.event-meta{display:flex;flex-wrap:wrap;gap:.4em 1rem;margin:.5em 0 .75em;padding:.4em .75em;background:var(--bg2);border-radius:4px}.event-meta>div{display:flex;flex-direction:column}.event-meta dt{font-size:.75rem;text-transform:uppercase;letter-spacing:.05em;color:var(--fg2)}.event-meta dd{margin:0;font-weight:600}.event-section{margin:1em 0}.event-section h2,.event-section h3{font-size:1rem;margin:0 0 .4em}.event-detection-rules .event-section{margin:.8em 0 0}.event-detection-rules .event-section:first-of-type{margin-top:.4em}.event-section>p{margin:0}.section-anchor{color:var(--fg2);text-decoration:none;opacity:0;margin-left:.3em;font-size:.85em;font-weight:400}.event-section h2:hover .section-anchor,.event-section h3:hover .section-anchor,.event-section:target .section-anchor{opacity:1}.section-anchor:hover{color:var(--link)}.event-section[id]{scroll-margin-top:calc(var(--hf-height) + 1em)}.event-message{white-space:pre-wrap;word-break:break-word;overflow-wrap:anywhere;margin:0;padding:.75em 1em;border-radius:4px;font-size:.85rem;line-height:1.6}.record-type-msgtype{font-size:.8rem;font-weight:400;font-family:var(--font-mono,monospace);color:var(--fg2);margin-left:.5em;white-space:nowrap}.auditd-rule{margin:0;padding:.6em .9em;border-radius:4px;background:var(--bg2);font-size:.85rem;line-height:1.5;overflow-x:auto}.source-list{list-style:none;padding:0;margin:0}.source-list>li{margin-bottom:1em}.source-list>li>p{margin:.25em 0 0}.source-cite{font-size:.8rem;color:var(--fg2)}.source-caveat{font-size:.85rem;color:var(--fg2)}.event-oie-note{font-size:.85rem;color:var(--fg2);border-left:3px solid var(--border);padding-left:.6em;margin:.4em 0 .8em}.event-example-note{font-size:.85rem;color:var(--fg2);border-left:3px solid var(--border);padding-left:.6em;margin:.4em 0 .8em}pre.chroma{max-width:100%;overflow-x:auto}.msg-param{color:var(--msg-param);font-weight:600}.event-fields-table{width:auto;max-width:100%;border-collapse:collapse}.event-fields-table th{text-align:left;font-size:.8rem;padding:.4em .75em}.event-fields-table td{padding:.4em .75em}.event-fields-table td:first-child{white-space:nowrap}.event-fields-table{border-collapse:separate;border-spacing:0}.event-fields-table td,.event-fields-table th{border:0;border-bottom:1px solid var(--border)}.event-fields-table tbody tr:last-child td{border-bottom:0}@media(max-width:600px){.event-fields-table thead{display:none}.event-fields-table tr{display:block;padding:.5em 0;border-bottom:1px solid var(--border)}.event-fields-table tbody tr:last-child{border-bottom:0}.event-fields-table td{display:block;padding:.15em 0;border:0}.event-fields-table td:first-child{padding-bottom:.3em;white-space:normal}.event-fields-table .field-rule-count{text-align:left}.event-fields-table .field-rule-count:empty{display:none}.event-fields-table .field-rule-unit{display:inline}}.field-rule-count{text-align:right;white-space:nowrap;color:var(--fg2);font-size:.85rem}.field-rule-unit{display:none}.common-indicators-table{width:100%;border-collapse:separate;border-spacing:0;font-size:.875rem}.common-indicators-table th{text-align:left;font-size:.8rem;padding:.4em .75em;border:0;border-bottom:2px solid var(--border)}.common-indicators-table td{padding:.35em .75em;border:0;border-bottom:1px solid var(--border);vertical-align:top}.common-indicators-table tbody tr:last-child td{border-bottom:0}.common-indicators-table .rule-num{text-align:right;font-variant-numeric:tabular-nums;white-space:nowrap}.common-indicators-table .indicator-vendors{color:var(--fg2);font-size:.8rem;white-space:nowrap}.common-indicators-table code{word-break:break-all}.indicator-rules-unit{display:none}@media(max-width:600px){.common-indicators-table thead{display:none}.common-indicators-table,.common-indicators-table tbody{display:block}.common-indicators-table tr{display:block;padding:.5em 0;border-bottom:1px solid var(--border)}.common-indicators-table tbody tr:last-child{border-bottom:0}.common-indicators-table td{display:inline;padding:0;border:0}.common-indicators-table td+td::before{content:" "}.common-indicators-table code{word-break:normal;overflow-wrap:anywhere}.common-indicators-table td code:empty{display:none}.common-indicators-table .rule-num::before{content:"\A";white-space:pre}.common-indicators-table .rule-num{font-size:.8rem;color:var(--fg2)}.indicator-rules-unit{display:inline}.common-indicators-table .indicator-vendors{white-space:normal}.common-indicators-table .indicator-vendors::before{content:" · "}}.field-type{display:inline-block;font-size:.7rem;font-family:var(--font-mono,monospace);padding:.1em .4em;margin-left:.4em;border-radius:3px;background:var(--bg3);color:var(--fg2);vertical-align:baseline;white-space:nowrap}details.field-values{margin-top:.35em}details.field-values summary{cursor:pointer;font-size:.9375rem;color:var(--fg2)}.field-value-list{display:grid;grid-template-columns:auto minmax(0,1fr);gap:.125em .75em;margin:.35em 0 0;padding:0;font-size:.9375rem}.field-value-list dt{margin:0;color:var(--fg2)}.field-value-list dd{margin:0;overflow-wrap:anywhere}@media(max-width:600px){.field-value-list{grid-template-columns:1fr;gap:0}.field-value-list dt{margin-top:.35em}.field-value-list dt:first-child{margin-top:0}.field-value-list dd{padding-left:1em}}.detection-rules{list-style:none;padding:0;margin:0}.detection-rules li{padding:.25em .5em;border-bottom:1px solid var(--bg3)}.detection-rules li:nth-child(odd){background:var(--bg2)}.detection-rules li:last-child{border-bottom:0}.rule-severity{display:inline-block;font-size:.65em;font-weight:600;padding:.15em .5em;border-radius:3px;vertical-align:middle;text-transform:uppercase;letter-spacing:.03em}.rel-inferred-pill{display:inline-block;font-size:.65em;font-weight:600;padding:.05em .4em;margin-right:.35em;border:1px dashed var(--fg2);border-radius:3px;vertical-align:middle;text-transform:uppercase;letter-spacing:.03em;color:var(--fg2);cursor:help}.rule-severity--informational,.rule-severity--low,.rule-severity--medium,.rule-severity--high,.rule-severity--critical{background:var(--badge-bg);color:var(--badge-fg)}.sigma-desc{color:var(--fg2);overflow-wrap:anywhere}.sigma-more{margin-top:.5em}.sigma-more summary{cursor:pointer;color:var(--link);font-size:.9em;width:fit-content}.sigma-more summary:hover{text-decoration:underline}.ref-page-link{font-size:.75rem;font-weight:400;color:var(--fg2);text-decoration:none;margin-left:.5em}.ref-page-link:hover{color:var(--link);text-decoration:underline}.rule-also-fires{display:block;font-size:.8rem;color:var(--fg2);font-style:italic;margin-top:.1em}.related-events{list-style:none;padding:0;margin:0}.related-event-group{margin-bottom:1.25em}.related-event-group-label{font-weight:700;font-size:1rem;margin-bottom:.5em;padding-bottom:.25em;text-transform:uppercase;letter-spacing:.03em}.related-event-card{border:1px solid var(--border);border-radius:4px;padding:.6em .8em;margin-bottom:.4em}.related-event-card .related-event-line1{font-weight:500;overflow-wrap:anywhere}.related-event-card .related-event-line2{padding-left:0;color:var(--fg2);margin-top:.2em}.related-event-source{font-size:.8em;opacity:.7}.related-event-rules{list-style:none;padding:0;margin:.4em 0 0 0}.related-event-rules li{font-size:.85em;padding:.15em 0;color:var(--fg1)}.related-event-rule-vendor{display:inline-block;font-size:.75em;font-weight:600;padding:.1em .45em;border-radius:3px;vertical-align:middle;text-transform:uppercase;letter-spacing:.03em;background:var(--badge-bg);color:var(--badge-fg);margin-right:.35em}.event-provider-table{width:100%;border-collapse:separate;border-spacing:0;border:1px solid var(--border)}.event-provider-table th,.event-provider-table td{border-right:1px solid var(--border);border-bottom:1px solid var(--border)}.event-provider-table th:last-child,.event-provider-table td:last-child{border-right:0}.event-provider-table tbody tr:last-child td{border-bottom:0}.event-provider-table th{text-align:left;font-size:.8rem;padding:.4em .75em;white-space:nowrap}.event-provider-table td{padding:.4em .75em}.event-provider-table td a{color:var(--link)}.event-provider-table .provider-row{content-visibility:auto;contain-intrinsic-size:auto 38px}.event-provider-table .col-count{width:1%;white-space:nowrap}.event-provider-table .col-nowrap{white-space:nowrap}.provider-overflow{margin:.6em 0 .2em;font-size:.85rem;color:var(--fg2)}.event-catalog>h1{font-size:1.15rem;margin-top:.75em;margin-bottom:0}.event-catalog-summary{color:var(--fg2);font-size:.8rem;margin-top:.15em;margin-bottom:.25em}.event-provider>h1{font-size:1.15rem;margin-top:.75em;margin-bottom:0}.event-provider>h1 .provider-raw{color:var(--fg2);font-weight:normal;font-size:.85em}.event-provider-summary{color:var(--fg2);font-size:.8rem;margin-top:.15em;margin-bottom:1em}.event-toc-table{width:100%;border-collapse:separate;border-spacing:0;border:1px solid var(--border)}.event-toc-table th,.event-toc-table td{border-right:1px solid var(--border);border-bottom:1px solid var(--border)}.event-toc-table th:last-child,.event-toc-table td:last-child{border-right:0}.event-toc-table tbody tr:last-child td{border-bottom:0}.event-toc-table tbody tr{content-visibility:auto;contain-intrinsic-size:auto 32px}.event-toc-table th{text-align:left;font-size:.8rem}.event-toc-table td,.event-toc-table th{padding:.4em .75em}.event-toc-table td a{color:var(--link)}.event-toc-table .col-event-id,.event-toc-table .col-channel,.event-toc-table .col-sample{width:1%;white-space:nowrap}.event-toc-table .col-sample{text-align:center}.event-toc-table .col-rt-title{white-space:nowrap}.event-entry{border-left:3px solid transparent;scroll-margin-top:calc(var(--hf-height) + 1em);content-visibility:auto;contain-intrinsic-size:auto 60px}.event-entry-header{display:none}.event-entry-heading{font-size:1.15rem;margin:0}.event-body{display:none;padding:0 .75em .75em}html:not(.js) .event-entry:target{border-left-color:var(--link);background:var(--bg2)}html:not(.js) .event-entry:target .event-body,html:not(.js) .event-entry:has(:target) .event-body{display:block}html.hash-landing .event-provider>h1,html.hash-landing .event-provider>.event-provider-summary,html.hash-landing .event-provider>.table-scroll-wrap,html.hash-landing .event-provider>.esf-grouping-note,html.hash-landing .event-provider>.esf-group-label,html.hash-landing .event-provider>.esf-section,html.hash-landing .event-provider>.provider-provenance{display:none}.event-provider:has(:target)>h1,.event-provider:has(:target)>.event-provider-summary,.event-provider:has(:target)>.table-scroll-wrap,.event-provider:has(:target)>.esf-grouping-note,.event-provider:has(:target)>.esf-group-label,.event-provider:has(:target)>.esf-section,.event-provider:has(:target)>.provider-provenance,.event-provider:has(:target)>.event-entry:not(:target):not(:has(:target)){display:none}.event-provider:has(:target)>.event-entry:target,.event-provider:has(:target)>.event-entry:has(:target){border-left-color:transparent;background:transparent;margin:0}.event-provider:has(:target)>.event-entry:target .event-entry-header,.event-provider:has(:target)>.event-entry:has(:target) .event-entry-header{display:flex;align-items:baseline;gap:.5em;padding-top:.85rem;padding-bottom:.5em;margin-bottom:.75em;border-bottom:1px solid var(--border)}.event-provider:has(:target)>.event-entry:target,.event-provider:has(:target)>.event-entry:has(:target),.event-provider.event-focused>.event-entry.event-active{content-visibility:visible}.event-entry.event-active{border-left-color:var(--link);background:var(--bg2)}.event-entry.event-active .event-body{display:block}.event-provider.event-focused>h1,.event-provider.event-focused>.event-provider-summary,.event-provider.event-focused>.table-scroll-wrap,.event-provider.event-focused>.esf-grouping-note,.event-provider.event-focused>.esf-group-label,.event-provider.event-focused>.esf-section,.event-provider.event-focused>.provider-provenance,.event-provider.event-focused>.event-entry:not(.event-active){display:none}.event-provider.event-focused>.event-entry.event-active{border-left-color:transparent;background:transparent;margin:0}.event-provider.event-focused>.event-entry.event-active .event-entry-header{display:flex;align-items:baseline;gap:.5em;padding-top:.85rem;padding-bottom:.5em;margin-bottom:.75em;border-bottom:1px solid var(--border)}.event-permalink{color:var(--fg2);text-decoration:none;font-size:.9em;opacity:0;margin-left:.3em;font-weight:400}.event-entry-header:hover .event-permalink,.event-entry:target .event-permalink{opacity:1}.event-permalink:hover{color:var(--link)}.provider-badge-stub{display:inline-block;font-size:.65em;padding:.15em .45em;border-radius:3px;vertical-align:middle;background:var(--badge-bg);color:var(--badge-fg)}@keyframes field-flash{0%{background-color:color-mix(in srgb,var(--accent) 35%,transparent)}100%{background-color:transparent}}tr[id*="-field-"]:target td{animation:field-flash 2s ease-out}tr[id*="-field-"]{scroll-margin-top:30vh}.search-container{position:relative;margin-bottom:.5em}.search-input-wrap{position:relative;display:flex;align-items:center}.search-icon{position:absolute;left:.75em;width:1.1em;height:1.1em;color:var(--fg2);pointer-events:none}.search-input-placeholder{position:absolute;left:2.6em;right:2.6em;top:50%;transform:translateY(-50%);pointer-events:none;color:var(--fg2);font-size:1rem;white-space:nowrap;overflow:hidden;text-overflow:ellipsis;opacity:1}.search-input-placeholder kbd{display:inline-block;padding:.05em .4em;font-family:var(--font-mono,monospace);font-size:.85rem;border:1px solid var(--border);border-radius:3px;background:var(--bg2);color:var(--fg1)}#event-search:focus ~ .search-input-placeholder,.search-input-wrap--has-value .search-input-placeholder{opacity:0}.search-input{width:100%;padding:.75em 1em .75em 2.5em;font-size:1rem;font-family:inherit;background:var(--bg2);color:var(--fg1);border:1px solid var(--border);border-radius:4px;outline:0;box-sizing:border-box}.search-input:focus{border-color:var(--link);box-shadow:0 0 0 2px color-mix(in srgb,var(--link) 30%,transparent)}.search-input::placeholder{color:var(--fg2)}.search-status{position:absolute;right:2.75em;font-size:.8rem;color:var(--fg2);pointer-events:none;white-space:nowrap}.search-filters{display:flex;flex-wrap:wrap;gap:.5em;margin-top:.5em;align-items:center}.filter-select{display:inline-flex;align-items:center;padding:.3em .6em;font-size:.8rem;font-family:inherit;line-height:1.4;border-radius:3px;border:1px solid var(--border);background:var(--bg2);color:var(--fg1);cursor:pointer;white-space:nowrap;transition:background .15s,border-color .15s,color .15s}.filter-select:hover{background:var(--bg3)}.filter-select:focus{outline:0;border-color:color-mix(in srgb,var(--link) 50%,var(--border))}.filter-select:not(:has(option[value=""]:checked)):not(:focus){background:color-mix(in srgb,#3b82f6 15%,var(--bg2));border-color:color-mix(in srgb,#3b82f6 40%,var(--border))}.filter-more{position:relative;display:inline-block}.filter-more>.filter-more-summary{list-style:none;cursor:pointer}.filter-more>.filter-more-summary::-webkit-details-marker{display:none}.filter-more>.filter-more-summary::after{content:" \25BE";opacity:.6}.filter-more[open]>.filter-more-summary{background:color-mix(in srgb,#3b82f6 10%,var(--bg2))}.filter-more-panel{position:absolute;top:calc(100% + 4px);left:0;z-index:10;display:flex;flex-direction:column;gap:.4em;min-width:14em;padding:.75em;background:var(--bg1);border:1px solid var(--border);border-radius:4px;box-shadow:0 4px 12px rgba(0,0,0,0.15)}.filter-more-panel label{display:flex;align-items:center;gap:.5em;font-size:.85rem;cursor:pointer;white-space:nowrap}.filter-more-panel label:hover{color:var(--link)}.visually-hidden{position:absolute;width:1px;height:1px;margin:-1px;padding:0;border:0;overflow:hidden;clip:rect(0 0 0 0);clip-path:inset(50%);white-space:nowrap}.search-suggest{position:absolute;top:calc(100% + 4px);left:0;right:0;z-index:30;max-height:min(50vh,18rem);overflow-y:auto;-webkit-overflow-scrolling:touch;background:var(--bg1);border:1px solid var(--border);border-radius:4px;box-shadow:0 4px 12px rgba(0,0,0,0.15)}.search-suggest[hidden]{display:none}.search-suggest-row{display:flex;align-items:baseline;gap:1em;padding:.4em .75em;font-size:.85rem;cursor:pointer}.search-suggest-row:hover,.search-suggest-row--active{background:var(--bg3)}.search-suggest-label{flex:0 1 auto;min-width:0;font-family:var(--font-mono,monospace);color:var(--fg1);white-space:nowrap;overflow:hidden;text-overflow:ellipsis}.search-suggest-gloss{flex:1 1 auto;min-width:0;text-align:right;color:var(--fg2);white-space:nowrap;overflow:hidden;text-overflow:ellipsis}.search-suggest-hint{padding:.5em .75em;font-size:.8rem;color:var(--fg2)}@media(max-width:600px){.search-suggest-gloss{display:none}}.search-recent{position:absolute;top:calc(100% + 4px);left:0;right:0;z-index:30;max-height:min(50vh,18rem);overflow-y:auto;background:var(--bg1);border:1px solid var(--border);border-radius:4px;box-shadow:0 4px 12px rgba(0,0,0,0.15)}.search-recent[hidden]{display:none}.search-recent-header{display:flex;justify-content:space-between;align-items:center;padding:.35em .75em;font-size:.75rem;color:var(--fg2);border-bottom:1px solid var(--border)}.search-recent-clear{background:0;border:0;padding:0;cursor:pointer;color:var(--fg2);font-size:.75rem}.search-recent-clear:hover{color:var(--fg1)}.search-recent-item{display:block;width:100%;text-align:left;background:0;border:0;padding:.4em .75em;font-size:.85rem;font-family:var(--font-mono,monospace);color:var(--fg1);cursor:pointer;white-space:nowrap;overflow:hidden;text-overflow:ellipsis}.search-recent-item:hover{background:var(--bg3)}.search-noscript{margin:.5em 0 0;padding:.5em .75em;font-size:.8rem;color:var(--fg2);background:var(--bg2);border:1px solid var(--border);border-radius:4px}.search-clear{position:absolute;right:.5em;top:50%;transform:translateY(-50%);background:0;border:0;color:var(--fg2);font-size:1.3rem;cursor:pointer;padding:.25em;line-height:1;align-items:center;z-index:1}.search-clear:not([hidden]){display:flex}.search-clear:hover{color:var(--fg1)}.search-results-table{overflow-x:auto;-webkit-overflow-scrolling:touch}.search-card-expand,.search-card-more-btn{display:inline-block;margin-top:.4em;background:transparent;color:var(--fg2);border:1px solid var(--border);border-radius:3px;padding:.15em .55em;font-size:.75rem;cursor:pointer;font-family:inherit}.search-card-expand:hover,.search-card-more-btn:hover{background:var(--bg3);color:var(--fg1)}.search-card-expanded{margin-top:.5em;padding:.5em .75em;background:var(--bg2);border-radius:3px;border-left:2px solid var(--border);max-height:60vh;overflow-y:auto}.search-card-expanded .rule-section{margin:.5rem 0}.search-card-expanded .rule-section h2{font-size:.95rem;border-bottom:1px solid var(--border);margin-bottom:.3rem;padding-bottom:.2rem}.search-card-expanded-loading{margin:0;font-size:.85rem;color:var(--fg2)}.search-result-toolbar{display:flex;justify-content:flex-end;gap:.4em;padding:0 0 .5em}.search-result-copy,.search-result-density{background:var(--bg2);color:var(--fg2);border:1px solid var(--border);border-radius:3px;padding:.2em .6em;font-size:.75rem;cursor:pointer;font-family:inherit}.search-result-copy:hover:not(:disabled),.search-result-density:hover{background:var(--bg3);color:var(--fg1)}.search-result-copy:disabled{cursor:default;opacity:.7}.search-result-density{margin-right:auto}.search-cards--compact .search-card{padding:.4em .65em}.search-cards--compact .search-card-context,.search-cards--compact .search-card-techniques,.search-cards--compact .search-card-thirdline,.search-cards--compact .search-card-indicators,.search-cards--compact .search-card-expand,.search-cards--compact .search-card-expanded,.search-cards--compact .search-card-more-btn,.search-cards--compact .search-card-more-panel{display:none}.search-cards--compact .search-card-primary{margin:0}.search-pagination{display:flex;align-items:center;justify-content:center;gap:.25em;margin-top:1em;padding:.5em 0}.search-pagination .page-btn{min-width:2em;padding:.3em .5em;border:1px solid var(--border);border-radius:3px;background:var(--bg2);color:var(--fg1);font-size:.85rem;font-family:inherit;cursor:pointer;text-align:center}.search-pagination .page-btn:hover:not(:disabled){background:var(--bg3)}.search-pagination .page-btn--active{background:var(--link);color:var(--badge-fg);border-color:var(--link)}.search-pagination .page-btn:disabled{opacity:.4;cursor:default}.search-pagination .page-ellipsis{padding:.3em .25em;color:var(--fg2)}.search-pagination .page-summary{font-size:.8rem;color:var(--fg2);margin-left:1em}mark,.search-highlight{background:var(--highlight-bg);color:var(--highlight-fg);border-radius:2px;padding:0 2px}.search-cards{display:flex;flex-direction:column;gap:2px}.search-card{display:block;padding:.6em .75em;border-bottom:1px solid var(--border);cursor:pointer;transition:background .1s}.search-card:hover,.search-card--active{background:var(--bg3)}.search-card--rule{border-left:3px solid var(--fg2)}.search-card--indicator{border-left:3px solid var(--indicator-accent)}.search-card-indicator-value{font-weight:600}.search-card-ws{color:var(--fg2)}.search-card-rule-link{display:block;padding:.25em .5em .25em .6em;margin:.2em 0;border-left:2px solid var(--fg2);font-size:.85rem;color:var(--fg1);text-decoration:none}.search-card-rule-link:hover{background:var(--bg2)}.search-card-type{display:inline-block;font-size:.65rem;font-weight:600;letter-spacing:.05em;text-transform:uppercase;color:var(--fg2);margin-right:.5em;opacity:.6;min-width:4.5em}.search-card-vendor{font-weight:600;font-size:.85rem}.search-card-technique{display:inline-block;font-size:.78rem;padding:.1em .4em;border-radius:2px;background:var(--bg3);margin-right:.35em;margin-bottom:.15em;color:var(--fg1)}.search-card-technique code{font-weight:600;font-size:.75rem;color:var(--link);margin-right:.25em}.search-card-techniques{display:flex;flex-wrap:wrap}.search-card-thirdline{font-size:.85rem;color:var(--fg2);display:flex;flex-direction:column;gap:.35em}.search-card-indicators{font-size:.78rem;color:var(--fg2);display:flex;flex-direction:column;gap:.15em;margin-top:.3em;padding-left:.7em;border-left:2px solid var(--border)}.search-card-indicator-line code{background:var(--bg3);padding:0 .25em;border-radius:2px;font-size:.92em;color:var(--fg1)}.search-card-indicator-line em,.search-card-indicator-kind{font-style:normal;color:var(--fg2);font-size:.9em;padding:0 .15em}.search-card-group-header{font-size:.95rem;margin:1.25em 0 .5em;color:var(--fg1);border-bottom:1px solid var(--border);padding-bottom:.3em}.search-card-group-header:first-child{margin-top:.25em}.search-card-group-count{color:var(--fg2);font-weight:normal;font-size:.85em}.search-card-indicator-kind--regex_match{color:#dc2626}.search-card-indicator-kind--cidr_match{color:#2563eb}.search-card-indicator-kind--eq,.search-card-indicator-kind--in{color:#16a34a}.search-card-indicator-kind--starts_with,.search-card-indicator-kind--ends_with{color:#ea580c}.search-card-indicator-kind--wildcard,.search-card-indicator-kind--match,.search-card-indicator-kind--contains{color:var(--link)}.search-card-indicator-kind--ne{color:#9333ea}.search-card-rule-desc{display:block}.search-card-badge-row{display:flex;flex-wrap:wrap;gap:.4em;align-items:baseline}.search-card-badge{display:inline-block;font-size:.7rem;padding:.05em .4em;border-radius:3px;background:var(--bg3);color:var(--fg1);white-space:nowrap}.search-card-badge--sev-critical{background:color-mix(in srgb,#dc2626 25%,var(--bg2))}.search-card-badge--sev-high{background:color-mix(in srgb,#ea580c 22%,var(--bg2))}.search-card-badge--sev-medium{background:color-mix(in srgb,#ca8a04 22%,var(--bg2))}.search-card-badge--sev-low{background:color-mix(in srgb,#2563eb 18%,var(--bg2))}.search-card-badge--sev-informational{background:var(--bg3)}.search-card--provider{border-left:3px solid var(--link);padding-left:calc(0.75em - 3px)}.search-card--provider .search-card-provider{color:var(--link);font-size:.95rem;font-weight:600}.search-card-primary{font-size:.95rem;line-height:1.4}.search-card-provider{color:var(--fg2);font-size:.85rem}.search-card-separator{color:var(--fg2);font-size:.85rem;margin:0 .15em}.search-card-id{color:var(--link);font-weight:600}.search-card-desc{color:var(--fg1)}.search-card-context{margin-top:.3em;padding-left:1em;font-size:.85rem;color:var(--fg2);line-height:1.5;overflow:hidden;text-overflow:ellipsis}.search-card-section{font-weight:600;color:var(--fg2);font-size:.8rem;text-transform:uppercase;letter-spacing:.03em}.filter-detail-item{display:block;margin-top:.15em;padding-left:1em;text-indent:-1em}.filter-detail-item:first-of-type{margin-top:0}.filter-detail-item code{color:var(--link);font-size:.85rem;padding:0;background:0}@media(max-width:600px){.mw-prefix{display:none}}.pattern .pattern-chain-source{color:var(--fg2);margin-bottom:.15em}.pattern .pattern-chain-source a{color:var(--link);text-decoration:none}@media(hover:hover){.pattern .pattern-chain-source a:hover{text-decoration:underline}}.pattern .pattern-chain-source-sep{display:inline-block;width:4ch}.pattern,.pattern-shape{border:1px solid var(--border);border-radius:4px;padding:.9em 1em;margin-bottom:.8em;background:var(--bg1)}.pattern:last-of-type,.pattern-shape:last-of-type{margin-bottom:0}.pattern[id],.pattern-shape[id]{scroll-margin-top:calc(var(--hf-height) + 1em)}.pattern:target,.pattern-shape:target{border-color:var(--link)}.pattern .p-title{display:flex;align-items:baseline;gap:.7em;flex-wrap:wrap}.pattern .p-title .p-name{font-weight:600;font-size:1.05em;color:var(--fg1);text-decoration:none}@media(hover:hover){.pattern .p-title a.p-name:hover{text-decoration:underline;color:var(--link)}}.pattern .p-title .p-tactic{color:var(--fg2);font-size:.88em}.pattern .p-desc{color:var(--fg2);margin:.4em 0 .7em;line-height:1.5}.pattern .chain-line,.pattern-shape .chain-line{font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-size:.88em;color:var(--fg2);margin:.3em 0;display:flex;flex-wrap:wrap;align-items:baseline;gap:.25em;line-height:1.6}.pattern .coverage .lbl{color:var(--fg2);text-transform:uppercase;letter-spacing:.06em;font-size:.75em;opacity:.75;margin-right:.7em;font-family:ui-sans-serif,system-ui,sans-serif}.pattern .chain-line .node a,.pattern-shape .chain-line .node a{color:var(--link);text-decoration:none;overflow-wrap:anywhere}.pattern .chain-line .node.cur,.pattern-shape .chain-line .node.cur{background:var(--bg2);padding:.05em .4em;border-radius:3px;border:1px solid var(--border)}.pattern .chain-line .node.cur a,.pattern-shape .chain-line .node.cur a{color:var(--fg1);font-weight:700;text-decoration:none;cursor:default}@media(hover:hover){.pattern .chain-line .node a:hover,.pattern-shape .chain-line .node a:hover{text-decoration:underline}.pattern .chain-line .node.cur a:hover,.pattern-shape .chain-line .node.cur a:hover{text-decoration:none}}.pattern .chain-line .arrow,.pattern-shape .chain-line .arrow{color:var(--fg2);opacity:.55;margin:0 .3em}.pattern .chain-line .joiner,.pattern-shape .chain-line .joiner{color:var(--fg2);opacity:.55;margin:0 .4em;font-style:italic}.pattern .chain-line .step-alts,.pattern-shape .chain-line .step-alts{display:inline-flex;align-items:baseline;gap:.2em}.pattern .chain-line .step-paren,.pattern-shape .chain-line .step-paren{color:var(--fg2);opacity:.55}.pattern .chain-line .joiner-alt,.pattern-shape .chain-line .joiner-alt{font-style:normal}.pattern .chain-line .arrow-step,.pattern-shape .chain-line .arrow-step{margin:0 .45em}.pattern .coverage{color:var(--fg2);font-size:.95em;margin:.3em 0 .5em;line-height:1.5}.pattern .coverage strong{color:var(--fg1);font-weight:600}.pattern details.pattern-rules{margin:.2em 0 0}.pattern details.pattern-rules>summary{cursor:pointer;color:var(--fg2);font-size:.9em;list-style:none;padding:.2em 0}.pattern details.pattern-rules>summary::-webkit-details-marker{display:none}.pattern details.pattern-rules>summary .caret{display:inline-block;width:.9em;color:var(--fg2);opacity:.7}.pattern details.pattern-rules[open]>summary .caret::before{content:"▾"}.pattern details.pattern-rules:not([open])>summary .caret::before{content:"▸"}.pattern .rule-group,.pattern-shape .rule-group{margin:.2em 0 .4em}.pattern .rule-group h4,.pattern-shape .rule-group h4{font-size:.78em;text-transform:uppercase;letter-spacing:.06em;color:var(--fg2);margin:.8em 0 .25em;font-weight:600}.pattern .rule-row,.pattern-shape .rule-row{display:grid;grid-template-columns:minmax(0,1fr) auto;gap:.7em;padding:.25em 0;border-top:1px solid var(--border);font-size:.95em}.pattern .rule-group .rule-row:first-of-type,.pattern-shape .rule-group .rule-row:first-of-type{border-top:0}.pattern .rule-row .title,.pattern-shape .rule-row .title{min-width:0;overflow:hidden;text-overflow:ellipsis}.pattern .rule-row .title a,.pattern-shape .rule-row .title a{color:var(--link);text-decoration:none}@media(hover:hover){.pattern .rule-row .title a:hover,.pattern-shape .rule-row .title a:hover{color:var(--link);text-decoration:underline}}.pattern .rule-row .rule-row-source-sep,.pattern-shape .rule-row .rule-row-source-sep{display:inline-block;width:4ch}.pattern .rule-row .author,.pattern-shape .rule-row .author{color:var(--fg2);opacity:.8;font-size:.88em}@media(max-width:600px){.pattern .rule-row,.pattern-shape .rule-row{grid-template-columns:minmax(0,1fr)}.pattern .rule-row .author:not(:empty),.pattern-shape .rule-row .author:not(:empty){margin-top:.15em}}.pattern-shape details>summary{cursor:pointer;list-style:none}.pattern-shape details>summary::-webkit-details-marker{display:none}.pattern-shape details>summary .caret{display:inline-block;width:.9em;color:var(--fg2);opacity:.7}.pattern-shape details[open]>summary .caret::before{content:"▾"}.pattern-shape details:not([open])>summary .caret::before{content:"▸"}.pattern-shape .shape-details{margin-top:.2em}.pattern-shape .shape-details>summary.shape-summary{color:var(--fg2);font-size:.88em;padding:.3em 0}@media(hover:hover){.pattern-shape .shape-details>summary.shape-summary:hover{color:var(--fg1)}}.pattern-shape .shape-summary strong{color:var(--fg1);font-weight:600}.pattern-shape .pattern-purpose{margin:0 0 .4em;font-size:1.05em;font-weight:600;color:var(--fg1);line-height:1.35}.pattern-shape .shape-rules-more{margin-top:.25em}.pattern-shape .shape-rules-overflow{margin:.25em 0 0;font-size:.9em}.pattern-shape .shape-rules-more>summary{cursor:pointer;color:var(--link);font-size:.9em;width:fit-content}@media(hover:hover){.pattern-shape .shape-rules-more>summary:hover{text-decoration:underline}}.event-detection-patterns .detection-patterns-more{margin-top:.8em}.event-detection-patterns .detection-patterns-more>summary{cursor:pointer;color:var(--link);width:fit-content;list-style:none}.event-detection-patterns .detection-patterns-more>summary::-webkit-details-marker{display:none}.event-detection-patterns .detection-patterns-more>summary::after{content:" \25BE";opacity:.6}.event-detection-patterns .detection-patterns-more[open]>summary::after{content:" \25B4"}.event-detection-patterns .detection-patterns-more[open]>summary{margin-bottom:.8em}@media(hover:hover){.event-detection-patterns .detection-patterns-more>summary:hover{text-decoration:underline}}.pattern-sources h3{font-size:.85em;margin:.7em 0 .2em}.pattern-refs ul{margin:0;padding-left:1.2em;line-height:1.5}.pattern-refs a{word-break:break-all}@media(max-width:480px){.event-body{padding:0 .25em .5em}.event-message{padding:.5em .5em}.pattern,.pattern-shape{padding:.6em .5em}.related-event-card{padding:.5em .5em}.detection-rules li{padding:.2em .25em}}.sigma-source-link{margin-left:.4em;font-size:.78em;color:var(--fg2);text-decoration:none;text-transform:uppercase;letter-spacing:.04em}.sigma-source-link:hover{text-decoration:underline}.event-section-prose{margin:0 0 .75em;font-size:.9em;color:var(--fg2)}.rule-eval-conditional{margin:0 0 .75rem;font-size:.88rem}.rule-eval-field{margin-bottom:.3rem;font-size:.9rem;font-weight:600;color:var(--fg1)}.rule-eval-field code{font-family:monospace;background:var(--bg1);padding:.05rem .3rem;border-radius:3px}.rule-eval-branch{display:flex;flex-wrap:wrap;align-items:baseline;gap:.25rem .5rem;padding:.15rem 0;padding-left:1.5rem;border-left:2px solid var(--border);margin-bottom:.15rem}.rule-eval-kw{font-family:monospace;font-size:.82rem;color:var(--fg2);min-width:3ch;flex-shrink:0}.rule-eval-cond{font-family:monospace;font-size:.82rem;background:var(--bg1);padding:.05rem .3rem;border-radius:3px;overflow-wrap:anywhere}.rule-eval-val{font-family:monospace;font-size:.82rem;background:var(--bg1);padding:.05rem .3rem;border-radius:3px;overflow-wrap:anywhere}@media(max-width:480px){.rule-eval-branch{padding-left:.75rem;flex-direction:column;gap:.15rem}}.esf-section{margin:1.75rem 0 0}.esf-section-heading{display:flex;flex-wrap:wrap;align-items:baseline;gap:.5rem}.esf-section-count{font-size:.75rem;font-weight:500;color:var(--fg2)}.esf-section-blurb{margin:.25rem 0 .75rem;font-size:.9rem;color:var(--fg2)}.esf-grouping-note{margin-bottom:1rem}.esf-group-label{margin:2.25rem 0 0;padding-top:1rem;border-top:1px solid var(--border);font-size:.8rem;font-weight:600;color:var(--fg2)}.event-section .esf-table-heading{margin-top:1.75rem;font-size:.92rem}.esf-auth-note{font-size:.85em;color:var(--fg2)}.reference-list{margin:.5rem 0 0;padding-left:1.25rem;font-size:.9rem}.reference-list li{margin:.35rem 0}.rules-index-page,.rule-page,.rules-event-page{max-width:1100px;margin:0 auto;padding:.5rem 1rem 1rem}.rules-intro{color:var(--fg2);line-height:1.55;margin:.5rem 0 1.25rem}.rules-coverage-about{color:var(--fg2);line-height:1.55;margin:0 0 1.5rem;max-width:70ch}.rules-coverage-about p{margin:0 0 .75rem}.rules-index-controls{display:flex;align-items:center;gap:.75rem;margin:1rem 0 .75rem}.rules-index-controls input{flex:1;max-width:36rem;padding:.45rem .65rem;font-family:inherit;font-size:.9rem;background:var(--bg1);color:var(--fg1);border:1px solid var(--border);border-radius:4px}.rules-framework-heading{margin:1rem 0 .4rem;font-size:1rem;font-weight:600;letter-spacing:.02em}.rules-toc{display:flex;flex-wrap:wrap;gap:.5rem 1rem;margin:.5rem 0 1.5rem;padding:.6rem .75rem;background:var(--bg2);border:1px solid var(--border);border-radius:4px;font-size:.88rem}.rules-toc-count{color:var(--fg2);font-size:.82rem}.rules-secondary-nav{margin:.5rem 0 1.5rem}.rules-secondary-nav>summary{cursor:pointer;user-select:none;list-style:none;display:inline-flex;align-items:baseline;gap:.45rem;padding:.4rem .75rem;border:1px solid var(--border);border-radius:5px;background:var(--bg1);color:var(--fg1);font-size:.9rem}.rules-secondary-nav>summary::-webkit-details-marker{display:none}.rules-secondary-nav>summary::before{content:"\25b8";color:var(--fg2);font-size:.8em}.rules-secondary-nav[open]>summary::before{content:"\25be"}.rules-secondary-nav>summary:hover{border-color:var(--fg2)}.rules-secondary-label{font-weight:600;letter-spacing:.02em}.rules-secondary-nav[open] .rules-framework-heading:first-of-type{margin-top:.6rem}.rules-tactic-section{margin:2rem 0}.rules-tactic-section h2{margin:0 0 .5rem;font-size:1.25rem;border-bottom:1px solid var(--border);padding-bottom:.3rem}.rules-section-meta{color:var(--fg2);font-weight:normal;font-size:.85rem;margin-left:.5rem}.rules-section-blurb{margin:0 0 .75rem;max-width:70ch;color:var(--fg2);font-size:.9rem;line-height:1.4}.rules-technique-block{margin:.4rem 0;padding:.4rem .6rem;border:1px solid var(--border);border-radius:4px;background:var(--bg2)}.rules-technique-block summary{cursor:pointer;display:flex;flex-wrap:wrap;align-items:baseline;gap:.5rem;font-weight:500}.rules-technique-link{color:var(--link)}.rules-technique-count{color:var(--fg2);font-size:.82rem;margin-left:auto}.rules-list{list-style:none;margin:.5rem 0 0;padding:0}.rules-list li{padding:.18rem 0;font-size:.92rem;line-height:1.4}.rules-meta{color:var(--fg2);font-size:.82rem}.rules-filter-bar{display:flex;flex-wrap:wrap;gap:.5rem;margin:.6rem 0 1.3rem}.rules-filter-group{position:relative;font-size:.86rem}.rules-filter-group>summary{cursor:pointer;user-select:none;list-style:none;display:inline-flex;align-items:baseline;gap:.35rem;padding:.3rem .7rem;border:1px solid var(--border);border-radius:5px;background:var(--bg1);color:var(--fg1);white-space:nowrap}.rules-filter-group>summary::-webkit-details-marker{display:none}.rules-filter-group>summary::after{content:"\25be";color:var(--fg2);font-size:.7em}.rules-filter-group[open]>summary,.rules-filter-group>summary:hover{border-color:var(--fg2)}.rules-filter-meta{color:var(--fg2);font-size:.78rem;font-variant-numeric:tabular-nums}.rules-filter-panel{position:absolute;z-index:20;top:calc(100% + 4px);left:0;min-width:12rem;max-width:min(22rem,90vw);padding:.6rem .75rem;background:var(--bg1);border:1px solid var(--border);border-radius:6px;box-shadow:0 4px 14px rgba(0,0,0,0.18)}.rules-filter-bulk{display:flex;align-items:center;gap:.4rem;margin-bottom:.5rem;padding-bottom:.45rem;border-bottom:1px solid var(--border)}.rules-filter-bulk-btn{cursor:pointer;background:0;border:0;padding:0;font:inherit;font-size:.8rem;color:var(--link)}.rules-filter-bulk-btn:hover{text-decoration:underline}.rules-filter-bulk-sep{color:var(--fg2)}.rules-filter-options{display:flex;flex-wrap:wrap;gap:.4rem .85rem}.rules-filter-chip{display:inline-flex;align-items:center;gap:.35rem;cursor:pointer;user-select:none;white-space:nowrap}.rules-filter-chip input{margin:0;cursor:pointer}.rules-filter-chip .rule-vendor,.rules-filter-chip .rule-status,.rules-filter-chip .rules-categorical-label{font-size:inherit;font-family:inherit;text-transform:none;text-decoration:none;letter-spacing:normal;font-weight:normal;font-style:normal;min-width:0;margin:0;color:var(--fg1)}.rules-filter-count{color:var(--fg2);font-size:.78rem;font-variant-numeric:tabular-nums}@media(max-width:600px){.rules-filter-group{width:100%}.rules-filter-group>summary{width:100%;box-sizing:border-box;justify-content:space-between}.rules-filter-panel{position:static;max-width:none;margin-top:.3rem;box-shadow:none}}.rules-expand-controls{margin:.4rem 0 .8rem}.rules-expand-toggle{cursor:pointer;font-size:.82rem;color:var(--fg2);background:var(--bg1);border:1px solid var(--border);border-radius:4px;padding:.25rem .6rem}.rules-expand-toggle:hover{color:var(--fg1);border-color:var(--fg2)}.rule-vendor{display:inline-block;font-size:.78rem;font-family:monospace;color:var(--fg2);text-transform:uppercase;letter-spacing:.04em;margin-right:.4rem;min-width:3.6rem}.rule-vendor--sigma{color:var(--syn-key)}.rule-vendor--elastic{color:var(--syn-num)}.rule-vendor--splunk{color:var(--syn-str)}.rule-vendor--kusto{color:var(--syn-bool)}.rule-vendor--chronicle{color:var(--syn-bool);font-style:italic}.rule-status{display:inline-block;font-size:.78rem;font-family:monospace;text-transform:uppercase;letter-spacing:.04em;margin-left:.3em}.rule-status--production,.rule-status--stable,.rule-status--available{color:var(--syn-str)}.rule-status--experimental,.rule-status--development,.rule-status--validation,.rule-status--test,.rule-status--testing{color:var(--syn-num)}.rule-status--deprecated,.rule-status--unsupported{color:var(--fg2);text-decoration:line-through}.rule-eyebrow{font-size:.85rem;color:var(--fg2);margin:0 0 .25rem}.rule-header h1{margin:0 0 .4rem;line-height:1.25;font-size:1.6rem;overflow-wrap:anywhere}dl.rule-header-meta{display:grid;grid-template-columns:max-content 1fr;column-gap:.75rem;row-gap:.15rem;color:var(--fg2);margin:0 0 .6rem;font-size:.92rem;line-height:1.4}dl.rule-header-meta dt{font-size:.78rem;text-transform:uppercase;letter-spacing:.05em;font-family:monospace;color:var(--fg2);margin:0;align-self:baseline}dl.rule-header-meta dd{margin:0;color:var(--fg1);align-self:baseline;overflow-wrap:anywhere}p.rule-header-meta{color:var(--fg2);margin:0 0 .6rem;font-size:.92rem;line-height:1.5}.rule-description{margin:.6rem 0 0;line-height:1.55;overflow-wrap:anywhere}.rule-parse-failed{margin:1rem 0;padding:.65rem .8rem;border-left:3px solid var(--syn-num);background:var(--bg2);border-radius:0 4px 4px 0;font-size:.92rem}.rule-not-detection-note{margin:.75rem 0 0;padding:.65rem .8rem;border-left:3px solid var(--syn-num);background:var(--bg2);border-radius:0 4px 4px 0;font-size:.9rem;line-height:1.5}.rule-section{margin:1.75rem 0}.rule-section h2{font-size:1.2rem;margin:0 0 .5rem;border-bottom:1px solid var(--border);padding-bottom:.3rem}.rule-subheading{font-size:1rem;margin:1.4rem 0 .4rem;font-weight:600;color:var(--fg1)}.rule-section-prose{color:var(--fg2);margin:0 0 .6rem;font-size:.9rem;line-height:1.5}.rule-section-prose code{font-size:.85em;padding:0 .2em;background:var(--bg2);border-radius:2px}.rule-authoring-table{table-layout:auto}.rule-authoring-table code{font-size:.82rem}.rule-authoring-kinds{color:var(--fg2);font-size:.85rem}.rule-authoring-samples{color:var(--fg2);font-size:.82rem;word-break:break-all}.rule-authoring-value{word-break:break-all;max-width:32rem}.rule-authoring-table td:first-child{white-space:nowrap}.rule-authoring-scroll{width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}@media(max-width:700px){.rule-authoring-table{font-size:.82rem;min-width:36rem}.rule-authoring-table th,.rule-authoring-table td{padding:.35rem .45rem}.rule-authoring-samples,.rule-authoring-value{word-break:normal;max-width:18rem}}.rule-mitre-table,.rule-events-table,.rule-exclusions-table,.rule-search-terms-table,.rule-participants-table,.rule-indicators-table{width:100%;border-collapse:separate;border-spacing:0;font-size:.9rem;background:var(--bg2);border:1px solid var(--border);border-radius:4px;overflow:hidden}.rule-mitre-table th,.rule-events-table th,.rule-exclusions-table th,.rule-search-terms-table th,.rule-participants-table th,.rule-indicators-table th{text-align:left;font-weight:600;font-size:.82rem;color:var(--fg2);background:var(--bg1);padding:.5rem .65rem;border:0;border-bottom:1px solid var(--border)}.rule-mitre-table td,.rule-events-table td,.rule-exclusions-table td,.rule-search-terms-table td,.rule-participants-table td,.rule-indicators-table td{padding:.4rem .65rem;border:0;border-bottom:1px solid var(--border);vertical-align:top}.rule-mitre-table tr:last-child td,.rule-events-table tr:last-child td,.rule-exclusions-table tr:last-child td,.rule-search-terms-table tr:last-child td,.rule-participants-table tr:last-child td,.rule-indicators-table tr:last-child td{border-bottom:0}.rule-participants-table th:nth-child(1),.rule-participants-table td:nth-child(1){width:1%;white-space:nowrap}.rule-events-table th:nth-child(1),.rule-events-table td:nth-child(1){width:1%;white-space:nowrap}.rule-events-table th:nth-child(2),.rule-events-table td:nth-child(2){width:1%;white-space:nowrap;font-variant-numeric:tabular-nums;text-align:right}.rule-events-table th:nth-child(3),.rule-events-table td:nth-child(3){width:auto}.rule-mitre-table th:nth-child(1),.rule-mitre-table td:nth-child(1){width:1%;white-space:nowrap}.rule-mitre-table th:nth-child(2),.rule-mitre-table td:nth-child(2){width:auto}.rule-indicators-table th:nth-child(1),.rule-indicators-table td:nth-child(1){width:1%;white-space:nowrap}.rule-indicators-table th:nth-child(2),.rule-indicators-table td:nth-child(2){width:1%;white-space:nowrap}.rule-indicators-table th:nth-child(3),.rule-indicators-table td:nth-child(3){width:auto}.rule-num{text-align:right;white-space:nowrap;font-variant-numeric:tabular-nums;color:var(--fg2);width:5rem}.rule-mitre-tactic{white-space:nowrap;font-weight:500;width:12rem}.rule-stage{margin:.9rem 0;padding:.7rem .9rem;background:var(--bg2);border:1px solid var(--border);border-radius:4px}.rule-stage h3{margin:0 0 .4rem;font-size:1rem}.rule-stage-negated{color:var(--syn-num);font-weight:normal;font-size:.85rem}.rule-stage-eid{margin-left:.4rem;font-size:.78rem;font-family:monospace;color:var(--fg2);font-weight:normal}.rule-stage-meta{list-style:none;margin:0 0 .5rem;padding:0;display:flex;flex-wrap:wrap;gap:.4rem 1rem;font-size:.85rem;color:var(--fg2)}.rule-stage-meta li code{font-family:monospace;background:var(--bg1);padding:.05rem .3rem;border-radius:3px}.rule-participant-head{margin:0 0 .35rem;font-size:.95rem;font-weight:600}.rule-condition-list{list-style:none;margin:0;padding:0;display:flex;flex-direction:column;gap:.25rem}.rule-condition-list code{font-family:monospace;font-size:.85rem;background:var(--bg1);padding:.1rem .35rem;border-radius:3px;overflow-wrap:anywhere}dl.rule-corr-meta{display:grid;grid-template-columns:max-content 1fr;column-gap:.75rem;row-gap:.3rem;margin:0 0 .6rem;font-size:.88rem}dl.rule-corr-meta dt{font-size:.78rem;text-transform:uppercase;letter-spacing:.05em;font-family:monospace;color:var(--fg2);margin:0}dl.rule-corr-meta dd{margin:0;color:var(--fg1);overflow-wrap:anywhere}dl.rule-corr-meta dd code{font-family:monospace;font-size:.85rem}.rule-stage-pred summary{cursor:pointer;font-size:.88rem;color:var(--fg2);margin-bottom:.3rem}.rule-stage-pred-body{margin:0;padding:.6rem .75rem;background:var(--bg1);border:1px solid var(--border);border-radius:4px;overflow-x:auto;font-size:.82rem;line-height:1.45;white-space:pre-wrap;overflow-wrap:anywhere;word-break:normal;tab-size:2}.rule-stage-pred-body code{background:transparent;padding:0;font-family:monospace}.rule-stage-pred-body .line{display:block;padding-left:4ch;text-indent:-4ch}.rule-meta{color:var(--fg2);font-size:.85rem}.rules-event-page .rule-section h2{font-size:1.1rem}.rule-body-section h2{display:flex;align-items:baseline;gap:.5rem}.rule-body-lang{font-size:.78rem;font-weight:normal;color:var(--fg2);text-transform:uppercase;letter-spacing:.05em;font-family:monospace}.rule-body-code{border:1px solid var(--border);border-radius:4px;max-height:36rem;overflow:auto}.rule-body-code pre,.rule-body-code .highlight{margin:0;border-radius:0}.rule-body-code .spl-line .kr,.rule-stage-pred-body .spl-line .kr{color:var(--syn-bool);font-weight:bold}.rule-body-code .spl-line .nf,.rule-body-code .spl-line .fm,.rule-stage-pred-body .spl-line .nf,.rule-stage-pred-body .spl-line .fm{color:var(--syn-key);font-weight:500}.rule-body-code .spl-line .nv,.rule-stage-pred-body .spl-line .nv{color:var(--fg1)}.rule-body-code .spl-line .o,.rule-body-code .spl-line .p,.rule-stage-pred-body .spl-line .o,.rule-stage-pred-body .spl-line .p{color:var(--syn-punct)}.rule-body-code .spl-line .k,.rule-stage-pred-body .spl-line .k{color:var(--syn-bool)}.rule-body-code .eql-line .kr,.rule-body-code .eql-line .k,.rule-stage-pred-body .eql-line .kr,.rule-stage-pred-body .eql-line .k{color:var(--syn-bool);font-weight:bold}.rule-body-code .eql-line .kc,.rule-stage-pred-body .eql-line .kc{color:var(--syn-bool)}.rule-body-code .eql-line .nf,.rule-stage-pred-body .eql-line .nf{color:var(--syn-key);font-weight:500}.rule-body-code .eql-line .nv,.rule-stage-pred-body .eql-line .nv{color:var(--fg1)}.rule-body-code .eql-line .o,.rule-body-code .eql-line .p,.rule-stage-pred-body .eql-line .o,.rule-stage-pred-body .eql-line .p{color:var(--syn-punct)}.rule-body-code .kql-line .kr,.rule-body-code .kql-line .k,.rule-stage-pred-body .kql-line .kr,.rule-stage-pred-body .kql-line .k{color:var(--syn-bool);font-weight:bold}.rule-body-code .kql-line .kc,.rule-stage-pred-body .kql-line .kc{color:var(--syn-bool)}.rule-body-code .kql-line .nf,.rule-body-code .kql-line .fm,.rule-stage-pred-body .kql-line .nf,.rule-stage-pred-body .kql-line .fm{color:var(--syn-key);font-weight:500}.rule-body-code .kql-line .nv,.rule-stage-pred-body .kql-line .nv{color:var(--fg1)}.rule-body-code .kql-line .o,.rule-body-code .kql-line .p,.rule-stage-pred-body .kql-line .o,.rule-stage-pred-body .kql-line .p{color:var(--syn-punct)}.rule-indicator-values{list-style:none;margin:0;padding:0}.rule-indicator-values li{padding:.1rem 0;line-height:1.45}.rule-indicator-values li+li{border-top:1px dashed var(--border);padding-top:.2rem;margin-top:.1rem}.rule-indicator-values code{word-break:break-word}.rule-regex-alternatives{list-style:none;margin:0;padding:0}.rule-regex-alternatives li{padding:.05rem 0;line-height:1.4}.rule-compare-vendor{margin:1.2rem 0 .5rem;font-size:1rem}.rule-compare-list{display:flex;flex-direction:column;gap:.5rem}.rule-compare-card{border:1px solid var(--border);background:var(--bg2);border-radius:4px;padding:.5rem .75rem}.rule-compare-card summary{cursor:pointer;display:flex;flex-wrap:wrap;align-items:baseline;gap:.4rem .75rem}.rule-compare-title{font-weight:500}.rule-compare-body{margin-top:.6rem;padding-top:.6rem;border-top:1px solid var(--border);font-size:.88rem}.rule-compare-meta{margin:.4rem 0 .25rem;font-size:.85rem;color:var(--fg2)}.rule-compare-exclusions,.rule-compare-indicators{list-style:disc;margin:0 0 .4rem 1.25rem;padding:0;font-size:.84rem}.rule-compare-exclusions li,.rule-compare-indicators li{padding:.08rem 0}.attack-technique-links{margin:0 0 .5rem;font-size:.88rem}@media(max-width:600px){.rule-header h1{font-size:1.3rem}.rules-index-controls{flex-direction:column;align-items:stretch;gap:.3rem}.rules-index-controls input{max-width:none}.rules-toc{gap:.35rem .7rem}.rule-mitre-table,.rule-events-table,.rule-exclusions-table,.rule-search-terms-table,.rule-participants-table,.rule-indicators-table{font-size:.84rem}.rule-mitre-table td,.rule-events-table td,.rule-exclusions-table td,.rule-search-terms-table td,.rule-participants-table td,.rule-indicators-table td{padding:.35rem .45rem;word-break:break-word;overflow-wrap:anywhere}.rule-stage-pred-body{font-size:.78rem}.rules-technique-block summary{flex-direction:column;align-items:flex-start}.rules-technique-count{margin-left:0}.rule-stage-pred-body,.rule-body-code,.rule-compare-card pre{max-width:100%}}.mql-fires-scope{margin:.2rem 0}.mql-fires-summary{margin:.1rem 0 .7rem;color:var(--fg2)}.mql-req-list{margin:.3rem 0;padding-left:1.5rem}.mql-req-list>li.mql-req-item{margin:.3rem 0}.mql-req-single{list-style:none;padding-left:0}.mql-sub-list{list-style:disc;margin:.2rem 0;padding-left:1.2rem}.mql-sub-list>li{margin:.15rem 0}.mql-req-text,.mql-fires-patterns>summary{overflow-wrap:anywhere}.mql-req-detail>summary,.mql-fires-patterns>summary{cursor:pointer}.mql-req-detail[open]>summary{margin-bottom:.2rem}.mql-fires-patterns ul{margin:.25rem 0 .5rem 1.1rem}.mql-inspects dt{font-weight:600;margin-top:.45rem}.mql-inspects dd{margin:.1rem 0 0}.mql-indicators{border-collapse:separate;border-spacing:0;font-size:.9em;margin-top:.3rem}.mql-indicators td,.mql-indicators th{text-align:left;padding:.12rem .7rem .12rem 0;vertical-align:top}.mql-indicators-more>summary{cursor:pointer;color:var(--link)}.provider-provenance .provenance-binary{margin:.4rem 0 .6rem}.provider-provenance .provenance-binary code,.provider-provenance .provenance-observation code{background:var(--code-bg);font-family:var(--font-mono);font-size:.85em;padding:.05em .35em;border-radius:4px;word-break:break-all}.provenance-sources{margin:.4rem 0 0;padding-left:1.2rem}.provenance-sources li{padding:.2rem 0;font-size:.9rem;line-height:1.4}.provenance-observations{list-style:none;margin:0;padding:0}.provenance-observation{padding:.4rem 0;border-top:1px solid var(--border);color:var(--fg2);font-size:.9rem}.provenance-observation:first-child{border-top:0;padding-top:0}.provenance-observation .obs-build{color:var(--fg1);font-family:var(--font-mono)}.provenance-observation .obs-method{color:var(--fg2)}.provenance-obs-label{margin:.7rem 0 .2rem;color:var(--fg2);font-size:.9rem}.provenance-observation .obs-note{margin:.3rem 0 0;font-size:.85rem;line-height:1.4}.provider-provenance .provenance-subhead{margin-top:1em}.provider-download-list{list-style:none;margin:0;padding:0}.provider-download-list li{padding:.2rem 0;color:var(--fg2);font-size:.9rem}.provider-download-list a{color:var(--link);font-family:var(--font-mono);word-break:break-all}.download-kind{margin-left:.4rem;padding:.03em .4em;background:var(--badge-bg);color:var(--badge-fg);border-radius:4px;font-size:.72em;text-transform:uppercase;white-space:nowrap}