-09-004/index.md b/docs/analytics/CAR-2020-09-004/index.md index 02c9710c..96bacd7b 100644 --- a/docs/analytics/CAR-2020-09-004/index.md +++ b/docs/analytics/CAR-2020-09-004/index.md 
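Review bot: the CAR-2020-09-003 Splunk hunk re-emits `index=client EventCode=1 CommandLine="*unload*" ...` with only whitespace changed; `index=client` is a site-specific index name, whereas every other analytic in this patch uses the `__your_sysmon_index__` placeholder. Replace it with the placeholder so the search is portable and consistent with the LogPoint variant's `norm_id=WindowsSysmon`.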
@@ -12,6 +12,7 @@ applicable_platforms: Windows Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as [PowerSploit](https://powersploit.readthedocs.io/en/latest/) in order to dump credentials from various applications such as IIS.Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several powersploit modules with similar functionality. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -46,15 +47,16 @@ This is a pseudocode representation of the below splunk search. ``` processes = search Process:Create cred_processes = filter processes where ( - command_line = "*reg* query HKLM /f password /t REG_SZ /s*" OR + command_line = "*reg* query HKLM /f password /t REG_SZ /s*" OR command_line = "reg* query HKCU /f password /t REG_SZ /s" OR command_line = "*Get-UnattendedInstallFile*" OR - command_line = "*Get-Webconfig*" OR - command_line = "*Get-ApplicationHost*" OR - command_line = "*Get-SiteListPassword*" OR - command_line = "*Get-CachedGPPPassword*" OR + command_line = "*Get-Webconfig*" OR + command_line = "*Get-ApplicationHost*" OR + command_line = "*Get-SiteListPassword*" OR + command_line = "*Get-CachedGPPPassword*" OR command_line = "*Get-RegistryAutoLogon*") output cred_processes + ``` 
@@ -65,7 +67,8 @@ This Splunk search looks for command lines of reg.exe used to search for passwor ``` -((index=__your_sysmon_index__ EventCode=1) OR (index=__your_win_syslog_index__ EventCode=4688)) (CommandLine="*reg* query HKLM /f password /t REG_SZ /s*" OR CommandLine="reg* query HKCU /f password /t REG_SZ /s" OR CommandLine="*Get-UnattendedInstallFile*" OR CommandLine="*Get-Webconfig*" OR CommandLine="*Get-ApplicationHost*" OR CommandLine="*Get-SiteListPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR CommandLine="*Get-RegistryAutoLogon*") +((index=__your_sysmon_index__ EventCode=1) OR (index=__your_win_syslog_index__ EventCode=4688)) (CommandLine="*reg* query HKLM /f password /t REG_SZ /s*" OR CommandLine="reg* query HKCU /f password /t REG_SZ /s" OR CommandLine="*Get-UnattendedInstallFile*" OR CommandLine="*Get-Webconfig*" OR CommandLine="*Get-ApplicationHost*" OR CommandLine="*Get-SiteListPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR CommandLine="*Get-RegistryAutoLogon*") + ``` @@ -77,6 +80,7 @@ This LogPoint search looks for command lines of reg.exe used to search for passw ``` norm_id=WindowsSysmon event_id=1 command IN ["*reg* query HKLM /f password /t REG_SZ /s*", "reg* query HKCU /f password /t REG_SZ /s", "*Get-UnattendedInstallFile*", "*Get-Webconfig*", "*Get-ApplicationHost*", "*Get-SiteListPassword*", "*Get-CachedGPPPassword*", "*Get-RegistryAutoLogon*"] + ``` diff --git a/docs/analytics/CAR-2020-09-005/index.md b/docs/analytics/CAR-2020-09-005/index.md index f5b226a5..08181964 100644 --- a/docs/analytics/CAR-2020-09-005/index.md +++ b/docs/analytics/CAR-2020-09-005/index.md @@ -9,7 +9,8 @@ contributors: Olaf Hartong applicable_platforms: Windows ---
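Review bot: in the CAR-2020-09-004 pseudocode, Splunk and LogPoint hunks the second pattern, `"reg* query HKCU /f password /t REG_SZ /s"`, has no leading or trailing wildcard while its HKLM sibling is `"*reg* query HKLM /f password /t REG_SZ /s*"`; as written the HKCU clause only matches a command line that starts with `reg` and ends exactly at `/s`, so a full-path invocation or any extra argument is missed. Make it `"*reg* query HKCU /f password /t REG_SZ /s*"` in all three blocks; since these hunks already rewrite the surrounding lines for whitespace, that is the place to fix it.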

-Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` or `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows` are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse. +Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` or `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows` are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse. + ### ATT&CK Detections 
@@ -46,12 +47,13 @@ This is a pseudocode representation of the below splunk search. ``` -registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) +registry_keys = search (Registry:Create AND Registry:Remove AND Registry:Edit) appinit_keys = filter registry_keys where ( - key = "*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*" OR + key = "*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*" OR key = "*\SOFTWARE\\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*"" ) output clsid_keys + ``` @@ -63,6 +65,7 @@ This Splunk search looks for any registry keys that were created, deleted, or re ``` index=__your_sysmon_index__ (EventCode=12 OR EventCode=13 OR EventCode=14) (TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*" OR TargetObject="*\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Appinit_Dlls\\*") + ``` @@ -74,6 +77,7 @@ This LogPoint search looks for any registry keys that were created, deleted, or ``` norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object IN ["*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*", "*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\*"] + ``` diff --git a/docs/analytics/CAR-2020-11-001/index.md b/docs/analytics/CAR-2020-11-001/index.md old mode 100755 new mode 100644 index 881b48b4..8d86254b --- a/docs/analytics/CAR-2020-11-001/index.md +++ b/docs/analytics/CAR-2020-11-001/index.md @@ -9,7 +9,8 @@ contributors: Olaf Hartong applicable_platforms: Windows ---
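Review bot: the CAR-2020-09-005 pseudocode hunk rewrites the AppInit key patterns but leaves three defects in them: the second pattern ends with a doubled quote (`...\Appinit_Dlls\*""`), the block outputs `clsid_keys` (copied from CAR-2020-09-002) instead of the `appinit_keys` it defines, and the search line again reads `Registry:Create AND Registry:Remove AND Registry:Edit` where the Splunk and LogPoint searches use OR. Also, the description states that AppInit_DLLs is a value, yet all three searches match `*\Appinit_Dlls\*` / `*\\Appinit_Dlls\\*` with a trailing path separator, which only matches something beneath an AppInit_DLLs key; a Sysmon event 13 for setting the value has a TargetObject ending in `...\Windows\AppInit_DLLs`, so drop the trailing `\*` (or use `*\Windows\Appinit_Dlls*`).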

-Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\Environment*UserInitMprLogonScript*. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. +Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\Environment*UserInitMprLogonScript*. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path. + ### ATT&CK Detections @@ -54,6 +55,7 @@ registry = search (Registry:Add OR Registry:Edit) registry_logon_key_events = filter registry where ( key = "*\Environment*UserInitMprLogonScript") output (logon_script_key_processes, registry_logon_key_events) + ``` 
@@ -65,6 +67,7 @@ Look for commands for adding a logon script as a registry value, as well as dire ``` (index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\System32\\reg.exe" CommandLine="*add*\\Environment*UserInitMprLogonScript") OR (index=__your_sysmon_index__ (EventCode=12 OR EventCode=14 OR EventCode=13) TargetObject="*\\Environment*UserInitMprLogonScript") + ``` @@ -76,6 +79,7 @@ Look for commands for adding a logon script as a registry value, as well as dire ``` norm_id=WindowsSysmon ((event_id=1 image="C:\Windows\System32\reg.exe" command="*add*\Environment*UserInitMprLogonScript") OR (event_id IN [12, 13, 14] target_object="*\Environment*UserInitMprLogonScript")) + ``` diff --git a/docs/analytics/CAR-2020-11-002/index.md b/docs/analytics/CAR-2020-11-002/index.md old mode 100755 new mode 100644 index 11c8bef6..e0c923ed --- a/docs/analytics/CAR-2020-11-002/index.md +++ b/docs/analytics/CAR-2020-11-002/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows Adversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc. This analytic looks for the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -54,6 +55,7 @@ sniffer_processes = filter processes where ( exe = "wprui.exe" OR exe = "wpr.exe" ) output sniffer_processes + ``` 
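Review bot: the CAR-2020-11-001 Splunk and LogPoint hunks keep `CommandLine="*add*\\Environment*UserInitMprLogonScript"` with no trailing wildcard, so the usual `reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d <script>` form, where `/t` and `/d` follow the value name, never matches; append `*` to the Splunk pattern and to the LogPoint `command=` pattern. In the re-emitted description line, `HKEY_CURRENT_USER\Environment*UserInitMprLogonScript*` looks like Markdown italics swallowing the backslash (the key is `HKEY_CURRENT_USER\Environment\UserInitMprLogonScript`), and "This signature looks edits to existing keys" is missing "for".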
@@ -65,6 +67,7 @@ look for common network traffic sniffing apps being run ``` (index=__your_sysmon_index__ EventCode=1) (Image="*tshark.exe" OR Image="*windump.exe" OR (Image="*logman.exe" AND ParentImage!="?" AND ParentImage!="C:\\Program Files\\Windows Event Reporting\\Core\\EventReporting.AgentService.exe") OR Image="*tcpdump.exe" OR Image="*wprui.exe" OR Image="*wpr.exe") + ``` @@ -76,6 +79,7 @@ look for common network traffic sniffing apps being run ``` norm_id=WindowsSysmon event_id=1 (image="*\tshark.exe" OR image="*\windump.exe" OR (image="*\logman.exe" -parent_image="?" -parent_image="C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe") OR image="*\tcpdump.exe" OR image="*\wprui.exe" OR image="*\wpr.exe") + ``` diff --git a/docs/analytics/CAR-2020-11-003/index.md b/docs/analytics/CAR-2020-11-003/index.md old mode 100755 new mode 100644 index 5195e8c1..fa70f827 --- a/docs/analytics/CAR-2020-11-003/index.md +++ b/docs/analytics/CAR-2020-11-003/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -49,6 +50,7 @@ processes = search Process:Create mavinject_processes = filter processes where ( exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*" output mavinject_processes + ``` 
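Review bot: the CAR-2020-11-002 Splunk hunk matches `Image="*tshark.exe"`, `Image="*tcpdump.exe"` and so on without a path separator, while the LogPoint variant beneath it uses `image="*\tshark.exe"`; the unanchored Splunk form also matches any executable whose name merely ends in those strings. Prefix each with `*\\` so it matches a file name, as the LogPoint search already does.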
@@ -60,6 +62,7 @@ Search for instances of mavinject.exe or mavinject32.exe ``` (index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR CommandLine="*\INJECTRUNNING*") + ``` @@ -71,6 +74,7 @@ Search for instances of mavinject.exe or mavinject32.exe ``` norm_id=WindowsSysmon event_id=1 (image="C:\Windows\SysWOW64\mavinject.exe" OR image="C:\Windows\System32\mavinject.exe" OR command="*\INJECTRUNNING*") + ``` diff --git a/docs/analytics/CAR-2020-11-004/index.md b/docs/analytics/CAR-2020-11-004/index.md old mode 100755 new mode 100644 index 4a286dcf..08eb69d6 --- a/docs/analytics/CAR-2020-11-004/index.md +++ b/docs/analytics/CAR-2020-11-004/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discepency. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -59,6 +60,7 @@ mismatch_processes = filter processes where ( parent_exe exists AND (exe="taskhostw.exe" AND (parent_exe!="services.exe" AND parent_exe!="svchost.exe")) OR (exe="userinit.exe" AND (parent_exe!="dwm.exe" AND parent_exe!="winlogon.exe")) output mismatch_processes + ``` 
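Review bot: the CAR-2020-11-003 pseudocode hunk does not parse and mixes field names: `exe = "C:\\Windows\\SysWOW64\\mavinject.exe" OR Image="C:\\Windows\\System32\\mavinject.exe" OR command_line = "*/INJECTRUNNING*"` uses `exe` and `Image` for the same field and never closes the `filter ... where (` paren before `output`. The switch is also spelled differently across the three searches: the pseudocode has `*/INJECTRUNNING*` (a forward slash, which is how mavinject takes it: `mavinject.exe <pid> /INJECTRUNNING <dll>`), but the Splunk and LogPoint searches look for `*\INJECTRUNNING*` with a backslash, which will not match a real invocation. The Splunk section heading mentions mavinject32.exe, but no search includes it, and the description's "roles up" should be "rolls up".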
@@ -81,6 +83,7 @@ Looks for processes that do not have the expected parent. Common Splunk forwarde (Image="C:\\Windows\\System32\\taskhost.exe" AND (ParentImage!="C:\\Windows\\System32\\services.exe" AND ParentImage!="C:\\Windows\\System32\\svchost.exe")) OR (Image="C:\\Windows\\System32\\taskhostw.exe" AND (ParentImage!="C:\\Windows\\System32\\services.exe" AND ParentImage!="C:\\Windows\\System32\\svchost.exe")) OR (Image="C:\\Windows\System32\\userinit.exe" AND (ParentImage!="C:\\Windows\\System32\\dwm.exe" AND ParentImage!="C:\\Windows\\System32\\winlogon.exe"))) + ``` 
@@ -91,13 +94,14 @@ Looks for processes that do not have the expected parent. Unique environments ma ``` -norm_id=WindowsSysmon event_id=1 -parent_image="?" ((image="*\smss.exe" (-parent_image="*\smss.exe" -parent_image="*\System")) OR -(image="*\csrss.exe" (-parent_image="*\smss.exe" -parent_image="*\svchost.exe")) OR (image="*\wininit.exe" -parent_image="*\smss.exe") OR -(image="*\winlogon.exe" -parent_image="*\smss.exe") OR (image="*\lsass.exe" (-parent_image="*\wininit.exe" -parent_image="*\winlogon.exe")) OR -(image="*\LogonUI.exe" (-parent_image="*\winlogon.exe" -parent_image="*\wininit.exe")) OR (image="*\services.exe" -parent_image="*\wininit.exe") OR -(image="*\spoolsv.exe" -parent_image="*\services.exe") OR (image="*\taskhost.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR -(image="*\taskhostw.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR +norm_id=WindowsSysmon event_id=1 -parent_image="?" ((image="*\smss.exe" (-parent_image="*\smss.exe" -parent_image="*\System")) OR +(image="*\csrss.exe" (-parent_image="*\smss.exe" -parent_image="*\svchost.exe")) OR (image="*\wininit.exe" -parent_image="*\smss.exe") OR +(image="*\winlogon.exe" -parent_image="*\smss.exe") OR (image="*\lsass.exe" (-parent_image="*\wininit.exe" -parent_image="*\winlogon.exe")) OR +(image="*\LogonUI.exe" (-parent_image="*\winlogon.exe" -parent_image="*\wininit.exe")) OR (image="*\services.exe" -parent_image="*\wininit.exe") OR +(image="*\spoolsv.exe" -parent_image="*\services.exe") OR (image="*\taskhost.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR +(image="*\taskhostw.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR (image="*\userinit.exe" (-parent_image="*\dwm.exe" -parent_image="*\winlogon.exe"))) + ``` diff --git a/docs/analytics/CAR-2020-11-005/index.md b/docs/analytics/CAR-2020-11-005/index.md old mode 100755 new mode 100644 index 6b29102e..4309ff97 
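Review bot: in the CAR-2020-11-004 pseudocode hunk, `parent_exe exists AND (exe="taskhostw.exe" AND (...)) OR (exe="userinit.exe" AND (...))` lets AND bind tighter than OR, so the `parent_exe exists` guard only covers the taskhostw clause and the userinit clause fires even when Sysmon reported no parent, which the description says to exclude; wrap the ORed clauses in one parenthesised group. In the Splunk hunk, `Image="C:\\Windows\System32\\userinit.exe"` has a single backslash between `Windows` and `System32` where the rest of the search doubles them, so that clause is inconsistent with its neighbours and should be `\\System32\\`. The description's "discepency" should be "discrepancy".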
--- a/docs/analytics/CAR-2020-11-005/index.md +++ b/docs/analytics/CAR-2020-11-005/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. This does not capture the event if it is done within the console itself; only commandline-based commands are detected. Note that the command to remove the history file directly may very a bit if the history file is not saved in the default path on a particular system. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -49,6 +50,7 @@ processes = search Process:Create clear_commands = filter processes where ( command_line ="*rm (Get-PSReadlineOption).HistorySavePath*" OR command_line="*del (Get-PSReadlineOption).HistorySavePath*" OR command_line="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR command_line="*Remove-Item (Get-PSReadlineOption).HistorySavePath*") OR command_linee="del*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt") output clear_commands + ``` @@ -60,6 +62,7 @@ Look for powershell commands that would clear command history ``` (index=__your_sysmon_index__ EventCode=1) (CommandLine="*rm (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*del (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR CommandLine="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="del*Microsoft\\Windows\\Powershell\\PSReadline\\ConsoleHost_history.txt") + ``` 
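Review bot: the CAR-2020-11-005 pseudocode hunk has a misspelled field and unbalanced parentheses: `command_linee="del*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt"` sits outside the `filter ... where (` group, which was already closed by `HistorySavePath*")`, so the block as written does not parse. More importantly, all three searches spell the parameter with an en dash, `*Set-PSReadlineOption –HistorySaveStyle SaveNothing*`, so a command typed with the ordinary ASCII hyphen (`-HistorySaveStyle`) does not match; replace the dash in the pseudocode, Splunk and LogPoint lines. The description's "may very a bit" should read "may vary a bit".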
@@ -71,6 +74,7 @@ Look for powershell commands that would clear command history ``` norm_id=WindowsSysmon event_id=1 (command="*rm (Get-PSReadlineOption).HistorySavePath*" OR command="*del (Get-PSReadlineOption).HistorySavePath*" OR command="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR command="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR command="del*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt") + ``` diff --git a/docs/analytics/CAR-2020-11-006/index.md b/docs/analytics/CAR-2020-11-006/index.md old mode 100755 new mode 100644 index 4531700e..fe0df510 --- a/docs/analytics/CAR-2020-11-006/index.md +++ b/docs/analytics/CAR-2020-11-006/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -54,6 +55,7 @@ net_processes = filter processes where ( command_line="*get-localgroup*" OR command_line="*get-ADPrincipalGroupMembership*" ) output net_processes + ``` @@ -65,6 +67,7 @@ Look for instances of net.exe ``` (index=__your_sysmon_index__ EventCode=1) Image="C:\\Windows\\System32\\net.exe" AND (CommandLine="* user*" OR CommandLine="* group*" OR CommandLine="* localgroup*" OR CommandLine="*get-localgroup*" OR CommandLine="*get-ADPrincipalGroupMembership*") + ``` @@ -76,6 +79,7 @@ Look for instances of net.exe ``` norm_id=WindowsSysmon event_id=1 image="C:\Windows\System32\net.exe" (command="* user*" OR command="* group*" OR command="* localgroup*" OR command="*get-localgroup*" OR command="*get-ADPrincipalGroupMembership*") + ``` 
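Review bot: the CAR-2020-11-006 Splunk and LogPoint hunks constrain `Image="C:\\Windows\\System32\\net.exe"` and then OR in `CommandLine="*get-localgroup*"` and `CommandLine="*get-ADPrincipalGroupMembership*"`; those are PowerShell cmdlets, so under the net.exe image filter the two clauses can never match. Either pair those clauses with a `powershell.exe` image match or remove them. The description's "looks for any instances of net.exe, which is not normally used for benign purposes" also overstates what the search does: it only matches the `user`, `group` and `localgroup` subcommands. Since net.exe hands these subcommands to net1.exe, matching `*\net1.exe` as well would catch direct net1.exe invocation.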
diff --git a/docs/analytics/CAR-2020-11-007/index.md b/docs/analytics/CAR-2020-11-007/index.md old mode 100755 new mode 100644 index 57d88e48..87997dc6 --- a/docs/analytics/CAR-2020-11-007/index.md +++ b/docs/analytics/CAR-2020-11-007/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows Adversaries may use network shares to exfliltrate date; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via commandline, which is otherwise a rare event. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -51,6 +52,7 @@ target_processes = filter processes where ( command_line="*Remove-SmbShare*" OR comman_line="*Remove-FileShare*" ) output target_processes + ``` @@ -62,6 +64,7 @@ looks network shares being deleted from the command line ``` (index=__your_sysmon_index__ EventCode=1) ((Image="C:\\Windows\\System32\\net.exe" AND CommandLine="*delete*") OR CommandLine="*Remove-SmbShare*" OR CommandLine="*Remove-FileShare*") + ``` @@ -73,6 +76,7 @@ looks network shares being deleted from the command line ``` norm_id=WindowsSysmon event_id=1 ((image="C:\Windows\System32\net.exe" command="*delete*") OR command="*Remove-SmbShare*" OR command="*Remove-FileShare*") + ``` diff --git a/docs/analytics/CAR-2020-11-008/index.md b/docs/analytics/CAR-2020-11-008/index.md old mode 100755 new mode 100644 index 0915aec5..a37ff1ef --- a/docs/analytics/CAR-2020-11-008/index.md +++ b/docs/analytics/CAR-2020-11-008/index.md 
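Review bot: in the CAR-2020-11-007 Splunk and LogPoint hunks, `Image="C:\\Windows\\System32\\net.exe" AND CommandLine="*delete*"` matches every `net ... /delete`, including `net user <name> /delete` and `net use <drive> /delete`, not only share removal; tighten it to `CommandLine="*share*delete*"` to match the description. The pseudocode hunk also misspells `comman_line="*Remove-FileShare*"`, and the description's "exfliltrate date" should read "exfiltrate data".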
@@ -12,6 +12,7 @@ applicable_platforms: Windows Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variaty of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -50,6 +51,7 @@ target_processes = filter processes where ( (exe="C:\Program Files (x86)\Microsoft Visual Studio\*\bin\MSBuild.exe" OR exe="C:\Windows\Microsoft.NET\Framework*\msbuild.exe" OR exe="C:\users\*\appdata\roaming\microsoft\msxsl.exe") AND image_path!="*Microsoft Visual Studio*") output target_processes + ``` @@ -61,6 +63,7 @@ Looks for all instances of msbuild.exe or msxsl.exe ``` (index=__your_sysmon_index__ EventCode=1) (Image="C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\bin\\MSBuild.exe" OR Image="C:\\Windows\\Microsoft.NET\\Framework*\\msbuild.exe" OR Image="C:\\users\\*\\appdata\\roaming\\microsoft\\msxsl.exe") ParentImage!="*\\Microsoft Visual Studio*") + ``` @@ -72,6 +75,7 @@ Looks for all instances of msbuild.exe or msxsl.exe ``` norm_id=WindowsSysmon event_id=1 (image IN ["C:\Program Files (x86)\Microsoft Visual Studio\*\bin\MSBuild.exe", "C:\Windows\Microsoft.NET\Framework*\msbuild.exe", "C:\Users\*\appdata\roaming\microsoft\msxsl.exe") -parent_image="*\Microsoft Visual Studio*") + ``` diff --git a/docs/analytics/CAR-2020-11-009/index.md b/docs/analytics/CAR-2020-11-009/index.md old mode 100755 new mode 100644 index ef6ee340..9dbd0862 --- a/docs/analytics/CAR-2020-11-009/index.md +++ b/docs/analytics/CAR-2020-11-009/index.md 
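Review bot: both searches in the CAR-2020-11-008 hunks have unbalanced brackets: the Splunk line ends `... ParentImage!="*\\Microsoft Visual Studio*")` with one more `)` than was opened, and the LogPoint line opens its list with `image IN [` but closes it with `"...msxsl.exe")` rather than `]`. The pseudocode also switches from `exe=` to `image_path!="*Microsoft Visual Studio*"` for what the Splunk search treats as `ParentImage`, so the exclusion is applied to the wrong field there. Worth fixing while this commit is touching these blocks.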
@@ -12,6 +12,7 @@ applicable_platforms: Windows Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -47,6 +48,7 @@ This is a pseudocode representation of the below splunk search. processes = search Process:Create target_processes = filter processes where (exe="C:\Windows\syswow64\hh.exe" OR exe="C:\Windows\system32\hh.exe") output target_processes + ``` @@ -58,6 +60,7 @@ looks all instances of hh.exe ``` (index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\syswow64\\hh.exe" OR Image="C:\\Windows\\system32\\hh.exe") + ``` @@ -69,6 +72,7 @@ looks all instances of hh.exe ``` norm_id=WindowsSysmon event_id=1 (image="C:\Windows\syswow64\hh.exe" OR image="C:\Windows\system32\hh.exe") + ``` diff --git a/docs/analytics/CAR-2020-11-010/index.md b/docs/analytics/CAR-2020-11-010/index.md old mode 100755 new mode 100644 index 800a6add..7b628a9a --- a/docs/analytics/CAR-2020-11-010/index.md +++ b/docs/analytics/CAR-2020-11-010/index.md @@ -51,6 +51,7 @@ target_processes = filter processes where ( exe="C:\Windows\System32\CMSTP.exe" AND src_ip NOT IN [10.0.0.0/8,192.168.0.0/16, 172.16.0.0/12] ) output target_processes + ``` @@ -62,6 +63,7 @@ looks for instances of CMSTP.exe that are combined with external communication ``` (index=__your_sysmon_index__ EventCode=3) Image="C:\\Windows\\System32\\CMSTP.exe" | where ((!cidrmatch("10.0.0.0/8", SourceIp) AND !cidrmatch("192.168.0.0/16", SourceIp) AND !cidrmatch("172.16.0.0/12", SourceIp)) + ``` @@ -73,6 +75,7 @@ looks for instances of CMSTP.exe that are combined with external communication ``` norm_id=WindowsSysmon event_id=3 image="C:\Windows\System32\CMSTP.exe" -source_address IN HOMENET + ``` 
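Review bot: the CAR-2020-11-010 searches filter on the wrong address: the Splunk hunk keeps `| where ((!cidrmatch("10.0.0.0/8", SourceIp) AND !cidrmatch("192.168.0.0/16", SourceIp) AND !cidrmatch("172.16.0.0/12", SourceIp))` and the pseudocode and LogPoint lines use `src_ip` / `source_address`, but for a Sysmon event 3 generated by CMSTP.exe the source address is the monitored host's own address, so on an RFC 1918 network the condition is never true for an outbound connection; the description's "combined with external communication" calls for `DestinationIp` / `dest_ip` / `destination_address`. The Splunk `where` clause is also missing one closing parenthesis.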
diff --git a/docs/analytics/CAR-2020-11-011/index.md b/docs/analytics/CAR-2020-11-011/index.md old mode 100755 new mode 100644 index 756d02c2..2199e3cd --- a/docs/analytics/CAR-2020-11-011/index.md +++ b/docs/analytics/CAR-2020-11-011/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -49,6 +50,7 @@ reg_events = search Registry:add or Registry:edit scr_reg_events = filter processes where ( key="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE" AND output scr_reg_events + ``` @@ -60,6 +62,7 @@ looks creations of edits of the SCRNSAVE.exe registry key ``` index=your_sysmon_index (EventCode=12 OR EventCode=13 OR EventCode=14) TargetObject="*\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\SCRNSAVE.EXE" + ``` @@ -71,6 +74,7 @@ looks creations of edits of the SCRNSAVE.exe registry key ``` norm_id=WindowsSysmon event_id IN [12, 13, 14] target_object="*\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE" + ``` diff --git a/docs/analytics/CAR-2021-01-002/index.md b/docs/analytics/CAR-2021-01-002/index.md index 42fddd25..0cf7a862 100644 --- a/docs/analytics/CAR-2021-01-002/index.md +++ b/docs/analytics/CAR-2021-01-002/index.md 
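Review bot: the CAR-2020-11-011 pseudocode hunk filters the wrong variable and is left unfinished: it builds `reg_events = search Registry:add or Registry:edit` but then runs `filter processes where (`, and the condition ends with a dangling `AND` before `output scr_reg_events`. The Splunk line uses `index=your_sysmon_index` rather than the `__your_sysmon_index__` placeholder every other analytic uses. The section text "looks creations of edits of the SCRNSAVE.exe registry key" should read "looks for creations or edits", and since the Splunk and LogPoint searches include event 14 (rename) alongside 12 and 13, the text should say so.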
@@ -12,6 +12,7 @@ applicable_platforms: Windows Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -45,6 +46,7 @@ This is a Splunk query that determines the average length of a command per user ``` index=* sourcetype="xmlwineventlog" EventCode=4688 |eval cmd_len=len(CommandLine) | eventstats avg(cmd_len) as avg by host| stats max(cmd_len) as maxlen, values(avg) as avgperhost by host, CommandLine | where maxlen > 10*avgperhost + ``` diff --git a/docs/analytics/CAR-2021-01-003/index.md b/docs/analytics/CAR-2021-01-003/index.md index ce77d77c..36aced39 100644 --- a/docs/analytics/CAR-2021-01-003/index.md +++ b/docs/analytics/CAR-2021-01-003/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -45,6 +46,7 @@ This search query looks for an instance where wevtutil is invoked along with a c ``` index=__your_sysmon_index__ sourcetype= __your__windows__sysmon__sourcetype EventCode=1 Image=*wevtutil* CommandLine=*cl* (CommandLine=*System* OR CommandLine=*Security* OR CommandLine=*Setup* OR CommandLine=*Application*) + ``` 
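Review bot: in CAR-2021-01-003 the clause `CommandLine=*cl*` is an unanchored substring and matches any wevtutil command line containing the letters "cl" (including in a path), not only the clear-log verb; use `(CommandLine="* cl *" OR CommandLine="*clear-log*")` so the verb itself is matched. In CAR-2021-01-002 the search starts with `index=*`, which scans every index; use the `__your_sysmon_index__`-style placeholder the other analytics use, and the text should mention that 4688 events carry `CommandLine` only when command-line logging is enabled in the process creation audit policy.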
diff --git a/docs/analytics/CAR-2021-01-004/index.md b/docs/analytics/CAR-2021-01-004/index.md index 7aaac00c..983fb059 100644 --- a/docs/analytics/CAR-2021-01-004/index.md +++ b/docs/analytics/CAR-2021-01-004/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -45,6 +46,7 @@ This query looks for processes spawned by spoolsv.exe or connhost.exe externally ``` (index=__your_sysmon_index__ EventCode=1) (Image=C:\\Windows\\System32\\spoolsv.exe* OR Image=C:\\Windows\\System32\\conhost.exe) ParentImage = "C:\\Windows\\System32\\cmd.exe" + ``` diff --git a/docs/analytics/CAR-2021-01-006/index.md b/docs/analytics/CAR-2021-01-006/index.md index aeb988af..9552c8d1 100644 --- a/docs/analytics/CAR-2021-01-006/index.md +++ b/docs/analytics/CAR-2021-01-006/index.md 
@@ -12,6 +12,7 @@ applicable_platforms: Windows Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -45,6 +46,7 @@ This Splunk query looks for any executable invocations from an Excel file. ``` index = __your_sysmon__index__ (ParentImage="*excel.exe" OR ParentImage="*word.exe" OR ParentImage="*outlook.exe") Image="*.exe" + ``` @@ -60,6 +62,7 @@ target_processes = filter processes where ( (parent_image="*excel.exe" OR parent_image="*word.exe" OR parent_image="*outlook.exe") AND image="*.exe" ) + ``` diff --git a/docs/analytics/CAR-2021-01-007/index.md b/docs/analytics/CAR-2021-01-007/index.md index 96f4c91b..267d05a0 100644 --- a/docs/analytics/CAR-2021-01-007/index.md +++ b/docs/analytics/CAR-2021-01-007/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -45,6 +46,7 @@ This query looks for the specific use of service control for querying or trying ``` index= __your_sysmon__index__ EventCode=1 Image = "C:\\Windows\\System32\\sc.exe" | regex CommandLine="^sc\s*(config|stop|query)\sWinDefend$" + ``` 
@@ -60,6 +62,7 @@ target_processes = filter processes where ( (exe="C:\\Windows\\System32\\sc.exe") AND (command_line="sc *config*" OR command_line="sc *stop*" OR command_line="sc *query*") ) output target_processes + ``` diff --git a/docs/analytics/CAR-2021-01-008/index.md b/docs/analytics/CAR-2021-01-008/index.md index 6acda7f9..3ff06c01 100644 --- a/docs/analytics/CAR-2021-01-008/index.md +++ b/docs/analytics/CAR-2021-01-008/index.md @@ -46,6 +46,7 @@ This query looks for the specific use of reg.exe in correlation to commands aime ``` sourcetype = __your_sysmon_index__ ParentImage = "C:\\Windows\\System32\\cmd.exe" | where like(CommandLine,"reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%") + ``` @@ -60,6 +61,7 @@ processes = search Process:Create cmd_processes = filter processes where ( (parent_image = "C:\\Windows\\System32\\cmd.exe") AND (command_line = "reg.exe%HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System%REG_DWORD /d 0%") ) + ``` diff --git a/docs/analytics/CAR-2021-01-009/index.md b/docs/analytics/CAR-2021-01-009/index.md index da8c6b20..48fabed7 100644 --- a/docs/analytics/CAR-2021-01-009/index.md +++ b/docs/analytics/CAR-2021-01-009/index.md @@ -46,6 +46,7 @@ This query looks for the deletion or resizing of shadow copy volumes, which may ``` ((EventCode="4688" OR EventCode="1") (CommandLine="*vssadmin* *delete* *shadows*" OR CommandLine="*wmic* *shadowcopy* *delete*" OR CommandLine="*vssadmin* *resize* *shadowstorage*")) OR (EventCode="5857" ProviderName="MSVSS__PROVIDER") OR (EventCode="5858" Operation="*Win32_ShadowCopy*") + ``` 
@@ -57,6 +58,7 @@ This query looks for the deletion or resizing of shadow copy volumes, which may ``` (EventCode:("4688" OR "1") AND process.command_line:(*vssadmin*\ *delete*\ *shadows* OR *wmic*\ *shadowcopy*\ *delete* OR *vssadmin*\ *resize*\ *shadowstorage*)) OR (EventCode:"5857" AND ProviderName:"MSVSS__PROVIDER") OR (EventCode:"5858" AND Operation:*Win32_ShadowCopy*) + ``` @@ -68,6 +70,7 @@ This query looks for the deletion or resizing of shadow copy volumes, which may ``` (EventCode IN ["4688", "1"] CommandLine IN ["*vssadmin* *delete* *shadows*", "*wmic* *shadowcopy* *delete*", "*vssadmin* *resize* *shadowstorage*"]) OR (EventCode IN "5857" ProviderName IN "MSVSS__PROVIDER") OR (EventCode IN "5858" Operation IN "*Win32_ShadowCopy*") + ``` diff --git a/docs/analytics/CAR-2021-02-001/index.md b/docs/analytics/CAR-2021-02-001/index.md index 99a8ff0c..d937f4dd 100644 --- a/docs/analytics/CAR-2021-02-001/index.md +++ b/docs/analytics/CAR-2021-02-001/index.md @@ -9,7 +9,8 @@ contributors: Nichols Jasper applicable_platforms: Windows ---

-A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment. +A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment. + ### ATT&CK Detections @@ -49,7 +50,7 @@ processes = search Process:Create suspicious_processes = filter processes where ( (parent_exe == "w3wp.exe" OR parent_exe == "httpd.exe" OR - parent_exe == "tomcat*.exe" OR + parent_exe == "tomcat*.exe" OR parent_exe == "nginx.exe" ) AND (exe == "cmd.exe" OR exe == "powershell.exe" OR @@ -59,6 +60,7 @@ suspicious_processes = filter processes where ( exe == "systeminfo.exe" OR exe == "ipconfig.exe) ) output suspicious_processes + ``` 
@@ -69,9 +71,10 @@ Look for host enumeration commands spawned by web services. ``` -(index=__your_sysmon_index__ EventCode=1) +(index=__your_sysmon_index__ EventCode=1) (ParentImage="C:\\Windows\\System32\\*w3wp.exe" OR ParentImage="*httpd.exe" OR ParentImage="*tomcat*.exe" OR ParentImage="*nginx.exe") -(Image="C:\\Windows\\System32\\cmd.exe OR Image="C:\\Windows\\SysWOW64\\cmd.exe" OR Image="C:\\Windows\\System32\\*\\powershell.exe OR Image="C:\\Windows\SysWOW64\\*\powershell.exe OR Image="C:\\Windows\\System32\\net.exe" OR Image="C:\\Windows\\System32\\hostname.exe" OR Image="C:\\Windows\\System32\\whoami.exe" OR Image="*systeminfo.exe OR Image="C:\\Windows\\System32\\ipconfig.exe") +(Image="C:\\Windows\\System32\\cmd.exe OR Image="C:\\Windows\\SysWOW64\\cmd.exe" OR Image="C:\\Windows\\System32\\*\\powershell.exe OR Image="C:\\Windows\SysWOW64\\*\powershell.exe OR Image="C:\\Windows\\System32\\net.exe" OR Image="C:\\Windows\\System32\\hostname.exe" OR Image="C:\\Windows\\System32\\whoami.exe" OR Image="*systeminfo.exe OR Image="C:\\Windows\\System32\\ipconfig.exe") + ``` diff --git a/docs/analytics/CAR-2021-02-002/index.md b/docs/analytics/CAR-2021-02-002/index.md index b19db756..d715eff2 100644 --- a/docs/analytics/CAR-2021-02-002/index.md +++ b/docs/analytics/CAR-2021-02-002/index.md @@ -9,7 +9,8 @@ contributors: Sebastien Damaye applicable_platforms: Windows ---

-Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques. +Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques. + ### ATT&CK Detections @@ -56,6 +57,7 @@ suspicious_processes = filter processes where ( (image_path == "C:\Windows\System32\rundll32.exe" AND command_line == "*,a /p:*")) output suspicious_processes + ``` 
@@ -68,6 +70,7 @@ Look for instances GetSystem elevation performed by Meterpreter or Cobalt Strike ``` index=__your_sysmon_index__ (ParentImage="C:\\Windows\\System32\\services.exe" Image="C:\\Windows\\System32\\cmd.exe" (CommandLine="*echo*" AND CommandLine="*\\pipe\\*")) OR (Image="C:\\Windows\\System32\\rundll32.exe" CommandLine="*,a /p:*") + ``` @@ -85,6 +88,7 @@ suspicious_processes = filter processes where ( command_line == "*echo*" AND command_line == "*\pipe\*")) output suspicious_processes + ``` @@ -96,6 +100,7 @@ Look for instances GetSystem elevation performed by Empire or PoshC2 ``` index=__your_sysmon_index__ (Image="C:\\Windows\\System32\\cmd.exe" OR CommandLine="*%COMSPEC%*") (CommandLine="*echo*" AND CommandLine="*\pipe\*") + ``` diff --git a/docs/analytics/CAR-2021-04-001/index.md b/docs/analytics/CAR-2021-04-001/index.md index 791d82ca..6bec00b8 100644 --- a/docs/analytics/CAR-2021-04-001/index.md +++ b/docs/analytics/CAR-2021-04-001/index.md @@ -33,6 +33,7 @@ To make sure the rule doesn't miss cases where the executable would be started f `C:\Windows\System32\srv\svchost.exe` + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -82,8 +83,9 @@ suspicious_processes = filter processes where ( OR (exe=services.exe AND image_path!="C:\\Windows\\System32\\services.exe") OR (exe=lsm.exe AND image_path!="C:\\Windows\\System32\\lsm.exe") OR (exe=explorer.exe AND image_path!="C:\\Windows\\explorer.exe") - ) + ) output suspicious_processes + ``` @@ -105,7 +107,8 @@ OR (process_name=csrss.exe AND NOT process_path="C:\\Windows\\System32\\csrss.ex OR (process_name=services.exe AND NOT process_path="C:\\Windows\\System32\\services.exe") OR (process_name=lsm.exe AND NOT process_path="C:\\Windows\\System32\\lsm.exe") OR (process_name=explorer.exe AND NOT process_path="C:\\Windows\\explorer.exe") -) +) + ``` diff --git a/docs/analytics/CAR-2021-05-001/index.md b/docs/analytics/CAR-2021-05-001/index.md index 6b904bb5..07e25a33 100644 
--- a/docs/analytics/CAR-2021-05-001/index.md +++ b/docs/analytics/CAR-2021-05-001/index.md @@ -60,6 +60,7 @@ processes = search Process:Create addstore_commands = filter processes where ( exe =”C:\Windows\System32\certutil.exe” AND command_line="*-addstore*” ) output addstore_commands + ``` @@ -70,7 +71,7 @@ output addstore_commands **Configurations:** Using Splunk [Attack Range](https://github.com/splunk/attack_range) -Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below +Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.004/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below ``` python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] diff --git a/docs/analytics/CAR-2021-05-002/index.md b/docs/analytics/CAR-2021-05-002/index.md index 45d39dba..16b2e5ec 100644 --- a/docs/analytics/CAR-2021-05-002/index.md +++ b/docs/analytics/CAR-2021-05-002/index.md @@ -49,6 +49,7 @@ files = search File:create batch_files = filter files where ( extension =".bat" AND file_path = "C:\Windows\system32*" ) output batch_files + ``` 
@@ -70,7 +71,7 @@ You must be ingesting data that records the file-system activity from your hosts **Configurations:** Using Splunk [Attack Range](https://github.com/splunk/attack_range) -Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log) using the Splunk attack range with the commands below +Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/batch_file_in_system32/windows-sysmon.log) using the Splunk attack range with the commands below ``` python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] diff --git a/docs/analytics/CAR-2021-05-003/index.md b/docs/analytics/CAR-2021-05-003/index.md index 54242317..7486e622 100644 --- a/docs/analytics/CAR-2021-05-003/index.md +++ b/docs/analytics/CAR-2021-05-003/index.md @@ -50,6 +50,7 @@ processes = search Process:Create bcdedit_commands = filter processes where ( exe = "C:\Windows\System32\bcdedit.exe" AND command_line="*recoveryenabled*" ) output bcedit_commands + ``` diff --git a/docs/analytics/CAR-2021-05-004/index.md b/docs/analytics/CAR-2021-05-004/index.md index 301bea27..ed1abe63 100644 --- a/docs/analytics/CAR-2021-05-004/index.md +++ b/docs/analytics/CAR-2021-05-004/index.md @@ -49,6 +49,7 @@ processes = search Process:Create bitsadmin_commands = filter processes where ( exe ="C:\Windows\System32\bitsadmin.exe" AND command_line includes one of [*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*,*resume*]) output bitsadmin_commands + ``` 
@@ -70,7 +71,7 @@ To successfully implement this search you need to be ingesting information on pr **Configurations:** Using Splunk [Attack Range](https://github.com/splunk/attack_range) -Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below +Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below ``` python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] diff --git a/docs/analytics/CAR-2021-05-005/index.md b/docs/analytics/CAR-2021-05-005/index.md index 1e5ac427..9e62c4fb 100644 --- a/docs/analytics/CAR-2021-05-005/index.md +++ b/docs/analytics/CAR-2021-05-005/index.md @@ -50,6 +50,7 @@ processes = search Process:Create bitsadmin_commands = filter processes where ( exe ="C:\Windows\System32\bitsadmin.exe" AND command_line = *transfer*) output bitsadmin_commands + ``` @@ -71,7 +72,7 @@ To successfully implement this search you need to be ingesting information on pr **Configurations:** Using Splunk [Attack Range](https://github.com/splunk/attack_range) -Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below +Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below ``` python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] diff --git a/docs/analytics/CAR-2021-05-006/index.md b/docs/analytics/CAR-2021-05-006/index.md index 3eff2abb..928edc3a 100644 --- a/docs/analytics/CAR-2021-05-006/index.md 
+++ b/docs/analytics/CAR-2021-05-006/index.md @@ -49,6 +49,7 @@ processes = search Process:Create certutil_downloads = filter processes where ( exe ="C:\Windows\System32\certutil.exe" AND command_line = *urlcache* AND command_line = *split*) output certutil_downloads + ``` diff --git a/docs/analytics/CAR-2021-05-007/index.md b/docs/analytics/CAR-2021-05-007/index.md index ff39d9e5..97a3738a 100644 --- a/docs/analytics/CAR-2021-05-007/index.md +++ b/docs/analytics/CAR-2021-05-007/index.md @@ -49,6 +49,7 @@ processes = search Process:Create certutil_downloads = filter processes where ( exe = "C:\Windows\System32\certutil.exe" AND command_line = *verifyctl* AND command_line = *split*) output certutil_downloads + ``` diff --git a/docs/analytics/CAR-2021-05-008/index.md b/docs/analytics/CAR-2021-05-008/index.md index 5056e205..8227df58 100644 --- a/docs/analytics/CAR-2021-05-008/index.md +++ b/docs/analytics/CAR-2021-05-008/index.md @@ -49,6 +49,7 @@ processes = search Process:Create certutil_downloads = filter processes where ( exe =”C:\Windows\System32\certutil.exe” AND command_line = * -exportPFX * ) output certutil_downloads + ``` @@ -70,7 +71,7 @@ Splunk implementation **Configurations:** Using Splunk [Attack Range](https://github.com/splunk/attack_range) -Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/windows-sysmon.log) using the Splunk attack range with the commands below +Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/certutil_exe_certificate_extraction/windows-sysmon.log) using the Splunk attack range with the commands below ``` python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] 
@@ -80,7 +81,7 @@ python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] **Configurations:** Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam) -execute the atomic test [T1606.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1606.002) against a Windows target. +Execute the atomic test [T1606.002](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1606.002) against a Windows target. ``` Invoke-AtomicTest T1606.002 diff --git a/docs/analytics/CAR-2021-05-009/index.md b/docs/analytics/CAR-2021-05-009/index.md index 9ca808eb..44c3ed02 100644 --- a/docs/analytics/CAR-2021-05-009/index.md +++ b/docs/analytics/CAR-2021-05-009/index.md @@ -49,6 +49,7 @@ processes = search Process:Create certutil_downloads = filter processes where ( exe =”C:\Windows\System32\certutil.exe” AND command_line = *decode* ) output certutil_downloads + ``` @@ -70,7 +71,7 @@ To successfully implement this search you need to be ingesting information on pr **Configurations:** Using Splunk [Attack Range](https://github.com/splunk/attack_range) -Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below +Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1140/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below ``` python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] diff --git a/docs/analytics/CAR-2021-05-010/index.md b/docs/analytics/CAR-2021-05-010/index.md index 228547b8..0563fc99 100644 --- a/docs/analytics/CAR-2021-05-010/index.md +++ b/docs/analytics/CAR-2021-05-010/index.md 
@@ -49,6 +49,7 @@ processes = search Process:Create certutil_downloads = filter processes where ( (exe = C:\Windows\System32\net.exe OR exe = C:\Windows\System32\net1.exe ) AND command_line = * -exportPFX * ) output certutil_downloads + ``` diff --git a/docs/analytics/CAR-2021-05-011/index.md b/docs/analytics/CAR-2021-05-011/index.md index 6e0a2ef1..3c5dd4dd 100644 --- a/docs/analytics/CAR-2021-05-011/index.md +++ b/docs/analytics/CAR-2021-05-011/index.md @@ -47,6 +47,7 @@ Pseudocode implementation of the Splunk search below. The CAR data model does no remote_threads = search Thread:remote_create lsass_remote_create = filter remote_threads where "lsass" in raw event output lsass_remote_create + ``` @@ -56,6 +57,7 @@ output lsass_remote_create This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. + ``` `sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename Computer as dest ``` 
@@ -68,7 +70,8 @@ This search needs Sysmon Logs with a Sysmon configuration, which includes EventC **Configurations:** Using Splunk [Attack Range](https://github.com/splunk/attack_range) -Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below +Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log) using the Splunk attack range with the commands below + ``` python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] diff --git a/docs/analytics/CAR-2021-05-012/index.md b/docs/analytics/CAR-2021-05-012/index.md index fc7e0d6e..f0bb7fb4 100644 --- a/docs/analytics/CAR-2021-05-012/index.md +++ b/docs/analytics/CAR-2021-05-012/index.md @@ -48,6 +48,7 @@ Pseudocode implementation of the Splunk search below. services = search Service:create suspicious_services = filter services where image_path = "*\.exe" AND image_path does not contain ["C:\\Windows\\*", "%windir%\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*"] ) output suspicious_services + ``` @@ -69,7 +70,7 @@ To successfully implement this search, you need to be ingesting logs with the Se **Configurations:** Using Splunk [Attack Range](https://github.com/splunk/attack_range) -Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log) using the Splunk attack range with the commands below +Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-system.log) using the Splunk attack range with the commands below ``` python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP] 
diff --git a/docs/analytics/CAR-2021-11-001/index.md b/docs/analytics/CAR-2021-11-001/index.md index 18eb1c64..f74e56f7 100644 --- a/docs/analytics/CAR-2021-11-001/index.md +++ b/docs/analytics/CAR-2021-11-001/index.md @@ -51,6 +51,7 @@ safe_dll_search_processes = filter processes where command_line CONTAINS("*SafeD reg_keys = search Registry:value_edit safe_dll_reg_keys = filter reg_keys where value="SafeDllSearchMode" AND value_data="0" output safe_dll_search_processes, safe_dll_reg_keys + ``` @@ -62,6 +63,7 @@ This is a Splunk representation of the above pseudocode. ``` (source="WinEventLog:*" ((((EventCode="4688" OR EventCode="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) (CommandLine="*00000000*" OR CommandLine="*0*") CommandLine="*SafeDllSearchMode*") OR ((EventCode="4657") ObjectValueName="SafeDllSearchMode" value="0")) OR ((EventCode="13") EventType="SetValue" TargetObject="*SafeDllSearchMode" Details="DWORD (0x00000000)"))) + ``` @@ -73,6 +75,7 @@ This is an Elastic representation of the above pseudocode. ``` (((EventCode:("4688" OR "1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:(*00000000* OR *0*) AND process.command_line:*SafeDllSearchMode*) OR (EventCode:"4657" AND winlog.event_data.ObjectValueName:"SafeDllSearchMode" AND value:"0")) OR (EventCode:"13" AND winlog.event_data.EventType:"SetValue" AND winlog.event_data.TargetObject:*SafeDllSearchMode AND winlog.event_data.Details:"DWORD\ \(0x00000000\)")) + ``` 
@@ -84,6 +87,7 @@ This is a LogPoint representation of the above pseudocode. ``` (((EventCode IN ["4688", "1"] ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine IN ["*00000000*", "*0*"] CommandLine="*SafeDllSearchMode*") OR (EventCode IN "4657" ObjectValueName="SafeDllSearchMode" value="0")) OR (EventCode IN "13" EventType="SetValue" TargetObject="*SafeDllSearchMode" Details="DWORD (0x00000000)")) + ``` diff --git a/docs/analytics/CAR-2021-11-002/index.md b/docs/analytics/CAR-2021-11-002/index.md index 61b22c50..f6078275 100644 --- a/docs/analytics/CAR-2021-11-002/index.md +++ b/docs/analytics/CAR-2021-11-002/index.md @@ -12,6 +12,7 @@ applicable_platforms: Windows Detection of modification of the registry key values of `Notify`, `Userinit`, and `Shell` located in `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` and `HKEY_LOCAL_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\`. When a user logs on, the Registry key values of `Notify`, `Userinit` and `Shell` are used to load dedicated Windows component. Attackers may insert malicious payload following the legitimate value to launch a malicious payload. + ### ATT&CK Detections |Technique|Subtechnique(s)|Tactic(s)|Level of Coverage| @@ -51,6 +52,7 @@ logon_reg_processes = filter processes where command_line CONTAINS("*\\Microsoft reg_keys = search Registry:value_edit logon_reg_keys = filter reg_keys where (value="Userinit" OR value="Shell" OR value="Notify") output logon_reg_processes, logon_reg_keys + ``` 
@@ -62,6 +64,7 @@ This is a Splunk representation of the above pseudocode. ``` (((((EventCode="4688" OR EventCode="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR ((CommandLine="*Set-ItemProperty*" OR CommandLine="*New-ItemProperty*") CommandLine="*-value*")) CommandLine="*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" (CommandLine="*Userinit*" OR CommandLine="*Shell*" OR CommandLine="*Notify*")) OR ((EventCode="4657") (ObjectValueName="Userinit" OR ObjectValueName="Shell" OR ObjectValueName="Notify"))) OR ((EventCode="13") (TargetObject="*Userinit" OR TargetObject="*Shell" OR TargetObject="*Notify")))) + ``` @@ -73,6 +76,7 @@ This is an ElasticSearch representation of the above pseudocode. ``` (((EventCode:("4688" OR "1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:(*Set\-ItemProperty* OR *New\-ItemProperty*) AND process.command_line:*\-value*)) AND process.command_line:*\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon* AND process.command_line:(*Userinit* OR *Shell* OR *Notify*)) OR (EventCode:"4657" AND winlog.event_data.ObjectValueName:("Userinit" OR "Shell" OR "Notify"))) OR (EventCode:"13" AND winlog.event_data.TargetObject:(*Userinit OR *Shell OR *Notify))) + ``` @@ -84,6 +88,7 @@ This is a LogPoint representation of the above pseudocode. ``` (((EventCode IN ["4688", "1"] ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine IN ["*Set-ItemProperty*", "*New-ItemProperty*"] CommandLine="*-value*")) CommandLine="*\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" CommandLine IN ["*Userinit*", "*Shell*", "*Notify*"]) OR (EventCode IN "4657" ObjectValueName IN ["Userinit", "Shell", "Notify"])) OR (EventCode IN "13" TargetObject IN ["*Userinit", "*Shell", "*Notify"])) + ``` diff --git a/docs/analytics/CAR-2021-12-001/index.md b/docs/analytics/CAR-2021-12-001/index.md index b7078c65..2e563114 100644 
--- a/docs/analytics/CAR-2021-12-001/index.md +++ b/docs/analytics/CAR-2021-12-001/index.md @@ -49,6 +49,7 @@ susp_tasks_processes = filter processes where command_line CONTAINS("*SCHTASKS*" tasks = search Task:create susp_tasks = filter tasks where (task_content CONTAINS("*.cmd*") OR task_content CONTAINS("*.ps1*") OR task_content CONTAINS("*.vbs*") OR task_content CONTAINS("*.py*") OR task_content CONTAINS("*.js*") OR task_content CONTAINS("*.exe*") OR task_content CONTAINS("*.bat*") OR (task_content CONTAINS("*javascript*") OR task_content CONTAINS("*powershell*") OR task_content CONTAINS("*wmic*") OR task_content CONTAINS("*rundll32*") OR task_content CONTAINS("*cmd*") OR task_content CONTAINS("*cscript*") OR task_content CONTAINS("*wscript*") OR task_content CONTAINS("*regsvr32*") OR task_content CONTAINS("*mshta*") OR task_content CONTAINS("*bitsadmin*") OR task_content CONTAINS("*certutil*") OR task_content CONTAINS("*msiexec*") OR task_content CONTAINS("*javaw*") OR (task_content CONTAINS("*%APPDATA%*") OR task_content CONTAINS("*\\AppData\\Roaming*") OR task_content CONTAINS("*%PUBLIC%*") OR task_content CONTAINS("*C:\\Users\\Public*") OR task_content CONTAINS("*%ProgramData%*") OR task_content CONTAINS("*C:\\ProgramData*") OR task_content CONTAINS("*%TEMP%*") OR task_content CONTAINS("*\\AppData\\Local\\Temp*") OR task_content CONTAINS("*\\Windows\\PLA\\System*") OR task_content CONTAINS("*\\tasks*") OR task_content CONTAINS("*\\Registration\\CRMLog*") OR task_content CONTAINS("*\\FxsTmp*") OR task_content CONTAINS("*\\spool\\drivers\\color*") OR task_content CONTAINS("*\\tracing*")))) output susp_tasks_processes, susp_tasks + ``` 
@@ -60,6 +61,7 @@ This is a Splunk representation of the above pseudocode search. ``` (((EventCode="4688" OR EventCode="1") CommandLine="*SCHTASKS*" (CommandLine="*/CREATE*" OR CommandLine="*/CHANGE*")) ((CommandLine="*.cmd*" OR CommandLine="*.ps1*" OR CommandLine="*.vbs*" OR CommandLine="*.py*" OR CommandLine="*.js*" OR CommandLine="*.exe*" OR CommandLine="*.bat*") OR (CommandLine="*javascript*" OR CommandLine="*powershell*" OR CommandLine="*wmic*" OR CommandLine="*rundll32*" OR CommandLine="*cmd*" OR CommandLine="*cscript*" OR CommandLine="*wscript*" OR CommandLine="*regsvr32*" OR CommandLine="*mshta*" OR CommandLine="*bitsadmin*" OR CommandLine="*certutil*" OR CommandLine="*msiexec*" OR CommandLine="*javaw*") OR (CommandLine="*%APPDATA%*" OR CommandLine="*\\AppData\\Roaming*" OR CommandLine="*%PUBLIC%*" OR CommandLine="*C:\\Users\\Public*" OR CommandLine="*%ProgramData%*" OR CommandLine="*C:\\ProgramData*" OR CommandLine="*%TEMP%*" OR CommandLine="*\\AppData\\Local\\Temp*" OR CommandLine="*\\Windows\\PLA\\System*" OR CommandLine="*\\tasks*" OR CommandLine="*\\Registration\\CRMLog*" OR CommandLine="*\\FxsTmp*" OR CommandLine="*\\spool\\drivers\\color*" OR CommandLine="*\\tracing*"))) OR ((EventCode="4698" OR EventCode="4702") ((TaskContent="*.cmd*" OR TaskContent="*.ps1*" OR TaskContent="*.vbs*" OR TaskContent="*.py*" OR TaskContent="*.js*" OR TaskContent="*.exe*" OR TaskContent="*.bat*") OR (TaskContent="*javascript*" OR TaskContent="*powershell*" OR TaskContent="*wmic*" OR TaskContent="*rundll32*" OR TaskContent="*cmd*" OR TaskContent="*cscript*" OR TaskContent="*wscript*" OR TaskContent="*regsvr32*" OR TaskContent="*mshta*" OR TaskContent="*bitsadmin*" OR TaskContent="*certutil*" OR TaskContent="*msiexec*" OR TaskContent="*javaw*") OR (TaskContent="*%APPDATA%*" OR TaskContent="*\\AppData\\Roaming*" OR TaskContent="*%PUBLIC%*" OR TaskContent="*C:\\Users\\Public*" OR TaskContent="*%ProgramData%*" OR TaskContent="*C:\\ProgramData*" OR TaskContent="*%TEMP%*" OR 
TaskContent="*\\AppData\\Local\\Temp*" OR TaskContent="*\\Windows\\PLA\\System*" OR TaskContent="*\\tasks*" OR TaskContent="*\\Registration\\CRMLog*" OR TaskContent="*\\FxsTmp*" OR TaskContent="*\\spool\\drivers\\color*" OR TaskContent="*\\tracing*"))) + ``` @@ -71,6 +73,7 @@ This is an ElasticSearch representation of the above pseudocode search. ``` ((winlog.event_id:("4688" OR "1") AND process.command_line:*SCHTASKS* AND process.command_line:(*\/CREATE* OR *\/CHANGE*)) AND (process.command_line:(*.cmd* OR *.ps1* OR *.vbs* OR *.py* OR *.js* OR *.exe* OR *.bat*) OR process.command_line:(*javascript* OR *powershell* OR *wmic* OR *rundll32* OR *cmd* OR *cscript* OR *wscript* OR *regsvr32* OR *mshta* OR *bitsadmin* OR *certutil* OR *msiexec* OR *javaw*) OR process.command_line:(*%APPDATA%* OR *\\AppData\\Roaming* OR *%PUBLIC%* OR *C\:\\Users\\Public* OR *%ProgramData%* OR *C\:\\ProgramData* OR *%TEMP%* OR *\\AppData\\Local\\Temp* OR *\\Windows\\PLA\\System* OR *\\tasks* OR *\\Registration\\CRMLog* OR *\\FxsTmp* OR *\\spool\\drivers\\color* OR *\\tracing*))) OR (winlog.event_id:("4698" OR "4702") AND (winlog.event_data.TaskContent:(*.cmd* OR *.ps1* OR *.vbs* OR *.py* OR *.js* OR *.exe* OR *.bat*) OR winlog.event_data.TaskContent:(*javascript* OR *powershell* OR *wmic* OR *rundll32* OR *cmd* OR *cscript* OR *wscript* OR *regsvr32* OR *mshta* OR *bitsadmin* OR *certutil* OR *msiexec* OR *javaw*) OR winlog.event_data.TaskContent:(*%APPDATA%* OR *\\AppData\\Roaming* OR *%PUBLIC%* OR *C\:\\Users\\Public* OR *%ProgramData%* OR *C\:\\ProgramData* OR *%TEMP%* OR *\\AppData\\Local\\Temp* OR *\\Windows\\PLA\\System* OR *\\tasks* OR *\\Registration\\CRMLog* OR *\\FxsTmp* OR *\\spool\\drivers\\color* OR *\\tracing*))) + ``` 
@@ -82,6 +85,7 @@ This is a LogPoint representation of the above pseudocode search. ``` ((event_id IN ["4688", "1"] CommandLine="*SCHTASKS*" CommandLine IN ["*/CREATE*", "*/CHANGE*"]) (CommandLine IN ["*.cmd*", "*.ps1*", "*.vbs*", "*.py*", "*.js*", "*.exe*", "*.bat*"] OR CommandLine IN ["*javascript*", "*powershell*", "*wmic*", "*rundll32*", "*cmd*", "*cscript*", "*wscript*", "*regsvr32*", "*mshta*", "*bitsadmin*", "*certutil*", "*msiexec*", "*javaw*"] OR CommandLine IN ["*%APPDATA%*", "*\\AppData\\Roaming*", "*%PUBLIC%*", "*C:\\Users\\Public*", "*%ProgramData%*", "*C:\\ProgramData*", "*%TEMP%*", "*\\AppData\\Local\\Temp*", "*\\Windows\\PLA\\System*", "*\\tasks*", "*\\Registration\\CRMLog*", "*\\FxsTmp*", "*\\spool\\drivers\\color*", "*\\tracing*"])) OR (event_id IN ["4698", "4702"] (TaskContent IN ["*.cmd*", "*.ps1*", "*.vbs*", "*.py*", "*.js*", "*.exe*", "*.bat*"] OR TaskContent IN ["*javascript*", "*powershell*", "*wmic*", "*rundll32*", "*cmd*", "*cscript*", "*wscript*", "*regsvr32*", "*mshta*", "*bitsadmin*", "*certutil*", "*msiexec*", "*javaw*"] OR TaskContent IN ["*%APPDATA%*", "*\\AppData\\Roaming*", "*%PUBLIC%*", "*C:\\Users\\Public*", "*%ProgramData%*", "*C:\\ProgramData*", "*%TEMP%*", "*\\AppData\\Local\\Temp*", "*\\Windows\\PLA\\System*", "*\\tasks*", "*\\Registration\\CRMLog*", "*\\FxsTmp*", "*\\spool\\drivers\\color*", "*\\tracing*"])) + ``` diff --git a/docs/analytics/CAR-2021-12-002/index.md b/docs/analytics/CAR-2021-12-002/index.md index 53fcf621..6c827278 100644 --- a/docs/analytics/CAR-2021-12-002/index.md +++ b/docs/analytics/CAR-2021-12-002/index.md @@ -51,6 +51,7 @@ logon_reg_processes = filter processes where (command_line CONTAINS("*reg*") AND reg_keys = search Registry:value_edit logon_reg_keys = filter reg_keys where value="Common Startup" output logon_reg_processes, logon_reg_keys + ``` 
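Review bot: the Splunk, ElasticSearch and LogPoint blocks of docs/analytics/CAR-2021-12-002/index.md that the next three hunks close with `+ ```` disagree on scope. The ElasticSearch and LogPoint variants put `EventLog:"Security"` / `EventLog="Security"` in front of `winlog.event_id:"4688" OR winlog.event_id:"1"`, but event ID 1 is Sysmon's process-creation event and does not live in the Security channel, so in those two variants the `1` alternative can never match; the Splunk variant has no channel filter and is the one that actually matches the pseudocode's `Process:create`. Drop the channel restriction or scope it to 4688 only. The ElasticSearch query also uses a bare `EventLog` field while every other field in it is `winlog.*`. Finally, the context line reads "This is an ElasticSeearech representation"; fix the typo while the block is being edited.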
@@ -62,6 +63,7 @@ This is a Splunk representation of the above pseudocode search. ``` (((EventCode="4688" OR EventCode="1") (CommandLine="*reg*" AND CommandLine="*add*" AND CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" AND CommandLine="*-value*") CommandLine="*Common Startup*") OR ((EventCode="4657" ObjectValueName="Common Startup") OR (EventCode="13" TargetObject="*Common Startup"))) + ``` @@ -73,6 +75,7 @@ This is an ElasticSeearech representation of the above pseudocode search. ``` ((EventLog:"Security" AND (winlog.event_id:"4688" OR winlog.event_id:"1") AND ((process.command_line:*reg* AND process.command_line:*add* AND process.command_line:*\/d*) OR (process.command_line:*Set\-ItemProperty* AND process.command_line:*\-value*)) AND process.command_line:*Common\ Startup*) OR (winlog.event_id:"4657" AND winlog.event_data.ObjectValueName:"Common\ Startup") OR (winlog.event_id:"13" AND winlog.event_data.TargetObject:"*Common Startup")) + ``` @@ -84,6 +87,7 @@ This is a LogPoint representation of the above pseudocode search. ``` ((EventLog="Security" (event_id="4688" OR event_id="1") ((CommandLine="*reg*" CommandLine="*add*" CommandLine="*/d*") OR (CommandLine="*Set-ItemProperty*" CommandLine="*-value*")) CommandLine="*Common Startup*") OR (event_id="4657" ObjectValueName="Common Startup") OR (event_id="13" TargetObject="*Common Startup")) + ``` diff --git a/docs/analytics/CAR-2022-03-001/index.md b/docs/analytics/CAR-2022-03-001/index.md index a10887d6..32de9e01 100644 --- a/docs/analytics/CAR-2022-03-001/index.md +++ b/docs/analytics/CAR-2022-03-001/index.md 
@@ -16,6 +16,7 @@ Adversaries may disable Windows event logging to limit data that can be leverage 4. The fourth way is to use auditpol.exe to modify the audit configuration and disable/modify important parameters that will lead to disable the creation of EventLog. 5. The last one is to modify the Registry Key value `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\file` (or other kind of log) to modify the path where the EventLog are stocked. Importantly, with this technique, the EventViewer will use the value of the Registry Key "file" to know where to find the Log. Thus, using the EventViewer will always show the current event logs, but the old one will be stocked in another evtx. Also, the path must be in a folder that the Eventlog process has access (like it doesn’t work if attacker set up the new path in the Desktop). Attacker can also decrease the maxsize value of the Log to force the system to rewrite on the older EventLog (but the minimum cannot be less than 1028 KB). As the Registry key is modified, Security EventLog 4657 or Sysmon EventLog 13 will be generated on the system. All of these attacks required administrative right. Attacks number three, four and five do not require a system reboot to be effective immediately. + #### References https://ptylu.github.io/content/report/report.html?report=25 
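Review bot: the added blank line before `#### References` is fine, but the description in this hunk's context needs the same attention: "lead to disable the creation of EventLog" should read "disables event log creation", "stocked" (twice) should be "stored", "the old one will be stocked in another evtx" should be "the older events remain in the previous .evtx", "Attacker can also decrease" should be "An attacker can also decrease", and "All of these attacks required administrative right" should be "All of these attacks require administrative rights". Also make clear that `file` in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\file` is a value under the `Security` key rather than a subkey; the pseudocode below filters on `value="File"`, and a reader comparing the two will otherwise be confused.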
@@ -55,10 +56,10 @@ This detects the disabling of Windows Event Logging, via process command line or ``` processes = search Process:create susp_processes = filter processes where ((command_line CONTAINS("*New-Item*") OR command_line CONTAINS("*reg add*")) OR command_line CONTAINS("*MiniNt*")) OR (command_line CONTAINS("*Stop-Service*")AND command_line CONTAINS("*EventLog*")) OR (command_line CONTAINS("*EventLog*") AND (command_line CONTAINS("*Set-Service*") OR command_line CONTAINS("*reg add*") OR command_line CONTAINS("*Set-ItemProperty*") OR command_line CONTAINS("*New-ItemProperty*") OR command_line CONTAINS("*sc config*"))) OR (command_line CONTAINS("*auditpol*") AND (command_line CONTAINS("*/set*") OR command_line CONTAINS("*/clear*") OR command_line CONTAINS("*/revove*"))) OR ((command_line CONTAINS("*wevtutil*") AND (command_line CONTAINS("*sl*") OR command_line CONTAINS("*set-log*")))) - reg_keys = search Registry:value_edit event_log_reg_keys = filter reg_keys where Key="*EventLog*" AND (value="Start" OR value="File" OR value="MaxSize") output susp_processes, event_log_reg_keys + ``` @@ -70,6 +71,7 @@ Splunk version of the CAR pseudocode. ``` ((EventCode="4688" OR EventCode="1") ((CommandLine="*New-Item*" OR CommandLine="*reg add*") CommandLine="*MiniNt*")OR (CommandLine="*Stop-Service*" CommandLine="*EventLog*")OR (CommandLine="*EventLog*" (CommandLine="*Set-Service*" OR CommandLine="*reg add*" OR CommandLine="*Set-ItemProperty*" OR CommandLine="*New-ItemProperty*" OR CommandLine="*sc config*")) OR (CommandLine="*auditpol*" (CommandLine="*/set*" OR CommandLine="*/clear*" OR CommandLine="*/revove*")) OR ((CommandLine="*wevtutil*" (CommandLine="*sl*" OR CommandLine="*set-log*")))) OR (EventCode="4719") OR ((EventCode="4657" OR EventCode="13") (ObjectName="*EventLog*") (ObjectValueName="Start" OR ObjectValueName="File" OR ObjectValueName="MaxSize")) + ``` 
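Review bot: logic problems in the pseudocode and Splunk blocks of docs/analytics/CAR-2022-03-001/index.md that these hunks close. First, the representations disagree on the MiniNt clause: the pseudocode has `((command_line CONTAINS("*New-Item*") OR command_line CONTAINS("*reg add*")) OR command_line CONTAINS("*MiniNt*"))`, which flags every `reg add` and every PowerShell `New-Item` on the estate; the Splunk block ANDs `CommandLine="*MiniNt*"` with the `(New-Item OR reg add)` group, which is the intended reading; and the LogPoint block in the next hunk requires `CommandLine="*New-Item*" CommandLine="*reg add*" CommandLine IN "*MiniNt*"` all at once, which a single command line will essentially never satisfy. Make all three `(New-Item OR reg add) AND MiniNt`. Second, `*/revove*` in all three is a typo for auditpol's `/remove` and will never match, and `*sl*` is tested against the whole command line rather than as the `wevtutil sl` verb. Third, the Splunk registry clause `(EventCode="4657" OR EventCode="13") (ObjectName="*EventLog*")` uses `ObjectName`, but Sysmon event 13 carries the key path in `TargetObject` (as the CAR-2021-12-002 Splunk query in this same patch does), so the Sysmon half of that clause is dead. Fourth, the Splunk and LogPoint blocks add `EventCode="4719"` (audit policy change) with no counterpart in the pseudocode; add the corresponding search there, otherwise the pseudocode stops being the reference the other representations are derived from.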
@@ -81,6 +83,7 @@ LogPoint version of the CAR pseudocode. ``` ((((((EventCode IN ["4688", "1"] CommandLine="*New-Item*" CommandLine="*reg add*" CommandLine IN "*MiniNt*") OR (CommandLine="*Stop-Service*" CommandLine="*EventLog*")) OR (CommandLine IN ["*Set-Service*", "*reg add*", "*Set-ItemProperty*", "*New-ItemProperty*", "*sc config*"] CommandLine IN "*EventLog*")) OR (CommandLine IN "*auditpol*" CommandLine IN ["*/set*", "*/clear*", "*/revove*"])) OR (CommandLine IN "*wevtutil*" CommandLine IN ["*sl*", "*set-log*"]) OR EventCode IN "4719") OR (EventCode IN ["4657", "13"] ObjectName IN "*EventLog*" ObjectValueName IN ["Start", "File", "MaxSize"])) + ``` diff --git a/docs/analytics/by_technique/index.md b/docs/analytics/by_technique/index.md index e1445b68..08777978 100644 --- a/docs/analytics/by_technique/index.md +++ b/docs/analytics/by_technique/index.md @@ -16,14 +16,14 @@ permalink: /analytics/by_technique T1003: OS Credential Dumping - - T1003.003: NTDS - - T1003.001: LSASS Memory + + T1003.003: NTDS + + T1003.002: Security Account Manager @@ -59,20 +59,20 @@ permalink: /analytics/by_technique - T1021.001: Remote Desktop Protocol - + T1021.006: Windows Remote Management + T1021.002: SMB/Windows Admin Shares - T1021.003: Distributed Component Object Model - + T1021.001: Remote Desktop Protocol + - T1021.006: Windows Remote Management - + T1021.003: Distributed Component Object Model + T1029: Scheduled Transfer @@ -141,14 +141,14 @@ permalink: /analytics/by_technique T1055: Process Injection - - T1055.012: Process Hollowing - - T1055.001: Dynamic-link Library Injection + + T1055.012: Process Hollowing + + T1057: Process Discovery (N/A - technique only) @@ -159,6 +159,10 @@ permalink: /analytics/by_technique (N/A - technique only) + + T1059.001: PowerShell + + T1059.003: Windows Command Shell 
@@ -167,10 +171,6 @@ permalink: /analytics/by_technique T1059.005: Visual Basic - - T1059.001: PowerShell - - T1068: Exploitation for Privilege Escalation (N/A - technique only) @@ -190,6 +190,10 @@ permalink: /analytics/by_technique T1070: Indicator Removal + + T1070.005: Network Share Connection Removal + + T1070.003: Clear Command History @@ -198,10 +202,6 @@ permalink: /analytics/by_technique T1070.001: Clear Windows Event Logs - - T1070.005: Network Share Connection Removal - - T1078: Valid Accounts @@ -277,14 +277,6 @@ permalink: /analytics/by_technique T1218: System Binary Proxy Execution - - T1218.010: Regsvr32 - - - - T1218.001: Compiled HTML File - - T1218.011: Rundll32 @@ -293,6 +285,14 @@ permalink: /analytics/by_technique T1218.003: CMSTP + + T1218.010: Regsvr32 + + + + T1218.001: Compiled HTML File + + T1222: File and Directory Permissions Modification @@ -328,8 +328,8 @@ permalink: /analytics/by_technique T1546: Event Triggered Execution - T1546.008: Accessibility Features - + T1546.010: AppInit DLLs + T1546.015: Component Object Model Hijacking @@ -344,8 +344,8 @@ permalink: /analytics/by_technique - T1546.010: AppInit DLLs - + T1546.008: Accessibility Features + T1546.002: Screensaver @@ -354,6 +354,10 @@ permalink: /analytics/by_technique T1547: Boot or Logon Autostart Execution + + T1547.004: Winlogon Helper DLL + + T1547.001: Registry Run Keys / Startup Folder @@ -362,10 +366,6 @@ permalink: /analytics/by_technique T1547.010: Port Monitors - - T1547.004: Winlogon Helper DLL - - T1548: Abuse Elevation Control Mechanism (N/A - technique only) @@ -429,14 +429,14 @@ permalink: /analytics/by_technique T1569: System Services - - T1569.001: Launchctl - - T1569.002: Service Execution + + T1569.001: Launchctl + + T1570: Lateral Tool Transfer (N/A - technique only) 
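Review bot: the docs/analytics/by_technique/index.md hunks and the car_attack.json hunk that follows are almost entirely reordering with unchanged content (T1003.003/T1003.001, the T1021.* sub-techniques, T1218.*, T1546.*, T1547.*, T1569.* and T1574.* swap places, and the JSON `techniques` array is rewritten from a T1003-first to a T1053-first order with identical `comment` strings), which points to the generator emitting entries in hash or set order. Sort techniques and sub-techniques by ID in the generator so that regenerating the site yields an empty diff; as it stands a reviewer cannot see what actually changed here. Two things to confirm before merging: in the `T1003` block `T1003.001: LSASS Memory` is removed and `T1003.002: Security Account Manager` added, although the JSON context still maps five analytics (Suspicious Arguments, Mimikatz, Procdump, Task Manager, Create Remote Thread into LSASS) to T1003.001; and in the visible part of the JSON hunk the `T1548` entry (UAC Bypass, Disable UAC, Get System Elevation) is removed with no matching `+` block while by_technique still lists `T1548: Abuse Elevation Control Mechanism`. Both should reappear later in the hunks; if they do not, analytics are being silently unmapped.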
@@ -446,16 +446,20 @@ permalink: /analytics/by_technique T1574: Hijack Execution Flow - T1574.010: Services File Permissions Weakness - + T1574.009: Path Interception by Unquoted Path + + + + T1574.011: Services Registry Permissions Weakness + T1574.001: DLL Search Order Hijacking - T1574.011: Services Registry Permissions Weakness - + T1574.010: Services File Permissions Weakness + T1574.007: Path Interception by PATH Environment Variable @@ -465,10 +469,6 @@ permalink: /analytics/by_technique T1574.008: Path Interception by Search Order Hijacking - - T1574.009: Path Interception by Unquoted Path - - T1606: Forge Web Credentials T1606.002: SAML Tokens diff --git a/docs/car_attack/car_attack.json b/docs/car_attack/car_attack.json index 02432b5c..a2dee028 100644 --- a/docs/car_attack/car_attack.json +++ b/docs/car_attack/car_attack.json 
@@ -5,682 +5,701 @@ "domain": "mitre-enterprise", "techniques": [ { - "techniqueID": "T1003", + "techniqueID": "T1053", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1003.003", + "techniqueID": "T1053.005", "color": "#c6dbef", - "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true }, { - "techniqueID": "T1003.001", + "techniqueID": "T1087", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager 
| CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1087.001", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true }, { - "techniqueID": "T1021", + "techniqueID": "T1087.002", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true }, { - "techniqueID": "T1105", + "techniqueID": "T1069", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1559", + "techniqueID": "T1069.001", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick 
execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "enabled": true }, { - "techniqueID": "T1559.002", + "techniqueID": "T1069.002", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true }, { - "techniqueID": "T1606", + "techniqueID": "T1016", "color": "#c6dbef", - "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1606.002", + "techniqueID": "T1082", "color": "#c6dbef", - "comment": "CAR-2021-05-008: Certutil exe certificate extraction", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1187", + "techniqueID": "T1033", "color": "#c6dbef", - "comment": "CAR-2013-09-003: SMB Session Setups", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1053", + "techniqueID": "T1057", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious 
Scripts, Extensions or User Writable Paths", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1053.005", + "techniqueID": "T1007", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1070", + "techniqueID": "T1546", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1070.003", + "techniqueID": "T1546.010", "color": "#c6dbef", - "comment": "CAR-2020-11-005: Clear Powershell Console Command History", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", "enabled": true }, { - "techniqueID": "T1218", + "techniqueID": "T1574", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | 
CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1218.010", + "techniqueID": "T1574.009", "color": "#c6dbef", - "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: Service Search Path Interception", "enabled": true }, { - "techniqueID": "T1053.002", + "techniqueID": "T1547", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1547.004", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", "enabled": true }, { - "techniqueID": "T1047", + "techniqueID": "T1112", "color": "#c6dbef", - "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from 
Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1197", + "techniqueID": "T1105", "color": "#c6dbef", - "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1546", + "techniqueID": "T1059", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1546.008", + "techniqueID": "T1059.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", + "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", 
"enabled": true }, { - "techniqueID": "T1218.001", + "techniqueID": "T1047", "color": "#c6dbef", - "comment": "CAR-2020-11-009: Compiled HTML Access", - "enabled": true + "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1021.001", + "techniqueID": "T1040", "color": "#c6dbef", - "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2016-04-005: Remote Desktop Logon", - "enabled": true + "comment": "CAR-2020-11-002: Local Network Sniffing", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1059", + "techniqueID": "T1012", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", + "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1059.003", + "techniqueID": "T1547.001", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true }, { - "techniqueID": "T1569", + "techniqueID": "T1574.011", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | 
CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "enabled": true }, { - "techniqueID": "T1569.001", + "techniqueID": "T1562", "color": "#c6dbef", - "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1569.002", + "techniqueID": "T1562.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", "enabled": true }, { - "techniqueID": "T1570", + "techniqueID": "T1187", "color": "#c6dbef", - "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", + "comment": "CAR-2013-09-003: SMB Session Setups", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1543", + "techniqueID": "T1036", "color": "#c6dbef", - "comment": 
"CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1543.003", + "techniqueID": "T1036.003", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "comment": "CAR-2013-05-009: Running executables with same hash and different names", "enabled": true }, { - "techniqueID": "T1574", + "techniqueID": "T1562.006", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", + "enabled": true }, { - "techniqueID": "T1574.010", + "techniqueID": "T1490", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary Modifications", - "enabled": true + "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion 
or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1127", + "techniqueID": "T1204", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1127.001", + "techniqueID": "T1204.002", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true }, { - "techniqueID": "T1078", + "techniqueID": "T1543", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1078.002", + "techniqueID": "T1543.003", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", "enabled": true }, { - "techniqueID": "T1078.003", + "techniqueID": "T1574.001", "color": 
"#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "enabled": true }, { - "techniqueID": "T1550", + "techniqueID": "T1553", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1550.002", + "techniqueID": "T1553.004", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true }, { - "techniqueID": "T1548", - "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1021.002", + "techniqueID": "T1059.003", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", "enabled": true }, { - "techniqueID": "T1574.001", + "techniqueID": "T1003", "color": "#c6dbef", - "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump 
| CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1112", + "techniqueID": "T1003.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", + "enabled": true }, { - "techniqueID": "T1055", + "techniqueID": "T1021", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", "enabled": true, "showSubtechniques": true }, { - 
"techniqueID": "T1055.012", + "techniqueID": "T1021.006", "color": "#c6dbef", - "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", "enabled": true }, { - "techniqueID": "T1140", + "techniqueID": "T1570", "color": "#c6dbef", - "comment": "CAR-2021-05-009: CertUtil With Decode Argument", + "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562", + "techniqueID": "T1078", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562.001", + "techniqueID": "T1078.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true }, { - "techniqueID": "T1036", + "techniqueID": "T1078.003", "color": "#c6dbef", - 
"comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "enabled": true }, { - "techniqueID": "T1036.003", - "color": "#c6dbef", - "comment": "CAR-2013-05-009: Running executables with same hash and different names", - "enabled": true - }, - { - "techniqueID": "T1021.003", - "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity", - "enabled": true - }, - { - "techniqueID": "T1021.006", + "techniqueID": "T1053.002", "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", "enabled": true }, { - "techniqueID": "T1087", + "techniqueID": "T1564", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1087.001", + "techniqueID": "T1564.004", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", "enabled": true }, { - 
"techniqueID": "T1087.002", + "techniqueID": "T1546.015", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2020-09-002: Component Object Model Hijacking", "enabled": true }, { - "techniqueID": "T1003.002", + "techniqueID": "T1021.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1069", + "techniqueID": "T1505", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1069.001", + "techniqueID": "T1505.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", "enabled": true }, { - "techniqueID": "T1069.002", + "techniqueID": "T1574.010", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary Modifications", "enabled": true }, { - "techniqueID": "T1057", + "techniqueID": "T1569", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery 
Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1574.011", + "techniqueID": "T1569.002", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true }, { - "techniqueID": "T1018", + "techniqueID": "T1070", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1029", + "techniqueID": "T1070.005", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2020-11-007: Network Share Connection Removal", + "enabled": true }, { - "techniqueID": "T1033", + "techniqueID": "T1218", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | 
CAR-2020-11-010: CMSTP", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1007", + "techniqueID": "T1218.011", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", + "enabled": true }, { - "techniqueID": "T1082", + "techniqueID": "T1037", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1049", + "techniqueID": "T1037.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "enabled": true }, { - "techniqueID": "T1016", + "techniqueID": "T1140", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2021-05-009: CertUtil With Decode Argument", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1010", + "techniqueID": "T1003.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", + "enabled": true }, { - "techniqueID": "T1518", + "techniqueID": "T1055", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection 
with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1518.001", + "techniqueID": "T1055.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", "enabled": true }, { - "techniqueID": "T1046", + "techniqueID": "T1560", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562.006", + "techniqueID": "T1560.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true }, { - "techniqueID": "T1098", + "techniqueID": "T1559", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1059.005", + "techniqueID": "T1559.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", "enabled": true }, { - "techniqueID": "T1012", + "techniqueID": "T1547.010", "color": "#c6dbef", - "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences", + "enabled": true }, { 
- "techniqueID": "T1204", + "techniqueID": "T1574.007", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences", + "enabled": true }, { - "techniqueID": "T1204.002", + "techniqueID": "T1574.008", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1218.011", + "techniqueID": "T1546.001", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1055.001", + "techniqueID": "T1546.003", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1040", + "techniqueID": "T1546.008", "color": "#c6dbef", - "comment": "CAR-2020-11-002: Local Network Sniffing", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", + "enabled": true }, { - "techniqueID": "T1222", + "techniqueID": "T1218.003", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2020-11-010: CMSTP", + "enabled": true }, { - "techniqueID": "T1222.001", + "techniqueID": "T1569.001", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", + "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true }, { - "techniqueID": "T1222.002", + "techniqueID": "T1546.002", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", + "comment": "CAR-2020-11-011: Registry Edit from 
Screensaver", "enabled": true }, { - "techniqueID": "T1547", + "techniqueID": "T1021.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2016-04-005: Remote Desktop Logon", + "enabled": true + }, + { + "techniqueID": "T1548", + "color": "#c6dbef", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1547.001", + "techniqueID": "T1548.002", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", "enabled": true }, { - "techniqueID": "T1070.001", + "techniqueID": "T1197", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", - "enabled": true + "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1059.001", + "techniqueID": "T1218.010", "color": "#c6dbef", - "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", + "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", "enabled": true }, { - 
"techniqueID": "T1490", + "techniqueID": "T1068", "color": "#c6dbef", - "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", + "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1564", + "techniqueID": "T1039", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "comment": "CAR-2013-01-003: SMB Events Monitoring", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1564.004", + "techniqueID": "T1003.002", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1546.015", + "techniqueID": "T1018", "color": "#c6dbef", - "comment": "CAR-2020-09-002: Component Object Model Hijacking", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1547.010", + "techniqueID": "T1029", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1547.004", + "techniqueID": "T1049", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.007", + "techniqueID": 
"T1010", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.008", + "techniqueID": "T1518", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.009", + "techniqueID": "T1518.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: Service Search Path Interception", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1546.001", + "techniqueID": "T1046", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1098", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1059.005", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1546.003", + "techniqueID": "T1021.003", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1546.010", + "techniqueID": "T1036.005", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", + "comment": "CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true }, { - "techniqueID": "T1037", + "techniqueID": "T1222", "color": 
"#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1037.001", + "techniqueID": "T1222.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true }, { - "techniqueID": "T1560", + "techniqueID": "T1222.002", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2019-07-001: Access Permission Modification", + "enabled": true }, { - "techniqueID": "T1560.001", + "techniqueID": "T1055.012", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", + "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "enabled": true + }, + { + "techniqueID": "T1070.003", + "color": "#c6dbef", + "comment": "CAR-2020-11-005: Clear Powershell Console Command History", "enabled": true }, { 
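Review bot: Almost every `-`/`+` pair in this hunk is the same entry moving to a different position in the `techniques` array rather than a content change, which makes the substantive edits nearly impossible to review; for example `"techniqueID": "T1548"` with its four-analytic comment is deleted near the top of the hunk and re-added verbatim further down, `T1036.003` is removed in one place and added in another, and `T1021.003` / `T1021.006` likewise. Whatever generates this layer should emit the array in a stable order (sorted by `techniqueID`, with sub-techniques after their parent) so a regeneration produces a diff that only contains real changes. As it stands the only entry that clearly appears as new `+` lines rather than a move is `"techniqueID": "T1070.003"` with `"comment": "CAR-2020-11-005: Clear Powershell Console Command History"`; the entries that show up only as `-` lines here (for instance `T1547`, `T1574`, `T1112`, `T1012`, `T1040`, `T1059.001` and the `T1087`/`T1069` discovery family) should be confirmed as re-added elsewhere in the file before merging, since if they are genuinely dropped the layer silently loses coverage for those techniques while the analytics referenced in their comments still exist.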
@@ -690,67 +709,61 @@ "enabled": true }, { - "techniqueID": "T1039", + "techniqueID": "T1136", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1553", + "techniqueID": "T1136.001", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "enabled": true }, { - "techniqueID": "T1553.004", + "techniqueID": "T1606", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", - "enabled": true + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1036.005", + "techniqueID": "T1606.002", "color": "#c6dbef", - "comment": "CAR-2021-04-001: Common Windows Process Masquerading", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", "enabled": true }, { - "techniqueID": "T1546.002", + "techniqueID": "T1550", "color": "#c6dbef", - "comment": "CAR-2020-11-011: Registry Edit from Screensaver", - "enabled": true + "comment": "CAR-2016-04-004: Successful Local Account Login", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1070.005", + "techniqueID": "T1550.002", "color": "#c6dbef", - "comment": "CAR-2020-11-007: Network Share Connection Removal", + "comment": "CAR-2016-04-004: Successful Local Account Login", "enabled": true }, { - "techniqueID": "T1068", + "techniqueID": "T1070.001", "color": "#c6dbef", - "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "enabled": true }, { - 
"techniqueID": "T1136", + "techniqueID": "T1127", "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1136.001", - "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", - "enabled": true - }, - { - "techniqueID": "T1548.002", + "techniqueID": "T1127.001", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true }, { @@ -773,22 +786,9 @@ "enabled": true }, { - "techniqueID": "T1505", - "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1505.003", - "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", - "enabled": true - }, - { - "techniqueID": "T1218.003", + "techniqueID": "T1218.001", "color": "#c6dbef", - "comment": "CAR-2020-11-010: CMSTP", + "comment": "CAR-2020-11-009: Compiled HTML Access", "enabled": true } ] diff --git a/docs/data/analytics.json b/docs/data/analytics.json index 2ee43fdb..341dd409 100644 --- a/docs/data/analytics.json +++ b/docs/data/analytics.json 
@@ -1 +1 @@ -{"analytics": [{"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": 
"Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], 
"technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": 
["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": 
"Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": 
"Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", 
"coverage": "Low"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential 
Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System 
Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": 
["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": 
["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Common Windows 
Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": 
"Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": 
"Technique/T1552", "coverage": "Low"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, 
{"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": 
["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}]} \ No newline at end of file +{"analytics": [{"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": 
"Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": 
"CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": 
"Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, 
{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": 
[{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": 
["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": 
["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": 
["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Detecting Shadow Copy Deletion 
or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense 
Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": 
["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", 
"coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command 
History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": 
"Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": 
[{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}]} \ No newline at end of file diff --git a/docs/sensors/auditd_2.8.md b/docs/sensors/auditd_2.8.md index de2e70bd..f82c2af1 100644 --- a/docs/sensors/auditd_2.8.md +++ b/docs/sensors/auditd_2.8.md 
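Review bot: the `coverage` vocabulary in the analytics index JSON ending above is inconsistent: most entries use `Low`/`Moderate`/`High`, but several use `Medium` (CAR-2021-01-007, CAR-2021-11-001, CAR-2021-12-002, CAR-2013-07-002, CAR-2021-01-008, CAR-2021-12-001), and a few entries carry an empty `attack` array (CAR-2020-04-001, CAR-2015-07-001) or an empty `fields` array. Anything that filters or charts this file by coverage level will treat `Medium` and `Moderate` as separate buckets, so normalise to the term the majority of entries already use (`Moderate`), and either add the missing ATT&CK mapping to the entries with an empty `attack` array or state why they have none.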
@@ -15,17 +15,13 @@ auditd is the userspace component to the Linux Auditing System. It's responsible ## Data Model Coverage -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [driver](../data_model/driver) 
@@ -42,13 +38,17 @@ auditd is the userspace component to the Linux Auditing System. It's responsible | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| 
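Review bot: this hunk and the preceding `@@ -15,17 +15,13 @@` hunk change no coverage data in auditd_2.8.md; they only swap the positions of the `### [file]` and `### [process]` sections, and every table row removed in one hunk reappears unchanged in the other. If these sensor pages are regenerated from the data model, the generator should emit sections in a deterministic order (for example sorted by data model name) so that a regeneration does not produce large no-op diffs that hide real coverage changes; if the new order is intentional, the commit message should say why.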
diff --git a/docs/sensors/index.md b/docs/sensors/index.md old mode 100755 new mode 100644 diff --git a/docs/sensors/osquery_4.1.2.md b/docs/sensors/osquery_4.1.2.md old mode 100755 new mode 100644 index 9c5d21f5..17e2e2d5 --- a/docs/sensors/osquery_4.1.2.md +++ b/docs/sensors/osquery_4.1.2.md 
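Review bot: the `old mode 100755` to `new mode 100644` changes on docs/sensors/index.md and docs/sensors/osquery_4.1.2.md (and the same change on the osquery_4.6.0.md and sysmon_10.4.md headers further down) are the right direction, since markdown pages should not carry the executable bit, but they are unrelated to the coverage-table regeneration and index.md receives nothing else; a separate permissions-only commit would keep this patch reviewable and make the intent explicit.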
@@ -14,17 +14,13 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [driver](../data_model/driver) 
@@ -41,13 +37,17 @@ osquery exposes an operating system as a high-performance relational database. T | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| 
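Review bot: these two hunks for osquery_4.1.2.md are again a pure reorder, the `### [file]` and `### [process]` sections trade places with byte-identical tables (for example the `process` `create` row `| | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓|` is removed in the second hunk and added in the first). Treat it together with the auditd change: fix the section ordering in the generator rather than committing the churn.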
diff --git a/docs/sensors/osquery_4.6.0.md b/docs/sensors/osquery_4.6.0.md old mode 100755 new mode 100644 index 7efe527e..878a4c27 --- a/docs/sensors/osquery_4.6.0.md +++ b/docs/sensors/osquery_4.6.0.md 
@@ -14,17 +14,13 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓|✓|✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | |✓| | +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [driver](../data_model/driver) 
@@ -41,13 +37,17 @@ osquery exposes an operating system as a high-performance relational database. T | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓|✓|✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | |✓| | -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| 
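Review bot: both hunks in osquery_4.6.0.md only move the `file` and `process` sections (the table rows on the `-` and `+` sides are identical), so whichever script writes docs/sensors/*.md is emitting data-model sections in the order its input collection happens to yield them; sort the sections deterministically (by model name, for instance) so a rerun does not produce churn like this with no content change. The `old mode 100755` / `new mode 100644` change is fine for generated markdown, but please confirm the generator now writes files with the default mode rather than this being a local umask artifact, since sysmon_13.md below was already 100644.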
diff --git a/docs/sensors/sysmon_10.4.md b/docs/sensors/sysmon_10.4.md old mode 100755 new mode 100644 index 0bbcec26..7ad43bc1 --- a/docs/sensors/sysmon_10.4.md +++ b/docs/sensors/sysmon_10.4.md @@ -14,14 +14,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [thread](../data_model/thread) +### [process](../data_model/process) -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | ### [registry](../data_model/registry) 
@@ -32,18 +31,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | | | | | | | | | | | | -### [file](../data_model/file) - -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | 
@@ -51,6 +38,22 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| | |✓|✓| |✓| | `unload` | | | | | | | | | | | | +### [module](../data_model/module) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | +|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | +| `unload` | | | | | | | | | | | | | | + +### [thread](../data_model/thread) + +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -59,13 +62,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | |✓|✓|✓| | | | |✓| | | | |✓| | | |✓|✓|✓|✓| | | |✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | 
diff --git a/docs/sensors/sysmon_11.0.md b/docs/sensors/sysmon_11.0.md old mode 100755 new mode 100644 index bf5db123..41c5e2ea --- a/docs/sensors/sysmon_11.0.md +++ b/docs/sensors/sysmon_11.0.md @@ -14,14 +14,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [thread](../data_model/thread) +### [process](../data_model/process) -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | |✓| | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | ### [registry](../data_model/registry) 
@@ -32,18 +31,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | | | | | | | | | | | | -### [file](../data_model/file) - -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓| -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | 
@@ -51,6 +38,22 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| | |✓|✓| |✓| | `unload` | | | | | | | | | | | | +### [module](../data_model/module) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | +|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | +| `unload` | | | | | | | | | | | | | | + +### [thread](../data_model/thread) + +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -59,13 +62,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | | |✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | |✓| | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓| +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | 
diff --git a/docs/sensors/sysmon_13.md b/docs/sensors/sysmon_13.md index 40ed48d5..2c091e37 100644 --- a/docs/sensors/sysmon_13.md +++ b/docs/sensors/sysmon_13.md @@ -14,14 +14,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [thread](../data_model/thread) +### [process](../data_model/process) -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓| |✓|✓| | | | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | ### [registry](../data_model/registry) 
@@ -32,18 +31,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| -### [file](../data_model/file) - -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓| -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | 
@@ -51,6 +38,22 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| | |✓|✓|✓|✓| | `unload` | | | | | | | | | | | | +### [module](../data_model/module) + +| | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `module_path` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `tid` | +|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `load` | |✓| |✓|✓| |✓|✓|✓| |✓|✓|✓| +| `unload` | | | | | | | | | | | | | | + +### [thread](../data_model/thread) + +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
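Review bot: in the new `module` table here, the `load` row leaves `sha256_hash` blank while marking `signature_valid`, `signer` and `tid`; the same row in sysmon_10.4.md and sysmon_11.0.md marks `sha256_hash`, and the `driver` `load` row immediately above in this file marks it too. It is unlikely that a later Sysmon build stopped hashing loaded images, so this looks like an off-by-one in the Sysmon 13 coverage data rather than a real gap; please check the source mapping before merging, since a missing hash column is exactly what someone sizing up this sensor for detection work will look at first.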
@@ -59,13 +62,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | |✓|✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓| |✓|✓| | | | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓| +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | 
From 581658f5271a788238e3fb41b7940dba089eee40 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 27 Feb 2023 11:51:59 -0500 Subject: [PATCH 73/82] added generate_datamodels to the workflow Signed-off-by: Amndeep Singh Mann --- .github/workflows/regenerate-docs.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/regenerate-docs.yml b/.github/workflows/regenerate-docs.yml index 55b99e75..70e1b95b 100644 --- a/.github/workflows/regenerate-docs.yml +++ b/.github/workflows/regenerate-docs.yml @@ -29,6 +29,9 @@ jobs: cache: 'pip' - name: Install script dependencies run: pip install -r ./scripts/requirements.txt + - name: Regenerate datamodels + working-directory: ./scripts + run: python generate_datamodels.py - name: Regenerate analytics working-directory: ./scripts run: python generate_analytics.py From 2e5f4564faf15e1c2387da6cce744032abcd60e8 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 27 Feb 2023 11:56:01 -0500 Subject: [PATCH 74/82] added coverage field to datamodel schema Signed-off-by: Amndeep Singh Mann --- scripts/datamodel_schema.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/datamodel_schema.yaml b/scripts/datamodel_schema.yaml index bf9c1aa7..d0e5985b 100644 --- a/scripts/datamodel_schema.yaml +++ b/scripts/datamodel_schema.yaml @@ -3,6 +3,7 @@ name: str() description: str() actions: list(include('action')) fields: list(include('field')) +coverage: map(map(str(), key=str()), key=str(), required=False) --- action: name: str() From 7abef661f7c6992464c57af5eaf0ce68df5aa406 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 27 Feb 2023 11:58:57 -0500 Subject: [PATCH 75/82] reran generate analytics - just seem to have changed the order for some of them Signed-off-by: Amndeep Singh Mann --- docs/analytics/by_technique/index.md | 100 +++++++++++++-------------- docs/data/analytics.json | 2 +- 2 files changed, 51 insertions(+), 51 deletions(-) 
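Review bot: in the regenerate-docs.yml hunk, the new `Regenerate datamodels` step runs before `Regenerate analytics`, which is the right order if the analytics output resolves its `process/create/command_line`-style field references against the data models, but nothing in the workflow records that dependency; a short comment on the step saying the data-model output must exist first would stop someone from reordering the steps later. The step otherwise mirrors the existing one (same `working-directory`, same invocation), so nothing else to flag.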
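Review bot: in the datamodel_schema.yaml hunk, `coverage: map(map(str(), key=str()), key=str(), required=False)` accepts arbitrary string keys at both levels, so a mistyped action or field name will validate cleanly and simply vanish from the generated coverage tables. The schema alone cannot cross-reference these keys against the `actions` and `fields` lists declared in the same document, so add a comment above the line documenting the intended shape of the two levels, and have generate_datamodels.py check that every key matches a declared action or field and fail loudly on anything unknown.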
diff --git a/docs/analytics/by_technique/index.md b/docs/analytics/by_technique/index.md index 08777978..e1445b68 100644 --- a/docs/analytics/by_technique/index.md +++ b/docs/analytics/by_technique/index.md @@ -16,14 +16,14 @@ permalink: /analytics/by_technique T1003: OS Credential Dumping - - T1003.001: LSASS Memory - - T1003.003: NTDS + + T1003.001: LSASS Memory + + T1003.002: Security Account Manager @@ -59,21 +59,21 @@ permalink: /analytics/by_technique - T1021.006: Windows Remote Management - + T1021.001: Remote Desktop Protocol + T1021.002: SMB/Windows Admin Shares - - T1021.001: Remote Desktop Protocol - - T1021.003: Distributed Component Object Model + + T1021.006: Windows Remote Management + + T1029: Scheduled Transfer (N/A - technique only) @@ -141,14 +141,14 @@ permalink: /analytics/by_technique T1055: Process Injection - - T1055.001: Dynamic-link Library Injection - - T1055.012: Process Hollowing + + T1055.001: Dynamic-link Library Injection + + T1057: Process Discovery (N/A - technique only) @@ -159,10 +159,6 @@ permalink: /analytics/by_technique (N/A - technique only) - - T1059.001: PowerShell - - T1059.003: Windows Command Shell @@ -171,6 +167,10 @@ permalink: /analytics/by_technique T1059.005: Visual Basic + + T1059.001: PowerShell + + T1068: Exploitation for Privilege Escalation (N/A - technique only) @@ -190,10 +190,6 @@ permalink: /analytics/by_technique T1070: Indicator Removal - - T1070.005: Network Share Connection Removal - - T1070.003: Clear Command History @@ -202,6 +198,10 @@ permalink: /analytics/by_technique T1070.001: Clear Windows Event Logs + + T1070.005: Network Share Connection Removal + + T1078: Valid Accounts @@ -277,14 +277,6 @@ permalink: /analytics/by_technique T1218: System Binary Proxy Execution - - T1218.011: Rundll32 - - - - T1218.003: CMSTP - - T1218.010: Regsvr32 
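Review bot: these index.md hunks are pure reordering of sub-technique entries, and the new order is not sorted either (`T1059.001: PowerShell` now follows `T1059.005: Visual Basic`, `T1070.005: Network Share Connection Removal` now follows `T1070.001: Clear Windows Event Logs`), which means generate_analytics.py renders sub-techniques in set or dict iteration order. Sort them by technique ID before rendering; that turns a 100-line churn diff into no diff at all on the next rerun and gives readers a predictable page order.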
@@ -293,6 +285,14 @@ permalink: /analytics/by_technique T1218.001: Compiled HTML File + + T1218.011: Rundll32 + + + + T1218.003: CMSTP + + T1222: File and Directory Permissions Modification @@ -328,8 +328,8 @@ permalink: /analytics/by_technique T1546: Event Triggered Execution - T1546.010: AppInit DLLs - + T1546.008: Accessibility Features + T1546.015: Component Object Model Hijacking @@ -344,8 +344,8 @@ permalink: /analytics/by_technique - T1546.008: Accessibility Features - + T1546.010: AppInit DLLs + T1546.002: Screensaver @@ -354,10 +354,6 @@ permalink: /analytics/by_technique T1547: Boot or Logon Autostart Execution - - T1547.004: Winlogon Helper DLL - - T1547.001: Registry Run Keys / Startup Folder @@ -366,6 +362,10 @@ permalink: /analytics/by_technique T1547.010: Port Monitors + + T1547.004: Winlogon Helper DLL + + T1548: Abuse Elevation Control Mechanism (N/A - technique only) @@ -429,14 +429,14 @@ permalink: /analytics/by_technique T1569: System Services - - T1569.002: Service Execution - - T1569.001: Launchctl + + T1569.002: Service Execution + + T1570: Lateral Tool Transfer (N/A - technique only) @@ -446,20 +446,16 @@ permalink: /analytics/by_technique T1574: Hijack Execution Flow - T1574.009: Path Interception by Unquoted Path - - - - T1574.011: Services Registry Permissions Weakness - + T1574.010: Services File Permissions Weakness + T1574.001: DLL Search Order Hijacking - T1574.010: Services File Permissions Weakness - + T1574.011: Services Registry Permissions Weakness + T1574.007: Path Interception by PATH Environment Variable @@ -469,6 +465,10 @@ permalink: /analytics/by_technique T1574.008: Path Interception by Search Order Hijacking + + T1574.009: Path Interception by Unquoted Path + + T1606: Forge Web Credentials T1606.002: SAML Tokens diff --git a/docs/data/analytics.json b/docs/data/analytics.json index 341dd409..2ee43fdb 100644 --- a/docs/data/analytics.json +++ b/docs/data/analytics.json 
@@ -1 +1 @@ -{"analytics": [{"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Local Permission Group 
Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", 
"process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", 
"process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": 
"CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and 
Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": 
"Technique/T1574", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": 
[], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], 
"technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", 
"coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", 
"fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of 
suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", 
"coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": 
"Technique/T1070", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Remote Desktop 
Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": 
"CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}]} \ No newline at end of file +{"analytics": [{"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", 
"fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": 
"Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": 
["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": 
"CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": 
"Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "User Activity 
from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, 
{"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": 
["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", 
"fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, 
{"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", 
"process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", 
"coverage": "Low"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Credentials in 
Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": 
["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], 
"attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}]} \ No newline at end of file From 292d191e48ae30947e49b7433385d55948ab1b35 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 27 Feb 2023 12:04:16 -0500 Subject: [PATCH 76/82] reran generate sensors - seems to put the data model coverage section in a different order than live Signed-off-by: Amndeep Singh Mann --- docs/sensors/auditd_2.8.md | 32 +++++++++++----------- docs/sensors/osquery_4.1.2.md | 32 +++++++++++----------- docs/sensors/osquery_4.6.0.md | 32 +++++++++++----------- docs/sensors/sysmon_10.4.md | 50 +++++++++++++++++------------------ docs/sensors/sysmon_11.0.md | 50 +++++++++++++++++------------------ docs/sensors/sysmon_13.md | 50 +++++++++++++++++------------------ 6 files changed, 123 insertions(+), 123 deletions(-) diff --git a/docs/sensors/auditd_2.8.md b/docs/sensors/auditd_2.8.md index f82c2af1..de2e70bd 100644 --- a/docs/sensors/auditd_2.8.md +++ b/docs/sensors/auditd_2.8.md 
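Review bot: the coverage values in the analytics JSON above mix "Medium" (CAR-2021-01-007, CAR-2021-12-002, CAR-2021-12-001, CAR-2021-01-008, CAR-2021-11-002, CAR-2013-07-002) with "Moderate" on every other entry; anything that filters or sorts on coverage will treat these as two distinct levels, so normalize to one spelling when the file is generated. Two smaller consistency points in the same data: "Autorun Differences" (CAR-2013-01-002) tags T1112 with ["Persistence", "Execution"] while every other entry that cites T1112 (CAR-2014-11-005, CAR-2021-12-002, CAR-2013-03-001, CAR-2020-05-003) tags it "Defense Evasion", and "Create Remote Thread into LSASS" (CAR-2021-05-011) lists "thread/remote_create" as a two-part field path where all other entries use object/action/field. Several entries also carry "fields": [] (for example CAR-2016-04-003, CAR-2019-07-001, CAR-2013-02-012, CAR-2019-04-004, CAR-2013-01-002, CAR-2020-05-003); if those analytics do reference data-model fields, the extraction that fills this array is missing them and sensor coverage for them will read as zero.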
@@ -15,13 +15,17 @@ auditd is the userspace component to the Linux Auditing System. It's responsible ## Data Model Coverage -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| ### [driver](../data_model/driver) 
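Review bot: this reorder is generator nondeterminism rather than a content change: the `file` table moved to the top of the section is byte-identical to the one removed further down, and the same holds for `process`, which matches the commit message's observation that the generator orders sections differently from the live site. Sort the data-model objects (for example alphabetically by object name) before emitting the `### [...]` headings so that rerunning the generator yields a stable order and future diffs show only real coverage changes.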
@@ -38,17 +42,13 @@ auditd is the userspace component to the Linux Auditing System. It's responsible | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 
diff --git a/docs/sensors/osquery_4.1.2.md b/docs/sensors/osquery_4.1.2.md index 17e2e2d5..9c5d21f5 100644 --- a/docs/sensors/osquery_4.1.2.md +++ b/docs/sensors/osquery_4.1.2.md 
@@ -14,13 +14,17 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| ### [driver](../data_model/driver) 
@@ -37,17 +41,13 @@ osquery exposes an operating system as a high-performance relational database. T | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 
diff --git a/docs/sensors/osquery_4.6.0.md b/docs/sensors/osquery_4.6.0.md index 878a4c27..7efe527e 100644 --- a/docs/sensors/osquery_4.6.0.md +++ b/docs/sensors/osquery_4.6.0.md 
@@ -14,13 +14,17 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓|✓|✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | |✓| | -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| ### [driver](../data_model/driver) 
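Review bot: in the `file` table for osquery 4.6.0, the `create` and `delete` rows tick both `uid` and `user`, while `modify`, `timestomp` and `write` tick only `user`; the 4.1.2 table above ticks only `user` on every row. The five rows otherwise tick the same columns, so confirm whether the `uid` asymmetry is intended in the 4.6.0 sensor mapping or a copy error in the `modify`/`timestomp`/`write` rows.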
@@ -37,17 +41,13 @@ osquery exposes an operating system as a high-performance relational database. T | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓|✓|✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | |✓| | +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 
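Review bot: the `process` `create` row for osquery 4.6.0 ticks `env_vars` and `uid` but not `user`, whereas the 4.1.2 table above ticks `user` but not `uid`. If that reflects a real change in the columns osquery exposes between the two versions it is fine, but if both versions expose the same process columns then one of the two mappings is wrong; either way the sensor page should say which, since analytics that key on `process/create/user` will report different coverage per version.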
diff --git a/docs/sensors/sysmon_10.4.md b/docs/sensors/sysmon_10.4.md index 7ad43bc1..26a6a06c 100644 --- a/docs/sensors/sysmon_10.4.md +++ b/docs/sensors/sysmon_10.4.md @@ -14,13 +14,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [process](../data_model/process) +### [thread](../data_model/thread) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | ### [registry](../data_model/registry) 
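Review bot: the Sysmon page comes out in a different section order (thread, registry, file, driver, flow, process) than the osquery page in the same patch (file, driver, ..., process), and neither matches its previous order, so whatever decides section order is stable neither across sensors nor across runs. Emit the sections from a fixed list, or sorted by object name, so the order does not depend on how the coverage data happens to be loaded.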
@@ -31,6 +32,18 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | | | | | | | | | | | | +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | + ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | 
@@ -45,15 +58,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | | `unload` | | | | | | | | | | | | | | -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -62,17 +66,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | |✓|✓|✓| | | | |✓| | | | |✓| | | |✓|✓|✓|✓| | | |✓| -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | 
diff --git a/docs/sensors/sysmon_11.0.md b/docs/sensors/sysmon_11.0.md index 41c5e2ea..afed68dd 100644 --- a/docs/sensors/sysmon_11.0.md +++ b/docs/sensors/sysmon_11.0.md @@ -14,13 +14,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [process](../data_model/process) +### [thread](../data_model/thread) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | |✓| | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | ### [registry](../data_model/registry) 
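Review bot: this reshuffle has exactly the same shape as the sysmon_10.4 and sysmon_13 hunks (thread to the top, file inserted after registry, thread removed after driver, process to the bottom, no cell changes), so the ordering comes from the shared generator code rather than from per-sensor data; one fix in the generator covers every sensor page instead of committing regenerated churn per file.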
@@ -31,6 +32,18 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | | | | | | | | | | | | +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓| +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | + ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | 
@@ -45,15 +58,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | | `unload` | | | | | | | | | | | | | | -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -62,17 +66,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | | |✓| -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓| -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | |✓| | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | 
diff --git a/docs/sensors/sysmon_13.md b/docs/sensors/sysmon_13.md index 2c091e37..f1ac7958 100644 --- a/docs/sensors/sysmon_13.md +++ b/docs/sensors/sysmon_13.md @@ -14,13 +14,14 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [process](../data_model/process) +### [thread](../data_model/thread) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓| |✓|✓| | | | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | ### [registry](../data_model/registry) 
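Review bot: the diff alignment hides whether any check mark actually moved, so verify before merging that only section order changed; with the pre-change revision at `HEAD~1`, `diff <(git show HEAD~1:docs/sensors/sysmon_13.md | sort) <(sort docs/sensors/sysmon_13.md)` should print nothing, and the same one-liner applies to the other three sensor pages in this patch.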
@@ -31,6 +32,18 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| +### [file](../data_model/file) + +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓| +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | + ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | 
@@ -45,15 +58,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| |✓|✓|✓| |✓|✓|✓| | `unload` | | | | | | | | | | | | | | -### [thread](../data_model/thread) - -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | - ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -62,17 +66,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | |✓|✓| -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓| -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓| |✓|✓| | | | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | 
From 1ac88dcdaa2dd4af5f20c2739715940494d46082 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 27 Feb 2023 12:05:25 -0500 Subject: [PATCH 77/82] reran generate nav layer - seems to be a reordering Signed-off-by: Amndeep Singh Mann --- docs/car_attack/car_attack.json | 630 ++++++++++++++++---------------- 1 file changed, 315 insertions(+), 315 deletions(-) diff --git a/docs/car_attack/car_attack.json b/docs/car_attack/car_attack.json index a2dee028..02432b5c 100644 --- a/docs/car_attack/car_attack.json +++ b/docs/car_attack/car_attack.json 
@@ -5,155 +5,114 @@ "domain": "mitre-enterprise", "techniques": [ { - "techniqueID": "T1053", - "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1053.005", - "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", - "enabled": true - }, - { - "techniqueID": "T1087", + "techniqueID": "T1003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1087.001", + "techniqueID": "T1003.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host 
Discovery Commands", + "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", "enabled": true }, { - "techniqueID": "T1087.002", + "techniqueID": "T1003.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", "enabled": true }, { - "techniqueID": "T1069", + "techniqueID": "T1021", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1069.001", - "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", - "enabled": true - }, - { - "techniqueID": "T1069.002", - "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", - "enabled": true - }, - { - "techniqueID": "T1016", + 
"techniqueID": "T1105", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1082", + "techniqueID": "T1559", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1033", + "techniqueID": "T1559.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "enabled": true }, { - "techniqueID": "T1057", + "techniqueID": "T1606", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1007", + "techniqueID": "T1606.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "enabled": true }, { - "techniqueID": "T1546", + "techniqueID": "T1187", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | 
CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", + "comment": "CAR-2013-09-003: SMB Session Setups", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1546.010", - "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", - "enabled": true - }, - { - "techniqueID": "T1574", + "techniqueID": "T1053", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1574.009", + "techniqueID": "T1053.005", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: Service Search Path Interception", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, 
Extensions or User Writable Paths", "enabled": true }, { - "techniqueID": "T1547", + "techniqueID": "T1070", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1547.004", + "techniqueID": "T1070.003", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", + "comment": "CAR-2020-11-005: Clear Powershell Console Command History", "enabled": true }, { - "techniqueID": "T1112", - "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1105", + "techniqueID": "T1218", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", + "comment": 
"CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1059", + "techniqueID": "T1218.010", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", + "enabled": true }, { - "techniqueID": "T1059.001", + "techniqueID": "T1053.002", "color": "#c6dbef", - "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", "enabled": true }, { 
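Review bot: the new order is not sorted either (`T1003.003` precedes `T1003.001`, and `T1053.002` lands after `T1218.010`, far from its parent `T1053`), so the layer generator emits `techniques` in whatever order its internal mapping yields and the next regeneration will churn again. Sort the list by `techniqueID`, parents before their sub-techniques, before writing `car_attack.json` so the file is reproducible and a diff only shows analytic mappings that actually changed. Entries visible on both sides of this hunk (`T1053`, `T1053.005`, `T1105`, `T1546`) carry identical `comment` strings, which supports the reordering reading.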
@@ -164,542 +123,564 @@ "showSubtechniques": true }, { - "techniqueID": "T1040", + "techniqueID": "T1197", "color": "#c6dbef", - "comment": "CAR-2020-11-002: Local Network Sniffing", + "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1012", + "techniqueID": "T1546", "color": "#c6dbef", - "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1547.001", + "techniqueID": "T1546.008", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", "enabled": true }, { - "techniqueID": "T1574.011", + "techniqueID": "T1218.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "comment": "CAR-2020-11-009: Compiled HTML Access", "enabled": true }, { - "techniqueID": "T1562", - "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows 
Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1562.001", + "techniqueID": "T1021.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", + "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2016-04-005: Remote Desktop Logon", "enabled": true }, { - "techniqueID": "T1187", + "techniqueID": "T1059", "color": "#c6dbef", - "comment": "CAR-2013-09-003: SMB Session Setups", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1036", + "techniqueID": "T1059.003", "color": "#c6dbef", - "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", + "enabled": true + }, + { + "techniqueID": "T1569", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1036.003", + 
"techniqueID": "T1569.001", "color": "#c6dbef", - "comment": "CAR-2013-05-009: Running executables with same hash and different names", + "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true }, { - "techniqueID": "T1562.006", + "techniqueID": "T1569.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true }, { - "techniqueID": "T1490", + "techniqueID": "T1570", "color": "#c6dbef", - "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", + "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1204", + "techniqueID": "T1543", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1204.002", + "techniqueID": "T1543.003", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: 
Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", "enabled": true }, { - "techniqueID": "T1543", + "techniqueID": "T1574", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1543.003", + "techniqueID": "T1574.010", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary Modifications", "enabled": true }, { - "techniqueID": "T1574.001", + "techniqueID": "T1127", "color": "#c6dbef", - "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "comment": "CAR-2020-11-008: MSBuild and msxsl", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1127.001", + "color": "#c6dbef", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true }, { - "techniqueID": "T1553", + "techniqueID": "T1078", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add 
Certificate To Untrusted Store", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1553.004", + "techniqueID": "T1078.002", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true }, { - "techniqueID": "T1059.003", + "techniqueID": "T1078.003", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true }, { - "techniqueID": "T1003", + "techniqueID": "T1550", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2016-04-004: Successful Local Account Login", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1003.001", + "techniqueID": "T1550.002", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | 
CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2016-04-004: Successful Local Account Login", "enabled": true }, { - "techniqueID": "T1021", + "techniqueID": "T1548", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1021.006", + "techniqueID": "T1021.002", "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1570", + "techniqueID": "T1574.001", "color": "#c6dbef", - "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", + "enabled": true }, { - "techniqueID": "T1078", + "techniqueID": "T1112", "color": "#c6dbef", - "comment": 
"CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1078.002", + "techniqueID": "T1055", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", - "enabled": true + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1078.003", + "techniqueID": "T1055.012", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", "enabled": true }, { - "techniqueID": "T1053.002", + "techniqueID": "T1140", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely 
Scheduled Tasks via AT", - "enabled": true + "comment": "CAR-2021-05-009: CertUtil With Decode Argument", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1564", + "techniqueID": "T1562", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1564.004", + "techniqueID": "T1562.001", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", "enabled": true }, { - "techniqueID": "T1546.015", + "techniqueID": "T1036", "color": "#c6dbef", - "comment": "CAR-2020-09-002: Component Object Model Hijacking", - "enabled": true + "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1021.002", + "techniqueID": "T1036.003", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", + "comment": 
"CAR-2013-05-009: Running executables with same hash and different names", "enabled": true }, { - "techniqueID": "T1505", - "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1505.003", + "techniqueID": "T1021.003", "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "comment": "CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1574.010", + "techniqueID": "T1021.006", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary Modifications", + "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", "enabled": true }, { - "techniqueID": "T1569", + "techniqueID": "T1087", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1569.002", + "techniqueID": "T1087.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true }, { - "techniqueID": "T1070", + "techniqueID": "T1087.002", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console 
Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true }, { - "techniqueID": "T1070.005", + "techniqueID": "T1003.002", "color": "#c6dbef", - "comment": "CAR-2020-11-007: Network Share Connection Removal", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1218", + "techniqueID": "T1069", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1218.011", + "techniqueID": "T1069.001", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true }, { - "techniqueID": "T1037", + "techniqueID": "T1069.002", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "enabled": true + }, + { + "techniqueID": "T1057", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, 
"showSubtechniques": true }, { - "techniqueID": "T1037.001", + "techniqueID": "T1574.011", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", "enabled": true }, { - "techniqueID": "T1140", + "techniqueID": "T1018", "color": "#c6dbef", - "comment": "CAR-2021-05-009: CertUtil With Decode Argument", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1003.003", + "techniqueID": "T1029", "color": "#c6dbef", - "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1055", + "techniqueID": "T1033", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1055.001", + "techniqueID": "T1007", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1560", + "techniqueID": "T1082", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of 
Archiving Software", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1560.001", + "techniqueID": "T1049", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1559", + "techniqueID": "T1016", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1559.002", + "techniqueID": "T1010", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1547.010", + "techniqueID": "T1518", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.007", + "techniqueID": "T1518.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1574.008", + "techniqueID": "T1046", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", + "enabled": true, + "showSubtechniques": true }, { - 
"techniqueID": "T1546.001", + "techniqueID": "T1562.006", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", "enabled": true }, { - "techniqueID": "T1546.003", + "techniqueID": "T1098", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1546.008", + "techniqueID": "T1059.005", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1218.003", + "techniqueID": "T1012", "color": "#c6dbef", - "comment": "CAR-2020-11-010: CMSTP", - "enabled": true + "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1569.001", + "techniqueID": "T1204", "color": "#c6dbef", - "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", - "enabled": true + "comment": "CAR-2021-05-002: Batch File Write to System32", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1546.002", + "techniqueID": "T1204.002", "color": "#c6dbef", - "comment": "CAR-2020-11-011: Registry Edit from Screensaver", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true }, { - "techniqueID": "T1021.001", + "techniqueID": "T1218.011", "color": "#c6dbef", - "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | 
CAR-2016-04-005: Remote Desktop Logon", + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", "enabled": true }, { - "techniqueID": "T1548", + "techniqueID": "T1055.001", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", + "enabled": true }, { - "techniqueID": "T1548.002", + "techniqueID": "T1040", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", - "enabled": true + "comment": "CAR-2020-11-002: Local Network Sniffing", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1197", + "techniqueID": "T1222", "color": "#c6dbef", - "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1218.010", + "techniqueID": "T1222.001", "color": "#c6dbef", - "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true }, { - "techniqueID": "T1068", + "techniqueID": "T1222.002", "color": "#c6dbef", - "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2019-07-001: Access Permission Modification", + "enabled": true }, { - "techniqueID": "T1039", + "techniqueID": "T1547", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit 
with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1003.002", + "techniqueID": "T1547.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true }, { - "techniqueID": "T1018", + "techniqueID": "T1070.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "enabled": true }, { - "techniqueID": "T1029", + "techniqueID": "T1059.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", + "enabled": true }, { - "techniqueID": "T1049", + "techniqueID": "T1490", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1010", + "techniqueID": "T1564", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", "enabled": true, "showSubtechniques": true 
}, { - "techniqueID": "T1518", + "techniqueID": "T1564.004", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "enabled": true }, { - "techniqueID": "T1518.001", + "techniqueID": "T1546.015", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2020-09-002: Component Object Model Hijacking", "enabled": true }, { - "techniqueID": "T1046", + "techniqueID": "T1547.010", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences", + "enabled": true }, { - "techniqueID": "T1098", + "techniqueID": "T1547.004", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", + "enabled": true }, { - "techniqueID": "T1059.005", + "techniqueID": "T1574.007", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1021.003", + "techniqueID": "T1574.008", "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1036.005", + "techniqueID": "T1574.009", "color": "#c6dbef", - "comment": "CAR-2021-04-001: Common Windows Process Masquerading", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: 
Service Search Path Interception", "enabled": true }, { - "techniqueID": "T1222", + "techniqueID": "T1546.001", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences", + "enabled": true }, { - "techniqueID": "T1222.001", + "techniqueID": "T1546.003", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1222.002", + "techniqueID": "T1546.010", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", "enabled": true }, { - "techniqueID": "T1055.012", + "techniqueID": "T1037", "color": "#c6dbef", - "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1037.001", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true }, { - "techniqueID": "T1070.003", + "techniqueID": "T1560", "color": "#c6dbef", - "comment": "CAR-2020-11-005: Clear Powershell Console Command History", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1560.001", + "color": "#c6dbef", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true }, { 
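Review bot: This hunk is a reorder rather than a content change, and that hides the entries that actually differ. Nearly every `-` entry comes back with an identical comment string as a `+` entry elsewhere in the same hunk (T1562 and T1562.001, T1036 and T1036.003, T1570, T1543 and T1543.003, T1078 with T1078.002 and T1078.003, T1548, T1222 with both sub-techniques, T1564 and T1564.004, T1560 and T1560.001, T1037 and T1037.001, T1569 and both sub-techniques), so a reviewer cannot tell moved entries from changed ones. The entries that appear only as `+` here (T1546, T1574, T1112, T1547, T1547.004, T1574.009, T1546.010, T1059, T1059.001 and the discovery group T1087, T1087.001, T1087.002, T1069, T1069.001, T1069.002, T1057, T1033, T1007, T1082, T1016) have their old counterparts in some other hunk or are new, and the entries that appear only as `-` (T1187, T1003, T1003.001, T1003.003, T1021, T1053.002, T1070, T1070.003, T1218, T1218.010, T1559, T1559.002, plus T1606 and T1606.002 in the next hunk) have no `+` anywhere in this patch; please confirm those parent techniques are still present in the regenerated layer and not silently dropped from coverage. Have the layer generator sort the `techniques` array by `techniqueID` before serialising so that regeneration yields a minimal, reviewable diff; the two hunks that follow are the tail of the same reorder and would shrink to nothing with a stable sort.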
@@ -709,61 +690,67 @@ "enabled": true }, { - "techniqueID": "T1136", + "techniqueID": "T1039", "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "comment": "CAR-2013-01-003: SMB Events Monitoring", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1136.001", - "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", - "enabled": true - }, - { - "techniqueID": "T1606", + "techniqueID": "T1553", "color": "#c6dbef", - "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1606.002", + "techniqueID": "T1553.004", "color": "#c6dbef", - "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true }, { - "techniqueID": "T1550", + "techniqueID": "T1036.005", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2021-04-001: Common Windows Process Masquerading", + "enabled": true }, { - "techniqueID": "T1550.002", + "techniqueID": "T1546.002", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true }, { - "techniqueID": "T1070.001", + "techniqueID": "T1070.005", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "comment": "CAR-2020-11-007: Network Share Connection Removal", "enabled": true }, { - "techniqueID": "T1127", + "techniqueID": "T1068", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "enabled": true, 
"showSubtechniques": true }, { - "techniqueID": "T1127.001", + "techniqueID": "T1136", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1136.001", + "color": "#c6dbef", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "enabled": true + }, + { + "techniqueID": "T1548.002", + "color": "#c6dbef", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", "enabled": true }, { @@ -786,9 +773,22 @@ "enabled": true }, { - "techniqueID": "T1218.001", + "techniqueID": "T1505", "color": "#c6dbef", - "comment": "CAR-2020-11-009: Compiled HTML Access", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1505.003", + "color": "#c6dbef", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", + "enabled": true + }, + { + "techniqueID": "T1218.003", + "color": "#c6dbef", + "comment": "CAR-2020-11-010: CMSTP", "enabled": true } ] From d7207560d95eae7fcf584071e787dd4e1394b5be Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 27 Feb 2023 12:39:03 -0500 Subject: [PATCH 78/82] handle case where data_model directory is removed entirely before regenerating files Signed-off-by: Amndeep Singh Mann --- .github/workflows/regenerate-docs.yml | 3 +++ scripts/generate_datamodels.py | 1 + 2 files changed, 4 insertions(+) diff --git a/.github/workflows/regenerate-docs.yml b/.github/workflows/regenerate-docs.yml index 70e1b95b..d91167f8 100644 --- a/.github/workflows/regenerate-docs.yml +++ b/.github/workflows/regenerate-docs.yml 
@@ -16,6 +16,9 @@ jobs: with: repository: ${{ github.event.pull_request.head.repo.full_name }} ref: ${{ github.head_ref }} + - name: Clean /docs/data_model + shell: bash + run: rm -rfv ./docs/data_model - name: Clean /docs/analytics shell: bash run: rm -rfv ./docs/analytics diff --git a/scripts/generate_datamodels.py b/scripts/generate_datamodels.py index 4d017a00..5467ef47 100644 --- a/scripts/generate_datamodels.py +++ b/scripts/generate_datamodels.py @@ -62,6 +62,7 @@ def generate_index_with_sensors(datamodels, jinja_env): def main(): datamodels = parse_yaml() replace_sensor_names_with_html(datamodels, cached_load_sensor()) + Path('../docs/data_model').mkdir(exist_ok=True) jinja_env = create_jinja_environment() generate_markdown(datamodels, jinja_env) generate_index(datamodels, jinja_env) From 9f06a95035708cf98c65522c0bc7784b0c94f042 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 27 Feb 2023 12:39:28 -0500 Subject: [PATCH 79/82] reran generate_datamodels - changes to file permissions to not be executable 
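Review bot: the new `Clean /docs/data_model` step in regenerate-docs.yml deletes the directory unconditionally with `rm -rfv ./docs/data_model`, so anything hand-maintained under it (an index page, a front-matter file) would be removed on every run and never regenerated. The mode-change commit that follows lists 13 generated .md files, which suggests the directory is fully generated, but the workflow does not record that assumption; a one-line comment on the step (as for the existing `Clean /docs/analytics` step) would make the invariant explicit for the next person who adds a file there.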
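Review bot: in the generate_datamodels.py hunk, `Path('../docs/data_model').mkdir(exist_ok=True)` is resolved against the current working directory, so it only works when the script is invoked from `scripts/`; deriving the path from the script location, e.g. `Path(__file__).resolve().parent.parent / 'docs' / 'data_model'`, would remove that dependency. It also omits `parents=True`, so it raises FileNotFoundError if `../docs` is missing, which is acceptable only because `docs/` is tracked in the repository. The hunk uses `Path` without adding an import and the diffstat shows a single insertion for this file, so please confirm `from pathlib import Path` is already present in the script.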
Signed-off-by: Amndeep Singh Mann --- docs/data_model/authentication.md | 0 docs/data_model/data_model_with_sensors.md | 0 docs/data_model/driver.md | 0 docs/data_model/email.md | 0 docs/data_model/file.md | 0 docs/data_model/flow.md | 0 docs/data_model/module.md | 0 docs/data_model/process.md | 0 docs/data_model/registry.md | 0 docs/data_model/service.md | 0 docs/data_model/socket.md | 0 docs/data_model/thread.md | 0 docs/data_model/user_session.md | 0 13 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 docs/data_model/authentication.md mode change 100755 => 100644 docs/data_model/data_model_with_sensors.md mode change 100755 => 100644 docs/data_model/driver.md mode change 100755 => 100644 docs/data_model/email.md mode change 100755 => 100644 docs/data_model/file.md mode change 100755 => 100644 docs/data_model/flow.md mode change 100755 => 100644 docs/data_model/module.md mode change 100755 => 100644 docs/data_model/process.md mode change 100755 => 100644 docs/data_model/registry.md mode change 100755 => 100644 docs/data_model/service.md mode change 100755 => 100644 docs/data_model/socket.md mode change 100755 => 100644 docs/data_model/thread.md mode change 100755 => 100644 docs/data_model/user_session.md diff --git a/docs/data_model/authentication.md b/docs/data_model/authentication.md old mode 100755 new mode 100644 diff --git a/docs/data_model/data_model_with_sensors.md b/docs/data_model/data_model_with_sensors.md old mode 100755 new mode 100644 diff --git a/docs/data_model/driver.md b/docs/data_model/driver.md old mode 100755 new mode 100644 diff --git a/docs/data_model/email.md b/docs/data_model/email.md old mode 100755 new mode 100644 diff --git a/docs/data_model/file.md b/docs/data_model/file.md old mode 100755 new mode 100644 diff --git a/docs/data_model/flow.md b/docs/data_model/flow.md old mode 100755 new mode 100644 diff --git a/docs/data_model/module.md b/docs/data_model/module.md old mode 100755 new mode 100644 
diff --git a/docs/data_model/process.md b/docs/data_model/process.md old mode 100755 new mode 100644 diff --git a/docs/data_model/registry.md b/docs/data_model/registry.md old mode 100755 new mode 100644 diff --git a/docs/data_model/service.md b/docs/data_model/service.md old mode 100755 new mode 100644 diff --git a/docs/data_model/socket.md b/docs/data_model/socket.md old mode 100755 new mode 100644 diff --git a/docs/data_model/thread.md b/docs/data_model/thread.md old mode 100755 new mode 100644 diff --git a/docs/data_model/user_session.md b/docs/data_model/user_session.md old mode 100755 new mode 100644 From 6a882ac97f3a214bd1adabbf2819cdaf26350d7a Mon Sep 17 00:00:00 2001 From: Amndeep7 Date: Mon, 27 Feb 2023 17:41:28 +0000 Subject: [PATCH 80/82] Automated commit to rebuild the static site Signed-off-by: Build and Push Automation Script <> --- docs/analytics/by_technique/index.md | 100 ++--- docs/car_attack/car_attack.json | 622 +++++++++++++-------------- docs/data/analytics.json | 2 +- docs/sensors/auditd_2.8.md | 32 +- docs/sensors/osquery_4.1.2.md | 32 +- docs/sensors/osquery_4.6.0.md | 32 +- docs/sensors/sysmon_10.4.md | 50 +-- docs/sensors/sysmon_11.0.md | 50 +-- docs/sensors/sysmon_13.md | 50 +-- 9 files changed, 485 insertions(+), 485 deletions(-) diff --git a/docs/analytics/by_technique/index.md b/docs/analytics/by_technique/index.md index e1445b68..08777978 100644 --- a/docs/analytics/by_technique/index.md +++ b/docs/analytics/by_technique/index.md @@ -16,14 +16,14 @@ permalink: /analytics/by_technique T1003: OS Credential Dumping - - T1003.003: NTDS - - T1003.001: LSASS Memory + + T1003.003: NTDS + + T1003.002: Security Account Manager 
@@ -59,20 +59,20 @@ permalink: /analytics/by_technique - T1021.001: Remote Desktop Protocol - + T1021.006: Windows Remote Management + T1021.002: SMB/Windows Admin Shares - T1021.003: Distributed Component Object Model - + T1021.001: Remote Desktop Protocol + - T1021.006: Windows Remote Management - + T1021.003: Distributed Component Object Model + T1029: Scheduled Transfer @@ -141,14 +141,14 @@ permalink: /analytics/by_technique T1055: Process Injection - - T1055.012: Process Hollowing - - T1055.001: Dynamic-link Library Injection + + T1055.012: Process Hollowing + + T1057: Process Discovery (N/A - technique only) @@ -159,6 +159,10 @@ permalink: /analytics/by_technique (N/A - technique only) + + T1059.001: PowerShell + + T1059.003: Windows Command Shell @@ -167,10 +171,6 @@ permalink: /analytics/by_technique T1059.005: Visual Basic - - T1059.001: PowerShell - - T1068: Exploitation for Privilege Escalation (N/A - technique only) @@ -190,6 +190,10 @@ permalink: /analytics/by_technique T1070: Indicator Removal + + T1070.005: Network Share Connection Removal + + T1070.003: Clear Command History @@ -198,10 +202,6 @@ permalink: /analytics/by_technique T1070.001: Clear Windows Event Logs - - T1070.005: Network Share Connection Removal - - T1078: Valid Accounts @@ -277,14 +277,6 @@ permalink: /analytics/by_technique T1218: System Binary Proxy Execution - - T1218.010: Regsvr32 - - - - T1218.001: Compiled HTML File - - T1218.011: Rundll32 @@ -293,6 +285,14 @@ permalink: /analytics/by_technique T1218.003: CMSTP + + T1218.010: Regsvr32 + + + + T1218.001: Compiled HTML File + + T1222: File and Directory Permissions Modification @@ -328,8 +328,8 @@ permalink: /analytics/by_technique T1546: Event Triggered Execution - T1546.008: Accessibility Features - + T1546.010: AppInit DLLs + T1546.015: Component Object Model Hijacking @@ -344,8 +344,8 @@ permalink: /analytics/by_technique - T1546.010: AppInit DLLs - + T1546.008: Accessibility Features + T1546.002: Screensaver 
@@ -354,6 +354,10 @@ permalink: /analytics/by_technique T1547: Boot or Logon Autostart Execution + + T1547.004: Winlogon Helper DLL + + T1547.001: Registry Run Keys / Startup Folder @@ -362,10 +366,6 @@ permalink: /analytics/by_technique T1547.010: Port Monitors - - T1547.004: Winlogon Helper DLL - - T1548: Abuse Elevation Control Mechanism (N/A - technique only) @@ -429,14 +429,14 @@ permalink: /analytics/by_technique T1569: System Services - - T1569.001: Launchctl - - T1569.002: Service Execution + + T1569.001: Launchctl + + T1570: Lateral Tool Transfer (N/A - technique only) @@ -446,16 +446,20 @@ permalink: /analytics/by_technique T1574: Hijack Execution Flow - T1574.010: Services File Permissions Weakness - + T1574.009: Path Interception by Unquoted Path + + + + T1574.011: Services Registry Permissions Weakness + T1574.001: DLL Search Order Hijacking - T1574.011: Services Registry Permissions Weakness - + T1574.010: Services File Permissions Weakness + T1574.007: Path Interception by PATH Environment Variable @@ -465,10 +469,6 @@ permalink: /analytics/by_technique T1574.008: Path Interception by Search Order Hijacking - - T1574.009: Path Interception by Unquoted Path - - T1606: Forge Web Credentials T1606.002: SAML Tokens diff --git a/docs/car_attack/car_attack.json b/docs/car_attack/car_attack.json index 02432b5c..a2dee028 100644 --- a/docs/car_attack/car_attack.json +++ b/docs/car_attack/car_attack.json 
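Review bot: the docs/analytics/by_technique/index.md hunks in this automated rebuild are all reorderings of sub-technique entries under their parent (T1021.*, T1055.*, T1059.001, T1070.005, T1218.*, T1546.*, T1547.004, T1569.*, T1574.*), and the car_attack.json hunk that follows reorders whole technique blocks the same way; the diffstat of 485 insertions against 485 deletions contains no changed mapping. Sorting sub-techniques by ID in the generator, the same fix as for the `techniques` array in car_attack.json, would leave automated commits carrying only real changes. One item worth confirming in the first index.md hunk (@@ -16,14 +16,14): within the window, T1003.001 LSASS Memory is removed and T1003.002 Security Account Manager added, while car_attack.json in this same commit still maps T1003.001 to CAR-2013-07-001, CAR-2019-04-004, CAR-2019-07-002, CAR-2019-08-001 and CAR-2021-05-011; please check that T1003.001 still appears elsewhere in the index rather than having been dropped.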
@@ -5,682 +5,701 @@ "domain": "mitre-enterprise", "techniques": [ { - "techniqueID": "T1003", + "techniqueID": "T1053", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1003.003", + "techniqueID": "T1053.005", "color": "#c6dbef", - "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "enabled": true }, { - "techniqueID": "T1003.001", + "techniqueID": "T1087", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager 
| CAR-2021-05-011: Create Remote Thread into LSASS", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1087.001", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true }, { - "techniqueID": "T1021", + "techniqueID": "T1087.002", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true }, { - "techniqueID": "T1105", + "techniqueID": "T1069", "color": "#c6dbef", - "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1559", + "techniqueID": "T1069.001", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick 
execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "enabled": true }, { - "techniqueID": "T1559.002", + "techniqueID": "T1069.002", "color": "#c6dbef", - "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", "enabled": true }, { - "techniqueID": "T1606", + "techniqueID": "T1016", "color": "#c6dbef", - "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1606.002", + "techniqueID": "T1082", "color": "#c6dbef", - "comment": "CAR-2021-05-008: Certutil exe certificate extraction", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1187", + "techniqueID": "T1033", "color": "#c6dbef", - "comment": "CAR-2013-09-003: SMB Session Setups", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1053", + "techniqueID": "T1057", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-001: Remotely Scheduled Tasks via AT | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious 
Scripts, Extensions or User Writable Paths", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1053.005", + "techniqueID": "T1007", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-08-001: Execution with schtasks | CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks | CAR-2020-09-001: Scheduled Task - FileAccess | CAR-2021-12-001: Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1070", + "techniqueID": "T1546", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1070.003", + "techniqueID": "T1546.010", "color": "#c6dbef", - "comment": "CAR-2020-11-005: Clear Powershell Console Command History", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", "enabled": true }, { - "techniqueID": "T1218", + "techniqueID": "T1574", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | 
CAR-2020-11-009: Compiled HTML Access | CAR-2020-11-010: CMSTP", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1218.010", + "techniqueID": "T1574.009", "color": "#c6dbef", - "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: Service Search Path Interception", "enabled": true }, { - "techniqueID": "T1053.002", + "techniqueID": "T1547", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1547.004", + "color": "#c6dbef", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", "enabled": true }, { - "techniqueID": "T1047", + "techniqueID": "T1112", "color": "#c6dbef", - "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from 
Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1197", + "techniqueID": "T1105", "color": "#c6dbef", - "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2021-05-005: BITSAdmin Download File | CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments | CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1546", + "techniqueID": "T1059", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon | CAR-2020-09-002: Component Object Model Hijacking | CAR-2020-09-005: AppInit DLLs | CAR-2020-11-011: Registry Edit from Screensaver", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1546.008", + "techniqueID": "T1059.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", + "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", 
"enabled": true }, { - "techniqueID": "T1218.001", + "techniqueID": "T1047", "color": "#c6dbef", - "comment": "CAR-2020-11-009: Compiled HTML Access", - "enabled": true + "comment": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC | CAR-2014-12-001: Remotely Launched Executables via WMI | CAR-2016-03-002: Create Remote Process via WMIC", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1021.001", + "techniqueID": "T1040", "color": "#c6dbef", - "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2016-04-005: Remote Desktop Logon", - "enabled": true + "comment": "CAR-2020-11-002: Local Network Sniffing", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1059", + "techniqueID": "T1012", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-04-003: Powershell Execution | CAR-2014-11-002: Outlier Parents of Cmd | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2021-01-002: Unusually Long Command Line Strings", + "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1059.003", + "techniqueID": "T1547.001", "color": "#c6dbef", - "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", "enabled": true }, { - "techniqueID": "T1569", + "techniqueID": "T1574.011", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | 
CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "enabled": true }, { - "techniqueID": "T1569.001", + "techniqueID": "T1562", "color": "#c6dbef", - "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1569.002", + "techniqueID": "T1562.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", "enabled": true }, { - "techniqueID": "T1570", + "techniqueID": "T1187", "color": "#c6dbef", - "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", + "comment": "CAR-2013-09-003: SMB Session Setups", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1543", + "techniqueID": "T1036", "color": "#c6dbef", - "comment": 
"CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1543.003", + "techniqueID": "T1036.003", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", + "comment": "CAR-2013-05-009: Running executables with same hash and different names", "enabled": true }, { - "techniqueID": "T1574", + "techniqueID": "T1562.006", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-07-001: Service Search Path Interception | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", + "enabled": true }, { - "techniqueID": "T1574.010", + "techniqueID": "T1490", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary Modifications", - "enabled": true + "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion 
or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1127", + "techniqueID": "T1204", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1127.001", + "techniqueID": "T1204.002", "color": "#c6dbef", - "comment": "CAR-2020-11-008: MSBuild and msxsl", + "comment": "CAR-2021-05-002: Batch File Write to System32", "enabled": true }, { - "techniqueID": "T1078", + "techniqueID": "T1543", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1078.002", + "techniqueID": "T1543.003", "color": "#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-09-005: Service Outlier Executables | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2014-05-002: Services launching Cmd", "enabled": true }, { - "techniqueID": "T1078.003", + "techniqueID": "T1574.001", "color": 
"#c6dbef", - "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "enabled": true }, { - "techniqueID": "T1550", + "techniqueID": "T1553", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1550.002", + "techniqueID": "T1553.004", "color": "#c6dbef", - "comment": "CAR-2016-04-004: Successful Local Account Login", + "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", "enabled": true }, { - "techniqueID": "T1548", - "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1021.002", + "techniqueID": "T1059.003", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", + "comment": "CAR-2013-02-003: Processes Spawning cmd.exe | CAR-2014-11-002: Outlier Parents of Cmd", "enabled": true }, { - "techniqueID": "T1574.001", + "techniqueID": "T1003", "color": "#c6dbef", - "comment": "CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump 
| CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS | CAR-2021-05-011: Create Remote Thread into LSASS", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1112", + "techniqueID": "T1003.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-11-005: Remote Registry | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-001: Registry Edit with Creation of SafeDllSearchMode Key Set to 0 | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-07-001: Suspicious Arguments | CAR-2019-04-004: Credential Dumping via Mimikatz | CAR-2019-07-002: Lsass Process Dump via Procdump | CAR-2019-08-001: Credential Dumping via Windows Task Manager | CAR-2021-05-011: Create Remote Thread into LSASS", + "enabled": true }, { - "techniqueID": "T1055", + "techniqueID": "T1021", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-07-001: Suspicious Arguments | CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM) | CAR-2016-04-005: Remote Desktop Logon", "enabled": true, "showSubtechniques": true }, { - 
"techniqueID": "T1055.012", + "techniqueID": "T1021.006", "color": "#c6dbef", - "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", "enabled": true }, { - "techniqueID": "T1140", + "techniqueID": "T1570", "color": "#c6dbef", - "comment": "CAR-2021-05-009: CertUtil With Decode Argument", + "comment": "CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-03-001: SMB Write Request - NamedPipes", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562", + "techniqueID": "T1078", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2020-09-003: Indicator Blocking - Driver Unloaded | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt | CAR-2022-03-001: Disable Windows Event Logging", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562.001", + "techniqueID": "T1078.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-04-003: User Activity from Stopping Windows Defensive Services | CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt", + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", "enabled": true }, { - "techniqueID": "T1036", + "techniqueID": "T1078.003", "color": "#c6dbef", - 
"comment": "CAR-2013-05-002: Suspicious Run Locations | CAR-2013-05-009: Running executables with same hash and different names | CAR-2021-04-001: Common Windows Process Masquerading", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-02-008: Simultaneous Logins on a Host | CAR-2013-02-012: User Logged in to Multiple Hosts | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2013-10-001: User Login Activity Monitoring", + "enabled": true }, { - "techniqueID": "T1036.003", - "color": "#c6dbef", - "comment": "CAR-2013-05-009: Running executables with same hash and different names", - "enabled": true - }, - { - "techniqueID": "T1021.003", - "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity", - "enabled": true - }, - { - "techniqueID": "T1021.006", + "techniqueID": "T1053.002", "color": "#c6dbef", - "comment": "CAR-2014-05-001: RPC Activity | CAR-2014-11-004: Remote PowerShell Sessions | CAR-2014-11-006: Windows Remote Management (WinRM)", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-004: Execution with AT | CAR-2015-04-001: Remotely Scheduled Tasks via AT", "enabled": true }, { - "techniqueID": "T1087", + "techniqueID": "T1564", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1087.001", + "techniqueID": "T1564.004", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", "enabled": true }, { - 
"techniqueID": "T1087.002", + "techniqueID": "T1546.015", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2020-09-002: Component Object Model Hijacking", "enabled": true }, { - "techniqueID": "T1003.002", + "techniqueID": "T1021.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-01-003: SMB Events Monitoring | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2013-05-003: SMB Write Request | CAR-2013-05-005: SMB Copy and Execution | CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1069", + "techniqueID": "T1505", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1069.001", + "techniqueID": "T1505.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", "enabled": true }, { - "techniqueID": "T1069.002", + "techniqueID": "T1574.010", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands | CAR-2020-11-006: Local Permission Group Discovery", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-02-001: Service Binary Modifications", "enabled": true }, { - "techniqueID": "T1057", + "techniqueID": "T1569", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery 
Commands", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1574.011", + "techniqueID": "T1569.002", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2014-02-001: Service Binary Modifications | CAR-2014-03-005: Remotely Launched Executables via Services | CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true }, { - "techniqueID": "T1018", + "techniqueID": "T1070", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2020-11-005: Clear Powershell Console Command History | CAR-2020-11-007: Network Share Connection Removal | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1029", + "techniqueID": "T1070.005", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2020-11-007: Network Share Connection Removal", + "enabled": true }, { - "techniqueID": "T1033", + "techniqueID": "T1218", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring | CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo | CAR-2020-11-009: Compiled HTML Access | 
CAR-2020-11-010: CMSTP", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1007", + "techniqueID": "T1218.011", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", + "enabled": true }, { - "techniqueID": "T1082", + "techniqueID": "T1037", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1049", + "techniqueID": "T1037.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "enabled": true }, { - "techniqueID": "T1016", + "techniqueID": "T1140", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2016-03-001: Host Discovery Commands", + "comment": "CAR-2021-05-009: CertUtil With Decode Argument", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1010", + "techniqueID": "T1003.003", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil | CAR-2020-05-001: MiniDump of LSASS", + "enabled": true }, { - "techniqueID": "T1518", + "techniqueID": "T1055", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection 
with Mavinject | CAR-2020-11-004: Processes Started From Irregular Parent", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1518.001", + "techniqueID": "T1055.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", "enabled": true }, { - "techniqueID": "T1046", + "techniqueID": "T1560", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1562.006", + "techniqueID": "T1560.001", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-09-003: Indicator Blocking - Driver Unloaded", + "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", "enabled": true }, { - "techniqueID": "T1098", + "techniqueID": "T1559", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1059.005", + "techniqueID": "T1559.002", "color": "#c6dbef", - "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "comment": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit", "enabled": true }, { - "techniqueID": "T1012", + "techniqueID": "T1547.010", "color": "#c6dbef", - "comment": "CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2020-05-003: Rare LolBAS Command Lines", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences", + "enabled": true }, { 
- "techniqueID": "T1204", + "techniqueID": "T1574.007", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences", + "enabled": true }, { - "techniqueID": "T1204.002", + "techniqueID": "T1574.008", "color": "#c6dbef", - "comment": "CAR-2021-05-002: Batch File Write to System32", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1218.011", + "techniqueID": "T1546.001", "color": "#c6dbef", - "comment": "CAR-2014-03-006: RunDLL32.exe monitoring", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1055.001", + "techniqueID": "T1546.003", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2020-11-003: DLL Injection with Mavinject", + "comment": "CAR-2013-01-002: Autorun Differences", "enabled": true }, { - "techniqueID": "T1040", + "techniqueID": "T1546.008", "color": "#c6dbef", - "comment": "CAR-2020-11-002: Local Network Sniffing", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-11-003: Debuggers for Accessibility Applications | CAR-2014-11-008: Command Launched from WinLogon", + "enabled": true }, { - "techniqueID": "T1222", + "techniqueID": "T1218.003", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2020-11-010: CMSTP", + "enabled": true }, { - "techniqueID": "T1222.001", + "techniqueID": "T1569.001", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", + "comment": "CAR-2021-05-012: Create Service In Suspicious File Path", "enabled": true }, { - "techniqueID": "T1222.002", + "techniqueID": "T1546.002", "color": "#c6dbef", - "comment": "CAR-2019-07-001: Access Permission Modification", + "comment": "CAR-2020-11-011: Registry Edit from 
Screensaver", "enabled": true }, { - "techniqueID": "T1547", + "techniqueID": "T1021.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "comment": "CAR-2013-07-002: RDP Connection Detection | CAR-2013-10-001: User Login Activity Monitoring | CAR-2016-04-005: Remote Desktop Logon", + "enabled": true + }, + { + "techniqueID": "T1548", + "color": "#c6dbef", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC | CAR-2021-02-002: Get System Elevation", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1547.001", + "techniqueID": "T1548.002", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2013-03-001: Reg.exe called from Command Shell | CAR-2020-05-003: Rare LolBAS Command Lines | CAR-2021-12-002: Modification of Default Startup Folder in the Registry Key 'Common Startup'", + "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", "enabled": true }, { - "techniqueID": "T1070.001", + "techniqueID": "T1197", "color": "#c6dbef", - "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", - "enabled": true + "comment": "CAR-2021-05-004: BITS Job Persistence | CAR-2021-05-005: BITSAdmin Download File", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1059.001", + "techniqueID": "T1218.010", "color": "#c6dbef", - "comment": "CAR-2014-04-003: Powershell Execution | CAR-2014-11-004: Remote PowerShell Sessions", + "comment": "CAR-2019-04-002: Generic Regsvr32 | CAR-2019-04-003: Squiblydoo", "enabled": true }, { - 
"techniqueID": "T1490", + "techniqueID": "T1068", "color": "#c6dbef", - "comment": "CAR-2021-01-009: Detecting Shadow Copy Deletion or Resize | CAR-2021-05-003: BCDEdit Failure Recovery Modification", + "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1564", + "techniqueID": "T1039", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "comment": "CAR-2013-01-003: SMB Events Monitoring", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1564.004", + "techniqueID": "T1003.002", "color": "#c6dbef", - "comment": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities | CAR-2020-08-002: NTFS Alternate Data Stream Execution - LOLBAS", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1546.015", + "techniqueID": "T1018", "color": "#c6dbef", - "comment": "CAR-2020-09-002: Component Object Model Hijacking", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1547.010", + "techniqueID": "T1029", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1547.004", + "techniqueID": "T1049", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2021-11-002: Registry Edit with Modification of Userinit, Shell or Notify", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.007", + "techniqueID": 
"T1010", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.008", + "techniqueID": "T1518", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", - "enabled": true + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1574.009", + "techniqueID": "T1518.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2014-07-001: Service Search Path Interception", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1546.001", + "techniqueID": "T1046", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands | CAR-2021-01-001: Identifying Port Scanning Activity", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1098", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", + "enabled": true, + "showSubtechniques": true + }, + { + "techniqueID": "T1059.005", + "color": "#c6dbef", + "comment": "CAR-2013-04-002: Quick execution of a series of suspicious commands", "enabled": true }, { - "techniqueID": "T1546.003", + "techniqueID": "T1021.003", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences", + "comment": "CAR-2014-05-001: RPC Activity", "enabled": true }, { - "techniqueID": "T1546.010", + "techniqueID": "T1036.005", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-09-005: AppInit DLLs", + "comment": "CAR-2021-04-001: Common Windows Process Masquerading", "enabled": true }, { - "techniqueID": "T1037", + "techniqueID": "T1222", "color": 
"#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1037.001", + "techniqueID": "T1222.001", "color": "#c6dbef", - "comment": "CAR-2013-01-002: Autorun Differences | CAR-2020-11-001: Boot or Logon Initialization Scripts", + "comment": "CAR-2019-07-001: Access Permission Modification", "enabled": true }, { - "techniqueID": "T1560", + "techniqueID": "T1222.002", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2019-07-001: Access Permission Modification", + "enabled": true }, { - "techniqueID": "T1560.001", + "techniqueID": "T1055.012", "color": "#c6dbef", - "comment": "CAR-2013-07-005: Command Line Usage of Archiving Software", + "comment": "CAR-2020-11-004: Processes Started From Irregular Parent", + "enabled": true + }, + { + "techniqueID": "T1070.003", + "color": "#c6dbef", + "comment": "CAR-2020-11-005: Clear Powershell Console Command History", "enabled": true }, { 
@@ -690,67 +709,61 @@ "enabled": true }, { - "techniqueID": "T1039", + "techniqueID": "T1136", "color": "#c6dbef", - "comment": "CAR-2013-01-003: SMB Events Monitoring", + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1553", + "techniqueID": "T1136.001", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "enabled": true }, { - "techniqueID": "T1553.004", + "techniqueID": "T1606", "color": "#c6dbef", - "comment": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store", - "enabled": true + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1036.005", + "techniqueID": "T1606.002", "color": "#c6dbef", - "comment": "CAR-2021-04-001: Common Windows Process Masquerading", + "comment": "CAR-2021-05-008: Certutil exe certificate extraction", "enabled": true }, { - "techniqueID": "T1546.002", + "techniqueID": "T1550", "color": "#c6dbef", - "comment": "CAR-2020-11-011: Registry Edit from Screensaver", - "enabled": true + "comment": "CAR-2016-04-004: Successful Local Account Login", + "enabled": true, + "showSubtechniques": true }, { - "techniqueID": "T1070.005", + "techniqueID": "T1550.002", "color": "#c6dbef", - "comment": "CAR-2020-11-007: Network Share Connection Removal", + "comment": "CAR-2016-04-004: Successful Local Account Login", "enabled": true }, { - "techniqueID": "T1068", + "techniqueID": "T1070.001", "color": "#c6dbef", - "comment": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe", - "enabled": true, - "showSubtechniques": true + "comment": "CAR-2016-04-002: User Activity from Clearing Event Logs | CAR-2021-01-003: Clearing Windows Logs with Wevtutil", + "enabled": true }, { - 
"techniqueID": "T1136", + "techniqueID": "T1127", "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true, "showSubtechniques": true }, { - "techniqueID": "T1136.001", - "color": "#c6dbef", - "comment": "CAR-2021-05-010: Create local admin accounts using net exe", - "enabled": true - }, - { - "techniqueID": "T1548.002", + "techniqueID": "T1127.001", "color": "#c6dbef", - "comment": "CAR-2013-10-002: DLL Injection via Load Library | CAR-2019-04-001: UAC Bypass | CAR-2021-01-008: Disable UAC", + "comment": "CAR-2020-11-008: MSBuild and msxsl", "enabled": true }, { @@ -773,22 +786,9 @@ "enabled": true }, { - "techniqueID": "T1505", - "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", - "enabled": true, - "showSubtechniques": true - }, - { - "techniqueID": "T1505.003", - "color": "#c6dbef", - "comment": "CAR-2021-02-001: Webshell-Indicative Process Tree", - "enabled": true - }, - { - "techniqueID": "T1218.003", + "techniqueID": "T1218.001", "color": "#c6dbef", - "comment": "CAR-2020-11-010: CMSTP", + "comment": "CAR-2020-11-009: Compiled HTML Access", "enabled": true } ] diff --git a/docs/data/analytics.json b/docs/data/analytics.json index 2ee43fdb..341dd409 100644 --- a/docs/data/analytics.json +++ b/docs/data/analytics.json 
@@ -1 +1 @@ -{"analytics": [{"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": 
"Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], 
"technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": 
["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": 
"Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": 
"Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", 
"coverage": "Low"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential 
Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System 
Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": 
["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": 
["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Common Windows 
Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": ["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": 
"Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": "CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": 
"Technique/T1552", "coverage": "Low"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Detecting Shadow Copy Deletion or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, 
{"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": 
["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}]} \ No newline at end of file +{"analytics": [{"shortName": "Scheduled Task - FileAccess", "name": "CAR-2020-09-001", "fields": ["file/create/file_path", "file/create/image_path"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Low"}]}, {"shortName": "Host Discovery Commands", "name": "CAR-2016-03-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Moderate"}]}, {"shortName": "AppInit DLLs", "name": "CAR-2020-09-005", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Service Search Path Interception", "name": "CAR-2014-07-001", "fields": ["process/create/command_line", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1574", "coverage": "High"}]}, {"shortName": "Registry Edit with Modification of Userinit, Shell or Notify", "name": "CAR-2021-11-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": 
"Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Local Permission Group Discovery", "name": "CAR-2020-11-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With URLCache and Split Arguments", "name": "CAR-2021-05-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Powershell Execution", "name": "CAR-2014-04-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "High"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "CertUtil Download With VerifyCtl and Split Arguments", "name": "CAR-2021-05-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remote Registry", "name": "CAR-2014-11-005", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}]}, {"shortName": "Create Remote Process via WMIC", "name": "CAR-2016-03-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Low"}]}, {"shortName": "Local Network Sniffing", "name": "CAR-2020-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Credential Access", "Discovery"], "technique": "Technique/T1040", "coverage": "Moderate"}]}, {"shortName": "Reg.exe called from Command Shell", "name": 
"CAR-2013-03-001", "fields": ["process/create/command_line", "process/create/hostname", "process/create/exe", "process/create/parent_exe", "process/create/pid", "process/create/ppid"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}]}, {"shortName": "Detecting Tampering of Windows Defender Command Prompt", "name": "CAR-2021-01-007", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Medium"}]}, {"shortName": "SMB Session Setups", "name": "CAR-2013-09-003", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/protocol"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1187", "coverage": "Low"}]}, {"shortName": "Running executables with same hash and different names", "name": "CAR-2013-05-009", "fields": ["process/create/exe", "process/create/md5_hash"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Indicator Blocking - Driver Unloaded", "name": "CAR-2020-09-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "BCDEdit Failure Recovery Modification", "name": "CAR-2021-05-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Moderate"}]}, {"shortName": "Batch File Write to System32", "name": "CAR-2021-05-002", "fields": ["file/create/extension", "file/create/file_path"], "attack": [{"tactics": ["Execution"], "technique": 
"Technique/T1204", "coverage": "Moderate"}]}, {"shortName": "Services launching Cmd", "name": "CAR-2014-05-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Registry Edit with Creation of SafeDllSearchMode Key Set to 0", "name": "CAR-2021-11-001", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1574", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Attempt To Add Certificate To Untrusted Store", "name": "CAR-2021-05-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1553", "coverage": "Moderate"}]}, {"shortName": "Modification of Default Startup Folder in the Registry Key 'Common Startup'", "name": "CAR-2021-12-002", "fields": ["process/create/command_line", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1547", "coverage": "Medium"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Medium"}]}, {"shortName": "Processes Spawning cmd.exe", "name": "CAR-2013-02-003", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Credential Dumping via Mimikatz", "name": "CAR-2019-04-004", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Remote PowerShell Sessions", "name": "CAR-2014-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, 
{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request - NamedPipes", "name": "CAR-2014-03-001", "fields": ["flow/message/proto_info", "flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Low"}]}, {"shortName": "Simultaneous Logins on a Host", "name": "CAR-2013-02-008", "fields": ["user_session/login/user", "user_session/login/hostname"], "attack": [{"tactics": ["Initial Access"], "technique": "Technique/T1078", "coverage": "Low"}]}, {"shortName": "Execution with AT", "name": "CAR-2013-05-004", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via Schtasks", "name": "CAR-2015-04-002", "fields": ["flow/message/dest_port", "flow/message/src_port", "flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Execution with schtasks", "name": "CAR-2013-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "NTFS Alternate Data Stream Execution - System Utilities", "name": "CAR-2020-08-001", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "Remote Windows Management Instrumentation (WMI) over RPC", "name": "CAR-2014-11-007", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "Moderate"}]}, {"shortName": "Component Object Model Hijacking", "name": "CAR-2020-09-002", "fields": ["registry/add/key", "registry/remove/key", "registry/edit/key"], "attack": 
[{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "SMB Copy and Execution", "name": "CAR-2013-05-005", "fields": ["process/create/image_path", "process/create/proto_info", "process/create/hostname"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}]}, {"shortName": "Webshell-Indicative Process Tree", "name": "CAR-2021-02-001", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1505", "coverage": "Moderate"}]}, {"shortName": "User Logged in to Multiple Hosts", "name": "CAR-2013-02-012", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "User Activity from Stopping Windows Defensive Services", "name": "CAR-2016-04-003", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}]}, {"shortName": "Service Binary Modifications", "name": "CAR-2014-02-001", "fields": ["file/create/file_path", "file/create/image_path", "process/create/image_path", "process/create/parent_exe"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Rare LolBAS Command Lines", "name": "CAR-2020-05-003", "fields": [], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": 
["Persistence"], "technique": "Technique/T1547", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}]}, {"shortName": "Suspicious Arguments", "name": "CAR-2013-07-001", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Command and Control", "Lateral Movement"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Remotely Scheduled Tasks via AT", "name": "CAR-2015-04-001", "fields": ["flow/message/proto_info"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1053", "coverage": "Moderate"}]}, {"shortName": "Network Share Connection Removal", "name": "CAR-2020-11-007", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "High"}]}, {"shortName": "RunDLL32.exe monitoring", "name": "CAR-2014-03-006", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Boot or Logon Initialization Scripts", "name": "CAR-2020-11-001", "fields": ["process/create/command_line", "process/create/exe", "registry/add/key", "registry/edit/key"], "attack": [{"tactics": ["Persistence", "Lateral Movement"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "CertUtil With Decode Argument", "name": "CAR-2021-05-009", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1140", "coverage": "Moderate"}]}, {"shortName": "Unusually Long Command Line Strings", "name": "CAR-2021-01-002", "fields": ["process/create/command_line"], "attack": [{"tactics": 
["Execution"], "technique": "Technique/T1059", "coverage": "Low"}]}, {"shortName": "MiniDump of LSASS", "name": "CAR-2020-05-001", "fields": [], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "DLL Injection with Mavinject", "name": "CAR-2020-11-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "Command Line Usage of Archiving Software", "name": "CAR-2013-07-005", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Exfiltration"], "technique": "Technique/T1560", "coverage": "Moderate"}]}, {"shortName": "Unusual Child Process spawned using DDE exploit", "name": "CAR-2021-01-006", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1559", "coverage": "Low"}]}, {"shortName": "Credential Dumping via Windows Task Manager", "name": "CAR-2019-08-001", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Shadow Copy Deletion", "name": "CAR-2020-04-001", "fields": [], "attack": []}, {"shortName": "Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths", "name": "CAR-2021-12-001", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Execution", "Persistence", "Privilege Escalation"], "technique": "Technique/T1053", "coverage": "Medium"}]}, {"shortName": "Autorun Differences", "name": "CAR-2013-01-002", "fields": [], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1053", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1547", "coverage": "Moderate"}, {"tactics": 
["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}, {"tactics": ["Persistence", "Execution"], "technique": "Technique/T1112", "coverage": "Moderate"}, {"tactics": ["Persistence"], "technique": "Technique/T1037", "coverage": "Moderate"}]}, {"shortName": "Remotely Launched Executables via WMI", "name": "CAR-2014-12-001", "fields": ["flow/message/dest_port", "flow/message/proto_info", "flow/message/src_port", "process/create/command_line", "process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1047", "coverage": "High"}]}, {"shortName": "NTFS Alternate Data Stream Execution - LOLBAS", "name": "CAR-2020-08-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1564", "coverage": "Low"}]}, {"shortName": "CMSTP", "name": "CAR-2020-11-010", "fields": ["process/create/exe", "process/create/src_ip"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "Create Service In Suspicious File Path", "name": "CAR-2021-05-012", "fields": ["service/create/image_path"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "Registry Edit from Screensaver", "name": "CAR-2020-11-011", "fields": ["registry/edit/key", "registry/add/key"], "attack": [{"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1546", "coverage": "High"}]}, {"shortName": "User Login Activity Monitoring", "name": "CAR-2013-10-001", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Detecting Shadow Copy Deletion 
or Resize", "name": "CAR-2021-01-009", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Impact"], "technique": "Technique/T1490", "coverage": "Low"}]}, {"shortName": "Remotely Launched Executables via Services", "name": "CAR-2014-03-005", "fields": ["flow/start/pid", "process/create/parent_exe", "process/create/pid"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Moderate"}]}, {"shortName": "UAC Bypass", "name": "CAR-2019-04-001", "fields": ["process/create/image_path", "process/create/parent_image_path", "process/create/integrity_level", "process/create/user", "process/create/parent_command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1548", "coverage": "Low"}]}, {"shortName": "BITSAdmin Download File", "name": "CAR-2021-05-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}, {"tactics": ["Command and Control"], "technique": "Technique/T1105", "coverage": "Moderate"}]}, {"shortName": "Generic Regsvr32", "name": "CAR-2019-04-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "process/create/image", "process/create/parent_image"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Low"}]}, {"shortName": "Unusual Child Process for Spoolsv.Exe or Connhost.Exe", "name": "CAR-2021-01-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1068", "coverage": "Low"}]}, {"shortName": "Get System Elevation", "name": "CAR-2021-02-002", "fields": ["process/create/exe", "process/create/parent_exe", "process/create/command_line", "service/create/command_line"], "attack": [{"tactics": ["Privilege Escalation", "Defense 
Evasion"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Debuggers for Accessibility Applications", "name": "CAR-2014-11-003", "fields": ["process/create/command_line", "process/create/exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "RDP Connection Detection", "name": "CAR-2013-07-002", "fields": ["flow/end/dest_port", "flow/start/dest_ip", "flow/start/dest_port", "flow/start/src_ip"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Medium"}]}, {"shortName": "Disable UAC", "name": "CAR-2021-01-008", "fields": ["process/create/image_path", "process/create/command_line"], "attack": [{"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Medium"}]}, {"shortName": "Lsass Process Dump via Procdump", "name": "CAR-2019-07-002", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "SMB Events Monitoring", "name": "CAR-2013-01-003", "fields": ["flow/message/dest_port", "flow/message/proto_info"], "attack": [{"tactics": ["Collection"], "technique": "Technique/T1039", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Service Outlier Executables", "name": "CAR-2013-09-005", "fields": ["process/create/parent_image_path"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1543", "coverage": "Moderate"}]}, {"shortName": "Command Launched from WinLogon", "name": "CAR-2014-11-008", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Privilege Escalation", "Persistence"], "technique": "Technique/T1546", "coverage": "Moderate"}]}, {"shortName": "Windows Remote Management (WinRM)", "name": "CAR-2014-11-006", "fields": 
["flow/start/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Quick execution of a series of suspicious commands", "name": "CAR-2013-04-002", "fields": ["process/create/hostname", "process/create/ppid", "process/create/exe"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1087", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1069", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1057", "coverage": "Low"}, {"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1543", "coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1112", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation"], "technique": "Technique/T1574", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1018", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1569", "coverage": "Low"}, {"tactics": ["Persistence", "Privilege Escalation", "Execution"], "technique": "Technique/T1053", "coverage": "Low"}, {"tactics": ["Exfiltration"], "technique": "Technique/T1029", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1033", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1007", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1082", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1049", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1016", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1010", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1518", "coverage": "Low"}, {"tactics": ["Discovery"], "technique": "Technique/T1046", 
"coverage": "Low"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Low"}, {"tactics": ["Credential Access"], "technique": "Technique/T1098", "coverage": "Low"}, {"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}, {"tactics": ["Discovery"], "technique": "Technique/T1012", "coverage": "Low"}]}, {"shortName": "RPC Activity", "name": "CAR-2014-05-001", "fields": ["flow/start/dest_port", "flow/start/src_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Common Windows Process Masquerading", "name": "CAR-2021-04-001", "fields": ["process/create/exe", "process/create/image_path", "process/access/exe", "process/access/image_path", "process/terminate/exe", "process/terminate/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Moderate"}]}, {"shortName": "Access Permission Modification", "name": "CAR-2019-07-001", "fields": [], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1222", "coverage": "Moderate"}]}, {"shortName": "Processes Started From Irregular Parent", "name": "CAR-2020-11-004", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Low"}]}, {"shortName": "All Logins Since Last Boot", "name": "CAR-2015-07-001", "fields": ["user_session/login/user"], "attack": []}, {"shortName": "BITS Job Persistence", "name": "CAR-2021-05-004", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion", "Persistence"], "technique": "Technique/T1197", "coverage": "Moderate"}]}, {"shortName": "Identifying Port Scanning Activity", "name": "CAR-2021-01-001", "fields": ["flow/start/dest_ip"], "attack": [{"tactics": ["Discovery"], "technique": "Technique/T1046", "coverage": "Moderate"}]}, {"shortName": "Clear Powershell Console Command 
History", "name": "CAR-2020-11-005", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "Disable Windows Event Logging", "name": "CAR-2022-03-001", "fields": ["registry/value_edit/value", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1562", "coverage": "Moderate"}]}, {"shortName": "Create local admin accounts using net exe", "name": "CAR-2021-05-010", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Persistence"], "technique": "Technique/T1136", "coverage": "Moderate"}]}, {"shortName": "Certutil exe certificate extraction", "name": "CAR-2021-05-008", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1606", "coverage": "Moderate"}]}, {"shortName": "DLL Injection via Load Library", "name": "CAR-2013-10-002", "fields": ["thread/remote_create/src_pid", "thread/remote_create/start_function"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1055", "coverage": "Moderate"}, {"tactics": ["Privilege Escalation"], "technique": "Technique/T1548", "coverage": "Moderate"}]}, {"shortName": "Create Remote Thread into LSASS", "name": "CAR-2021-05-011", "fields": ["thread/remote_create"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Moderate"}]}, {"shortName": "Successful Local Account Login", "name": "CAR-2016-04-004", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1550", "coverage": "Moderate"}]}, {"shortName": "SMB Write Request", "name": "CAR-2013-05-003", "fields": ["flow/message/proto_info", "flow/message/dest_port"], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1570", "coverage": "Moderate"}, {"tactics": ["Lateral Movement"], "technique": 
"Technique/T1021", "coverage": "Moderate"}, {"tactics": ["Defense Evasion"], "technique": "Technique/T1078", "coverage": "Moderate"}]}, {"shortName": "Remote Desktop Logon", "name": "CAR-2016-04-005", "fields": [], "attack": [{"tactics": ["Lateral Movement"], "technique": "Technique/T1021", "coverage": "Moderate"}]}, {"shortName": "Clearing Windows Logs with Wevtutil", "name": "CAR-2021-01-003", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Low"}]}, {"shortName": "MSBuild and msxsl", "name": "CAR-2020-11-008", "fields": ["process/create/exe", "process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1127", "coverage": "High"}]}, {"shortName": "Outlier Parents of Cmd", "name": "CAR-2014-11-002", "fields": ["process/create/exe", "process/create/parent_exe"], "attack": [{"tactics": ["Execution"], "technique": "Technique/T1059", "coverage": "Moderate"}]}, {"shortName": "Credentials in Files & Registry", "name": "CAR-2020-09-004", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1552", "coverage": "Low"}]}, {"shortName": "Active Directory Dumping via NTDSUtil", "name": "CAR-2019-08-002", "fields": ["file/create/file_name", "file/create/image_path"], "attack": [{"tactics": ["Credential Access"], "technique": "Technique/T1003", "coverage": "Low"}]}, {"shortName": "Suspicious Run Locations", "name": "CAR-2013-05-002", "fields": ["process/create/image_path"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1036", "coverage": "Low"}]}, {"shortName": "Squiblydoo", "name": "CAR-2019-04-003", "fields": ["process/create/exe", "process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "Moderate"}]}, {"shortName": "Compiled HTML Access", "name": "CAR-2020-11-009", "fields": ["process/create/exe"], "attack": 
[{"tactics": ["Defense Evasion"], "technique": "Technique/T1218", "coverage": "High"}]}, {"shortName": "User Activity from Clearing Event Logs", "name": "CAR-2016-04-002", "fields": ["process/create/command_line"], "attack": [{"tactics": ["Defense Evasion"], "technique": "Technique/T1070", "coverage": "Moderate"}]}]} \ No newline at end of file diff --git a/docs/sensors/auditd_2.8.md b/docs/sensors/auditd_2.8.md index de2e70bd..f82c2af1 100644 --- a/docs/sensors/auditd_2.8.md +++ b/docs/sensors/auditd_2.8.md 
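Review bot: the coverage vocabulary in this generated JSON is inconsistent: most entries use "Moderate", but CAR-2021-12-001, CAR-2013-07-002 and CAR-2021-01-008 are emitted with "Medium" alongside "Low" and "High". Anything that renders or filters on the coverage value will treat "Medium" as a separate bucket, so normalise to one term in the source analytics (or in the generator) before committing the regenerated output. Also worth a check: CAR-2020-04-001 (Shadow Copy Deletion) and CAR-2015-07-001 (All Logins Since Last Boot) carry an empty "attack" list, which means they will be missing from any ATT&CK coverage view built from this file; confirm that is intended.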
@@ -15,17 +15,13 @@ auditd is the userspace component to the Linux Auditing System. It's responsible ## Data Model Coverage -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [driver](../data_model/driver) 
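Review bot: this hunk and the next one only move the `file` and `process` sections; every checkmark row in the `file` table removed here reappears unchanged in the `file` table added further down, and the same swap is repeated in osquery_4.1.2.md, osquery_4.6.0.md and (with `thread`) sysmon_10.4.md. That pattern points at the generator emitting data-model sections in an unstable (dictionary or set) order rather than at any change in sensor coverage. Sorting the sections by data-model name in the generator would stop these files churning on every regeneration and would make real coverage changes stand out in review.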
@@ -42,13 +38,17 @@ auditd is the userspace component to the Linux Auditing System. It's responsible | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| 
diff --git a/docs/sensors/osquery_4.1.2.md b/docs/sensors/osquery_4.1.2.md index 9c5d21f5..17e2e2d5 100644 --- a/docs/sensors/osquery_4.1.2.md +++ b/docs/sensors/osquery_4.1.2.md 
@@ -14,17 +14,13 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [driver](../data_model/driver) 
@@ -41,13 +37,17 @@ osquery exposes an operating system as a high-performance relational database. T | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| |✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| | | | |✓|✓| |✓|✓| | | |✓| 
diff --git a/docs/sensors/osquery_4.6.0.md b/docs/sensors/osquery_4.6.0.md index 7efe527e..878a4c27 100644 --- a/docs/sensors/osquery_4.6.0.md +++ b/docs/sensors/osquery_4.6.0.md 
@@ -14,17 +14,13 @@ osquery exposes an operating system as a high-performance relational database. T ## Data Model Coverage -### [file](../data_model/file) +### [process](../data_model/process) -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| -| `delete` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| -| `modify` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| -| `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓|✓|✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | |✓| | +| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ### [driver](../data_model/driver) 
@@ -41,13 +37,17 @@ osquery exposes an operating system as a high-performance relational database. T | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | | |✓|✓| | | | |✓| | | | |✓| | | | |✓|✓|✓| | | |✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓|✓|✓| | | |✓| |✓| | | | |✓|✓|✓|✓| | | | | | | |✓| | -| `terminate` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| +| `delete` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | |✓|✓| +| `modify` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| +| `write` | | |✓| |✓|✓| | | | |✓| |✓| |✓| | |✓|✓| |✓|✓| | | |✓| 
diff --git a/docs/sensors/sysmon_10.4.md b/docs/sensors/sysmon_10.4.md index 26a6a06c..7ad43bc1 100644 --- a/docs/sensors/sysmon_10.4.md +++ b/docs/sensors/sysmon_10.4.md @@ -14,14 +14,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [thread](../data_model/thread) +### [process](../data_model/process) -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | | | | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | ### [registry](../data_model/registry) 
@@ -32,18 +31,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | | | | | | | | | | | | -### [file](../data_model/file) - -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | 
@@ -58,6 +45,15 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | | `unload` | | | | | | | | | | | | | | +### [thread](../data_model/thread) + +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -66,13 +62,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | | |✓|✓|✓| | | | |✓| | | | |✓| | | |✓|✓|✓|✓| | | |✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | | | | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| |✓| |✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | 
diff --git a/docs/sensors/sysmon_11.0.md b/docs/sensors/sysmon_11.0.md index afed68dd..41c5e2ea 100644 --- a/docs/sensors/sysmon_11.0.md +++ b/docs/sensors/sysmon_11.0.md @@ -14,14 +14,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [thread](../data_model/thread) +### [process](../data_model/process) -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | |✓| | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | ### [registry](../data_model/registry) 
@@ -32,18 +31,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | | | | | | | | | | | | -### [file](../data_model/file) - -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓| -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | 
@@ -58,6 +45,15 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| |✓|✓|✓|✓| |✓| | | `unload` | | | | | | | | | | | | | | +### [thread](../data_model/thread) + +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓| | | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -66,13 +62,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | | |✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓|✓|✓| | |✓| | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | | |✓| +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | 
diff --git a/docs/sensors/sysmon_13.md b/docs/sensors/sysmon_13.md index f1ac7958..2c091e37 100644 --- a/docs/sensors/sysmon_13.md +++ b/docs/sensors/sysmon_13.md @@ -14,14 +14,13 @@ Sysmon is a freely available program from Microsoft that is provided as part of ## Data Model Coverage -### [thread](../data_model/thread) +### [process](../data_model/process) -| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | -| `suspend` | | | | | | | | | | | | | | | | -| `terminate` | | | | | | | | | | | | | | | | +| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓| |✓|✓| | | | | | | |✓| +| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | ### [registry](../data_model/registry) 
@@ -32,18 +31,6 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `remove` | |✓|✓| |✓|✓| |✓| | |✓| | `value_edit` | |✓|✓| |✓|✓|✓|✓| | |✓| -### [file](../data_model/file) - -| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | -| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓| -| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | -| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | - ### [driver](../data_model/driver) | | `base_address` | `fqdn` | `hostname` | `image_path` | `md5_hash` | `module_name` | `pid` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | 
@@ -58,6 +45,15 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `load` | |✓| |✓|✓| |✓|✓|✓| |✓|✓|✓| | `unload` | | | | | | | | | | | | | | +### [thread](../data_model/thread) + +| | `hostname` | `src_pid` | `src_tid` | `stack_base` | `stack_limit` | `start_address` | `start_function` | `start_module` | `start_module_name` | `tgt_pid` | `tgt_tid` | `uid` | `user` | `user_stack_base` | `user_stack_limit` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `remote_create` | ✓|✓| | | |✓|✓|✓| |✓|✓|✓| | | | +| `suspend` | | | | | | | | | | | | | | | | +| `terminate` | | | | | | | | | | | | | | | | + ### [flow](../data_model/flow) | | `application_protocol` | `content` | `dest_fqdn` | `dest_hostname` | `dest_ip` | `dest_port` | `end_time` | `exe` | `fqdn` | `hostname` | `image_path` | `in_bytes` | `network_direction` | `out_bytes` | `packet_count` | `pid` | `ppid` | `proto_info` | `src_fqdn` | `src_hostname` | `src_ip` | `src_port` | `start_time` | `tcp_flags` | `transport_protocol` | `uid` | `user` | 
@@ -66,13 +62,17 @@ Sysmon is a freely available program from Microsoft that is provided as part of | `message` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `start` | | |✓| |✓|✓| | |✓| |✓| | | | |✓| | |✓| |✓|✓|✓| | |✓|✓| -### [process](../data_model/process) +### [file](../data_model/file) -| | `access_level` | `call_trace` | `command_line` | `current_working_directory` | `env_vars` | `exe` | `fqdn` | `guid` | `hostname` | `image_path` | `integrity_level` | `md5_hash` | `parent_command_line` | `parent_exe` | `parent_guid` | `parent_image_path` | `pid` | `ppid` | `sha1_hash` | `sha256_hash` | `sid` | `signature_valid` | `signer` | `target_address` | `target_guid` | `target_name` | `target_pid` | `uid` | `user` | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| `access` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `create` | | |✓|✓| | |✓| | |✓|✓|✓|✓| | |✓|✓|✓| |✓|✓| | | | | | | |✓| -| `terminate` | | | | | | |✓| | |✓| | | | | | |✓| | | | | | | | | | | | | +| | `company` | `content` | `creation_time` | `extension` | `file_name` | `file_path` | `fqdn` | `gid` | `group` | `hostname` | `image_path` | `link_target` | `md5_hash` | `mime_type` | `mode` | `owner` | `owner_uid` | `pid` | `ppid` | `previous_creation_time` | `sha1_hash` | `sha256_hash` | `signature_valid` | `signer` | `uid` | `user` | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| `acl_modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `create` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| | | | | | | | | +| `delete` | | | | | |✓|✓| | | |✓| |✓| | | | |✓| | |✓|✓| | |✓|✓| +| `modify` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `read` | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `timestomp` | | |✓| | |✓|✓| | | |✓| | | | | | |✓| |✓| | | | | | | +| `write` | | | | | | | | | | | | | | | | | | | | | | | | | | | 
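Review bot: Across the sysmon_10.4, sysmon_11.0 and sysmon_13 hunks, the `process`, `file` and `thread` tables removed from one position are re-added elsewhere with identical headers and rows (compare the removed `### [process]` block at the end of each file with the one added under `## Data Model Coverage`), so the change is pure section reordering to process, registry, driver, thread, flow, file. If these sensor pages are generated, the generator should emit data-model sections in a fixed order (for example sorted by name) so that regenerating does not churn every file; if they are hand-maintained, a line in the commit message saying why the order changed would let reviewers confirm nothing was dropped. One thing to double-check in the osquery hunk at the top of this patch: the added `file` table carries checkmarks on the `create`, `delete`, `modify`, `timestomp` and `write` rows while the removed `process` table only had a populated `create` row, so confirm that is an intended coverage change rather than a paste error.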
From 84ac9eafe5f2a289bd5cdc057a2ed8f3b666a2f1 Mon Sep 17 00:00:00 2001 From: Keep Watcher Date: Mon, 25 Sep 2023 20:26:47 -0400 Subject: [PATCH 81/82] Create detectable_calcuator.py --- .../detectable_calcuator.py | 252 ++++++++++++++++++ 1 file changed, 252 insertions(+) create mode 100644 scripts/detectable_calculator/detectable_calcuator.py diff --git a/scripts/detectable_calculator/detectable_calcuator.py b/scripts/detectable_calculator/detectable_calcuator.py new file mode 100644 index 00000000..3148474f --- /dev/null +++ b/scripts/detectable_calculator/detectable_calcuator.py 
@@ -0,0 +1,252 @@ +"""Module providing verified technique extraction from open-source detection libraries""" +# pylint: disable=C0206 + +import os +import re +import json +import tomllib +from datetime import datetime +from urllib.request import urlretrieve +from pathlib import Path +from zipfile import ZipFile +import yaml + +def list_files(path, extensions): + """Function listing filenames in a path with a specific extension.""" + results = [] + for root, dirs, files in os.walk(path): + for file in files: + for extension in extensions: + if file.endswith(extension): + temp_path = Path(root, file) + results.append(temp_path) + return results + +def create_or_append(key_name, value, target_dict): + """Helper function to add or append to a key-based list within a dictionary.""" + if key_name in target_dict: + target_dict[key_name].append(value) + else: + target_dict[key_name] = [value] + +def download_library(library_name, repo_url, root_path): + """Downloads detection libraries from Github if not present on disk.""" + library_path = Path(root_path,library_name) + library_zip = Path(root_path, f"{library_name}.zip") + + # only download if the folder does not exist at target path + if os.path.exists(library_path): + print(f"{library_name} already present, skipping download") + else: + urlretrieve(repo_url, library_zip) + + # extract zip + with ZipFile(library_zip, 'r') as zobject: + zobject.extractall(root_path) + + # cleanup + os.remove(library_zip) + print(f"{library_name} downloaded") + +# optional - location where detection libraries will be downloaded +ROOT_SEARCH_PATH = "" +UNIQUE_DETECTION_THRESHOLD = 5 +DETECTION_LIBRARIES = { + "car": { + "search_path": Path("car-master","analytics"), + "file_types": [".yaml"], + "repo_url": "https://github.com/mitre-attack/car/archive/refs/heads/master.zip", + "repo_name": "car-master" + }, + "sigma_windows": { + "search_path": Path("sigma-master","rules","windows"), + "file_types": [".yml"], + "repo_url": 
"https://github.com/SigmaHQ/sigma/archive/refs/heads/master.zip", + "repo_name": "sigma-master" + }, + "sigma_linux": { + "search_path": Path("sigma-master","rules","linux"), + "file_types": [".yml"], + "repo_url": "https://github.com/SigmaHQ/sigma/archive/refs/heads/master.zip", + "repo_name": "sigma-master" + }, + "splunk": { + "search_path": Path("security_content-develop","detections","endpoint"), + "file_types": [".yml"], + "repo_url": "https://github.com/splunk/security_content/archive/refs/heads/develop.zip", + "repo_name": "security_content-develop" + }, + "elastic_windows": { + "search_path": Path("detection-rules-main","rules","windows"), + "file_types": [".toml"], + "repo_url": "https://github.com/elastic/detection-rules/archive/refs/heads/main.zip", + "repo_name": "detection-rules-main" + }, + "elastic_linux": { + "search_path": Path("detection-rules-main","rules","linux"), + "file_types": [".toml"], + "repo_url": "https://github.com/elastic/detection-rules/archive/refs/heads/main.zip", + "repo_name": "detection-rules-main" + } +} + +spl_sourcetype_maps = { + "xmlwineventlog": "windows", + "sysmon_linux": "linux", + "WinEventLog": "windows", + "xmlwineventlog;WinEventLog": "windows" +} + +extracted_techniques = {"windows": {}, "linux": {}} +skipped = {} + +if not ROOT_SEARCH_PATH: + ROOT_SEARCH_PATH = "." 
+ +for library in DETECTION_LIBRARIES: + print(f"--- Parsing {library} ---") + skipped[library] = {} + search_path = Path(ROOT_SEARCH_PATH,DETECTION_LIBRARIES[library]["search_path"]) + + download_library(DETECTION_LIBRARIES[library]["repo_name"], + DETECTION_LIBRARIES[library]["repo_url"], ROOT_SEARCH_PATH) + + for file_path in list_files(search_path, extensions=DETECTION_LIBRARIES[library]["file_types"]): + file_basename = os.path.basename(file_path) + temp_results = {"name": file_basename, "source": library} + PLATFORM = "" + if library in ["car","sigma_windows","sigma_linux","splunk"]: + with open(file_path, 'r', encoding="utf-8") as f: + content = yaml.safe_load(f) + if library == "car": + if "platforms" in content: + raw_platform = content["platforms"] + for platform_element in raw_platform: + if platform_element in ["Windows","Linux"]: + PLATFORM = platform_element.lower() + if "coverage" in content: + for coverage_item in content["coverage"]: + technique = coverage_item["technique"] + create_or_append(technique, temp_results, + extracted_techniques[PLATFORM]) + if "subtechniques" in coverage_item: + for sub_t in coverage_item["subtechniques"]: + create_or_append(sub_t, temp_results, + extracted_techniques[PLATFORM]) + else: + create_or_append("no coverage in content", file_basename, + skipped[library]) + else: + create_or_append("no platforms in content", file_basename, skipped[library]) + if not PLATFORM: + create_or_append("platforms present, but no win/linux", file_basename, + skipped[library]) + elif library in ["sigma_windows","sigma_linux"]: + PLATFORM = library.split("_")[1] + if "tags" in content: + MATCH_MADE = False + for raw_tag in content["tags"]: + match = re.search(r"\.(?Pt\d+(\.\d+)?)$", raw_tag) + if match: + create_or_append(match.group("technique").upper(),temp_results, + extracted_techniques[PLATFORM]) + MATCH_MADE = True + if not MATCH_MADE: + create_or_append("no techniques found in tags", + file_basename, skipped[library]) + else: + 
create_or_append("no tags in content", file_basename, skipped[library]) + elif library == "splunk": + splunk_tags = [] + if "tags" in content: + if "mitre_attack_id" in content["tags"]: + splunk_tags = content["tags"]["mitre_attack_id"] + else: + create_or_append("no attack ids in tags", file_basename, + skipped[library]) + else: + create_or_append("no tags in content", file_basename, skipped[library]) + + if "tests" in content: + for test in content["tests"]: + if "attack_data" in test: + for attack_data in test["attack_data"]: + if attack_data["sourcetype"] in spl_sourcetype_maps: + splunk_os = spl_sourcetype_maps[attack_data["sourcetype"]] + for splunk_tag in splunk_tags: + create_or_append(splunk_tag.upper(), temp_results, + extracted_techniques[splunk_os]) + else: + create_or_append("no attack_data in test", file_basename, + skipped[library]) + else: + create_or_append("no tests in content", file_basename, skipped[library]) + elif library in ["elastic_windows", "elastic_linux"]: + with open(file_path, 'rb') as toml_f: + toml_content = tomllib.load(toml_f) + MATCH_MADE = False + if "tags" in toml_content["rule"]: + for toml_tag in toml_content["rule"]["tags"]: + os_match = re.search(r"^OS:\s(?P.+)$", toml_tag) + if os_match: + PLATFORM = os_match.group("platform").lower() + else: + create_or_append("no tags in content", file_basename, skipped[library]) + + if "threat" in toml_content["rule"]: + for threat_item in toml_content["rule"]["threat"]: + if "technique" in threat_item: + for technique_item in threat_item["technique"]: + technique_match = re.search(r"(?P[Tt]\d+)$", + technique_item["id"]) + if technique_match: + create_or_append(technique_match.group("technique"), + temp_results,extracted_techniques[PLATFORM]) + MATCH_MADE = True + + if "subtechnique" in technique_item: + for toml_subt in technique_item["subtechnique"]: + subt_match = re.search(r"(?P[Tt]\d+\.\d+)$", + toml_subt["id"]) + if subt_match: + create_or_append(subt_match.group("technique"), + 
temp_results, + extracted_techniques[PLATFORM]) + MATCH_MADE = True + else: + create_or_append("no threat in content", file_basename, skipped[library]) + + if not PLATFORM: + create_or_append("no platform (OS:) in tags", file_basename, skipped[library]) + + if not MATCH_MADE: + create_or_append("no techniques matching regex pattern found in threat section", + file_basename, skipped[library]) + +print("--- Printing results and outputting to disk ---") + +filename_time = datetime.utcnow().strftime('%Y-%m-%d-%H-%M-%S') +for os in extracted_techniques: + techniques = list(extracted_techniques[os].keys()) + technique_count = len(techniques) + detect_techs = {} + for ex_tech in extracted_techniques[os]: + rule_count = len(extracted_techniques[os][ex_tech]) + if rule_count >= UNIQUE_DETECTION_THRESHOLD: + detect_techs[ex_tech] = rule_count + print(f"{technique_count} techniques found for {os}: {techniques}") + print(f"{len(detect_techs.keys())} likely detectable techniques found for {os} {detect_techs}") + +export_filename_success = f"{filename_time}_parsed-technique-map.json" +with open(export_filename_success, 'w', encoding="utf-8") as job_success: + json.dump(extracted_techniques, job_success) + +for error_library in skipped: + for error_type in skipped[error_library]: + error_files = skipped[error_library][error_type] + error_count = len(error_files) + print(f"{error_count} errors found for {error_library} - error type {error_type}: {error_files}") + +export_filename_skips = f"{filename_time}_skips.json" +with open(export_filename_skips, 'w', encoding="utf-8") as job_skips: + json.dump(skipped, job_skips) From 9d8b6cc042edeedfc3ea2a41a3fef4a4cf10e93f Mon Sep 17 00:00:00 2001 
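Review bot: `PLATFORM` can still be an empty string when the technique lookups run, which raises `KeyError: ''` on `extracted_techniques[PLATFORM]` instead of recording a skip. In the CAR branch, an analytic whose `platforms` list contains neither `Windows` nor `Linux` (macOS-only, for instance) leaves `PLATFORM = ""` but still enters the `if "coverage" in content:` block; in the Elastic branch, a rule with no `OS:` tag does the same inside the `threat` loop. The `if not PLATFORM:` checks that append to `skipped[library]` run only after those loops, so move them ahead of the loops and `continue` when no platform was found (the CAR branch also keeps only the last matching platform when an analytic lists both). Two smaller points: `for os in extracted_techniques:` rebinds the imported `os` module to a string for the rest of the module, so rename the loop variable (for example `platform_name`); and `download_library` fetches `refs/heads/master`, `develop` and `main` archives with no pin or checksum, so two runs can count different rule sets. Recording the archive's commit in the exported JSON, or pinning to a tag, would make the "likely detectable" counts reproducible.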
From: Keep Watcher Date: Mon, 25 Sep 2023 20:27:58 -0400 Subject: [PATCH 82/82] Adding supplement files --- scripts/detectable_calculator/README.md | 26 +++++++++++++++++++ .../detectable_calculator/requirements.txt | 2 ++ 2 files changed, 28 insertions(+) create mode 100644 scripts/detectable_calculator/README.md create mode 100644 scripts/detectable_calculator/requirements.txt diff --git a/scripts/detectable_calculator/README.md b/scripts/detectable_calculator/README.md new file mode 100644 index 00000000..a747f805 --- /dev/null +++ b/scripts/detectable_calculator/README.md 
@@ -0,0 +1,26 @@ +# Detectable techniques calculator + +This script queries four open-source detection repositories to calculate known and likely detectable MITRE ATT&CK techniques. It's inspired by and attempts to improve CAR's [coverage comparison website](https://car.mitre.org/coverage/). + +Key differences: + +- Split per-technique detection results by operating system (Windows and Linux only for now) +- Focuses on detections in "active" library content (a Github term search will match on content like [this deprecated Sigma rule](https://github.com/SigmaHQ/sigma/blob/eb2f82cbc35909a9657aada437a59a70b5610818/deprecated/windows/proc_creation_win_lolbin_rdrleakdiag.yml#L13), and it seems like CAR is including these results) +- Can be run anytime instead of depending on a CAR coverage update (last update as of writing was `December 30, 2022`) +- Outputs a conservative list of "likely detectable" techniques and subtechniques using the conditions above and a configurable threshold (`UNIQUE_DETECTION_THRESHOLD`). + +## Usage + +Run the code with `python detectable_calculator.py` + +## Setup directions + +1. Install Python 3 (this code was validated on Python 3.11.5). +2. Install required libraries to permit detection rule parsing: `pip install -r requirements.txt` +3. Optional: In the code, configure the `ROOT_SEARCH_PATH` if you want the detection libraries to be somewhere other than your current working directory +4. Optional: In the code, configure the `UNIQUE_DETECTION_THRESHOLD` (5 by default) if you think more or fewer detections should be required for a technique to be counted as "likely detectable" per-operating-system. +5. 
Optional: If having trouble with the script's detection repo download, manually download the four detection libraries by unzipping these files in the `ROOT_SEARCH_PATH`: + - https://github.com/mitre-attack/car/archive/refs/heads/master.zip + - https://github.com/SigmaHQ/sigma/archive/refs/heads/master.zip + - https://github.com/splunk/security_content/archive/refs/heads/develop.zip + - https://github.com/elastic/detection-rules/archive/refs/heads/main.zip diff --git a/scripts/detectable_calculator/requirements.txt b/scripts/detectable_calculator/requirements.txt new file mode 100644 index 00000000..12934505 --- /dev/null +++ b/scripts/detectable_calculator/requirements.txt @@ -0,0 +1,2 @@ +PyYAML==6.0.1 +toml==0.10.2 \ No newline at end of file
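Review bot: The usage line `python detectable_calculator.py` does not match the file this PR adds, `scripts/detectable_calculator/detectable_calcuator.py` (missing `l`), so the documented command fails with "No such file"; rename the script to match the README and its directory. Setup step 1 should also say Python 3.11 or newer rather than "Python 3", because the script imports the standard-library `tomllib` module, which does not exist before 3.11 (consistent with the 3.11.5 validation note). Finally, the intro says the script "queries" the repositories, but it downloads and unzips branch snapshots; saying so makes clear that the results depend on whatever `master`/`develop`/`main` contained at run time.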
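Review bot: `toml==0.10.2` is not used anywhere: the script imports the standard-library `tomllib`, not the third-party `toml` package, so this pin installs an unrelated library and advertises a dependency that does not exist. Drop it, leaving only `PyYAML==6.0.1`, or, if running on Python older than 3.11 is a goal, import `toml` and use it for the Elastic rules instead of `tomllib`. Also add the trailing newline flagged by `\ No newline at end of file`.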