:root{color-scheme:light;--hf-height:56px;--bg1:#fff;--bg2:#f0f0f0;--bg3:#e0e0e0;--fg1:#1a1a1a;--fg2:#666;--link:#2563eb;--accent:#2563eb;--border:#d1d5db;--btn-hover:#d1d5db;--syn-key:#0550ae;--syn-str:#116329;--syn-num:#953800;--syn-bool:#6639ba;--syn-punct:#666;--msg-param:#b91c1c;--highlight-bg:#fef08a;--highlight-fg:#1a1a1a;--tactic-reconnaissance:#6c3483;--tactic-initial_access:#c0392b;--tactic-execution:#d35400;--tactic-persistence:#b7950b;--tactic-privilege_escalation:#1e8449;--tactic-defense_evasion:#148f77;--tactic-credential_access:#2471a3;--tactic-discovery:#7d3c98;--tactic-lateral_movement:#c2185b;--tactic-collection:#00838f;--tactic-command_and_control:#5d4037;--tactic-exfiltration:#455a64;--tactic-impact:#c62828;--badge-bg:#374151;--badge-fg:#fff;--rel-sequence:#0369a1;--rel-shared-rules:#9ca3af;--rel-success-failure:#b91c1c;--rel-shared-schema:#2563eb;--rel-equivalent:#7c3aed}:root.theme-gruvbox-dark{color-scheme:dark;--bg1:#282828;--bg2:#1d2021;--bg3:#3c3836;--fg1:#ebdbb2;--fg2:#a89984;--link:#83a598;--accent:#fabd2f;--border:#504945;--btn-hover:#504945;--syn-key:#83a598;--syn-str:#b8bb26;--syn-num:#fe8019;--syn-bool:#d3869b;--syn-punct:#a89984;--msg-param:#fabd2f;--highlight-bg:#4a3a10;--highlight-fg:#fabd2f;--badge-bg:#504945;--badge-fg:#ebdbb2;--rel-sequence:#83a598;--rel-shared-rules:#665c54;--rel-success-failure:#fb4934;--rel-shared-schema:#83a598;--rel-equivalent:#d3869b}:root.theme-oxocarbon{color-scheme:dark;--bg1:#161616;--bg2:#262626;--bg3:#393939;--fg1:#dde1e6;--fg2:#a2a9b0;--link:#78a9ff;--accent:#be95ff;--border:#525252;--btn-hover:#393939;--syn-key:#78a9ff;--syn-str:#42be65;--syn-num:#ee5396;--syn-bool:#be95ff;--syn-punct:#a2a9b0;--msg-param:#08bdba;--highlight-bg:#2a1f47;--highlight-fg:#be95ff;--badge-bg:#525252;--badge-fg:#dde1e6;--rel-sequence:#78a9ff;--rel-shared-rules:#525252;--rel-success-failure:#ee5396;--rel-shared-schema:#78a9ff;--rel-equivalent:#be95ff}.chroma .lnlinks{outline:0;text-decoration:none;color:inherit}.chroma .lntd{vertical-align:top;padding:0;margin:0;border:0}.chroma .lntable{border-spacing:0;padding:0;margin:0;border:0}.chroma .hl{background-color:var(--bg2)}.chroma .lnt{white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em 0 .4em;color:#7f7f7f}.chroma .ln{white-space:pre;-webkit-user-select:none;user-select:none;margin-right:.4em;padding:0 .4em 0 .4em;color:#7f7f7f}.chroma .line{display:flex}.chroma .nt{color:var(--syn-key)}.chroma .s,.chroma .s2,.chroma .s1,.chroma .sa,.chroma .sb,.chroma .sc,.chroma .dl,.chroma .sd,.chroma .se,.chroma .sh,.chroma .si,.chroma .sx,.chroma .sr,.chroma .ss,.chroma .l-Scalar-Plain{color:var(--syn-str)}.chroma .mi,.chroma .mf,.chroma .mh,.chroma .il,.chroma .mb,.chroma .mo{color:var(--syn-num)}.chroma .kc{color:var(--syn-bool)}.chroma .p{color:var(--syn-punct)}.chroma .k{font-weight:bold}.chroma .kd{font-weight:bold}.chroma .kn{font-weight:bold}.chroma .kp{font-weight:bold}.chroma .kr{font-weight:bold}.chroma .kt{font-weight:bold}.chroma .nc{color:var(--syn-key);font-weight:bold}.chroma .no{color:var(--syn-key)}.chroma .nn{color:var(--syn-key)}.chroma .nb{color:var(--syn-bool)}.chroma .bp{color:var(--syn-bool)}.chroma .nv,.chroma .vc,.chroma .vg,.chroma .vi,.chroma .vm{color:var(--fg2)}.chroma .nf,.chroma .fm{color:var(--syn-key)}.chroma .c,.chroma .ch,.chroma .cm,.chroma .c1,.chroma .cs,.chroma .cp,.chroma .cpf{color:var(--fg2);font-style:italic}.chroma .ow{font-weight:bold}html{scrollbar-gutter:stable}@media(prefers-reduced-motion:no-preference){html,.post-body,.blog-index{scroll-behavior:smooth}}body{display:flex;min-height:100dvh;flex-direction:column;margin:0;background-color:var(--bg1);color:var(--fg1);font-family:sans-serif;line-height:1.5;-webkit-text-size-adjust:none;text-size-adjust:none}header,footer,thead,pre,code{background-color:var(--bg2)}kbd{display:inline-block;padding:2px 6px;font-family:monospace;font-size:.875em;line-height:1.2;color:var(--fg1);background-color:var(--bg2);border:1px solid var(--border);border-radius:3px;box-shadow:inset 0 -1px 0 var(--border)}main{width:100%;max-width:1200px;margin:0 auto;padding-inline:2em;padding-block:0;box-sizing:border-box}main>h1:first-child{font-size:1.15rem;margin-top:-1.5em;margin-bottom:0}article{margin-top:2em}article:not(:last-of-type){padding-bottom:2em;border-bottom:solid 1px var(--fg2)}.metadata{margin:1em 0}.tags{list-style:none;display:inline-flex;gap:.5em;margin:0;padding:0}.tags a{color:var(--fg2);text-decoration:none}:is(h1,h2,h3,h4,h5,h6) .anchor{visibility:hidden}:is(h1,h2,h3,h4,h5,h6):hover .anchor{visibility:visible}p,li{text-align:left}a{color:var(--link);text-decoration:none}a:hover{text-decoration:underline}pre code{padding:0}code{padding:.2em .3em;overflow-wrap:break-word;word-break:break-word}a{overflow-wrap:break-word;word-break:break-word}table{border-collapse:collapse;width:auto;max-width:100%;word-wrap:break-word;overflow-wrap:break-word}td,th{border:solid 1px var(--border)}td,th{padding:.4em .75em}th{font-size:.8rem}pre{padding:1em}pre,.katex{overflow:auto}figure{margin:0}img{width:100%}figcaption{margin-top:1em;color:var(--fg2);text-align:center}.stat-item:not(:last-child)::after{content:",";margin-right:.3em}.table-scroll-wrap{overflow-x:auto;-webkit-overflow-scrolling:touch}.post-authors{display:flex;align-items:center;gap:.4rem;flex-wrap:wrap}.post-author-link{text-decoration:none}.post-author-name{font-weight:600}.author-icons{display:flex;gap:.3rem;align-items:center}.author-social{display:inline-flex;align-items:center;text-decoration:none}.author-social svg{width:18px;height:18px;fill:var(--fg2)}.author-profile{padding:2em 1em;margin-top:2em;border-top:1px solid var(--border);display:flex;gap:1.5em;align-items:flex-start}.author-header{display:flex;gap:1rem;align-items:center}.author-header-content{display:flex;flex-direction:column;gap:.3em;align-items:flex-start}.author-title-row{display:flex;gap:.5em;align-items:center}.author-full-bio{margin-top:.5em}.author-posts{margin-top:1em}.author-row{display:flex;gap:1.5em;align-items:center;margin-bottom:1em}.author-name{font-weight:600;width:10em}.author-name a{text-decoration:none;color:var(--fg1)}.author-links-right{display:flex;gap:.5rem;align-items:center;margin-left:auto}.blog-heading{margin:-1.5rem 0 0 0}.posts-showcase{display:flex;gap:1.5em;flex-wrap:wrap}.post-showcase{flex:1 1 300px}.post-showcase:first-child{flex:1 1 100%;margin-bottom:.5em}.post-showcase-title{font-size:1.15rem}.post-meta{font-size:.85rem;color:var(--fg2)}.post-excerpt{position:relative;overflow:hidden;max-height:6em}.excerpt-fade{position:absolute;bottom:0;left:0;right:0;height:2.5em;background:linear-gradient(transparent,var(--bg1));pointer-events:none}.read-more a{font-size:.85rem;color:var(--link)}.read-more a:hover{text-decoration:underline}.home-sidebar{position:fixed;right:2em;top:calc(var(--hf-height) + 1em);width:14em}.sidebar-section{margin-bottom:1.25rem}.sidebar-title{font-size:.8rem;text-transform:uppercase;color:var(--fg2)}.sidebar-list{list-style:none;padding:0;margin:.35em 0 0;display:flex;flex-direction:column;gap:.2em}.sidebar-list a{color:var(--fg1);font-size:.85rem}.sidebar-list a:hover{color:var(--link)}header{background-color:var(--bg2);height:var(--hf-height);min-height:var(--hf-height);display:flex;align-items:center;position:relative;box-sizing:border-box;padding:0;border-bottom:1px solid var(--border);flex-shrink:0}.navbar{width:100%;height:100%;display:flex;align-items:center;padding:0 .75rem;box-sizing:border-box;position:relative;background:inherit;font-family:sans-serif}.site-logo{display:inline-block;width:40px;height:40px;color:var(--fg1);margin-right:.5rem}.site-logo .icon{display:block}.site-brand{position:absolute;left:50%;transform:translateX(-50%);display:flex;align-items:center;gap:.5rem;text-decoration:none;height:var(--hf-height)}.header-title{color:var(--fg1);text-decoration:none;font-weight:600;font-size:1rem}.header-actions{display:flex;align-items:center;gap:2rem;margin-left:auto}.header-action-link{color:var(--fg1);text-decoration:none;font-size:.8125rem;font-weight:600;white-space:nowrap;display:flex;align-items:center}.header-action-link:hover,.header-action-link.active{color:var(--link);text-decoration:none}.btn-icon{background:0;border:0;color:var(--fg1);cursor:pointer;padding:0;display:flex;align-items:center}.btn-icon:hover{color:var(--link)}.help-btn{font-size:.6875rem;font-weight:600;font-family:inherit;white-space:nowrap}.icon{display:inline-block;background-color:currentColor;-webkit-mask-size:contain;mask-size:contain;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-position:center;mask-position:center}.icon-sun{width:14px;height:14px;-webkit-mask-image:url("data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%2024%2024'%20fill='none'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'%3E%3Ccircle%20cx='12'%20cy='12'%20r='5'/%3E%3Cline%20x1='12'%20y1='1'%20x2='12'%20y2='3'/%3E%3Cline%20x1='12'%20y1='21'%20x2='12'%20y2='23'/%3E%3Cline%20x1='4.22'%20y1='4.22'%20x2='5.64'%20y2='5.64'/%3E%3Cline%20x1='18.36'%20y1='18.36'%20x2='19.78'%20y2='19.78'/%3E%3Cline%20x1='1'%20y1='12'%20x2='3'%20y2='12'/%3E%3Cline%20x1='21'%20y1='12'%20x2='23'%20y2='12'/%3E%3Cline%20x1='4.22'%20y1='19.78'%20x2='5.64'%20y2='18.36'/%3E%3Cline%20x1='18.36'%20y1='5.64'%20x2='19.78'%20y2='4.22'/%3E%3C/svg%3E");mask-image:url("data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%2024%2024'%20fill='none'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%20stroke-linejoin='round'%3E%3Ccircle%20cx='12'%20cy='12'%20r='5'/%3E%3Cline%20x1='12'%20y1='1'%20x2='12'%20y2='3'/%3E%3Cline%20x1='12'%20y1='21'%20x2='12'%20y2='23'/%3E%3Cline%20x1='4.22'%20y1='4.22'%20x2='5.64'%20y2='5.64'/%3E%3Cline%20x1='18.36'%20y1='18.36'%20x2='19.78'%20y2='19.78'/%3E%3Cline%20x1='1'%20y1='12'%20x2='3'%20y2='12'/%3E%3Cline%20x1='21'%20y1='12'%20x2='23'%20y2='12'/%3E%3Cline%20x1='4.22'%20y1='19.78'%20x2='5.64'%20y2='18.36'/%3E%3Cline%20x1='18.36'%20y1='5.64'%20x2='19.78'%20y2='4.22'/%3E%3C/svg%3E")}.icon-menu{width:16px;height:16px;-webkit-mask-image:url("data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%2024%2024'%20fill='none'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%3E%3Cline%20x1='3'%20y1='6'%20x2='21'%20y2='6'/%3E%3Cline%20x1='3'%20y1='12'%20x2='21'%20y2='12'/%3E%3Cline%20x1='3'%20y1='18'%20x2='21'%20y2='18'/%3E%3C/svg%3E");mask-image:url("data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%2024%2024'%20fill='none'%20stroke='black'%20stroke-width='2'%20stroke-linecap='round'%3E%3Cline%20x1='3'%20y1='6'%20x2='21'%20y2='6'/%3E%3Cline%20x1='3'%20y1='12'%20x2='21'%20y2='12'/%3E%3Cline%20x1='3'%20y1='18'%20x2='21'%20y2='18'/%3E%3C/svg%3E")}.icon-shield{width:40px;height:40px;-webkit-mask-image:url("data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%2064%2064'%3E%3Cpath%20d='M32%204l24%208V28c0%2016-12%2027-24%2032C20%2055%208%2044%208%2028V12z'%20fill='none'%20stroke='black'%20stroke-width='3'/%3E%3Cpath%20d='M32%2018l4%2012%208%204-8%204-4%2012-4-12-8-4%208-4z'%20fill='black'/%3E%3C/svg%3E");mask-image:url("data:image/svg+xml,%3Csvg%20xmlns='http://www.w3.org/2000/svg'%20viewBox='0%200%2064%2064'%3E%3Cpath%20d='M32%204l24%208V28c0%2016-12%2027-24%2032C20%2055%208%2044%208%2028V12z'%20fill='none'%20stroke='black'%20stroke-width='3'/%3E%3Cpath%20d='M32%2018l4%2012%208%204-8%204-4%2012-4-12-8-4%208-4z'%20fill='black'/%3E%3C/svg%3E")}.nav-check-hidden{position:absolute;opacity:0;pointer-events:none}.nav-toggle{display:none}.nav-links{display:contents}.theme-cycle-btn{padding:.3rem;justify-content:center;border-radius:4px}@media(max-width:600px){header{height:auto;min-height:auto;padding:.5rem 0}.navbar{min-height:auto;padding:0 .625rem}.site-brand{position:absolute;left:50%;transform:translateX(-50%)}.site-logo{width:34px;height:34px}.site-logo .icon-shield{width:34px;height:34px}.header-title{font-size:1rem}.header-actions{flex-direction:row;align-items:center;gap:1rem}.help-btn{display:none}.nav-toggle{display:flex}.nav-toggle .icon-menu{width:20px;height:20px}.nav-links{display:none;position:absolute;top:calc(100% + 4px);right:0;background:var(--bg2);border:1px solid var(--border);border-radius:4px;min-width:140px;box-shadow:0 4px 12px rgba(0,0,0,0.3);z-index:1001;padding:.25rem 0;flex-direction:column}#nav-check:checked ~ .nav-links{display:flex}#nav-check:focus-visible ~ .nav-toggle{outline:2px solid var(--link);outline-offset:2px}.nav-links .header-action-link{font-size:.8125rem;padding:.5rem 1rem}.nav-links .header-action-link:hover{background:var(--btn-hover)}}.help-overlay{border:0;padding:0;background:transparent;overflow:visible;inset:0;margin:auto}.help-overlay:popover-open{display:flex;align-items:center;justify-content:center}.help-overlay::backdrop{background:rgba(0,0,0,0.5)}.help-panel{position:relative;background:var(--bg2);border:1px solid var(--border);border-radius:6px;box-shadow:0 8px 24px rgba(0,0,0,0.4);max-width:90%;width:auto;padding:1.5em 2em;max-height:85vh;overflow-y:auto}.help-panel h2{margin:0 0 .75em;font-size:1rem}.help-panel dl{display:grid;grid-template-columns:auto 1fr;gap:.4em 1.25em;align-items:baseline;margin:0}.help-panel dt{text-align:right;white-space:nowrap}.help-panel dd{margin:0;font-size:.875rem;color:var(--fg2)}.help-nav-link{margin:1em 0 0;font-size:.85rem;color:var(--fg2)}.hint-label{position:absolute;top:0;left:100%;z-index:500;background:var(--accent);color:var(--bg1);font:bold 11px/1 monospace;text-transform:uppercase;padding:2px 4px;border-radius:3px;white-space:nowrap;pointer-events:none;transform:translate(2px,-100%);box-shadow:0 1px 3px rgba(0,0,0,.35)}.hint-label--hidden{display:none}@media(max-width:820px){.home-sidebar{position:static;width:auto;margin-top:2rem}.event-meta{gap:.3em .75rem}}@media(max-width:768px){.search-pagination{flex-wrap:wrap}}@media(max-width:600px){main,.footer-content{padding-left:1em;padding-right:1em}.blog-heading{margin:-1.25rem 0 0 0}.event-catalog-summary{display:none}.event-provider-table td{padding:.5em;font-size:.875rem}.event-provider-table th{padding:.5em;font-size:.65rem}.event-provider-table td:first-child{word-break:break-word}.event-toc-table .col-channel{display:none}.event-toc-table td,.event-toc-table th{padding:.35em .5em;font-size:.8rem}.event-fields-table td,.event-fields-table th{padding:.5em;font-size:.875rem}.search-results-table thead{display:none}.search-results-table tr{display:block}.search-results-table td{display:block;padding:0 .75em;border:0;font-size:.85rem}.search-group-header td{display:block;padding:.6em .75em .25em}.filter-chip{padding:.3em .5em;font-size:.7rem}td,th{padding:.5em}pre{padding:.5em}.search-card{padding:.5em}.search-card-primary{font-size:.8rem}.search-card-context{font-size:.75rem;padding-left:.5em}}@media(max-width:480px){main,.footer-content{padding-left:.4em;padding-right:.4em}.event-meta{flex-direction:column;gap:.25em}}.event-meta{display:flex;flex-wrap:wrap;gap:.4em 1rem;margin:.5em 0 .75em;padding:.4em .75em;background:var(--bg2);border-radius:4px}.event-meta>div{display:flex;flex-direction:column}.event-meta dt{font-size:.75rem;text-transform:uppercase;letter-spacing:.05em;color:var(--fg2)}.event-meta dd{margin:0;font-weight:600}.event-section{margin:1em 0}.event-section h2,.event-section h3{font-size:1rem;margin:0 0 .4em}.event-detection-rules .event-section{margin:.8em 0 0}.event-detection-rules .event-section:first-of-type{margin-top:.4em}.event-section>p{margin:0}.section-anchor{color:var(--fg2);text-decoration:none;opacity:0;margin-left:.3em;font-size:.85em;font-weight:400}.event-section h2:hover .section-anchor,.event-section h3:hover .section-anchor,.event-section:target .section-anchor{opacity:1}.section-anchor:hover{color:var(--link)}.event-section[id]{scroll-margin-top:calc(var(--hf-height) + 1em)}.event-message{white-space:pre-wrap;word-break:break-word;overflow-wrap:anywhere;margin:0;padding:.75em 1em;border-radius:4px;font-size:.85rem;line-height:1.6}pre.chroma{max-width:100%;overflow-x:auto}.msg-param{color:var(--msg-param);font-weight:600}.event-fields-table{width:auto;max-width:100%;border-collapse:collapse}.event-fields-table th{text-align:left;font-size:.8rem;padding:.4em .75em}.event-fields-table td{padding:.4em .75em}.event-fields-table td:first-child{white-space:normal}.event-fields-table{border-collapse:separate;border-spacing:0}.event-fields-table td,.event-fields-table th{border:0;border-bottom:1px solid var(--border)}.event-fields-table tbody tr:last-child td{border-bottom:0}@media(max-width:600px){.event-fields-table thead{display:none}.event-fields-table tr{display:block;padding:.5em 0;border-bottom:1px solid var(--border)}.event-fields-table tbody tr:last-child{border-bottom:0}.event-fields-table td{display:block;padding:.15em 0;border:0}.event-fields-table td:first-child{padding-bottom:.3em}}.field-type{display:inline-block;font-size:.7rem;font-family:var(--font-mono,monospace);padding:.1em .4em;margin-left:.4em;border-radius:3px;background:var(--bg3);color:var(--fg2);vertical-align:baseline;white-space:nowrap}details.field-values{margin-top:.35em}details.field-values summary{cursor:pointer;font-size:.9375rem;color:var(--fg2)}.field-value-list{display:grid;grid-template-columns:auto 1fr;gap:.125em .75em;margin:.35em 0 0;padding:0;font-size:.9375rem}.field-value-list dt{margin:0;color:var(--fg2)}.field-value-list dd{margin:0}.priority-source{font-size:.75rem;color:var(--fg2)}.detection-rules{list-style:none;padding:0;margin:0}.detection-rules li{padding:.25em .5em;border-bottom:1px solid var(--bg3)}.detection-rules li:nth-child(odd){background:var(--bg2)}.detection-rules li:last-child{border-bottom:0}.rule-severity{display:inline-block;font-size:.65em;font-weight:600;padding:.15em .5em;border-radius:3px;vertical-align:middle;text-transform:uppercase;letter-spacing:.03em}.rel-inferred-pill{display:inline-block;font-size:.65em;font-weight:600;padding:.05em .4em;margin-right:.35em;border:1px dashed var(--fg2);border-radius:3px;vertical-align:middle;text-transform:uppercase;letter-spacing:.03em;color:var(--fg2);cursor:help}.rule-severity--informational,.rule-severity--low,.rule-severity--medium,.rule-severity--high,.rule-severity--critical{background:var(--badge-bg);color:var(--badge-fg)}.sigma-desc{color:var(--fg2);overflow-wrap:anywhere}.sigma-more{margin-top:.5em}.sigma-more summary{cursor:pointer;color:var(--link);font-size:.9em;width:fit-content}.sigma-more summary:hover{text-decoration:underline}.ref-page-link{font-size:.75rem;font-weight:400;color:var(--fg2);text-decoration:none;margin-left:.5em}.ref-page-link:hover{color:var(--link);text-decoration:underline}.rule-also-fires{display:block;font-size:.8rem;color:var(--fg2);font-style:italic;margin-top:.1em}.related-events{list-style:none;padding:0;margin:0}.related-event-group{margin-bottom:1.25em}.related-event-group-label{font-weight:700;font-size:1rem;margin-bottom:.5em;padding-bottom:.25em;text-transform:uppercase;letter-spacing:.03em}.related-event-card{border:1px solid var(--border);border-radius:4px;padding:.6em .8em;margin-bottom:.4em}.related-event-card .related-event-line1{font-weight:500;overflow-wrap:anywhere}.related-event-card .related-event-line2{padding-left:0;color:var(--fg2);margin-top:.2em}.related-event-source{font-size:.8em;opacity:.7}.related-event-rules{list-style:none;padding:0;margin:.4em 0 0 0}.related-event-rules li{font-size:.85em;padding:.15em 0;color:var(--fg)}.related-event-rule-vendor{display:inline-block;font-size:.75em;font-weight:600;padding:.1em .45em;border-radius:3px;vertical-align:middle;text-transform:uppercase;letter-spacing:.03em;background:var(--badge-bg);color:var(--badge-fg);margin-right:.35em}.event-provider-table{width:100%;border-collapse:separate;border-spacing:0;border:1px solid var(--border)}.event-provider-table th,.event-provider-table td{border-right:1px solid var(--border);border-bottom:1px solid var(--border)}.event-provider-table th:last-child,.event-provider-table td:last-child{border-right:0}.event-provider-table tbody tr:last-child td{border-bottom:0}.event-provider-table th{text-align:left;font-size:.8rem;padding:.4em .75em}.event-provider-table td{padding:.4em .75em}.event-provider-table td a{color:var(--link)}.event-catalog{margin-top:-2.5em}.event-catalog>h1{font-size:1.15rem;margin-bottom:0}.event-catalog-summary{color:var(--fg2);font-size:.8rem;margin-top:.15em;margin-bottom:.25em}.event-provider{margin-top:-2.5em}.event-provider>h1{font-size:1.15rem;margin-bottom:0}.event-provider-summary{color:var(--fg2);font-size:.8rem;margin-top:.15em;margin-bottom:1em}.event-toc-table{width:100%;border-collapse:separate;border-spacing:0;border:1px solid var(--border)}.event-toc-table th,.event-toc-table td{border-right:1px solid var(--border);border-bottom:1px solid var(--border)}.event-toc-table th:last-child,.event-toc-table td:last-child{border-right:0}.event-toc-table tbody tr:last-child td{border-bottom:0}.event-toc-table th{text-align:left;font-size:.8rem}.event-toc-table td,.event-toc-table th{padding:.4em .75em}.event-toc-table td a{color:var(--link)}.event-toc-table .col-event-id,.event-toc-table .col-channel{width:1%;white-space:nowrap}.event-entry{border-left:3px solid transparent;scroll-margin-top:calc(var(--hf-height) + 1em)}.event-entry-header{display:none}.event-entry-heading{font-size:1.15rem;margin:0}.event-body{display:none;padding:0 .75em .75em}html:not(.js) .event-entry:target{border-left-color:var(--link);background:var(--bg2)}html:not(.js) .event-entry:target .event-body,html:not(.js) .event-entry:has(:target) .event-body{display:block}html:not(.js) .event-provider:has(:target){margin-top:-1.5em}html:not(.js) .event-provider:has(:target)>h1,html:not(.js) .event-provider:has(:target)>.event-provider-summary,html:not(.js) .event-provider:has(:target)>.table-scroll-wrap,html:not(.js) .event-provider:has(:target)>.event-entry:not(:target):not(:has(:target)){display:none}html:not(.js) .event-provider:has(:target)>.event-entry:target,html:not(.js) .event-provider:has(:target)>.event-entry:has(:target){border-left:0;background:transparent;margin:0}html:not(.js) .event-provider:has(:target)>.event-entry:target .event-entry-header,html:not(.js) .event-provider:has(:target)>.event-entry:has(:target) .event-entry-header{display:flex;align-items:baseline;gap:.5em;padding-bottom:.5em;margin-bottom:.75em;border-bottom:1px solid var(--border)}.event-entry.event-active{border-left-color:var(--link);background:var(--bg2)}.event-entry.event-active .event-body{display:block}.event-provider.event-focused{margin-top:-1.5em}.event-provider.event-focused>h1,.event-provider.event-focused>.event-provider-summary,.event-provider.event-focused>.table-scroll-wrap,.event-provider.event-focused>.event-entry:not(.event-active){display:none}.event-provider.event-focused>.event-entry.event-active{border-left:0;background:transparent;margin:0}.event-provider.event-focused>.event-entry.event-active .event-entry-header{display:flex;align-items:baseline;gap:.5em;padding-bottom:.5em;margin-bottom:.75em;border-bottom:1px solid var(--border)}.event-canonical-page .event-entry-header{display:flex;align-items:baseline;gap:.5em;padding-bottom:.5em;margin-bottom:.75em;border-bottom:1px solid var(--border)}.event-canonical-page .event-entry .event-body{display:block}.event-canonical-breadcrumb{font-size:.85rem;color:var(--fg2);margin-bottom:.5em}.event-permalink{color:var(--fg2);text-decoration:none;font-size:.9em;opacity:.7}.event-permalink:hover{opacity:1;color:var(--link)}.provider-badge-stub{display:inline-block;font-size:.65em;padding:.15em .45em;border-radius:3px;vertical-align:middle;background:var(--badge-bg);color:var(--badge-fg)}@keyframes field-flash{0%{background-color:color-mix(in srgb,var(--accent) 35%,transparent)}100%{background-color:transparent}}tr[id*="-field-"]:target td{animation:field-flash 2s ease-out}tr[id*="-field-"]{scroll-margin-top:30vh}.search-container{position:relative;margin-bottom:1em}.search-input-wrap{position:relative;display:flex;align-items:center}.search-icon{position:absolute;left:.75em;width:1.1em;height:1.1em;color:var(--fg2);pointer-events:none}.search-input{width:100%;padding:.75em 1em .75em 2.5em;font-size:1rem;font-family:inherit;background:var(--bg2);color:var(--fg1);border:1px solid var(--border);border-radius:4px;outline:0;box-sizing:border-box}.search-input:focus{border-color:var(--link);box-shadow:0 0 0 2px color-mix(in srgb,var(--link) 30%,transparent)}.search-input::placeholder{color:var(--fg2)}.search-status{position:absolute;right:2.75em;font-size:.8rem;color:var(--fg2);pointer-events:none;white-space:nowrap}.search-filters{display:flex;flex-wrap:wrap;gap:.5em;margin-top:.5em;align-items:center}.filter-group{display:flex;flex-wrap:wrap;gap:.35em}.filter-chip{display:inline-flex;align-items:center;padding:.25em .6em;font-size:.75rem;font-family:inherit;line-height:1.4;border-radius:3px;border:1px solid var(--border);background:var(--bg2);color:var(--fg1);cursor:pointer;white-space:nowrap;user-select:none;transition:background .15s,border-color .15s,color .15s}.filter-chip:hover{background:var(--bg3)}.filter-chip--positive{background:color-mix(in srgb,#22c55e 15%,var(--bg2));border-color:color-mix(in srgb,#22c55e 40%,var(--border));color:var(--fg1)}.filter-chip--positive::before{content:"+\00a0";font-weight:700}.filter-chip--negative{background:color-mix(in srgb,#ef4444 12%,var(--bg2));border-color:color-mix(in srgb,#ef4444 35%,var(--border));color:var(--fg2);text-decoration:line-through}.filter-chip--negative::before{content:"\2212\00a0";font-weight:700}.search-clear{position:absolute;right:.5em;top:50%;transform:translateY(-50%);background:0;border:0;color:var(--fg2);font-size:1.3rem;cursor:pointer;padding:.25em;line-height:1;align-items:center;z-index:1}.search-clear:not([hidden]){display:flex}.search-clear:hover{color:var(--fg1)}.search-results-table{overflow-x:auto;-webkit-overflow-scrolling:touch}.search-results-table table{width:100%;border-collapse:collapse;table-layout:auto}.search-results-table th{text-align:left;font-size:.8rem;padding:.4em .75em;border-bottom:2px solid var(--border);color:var(--fg2)}.search-results-table td{padding:.4em .75em;font-size:.875rem;border-bottom:1px solid var(--border);vertical-align:top}.search-group-header td{font-weight:700;font-size:.85rem;padding:.75em .75em .35em;color:var(--fg1);border-bottom:1px solid var(--border);background:var(--bg2)}.search-group-header .group-count{font-weight:400;color:var(--fg2);font-size:.8rem;margin-left:.5em}.search-pagination{display:flex;align-items:center;justify-content:center;gap:.25em;margin-top:1em;padding:.5em 0}.search-pagination .page-btn{min-width:2em;padding:.3em .5em;border:1px solid var(--border);border-radius:3px;background:var(--bg2);color:var(--fg1);font-size:.85rem;font-family:inherit;cursor:pointer;text-align:center}.search-pagination .page-btn:hover:not(:disabled){background:var(--bg3)}.search-pagination .page-btn--active{background:var(--link);color:#fff;border-color:var(--link)}.search-pagination .page-btn:disabled{opacity:.4;cursor:default}.search-pagination .page-ellipsis{padding:.3em .25em;color:var(--fg2)}.search-pagination .page-summary{font-size:.8rem;color:var(--fg2);margin-left:1em}mark,.search-highlight{background:var(--highlight-bg);color:var(--highlight-fg);border-radius:2px;padding:0 2px}.search-cards{display:flex;flex-direction:column;gap:2px}.search-card{display:block;padding:.6em .75em;border-bottom:1px solid var(--border);cursor:pointer;transition:background .1s}.search-card:hover,.search-card--active{background:var(--bg3)}.search-card-primary{font-size:.95rem;line-height:1.4}.search-card-provider{color:var(--fg2);font-size:.85rem}.search-card-separator{color:var(--fg2);font-size:.85rem;margin:0 .15em}.search-card-id{color:var(--link);font-weight:600}.search-card-desc{color:var(--fg1)}.search-card-context{margin-top:.3em;padding-left:1em;font-size:.85rem;color:var(--fg2);line-height:1.5;overflow:hidden;text-overflow:ellipsis}.search-card-section{font-weight:600;color:var(--fg2);font-size:.8rem;text-transform:uppercase;letter-spacing:.03em}.filter-detail-item{display:block;margin-top:.15em;padding-left:1em;text-indent:-1em}.filter-detail-item:first-of-type{margin-top:0}.filter-detail-item code{color:var(--link);font-size:.85rem;padding:0;background:0}@media(max-width:600px){.mw-prefix{display:none}}.pattern-graph-link{margin-top:.5em;font-size:.85em}.pattern .pattern-chain-source{color:var(--fg2);margin-bottom:.15em}.pattern .pattern-chain-source a{color:var(--link);text-decoration:none}@media(hover:hover){.pattern .pattern-chain-source a:hover{text-decoration:underline}}.pattern .pattern-chain-source-sep{display:inline-block;width:4ch}.pattern,.pattern-shape{border:1px solid var(--border);border-radius:4px;padding:.9em 1em;margin-bottom:.8em;background:var(--bg1)}.pattern:last-of-type,.pattern-shape:last-of-type{margin-bottom:0}.pattern[id],.pattern-shape[id]{scroll-margin-top:calc(var(--hf-height) + 1em)}.pattern:target,.pattern-shape:target{border-color:var(--link)}.pattern .p-title{display:flex;align-items:baseline;gap:.7em;flex-wrap:wrap}.pattern .p-title .p-name{font-weight:600;font-size:1.05em;color:var(--fg1);text-decoration:none}@media(hover:hover){.pattern .p-title a.p-name:hover{text-decoration:underline;color:var(--link)}}.pattern .p-title .p-tactic{color:var(--fg2);font-size:.88em}.pattern .p-desc{color:var(--fg2);margin:.4em 0 .7em;line-height:1.5}.pattern .chain-line,.pattern-shape .chain-line{font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-size:.88em;color:var(--fg2);margin:.3em 0;display:flex;flex-wrap:wrap;align-items:baseline;gap:.25em;line-height:1.6}.pattern .coverage .lbl{color:var(--fg2);text-transform:uppercase;letter-spacing:.06em;font-size:.75em;opacity:.75;margin-right:.7em;font-family:ui-sans-serif,system-ui,sans-serif}.pattern .chain-line .node a,.pattern-shape .chain-line .node a{color:var(--link);text-decoration:none;overflow-wrap:anywhere}.pattern .chain-line .node.cur,.pattern-shape .chain-line .node.cur{background:var(--bg2);padding:.05em .4em;border-radius:3px;border:1px solid var(--border)}.pattern .chain-line .node.cur a,.pattern-shape .chain-line .node.cur a{color:var(--fg1);font-weight:700;text-decoration:none;cursor:default}@media(hover:hover){.pattern .chain-line .node a:hover,.pattern-shape .chain-line .node a:hover{text-decoration:underline}.pattern .chain-line .node.cur a:hover,.pattern-shape .chain-line .node.cur a:hover{text-decoration:none}}.pattern .chain-line .arrow,.pattern-shape .chain-line .arrow{color:var(--fg2);opacity:.55;margin:0 .3em}.pattern .chain-line .joiner,.pattern-shape .chain-line .joiner{color:var(--fg2);opacity:.55;margin:0 .4em;font-style:italic}.pattern .chain-line .step-alts,.pattern-shape .chain-line .step-alts{display:inline-flex;align-items:baseline;gap:.2em}.pattern .chain-line .step-paren,.pattern-shape .chain-line .step-paren{color:var(--fg2);opacity:.55}.pattern .chain-line .joiner-alt,.pattern-shape .chain-line .joiner-alt{font-style:normal}.pattern .chain-line .arrow-step,.pattern-shape .chain-line .arrow-step{margin:0 .45em}.pattern .coverage{color:var(--fg2);font-size:.95em;margin:.3em 0 .5em;line-height:1.5}.pattern .coverage strong{color:var(--fg1);font-weight:600}.pattern details.pattern-rules{margin:.2em 0 0}.pattern details.pattern-rules>summary{cursor:pointer;color:var(--fg2);font-size:.9em;list-style:none;padding:.2em 0}.pattern details.pattern-rules>summary::-webkit-details-marker{display:none}.pattern details.pattern-rules>summary .caret{display:inline-block;width:.9em;color:var(--fg2);opacity:.7}.pattern details.pattern-rules[open]>summary .caret::before{content:"▾"}.pattern details.pattern-rules:not([open])>summary .caret::before{content:"▸"}.pattern .rule-group,.pattern-shape .rule-group{margin:.2em 0 .4em}.pattern .rule-group h4,.pattern-shape .rule-group h4{font-size:.78em;text-transform:uppercase;letter-spacing:.06em;color:var(--fg2);margin:.8em 0 .25em;font-weight:600}.pattern .rule-row,.pattern-shape .rule-row{display:grid;grid-template-columns:minmax(0,1fr) auto;gap:.7em;padding:.25em 0;border-top:1px solid var(--border);font-size:.95em}.pattern .rule-group .rule-row:first-of-type,.pattern-shape .rule-group .rule-row:first-of-type{border-top:0}.pattern .rule-row .title,.pattern-shape .rule-row .title{min-width:0;overflow:hidden;text-overflow:ellipsis}.pattern .rule-row .title a,.pattern-shape .rule-row .title a{color:var(--link);text-decoration:none}@media(hover:hover){.pattern .rule-row .title a:hover,.pattern-shape .rule-row .title a:hover{color:var(--link);text-decoration:underline}}.pattern .rule-row .rule-row-source-sep,.pattern-shape .rule-row .rule-row-source-sep{display:inline-block;width:4ch}.pattern .rule-row .author,.pattern-shape .rule-row .author{color:var(--fg2);opacity:.8;font-size:.88em}@media(max-width:600px){.pattern .rule-row,.pattern-shape .rule-row{grid-template-columns:minmax(0,1fr)}.pattern .rule-row .author:not(:empty),.pattern-shape .rule-row .author:not(:empty){margin-top:.15em}}.pattern-shape details>summary{cursor:pointer;list-style:none}.pattern-shape details>summary::-webkit-details-marker{display:none}.pattern-shape details>summary .caret{display:inline-block;width:.9em;color:var(--fg2);opacity:.7}.pattern-shape details[open]>summary .caret::before{content:"▾"}.pattern-shape details:not([open])>summary .caret::before{content:"▸"}.pattern-shape .shape-details{margin-top:.2em}.pattern-shape .shape-details>summary.shape-summary{color:var(--fg2);font-size:.88em;padding:.3em 0}@media(hover:hover){.pattern-shape .shape-details>summary.shape-summary:hover{color:var(--fg1)}}.pattern-shape .shape-summary strong{color:var(--fg1);font-weight:600}.pattern-shape .pattern-purpose{margin:0 0 .4em;font-size:1.05em;font-weight:600;color:var(--fg1);line-height:1.35}.pattern-shape .shape-rules-more{margin-top:.25em}.pattern-shape .shape-rules-more>summary{cursor:pointer;color:var(--link);font-size:.9em;width:fit-content}@media(hover:hover){.pattern-shape .shape-rules-more>summary:hover{text-decoration:underline}}.pattern-sources h3{font-size:.85em;margin:.7em 0 .2em}.pattern-refs ul{margin:0;padding-left:1.2em;line-height:1.5}.pattern-refs a{word-break:break-all}@media(max-width:480px){.event-body{padding:0 .25em .5em}.event-message{padding:.5em .5em}.pattern,.pattern-shape{padding:.6em .5em}.related-event-card{padding:.5em .5em}.detection-rules li{padding:.2em .25em}}.sigma-source-link{margin-left:.4em;font-size:.78em;color:var(--text-secondary);text-decoration:none;text-transform:uppercase;letter-spacing:.04em}.sigma-source-link:hover{text-decoration:underline}.event-section-prose{margin:0 0 .75em;font-size:.9em;color:var(--text-secondary)}.attack-page{max-width:1100px;margin:0 auto;padding:1rem}.attack-intro{color:var(--text-secondary);margin-bottom:1.5rem;line-height:1.5}.attack-controls{display:flex;align-items:center;gap:1rem;margin-bottom:1rem}.attack-controls input{flex:1;padding:.5rem .75rem;font-size:.95rem;border:1px solid var(--border);border-radius:4px;background:var(--bg-secondary);color:var(--text)}.attack-count{font-size:.85rem;color:var(--text-secondary);white-space:nowrap}.attack-legend{display:flex;gap:1.25rem;margin-bottom:1.5rem;font-size:.8rem;color:var(--text-secondary)}.attack-legend-item{display:flex;align-items:center;gap:.35rem}.vendor-dot{display:inline-block;width:10px;height:10px;border-radius:50%}.vendor-dot--4{background:#2ecc71}.vendor-dot--3{background:#27ae60}.vendor-dot--2{background:#f39c12}.vendor-dot--1{background:var(--text-secondary)}.vendor-dot--0{background:var(--border)}.attack-tactic-section{margin-bottom:2rem}.attack-tactic-heading{border-left:4px solid;padding-left:.75rem;margin-bottom:.75rem;font-size:1.2rem}.attack-tactic-heading a{color:inherit;text-decoration:none}.attack-tactic-heading a:hover{text-decoration:underline}.attack-tactic-count{font-weight:normal;font-size:.85rem;color:var(--text-secondary)}.attack-technique-list{display:flex;flex-direction:column;gap:.35rem}.attack-technique-card{border:1px solid var(--border);border-radius:4px;background:var(--bg-secondary)}.attack-technique-card[open]{border-color:var(--accent)}.attack-technique-summary{display:flex;align-items:center;gap:.75rem;padding:.5rem .75rem;cursor:pointer;list-style:none;font-size:.9rem}.attack-technique-summary::-webkit-details-marker{display:none}.attack-technique-summary::marker{display:none;content:""}.attack-tid code{font-size:.85rem;padding:.1rem .35rem;background:var(--bg);border-radius:3px;color:var(--accent)}.attack-tid{text-decoration:none;flex:0 0 auto}.attack-tech-name{flex:1 1 auto;min-width:0;font-weight:500;color:var(--text);overflow-wrap:anywhere;word-break:break-word}.attack-rule-count{color:var(--text-secondary);font-size:.8rem;flex:0 0 auto}.attack-technique-body{padding:0 .75rem .75rem}.attack-technique-links{font-size:.85rem;margin:0 0 .5rem 0;color:var(--text-secondary)}.attack-technique-links a{color:var(--accent);text-decoration:none}.attack-technique-links a:hover{text-decoration:underline}.attack-authoring-teaser{font-size:.82rem;margin:0 0 .8rem 0;padding:.35rem .55rem;color:var(--text-secondary);background:var(--bg);border-left:2px solid var(--border);line-height:1.5}.attack-authoring-teaser strong{color:var(--text);font-weight:600}.attack-authoring-teaser a{color:var(--accent);text-decoration:none;white-space:nowrap}.attack-authoring-teaser a:hover{text-decoration:underline}.attack-rules-by-vendor{display:flex;flex-direction:column;gap:.9rem}.attack-rules-vendor{font-size:.9rem;font-weight:600;margin:0 0 .35rem 0;color:var(--text);display:flex;align-items:baseline;gap:.4rem}.attack-rules-vendor a{color:inherit;text-decoration:none}.attack-rules-vendor a:hover{text-decoration:underline}.attack-rules-count{font-weight:normal;font-size:.75rem;color:var(--text-secondary)}.attack-rules-list{list-style:none;padding:0;margin:0;display:block;font-size:.85rem}.attack-rule-row{padding:.15rem 0;min-width:0}.attack-rule-title{color:var(--accent);text-decoration:none;overflow-wrap:anywhere;word-break:break-word}.attack-rule-title:hover{text-decoration:underline}.attack-rules-empty{font-size:.85rem;color:var(--text-secondary);margin:0}.indicators-page{max-width:1100px;margin:0 auto;padding:1rem}.indicators-intro{color:var(--text-secondary);margin-bottom:1.5rem;line-height:1.5}.indicators-controls{display:flex;align-items:center;gap:1rem;margin-bottom:1rem}.indicators-controls input{flex:1;padding:.5rem .75rem;font-size:.95rem;border:1px solid var(--border);border-radius:4px;background:var(--bg-secondary);color:var(--text)}.indicators-count{font-size:.85rem;color:var(--text-secondary);white-space:nowrap}.indicators-toc{display:flex;flex-wrap:wrap;gap:.35rem .85rem;font-size:.85rem;line-height:1.4;margin-bottom:1.75rem;padding-bottom:1rem;border-bottom:1px solid var(--border)}.indicators-toc a{color:var(--text);text-decoration:none}.indicators-toc a:hover{text-decoration:underline}.indicators-toc-count{color:var(--text-secondary);font-size:.8rem}.indicators-field-section{margin-bottom:1.75rem;scroll-margin-top:1rem}.indicators-field-heading{font-size:1.05rem;margin-bottom:.5rem;padding-bottom:.25rem;border-bottom:1px solid var(--border)}.indicators-field-heading code{font-size:1rem}.indicators-field-count{font-weight:normal;font-size:.8rem;color:var(--text-secondary);margin-left:.5rem}.indicators-entry-list{display:flex;flex-direction:column}.indicators-entry{border-bottom:1px solid var(--border)}.indicators-entry:last-child{border-bottom:0}.indicators-entry[open]{background:var(--bg-secondary)}.indicators-entry-summary{display:flex;align-items:baseline;gap:.4em;padding:.35em .5em;cursor:pointer;list-style:none}.indicators-entry-summary::-webkit-details-marker{display:none}.indicators-entry-summary::before{content:"▸";color:var(--text-secondary);font-size:.7em;flex:0 0 auto;width:.8em;text-align:center}.indicators-entry[open]>.indicators-entry-summary::before{content:"▾"}.indicators-kind{color:var(--text-secondary);font-family:monospace;font-size:.92em;white-space:nowrap;flex:0 0 auto}.indicators-value{flex:1 1 auto;min-width:0;word-break:break-all}.indicators-rules-count{font-variant-numeric:tabular-nums;white-space:nowrap;color:var(--text-secondary);font-size:.92em;flex:0 0 auto;margin-left:auto;padding-left:1em}.indicators-entry-body{padding:.5em 1em .75em 2.25em;font-size:.92em;border-top:1px dashed var(--border)}.indicators-entry-label{color:var(--text-secondary);font-weight:600;font-size:.85em;text-transform:uppercase;letter-spacing:.04em;display:inline-block;margin-right:.4em}.indicators-entry-techniques{margin-bottom:.75em;line-height:1.6}.indicators-entry-techniques a{color:var(--text);text-decoration:none;margin-right:.15em}.indicators-entry-techniques a:hover{text-decoration:underline}.indicators-entry-techniques code{font-size:.85em;color:var(--text-secondary);background:transparent;padding:0}.indicators-entry-rules ul{margin:.25em 0 0 0;padding-left:1em;line-height:1.55}.indicators-entry-rules li{list-style-type:disc;margin-bottom:.15em}.indicators-entry-rules a{color:var(--text)}.indicators-rule-vendor{display:inline-block;font-size:.78em;color:var(--text-secondary);text-transform:uppercase;letter-spacing:.04em;margin-right:.4em;font-family:monospace}@media(max-width:700px){.indicators-entry-summary{flex-wrap:wrap}.indicators-rules-count{width:100%;margin-left:0;padding-left:1.6em;text-align:left}.indicators-entry-body{padding-left:1em}}.rules-index-page,.rule-page,.rules-event-page{max-width:1100px;margin:0 auto;padding:.5rem 1rem 1rem}.rules-intro{color:var(--fg2);max-width:56rem;line-height:1.55;margin:.5rem 0 1.25rem}.rules-index-controls{display:flex;align-items:center;gap:.75rem;margin:1rem 0 .75rem}.rules-index-controls input{flex:1;max-width:36rem;padding:.45rem .65rem;font-family:inherit;font-size:.9rem;background:var(--bg1);color:var(--fg1);border:1px solid var(--border);border-radius:4px}.rules-count{color:var(--fg2);font-size:.85rem;white-space:nowrap}.rules-toc{display:flex;flex-wrap:wrap;gap:.5rem 1rem;margin:.5rem 0 1.5rem;padding:.6rem .75rem;background:var(--bg2);border:1px solid var(--border);border-radius:4px;font-size:.88rem}.rules-toc-count{color:var(--fg2);font-size:.82rem}.rules-tactic-section{margin:2rem 0}.rules-tactic-section h2{margin:0 0 .5rem;font-size:1.25rem;border-bottom:1px solid var(--border);padding-bottom:.3rem}.rules-section-meta{color:var(--fg2);font-weight:normal;font-size:.85rem;margin-left:.5rem}.rules-technique-block{margin:.4rem 0;padding:.4rem .6rem;border:1px solid var(--border);border-radius:4px;background:var(--bg2)}.rules-technique-block summary{cursor:pointer;display:flex;flex-wrap:wrap;align-items:baseline;gap:.5rem;font-weight:500}.rules-technique-link{color:var(--link)}.rules-technique-count{color:var(--fg2);font-size:.82rem;margin-left:auto}.rules-list{list-style:none;margin:.5rem 0 0;padding:0}.rules-list li{padding:.18rem 0;font-size:.92rem;line-height:1.4}.rules-meta{color:var(--fg2);font-size:.82rem}.rules-status-filter{display:flex;flex-wrap:wrap;align-items:center;gap:.5rem .75rem;margin:.4rem 0 1.5rem;font-size:.86rem}.rules-status-label{color:var(--fg2);font-size:.82rem;text-transform:uppercase;letter-spacing:.05em}.rules-status-chip{display:inline-flex;align-items:center;gap:.35rem;cursor:pointer;user-select:none}.rules-status-chip input{margin:0;cursor:pointer}.rules-status-count{color:var(--fg2);font-size:.78rem;font-variant-numeric:tabular-nums}.rule-vendor{display:inline-block;font-size:.78rem;font-family:monospace;color:var(--fg2);text-transform:uppercase;letter-spacing:.04em;margin-right:.4rem;min-width:3.6rem}.rule-vendor--sigma{color:var(--syn-key)}.rule-vendor--elastic{color:var(--syn-num)}.rule-vendor--splunk{color:var(--syn-str)}.rule-status{display:inline-block;font-size:.78rem;font-family:monospace;text-transform:uppercase;letter-spacing:.04em;margin-left:.3em}.rule-status--production,.rule-status--stable{color:var(--syn-str)}.rule-status--experimental,.rule-status--development,.rule-status--validation,.rule-status--test,.rule-status--testing{color:var(--syn-num)}.rule-status--deprecated,.rule-status--unsupported{color:var(--fg2);text-decoration:line-through}.rule-eyebrow{font-size:.85rem;color:var(--fg2);margin:0 0 .25rem}.rule-header h1{margin:0 0 .4rem;line-height:1.25;font-size:1.6rem}dl.rule-header-meta{display:grid;grid-template-columns:max-content 1fr;column-gap:.75rem;row-gap:.15rem;color:var(--fg2);margin:0 0 .6rem;font-size:.92rem;line-height:1.4;max-width:56rem}dl.rule-header-meta dt{font-size:.78rem;text-transform:uppercase;letter-spacing:.05em;font-family:monospace;color:var(--fg2);margin:0;align-self:baseline}dl.rule-header-meta dd{margin:0;color:var(--fg1);align-self:baseline}p.rule-header-meta{color:var(--fg2);margin:0 0 .6rem;font-size:.92rem;line-height:1.5;max-width:56rem}.rule-description{margin:.6rem 0 0;line-height:1.55;max-width:56rem}.rule-eq-banner,.rule-parse-failed{margin:1rem 0;padding:.65rem .8rem;border-left:3px solid var(--accent);background:var(--bg2);border-radius:0 4px 4px 0;font-size:.92rem}.rule-parse-failed{border-left-color:var(--syn-num)}.rule-section{margin:1.75rem 0}.rule-section h2{font-size:1.2rem;margin:0 0 .5rem;border-bottom:1px solid var(--border);padding-bottom:.3rem}.rule-subheading{font-size:1rem;margin:1.4rem 0 .4rem;font-weight:600;color:var(--fg)}.rule-section-prose{color:var(--fg2);margin:0 0 .6rem;font-size:.9rem;max-width:56rem;line-height:1.5}.rule-section-prose code{font-size:.85em;padding:0 .2em;background:var(--bg2);border-radius:2px}.rule-authoring-table{table-layout:auto}.rule-authoring-table code{font-size:.82rem}.rule-authoring-kinds{color:var(--fg2);font-size:.85rem}.rule-authoring-samples{color:var(--fg2);font-size:.82rem;word-break:break-all}.rule-authoring-value{word-break:break-all;max-width:32rem}.rule-authoring-table td:first-child{white-space:nowrap}.rule-authoring-scroll{width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}@media(max-width:700px){.rule-authoring-table{font-size:.82rem;min-width:36rem}.rule-authoring-table th,.rule-authoring-table td{padding:.35rem .45rem}.rule-authoring-samples,.rule-authoring-value{word-break:normal;max-width:18rem}}.rule-mitre-table,.rule-events-table,.rule-exclusions-table,.rule-indicators-table{width:100%;border-collapse:separate;border-spacing:0;font-size:.9rem;background:var(--bg2);border:1px solid var(--border);border-radius:4px;overflow:hidden}.rule-mitre-table th,.rule-events-table th,.rule-exclusions-table th,.rule-indicators-table th{text-align:left;font-weight:600;font-size:.82rem;color:var(--fg2);background:var(--bg1);padding:.5rem .65rem;border-bottom:1px solid var(--border)}.rule-mitre-table td,.rule-events-table td,.rule-exclusions-table td,.rule-indicators-table td{padding:.4rem .65rem;border-bottom:1px solid var(--border);vertical-align:top}.rule-mitre-table tr:last-child td,.rule-events-table tr:last-child td,.rule-exclusions-table tr:last-child td,.rule-indicators-table tr:last-child td{border-bottom:0}.rule-events-table th:nth-child(1),.rule-events-table td:nth-child(1){width:1%;white-space:nowrap}.rule-events-table th:nth-child(2),.rule-events-table td:nth-child(2){width:1%;white-space:nowrap;font-variant-numeric:tabular-nums;text-align:right}.rule-events-table th:nth-child(3),.rule-events-table td:nth-child(3){width:auto}.rule-mitre-table th:nth-child(1),.rule-mitre-table td:nth-child(1){width:1%;white-space:nowrap}.rule-mitre-table th:nth-child(2),.rule-mitre-table td:nth-child(2){width:auto}.rule-indicators-table th:nth-child(1),.rule-indicators-table td:nth-child(1){width:1%;white-space:nowrap}.rule-indicators-table th:nth-child(2),.rule-indicators-table td:nth-child(2){width:1%;white-space:nowrap}.rule-indicators-table th:nth-child(3),.rule-indicators-table td:nth-child(3){width:auto}.rule-num{text-align:right;white-space:nowrap;font-variant-numeric:tabular-nums;color:var(--fg2);width:5rem}.rule-mitre-tactic{white-space:nowrap;font-weight:500;width:12rem}.rule-stage{margin:.9rem 0;padding:.7rem .9rem;background:var(--bg2);border:1px solid var(--border);border-radius:4px}.rule-stage h3{margin:0 0 .4rem;font-size:1rem}.rule-stage-negated{color:var(--syn-num);font-weight:normal;font-size:.85rem}.rule-stage-eid{margin-left:.4rem;font-size:.78rem;font-family:monospace;color:var(--fg2);font-weight:normal}.rule-stage-meta{list-style:none;margin:0 0 .5rem;padding:0;display:flex;flex-wrap:wrap;gap:.4rem 1rem;font-size:.85rem;color:var(--fg2)}.rule-stage-meta li code{font-family:monospace;background:var(--bg1);padding:.05rem .3rem;border-radius:3px}.rule-stage-pred summary{cursor:pointer;font-size:.88rem;color:var(--fg2);margin-bottom:.3rem}.rule-stage-pred-body{margin:0;padding:.6rem .75rem;background:var(--bg1);border:1px solid var(--border);border-radius:4px;overflow-x:auto;font-size:.82rem;line-height:1.45;white-space:pre;word-break:normal}.rule-stage-pred-body code{background:transparent;padding:0;font-family:monospace}.rule-members-list{list-style:none;margin:0;padding:0}.rule-members-list li{padding:.35rem 0;font-size:.93rem;line-height:1.5;border-bottom:1px solid var(--border)}.rule-meta{color:var(--fg2);font-size:.85rem}.rule-neighbor-group{margin:.9rem 0}.rule-neighbor-group h3{font-size:.95rem;margin:0 0 .3rem}.rule-neighbor-group ul{list-style:disc;margin:0 0 0 1.2rem;padding:0}.rule-neighbor-group li{padding:.1rem 0;font-size:.92rem;line-height:1.4}.rules-event-page .rule-section h2{font-size:1.1rem}.rule-body-section h2{display:flex;align-items:baseline;gap:.5rem}.rule-body-lang{font-size:.78rem;font-weight:normal;color:var(--fg2);text-transform:uppercase;letter-spacing:.05em;font-family:monospace}.rule-body-code{border:1px solid var(--border);border-radius:4px;max-height:36rem;overflow:auto}.rule-body-code pre,.rule-body-code .highlight{margin:0;border-radius:0}.rule-body-code .spl-line .kr,.rule-stage-pred-body .spl-line .kr{color:var(--syn-bool);font-weight:bold}.rule-body-code .spl-line .nf,.rule-body-code .spl-line .fm,.rule-stage-pred-body .spl-line .nf,.rule-stage-pred-body .spl-line .fm{color:var(--syn-key);font-weight:500}.rule-body-code .spl-line .nv,.rule-stage-pred-body .spl-line .nv{color:var(--fg1)}.rule-body-code .spl-line .o,.rule-body-code .spl-line .p,.rule-stage-pred-body .spl-line .o,.rule-stage-pred-body .spl-line .p{color:var(--syn-punct)}.rule-body-code .spl-line .k,.rule-stage-pred-body .spl-line .k{color:var(--syn-bool)}.rule-body-code .eql-line .kr,.rule-body-code .eql-line .k,.rule-stage-pred-body .eql-line .kr,.rule-stage-pred-body .eql-line .k{color:var(--syn-bool);font-weight:bold}.rule-body-code .eql-line .kc,.rule-stage-pred-body .eql-line .kc{color:var(--syn-bool)}.rule-body-code .eql-line .nf,.rule-stage-pred-body .eql-line .nf{color:var(--syn-key);font-weight:500}.rule-body-code .eql-line .nv,.rule-stage-pred-body .eql-line .nv{color:var(--fg1)}.rule-body-code .eql-line .o,.rule-body-code .eql-line .p,.rule-stage-pred-body .eql-line .o,.rule-stage-pred-body .eql-line .p{color:var(--syn-punct)}.rule-body-code .kql-line .kr,.rule-body-code .kql-line .k,.rule-stage-pred-body .kql-line .kr,.rule-stage-pred-body .kql-line .k{color:var(--syn-bool);font-weight:bold}.rule-body-code .kql-line .kc,.rule-stage-pred-body .kql-line .kc{color:var(--syn-bool)}.rule-body-code .kql-line .nf,.rule-body-code .kql-line .fm,.rule-stage-pred-body .kql-line .nf,.rule-stage-pred-body .kql-line .fm{color:var(--syn-key);font-weight:500}.rule-body-code .kql-line .nv,.rule-stage-pred-body .kql-line .nv{color:var(--fg1)}.rule-body-code .kql-line .o,.rule-body-code .kql-line .p,.rule-stage-pred-body .kql-line .o,.rule-stage-pred-body .kql-line .p{color:var(--syn-punct)}.rule-indicator-values{list-style:none;margin:0;padding:0}.rule-indicator-values li{padding:.1rem 0;line-height:1.45}.rule-indicator-values li+li{border-top:1px dashed var(--border);padding-top:.2rem;margin-top:.1rem}.rule-indicator-values code{word-break:break-word}.rule-compare-vendor{margin:1.2rem 0 .5rem;font-size:1rem}.rule-compare-list{display:flex;flex-direction:column;gap:.5rem}.rule-compare-card{border:1px solid var(--border);background:var(--bg2);border-radius:4px;padding:.5rem .75rem}.rule-compare-card summary{cursor:pointer;display:flex;flex-wrap:wrap;align-items:baseline;gap:.4rem .75rem}.rule-compare-title{font-weight:500}.rule-compare-body{margin-top:.6rem;padding-top:.6rem;border-top:1px solid var(--border);font-size:.88rem}.rule-compare-meta{margin:.4rem 0 .25rem;font-size:.85rem;color:var(--fg2)}.rule-compare-exclusions,.rule-compare-indicators{list-style:disc;margin:0 0 .4rem 1.25rem;padding:0;font-size:.84rem}.rule-compare-exclusions li,.rule-compare-indicators li{padding:.08rem 0}.attack-technique-links{margin:0 0 .5rem;font-size:.88rem}@media(max-width:600px){.rule-header h1{font-size:1.3rem}.rules-index-controls{flex-direction:column;align-items:stretch;gap:.3rem}.rules-index-controls input{max-width:none}.rules-toc{flex-direction:column;gap:.3rem}.rule-mitre-table,.rule-events-table,.rule-exclusions-table,.rule-indicators-table{font-size:.84rem}.rule-mitre-table td,.rule-events-table td,.rule-exclusions-table td,.rule-indicators-table td{padding:.35rem .45rem;word-break:break-word;overflow-wrap:anywhere}.rule-stage-pred-body{font-size:.78rem}.rules-technique-block summary{flex-direction:column;align-items:flex-start}.rules-technique-count{margin-left:0}.rule-stage-pred-body,.rule-body-code,.rule-compare-card pre{max-width:100%}}