Change caps to lowercase
tiffb committed Nov 20, 2023
1 parent 8224f84 commit 274c0c5
Showing 11 changed files with 20 additions and 78 deletions.
File renamed without changes
55 changes: 0 additions & 55 deletions docs/example_technique_mappings.rst

This file was deleted.
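Review bot: deleting docs/example_technique_mappings.rst (55 lines) is outside the scope the commit message gives ("Change caps to lowercase"), and the file's content is not re-added anywhere in this diff (20 additions in total, only 5 of them in docs/example_technique_mappings/index.rst), so whatever that page said is dropped rather than moved. If the page was superseded by the subdirectory index.rst, say so in the message; otherwise split the restructuring into its own commit so the rename-only change can be reviewed on its own.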

6 changes: 3 additions & 3 deletions docs/example_technique_mappings/CloudTrail.rst
@@ -2,7 +2,7 @@ CloudTrail Example Scenarios
============================

Both CloudTrail examples involve User Account data components. The first review the use of
User Account Modification to provide visbility into Account Manipulation (T1098), while the
User Account Modification to provide visibility into Account Manipulation (T1098), while the
second considers User Account Metadata for detection of Password Policy Discovery (T1201)
behavior.

@@ -12,7 +12,7 @@ Account Manipulation (T1098)
The following are the criteria considered for Account Manipulation (T1098). These were
directly taken by reviewing the definition of the technique.

.. image:: _static/CldTrlEx1.png
.. image:: ../_static/cldtrlex1.png
:width: 700

1. Looking at the event logs themselves, is this enough proof or evidence to determine
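Review bot: the new path `../_static/cldtrlex1.png` (and the lowercase name in every other `.. image::` hunk of this commit) requires the PNG files under docs/_static to have been renamed as well, but the summary shows 11 changed files with only one "renamed without changes", so the image renames are not part of this diff. Sphinx resolves image paths case-sensitively on Linux (Read the Docs, CI), so unless the renames landed in an earlier commit the build will log `image file not readable` for each figure and omit it. Either include the renames here or state the commit they landed in; note that a case-only rename performed on a case-insensitive checkout needs an explicit `git mv` (via a temporary name if necessary) or git does not record it at all.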
@@ -70,7 +70,7 @@ Password Policy Discovery (T1201)
The following are the criteria considered for Password Policy Discovery (T1201). These
were directly taken by reviewing the definition of the technique.

.. image:: _static/CldTrlEx2.png
.. image:: ../_static/cldtrlex2.png
:width: 700

1. Looking at the event logs themselves, is this enough proof or evidence to determine
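Review bot: style point on `../_static/cldtrlex2.png` and the other relative image paths in this commit: Sphinx treats an image URI that starts with `/` as relative to the documentation source root, so `/_static/cldtrlex2.png` resolves from any nesting depth and would not have needed editing when these pages moved into a subdirectory. Worth adopting now, since the same `../` edit had to be repeated across five files.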
2 changes: 1 addition & 1 deletion docs/example_technique_mappings/Linux.rst
@@ -11,7 +11,7 @@ This example explores Auditd events mapped to the User Account Creation data com
their potential visibility into detecting activity associated with Create Local Account
(T1136.001).

.. image:: _static/LinuxEx1.png
.. image:: ../_static/linuxex1.png
:width: 700

1. Looking at the event logs, is this enough proof or evidence to determine that "a local
2 changes: 1 addition & 1 deletion docs/example_technique_mappings/Network.rst
@@ -14,7 +14,7 @@ and/or mining of information in a network managed Data from Configuration Reposi
of Snmp_report, Ssl_plaintext_data, http_entity_data have been mapped to this data component
under this project.

.. image:: _static/NetworkEx1.png
.. image:: ../_static/networkex1.png
:width: 700

1. Looking at the events themselves, is this enough proof or evidence to determine "data is
4 changes: 2 additions & 2 deletions docs/example_technique_mappings/Windows.rst
@@ -11,7 +11,7 @@ As identified in the SMAP mappings, process creation information can be collecte
Sysmon 1, WinEvtx 4688, WinEvtx 4696. This first example walks through why WinEvtx 4696
may not be a feasible detection for Create or Modify System Process (T1543).

.. image:: _static/WinEx1.png
.. image:: ../_static/winex1.png
:width: 700

1. Looking at the event logs themselves, is this enough proof or evidence to determine
@@ -109,7 +109,7 @@ As identified in the SMAP mappings, Windows Registry key creation can be collect
Sysmon 12 and WinEvtx 4657. This example walks through using these events to potentially
provide detection for Create or Modify System Process (T1543).

.. image:: _static/WinEx2.png
.. image:: ../_static/winex2.png
:width: 700

1. Looking at what the event logs themselves, is this enough proof or evidence to say
10 changes: 5 additions & 5 deletions docs/example_technique_mappings/index.rst
@@ -17,8 +17,8 @@ additonal customized considerations must also be given when looking to provide i

.. toctree::

Windows
Linux
CloudTrail
Network
windows
linux
cloudtrail
network
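Review bot: the new toctree entries `windows`, `linux`, `cloudtrail` and `network` do not match the files this same commit modifies, which are still at docs/example_technique_mappings/Windows.rst, Linux.rst, CloudTrail.rst and Network.rst (each file header above shows them as changed, not renamed). Sphinx looks up toctree entries as document names, so on a case-sensitive filesystem this yields `toctree contains reference to nonexisting document` for all four and the section vanishes from the navigation; on a case-insensitive macOS checkout it appears to work, which is how this slips through. Rename the four .rst files with `git mv` in this commit, or leave these four lines unchanged until that rename lands.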

3 changes: 1 addition & 2 deletions docs/index.rst
@@ -8,7 +8,6 @@ into real-world adversary behaviors potentially occurring in their environments.
representions of information that can be collected to concrete logs, sensors, and other security
capabilities that provide that type of data.


This project is created and maintained by `MITRE Engenuity Center for Threat-Informed Defense
(Center) <https://ctid.mitre-engenuity.org/>`_ and is funded by our `research participants <https://ctid.mitre-engenuity.org/our-work/>`_, in futherance of our mission to
advance the start of the art and the state of the practice in threat-informed defense globally.
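Review bot: style point, not introduced by this hunk but visible in its context lines: "representions", "futherance" and "the start of the art" (for "state of the art") are typos in docs/index.rst. Since this commit already fixes "visbility" in CloudTrail.rst, correcting these in the same pass would be consistent.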
@@ -25,7 +24,7 @@ threat-informed decisions.
methodology/index
levels/index
use_cases
example_technique_mappings
example_technique_mappings/index
future_work
changelog

4 changes: 1 addition & 3 deletions docs/methodology/index.rst
@@ -22,13 +22,11 @@ The Sensor Mappings to ATT&CK mapping methodology consists of the following step
- **Definition Correlation** - For each identified event, understand the security capabilities it provides.
- **Relationship Correlation** - Identify the ATT&CK Data Sources mappable to event IDs.

<img src="./docs/_static/methodology.png" width="900px">

.. toctree::

step1
step2
step3

.. image:: _static/BuildSensorMappings.png
.. image:: ../_static/build_sensor_mappings.png
:width: 700
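Review bot: the deleted line `<img src="./docs/_static/methodology.png" width="900px">` was never rendering (raw HTML in an .rst body is emitted as literal text, not an image), so dropping it is right, but nothing replaces it, so the methodology overview figure is now gone from this page while build_sensor_mappings.png below it is kept. If the figure is still wanted, replace the line with `.. image:: ../_static/methodology.png` plus a `:width:` option, as the rest of the page does; if not, mention the removal in the commit message, which currently describes only a case change.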
6 changes: 3 additions & 3 deletions docs/methodology/step2.rst
@@ -26,7 +26,7 @@ provided by this event includes the user account that requested the creation of
executed a new process. This event also provides metadata that can help us to describe the data elements needed later on in
Step 3 of this methodology.

.. image:: ../_static/MSDN_4688_Ex.png
.. image:: ../_static/msdn_4688_ex.png
:width: 600

- The action that triggered the generation of this event was the creation of a new process (Activity).
@@ -38,7 +38,7 @@ Correlate to ATT&CK Data Component Definition
To correlate with ATT&CK, the `Data Source <https://attack.mitre.org/datasources/>`_ pages provide definitions for each
individual Data Source.

.. image:: ../_static/ATTACK_Ex_PC.png
.. image:: ../_static/attack_ex_pc.png
:width: 600

For Process Creation, ATT&CK's definition is : **..the initial construction of an executable..**. Through key word review, it
@@ -48,5 +48,5 @@ ATT&CK Data Component.
A similar process can be used to examine Sysmon EID 1, Sysmon EID 8, WinEvtx 4688, and WinEvtx 4696. The image below shows that
the definitions all have some correlation with either starting or executing a process.

.. image:: ../_static/DefinitionCorrelation_Ex.png
.. image:: ../_static/definitioncorrelation_Ex.png
:width: 700
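Review bot: `definitioncorrelation_Ex.png` keeps an uppercase `E`, contradicting the commit's own rule (every other path in this diff is fully lowercased, e.g. `msdn_4688_ex.png` and `attack_ex_pc.png` in the hunks above). If the file on disk was renamed to all lowercase, this reference breaks on Linux; if it was not, it is the one image that will need a second rename later. Change it to `definitioncorrelation_ex.png` and check the actual filename under docs/_static.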
6 changes: 3 additions & 3 deletions docs/methodology/step3.rst
@@ -12,7 +12,7 @@ As mentioned in Step 2, `Event ID 4688: A new process has been created <https://
that can help to describe the data elements needed. For instance, regarding the user account data element,
information on the logon ID and the domain it belongs to is collected.

.. image:: ../_static/MSDN_4688_Ex_Attributes.png
.. image:: ../_static/msdn_4688_ex_attributes.png
:width: 600

The use of Data Elements helps to understand key attributes that are related to the adversary behavior.
@@ -25,7 +25,7 @@ Additional context on how to establish data elements can be gained by considerin
- *What are all the data objects that define the context of the data source?*
- *What are some attributes from the event log that contributes to the activity of the adversary behavior?*

.. image:: ../_static/DataElement_Ex.png
.. image:: ../_static/dataelement_ex.png
:width: 700

This method can also be used to provide a general idea of what information needs to be collected.
@@ -44,7 +44,7 @@ relationships are the ones that make references to the action that triggered the
Informational relationships are the ones defined based on the metadata provided by the event. Therefore,
please be aware of alternative data elements (i.e., a thread can create a process).

.. image:: ../_static/Relationship_Ex.png
.. image:: ../_static/relationship_ex.png
:width: 700

As discussed by `OSSEM <https://github.com/OTRF/OSSEM>`_ at their ATT&CKcon 2018 and 2019 presentation, the activity of the
