diff --git a/audit.rules b/audit.rules
index 03ed184..222ca04 100644
--- a/audit.rules
+++ b/audit.rules
@@ -48,7 +48,8 @@
 ## Audit the audit logs
 ### Successful and unsuccessful attempts to read information from the audit records
 -w /var/log/audit/ -p wra -k auditlog
--w /var/audit/ -p wra -k auditlog
+#-w /var/log/audit/ -p wra -k T1005_Data_From_Local_System_audit_log
+#-w /var/audit/ -p wra -k T1005_Data_From_Local_System_audit_log
 ## Auditd configuration
 ### Modifications to audit configuration that occur while the audit collection functions are operating
@@ -64,11 +65,11 @@
 ## Access to all audit trails
--a always,exit -F path=/usr/sbin/ausearch -F perm=x -k audittools
--a always,exit -F path=/usr/sbin/aureport -F perm=x -k audittools
--a always,exit -F path=/usr/sbin/aulast -F perm=x -k audittools
--a always,exit -F path=/usr/sbin/aulastlogin -F perm=x -k audittools
--a always,exit -F path=/usr/sbin/auvirt -F perm=x -k audittools
+-a always,exit -F path=/usr/sbin/ausearch -F perm=x -k T1005_Data_From_Local_System_audit_log
+-a always,exit -F path=/usr/sbin/aureport -F perm=x -k T1005_Data_From_Local_System_audit_log
+-a always,exit -F path=/usr/sbin/aulast -F perm=x -k T1005_Data_From_Local_System_audit_log
+-a always,exit -F path=/usr/sbin/aulastlogin -F perm=x -k T1005_Data_From_Local_System_audit_log
+-a always,exit -F path=/usr/sbin/auvirt -F perm=x -k T1005_Data_From_Local_System_audit_log
 # Filters ---------------------------------------------------------------------
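Review bot: The active watch on `/var/log/audit/` keeps key `auditlog` while its commented-out duplicate and the audit-tool rules in the next hunk use `T1005_Data_From_Local_System_audit_log`, so events on the audit log directory and ausearch/aureport executions no longer share a key and `ausearch -k` will not return both. Either re-key the live line, `-w /var/log/audit/ -p wra -k T1005_Data_From_Local_System_audit_log`, or drop the commented duplicate so the file has one rule per path. The `/var/audit/` watch is now commented out, which is a deliberate coverage change, but the `### Successful and unsuccessful attempts to read information from the audit records` header above still describes both paths.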
@@ -85,19 +86,27 @@
 -a never,exit -F subj_type=crond_t
 ## This prevents chrony from overwhelming the logs
--a never,exit -F arch=b64 -S adjtimex -F auid=-1 -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
+-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
 ## This is not very interesting and wastes a lot of space if the server is public facing
 -a always,exclude -F msgtype=CRYPTO_KEY_USER
-## Open VM Tools
+## VMware tools
+-a never,exit -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
+-a never,exit -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
+
+-a exit,never -F arch=b32 -S all -F exe=/usr/bin/vmtoolsd
 -a exit,never -F arch=b64 -S all -F exe=/usr/bin/vmtoolsd
 ## High Volume Event Filter (especially on Linux Workstations)
+-a never,exit -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
 -a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
+-a never,exit -F arch=b32 -F dir=/var/lock/lvm -k locklvm
 -a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
 ## FileBeat
+-a never,exit -F arch=b32 -F path=/opt/filebeat -k filebeat
 -a never,exit -F arch=b64 -F path=/opt/filebeat -k filebeat
 ## More information on how to filter events
@@ -114,6 +123,7 @@
 -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
 -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
 -a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
+-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
 ## Modprobe configuration
 -w /etc/modprobe.conf -p wa -k modprobe
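Review bot: The new chrony filters spell the unset loginuid as `auid=unset`, while the b32 module rule added in the next hunk keeps `auid!=-1` and the rootcmd rules in the last hunk switch to `auid!=4294967295`; all three denote the same value, but mixing them in one file makes the rules harder to grep, and `unset` is, as far as I recall, only accepted by newer auditctl releases, so older tooling would reject these two lines and, unless the rules file sets `-c`, stop loading everything after them. Pick one spelling for the whole file (`-1` is what the untouched rules use) and apply it to every line this commit adds. The b32 copies introduced here and in the following hunks will also fail to load on kernels built without 32-bit syscall compatibility, which deserves a comment at the top of the file if the ruleset is meant to be portable.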
@@ -121,39 +131,40 @@
 ## KExec usage (all actions)
 -a always,exit -F arch=b64 -S kexec_load -k KEXEC
+-a always,exit -F arch=b32 -S sys_kexec_load -k KEXEC
 ## Special files
--a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles
+#-a always,exit -F arch=b32 -S mknod -S mknodat -k specialfiles
+#-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles
 ## Mount operations (only attributable)
--a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount
-
 ### NFS mount
--a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+#-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount
+#-a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k mount
 ## Change swap (only attributable)
--a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
+#-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
+#-a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap
 ## Time
--a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time
+#-a always,exit -F arch=b32 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time
+#-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time
 ### Local time zone
--w /etc/localtime -p wa -k localtime
+#-w /etc/localtime -p wa -k localtime
 ## Stunnel
 -w /usr/sbin/stunnel -p x -k stunnel
 -w /usr/bin/stunnel -p x -k stunnel
 ## Cron configuration & scheduled jobs
--w /etc/cron.allow -p wa -k cron
--w /etc/cron.deny -p wa -k cron
--w /etc/cron.d/ -p wa -k cron
--w /etc/cron.daily/ -p wa -k cron
--w /etc/cron.hourly/ -p wa -k cron
--w /etc/cron.monthly/ -p wa -k cron
--w /etc/cron.weekly/ -p wa -k cron
--w /etc/crontab -p wa -k cron
--w /var/spool/cron/ -p wa -k cron
+#-w /etc/cron.allow -p wa -k cron
+#-w /etc/cron.deny -p wa -k cron
+#-w /etc/cron.d/ -p wa -k cron
+#-w /etc/cron.daily/ -p wa -k cron
+#-w /etc/cron.hourly/ -p wa -k cron
+#-w /etc/cron.monthly/ -p wa -k cron
+#-w /etc/cron.weekly/ -p wa -k cron
+#-w /etc/crontab -p wa -k cron
+#-w /var/spool/cron/ -p wa -k cron
 ## User, group, password databases
 -w /etc/group -p wa -k etcgroup
@@ -187,17 +198,22 @@
 ## Network Environment
 ### Changes to hostname
--a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
+#-a always,exit -F arch=b32 -S sethostname -S setdomainname -k network_modifications
+#-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
 ### Detect Remote Shell Use
--a always,exit -F arch=b64 -F exe=/bin/bash -F success=1 -S connect -k "remote_shell"
--a always,exit -F arch=b64 -F exe=/usr/bin/bash -F success=1 -S connect -k "remote_shell"
+#-a always,exit -F arch=b32 -F exe=/bin/bash -F success=1 -S connect -k "remote_shell"
+#-a always,exit -F arch=b64 -F exe=/bin/bash -F success=1 -S connect -k "remote_shell"
+#-a always,exit -F arch=b32 -F exe=/usr/bin/bash -F success=1 -S connect -k "remote_shell"
+#-a always,exit -F arch=b64 -F exe=/usr/bin/bash -F success=1 -S connect -k "remote_shell"
 ### Successful IPv4 Connections
--a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F key=network_connect_4
+#-a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F key=network_connect_4
+#-a always,exit -F arch=b32 -S connect -F a2=16 -F success=1 -F key=network_connect_4
 ### Successful IPv6 Connections
--a always,exit -F arch=b64 -S connect -F a2=28 -F success=1 -F key=network_connect_6
+#-a always,exit -F arch=b64 -S connect -F a2=28 -F success=1 -F key=network_connect_6
+#-a always,exit -F arch=b32 -S connect -F a2=28 -F success=1 -F key=network_connect_6
 ### Changes to other files
 -w /etc/hosts -p wa -k network_modifications
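Review bot: The new b32 KEXEC rule names the syscall `sys_kexec_load`, whereas the b64 line directly above it and every other rule in the file use the bare name; auditctl resolves `-S` names against its per-architecture syscall table, which lists `kexec_load` without a `sys_` prefix, so I expect this line to be rejected as an unknown syscall and, unless the rules file sets `-c`, to abort loading of everything after it. Change it to `-a always,exit -F arch=b32 -S kexec_load -k KEXEC`. The b32 mount rule in the same hunk is commented out, so its extra `umount` name is inert here, but keeping syscall names consistent across the b32/b64 pairs this commit adds would avoid the same class of load failure later.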
@@ -244,18 +260,9 @@
 -w /root/.ssh -p wa -k rootkey
 # Systemd
--w /bin/systemctl -p x -k systemd
--w /etc/systemd/ -p wa -k systemd
--w /usr/lib/systemd -p wa -k systemd
-
 ## https://systemd.network/systemd.generator.html
--w /etc/systemd/system-generators/ -p wa -k systemd_generator
--w /usr/local/lib/systemd/system-generators/ -p wa -k systemd_generator
--w /usr/lib/systemd/system-generators -p wa -k systemd_generator
-
--w /etc/systemd/user-generators/ -p wa -k systemd_generator
--w /usr/local/lib/systemd/user-generators/ -p wa -k systemd_generator
--w /lib/systemd/system-generators/ -p wa -k systemd_generator
+#-w /bin/systemctl -p x -k systemd
+#-w /etc/systemd/ -p wa -k systemd
+#-w /usr/lib/systemd -p wa -k systemd
 ## SELinux events that modify the system's Mandatory Access Controls (MAC)
 -w /etc/selinux/ -p wa -k mac_policy
@@ -271,8 +278,10 @@
 -a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess
 ## Process ID change (switching accounts) applications
--w /bin/su -p x -k priv_esc
--w /usr/bin/sudo -p x -k priv_esc
+#-w /bin/su -p x -k priv_esc
+#-w /usr/bin/sudo -p x -k priv_esc
+#-w /etc/sudoers -p rw -k priv_esc
+#-w /etc/sudoers.d -p rw -k priv_esc
 ## Power state
 -w /sbin/shutdown -p x -k power
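Review bot: The two new (commented) sudoers watches use `-p rw`, which would log every read of `/etc/sudoers` — sudo parses it on each invocation — while missing ownership and mode changes, which is the opposite of what a privilege-escalation watch needs. If they are meant to be enabled later, write them as `#-w /etc/sudoers -p wa -k priv_esc` and `#-w /etc/sudoers.d -p wa -k priv_esc`, matching the `-p wa` used by the other configuration-file watches in this file.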
@@ -286,6 +295,19 @@
 -w /var/log/wtmp -p wa -k session
 ## Discretionary Access Control (DAC) modifications
+-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
 -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=-1 -k perm_mod
 -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -k perm_mod
 -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_mod
@@ -303,12 +325,12 @@
 # Special Rules ---------------------------------------------------------------
 ## Reconnaissance
--w /usr/bin/whoami -p x -k recon
--w /usr/bin/id -p x -k recon
--w /bin/hostname -p x -k recon
--w /bin/uname -p x -k recon
--w /etc/issue -p r -k recon
--w /etc/hostname -p r -k recon
+#-w /usr/bin/whoami -p x -k recon
+#-w /usr/bin/id -p x -k recon
+#-w /bin/hostname -p x -k recon
+#-w /bin/uname -p x -k recon
+#-w /etc/issue -p r -k recon
+#-w /etc/hostname -p r -k recon
 ## Suspicious activity
 -w /usr/bin/wget -p x -k susp_activity
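Review bot: The thirteen new b32 perm_mod rules are written one syscall per rule, mirroring the b64 block below them, so as far as I can tell every syscall exit now walks thirteen more filter entries for the same result; auditctl accepts a comma-separated list in `-S` (this file already uses that form in the `file_creation` rules near the end), and a single `-a always,exit -F arch=b32 -S chmod,chown,fchmod,fchmodat,fchown,fchownat,fremovexattr,fsetxattr,lchown,lremovexattr,lsetxattr,removexattr,setxattr -F auid>=1000 -F auid!=-1 -k perm_mod` yields the same events with one entry. The same applies to the existing b64 block, which starts in this hunk but continues outside it.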
@@ -327,55 +349,48 @@
 -w /usr/bin/wireshark -p x -k susp_activity
 -w /usr/bin/tshark -p x -k susp_activity
 -w /usr/bin/rawshark -p x -k susp_activity
--w /usr/bin/rdesktop -p x -k susp_activity
--w /usr/local/bin/rdesktop -p x -k susp_activity
+-w /usr/bin/rdesktop -p x -k T1219_Remote_Access_Tools
+-w /usr/local/bin/rdesktop -p x -k T1219_Remote_Access_Tools
 -w /usr/bin/wlfreerdp -p x -k susp_activity
--w /usr/bin/xfreerdp -p x -k susp_activity
--w /usr/local/bin/xfreerdp -p x -k susp_activity
+-w /usr/bin/xfreerdp -p x -k T1219_Remote_Access_Tools
+-w /usr/local/bin/xfreerdp -p x -k T1219_Remote_Access_Tools
 -w /usr/bin/nmap -p x -k susp_activity
-## sssd
--a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-
 ## T1002 Data Compressed
--w /usr/bin/zip -p x -k Data_Compressed
--w /usr/bin/gzip -p x -k Data_Compressed
--w /usr/bin/tar -p x -k Data_Compressed
--w /usr/bin/bzip2 -p x -k Data_Compressed
+-w /usr/bin/zip -p x -k T1002_Data_Compressed
+-w /usr/bin/gzip -p x -k T1002_Data_Compressed
+-w /usr/bin/tar -p x -k T1002_Data_Compressed
+-w /usr/bin/bzip2 -p x -k T1002_Data_Compressed
--w /usr/bin/lzip -p x -k Data_Compressed
--w /usr/local/bin/lzip -p x -k Data_Compressed
+-w /usr/bin/lzip -p x -k T1002_Data_Compressed
+-w /usr/local/bin/lzip -p x -k T1002_Data_Compressed
--w /usr/bin/lz4 -p x -k Data_Compressed
--w /usr/local/bin/lz4 -p x -k Data_Compressed
+-w /usr/bin/lz4 -p x -k T1002_Data_Compressed
+-w /usr/local/bin/lz4 -p x -k T1002_Data_Compressed
--w /usr/bin/lzop -p x -k Data_Compressed
--w /usr/local/bin/lzop -p x -k Data_Compressed
+-w /usr/bin/lzop -p x -k T1002_Data_Compressed
+-w /usr/local/bin/lzop -p x -k T1002_Data_Compressed
--w /usr/bin/plzip -p x -k Data_Compressed
--w /usr/local/bin/plzip -p x -k Data_Compressed
+-w /usr/bin/plzip -p x -k T1002_Data_Compressed
+-w /usr/local/bin/plzip -p x -k T1002_Data_Compressed
--w /usr/bin/pbzip2 -p x -k Data_Compressed
--w /usr/local/bin/pbzip2 -p x -k Data_Compressed
+-w /usr/bin/pbzip2 -p x -k T1002_Data_Compressed
+-w /usr/local/bin/pbzip2 -p x -k T1002_Data_Compressed
--w /usr/bin/lbzip2 -p x -k Data_Compressed
--w /usr/local/bin/lbzip2 -p x -k Data_Compressed
+-w /usr/bin/lbzip2 -p x -k T1002_Data_Compressed
+-w /usr/local/bin/lbzip2 -p x -k T1002_Data_Compressed
--w /usr/bin/pixz -p x -k Data_Compressed
--w /usr/local/bin/pixz -p x -k Data_Compressed
+-w /usr/bin/pixz -p x -k T1002_Data_Compressed
+-w /usr/local/bin/pixz -p x -k T1002_Data_Compressed
--w /usr/bin/pigz -p x -k Data_Compressed
--w /usr/local/bin/pigz -p x -k Data_Compressed
--w /usr/bin/unpigz -p x -k Data_Compressed
--w /usr/local/bin/unpigz -p x -k Data_Compressed
+-w /usr/bin/pigz -p x -k T1002_Data_Compressed
+-w /usr/local/bin/pigz -p x -k T1002_Data_Compressed
+-w /usr/bin/unpigz -p x -k T1002_Data_Compressed
+-w /usr/local/bin/unpigz -p x -k T1002_Data_Compressed
--w /usr/bin/zstd -p x -k Data_Compressed
--w /usr/local/bin/zstd -p x -k Data_Compressed
+-w /usr/bin/zstd -p x -k T1002_Data_Compressed
+-w /usr/local/bin/zstd -p x -k T1002_Data_Compressed
 ## Added to catch netcat on Ubuntu
 -w /bin/nc.openbsd -p x -k susp_activity
@@ -393,10 +408,6 @@
 -w /usr/sbin/traceroute -p x -k sbin_susp
 -w /usr/sbin/ufw -p x -k sbin_susp
-### kde4
--a always,exit -F path=/usr/libexec/kde4/kpac_dhcp_helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/libexec/kde4/kdesud -F perm=x -F auid>=1000 -F auid!=4294967295 -k T1078_Valid_Accounts
-
 ## dbus-send invocation
 ### may indicate privilege escalation CVE-2021-3560
 -w /usr/bin/dbus-send -p x -k dbus_send
@@ -419,7 +430,8 @@
 # Web Server Actvity
 ## Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
--a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
+#-a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
+#-a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
 ### https://clustershell.readthedocs.io/
 -w /bin/clush -p x -k susp_shell
@@ -448,9 +460,13 @@
 ## Injection
 ### These rules watch for code injection by the ptrace facility.
 ### This could indicate someone trying to do something bad or just debugging
+-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
 -a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
+-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
 -a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
+-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
 -a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
+-a always,exit -F arch=b32 -S ptrace -k tracing
 -a always,exit -F arch=b64 -S ptrace -k tracing
 ## Anonymous File Creation
@@ -458,284 +474,275 @@
 ### "memfd_create" creates anonymous file and returns a file descriptor to access it
 ### When combined with "fexecve" can be used to stealthily run binaries in memory without touching disk
 -a always,exit -F arch=b64 -S memfd_create -F key=anon_file_create
+-a always,exit -F arch=b32 -S memfd_create -F key=anon_file_create
 ## Privilege Abuse
 ### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
--a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
 # Socket Creations
 # will catch both IPv4 and IPv6
--a always,exit -F arch=b32 -S socket -F a0=2 -k network_socket_created
--a always,exit -F arch=b64 -S socket -F a0=2 -k network_socket_created
+#-a always,exit -F arch=b32 -S socket -F a0=2 -k T1011_Exfiltration_Over_Other_Network_Medium
+#-a always,exit -F arch=b64 -S socket -F a0=2 -k T1011_Exfiltration_Over_Other_Network_Medium
--a always,exit -F arch=b32 -S socket -F a0=10 -k network_socket_created
--a always,exit -F arch=b64 -S socket -F a0=10 -k network_socket_created
+#-a always,exit -F arch=b32 -S socket -F a0=10 -k T1011_Exfiltration_Over_Other_Network_Medium
+#-a always,exit -F arch=b64 -S socket -F a0=10 -k T1011_Exfiltration_Over_Other_Network_Medium
 # Software Management ---------------------------------------------------------
 # RPM (Redhat/CentOS)
--w /usr/bin/rpm -p x -k software_mgmt
--w /usr/bin/yum -p x -k software_mgmt
+#-w /usr/bin/rpm -p x -k software_mgmt
+#-w /usr/bin/yum -p x -k software_mgmt
 # DNF (Fedora/RedHat 8/CentOS 8)
--w /usr/bin/dnf -p x -k software_mgmt
+#-w /usr/bin/dnf -p x -k software_mgmt
 # YAST/Zypper/RPM (SuSE)
--w /sbin/yast -p x -k software_mgmt
--w /sbin/yast2 -p x -k software_mgmt
--w /bin/rpm -p x -k software_mgmt
--w /usr/bin/zypper -k software_mgmt
+#-w /sbin/yast -p x -k software_mgmt
+#-w /sbin/yast2 -p x -k software_mgmt
+#-w /bin/rpm -p x -k software_mgmt
+#-w /usr/bin/zypper -k software_mgmt
 # DPKG / APT-GET (Debian/Ubuntu)
--w /usr/bin/dpkg -p x -k software_mgmt
--w /usr/bin/apt -p x -k software_mgmt
--w /usr/bin/apt-add-repository -p x -k software_mgmt
--w /usr/bin/apt-get -p x -k software_mgmt
--w /usr/bin/aptitude -p x -k software_mgmt
--w /usr/bin/wajig -p x -k software_mgmt
--w /usr/bin/snap -p x -k software_mgmt
+#-w /usr/bin/dpkg -p x -k software_mgmt
+#-w /usr/bin/apt -p x -k software_mgmt
+#-w /usr/bin/apt-add-repository -p x -k software_mgmt
+#-w /usr/bin/apt-get -p x -k software_mgmt
+#-w /usr/bin/aptitude -p x -k software_mgmt
+#-w /usr/bin/wajig -p x -k software_mgmt
+#-w /usr/bin/snap -p x -k software_mgmt
 # PIP(3) (Python installs)
--w /usr/bin/pip -p x -k third_party_software_mgmt
--w /usr/local/bin/pip -p x -k third_party_software_mgmt
--w /usr/bin/pip3 -p x -k third_party_software_mgmt
--w /usr/local/bin/pip3 -p x -k third_party_software_mgmt
--w /usr/bin/pipx -p x -k third_party_software_mgmt
--w /usr/local/bin/pipx -p x -k third_party_software_mgmt
+-w /usr/bin/pip -p x -k T1072_third_party_software
+-w /usr/local/bin/pip -p x -k T1072_third_party_software
+-w /usr/bin/pip3 -p x -k T1072_third_party_software
+-w /usr/local/bin/pip3 -p x -k T1072_third_party_software
 # npm
 ## T1072 third party software
 ## https://www.npmjs.com
 ## https://docs.npmjs.com/cli/v6/commands/npm-audit
--w /usr/bin/npm -p x -k third_party_software_mgmt
+-w /usr/bin/npm -p x -k T1072_third_party_software
 # Comprehensive Perl Archive Network (CPAN) (CPAN installs)
 ## T1072 third party software
 ## https://www.cpan.org
--w /usr/bin/cpan -p x -k third_party_software_mgmt
+-w /usr/bin/cpan -p x -k T1072_third_party_software
 # Ruby (RubyGems installs)
 ## T1072 third party software
 ## https://rubygems.org
--w /usr/bin/gem -p x -k third_party_software_mgmt
+-w /usr/bin/gem -p x -k T1072_third_party_software
 # LuaRocks (Lua installs)
 ## T1072 third party software
 ## https://luarocks.org
--w /usr/bin/luarocks -p x -k third_party_software_mgmt
+-w /usr/bin/luarocks -p x -k T1072_third_party_software
 # Pacman (Arch Linux)
 ## https://wiki.archlinux.org/title/Pacman
 ## T1072 third party software
--w /etc/pacman.conf -p x -k third_party_software_mgmt
--w /etc/pacman.d -p x -k third_party_software_mgmt
+#-w /etc/pacman.conf -p x -k T1072_third_party_software
+#-w /etc/pacman.d -p x -k T1072_third_party_software
 # Special Software ------------------------------------------------------------
 ## GDS specific secrets
--w /etc/puppet/ssl -p wa -k puppet_ssl
+#-w /etc/puppet/ssl -p wa -k puppet_ssl
 ## IBM Bigfix BESClient
--a always,exit -F arch=b64 -S open -F dir=/opt/BESClient -F success=0 -k soft_besclient
--w /var/opt/BESClient/ -p wa -k soft_besclient
+#-a always,exit -F arch=b64 -S open -F dir=/opt/BESClient -F success=0 -k soft_besclient
+#-w /var/opt/BESClient/ -p wa -k soft_besclient
 ## CHEF https://www.chef.io/chef/
--w /etc/chef -p wa -k soft_chef
+#-w /etc/chef -p wa -k soft_chef
 ## Salt
 ## https://saltproject.io/
 ## https://docs.saltproject.io/en/latest/ref/configuration/master.html
--w /etc/salt -p wa -k soft_salt
--w /usr/local/etc/salt -p wa -k soft_salt
+#-w /etc/salt -p wa -k soft_salt
+#-w /usr/local/etc/salt -p wa -k soft_salt
 ## Otter
 ## https://inedo.com/otter
--w /etc/otter -p wa -k soft_otter
+#-w /etc/otter -p wa -k soft_otter
 ## T1081 Credentials In Files
--w /usr/bin/grep -p x -k string_search
--w /usr/bin/egrep -p x -k string_search
--w /usr/bin/ugrep -p x -k string_search
+#-w /usr/bin/grep -p x -k T1081_Credentials_In_Files
+#-w /usr/bin/egrep -p x -k T1081_Credentials_In_Files
+#-w /usr/bin/ugrep -p x -k T1081_Credentials_In_Files
 ### macOS
--w /usr/local/bin/grep -p x -k string_search
--w /usr/local/bin/egrep -p x -k string_search
--w /usr/local/bin/ugrep -p x -k string_search
+#-w /usr/local/bin/grep -p x -k T1081_Credentials_In_Files
+#-w /usr/local/bin/egrep -p x -k T1081_Credentials_In_Files
+#-w /usr/local/bin/ugrep -p x -k T1081_Credentials_In_Files
 ### https://github.com/tmbinc/bgrep
--w /usr/bin/bgrep -p x -k string_search
+#-w /usr/bin/bgrep -p x -k T1081_Credentials_In_Files
 ### macOS
--w /usr/local/bin/bgrep -p x -k string_search
+#-w /usr/local/bin/bgrep -p x -k T1081_Credentials_In_Files
 ### https://github.com/BurntSushi/ripgrep
--w /usr/bin/rg -p x -k string_search
-### macOS
--w /usr/local/bin/rg -p x -k string_search
-
-### https://github.com/awgn/cgrep
-
--w /usr/bin/cgrep -p x -k string_search
-### macOS
--w /usr/local/bin/cgrep -p x -k string_search
-
-### https://github.com/jpr5/ngrep
--w /usr/bin/ngrep -p x -k string_search
-### macOS
--w /usr/local/bin/ngrep -p x -k string_search
-
-### https://github.com/vrothberg/vgrep
--w /usr/bin/vgrep -p x -k string_search
+#-w /usr/bin/rg -p x -k T1081_Credentials_In_Files
 ### macOS
--w /usr/local/bin/vgrep -p x -k string_search
+#-w /usr/local/bin/rg -p x -k T1081_Credentials_In_Files
 ### https://github.com/monochromegane/the_platinum_searcher
--w /usr/bin/pt -p x -k string_search
+#-w /usr/bin/pt -p x -k T1081_Credentials_In_Files
 ### macOS
--w /usr/local/bin/pt -p x -k string_search
+#-w /usr/local/bin/pt -p x -k T1081_Credentials_In_Files
 ### https://github.com/gvansickle/ucg
--w /usr/bin/ucg -p x -k string_search
+#-w /usr/bin/ucg -p x -k T1081_Credentials_In_Files
 ### macOS
--w /usr/local/bin/ucg -p x -k string_search
+#-w /usr/local/bin/ucg -p x -k T1081_Credentials_In_Files
 ### https://github.com/ggreer/the_silver_searcher
--w /usr/bin/ag -p x -k string_search
+#-w /usr/bin/ag -p x -k T1081_Credentials_In_Files
 ### macOS
--w /usr/local/bin/ag -p x -k string_search
+#-w /usr/local/bin/ag -p x -k T1081_Credentials_In_Files
 ### https://github.com/beyondgrep/ack3
 ### https://beyondgrep.com
--w /usr/bin/ack -p x -k string_search
--w /usr/local/bin/ack -p x -k string_search
--w /usr/bin/semgrep -p x -k string_search
+#-w /usr/bin/ack -p x -k T1081_Credentials_In_Files
+#-w /usr/local/bin/ack -p x -k T1081_Credentials_In_Files
+#-w /usr/bin/semgrep -p x -k T1081_Credentials_In_Files
 ### macOS
--w /usr/local/bin/semgrep -p x -k string_search
+#-w /usr/local/bin/semgrep -p x -k T1081_Credentials_In_Files
 ## Docker
--w /usr/bin/dockerd -k docker
--w /usr/bin/docker -k docker
--w /usr/bin/docker-containerd -k docker
--w /usr/bin/docker-runc -k docker
--w /var/lib/docker -p wa -k docker
--w /etc/docker -k docker
--w /etc/sysconfig/docker -k docker
--w /etc/sysconfig/docker-storage -k docker
--w /usr/lib/systemd/system/docker.service -k docker
--w /usr/lib/systemd/system/docker.socket -k docker
+#-w /usr/bin/dockerd -k docker
+#-w /usr/bin/docker -k docker
+#-w /usr/bin/docker-containerd -k docker
+#-w /usr/bin/docker-runc -k docker
+#-w /var/lib/docker -k docker
+#-w /etc/docker -k docker
+#-w /etc/sysconfig/docker -k docker
+#-w /etc/sysconfig/docker-storage -k docker
+#-w /usr/lib/systemd/system/docker.service -k docker
+#-w /usr/lib/systemd/system/docker.socket -k docker
 ## Virtualization stuff
--w /usr/bin/qemu-system-x86_64 -p x -k qemu-system-x86_64
--w /usr/bin/qemu-img -p x -k qemu-img
--w /usr/bin/qemu-kvm -p x -k qemu-kvm
--w /usr/bin/qemu -p x -k qemu
--w /usr/bin/virtualbox -p x -k virtualbox
--w /usr/bin/virt-manager -p x -k virt-manager
--w /usr/bin/VBoxManage -p x -k VBoxManage
+#-w /usr/bin/qemu-system-x86_64 -p x -k qemu-system-x86_64
+#-w /usr/bin/qemu-img -p x -k qemu-img
+#-w /usr/bin/qemu-kvm -p x -k qemu-kvm
+#-w /usr/bin/qemu -p x -k qemu
+#-w /usr/bin/virtualbox -p x -k virtualbox
+#-w /usr/bin/virt-manager -p x -k virt-manager
+#-w /usr/bin/VBoxManage -p x -k VBoxManage
 #### VirtualBox on macOS
--w /usr/local/bin/VirtualBox -p x -k virt_tool
--w /usr/local/bin/VirtualBoxVM -p x -k virt_tool
--w /usr/local/bin/VBoxManage -p x -k virt_tool
--w /usr/local/bin/VBoxVRDP -p x -k virt_tool
--w /usr/local/bin/VBoxHeadless -p x -k virt_tool
--w /usr/local/bin/vboxwebsrv -p x -k virt_tool
--w /usr/local/bin/VBoxBugReport -p x -k virt_tool
--w /usr/local/bin/VBoxBalloonCtrl -p x -k virt_tool
--w /usr/local/bin/VBoxAutostart -p x -k virt_tool
--w /usr/local/bin/VBoxDTrace -p x -k virt_tool
--w /usr/local/bin/vbox-img -p x -k virt_tool
--w /Library/LaunchDaemons/org.virtualbox.startup.plist -p x -k virt_tool
--w /Library/Application Support/VirtualBox/LaunchDaemons/ -p x -k virt_tool
--w /Library/Application Support/VirtualBox/VBoxDrv.kext/ -p x -k virt_tool
--w /Library/Application Support/VirtualBox/VBoxUSB.kext/ -p x -k virt_tool
--w /Library/Application Support/VirtualBox/VBoxNetFlt.kext/ -p x -k virt_tool
--w /Library/Application Support/VirtualBox/VBoxNetAdp.kext/ -p x -k virt_tool
+#-w /usr/local/bin/VirtualBox -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/VirtualBoxVM -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/VBoxManage -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/VBoxVRDP -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/VBoxHeadless -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/vboxwebsrv -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/VBoxBugReport -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/VBoxBalloonCtrl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/VBoxAutostart -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/VBoxDTrace -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/vbox-img -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /Library/LaunchDaemons/org.virtualbox.startup.plist -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /Library/Application Support/VirtualBox/LaunchDaemons/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /Library/Application Support/VirtualBox/VBoxDrv.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /Library/Application Support/VirtualBox/VBoxUSB.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /Library/Application Support/VirtualBox/VBoxNetFlt.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /Library/Application Support/VirtualBox/VBoxNetAdp.kext/ -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
 ### Parallels Desktop on macOS
--w /usr/local/bin/prl_convert -p x -k virt_tool
--w /usr/local/bin/prl_disk_tool -p x -k virt_tool
--w /usr/local/bin/prl_perf_ctl -p x -k virt_tool
--w /usr/local/bin/prlcore2dmp -p x -k virt_tool
--w /usr/local/bin/prlctl -p x -k virt_tool
--w /usr/local/bin/prlexec -p x -k virt_tool
--w /usr/local/bin/prlsrvctl -p x -k virt_tool
--w /Library/Preferences/Parallels -p x -k virt_tool
+-w /usr/local/bin/prl_convert -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prl_disk_tool -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prl_perf_ctl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prlcore2dmp -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prlctl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prlexec -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /usr/local/bin/prlsrvctl -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+-w /Library/Preferences/Parallels -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
 ### qemu on macOS
--w /usr/local/bin/qemu-edid -p x -k virt_tool
--w /usr/local/bin/qemu-img -p x -k virt_tool
--w /usr/local/bin/qemu-io -p x -k virt_tool
--w /usr/local/bin/qemu-nbd -p x -k virt_tool
--w /usr/local/bin/qemu-system-x86_64 -p x -k virt_tool
+#-w /usr/local/bin/qemu-edid -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/qemu-img -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/qemu-io -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/qemu-nbd -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
+#-w /usr/local/bin/qemu-system-x86_64 -p x -k T1497_Virtualization_Sandbox_Evasion_System_Checks
 ## Kubelet
--w /usr/bin/kubelet -k kubelet
+#-w /usr/bin/kubelet -k kubelet
 # ipc system call
 # /usr/include/linux/ipc.h
 ## msgctl
-#-a always,exit -S ipc -F a0=14 -k Inter-Process_Communication
+#-a always,exit -S ipc -F a0=14 -k T1559_Inter-Process_Communication
 ## msgget
-#-a always,exit -S ipc -F a0=13 -k Inter-Process_Communication
+#-a always,exit -S ipc -F a0=13 -k T1559_Inter-Process_Communication
 ## Use these lines on x86_64, ia64 instead
--a always,exit -F arch=b64 -S msgctl -k Inter-Process_Communication
--a always,exit -F arch=b64 -S msgget -k Inter-Process_Communication
+#-a always,exit -F arch=b64 -S msgctl -k T1559_Inter-Process_Communication
+#-a always,exit -F arch=b64 -S msgget -k T1559_Inter-Process_Communication
 ## semctl
-#-a always,exit -S ipc -F a0=3 -k Inter-Process_Communication
+#-a always,exit -S ipc -F a0=3 -k T1559_Inter-Process_Communication
 ## semget
-#-a always,exit -S ipc -F a0=2 -k Inter-Process_Communication
+#-a always,exit -S ipc -F a0=2 -k T1559_Inter-Process_Communication
 ## semop
-#-a always,exit -S ipc -F a0=1 -k Inter-Process_Communication
+#-a always,exit -S ipc -F a0=1 -k T1559_Inter-Process_Communication
 ## semtimedop
-#-a always,exit -S ipc -F a0=4 -k Inter-Process_Communication
+#-a always,exit -S ipc -F a0=4 -k T1559_Inter-Process_Communication
 ## Use these lines on x86_64, ia64 instead
--a always,exit -F arch=b64 -S semctl -k Inter-Process_Communication
--a always,exit -F arch=b64 -S semget -k Inter-Process_Communication
--a always,exit -F arch=b64 -S semop -k Inter-Process_Communication
--a always,exit -F arch=b64 -S semtimedop -k Inter-Process_Communication
+#-a always,exit -F arch=b64 -S semctl -k T1559_Inter-Process_Communication
+#-a always,exit -F arch=b64 -S semget -k T1559_Inter-Process_Communication
+#-a always,exit -F arch=b64 -S semop -k T1559_Inter-Process_Communication
+#-a always,exit -F arch=b64 -S semtimedop -k T1559_Inter-Process_Communication
 ## shmctl
-#-a always,exit -S ipc -F a0=24 -k Inter-Process_Communication
+#-a always,exit -S ipc -F a0=24 -k T1559_Inter-Process_Communication
 ## shmget
-#-a always,exit -S ipc -F a0=23 -k Inter-Process_Communication
+#-a always,exit -S ipc -F a0=23 -k T1559_Inter-Process_Communication
 ## Use these lines on x86_64, ia64 instead
--a always,exit -F arch=b64 -S shmctl -k Inter-Process_Communication
--a always,exit -F arch=b64 -S shmget -k Inter-Process_Communication
+#-a always,exit -F arch=b64 -S shmctl -k T1559_Inter-Process_Communication
+#-a always,exit -F arch=b64 -S shmget -k T1559_Inter-Process_Communication
 # High Volume Events ----------------------------------------------------------
 ## Disable these rules if they create too many events in your environment
 ## Common Shells
--w /bin/bash -p x -k susp_shell
--w /bin/dash -p x -k susp_shell
--w /bin/busybox -p x -k susp_shell
--w /bin/zsh -p x -k susp_shell
--w /bin/sh -p x -k susp_shell
--w /bin/ksh -p x -k susp_shell
+#-w /bin/bash -p x -k susp_shell
+#-w /bin/dash -p x -k susp_shell
+#-w /bin/busybox -p x -k susp_shell
+#-w /bin/zsh -p x -k susp_shell
+#-w /bin/sh -p x -k susp_shell
+#-w /bin/ksh -p x -k susp_shell
 ## Root command executions
--a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -k rootcmd
+#-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k rootcmd
+#-a always,exit -F arch=b32 -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k rootcmd
 ## File Deletion Events by User
--a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete
+#-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete
+#-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -k delete
 ## File Access
 ### Unauthorized Access (unsuccessful)
+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access
 -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access
 -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access
 ### Unsuccessful Creation
+-a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
 -a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
+-a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation
 -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
 ### Unsuccessful Modification
+-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
 -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
+-a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
 -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
 ## 32bit API Exploitation