From fcc552aefe2615c19c6754afec732bdb2ade73ee Mon Sep 17 00:00:00 2001 From: Ian-Barbour Date: Fri, 12 Apr 2024 10:30:43 +0100 Subject: [PATCH 1/4] Updates to Andromeda scenario Signed-off-by: Ian-Barbour --- docs/TTX/Andromeda_Gales/Andromeda_Gales.md | 7 +++- .../Andromeda_Synthetic_Event_Logs.zip | Bin 19079 -> 0 bytes docs/TTX/readme.md | 39 ++++++++++++++---- 3 files changed, 35 insertions(+), 11 deletions(-) delete mode 100644 docs/TTX/Andromeda_Gales/Andromeda_Synthetic_Event_Logs.zip diff --git a/docs/TTX/Andromeda_Gales/Andromeda_Gales.md b/docs/TTX/Andromeda_Gales/Andromeda_Gales.md index a32a3f1..06e1be0 100644 --- a/docs/TTX/Andromeda_Gales/Andromeda_Gales.md +++ b/docs/TTX/Andromeda_Gales/Andromeda_Gales.md 
@@ -2,11 +2,12 @@ ## Andromeda Gales As part of the OpenSSF incident response scenario an open source product has unknowingly been compromised. A malicious payload has been merged into the underlying container image / test suite, infecting a multitude of public and private organisations on update. -The infected software provides integration with numerous CI/CD build pipelines, managing the repeatable build stages for an organisation's software. The malicious payload has been designed to exfiltrate sensitive data from the target deployment and send it to a remote server. The payload is also capable of executing arbitrary code on the host system, potentially leading to further compromise. +The infected software provides integration with numerous CI/CD build pipelines, managing the repeatable build stages for an organisation's software. The malicious payload has been designed to exfiltrate sensitive data from the target deployment and send it to a remote server. The payload is also capable of executing arbitrary code on the host system, via an implanted backdoor, potentially leading to further compromise. The incident response team has been tasked with identifying the malicious payload, understanding the extent of the compromise, and providing guidance on remediation steps to affected organisations. The team must also provide guidance on how to prevent similar incidents in the future. The team has access to the following resources: -- A copy of the infected container image\n- A list of affected organisations +- A copy of the infected container image +- A list of affected organisations - A copy of the malicious payload - A list of build pipeline integrations - A list of potential indicators of compromise (IOCs) 
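Review bot: "capable of executing arbitrary code on the host system" implies a container escape from the compromised workload, but nothing else in this hunk (or in the resource and IOC list that follows) establishes one; if the payload runs inside the infected image, say "on the affected workload / build runner", and if an escape is intended, state it as a stage so the attack flow can show it. The added phrase "via an implanted backdoor" should also say where the backdoor sits (image layer or test suite), since the opening sentence offers both. Replacing the literal "\n" in the resources list with a real line break is correct.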
@@ -15,3 +16,5 @@ The incident response team has been tasked with identifying the malicious payloa - A list of potential preventative measures The team is expected to provide a detailed incident report outlining the steps taken to identify and contain the incident, the impact of the compromise, and the recommended remediation and preventative measures. The incident report should also include a timeline of events and any lessons learned from the incident response process. + +The correlating security and incident events and alerts have been captured in the /Event_Logs directory within this repository for technical visibility into stages of the attack flow (provided as Andromeda_Gales_Final.afb) to be used with https://center-for-threat-informed-defense.github.io/attack-flow/ui/ \ No newline at end of file 
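Review bot: the added sentence points readers at the /Event_Logs directory and Andromeda_Gales_Final.afb, but neither is added by this patch: the diffstat lists only Andromeda_Gales.md, readme.md and the deletion of Andromeda_Synthetic_Event_Logs.zip, so the reference dangles until the directory and the .afb file are committed (or the zip deletion should move to the commit that adds its replacement). Also, the line is a single run-on; suggest splitting it into two sentences, using a repository-relative path (Event_Logs/ rather than /Event_Logs), and adding the trailing newline that the "No newline at end of file" marker flags.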
diff --git a/docs/TTX/Andromeda_Gales/Andromeda_Synthetic_Event_Logs.zip b/docs/TTX/Andromeda_Gales/Andromeda_Synthetic_Event_Logs.zip deleted file mode 100644 index 912014fd684e80ccd0a961e99ee2d97d38319e71..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 19079 zcmb`vWmKJAvMr3e2X}%8cMtCF8eroacPF?Lf+x7UySrO}KnN0CgM$wES5f`Ng-fh9=*v_ia8T{}Uah`__PEf zIXx4F>_XlbiFbnb!S7{TTt>L?1YD^vMb$#rRGxGI zmSmO2E=2$gHyP5W4C(ufCe(GD&y$c>v|+rqESl>_84?^MZ~zH#0?D7t{F_ovMy~)t zs5jT-b>@Rn8wKMdze!1~n-$Zyi#mb)O+D4Kb?KYUUgsmXksxjh zuJT}tK-^A0!!3(}xRW!$$QtNmVIXQ}W8?Ij+u%6G-`w_txFvEQHFeb^=aXwBJq$5| zoUNyYvECI{N`y=n7@9n*o2TD<+gl*(0ha;?AOLU2UJx`VQnmT^~d!#vD4xj~YjHSa4qInba z5dCcnvl@tk{(<-f*qZ!Bu}`d^T@N!_|Ao{QN@F#ge7_{_VSxl>=ap?TJ<7qL_oFz;ViaN+QCdZyqz;p|%m&QqkAMcsFUUkXK%ufAKnbuh=JR8Z-sEDdmF zrWt~WhG*=fMyR?p-^pp`it!Ji%*6vl&=bX)ykqH>LJ=lp$0{_BDzxgrBxmk7Zb9C` zmYob%WSM$TYH7@Dz6yt3d0q|0=H;ZTSsAnVlo(7&W#tF*W%Y83y9+rp7LR9jYDx8*3kxQQJjkv^IiCL9`ZCCPDm@q`cRc zGa^7Qix^1p3Zemw;p6O?yK6?uR$>1FKd|u67G|zyiZZeiuH?Hh3{C1QT^^?FZwH!E*p--xmxgdIGRcpZAXFal98*=? zNm7)zO3-gb^jueE528+Rso5C3@+`SA)7neaUX*VTY9Ob`*Ir*nY6$gHv7NnN_@P`X z)@V^SLwLr3vnmS@OMIiGL+&$N?`#G({GHA@L02|-%AXFoA}Et|@+(}0u^9JixPYfU zy)IfDF$Nv^{Q)Er(nKysS1_|OtZOX54gm+Oosh$eQyB}OU@)(a;-!`f; zX#3ZM11@KLJ9?vDevV7WmRKk9!nNO=DV&9Q=od)d;psW}x{LD4N}(2|3ZPZ z3}|d14{&mD0bR5vKwEPIQENLF6HS1#u?3^0lbvm_ihLx1uvJ?!f>%G9K&l14XMU&ihd1%&(nV$ z1Yd@Ou74K8oKZdiU6;J}W1sjX)!vDaLrpmC>p=M!M+6Ps5g>f4lw67@oVe)eYFRC> z@Ow$RE1CfyoxR!{^D~jls4o%af+D066B96B2eQC+@ z_E=hd#dtd~wOCRDK8rfT@FjX>2*R+M-mY9CF7aP229{*$OV+(H1-z*T_Ms#N;cvn+(XTC zo1LSTfry=ptqH)k5or}aVkN$$^-cs+&&6CTPv2t-6nJ@OogsJRz|k{rl7uARic=L^5&EN4XQ+w z*Br4MHKlK5dy=BtlEk@PNF(dF!NVpm4dA;Lt?EVi?L5kLAHo6Ru-wmacXw4gWhuaF z6d@)Sm)B|f+WUrhz&ZxQ!&M6>MXn`WuN6uE0vebXS5h(xrLLGO&lpHWbO zYb5b@-3>Nl{$pRJ=2le*yR<#9hDrmLn73zo?!n((YFDV|bEV2?w%l^KY3cX?GqUn! 
zP28FTClJ?q<=pT4)J|qQxsE$a_!rS$Y8yc_nl-OM@K;2xdrEL3ZCmq>QhB%;Ay!;O zH!Vr6LIv>)wR{Y7Z-WkBtb!6>BkDx+<&PAM$;nHI?HgBX^E-qfbu_zL_(^BH1zqwk z8nz_y8u5|UG7zf^6}PYe5UcedR@wdyRyCAFC9Lh-eg|VNaT9g{%!K_%RQISMC#3ne zXl>|A7`44}r<>&o0ppgk3rw~x2fhZeBMsKeLtZ4rOh==G&a9~(UGK-hcp8?CwgExL zBmj~fz9<}YouJ`muO`PJ2+f+%h^=FXTBn++1hvE;XK2ve(U63OJL;SljX2P;CpzUq z%9Lfv(bDCg4TI4n9atr}Sw!*h*|Sp^(01iWZjTQj6dB%Vwi}Uni}hek7e&mMn`z3x zKr-{+&=gOby&Y;2ZK`vjG==Q*aW0SjRGXGiXT*WeW7tB)6(b$F&OKhHqG|eCF~>eF zszjlsG8)MF^~&B>+pe6e@RDSP-6Vl5y+&z}1z(ZqMyH{P#7F@XI}zUSLgv=!$)d)d?&F6>v4_VTwa zC4rw6)R%hLi>(y6pisWLtsJh$!P)U%-9kJvCI({6jjeXd8N?VFh%w2(F~(`2=xXX{ z?O~u~>SzOWass-V8mQP=gYI}xSY@DOXALw4f1Oi)s##Qr_LhiFp!2oLHc4*Plw0(>OxyN@@M}x`IBp{a1C`m6?0ZvXuMBsht*; z_&a}=`BlmyBWqhlx8nNjR4$h-dkN|_0y9%J4VT2jFxpawxJfuh&jIKc7ZV~w8M2>z zIVqaL4mzZ0QnlM`R=iw0u9{5urthP_d-dYk!Z^$kdwHFB>T2e>3c4dl7^FrNveDn7Z_M|y&p#QAK`!lP1NY- zss(SPaZTTV(?@P$y~%eP;g;e3ST2$8Li2jGG+J%Bk2y#AfVZpSMP8CfIKJCTe2~F- zNMp{C?v!on%1qD&nE~^3|B>3ciPRe75F%mk#V~X$3i^QNOEE|s+bZH?^fd(Vhht$B z=1ClpEWIB{F9xOxOw6H(ZVgc>D+-u{;8g2sUEGDb@)C7*t&%*y_GAvVm3i~x?uppn z<2(|31|qhA=51&;h*VE#FfiHwABa^oHU3=)_tI7Y)m)dc5ebKzX=O1e>asC>& zn&O;`fR=6rC-96h<;6DB4WXcxjl8{3j*g@JP`*eharx`=Qflw;GziV^6P?8zj*`yM ztZX)>U3U>rjrm1_J0lc`)zI75Fc0Wb(48@6Py8!J7+%H@~!d^-cH5Uw9D- zzuV82H)MecTfL0C9bvC;gkGAPF#DRNI;lT8>obXz5nKKahYK){^qu4<@7sPTtIr#f zqpk$E9=os>ss&MVhd2<#O=ea0=XXv{b3>!whqs^X1R`aCR<0V4q&Db?0|)H}`oHZ2 zuK#nk+1WlV`TXk~`coeNlLcRcb6@q%1gv_Y2)< z-2;LekM7Q=bj&dq->({FeDCfM653BU;>9Bvb&bqF`_eR0iz2a$$=AaJ9>=|qkeavC()itODd}d3^wI;1VlY+fq>h+trBQHk^oQmq zUb9b6f?uE;oLdJ8Z&-{u;FI@jVw%#IG7u$c1-HUneu@65=`C8w%cT9$XbKbu^b)+3 zL0QL9)!$9=a}?dX;o5T|r#Q1x2dHtr80FTnbzc~=8$fw0#}Hg&;&bz78QJyAB-B*M zYR~rb+3csi=T-4?AGewghXDFp1%q!ZqcEPKRq(!?XQF1d&M}{2Gp_zs2YEvxEFmUG z4)KzJ^c1_$SL|zUL;7nM=6C%}hREs?yV%3F0LIAT&gLn}9$7ZM4P-2`;L9i3f-2~+ zN(wKn5d=}B45CQrZxnI=BP%eFwgpvgY>iC~IC<<-`5>%`7H zq|iV?e%GAqJVs3ojlprw*yz{FV-Ic2<2#f0?UfFT99}(~SFcLjt)w@&Y&7JN8O5N5A<%XO8!dQZPCu%THGZayd+z1sH}+ew4;V&6A~K1n%0!7qEvZ(A}Eos)6o} 
zmMbBl6)%X3ZW$h!yOv(f+!_DcK&W5N=EE_6HJ5W2j2`kxJk=;nDj2I!z=a9q%qP*n zn)oIiw=4~QQhey(90GHk4T+m3GCR``q_XMp6gl{Qx4pniRcq{E$6>11@h7Y^aCtdgw_d6c>U+s%dd=_VN-}<7ZoZ_GZt{u${z=OQvu0mYTfXddC7fi5 zX#9Nd7V6_o!lMSz(&V)~^ac^L3-e!Zl7Ew&fA9oK{eaeg-6ZAe@^-00XziLKzE#|A z@P-F--;~nSiYy8GZTGi1^#_JawsTu$38_bXkE#s495DJrNh#1ywvAWD2r?92pLwDz z8&~*dtK|%(7wueDa5=svP|a7OqD>B7j`?1EFO_*#(1(vlr*8UDABWDGa7aTY)=9bN zl{E6^1$#uLZ=cgm1gWB_a7GtRcl+v)-$~BM86%REDx$zktx_orU#PNDp z0N|x6qMlpFfSu0yzS7ZS$QahU>!aU+Up4v1Js9uzc!4F7n|vnQU`J3Zo&ra==^Tu4 zrx>aUS>YM*7DdC=Xj%1`kutfwh77tQdf!_;xp^$u)foZ#EupIzjj{6K{y0Hnh+51U z(04;8yB+g5vuz(GRYl07lZW)3h;hvkxfoszBgbuj2}UB0O!Hhjepw69ZNa}fX#Ih9 zj&G-nrx8I$Gk!Z;B=>Xkm4d2tuSv>!voLOpKY@6e~}(;7~(CX9DTCxA8QaytB;U%Kq>uV`xYpOAkt^YSQ@W5 z@c{nl8DWrtyyoe+&Q4c9hdE3e3!QCb>vg=*53%53yBtDo_~D+NHXM)Rq=B`f9a z^yvP@_S&flD~lmy^DP2|M=U{ipFRD}H}`xItbi~K1gGZ0Nl_oEK}Q3TcSz`^NO9t^ zB2NBB`KumdvPlx*0p7YWYwJ!;v%bQ5Ciyh1(J>#@jCzfkwFz<58E?eoifngZR58G$ znF_Bqu^kaLW0xfYfm z`SL?mJS4db1}*f1vb50MM~Hc3M7pb5Di$*gwQzzYqm^uteu$5GGfn|Ba9>>ord{Q~ z8Z_4$x?<0r*H5jH+@!vdM7M$HD{^daSEN_H%Gi=#+Qn|gh1Ivfldssp&QUTZddI;Y zGj*$+8S+tLiY|l5T&0&GQl<|f9D^aL`sQUJ9z%+7sEZh93JDx5T&v&WEFV@%mr{xX zfmkAc3qriuWWh{d!t!U$`4#BIg6HBf$`b-o( zEUP1g%QxU7bW}wG(!{fRIxk2%#+KD8Ov&q`!!$g6I7M~A#&xiHdQ1`UkPF=UL%22& ziDfk26U}@6%-b^zj+FqW=4vmVZg-kz+`CkDJJ+j!iI*aNeQ@ua8LOkx8i#0lDV)PL z?W%E}Er!)(W1;@dKcI67`>5jU)bEHWwR0wOagHca(@i&7 zT%Trek+7(Qw0JhM=BLmNpNWBy8FRe~|CO#G{hP~Ix;Zt|`q7bBr6`#tI$!c%jaCv& z5!FW@Ve%hLgvtUN=Z#&;*&6rtP48XYLp+4l=(Jx*>%5#RJaWpVVNII z6y~~PiO7mu*A2U@%Z8mdnhE=wF}7jX=@aDT^uwkT;;?XAQ`DZBW7L2flj~6Bm?e0< zjIwNpz(qA~_5RFcbdbQ0G@HdqMKNKCt|qZ-v`Y_2WuTl_A@{^oVRyfkLg=t*Fx5YF z^+-SBTp46`YC|0-$Iph+%Pec!BNq`oi zt)L1H$O*oH9B70gsUY>ofYEhnoLdYRE+Rs~d+*Ba>AUG#AG z7*t}5`jn<#QY4MkR}P2wMOzoDdw70>ve44vPkX5CY$dAS4YcM1Py2O)x53u&4GXcG z7|QqvcTmX8Xv8o+6kxJK@T7@Rd**{w4P37l2HUBd7s_&^Vv*l&XR5nML z3i@bS<<~-*7omFdu8i+o8^jst=Cc&zvlY8mj?+Rc$wf~KhF@ivY+f$bs@EioP-P-3 zZxs>bPREc)`ssN7bSPTT7R@YLlgkeIV(7hx>K5z8`7SX<4mw)`7o9nb^ky&_JlSwC 
zqkGrZieCp-`)c|oB(!Fqb#g9y$^tWcVtSJUe}l?)_YSM&A?e|VYdg9Uy~iiV3>@!Y zPqYm-(AMhHt$*=5I~albFWLqxNDX#(b_A{JU-fB6QxlLr4g^^Lvj+0qHSo_(_D*fl zc3KF{r*g(O>~@T|!8mJ~tCSSeKg+Ttz&&+tx@whxueDj}Y=uvs`UjPY`0cvM_Sj(> zo}j+I92Iy)HOobjbiF(&wJ@QCW;el3O^~O4jczhgE3p@O>Uc#jaq^3K{L#gR9x^|l zbPf4z-lFaNKyQPg+jHIfUSE@`*>qbgaV-SKY7J-vnuu9WGdZXQmtH1#f;bbY5$@!C zyOs9NksR(=W;L9YQN@W7?pqT46V)p?itDIWpOZ+B4gpUI3YO@r7F&Wq-IE^q%s$-m zq*>A{GuIi^7~PZ7!dkGviatm+_P8CTUua(B?J2@+br;D`mntRgj7{JcO?+73#XQC^H2i34XI8 zHJ>};Q}6s#5UN|JfrBDFB!gR$?T@vGW_kIQliz+Q{t6vdUocy{DaNblAfwvvS7Xxx zNfM>MkVKysb+gV%Y8yRAM}g)G_rLxwJUoy;i7Sl|HQ{YikhvNJiz|1a=82x1siJRjyig}pv6@HYOadx(AA*55bFE!|^zu_SGEAztcm*XXg-_Gas$ z0+32#E0@?vS9Y>-J;QHz@MZMOBb6%0wPzSu-E?+0NfxQD)#m%dZCxFq+%FNO&lfCE zt-(EL&H>oQx1fp&8GaSEMtYb|ne+++CY?$~o@u&BZ;F8BTn9zM3N7l_RCPxfko>&+ zBB^SeiQy_=@^om>(EcK@&T~XVU71V1nla_zLagB_O8f zK}_@ijcFDGIe;@r?XotIw{tbM`Q2;d3IzOCN9`T$Ks8p7Qu>by>pu^X;J8-XZ_H@o zUf|cE{`i`oRcZ(;waqq+VqbRiI>eGfi_5zL!}EGVA#V2B5}@Y9W1PK_js%=S16c(^ zZ}8-Y*jS1so%OYQh5Ph_E$41z=9lz#=EK;c2^B8sa!{#H<2i^==xOA=vZ+zTds7-r zzEYNUG7ne{;N57%*nZ}HyZY1nrUu82h|YA0i&Fo=dh}#`>rJt3=6UbZkh4t+KY2YH zRpFO)!!vdxQo2S@Ujd?FE6KXIJG^9c=)L{CXD=bLJ6Vr5aeah#4#J4eipS<(j7L@E zUVP4mle*cR`o#|^g-Fh>jdPz&Y^eZS8%L8@HwE?j6`SD%B{)xM;$X+OS0m*?n{DqD z)_>LR{A@4M{!(Z2MT4vVeP5^RX|b0G9`*!a_@OEw1Mc(=A?3$%^oD^?fzCVO)0bi5 zn1)uOy!$@kW*VRH<=GU{q$G6-ft&+#RdCl>G_DB{{q13j0TI2>qX}g2#7UE$XuiTB zr4RFOl>3U6x>DiDq(!TQG?dB1GF~IDg*i0;`l%Zn$tr|t|L_aEAzP#0Dg$*!Nbgtv zVR$XzsSoggd?5BkZn-Lme@jq0@wc)%>%ZXxf6tc_)fOF7nbCYEc#ugc2q;WVU>w4RWLrWfB1yPpNzn^WZ zLT1%ydlAS1;B-eYX=JxbC2Fh{WRnJt$riu2fcHeS8ji&bB2us zi!(y))VO0urc%XvI?s!(uNa0roKY|mO0V(fcmnYyWind|xyHa}6gU$XEZ?7lt@( z6Qu|J{wRmtl$k@l+SsGR?rK&p-sBWcv*`6v^YC=}72;vcp-zPrv@r9PP{f|$jRqKO zMh!;?(nAF^j$4?pCj@3CP>1t1ubpR<<1%tt(tuLK@kB|%o52cy)m~}QR0vGH&jA~Y zNIOdD8Tfl&$8cV6R@w5gT>m`MynwixpmZwnym1b1C(e)f@*3I$b)Va-I3CqjjaP^(gi9yX!A>2AFZn;N!yA3yGaO%F?zT;lj z*ybM@u!^a@of8lgfd1Bn{+15=D0j>Bg3@8cd(q+M@KkooC0#UB=<0liSIZ51*x5vAP|d!Pb8-5{+}HW7CfX#b3ntU(0C15SQ9U=hisZh`nAS=VFi^v9 
zmisYZHpy{dS3n%xZi-vglPVfRIdVcm^&roBFUE!1vtBpcwZ${|^Ex=yF`+(6q#JIa z5J4dJs=uGV>D02a0`E3MhpGI zkel11?wv%FvXbhqf;3-#Pr3JsPoOwmWw6R1rn94T)OsfJQRkDKzz)ROcXK8^a}Z}! zAkMh{cHgiWsM-STohJ#Z z(p_l<8=&jVLZkSr)Hlcstm4)(L*^xZwtk-VN$ONq%5si~9?2)p=LsDxsG$@2^ikL$ zG?0hUh&CLPk&z6J>_Z-ysPX%$i&I3AMvS})d@e2xJ8sb6<;By-^s4fvyrw@iI-v<+ z1Rdy2fJ6iI3J{z~T6Ko#?{Uo!#@+0lzU+>@B#RVPj$l%c{lTo7kLZQD)KU!tFw_sn z|2lFC*E3=GC3M9Q3_>35Ouh~(9+LQPO@l_A1{!4|~b;4`rT`|lnZTc^L2 zSI}m2w)>rlfV!+e!2_s&M%C02B+eTAp`0r!Zv56Nq`X64nPXfTeEzHp-HNdQnYbIi z*p~riB}zCSU*mV)S}B^Q624{DeldD-DZk9bq){4mzy=erL$+AK+8s2KJccL8+<|31 zI%n*9*6mNVe+|E|^zC+zB#y8R#`reRNdqn)L0xT_jfKl2U^oCPZB!(2n5d1s@D0x4 zUIGWVqOy_Mw9o%i=`ZYRlQfZ6KaonO9zN z>I6@#EoT#FBBK>FhS*CRlENd7Pi5nHKXojCm`U>W%X+mhBzFn4gbr|Kq^#9Eq621a z52g?GhBlA4WIT!NYkr(d)+d~%61Oe;e6_E$gFNhDnm0~u;0z%oQ~LA)u)NJP;Kv`@ zC?1{ftk7GxFN$yO2DK<`!zWw$zGAR)(>GoURgll3kn&fZp|L>5TXJiGkeJm1C#J@o z3WDNj(`3pq(P^!ASkLRrb4B|0P{!7_%bO=Paug|mmQPay&=SPs@93WR&ppUyAZ-Hx z6$({>=C+_5@~@;k_OG@#@e7Dk)Y_AgioT)Bd3Y&*sNt7YM3}n;Swpe>@8l4?xqq&N zCQUBv=Fq(kx%ecI2AMeo>w%9ZMpoiMwr%7^Lr0HDACc*CekVso%AaW>S+(=2>ie;^ z;*YTiG)tVO#8+Bw!?ill4KRb|@h>L^poQ@d55nsXOcd`4-Z!=*6?*q+(MuWABFjX@D(2z zc!-S{ZW<`E7B~=LKfhkmdxp*xwYW0OFofpQ6D||0c>aDfaRU&*PY6#1h6^-2CmF!2 z@{hs1F#G{Cs{>o>J7<=4w7NKv+dQ$#7;U{ZY5LLr;#u>IY@+BstN3OV~* zgm^VtqzeD${1YXx7{t=OG6cqJ5KF&vebPT!VmA#iYGxw zNw*{#>oJJZ(+QzJ%j?8n;k?X;3zyxZTAXFCW)MUWBpD*5f<{q9 z$NeF<&O9MO!pD$^eY=LGq&K8<&9;JrGI1l+zCKQVPYqw94*ghYxa|kg+QNfO)0yg%lB-n1DZ4dN3arw7Ox3KKDk;?R|OrBl12QdL3<}RcucXHx#IJ-YVk?59yVJ-FFo#NlQhZB3h z#R_}<)lP(-=Y}{?4jTeRd8CfsT#%m!T%}Q^zSw&*PAB2BMEpA6+%83T$1sV_8;vc? zddALg{7)2GW*LB%2E4-n4T!#b&_n$veVl(39+e#JO#X4={l#G{%kLc&4C=c^Z8WvC zmje#l#0upEWLu8(sNn5LG2rvnr;A*jafi?NX?;|vS@F6M@G8Z3)MsaaF!z3K>^*Q| z)6mBwI-tM4doQ*?UWTvyB4K&%Ey5e&V#{)8B1y{m__!b?t;*#fq!cGYtj~104pnj? 
zEY#5<{&&?J$m%)Ru#TGL9O_(`u9j$oL8#6Sb=kArUtr1k@n}&5-MXC-*|ZE;2i`D( zMd$sL>h7RL{8;M^z9rgihu!2oxCrC)Zp_fDFIRl0ns058I-@h-E8l9$YIq zb-CrBeHmK7n9V$GSBQB(mIXLjsQMUBv$l^U-?*F22Xwf34E zEd}-sZYX4AEGL|9kTC4Dn(7?&ih9enHUJjj-?#;5h1>>&7xpxBj=@r;$6Tr)noVHfEqRcX zke*%h^|q%W8I$|r+?5eIET8O6i0d{QlZDl}Gd3mhcOq5|n{)TulbXkb8dCkdX>*2W;l^g$<_@PE!4NLqBV0sJFOsI~-co)EXd zm9+*r&S>fEGwe7enNXNGmE8iV4`MTMQ9m}>?N*#H8i{0Z5WNcxRt7ukQNk1Ve-9jK zsJSQ$S{Gi7zxkr}#Ve!S^YmL6m9lv~a=0N-I+S<=Z#%`t?g~lPWG0Ggf)m%PwA$aL zZWEJ!AqI)RkVt|_){)?17kPkRw=Nvl7}Ckk$lhXx;D@cCDLy~lerPlPPCvX`@Lr3^ z`(Azm+yFbnvv6K`2DaL#`BO?d0MT41{hVEFutFOUdf;rkJWzYgP;%o zq#K3wo~B?=<%|w_Yf}3(4U}e)-37T=}{@!q}3S#gG^pO0? zAUCKx$kjmB)Z2IsIK-T?a(yvXV9mDN2O^1J$p&GmPC%bBM&% zO`Fq>iwxL6ovK!N=EUIBZ9EZn6zF*ER5j#%Ej&#{8|^6OZkjn11-zHY)W*QXS;U6j zl!_hs!Par(uMw`aDch#Pp0xw#8dW}(NuJPOZ>wJ0UV0hp+)p8EdLJBOX#QBJR7|ZQ zttTG~+9i@`a+rM|lSSXdbOLOo)R1Q!R(cnAssAdhJ|u9=xTJl$I;kkIHjDBhNZ`Y= z(-yOIAgHhoA>Kg+=cS?oZUVu(11FpSZG2)jn?L9t4PTZOIZP8H(;OwOC$*01h`0Iy zUL}$d7JBi9W^O;nrljJiw4p_(O_?l=aaas`kYqXL0xB;`kO5MGio5O<$J?*AoBXPY ze3ZxEY(!gD%hlfhF4Y8_hD7E?t{6ul{D*tuumoS85#Y!S$2iwx%mAhUn$r7mW8nwl z;&(OTZ!yCkd_37QD%}d3pw>jqJ;BR?V2yN3?n#0GbbJS}?lO&q)YO*#9QlCw1k=v9 zL?PM?IJV)LnRmzfC~Zn%O_wMO1xp(8y7eDI$4$TLIm@4v(!0{l&vmOJWFWU<8k%cj zo8y%C1~z3JLUCaZi{X!~hntv+ri&0_2kp=2ga1%bG^(ey*q3r8rH$O@36}cYok-Nj zz`m-uCm0#QOAu=_@GD5uZboz0$5g>kTQ7O&lWWzDJXLWJ)Af&Cfl<}ukPr&Yk@b)O z^mED2YssrC^xQXQQ+V!iQ{g!=^aYm(K@YpZ_qrF3dZDj?TSJ(i{L7Q4V@kWT>aVg? 
zN!?lbYpz5LlyPr(re{jIsF~1cB(^NX>%SX{k_kC8w|>vfxt7R?Gkl90Rkn$L?rIn~ zZ+(=5VwTp8=)qrK>=(wW++fvx#imurbZY_UqW!JVVg>=(oGRR2mNSrNt^Li}=+7WY zM3V0u)h4TwLx5nnal5Jat8usiccQSV1-6Zgo~n($Pns$SK>R70-I60j5Ce5|nQJ}GAKMe?w(VGA`GZoO$Ki8k~!_nxr2F36eJ9Z~0VtzQP# zF7_QRruBok@UkXysr#aa{FjQ?j^FaTRNbHw%{GDh7r95r_RT+5h_Akh#OYA+tdMRJ zIt;1EeMfsgzH3m_X1L=W2cNzkfX7!B!k21rbX)-K67xwcGTQA#f?b%a=E7fZcPKM@ zbMVmf1uFJ-PiOf(xxJqKh?U%s_Q{h#?-l44>!hKR4FhrZ9>f{V|C6&PJ1HoymM~{qzywaqNAT{|gB!gcXcQ4GT@&<4lZV^waZ566_4*;rkk)D%l*WImM!moE9p;FZ*ySLND`E*+ZVpv0F7CzYp=14LO3R(XWQur z@3@%7kCB;MMXU&U(9*DSwD@N60ijVmDi z&y7DRWj+OXZc61501V|%fd9qJ%2UwiCMX_3=TZOnpiky0o&rDDu>J_Vf$=Bs|Eqod zspaSTtRF3hfKH63zWr}D_Wsq)`xNcD#^Faaa_s*V+TW$6r@+rOb3OvY;r$8xAGUTr z1$?eI?-8(s;6DTWr~dyG=(+x{N1#g34Ez%UpYH~HYVNtlr$=+pp#0~lx&Nd^<*(M1 zr;yL}!8}3&$^Q3{e{{t>g?_Fv;}Kew{7>kAL!$pLFZrDO|A?dsii4l7>%W2YfAjk1 zwA)8eR8S!I6!d?o3=LE<{;9lB4f&UFT@+ru3O4%cbFWsLY|E_NK6zMrF=MhPg z;SZ!|l%1!xo>LqiZ5=ZHVe47_;i$DHOV+;jDzM>u4V@csnukLtuT zNBMKbjYnhY-2c6?=fB)@$@ZhYH@tt?`|nflr|^$P$1 diff --git a/docs/TTX/readme.md b/docs/TTX/readme.md index 442dea3..58dc9cd 100644 --- a/docs/TTX/readme.md +++ b/docs/TTX/readme.md @@ -1,4 +1,4 @@ -This directory contains files from the OpenSSF's Table Top Exercises (TTX) that demonstrate how to prepare and "roleplay" a cyber seecurity incident. +This directory contains files for Cyber Incident Response (CIR) Table Top Exercises (TTX) that demonstrate how to prepare and "roleplay" a cyber security incident. # Cyber Incident Response - Table Top Exercises ## Table of Contents 
@@ -15,22 +15,36 @@ This directory contains files from the OpenSSF's Table Top Exercises (TTX) that - [References](#references) ## Introduction -The purpose of this document is to provide guidance on how to conduct a table top exercise for cyber incident response. This document is intended to be used by organizations that want to test their incident response plans and procedures in a controlled environment. The document provides a scenario, objectives, and materials for the exercise. It also provides guidance on how to prepare for, execute, and debrief the exercise. +The purpose of this document is to provide guidance on how to conduct a table top exercise for cyber incident response. This document is intended to be used by organizations, and anyone who wishes to contribute to building future exercises, that want to test their incident response plans and procedures in a controlled environment. The document provides guidance on how to craft a scenario, objectives, and materials for the exercise. It also provides guidance on how to prepare for, execute, and debrief the exercise. ## Table Top Exercise A table top exercise is a discussion-based exercise that is designed to test an organization's incident response plans and procedures. The exercise is conducted in a controlled environment and involves key personnel who are responsible for responding to a cyber incident. The exercise is designed to identify gaps in the organization's incident response plans and procedures and to improve the organization's ability to respond to a cyber incident. +Typically at a TTX level the policies and process are under scrutiny as a standard, however we are pushing more towards involving technical investigation, response and resolution processes and guidance, as Cyber Incidents have become more widespread and visible over recent times. 
+ +With this in mind we aim to produce two 'sides' to each TTX Exercise; +- Documentation based TTX +- - Typically involves a Question and Answer document revovling around a hypothetical scenario, for participants to walkthrough and discuss hwo and why they may take specific actions against steps of the incident +- - Ideal for conference 'panelist' discussion forums, where Subject Matter Experts (SMEs) can share insights and guidance for specific steps of scenarios (e.g. Project maintainer can divulge how they would react to vulnerability disclosures) + +- Technical TTX +- - We use this to underpin the entire TTX scenario, so that what we deliver is as realistic as possible, as opposed to 100% hypotheticals that are technically never exposable or viable as attack vectors in a real deployment +- - Currently we use the Center for Threat Informed Defense (CTID) Attack Flow builder - https://center-for-threat-informed-defense.github.io/attack-flow/ui/ +- - Each scenario will have a .afb file attached, allowing attendees to open the technical attack flow to follow along. This proves valuable for 'technical' individuals who benefit from having a further visual and technical aid to understanding the scenario +- - Where possible we produce 'synthetic' alerts and events to accompany the Incident Response process. These are normally hand crafted to mirror what an analyst/developer may see in a typical real-world scenario, again emphasising the realness of our scenarios + + ## Scenario -The scenario for the table top exercise is a cyber incident that has occurred in the organization. The scenario is designed to be realistic and to test the organization's incident response plans and procedures. The scenario includes a series of events that unfold over time, and the participants are required to respond to the events as they occur. +The scenarios for the table top exercise typically occur after a cyber incident that has occurred. 
The scenarios are designed to be realistic and to test the organization's incident response plans and procedures. The scenario should includes a series of events that unfold over time, and the participants are required to respond to the events as they occur, and if technical members are in attendance you should be able to dive into attack flows, indicators and relevant data sources that correlate against the scenario. ## Exercise Objectives The objectives of the table top exercise are to: - Test the organization's incident response plans and procedures - Identify gaps in the organization's incident response plans and procedures -- Improve the organization's ability to respond to a cyber incident +- Improve the organization's ability to respond to a cyber incident, including technical directive where suitable ## Exercise Participants -The participants in the table top exercise are key personnel who are responsible for responding to a cyber incident. The participants include: +The participants in the table top exercise are key personnel who are responsible for responding to a cyber incident. The participants normally include: - Incident Response Team - IT Security Team - IT Operations Team 
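Review bot: the nested bullets written as "- - Typically involves ..." under the 'Documentation based TTX' and 'Technical TTX' items will not render as sub-items in GitHub Markdown (each "- -" becomes a top-level bullet whose text starts with a dash); indent sub-items with two spaces ("  - Typically involves ...") and end the introducing line with a colon instead of "TTX Exercise;". Typos in the added lines: "revovling" -> "revolving", "hwo" -> "how", "should includes" -> "should include". The rewritten Scenario opener "scenarios ... typically occur after a cyber incident that has occurred" is tautological; suggest "The scenario begins after a cyber incident has been detected". "technically never exposable or viable as attack vectors" reads oddly; "technically implausible as attack vectors" says the same thing more clearly.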
@@ -39,26 +53,32 @@ The participants in the table top exercise are key personnel who are responsible - Human Resources Team - Business Continuity Team - Executive Management -- Placeholder for other teams +- Additional participants on ad-hoc basis ## Exercise Materials The materials for the table top exercise include: - Table top exercise scenario - Table top exercise objectives -- Table top exercise slack channel +- Table top exercise questions based upon the scenario +- Table top exercise technical attack flow +- Table top exercise synthetic events and alerts +- Table top exercise slack channel (If running technical analysis) - Table top exercise evaluation form ## Exercise Preparation The preparation for the table top exercise includes: -- Reviewing the table top exercise scenario +- Creating and Reviewing the table top exercise scenario - Reviewing the table top exercise objectives -- Setting up the table top exercise slack channel +- Creating a real-world viable technical attack flow including indicators and data source requirements +- Creating synethitic event logs and alerts from technical analysis of scenario +- Setting up the table top exercise slack channel (If required) - Distributing the table top exercise materials to the participants ## Exercise Execution The execution of the table top exercise includes: - Introducing the table top exercise scenario - Facilitating the discussion of the scenario +- If a technical exercise, setting up the technical aspects (events, alerting and feeds) into a relevant space (e.g. Slack) for analysts / developers etc to respond to - Documenting the responses of the participants - Evaluating the responses of the participants 
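Review bot: the Materials list conditions the Slack channel on "(If running technical analysis)" while the Preparation list says "(If required)"; use one condition in both places so readers know when the channel is expected. Typos in the added lines: "synethitic" -> "synthetic", "on ad-hoc basis" -> "on an ad-hoc basis". The new preparation step "Creating a real-world viable technical attack flow including indicators and data source requirements" should name the tool the earlier section already references (the CTID Attack Flow builder) so the "technical attack flow" material is traceable to a preparation step.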
@@ -66,6 +86,7 @@ The execution of the table top exercise includes: The debrief of the table top exercise includes: - Reviewing the responses of the participants - Identifying gaps in the organization's incident response plans and procedures +- Identifying technical gaps in the organiation's observability and security posture (e.g. visibility of indicators, data source requirements etc) - Developing an action plan to address the gaps ## Exercise Conclusion From 72bd8246af7235ffe759027afb5fb44ab41ecd30 Mon Sep 17 00:00:00 2001 From: Ian Barbour <70201769+ian-barbour@users.noreply.github.com> Date: Tue, 30 Apr 2024 15:11:23 +0100 Subject: [PATCH 2/4] Updated to readme and template Signed-off-by: Ian-Barbour --- .../TTX/Andromeda_Gales/Andromeda_Template.md | 187 ++++++++++++++++++ docs/TTX/readme.md | 2 + 2 files changed, 189 insertions(+) create mode 100644 docs/TTX/Andromeda_Gales/Andromeda_Template.md diff --git a/docs/TTX/Andromeda_Gales/Andromeda_Template.md b/docs/TTX/Andromeda_Gales/Andromeda_Template.md new file mode 100644 index 0000000..47d6383 --- /dev/null +++ b/docs/TTX/Andromeda_Gales/Andromeda_Template.md 
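Review bot: in the readme.md debrief hunk of patch 1/4 (@@ -66,6 +86,7 @@), "organiation's" -> "organization's"; otherwise the added debrief item is consistent with the technical-gap focus introduced earlier in this patch.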
@@ -0,0 +1,187 @@ +# Panelists & Contributors + +## Panelists + +- **Panelist 1** + - Role: Maintainer + +- **Panelist 2** + - Role: Maintainer + +- **Panelist 3** + - Role: Maintainer + +- **Panelist 4** + - Role: Maintainer + +- **Panelist 5** + - Role: Maintainer + +- **Panelist 6** + - Role: Repo package registry + +- **Panelist 7** + - Role: SOC/IRT + +- **Panelist 8** + - Role: End user + +- **Panelist 9** + - Role: End user + +- **Panelist 10** + - Role: End user + +- **Panelist 11** + - Role: End user + +- **Panelist 12** + - Role: End user + +## Contributors + +- **Contributor 1** + - Role: Maintainer + +- **Contributor 2** + - Role: Maintainer + +- **Contributor 3** + - Role: End user + +- **Contributor 4** + - Role: End user + +- **Contributor 5** + - Role: Public sector + +- **Contributor 6** + - Role: Public sector + +# Desired Outcomes + +1. Provide a TTX template/formula for maintainers, contributors, and open source consumers to adopt and customize to start running their own TTX and improve their incident response and overall security posture. +2. Provide education for developers who are learning security. +3. Demonstrate how current OpenSSF technologies may be helpful during a security incident. + +- **Welcome background description and desired outcomes for the TTX** + +## Breakthrough 1: Initial Incident + +A large mature organization has disclosed a cybersecurity incident as encouraged by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The details are initially sparse, but the known facts are: + +- A security analyst has identified anomalous egress connections from their Cloud estate. +- The connections originated from workloads running on their Kubernetes cluster. +- These workloads run a business application with access to confidential data. +- Cluster logs show workloads running some commands against the cluster API, harvesting runtime environmental information. 
+- The workloads have recently been updated as part of routine patching/updates, coinciding with the timing of some suspicious alerts generated. +- The Incident Response Team (IRT) is still investigating ongoing threads. + +### Questions + +1. What are the typical steps an organization may take on initial security alert disclosure when initiating a Cyber Incident Response process? +2. After initial cyber incident response processes have been carried out and the org has moved into in-depth investigation, what steps are typical at this stage of the IR process? + +## Breakthrough 2: Scenario Evolution + +As the investigation progresses, more details come to light: + +- From the CI/CD build account, the Incident Response Team (IRT) has traced the event back to a specific pipeline execution. +- The pipeline includes several steps where external images are pulled from a public repository. +- A specific container image pulled consists of a widely used open source application. +- IRT obtains a copy of the image for further investigation but finds no signs of image tampering. +- Enhanced monitoring was put in place on the suspicious workloads. +- Signs of a possible Remote Code Execution (RCE) are detected, but the Vulnerability Management team reports no known CVEs affecting the open source application. +- Everything points to a 0-day vulnerability affecting one or more applications components with an active exploitation campaign ongoing. + +### Questions + +1. In light of the latest investigation progress after inconclusive findings, the team have decided to focus some effort on the internal repository (e.g., GitLab self-hosted) and the CI/CD pipeline. What kind of actions should they be looking to carry out at this point and with what goals in mind? +2. 
With the ongoing security incident and deep investigation, could you give some insight into how keeping a detailed inventory of both software and hardware, including open source software and dependencies, can be influential to incident response? +3. Additionally, could you explain the concept and significance of a Software Bill of Materials (SBOM) in managing open source security and share how SBOMs can be instrumental in streamlining the investigation process particularly in identifying compromised components and mapping out dependencies for a more efficient incident response? + +## Breakthrough 3: Scenario Evolution + +The scenario further evolves: + +- Internal investigations have concluded and found that the exploit has spread across various resources, necessitating disclosure of the vulnerability. +- The 0-day vulnerability is confirmed with exploitation replicated. +- Open Source maintainers have been contacted through their vulnerability disclosure process to work on a fix. +- Considering the active malicious campaign, the degree of urgency is communicated. +- Threat intelligence organizations provide data on the active campaign: + - Malicious destination domains and IPs + - Malicious binary hashes + - Malicious process names + - Malicious exploitation strings + +### Questions + +1. With the recent information provided by the IRT (Incident Response Team), the scenario has grown to include open source maintainers at this stage; they're required to begin their vulnerability disclosure process. How does this typically work? +2. In today's world, maintaining reputation across platforms is paramount. How can organizations and maintainers alike manage social media scrutiny and pressure, especially in 'crisis' events such as highly visible exploits targeting specific projects? +3. How can you aim to protect the people working under pressure and stress throughout these events? 
+ +## Breakthrough 4: Scenario Evolution + +The scenario evolves: + +- The maintainers have successfully produced and tested a fix. +- The fix was incorporated into a new release of the application and made available to the general public. +- Indicators of Compromise are available to aid detections. +- The CVE now has a remediation/fix with a 9.5 score made available to the general public. + +### Questions + +1. In light of the recent successful development and release of a patch for a high-severity vulnerability, could you elaborate on best practices for coordinating efforts of maintainers and open source project teams to ensure the fix's security and authenticity, preventing it from becoming a secondary attack vector? +2. Additionally, how can you collaborate with larger organizations or the initial disclosing entity to validate and publicize the remedy? + +3. Considering the recent CVE announcement, could you walk us through the process your organization employs to create a comprehensive and timely response to customers? +4. Specifically, how do you integrate communication, patch management, and incident response strategies to address vulnerabilities and maintain trust in a cloud-native platform? + +5. When looking at enhancing security within open source projects, how does a collaborative project like GUAC contribute to this goal? +6. How do projects like GUAC integrate with existing security practices to comprehensively secure open source software, and what unique advantages does GUAC provide in the broader context of open source security management? + +7. In light of our ongoing discussion and the scenario we've navigated, how can the OSV database and scanner be strategically used to support the identification, tracking, and resolution of vulnerabilities such as the one we've encountered? +8. Could you share insights or experiences on how these tools have facilitated a more streamlined and effective response to vulnerabilities in past incidents? 
+ +## Breakthrough 5: Postmortem / Open Discussion + +### Reflections on the Scenario + +### Questions + +1. What is CISA’s role in OSS security? +2. A number of sectors have an inherent distrust in open source due to a number of factors including time to remediation, SLAs, enterprise-level support, and its 'open' nature. How do you think this could be tackled, and are there any initiatives that could support this? + +### End User(s) Discussion + +#### Forum Discussion Style Topic: 10-15 Minutes + +"Leveraging Corporate Resources for Open Source Security" +- A conversation about how large organizations who have fully established policies, processes, and resources in place to respond to such incidents, invest and establish mutual beneficiary outcomes with open source maintainers and projects, potentially creating a framework for mutual support. + +"Collaborative Incident Response: Bridging the Gap between Large Organizations and Open Source Projects" +- This discussion topic aims to explore how large organizations could potentially extend their incident response capabilities to support open source projects during security incidents. +- It will focus on sharing actionable insights, resources, and best practices to enhance the resilience of open source software against emerging threats, emphasizing collaborative efforts, shared responsibility, and the alignment of incident response strategies for the collective benefit of the digital ecosystem. + +#### Forum Discussion Style Topic: 10-15 Minutes + +"Fostering Trust and Transparency: The Art of Communicating with Security Issue Reporters" +- Discuss the importance of open lines of communication between project maintainers and Security issue reporters for enhancing project security and community trust. 
+ +### Lesson Learnt, Final Observations + +### Closing Remarks + +### Q&A + +# Acknowledgments + +We thank all the panelists, contributors, and attendees for their active participation and valuable contributions to the success of this event. Special thanks to the organizing team for their efforts in coordinating and facilitating the session. + +# About This Document + +This document was created to provide a structured overview of the tabletop exercise (TTX) and to serve as a reference for future similar events. + +# Contact Information + +For any inquiries related to this document or the discussions held during the TTX, please contact OpenSSF \ No newline at end of file diff --git a/docs/TTX/readme.md b/docs/TTX/readme.md index 58dc9cd..854b421 100644 --- a/docs/TTX/readme.md +++ b/docs/TTX/readme.md @@ -37,6 +37,8 @@ With this in mind we aim to produce two 'sides' to each TTX Exercise; ## Scenario The scenarios for the table top exercise typically occur after a cyber incident that has occurred. The scenarios are designed to be realistic and to test the organization's incident response plans and procedures. The scenario should includes a series of events that unfold over time, and the participants are required to respond to the events as they occur, and if technical members are in attendance you should be able to dive into attack flows, indicators and relevant data sources that correlate against the scenario. +Included with every scenario should be a template (e.g. Within Andromeda_Gales there is a scenario_template.md) which covers the scenario walkthrough / roleplay, required attendees, questions and format to the TTX. + ## Exercise Objectives The objectives of the table top exercise are to: - Test the organization's incident response plans and procedures From 91d57f7e5fa7096d2b6efd5cb0c7024e7336f5b1 Mon Sep 17 00:00:00 2001 
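Review bot: The Breakthrough 4 bullet "The CVE now has a remediation/fix with a 9.5 score" does not say which score this is, and a 9.5 CVSS v3 base score is rated Critical (9.0-10.0), which clashes with the "high-severity vulnerability" wording in question 1 of the same hunk; suggest "...with a CVSS v3 base score of 9.5 (Critical)..." and aligning question 1 with it.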
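Review bot: In the Breakthrough 5 hunk, "Reflections on the Scenario" is a heading with no body, as are "Lesson Learnt, Final Observations", "Closing Remarks" and "Q&A" that follow it; give each a one-line facilitator prompt or a time box like the "10-15 Minutes" the forum topics carry, so the template is usable without guessing. Two wording fixes in the same hunk: "Lesson Learnt" should read "Lessons Learnt", and "invest and establish mutual beneficiary outcomes with open source maintainers" should read "invest in and establish mutually beneficial outcomes with open source maintainers".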
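Review bot: "For any inquiries ... please contact OpenSSF" in the Contact Information section names no address, channel or URL, so a reader has nowhere to go; add the mailing list, Slack channel or web page (or a clearly marked placeholder), and terminate the file with a newline, which the diff flags with "\ No newline at end of file".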
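Review bot: The new readme.md line refers to "scenario_template.md" inside Andromeda_Gales, but the template that exists in this series is Andromeda_Gales/Andromeda_Template.md (it is renamed as such in PATCH 3/4), so the reference does not resolve; suggest "(e.g. within Andromeda_Gales there is an Andromeda_Template.md)", with lowercase "within" after "e.g.". While this paragraph is being touched, the unchanged context line "The scenario should includes a series of events" still carries the "should includes" typo and could be fixed in the same hunk.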
From: Ian-Barbour Date: Thu, 2 May 2024 15:44:31 +0100 Subject: [PATCH 3/4] Amended scenario codename to SOSS Community Day, added templates and readme to reflect scenario 
Signed-off-by: Ian-Barbour --- .../Event_Logs/10_Env_Enumeration.log | 12 - .../Event_Logs/11_Establish_Comms.log | 12 - .../Event_Logs/12_C2_Commands.log | 9 - .../15_Network_Boundary_Bridging_VPCFlow.log | 26 -- .../Event_Logs/1_DockerHub.log | 8 - ...smission_to_External_C2_Server_VPCFlow.log | 26 -- .../Event_Logs/2_Artifactory_Sync.log | 10 - .../Event_Logs/3_Image_Signing.log | 11 - .../Event_Logs/4_Build_Execution.log | 12 - .../Event_Logs/5_Build_Persistence.log | 13 - .../Event_Logs/6_Artifactory_Prod_Image.log | 11 - ...Check_Against_Security_Software_Prisma.log | 10 - .../Event_Logs/8_Env_Keying_Prisma.log | 11 - .../Event_Logs/9_Persistence_Jobs_Prisma.log | 11 - docs/TTX/Andromeda_Gales/readme.md | 1 - ...dit_Log_for_Encoded_Command_Execution.yaml | 44 +-- ...14_C2_Traffic_Masquerading_CloudWatch.json | 44 +-- .../15_Network_Boundary_Bridging_K8.yaml | 34 +- ...ve_Roles_and_Policies_Exploitation_K8.yaml | 28 +- ...oles_and_Policies_Exploitation_SecHub.json | 56 +-- .../17_Permission_Enumeration_K8.yaml | 28 +- ...stance_Metadata_API_Misuse_CloudWatch.json | 28 +- ...data_API_Misuse_CloudWatch_CloudTrail.json | 94 ++--- ...n_for_Privilege_Escalation_CloudTrail.json | 90 ++--- ...loitation_for_Privilege_Escalation_K8.yaml | 38 +- ...edentials_and_Privilege_Escalation_K8.yaml | 68 ++-- ...s_and_Privilege_Escalation_K8_ConfMap.yaml | 34 +- ...ral_Movement_via_Compromised_Roles_K8.yaml | 38 +- ...t_via_Compromised_Roles_K8_CloudTrail.json | 90 ++--- ...m_Information_Repositories_CloudTrail.json | 38 +- ..._Snapshot_for_Exfiltration_CloudTrail.json | 44 +-- ...ry_Check_Against_Security_Software_K8.yaml | 28 +- .../Event_Logs/8_Env_Keying_K8.yaml | 28 +- .../Event_Logs/9_Persistence_Jobs_K8.yaml | 38 +- .../Event_Logs/readme.md | 0 ...SOSS_Community_Day_NA_2024_AttackFlow.afb} | 0 .../SOSS_Community_Day_NA_2024_Scenario.md} | 40 +- .../SOSS_Community_Day_NA_2024_Template.md} | 372 +++++++++--------- docs/TTX/SOSS Community Day NA 2024/readme.md | 1 + 
docs/TTX/readme.md | 2 +- 40 files changed, 653 insertions(+), 835 deletions(-) delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/10_Env_Enumeration.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/11_Establish_Comms.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/12_C2_Commands.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/15_Network_Boundary_Bridging_VPCFlow.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/1_DockerHub.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/24_Transmission_to_External_C2_Server_VPCFlow.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/2_Artifactory_Sync.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/3_Image_Signing.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/4_Build_Execution.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/5_Build_Persistence.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/6_Artifactory_Prod_Image.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/7_Discovery_Check_Against_Security_Software_Prisma.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/8_Env_Keying_Prisma.log delete mode 100644 docs/TTX/Andromeda_Gales/Event_Logs/9_Persistence_Jobs_Prisma.log delete mode 100644 docs/TTX/Andromeda_Gales/readme.md rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/13_Kubernetes_Audit_Log_for_Encoded_Command_Execution.yaml (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/14_C2_Traffic_Masquerading_CloudWatch.json (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/15_Network_Boundary_Bridging_K8.yaml (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_K8.yaml (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_SecHub.json (98%) rename 
docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/17_Permission_Enumeration_K8.yaml (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch.json (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch_CloudTrail.json (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/19_Exploitation_for_Privilege_Escalation_CloudTrail.json (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/19_Exploitation_for_Privilege_Escalation_K8.yaml (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8.yaml (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8_ConfMap.yaml (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8.yaml (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8_CloudTrail.json (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/22_Data_Collection_from_Information_Repositories_CloudTrail.json (96%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/23_Snapshot_for_Exfiltration_CloudTrail.json (96%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/7_Discovery_Check_Against_Security_Software_K8.yaml (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/8_Env_Keying_K8.yaml (97%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/9_Persistence_Jobs_K8.yaml (96%) rename docs/TTX/{Andromeda_Gales => SOSS Community Day NA 2024}/Event_Logs/readme.md (100%) rename docs/TTX/{Andromeda_Gales/Andromeda_Gales_Final.afb => SOSS 
Community Day NA 2024/SOSS_Community_Day_NA_2024_AttackFlow.afb} (100%) rename docs/TTX/{Andromeda_Gales/Andromeda_Gales.md => SOSS Community Day NA 2024/SOSS_Community_Day_NA_2024_Scenario.md} (92%) rename docs/TTX/{Andromeda_Gales/Andromeda_Template.md => SOSS Community Day NA 2024/SOSS_Community_Day_NA_2024_Template.md} (98%) create mode 100644 docs/TTX/SOSS Community Day NA 2024/readme.md diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/10_Env_Enumeration.log b/docs/TTX/Andromeda_Gales/Event_Logs/10_Env_Enumeration.log deleted file mode 100644 index eca7cb2..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/10_Env_Enumeration.log +++ /dev/null @@ -1,12 +0,0 @@ -Timestamp: 2024-02-29T20:30:00Z -Event: Unauthorized Enumeration Activity Detected -Service: Prisma Cloud Kubernetes Defender -Cluster: AndromedaWebCluster -Container: andromeda-web-app-container -Action: Conducted Target Environment Enumeration -Description: Detected unauthorized enumeration activity by 'andromeda-web-app-container' aimed at identifying critical system services within the 'AndromedaWebCluster'. The process appears to be gathering information of importance to exfiltrate over a Command and Control (C2) channel. -Outcome: High Alert Generated -Response: Initiated Automated Containment Measures -Investigation Priority: High -User: system -Source IP: 10.244.1.2 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/11_Establish_Comms.log b/docs/TTX/Andromeda_Gales/Event_Logs/11_Establish_Comms.log deleted file mode 100644 index 4cd2fd2..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/11_Establish_Comms.log +++ /dev/null 
@@ -1,12 +0,0 @@ -Timestamp: 2024-02-29T20:45:00Z -Event: Suspicious Outbound Communication Detected -Service: Prisma Cloud Kubernetes Defender -Cluster: AndromedaWebCluster -Container: andromeda-web-app-container -Action: Established Outbound Communication -Target URL: hxxp://malicious[.]domain/control -Description: 'Andromeda-web-app-container' initiated unauthorized outbound communication to a known attacker-controlled location 'hxxp://malicious[.]domain/control', likely for command and control purposes. This indicates the backdoor's attempt to establish a communication channel with the attacker. -Outcome: Critical Alert Generated -Response: Quarantine Container and Initiate Forensic Analysis -User: system -Source IP: 10.244.1.2 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/12_C2_Commands.log b/docs/TTX/Andromeda_Gales/Event_Logs/12_C2_Commands.log deleted file mode 100644 index 0364529..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/12_C2_Commands.log +++ /dev/null @@ -1,9 +0,0 @@ -Timestamp: 2024-02-29T21:00:00Z -Event: Encoded Command Execution Detected -Service: Prisma Cloud Kubernetes Defender -Cluster: AndromedaWebCluster -Container: andromeda-web-app-container -Description: Detected execution of encoded commands from an external C2 server within 'andromeda-web-app-container'. Commands indicate potential for file manipulation, service enumeration, and unauthorized access to device functions. -Outcome: Critical Alert -User: system -Source IP: 10.244.1.2 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/15_Network_Boundary_Bridging_VPCFlow.log b/docs/TTX/Andromeda_Gales/Event_Logs/15_Network_Boundary_Bridging_VPCFlow.log deleted file mode 100644 index cfcb24a..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/15_Network_Boundary_Bridging_VPCFlow.log +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "timestamp": "2024-02-29T22:30:15Z", - "action": "ACCEPT", - "srcaddr": "10.244.2.2", - "dstaddr": "10.244.3.3", - "protocol": 6, - "srcport": 12345, - "dstport": 8080, - "logStatus": "OK", - "vpcId": "vpc-0a1b2c3d4e", - "subnetId": "subnet-05f6g7h8i", - "instanceId": "i-0123456789abcdef0", - "interfaceId": "eni-02468acefdb97531", - "accountId": "123456789012", - "type": "IPv4", - "pktSrcAddr": "10.244.2.2", - "pktDstAddr": "10.244.3.3", - "region": "us-east-1", - "azId": "use1-az6", - "sublocationType": "AvailabilityZone", - "sublocationId": "use1-az6", - "tcpFlags": 19, - "direction": "egress", - "flowDirection": "outbound", - "trafficPath": "external" -} \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/1_DockerHub.log b/docs/TTX/Andromeda_Gales/Event_Logs/1_DockerHub.log deleted file mode 100644 index f4847ce..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/1_DockerHub.log +++ /dev/null @@ -1,8 +0,0 @@ -Timestamp: 2024-02-29T12:00:00Z -Event: Image Upload -User: john_doe -Repository: AndromedaGales -Image: andromedagales/image:latest -Action: Pushed -Source IP: 198.51.100.42 -Description: User 'john_doe' pushed a new image 'andromedagales/image:latest' to repository 'AndromedaGales'. \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/24_Transmission_to_External_C2_Server_VPCFlow.log b/docs/TTX/Andromeda_Gales/Event_Logs/24_Transmission_to_External_C2_Server_VPCFlow.log deleted file mode 100644 index 0e3c548..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/24_Transmission_to_External_C2_Server_VPCFlow.log +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "timestamp": "2024-03-01T01:20:00Z", - "action": "ACCEPT", - "srcaddr": "10.244.4.6", - "dstaddr": "203.0.113.45", - "protocol": 6, - "srcport": 44322, - "dstport": 443, - "logStatus": "OK", - "vpcId": "vpc-01a2b3c4d5e6f7g8h", - "subnetId": "subnet-09f8e7d6c5b4a3a2", - "instanceId": "i-0a1b2c3d4e5f67890", - "interfaceId": "eni-0a1b2cd3ef4567890", - "accountId": "123456789012", - "type": "IPv4", - "pktSrcAddr": "10.244.4.6", - "pktDstAddr": "203.0.113.45", - "region": "us-east-1", - "azId": "use1-az1", - "sublocationType": "AvailabilityZone", - "sublocationId": "use1-az1", - "tcpFlags": 16, - "direction": "egress", - "flowDirection": "outbound", - "trafficPath": "external" -} \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/2_Artifactory_Sync.log b/docs/TTX/Andromeda_Gales/Event_Logs/2_Artifactory_Sync.log deleted file mode 100644 index f89d24f..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/2_Artifactory_Sync.log +++ /dev/null @@ -1,10 +0,0 @@ -Timestamp: 2024-02-29T13:05:00Z -Event: Repository Sync -Service: Artifactory -Action: Pull Image -Source Repository: dockerhub.com/andromedagales -Image: andromedagales/image:latest -Destination: Local Artifactory Repository -Description: Artifactory service has synchronized with DockerHub, downloading the latest image 'andromedagales/image:latest' into the local repository for 'AndromedaWebApp' dependencies. -User: artifactory_sync_service -Source IP: 192.0.2.123 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/3_Image_Signing.log b/docs/TTX/Andromeda_Gales/Event_Logs/3_Image_Signing.log deleted file mode 100644 index 38c37bf..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/3_Image_Signing.log +++ /dev/null 
@@ -1,11 +0,0 @@ -Timestamp: 2024-02-29T14:10:00Z -Event: Image Signing -Service: Artifactory -Action: Sign Image -Image: andromedagales/image:latest -Repository: Local Artifactory Repository - AndromedaWebApp Dependencies -Signing Key: RSA 2048 SHA256:4a:5b:c6:7d:e8:f9:0a:1b:2c:3d:4e:5f:6g:7h:8i:9j -Status: Success -Description: The latest image 'andromedagales/image:latest' in the Artifactory repository for 'AndromedaWebApp' dependencies has been signed successfully with the RSA 2048 key to ensure authenticity and support reproducible builds. -User: build_security_service -Source IP: 192.0.2.123 diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/4_Build_Execution.log b/docs/TTX/Andromeda_Gales/Event_Logs/4_Build_Execution.log deleted file mode 100644 index 7249c1d..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/4_Build_Execution.log +++ /dev/null @@ -1,12 +0,0 @@ -Timestamp: 2024-02-29T15:20:00Z -Event: Test Suite Execution -CI/CD Pipeline: Jenkins Build #2053 -Project: AndromedaWebApp -Stage: End-to-End Testing -Action: Execute Image -Image: andromedagales/image:latest -Test Framework: Selenium -Description: During the end-to-end testing phase of Jenkins build #2053 for project 'AndromedaWebApp', the test suite executed the image 'andromedagales/image:latest' using the Selenium testing framework. -Outcome: Passed -User: automated_test_service -Source IP: 203.0.113.76 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/5_Build_Persistence.log b/docs/TTX/Andromeda_Gales/Event_Logs/5_Build_Persistence.log deleted file mode 100644 index 518f466..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/5_Build_Persistence.log +++ /dev/null 
@@ -1,13 +0,0 @@ -Timestamp: 2024-02-29T16:30:00Z -Event: Artifact Export and Integration -CI/CD Pipeline: Jenkins Build #2054 -Project: AndromedaWebApp -Stage: Build and Packaging -Action: Embed Artifact -Artifact: harmless_module.o -Build Tool: Docker Packer -Target Image: andromedagales/production_image:latest -Description: Post end-to-end testing, the 'harmless_module.o' artifact, produced by executing the image 'andromedagales/mimage:latest', was automatically embedded into the 'andromedagales/production_image:latest' during the build and packaging stage using Docker Packer. -Outcome: Success -User: ci_cd_service_account -Source IP: 203.0.113.76 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/6_Artifactory_Prod_Image.log b/docs/TTX/Andromeda_Gales/Event_Logs/6_Artifactory_Prod_Image.log deleted file mode 100644 index c7353c0..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/6_Artifactory_Prod_Image.log +++ /dev/null @@ -1,11 +0,0 @@ -Timestamp: 2024-02-29T17:40:00Z -Event: Image Storage and Signing -Service: Artifactory -Action: Store and Sign Image -Image: andromedagales/production_image:latest -Repository: Local Artifactory Repository - Production Images -Signing Key: RSA 4096 SHA256:7k:8m:9n:0o:pq:qr:st:uv:wx:yz -Status: Success -Description: The latest production image 'andromedagales/production_image:latest' has been stored in the 'Production Images' Artifactory repository.. -User: prod_artifactory_service -Source IP: 192.0.2.123 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/7_Discovery_Check_Against_Security_Software_Prisma.log b/docs/TTX/Andromeda_Gales/Event_Logs/7_Discovery_Check_Against_Security_Software_Prisma.log deleted file mode 100644 index 8aad34b..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/7_Discovery_Check_Against_Security_Software_Prisma.log +++ /dev/null 
@@ -1,10 +0,0 @@ -Timestamp: 2024-02-29T18:50:00Z -Event: Suspicious Discovery Activity Detected -Service: Prisma Cloud Kubernetes Defender -Cluster: AndromedaWebCluster -Container: andromeda-web-app-container -Action: Executed Security Software Discovery Check -Description: A suspicious activity was detected where the 'andromeda-web-app-container' in the 'AndromedaWebCluster' executed commands associated with discovery checks against installed security software and detection tools. The activity suggests an attempt to identify and evade security measures. -Outcome: Alert Generated -User: system -Source IP: 10.244.1.2 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/8_Env_Keying_Prisma.log b/docs/TTX/Andromeda_Gales/Event_Logs/8_Env_Keying_Prisma.log deleted file mode 100644 index a981392..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/8_Env_Keying_Prisma.log +++ /dev/null @@ -1,11 +0,0 @@ -Timestamp: 2024-02-29T19:05:00Z -Event: Suspicious Environment Probing Detected -Service: Prisma Cloud Kubernetes Defender -Cluster: AndromedaWebCluster -Container: andromeda-web-app-container -Action: Executed Environment Keying Procedures -Description: The container 'andromeda-web-app-container' performed unauthorized environment keying activities, including scanning for specific environment variables, network settings, and access to log and configuration files. Indicates potential preparation for targeted malicious operations. -Outcome: Alert Generated -Investigation: Required -User: system -Source IP: 10.244.1.2 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/9_Persistence_Jobs_Prisma.log b/docs/TTX/Andromeda_Gales/Event_Logs/9_Persistence_Jobs_Prisma.log deleted file mode 100644 index 5e5ca9f..0000000 --- a/docs/TTX/Andromeda_Gales/Event_Logs/9_Persistence_Jobs_Prisma.log +++ /dev/null 
@@ -1,11 +0,0 @@ -Timestamp: 2024-02-29T19:20:00Z -Event: Unauthorized Persistence Mechanism Detected -Service: Prisma Cloud Kubernetes Defender -Cluster: AndromedaWebCluster -Container: andromeda-web-app-container -Action: Modified System Processes and Scheduled Jobs -Description: Detected unauthorized modifications to system processes and the creation of suspicious cron jobs within the 'andromeda-web-app-container'. These changes are indicative of an attempt to ensure persistence of a malicious beacon or process across restarts and updates. -Outcome: Alert Generated -Remediation: Immediate Investigation and Containment Advised -User: system -Source IP: 10.244.1.2 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/readme.md b/docs/TTX/Andromeda_Gales/readme.md deleted file mode 100644 index 5f3f5fa..0000000 --- a/docs/TTX/Andromeda_Gales/readme.md +++ /dev/null @@ -1 +0,0 @@ -TTX materials for the Andromeda Gales scenario diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/13_Kubernetes_Audit_Log_for_Encoded_Command_Execution.yaml b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/13_Kubernetes_Audit_Log_for_Encoded_Command_Execution.yaml similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/13_Kubernetes_Audit_Log_for_Encoded_Command_Execution.yaml rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/13_Kubernetes_Audit_Log_for_Encoded_Command_Execution.yaml index a8a949e..fda13a6 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/13_Kubernetes_Audit_Log_for_Encoded_Command_Execution.yaml +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/13_Kubernetes_Audit_Log_for_Encoded_Command_Execution.yaml 
@@ -1,23 +1,23 @@ -kind: Event -apiVersion: audit.k8s.io/v1 -level: RequestResponse -timestamp: "2024-02-29T21:00:00Z" -auditID: a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 -stage: ResponseComplete -requestURI: "/api/v1/namespaces/default/pods/andromeda-web-app-container/exec" -verb: create -user: - username: system:serviceaccount:default:andromeda-service-account - uid: "123456" - groups: - - system:serviceaccounts - - system:serviceaccounts:default - - system:authenticated -sourceIPs: ["192.0.2.123"] -responseObject: - status: "Success" - reason: "Executed Encoded Command" -annotations: - kubernetes.io/encoded-command: "[Redacted for Security]" - authorization.k8s.io/decision: "allow" +kind: Event +apiVersion: audit.k8s.io/v1 +level: RequestResponse +timestamp: "2024-02-29T21:00:00Z" +auditID: a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6 +stage: ResponseComplete +requestURI: "/api/v1/namespaces/default/pods/andromeda-web-app-container/exec" +verb: create +user: + username: system:serviceaccount:default:andromeda-service-account + uid: "123456" + groups: + - system:serviceaccounts + - system:serviceaccounts:default + - system:authenticated +sourceIPs: ["192.0.2.123"] +responseObject: + status: "Success" + reason: "Executed Encoded Command" +annotations: + kubernetes.io/encoded-command: "[Redacted for Security]" + authorization.k8s.io/decision: "allow" authorization.k8s.io/reason: "RBAC: allowed by RoleBinding andromeda-rb/default to ServiceAccount andromeda-service-account" \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/14_C2_Traffic_Masquerading_CloudWatch.json b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/14_C2_Traffic_Masquerading_CloudWatch.json similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/14_C2_Traffic_Masquerading_CloudWatch.json rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/14_C2_Traffic_Masquerading_CloudWatch.json index 4941a2a..79db87b 100644 
--- a/docs/TTX/Andromeda_Gales/Event_Logs/14_C2_Traffic_Masquerading_CloudWatch.json +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/14_C2_Traffic_Masquerading_CloudWatch.json @@ -1,23 +1,23 @@ -{ - "timestamp": "2024-02-29T21:05:00Z", - "logStream": "AndromedaWebCluster/andromeda-web-app-container", - "message": "Outbound connection attempt to masqueraded C2 hostname detected. Hostname matches internal service, but DNS resolution history is suspicious. Protocol pattern mimics legitimate service traffic, indicating potential obfuscation efforts.", - "kubernetes": { - "cluster": "AndromedaWebCluster", - "namespace": "default", - "pod": "andromeda-web-app-container", - "container": "andromeda-web-app" - }, - "network": { - "destinationHostname": "internal-service.companydomain.com", - "resolvedIP": "malicious[.]ip[.]address", - "protocol": "HTTPS", - "action": "OutboundConnectionAttempt", - "outcome": "Success" - }, - "threat": { - "indicator": "C2TrafficMasquerading", - "level": "High", - "response": "AlertGenerated" - } +{ + "timestamp": "2024-02-29T21:05:00Z", + "logStream": "AndromedaWebCluster/andromeda-web-app-container", + "message": "Outbound connection attempt to masqueraded C2 hostname detected. Hostname matches internal service, but DNS resolution history is suspicious. Protocol pattern mimics legitimate service traffic, indicating potential obfuscation efforts.", + "kubernetes": { + "cluster": "AndromedaWebCluster", + "namespace": "default", + "pod": "andromeda-web-app-container", + "container": "andromeda-web-app" + }, + "network": { + "destinationHostname": "internal-service.companydomain.com", + "resolvedIP": "malicious[.]ip[.]address", + "protocol": "HTTPS", + "action": "OutboundConnectionAttempt", + "outcome": "Success" + }, + "threat": { + "indicator": "C2TrafficMasquerading", + "level": "High", + "response": "AlertGenerated" + } } \ No newline at end of file 
diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/15_Network_Boundary_Bridging_K8.yaml b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/15_Network_Boundary_Bridging_K8.yaml similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/15_Network_Boundary_Bridging_K8.yaml rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/15_Network_Boundary_Bridging_K8.yaml index 03cebea..c7b8c97 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/15_Network_Boundary_Bridging_K8.yaml +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/15_Network_Boundary_Bridging_K8.yaml @@ -1,18 +1,18 @@ -kind: Event -apiVersion: audit.k8s.io/v1 -level: RequestResponse -timestamp: "2024-02-29T22:30:00Z" -auditID: d7e8f9g0-h1i2-j3k4-l5m6-n7o8p9q0r1s2 -stage: ResponseComplete -requestURI: "/apis/networking.k8s.io/v1/namespaces/default/networkpolicies" -verb: "list" -user: - username: "system:serviceaccount:default:andromeda-service-account" -sourceIPs: ["10.244.2.2"] -responseObject: - kind: NetworkPolicyList - apiVersion: networking.k8s.io/v1 -annotations: - kubernetes.io/network-boundary-bridging: "Attempted enumeration of network policies to identify zero-trust boundary weaknesses." -responseStatus: +kind: Event +apiVersion: audit.k8s.io/v1 +level: RequestResponse +timestamp: "2024-02-29T22:30:00Z" +auditID: d7e8f9g0-h1i2-j3k4-l5m6-n7o8p9q0r1s2 +stage: ResponseComplete +requestURI: "/apis/networking.k8s.io/v1/namespaces/default/networkpolicies" +verb: "list" +user: + username: "system:serviceaccount:default:andromeda-service-account" +sourceIPs: ["10.244.2.2"] +responseObject: + kind: NetworkPolicyList + apiVersion: networking.k8s.io/v1 +annotations: + kubernetes.io/network-boundary-bridging: "Attempted enumeration of network policies to identify zero-trust boundary weaknesses." +responseStatus: code: 200 \ No newline at end of file 
diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_K8.yaml b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_K8.yaml similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_K8.yaml rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_K8.yaml index 212b135..46fd7b8 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_K8.yaml +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_K8.yaml @@ -1,15 +1,15 @@ -kind: Event -apiVersion: audit.k8s.io/v1 -level: Metadata -timestamp: "2024-02-29T22:40:00Z" -auditID: u1v2w3x4-y5z6-a7b8-c9d0-e1f2g3h4i5j6 -stage: ResponseComplete -requestURI: "/apis/rbac.authorization.k8s.io/v1/namespaces/default/roles" -verb: "list" -user: - username: "system:serviceaccount:default:andromeda-service-account" -sourceIPs: ["10.244.2.3"] -annotations: - kubernetes.io/role-exploitation: "Listed roles in the default namespace to find overly permissive configurations for privilege escalation." -responseStatus: +kind: Event +apiVersion: audit.k8s.io/v1 +level: Metadata +timestamp: "2024-02-29T22:40:00Z" +auditID: u1v2w3x4-y5z6-a7b8-c9d0-e1f2g3h4i5j6 +stage: ResponseComplete +requestURI: "/apis/rbac.authorization.k8s.io/v1/namespaces/default/roles" +verb: "list" +user: + username: "system:serviceaccount:default:andromeda-service-account" +sourceIPs: ["10.244.2.3"] +annotations: + kubernetes.io/role-exploitation: "Listed roles in the default namespace to find overly permissive configurations for privilege escalation." +responseStatus: code: 200 \ No newline at end of file 
diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_SecHub.json b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_SecHub.json similarity index 98% rename from docs/TTX/Andromeda_Gales/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_SecHub.json rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_SecHub.json index 81e08c6..efd7406 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_SecHub.json +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/16_Overly_Permissive_Roles_and_Policies_Exploitation_SecHub.json 
@@ -1,29 +1,29 @@ -{ - "SchemaVersion": "2018-10-08", - "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.1/finding/81f3e8b2-3e45-499e-bd9e-44877fcad8f6", - "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", - "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/IAM.1", - "AwsAccountId": "123456789012", - "Types": ["Software and Configuration Checks/AWS Security Best Practices"], - "FirstObservedAt": "2024-02-29T22:40:00Z", - "LastObservedAt": "2024-02-29T22:40:00Z", - "CreatedAt": "2024-02-29T22:40:00Z", - "UpdatedAt": "2024-02-29T22:40:00Z", - "Severity": {"Label": "HIGH"}, - "Title": "IAM Policy Misconfiguration Detected", - "Description": "Security Hub detected an overly permissive IAM role 'andromeda-service-account-role' that could allow unauthorized access to AKS cluster resources. Review and restrict IAM policies according to the principle of least privilege.", - "Remediation": { - "Recommendation": { - "Text": "For guidance on IAM roles and policies, see the IAM User Guide.", - "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" - } - }, - "Resources": [ - { - "Type": "AwsIamRole", - "Id": "arn:aws:iam::123456789012:role/andromeda-service-account-role", - "Partition": "aws", - "Region": "us-east-1" - } - ] +{ + "SchemaVersion": "2018-10-08", + "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.1/finding/81f3e8b2-3e45-499e-bd9e-44877fcad8f6", + "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", + "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/IAM.1", + "AwsAccountId": "123456789012", + "Types": ["Software and Configuration Checks/AWS Security Best Practices"], + "FirstObservedAt": "2024-02-29T22:40:00Z", + "LastObservedAt": "2024-02-29T22:40:00Z", + "CreatedAt": "2024-02-29T22:40:00Z", + "UpdatedAt": "2024-02-29T22:40:00Z", + 
"Severity": {"Label": "HIGH"}, + "Title": "IAM Policy Misconfiguration Detected", + "Description": "Security Hub detected an overly permissive IAM role 'andromeda-service-account-role' that could allow unauthorized access to AKS cluster resources. Review and restrict IAM policies according to the principle of least privilege.", + "Remediation": { + "Recommendation": { + "Text": "For guidance on IAM roles and policies, see the IAM User Guide.", + "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" + } + }, + "Resources": [ + { + "Type": "AwsIamRole", + "Id": "arn:aws:iam::123456789012:role/andromeda-service-account-role", + "Partition": "aws", + "Region": "us-east-1" + } + ] } \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/17_Permission_Enumeration_K8.yaml b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/17_Permission_Enumeration_K8.yaml similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/17_Permission_Enumeration_K8.yaml rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/17_Permission_Enumeration_K8.yaml index aa0e238..c35ef59 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/17_Permission_Enumeration_K8.yaml +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/17_Permission_Enumeration_K8.yaml 
@@ -1,15 +1,15 @@ -kind: Event -apiVersion: audit.k8s.io/v1 -level: Request -timestamp: "2024-02-29T22:50:00Z" -auditID: k5l6m7n8-o9p0-q1r2-s3t4-u5v6w7x8y9z0 -stage: ResponseComplete -requestURI: "/api/v1/namespaces/default/pods" -verb: "list" -user: - username: "system:serviceaccount:default:andromeda-service-account" -sourceIPs: ["10.244.2.4"] -annotations: - kubernetes.io/resource-enumeration: "Enumerated pods to discover resources and assess permissions available to the compromised account." -responseStatus: +kind: Event +apiVersion: audit.k8s.io/v1 +level: Request +timestamp: "2024-02-29T22:50:00Z" +auditID: k5l6m7n8-o9p0-q1r2-s3t4-u5v6w7x8y9z0 +stage: ResponseComplete +requestURI: "/api/v1/namespaces/default/pods" +verb: "list" +user: + username: "system:serviceaccount:default:andromeda-service-account" +sourceIPs: ["10.244.2.4"] +annotations: + kubernetes.io/resource-enumeration: "Enumerated pods to discover resources and assess permissions available to the compromised account." +responseStatus: code: 200 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch.json b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch.json similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch.json rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch.json index d438bb8..997b571 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch.json +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch.json 
@@ -1,15 +1,15 @@ -{ - "timestamp": "2024-02-29T23:00:00Z", - "logStream": "AndromedaWebCluster/andromeda-web-app-container", - "message": "Detected unauthorized access to the Azure Instance Metadata Service from within 'andromeda-web-app-container'. Attempted retrieval of credentials and tokens for lateral movement or escalation.", - "kubernetes": { - "cluster": "AndromedaWebCluster", - "namespace": "default", - "pod": "andromeda-web-app-container" - }, - "security": { - "action": "MetadataServiceAccess", - "outcome": "Detected", - "indicator": "CredentialRetrievalAttempt" - } +{ + "timestamp": "2024-02-29T23:00:00Z", + "logStream": "AndromedaWebCluster/andromeda-web-app-container", + "message": "Detected unauthorized access to the Azure Instance Metadata Service from within 'andromeda-web-app-container'. Attempted retrieval of credentials and tokens for lateral movement or escalation.", + "kubernetes": { + "cluster": "AndromedaWebCluster", + "namespace": "default", + "pod": "andromeda-web-app-container" + }, + "security": { + "action": "MetadataServiceAccess", + "outcome": "Detected", + "indicator": "CredentialRetrievalAttempt" + } } \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch_CloudTrail.json b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch_CloudTrail.json similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch_CloudTrail.json rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch_CloudTrail.json index 2b236b0..4c95240 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch_CloudTrail.json +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/18_Cloud_Instance_Metadata_API_Misuse_CloudWatch_CloudTrail.json 
@@ -1,48 +1,48 @@ -{ - "eventVersion": "1.08", - "userIdentity": { - "type": "AssumedRole", - "principalId": "AWS:AROAXXXXXXXXXXXXX:andromeda-service-account", - "arn": "arn:aws:sts::123456789012:assumed-role/andromeda-service-account-role/i-0123456789abcdef0", - "accountId": "123456789012", - "accessKeyId": "ASIAxxxxxxxxxxxxxx", - "sessionContext": { - "sessionIssuer": { - "type": "Role", - "principalId": "AROAXXXXXXXXXXXXX", - "arn": "arn:aws:iam::123456789012:role/andromeda-service-account-role", - "accountId": "123456789012", - "userName": "andromeda-service-account-role" - }, - "webIdFederationData": {}, - "attributes": { - "mfaAuthenticated": "false", - "creationDate": "2024-02-29T23:00:00Z" - } - } - }, - "eventTime": "2024-02-29T23:05:00Z", - "eventSource": "sts.amazonaws.com", - "eventName": "AssumeRole", - "awsRegion": "us-east-1", - "sourceIPAddress": "10.244.2.4", - "userAgent": "aws-cli/1.18.69 Python/3.6.10", - "requestParameters": { - "roleArn": "arn:aws:iam::123456789012:role/andromeda-service-account-role", - "roleSessionName": "andromeda-web-app-container-session" - }, - "responseElements": { - "credentials": { - "accessKeyId": "ASIAxxxxxxxxxxxxxx", - "expiration": "2024-02-29T29:59:59Z", - "sessionToken": "FwoGZXIvYXdzEDMaDXXXXXXXXXXXXXX" - }, - "assumedRoleUser": { - "assumedRoleId": "AROAXXXXXXXXXXXXX:andromeda-web-app-container-session", - "arn": "arn:aws:sts::123456789012:assumed-role/andromeda-service-account-role/andromeda-web-app-container-session" - } - }, - "requestID": "6f8d2c1b-4c3d-4f5e-ba3d-c2d3e5f4g6h7", - "eventType": "AwsApiCall", - "recipientAccountId": "123456789012" +{ + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AWS:AROAXXXXXXXXXXXXX:andromeda-service-account", + "arn": "arn:aws:sts::123456789012:assumed-role/andromeda-service-account-role/i-0123456789abcdef0", + "accountId": "123456789012", + "accessKeyId": "ASIAxxxxxxxxxxxxxx", + "sessionContext": { + "sessionIssuer": { + "type": 
"Role", + "principalId": "AROAXXXXXXXXXXXXX", + "arn": "arn:aws:iam::123456789012:role/andromeda-service-account-role", + "accountId": "123456789012", + "userName": "andromeda-service-account-role" + }, + "webIdFederationData": {}, + "attributes": { + "mfaAuthenticated": "false", + "creationDate": "2024-02-29T23:00:00Z" + } + } + }, + "eventTime": "2024-02-29T23:05:00Z", + "eventSource": "sts.amazonaws.com", + "eventName": "AssumeRole", + "awsRegion": "us-east-1", + "sourceIPAddress": "10.244.2.4", + "userAgent": "aws-cli/1.18.69 Python/3.6.10", + "requestParameters": { + "roleArn": "arn:aws:iam::123456789012:role/andromeda-service-account-role", + "roleSessionName": "andromeda-web-app-container-session" + }, + "responseElements": { + "credentials": { + "accessKeyId": "ASIAxxxxxxxxxxxxxx", + "expiration": "2024-02-29T29:59:59Z", + "sessionToken": "FwoGZXIvYXdzEDMaDXXXXXXXXXXXXXX" + }, + "assumedRoleUser": { + "assumedRoleId": "AROAXXXXXXXXXXXXX:andromeda-web-app-container-session", + "arn": "arn:aws:sts::123456789012:assumed-role/andromeda-service-account-role/andromeda-web-app-container-session" + } + }, + "requestID": "6f8d2c1b-4c3d-4f5e-ba3d-c2d3e5f4g6h7", + "eventType": "AwsApiCall", + "recipientAccountId": "123456789012" } \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/19_Exploitation_for_Privilege_Escalation_CloudTrail.json b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/19_Exploitation_for_Privilege_Escalation_CloudTrail.json similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/19_Exploitation_for_Privilege_Escalation_CloudTrail.json rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/19_Exploitation_for_Privilege_Escalation_CloudTrail.json index a7ca9af..789ab02 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/19_Exploitation_for_Privilege_Escalation_CloudTrail.json +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/19_Exploitation_for_Privilege_Escalation_CloudTrail.json 
@@ -1,46 +1,46 @@ -{ - "eventVersion": "1.08", - "userIdentity": { - "type": "AssumedRole", - "principalId": "AWS:AROAXXXXXXXXXXXXX:compromised-service-account", - "arn": "arn:aws:iam::123456789012:role/eks-irsa-compromised-role", - "accountId": "123456789012", - "accessKeyId": "ASIAxxxxxxxxxxxxxx", - "sessionContext": { - "attributes": { - "mfaAuthenticated": "false", - "creationDate": "2024-02-29T23:35:00Z" - }, - "sessionIssuer": { - "userName": "eks-irsa-compromised-role", - "type": "Role", - "arn": "arn:aws:iam::123456789012:role/eks-irsa-compromised-role", - "accountId": "123456789012", - "principalId": "AROAXXXXXXXXXXXXX" - } - } - }, - "eventTime": "2024-02-29T23:35:00Z", - "eventSource": "sts.amazonaws.com", - "eventName": "AssumeRole", - "awsRegion": "us-east-1", - "sourceIPAddress": "10.244.3.4", - "userAgent": "aws-sdk-java/1.11.999 Linux/4.9.112-java", - "requestParameters": { - "roleArn": "arn:aws:iam::123456789012:role/eks-irsa-compromised-role", - "roleSessionName": "session123456789" - }, - "responseElements": { - "assumedRoleUser": { - "assumedRoleId": "AROAXXXXXXXXXXXXX:session123456789", - "arn": "arn:aws:sts::123456789012:assumed-role/eks-irsa-compromised-role/session123456789" - }, - "credentials": { - "accessKeyId": "ASIAxxxxxxxxxxxxxx", - "expiration": "2024-03-01T03:35:00Z", - "sessionToken": "FwoGZXIvYXdzEDMaDXXXXXXXXXXXXXX" - } - }, - "eventType": "AwsApiCall", - "recipientAccountId": "123456789012" +{ + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AWS:AROAXXXXXXXXXXXXX:compromised-service-account", + "arn": "arn:aws:iam::123456789012:role/eks-irsa-compromised-role", + "accountId": "123456789012", + "accessKeyId": "ASIAxxxxxxxxxxxxxx", + "sessionContext": { + "attributes": { + "mfaAuthenticated": "false", + "creationDate": "2024-02-29T23:35:00Z" + }, + "sessionIssuer": { + "userName": "eks-irsa-compromised-role", + "type": "Role", + "arn": 
"arn:aws:iam::123456789012:role/eks-irsa-compromised-role", + "accountId": "123456789012", + "principalId": "AROAXXXXXXXXXXXXX" + } + } + }, + "eventTime": "2024-02-29T23:35:00Z", + "eventSource": "sts.amazonaws.com", + "eventName": "AssumeRole", + "awsRegion": "us-east-1", + "sourceIPAddress": "10.244.3.4", + "userAgent": "aws-sdk-java/1.11.999 Linux/4.9.112-java", + "requestParameters": { + "roleArn": "arn:aws:iam::123456789012:role/eks-irsa-compromised-role", + "roleSessionName": "session123456789" + }, + "responseElements": { + "assumedRoleUser": { + "assumedRoleId": "AROAXXXXXXXXXXXXX:session123456789", + "arn": "arn:aws:sts::123456789012:assumed-role/eks-irsa-compromised-role/session123456789" + }, + "credentials": { + "accessKeyId": "ASIAxxxxxxxxxxxxxx", + "expiration": "2024-03-01T03:35:00Z", + "sessionToken": "FwoGZXIvYXdzEDMaDXXXXXXXXXXXXXX" + } + }, + "eventType": "AwsApiCall", + "recipientAccountId": "123456789012" } \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/19_Exploitation_for_Privilege_Escalation_K8.yaml b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/19_Exploitation_for_Privilege_Escalation_K8.yaml similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/19_Exploitation_for_Privilege_Escalation_K8.yaml rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/19_Exploitation_for_Privilege_Escalation_K8.yaml index d3648b9..bbdac77 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/19_Exploitation_for_Privilege_Escalation_K8.yaml +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/19_Exploitation_for_Privilege_Escalation_K8.yaml 
@@ -1,20 +1,20 @@ -kind: Event -apiVersion: audit.k8s.io/v1 -level: RequestResponse -timestamp: "2024-02-29T23:30:00Z" -auditID: f8g9h0i1-j2k3-l4m5-n6o7-p8q9r0s1t2u3 -stage: ResponseComplete -requestURI: "/apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings" -verb: "create" -user: - username: "system:serviceaccount:default:compromised-service-account" -sourceIPs: ["10.244.3.4"] -responseObject: - kind: RoleBinding - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: "escalated-access-binding" -annotations: - kubernetes.io/rbac-abuse: "Created a RoleBinding 'escalated-access-binding' to exploit trust relationships and escalate privileges within the EKS cluster." -responseStatus: +kind: Event +apiVersion: audit.k8s.io/v1 +level: RequestResponse +timestamp: "2024-02-29T23:30:00Z" +auditID: f8g9h0i1-j2k3-l4m5-n6o7-p8q9r0s1t2u3 +stage: ResponseComplete +requestURI: "/apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings" +verb: "create" +user: + username: "system:serviceaccount:default:compromised-service-account" +sourceIPs: ["10.244.3.4"] +responseObject: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + metadata: + name: "escalated-access-binding" +annotations: + kubernetes.io/rbac-abuse: "Created a RoleBinding 'escalated-access-binding' to exploit trust relationships and escalate privileges within the EKS cluster." +responseStatus: code: 201 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8.yaml b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8.yaml similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8.yaml rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8.yaml index 1b8e087..2fd6153 100644 
--- a/docs/TTX/Andromeda_Gales/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8.yaml +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8.yaml 
@@ -1,35 +1,35 @@ -{ - "eventVersion": "1.08", - "userIdentity": { - "type": "AssumedRole", - "principalId": "AWS:AROAXXXXXXXXXXXXX:compromised-service-account", - "arn": "arn:aws:sts::123456789012:assumed-role/compromised-service-account", - "accountId": "123456789012", - "accessKeyId": "ASIAxxxxxxxxxxxxxx", - "sessionContext": { - "attributes": { - "mfaAuthenticated": "false", - "creationDate": "2024-02-29T23:40:00Z" - }, - "sessionIssuer": { - "userName": "compromised-service-account", - "type": "Role", - "arn": "arn:aws:iam::123456789012:role/compromised-service-account", - "accountId": "123456789012", - "principalId": "AROAXXXXXXXXXXXXX" - } - } - }, - "eventTime": "2024-02-29T23:40:00Z", - "eventSource": "secretsmanager.amazonaws.com", - "eventName": "GetSecretValue", - "awsRegion": "us-east-1", - "sourceIPAddress": "10.244.3.4", - "userAgent": "aws-sdk-java/1.11.999 Linux/4.9.112-java", - "requestParameters": { - "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:compromised-db-credentials-abc123" - }, - "responseElements": null, - "eventType": "AwsApiCall", - "recipientAccountId": "123456789012" +{ + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AWS:AROAXXXXXXXXXXXXX:compromised-service-account", + "arn": "arn:aws:sts::123456789012:assumed-role/compromised-service-account", + "accountId": "123456789012", + "accessKeyId": "ASIAxxxxxxxxxxxxxx", + "sessionContext": { + "attributes": { + "mfaAuthenticated": "false", + "creationDate": "2024-02-29T23:40:00Z" + }, + "sessionIssuer": { + "userName": "compromised-service-account", + "type": "Role", + "arn": "arn:aws:iam::123456789012:role/compromised-service-account", + "accountId": "123456789012", + "principalId": "AROAXXXXXXXXXXXXX" + } + } + }, + "eventTime": "2024-02-29T23:40:00Z", + "eventSource": "secretsmanager.amazonaws.com", + "eventName": "GetSecretValue", + "awsRegion": "us-east-1", + "sourceIPAddress": "10.244.3.4", + "userAgent": 
"aws-sdk-java/1.11.999 Linux/4.9.112-java", + "requestParameters": { + "secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:compromised-db-credentials-abc123" + }, + "responseElements": null, + "eventType": "AwsApiCall", + "recipientAccountId": "123456789012" } \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8_ConfMap.yaml b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8_ConfMap.yaml similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8_ConfMap.yaml rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8_ConfMap.yaml index cd814be..1538a68 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8_ConfMap.yaml +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/20_Extracting_Credentials_and_Privilege_Escalation_K8_ConfMap.yaml 
@@ -1,18 +1,18 @@ -kind: Event -apiVersion: audit.k8s.io/v1 -level: RequestResponse -timestamp: "2024-02-29T23:45:00Z" -auditID: v3w4x5y6-z7a8-b9c0-d1e2-f3g4h5i6j7k8 -stage: ResponseComplete -requestURI: "/api/v1/namespaces/default/configmaps" -verb: "list" -user: - username: "system:serviceaccount:default:compromised-service-account" -sourceIPs: ["10.244.3.4"] -responseObject: - kind: ConfigMapList - apiVersion: v1 -annotations: - kubernetes.io/configmap-access: "Enumerated ConfigMaps in the default namespace to extract stored credentials and configuration details." -responseStatus: +kind: Event +apiVersion: audit.k8s.io/v1 +level: RequestResponse +timestamp: "2024-02-29T23:45:00Z" +auditID: v3w4x5y6-z7a8-b9c0-d1e2-f3g4h5i6j7k8 +stage: ResponseComplete +requestURI: "/api/v1/namespaces/default/configmaps" +verb: "list" +user: + username: "system:serviceaccount:default:compromised-service-account" +sourceIPs: ["10.244.3.4"] +responseObject: + kind: ConfigMapList + apiVersion: v1 +annotations: + kubernetes.io/configmap-access: "Enumerated ConfigMaps in the default namespace to extract stored credentials and configuration details." +responseStatus: code: 200 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8.yaml b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8.yaml similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8.yaml rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8.yaml index e4e155f..521a771 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8.yaml +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8.yaml 
@@ -1,20 +1,20 @@ -kind: Event -apiVersion: audit.k8s.io/v1 -level: RequestResponse -timestamp: "2024-03-01T00:10:00Z" -auditID: y7z8a9b0-c1d2-e3f4-g5h6-i7j8k9l0m1n2 -stage: ResponseComplete -requestURI: "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings" -verb: "create" -user: - username: "system:serviceaccount:linked:compromised-service-account" -sourceIPs: ["10.244.4.5"] -responseObject: - kind: ClusterRoleBinding - apiVersion: rbac.authorization.k8s.io/v1 - metadata: - name: "cross-environment-access-binding" -annotations: - kubernetes.io/pass-the-role: "Created a ClusterRoleBinding 'cross-environment-access-binding' using a compromised role to assume additional roles within the EKS cluster." -responseStatus: +kind: Event +apiVersion: audit.k8s.io/v1 +level: RequestResponse +timestamp: "2024-03-01T00:10:00Z" +auditID: y7z8a9b0-c1d2-e3f4-g5h6-i7j8k9l0m1n2 +stage: ResponseComplete +requestURI: "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings" +verb: "create" +user: + username: "system:serviceaccount:linked:compromised-service-account" +sourceIPs: ["10.244.4.5"] +responseObject: + kind: ClusterRoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + metadata: + name: "cross-environment-access-binding" +annotations: + kubernetes.io/pass-the-role: "Created a ClusterRoleBinding 'cross-environment-access-binding' using a compromised role to assume additional roles within the EKS cluster." +responseStatus: code: 201 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8_CloudTrail.json b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8_CloudTrail.json similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8_CloudTrail.json rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8_CloudTrail.json index b8fbd15..47ac70c 100644 
--- a/docs/TTX/Andromeda_Gales/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8_CloudTrail.json +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/21_Lateral_Movement_via_Compromised_Roles_K8_CloudTrail.json 
@@ -1,46 +1,46 @@ -{ - "eventVersion": "1.08", - "userIdentity": { - "type": "AssumedRole", - "principalId": "AWS:AROAXXXXXXXXXXXXX:compromised-linked-account-role", - "arn": "arn:aws:sts::987654321098:assumed-role/compromised-linked-account-role/role-session123", - "accountId": "987654321098", - "accessKeyId": "ASIAxxxxxxxxxxxxxx", - "sessionContext": { - "attributes": { - "mfaAuthenticated": "false", - "creationDate": "2024-03-01T00:15:00Z" - }, - "sessionIssuer": { - "userName": "compromised-linked-account-role", - "type": "Role", - "arn": "arn:aws:iam::987654321098:role/compromised-linked-account-role", - "accountId": "123456789012", - "principalId": "AROAXXXXXXXXXXXXX" - } - } - }, - "eventTime": "2024-03-01T00:15:00Z", - "eventSource": "sts.amazonaws.com", - "eventName": "AssumeRole", - "awsRegion": "us-east-1", - "sourceIPAddress": "10.244.4.5", - "userAgent": "aws-sdk-java/1.11.999 Linux/4.9.112-java", - "requestParameters": { - "roleArn": "arn:aws:iam::987654321098:role/cross-account-access-role", - "roleSessionName": "cross-account-session" - }, - "responseElements": { - "assumedRoleUser": { - "assumedRoleId": "AROAXXXXXXXXXXXXX:cross-account-session", - "arn": "arn:aws:sts::987654321098:assumed-role/cross-account-access-role/cross-account-session" - }, - "credentials": { - "accessKeyId": "ASIAxxxxxxxxxxxxxx", - "expiration": "2024-03-01T04:15:00Z", - "sessionToken": "FwoGZXIvYXdzEDMaDXXXXXXXXXXXXXX" - } - }, - "eventType": "AwsApiCall", - "recipientAccountId": "987654321098" +{ + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AWS:AROAXXXXXXXXXXXXX:compromised-linked-account-role", + "arn": "arn:aws:sts::987654321098:assumed-role/compromised-linked-account-role/role-session123", + "accountId": "987654321098", + "accessKeyId": "ASIAxxxxxxxxxxxxxx", + "sessionContext": { + "attributes": { + "mfaAuthenticated": "false", + "creationDate": "2024-03-01T00:15:00Z" + }, + "sessionIssuer": { + "userName": 
"compromised-linked-account-role", + "type": "Role", + "arn": "arn:aws:iam::987654321098:role/compromised-linked-account-role", + "accountId": "123456789012", + "principalId": "AROAXXXXXXXXXXXXX" + } + } + }, + "eventTime": "2024-03-01T00:15:00Z", + "eventSource": "sts.amazonaws.com", + "eventName": "AssumeRole", + "awsRegion": "us-east-1", + "sourceIPAddress": "10.244.4.5", + "userAgent": "aws-sdk-java/1.11.999 Linux/4.9.112-java", + "requestParameters": { + "roleArn": "arn:aws:iam::987654321098:role/cross-account-access-role", + "roleSessionName": "cross-account-session" + }, + "responseElements": { + "assumedRoleUser": { + "assumedRoleId": "AROAXXXXXXXXXXXXX:cross-account-session", + "arn": "arn:aws:sts::987654321098:assumed-role/cross-account-access-role/cross-account-session" + }, + "credentials": { + "accessKeyId": "ASIAxxxxxxxxxxxxxx", + "expiration": "2024-03-01T04:15:00Z", + "sessionToken": "FwoGZXIvYXdzEDMaDXXXXXXXXXXXXXX" + } + }, + "eventType": "AwsApiCall", + "recipientAccountId": "987654321098" } \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/22_Data_Collection_from_Information_Repositories_CloudTrail.json b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/22_Data_Collection_from_Information_Repositories_CloudTrail.json similarity index 96% rename from docs/TTX/Andromeda_Gales/Event_Logs/22_Data_Collection_from_Information_Repositories_CloudTrail.json rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/22_Data_Collection_from_Information_Repositories_CloudTrail.json index 5b8c690..56bd02f 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/22_Data_Collection_from_Information_Repositories_CloudTrail.json +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/22_Data_Collection_from_Information_Repositories_CloudTrail.json 
@@ -1,20 +1,20 @@ -{ - "eventVersion": "1.08", - "userIdentity": { - "type": "AssumedRole", - "principalId": "AWS:AROAXXXXXXXXXXXXX:exfiltration-role", - "arn": "arn:aws:sts::123456789012:assumed-role/exfiltration-role/exfiltration-session", - "accountId": "123456789012" - }, - "eventTime": "2024-03-01T01:00:00Z", - "eventSource": "s3.amazonaws.com", - "eventName": "ListObjects", - "awsRegion": "us-east-1", - "sourceIPAddress": "10.244.4.6", - "requestParameters": { - "bucketName": "sensitive-data-bucket" - }, - "responseElements": null, - "eventType": "AwsApiCall", - "recipientAccountId": "123456789012" +{ + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AWS:AROAXXXXXXXXXXXXX:exfiltration-role", + "arn": "arn:aws:sts::123456789012:assumed-role/exfiltration-role/exfiltration-session", + "accountId": "123456789012" + }, + "eventTime": "2024-03-01T01:00:00Z", + "eventSource": "s3.amazonaws.com", + "eventName": "ListObjects", + "awsRegion": "us-east-1", + "sourceIPAddress": "10.244.4.6", + "requestParameters": { + "bucketName": "sensitive-data-bucket" + }, + "responseElements": null, + "eventType": "AwsApiCall", + "recipientAccountId": "123456789012" } \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/23_Snapshot_for_Exfiltration_CloudTrail.json b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/23_Snapshot_for_Exfiltration_CloudTrail.json similarity index 96% rename from docs/TTX/Andromeda_Gales/Event_Logs/23_Snapshot_for_Exfiltration_CloudTrail.json rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/23_Snapshot_for_Exfiltration_CloudTrail.json index 82442a1..c6f648e 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/23_Snapshot_for_Exfiltration_CloudTrail.json +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/23_Snapshot_for_Exfiltration_CloudTrail.json 
@@ -1,23 +1,23 @@ -{ - "eventVersion": "1.08", - "userIdentity": { - "type": "AssumedRole", - "principalId": "AWS:AROAXXXXXXXXXXXXX:exfiltration-role", - "arn": "arn:aws:sts::123456789012:assumed-role/exfiltration-role/exfiltration-session", - "accountId": "123456789012" - }, - "eventTime": "2024-03-01T01:10:00Z", - "eventSource": "ec2.amazonaws.com", - "eventName": "CreateSnapshot", - "awsRegion": "us-east-1", - "sourceIPAddress": "10.244.4.6", - "requestParameters": { - "volumeId": "vol-0abcd1234efgh5678", - "description": "Data exfiltration snapshot" - }, - "responseElements": { - "snapshotId": "snap-0abcd1234efgh5678" - }, - "eventType": "AwsApiCall", - "recipientAccountId": "123456789012" +{ + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AWS:AROAXXXXXXXXXXXXX:exfiltration-role", + "arn": "arn:aws:sts::123456789012:assumed-role/exfiltration-role/exfiltration-session", + "accountId": "123456789012" + }, + "eventTime": "2024-03-01T01:10:00Z", + "eventSource": "ec2.amazonaws.com", + "eventName": "CreateSnapshot", + "awsRegion": "us-east-1", + "sourceIPAddress": "10.244.4.6", + "requestParameters": { + "volumeId": "vol-0abcd1234efgh5678", + "description": "Data exfiltration snapshot" + }, + "responseElements": { + "snapshotId": "snap-0abcd1234efgh5678" + }, + "eventType": "AwsApiCall", + "recipientAccountId": "123456789012" } \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/7_Discovery_Check_Against_Security_Software_K8.yaml b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/7_Discovery_Check_Against_Security_Software_K8.yaml similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/7_Discovery_Check_Against_Security_Software_K8.yaml rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/7_Discovery_Check_Against_Security_Software_K8.yaml index 5e59f82..d709311 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/7_Discovery_Check_Against_Security_Software_K8.yaml 
+++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/7_Discovery_Check_Against_Security_Software_K8.yaml @@ -1,15 +1,15 @@ -kind: Event -apiVersion: audit.k8s.io/v1 -level: Metadata -timestamp: "2024-02-29T21:10:00Z" -auditID: a3b4c5d6-e7f8-g9h0-i1j2-k3l4m5n6o7p8 -stage: ResponseComplete -requestURI: "/api/v1/namespaces/default/pods/andromeda-web-app-container/logs" -verb: "get" -user: - username: "system:serviceaccount:default:andromeda-service-account" -sourceIPs: ["10.244.1.2"] -annotations: - kubernetes.io/discovery-check: "Security software enumeration attempt detected" -responseStatus: +kind: Event +apiVersion: audit.k8s.io/v1 +level: Metadata +timestamp: "2024-02-29T21:10:00Z" +auditID: a3b4c5d6-e7f8-g9h0-i1j2-k3l4m5n6o7p8 +stage: ResponseComplete +requestURI: "/api/v1/namespaces/default/pods/andromeda-web-app-container/logs" +verb: "get" +user: + username: "system:serviceaccount:default:andromeda-service-account" +sourceIPs: ["10.244.1.2"] +annotations: + kubernetes.io/discovery-check: "Security software enumeration attempt detected" +responseStatus: code: 200 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/8_Env_Keying_K8.yaml b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/8_Env_Keying_K8.yaml similarity index 97% rename from docs/TTX/Andromeda_Gales/Event_Logs/8_Env_Keying_K8.yaml rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/8_Env_Keying_K8.yaml index f6efae8..3913661 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/8_Env_Keying_K8.yaml +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/8_Env_Keying_K8.yaml 
@@ -1,15 +1,15 @@ -kind: Event -apiVersion: audit.k8s.io/v1 -level: Request -timestamp: "2024-02-29T21:15:00Z" -auditID: b4c5d6e7-f8g9-h0i1-j2k3-l4m5n6o7p8q9 -stage: ResponseComplete -requestURI: "/api/v1/namespaces/default/pods/andromeda-web-app-container/exec" -verb: "create" -user: - username: "system:serviceaccount:default:andromeda-service-account" -sourceIPs: ["10.244.1.3"] -annotations: - kubernetes.io/environment-keying: "Executed command for environment reconnaissance" -responseStatus: +kind: Event +apiVersion: audit.k8s.io/v1 +level: Request +timestamp: "2024-02-29T21:15:00Z" +auditID: b4c5d6e7-f8g9-h0i1-j2k3-l4m5n6o7p8q9 +stage: ResponseComplete +requestURI: "/api/v1/namespaces/default/pods/andromeda-web-app-container/exec" +verb: "create" +user: + username: "system:serviceaccount:default:andromeda-service-account" +sourceIPs: ["10.244.1.3"] +annotations: + kubernetes.io/environment-keying: "Executed command for environment reconnaissance" +responseStatus: code: 200 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/9_Persistence_Jobs_K8.yaml b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/9_Persistence_Jobs_K8.yaml similarity index 96% rename from docs/TTX/Andromeda_Gales/Event_Logs/9_Persistence_Jobs_K8.yaml rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/9_Persistence_Jobs_K8.yaml index ed65161..6fdbbc0 100644 --- a/docs/TTX/Andromeda_Gales/Event_Logs/9_Persistence_Jobs_K8.yaml +++ b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/9_Persistence_Jobs_K8.yaml 
@@ -1,20 +1,20 @@ -kind: Event -apiVersion: audit.k8s.io/v1 -level: RequestResponse -timestamp: "2024-02-29T21:20:00Z" -auditID: c5d6e7f8-g9h0-i1j2-k3l4-m5n6o7p8q9r0 -stage: ResponseComplete -requestURI: "/apis/batch/v1/namespaces/default/jobs" -verb: "create" -user: - username: "system:serviceaccount:default:andromeda-service-account" -sourceIPs: ["10.244.1.4"] -responseObject: - kind: Job - apiVersion: batch/v1 - metadata: - name: "persistence-job-andromeda" -annotations: - kubernetes.io/persistence-mechanism: "Created job for persistence mechanism establishment" -responseStatus: +kind: Event +apiVersion: audit.k8s.io/v1 +level: RequestResponse +timestamp: "2024-02-29T21:20:00Z" +auditID: c5d6e7f8-g9h0-i1j2-k3l4-m5n6o7p8q9r0 +stage: ResponseComplete +requestURI: "/apis/batch/v1/namespaces/default/jobs" +verb: "create" +user: + username: "system:serviceaccount:default:andromeda-service-account" +sourceIPs: ["10.244.1.4"] +responseObject: + kind: Job + apiVersion: batch/v1 + metadata: + name: "persistence-job-andromeda" +annotations: + kubernetes.io/persistence-mechanism: "Created job for persistence mechanism establishment" +responseStatus: code: 201 \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Event_Logs/readme.md b/docs/TTX/SOSS Community Day NA 2024/Event_Logs/readme.md similarity index 100% rename from docs/TTX/Andromeda_Gales/Event_Logs/readme.md rename to docs/TTX/SOSS Community Day NA 2024/Event_Logs/readme.md diff --git a/docs/TTX/Andromeda_Gales/Andromeda_Gales_Final.afb b/docs/TTX/SOSS Community Day NA 2024/SOSS_Community_Day_NA_2024_AttackFlow.afb similarity index 100% rename from docs/TTX/Andromeda_Gales/Andromeda_Gales_Final.afb rename to docs/TTX/SOSS Community Day NA 2024/SOSS_Community_Day_NA_2024_AttackFlow.afb 
diff --git a/docs/TTX/Andromeda_Gales/Andromeda_Gales.md b/docs/TTX/SOSS Community Day NA 2024/SOSS_Community_Day_NA_2024_Scenario.md similarity index 92% rename from docs/TTX/Andromeda_Gales/Andromeda_Gales.md rename to docs/TTX/SOSS Community Day NA 2024/SOSS_Community_Day_NA_2024_Scenario.md index 06e1be0..6e9078c 100644 --- a/docs/TTX/Andromeda_Gales/Andromeda_Gales.md +++ b/docs/TTX/SOSS Community Day NA 2024/SOSS_Community_Day_NA_2024_Scenario.md 
@@ -1,20 +1,20 @@ -# Scenario Descripton -## Andromeda Gales -As part of the OpenSSF incident response scenario an open source product has unknowingly been compromised. A malicious payload has been merged into the underlying container image / test suite, infecting a multitude of public and private organisations on update. - -The infected software provides integration with numerous CI/CD build pipelines, managing the repeatable build stages for an organisation's software. The malicious payload has been designed to exfiltrate sensitive data from the target deployment and send it to a remote server. The payload is also capable of executing arbitrary code on the host system, via an implanted backdoor, potentially leading to further compromise. - -The incident response team has been tasked with identifying the malicious payload, understanding the extent of the compromise, and providing guidance on remediation steps to affected organisations. The team must also provide guidance on how to prevent similar incidents in the future. The team has access to the following resources: - -- A copy of the infected container image -- A list of affected organisations -- A copy of the malicious payload -- A list of build pipeline integrations -- A list of potential indicators of compromise (IOCs) -- A list of potential attack vectors -- A list of potential remediation steps -- A list of potential preventative measures - -The team is expected to provide a detailed incident report outlining the steps taken to identify and contain the incident, the impact of the compromise, and the recommended remediation and preventative measures. The incident report should also include a timeline of events and any lessons learned from the incident response process. 
- -The correlating security and incident events and alerts have been captured in the /Event_Logs directory within this repository for technical visibility into stages of the attack flow (provided as Andromeda_Gales_Final.afb) to be used with https://center-for-threat-informed-defense.github.io/attack-flow/ui/ \ No newline at end of file +# Scenario Descripton +## SOSS Community Day NA 2024 +As part of the OpenSSF incident response scenario an open source product has unknowingly been compromised. A malicious payload has been merged into the underlying container image / test suite, infecting a multitude of public and private organisations on update. + +The infected software provides integration with numerous CI/CD build pipelines, managing the repeatable build stages for an organisation's software. The malicious payload has been designed to exfiltrate sensitive data from the target deployment and send it to a remote server. The payload is also capable of executing arbitrary code on the host system, via an implanted backdoor, potentially leading to further compromise. + +The incident response team has been tasked with identifying the malicious payload, understanding the extent of the compromise, and providing guidance on remediation steps to affected organisations. The team must also provide guidance on how to prevent similar incidents in the future. The team has access to the following resources: + +- A copy of the infected container image +- A list of affected organisations +- A copy of the malicious payload +- A list of build pipeline integrations +- A list of potential indicators of compromise (IOCs) +- A list of potential attack vectors +- A list of potential remediation steps +- A list of potential preventative measures + +The team is expected to provide a detailed incident report outlining the steps taken to identify and contain the incident, the impact of the compromise, and the recommended remediation and preventative measures. 
The incident report should also include a timeline of events and any lessons learned from the incident response process. + +The correlating security and incident events and alerts have been captured in the /Event_Logs directory within this repository for technical visibility into stages of the attack flow (provided as SOSS_Community_Day_NA_2024_AttackFlow.afb) to be used with https://center-for-threat-informed-defense.github.io/attack-flow/ui/ \ No newline at end of file diff --git a/docs/TTX/Andromeda_Gales/Andromeda_Template.md b/docs/TTX/SOSS Community Day NA 2024/SOSS_Community_Day_NA_2024_Template.md similarity index 98% rename from docs/TTX/Andromeda_Gales/Andromeda_Template.md rename to docs/TTX/SOSS Community Day NA 2024/SOSS_Community_Day_NA_2024_Template.md index 47d6383..685a281 100644 --- a/docs/TTX/Andromeda_Gales/Andromeda_Template.md +++ b/docs/TTX/SOSS Community Day NA 2024/SOSS_Community_Day_NA_2024_Template.md 
@@ -1,187 +1,187 @@ -# Panelists & Contributors - -## Panelists - -- **Panelist 1** - - Role: Maintainer - -- **Panelist 2** - - Role: Maintainer - -- **Panelist 3** - - Role: Maintainer - -- **Panelist 4** - - Role: Maintainer - -- **Panelist 5** - - Role: Maintainer - -- **Panelist 6** - - Role: Repo package registry - -- **Panelist 7** - - Role: SOC/IRT - -- **Panelist 8** - - Role: End user - -- **Panelist 9** - - Role: End user - -- **Panelist 10** - - Role: End user - -- **Panelist 11** - - Role: End user - -- **Panelist 12** - - Role: End user - -## Contributors - -- **Contributor 1** - - Role: Maintainer - -- **Contributor 2** - - Role: Maintainer - -- **Contributor 3** - - Role: End user - -- **Contributor 4** - - Role: End user - -- **Contributor 5** - - Role: Public sector - -- **Contributor 6** - - Role: Public sector - -# Desired Outcomes - -1. Provide a TTX template/formula for maintainers, contributors, and open source consumers to adopt and customize to start running their own TTX and improve their incident response and overall security posture. -2. Provide education for developers who are learning security. -3. Demonstrate how current OpenSSF technologies may be helpful during a security incident. - -- **Welcome background description and desired outcomes for the TTX** - -## Breakthrough 1: Initial Incident - -A large mature organization has disclosed a cybersecurity incident as encouraged by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The details are initially sparse, but the known facts are: - -- A security analyst has identified anomalous egress connections from their Cloud estate. -- The connections originated from workloads running on their Kubernetes cluster. -- These workloads run a business application with access to confidential data. -- Cluster logs show workloads running some commands against the cluster API, harvesting runtime environmental information. 
-- The workloads have recently been updated as part of routine patching/updates, coinciding with the timing of some suspicious alerts generated. -- The Incident Response Team (IRT) is still investigating ongoing threads. - -### Questions - -1. What are the typical steps an organization may take on initial security alert disclosure when initiating a Cyber Incident Response process? -2. After initial cyber incident response processes have been carried out and the org has moved into in-depth investigation, what steps are typical at this stage of the IR process? - -## Breakthrough 2: Scenario Evolution - -As the investigation progresses, more details come to light: - -- From the CI/CD build account, the Incident Response Team (IRT) has traced the event back to a specific pipeline execution. -- The pipeline includes several steps where external images are pulled from a public repository. -- A specific container image pulled consists of a widely used open source application. -- IRT obtains a copy of the image for further investigation but finds no signs of image tampering. -- Enhanced monitoring was put in place on the suspicious workloads. -- Signs of a possible Remote Code Execution (RCE) are detected, but the Vulnerability Management team reports no known CVEs affecting the open source application. -- Everything points to a 0-day vulnerability affecting one or more applications components with an active exploitation campaign ongoing. - -### Questions - -1. In light of the latest investigation progress after inconclusive findings, the team have decided to focus some effort on the internal repository (e.g., GitLab self-hosted) and the CI/CD pipeline. What kind of actions should they be looking to carry out at this point and with what goals in mind? -2. 
With the ongoing security incident and deep investigation, could you give some insight into how keeping a detailed inventory of both software and hardware, including open source software and dependencies, can be influential to incident response? -3. Additionally, could you explain the concept and significance of a Software Bill of Materials (SBOM) in managing open source security and share how SBOMs can be instrumental in streamlining the investigation process particularly in identifying compromised components and mapping out dependencies for a more efficient incident response? - -## Breakthrough 3: Scenario Evolution - -The scenario further evolves: - -- Internal investigations have concluded and found that the exploit has spread across various resources, necessitating disclosure of the vulnerability. -- The 0-day vulnerability is confirmed with exploitation replicated. -- Open Source maintainers have been contacted through their vulnerability disclosure process to work on a fix. -- Considering the active malicious campaign, the degree of urgency is communicated. -- Threat intelligence organizations provide data on the active campaign: - - Malicious destination domains and IPs - - Malicious binary hashes - - Malicious process names - - Malicious exploitation strings - -### Questions - -1. With the recent information provided by the IRT (Incident Response Team), the scenario has grown to include open source maintainers at this stage; they're required to begin their vulnerability disclosure process. How does this typically work? -2. In today's world, maintaining reputation across platforms is paramount. How can organizations and maintainers alike manage social media scrutiny and pressure, especially in 'crisis' events such as highly visible exploits targeting specific projects? -3. How can you aim to protect the people working under pressure and stress throughout these events? 
- -## Breakthrough 4: Scenario Evolution - -The scenario evolves: - -- The maintainers have successfully produced and tested a fix. -- The fix was incorporated into a new release of the application and made available to the general public. -- Indicators of Compromise are available to aid detections. -- The CVE now has a remediation/fix with a 9.5 score made available to the general public. - -### Questions - -1. In light of the recent successful development and release of a patch for a high-severity vulnerability, could you elaborate on best practices for coordinating efforts of maintainers and open source project teams to ensure the fix's security and authenticity, preventing it from becoming a secondary attack vector? -2. Additionally, how can you collaborate with larger organizations or the initial disclosing entity to validate and publicize the remedy? - -3. Considering the recent CVE announcement, could you walk us through the process your organization employs to create a comprehensive and timely response to customers? -4. Specifically, how do you integrate communication, patch management, and incident response strategies to address vulnerabilities and maintain trust in a cloud-native platform? - -5. When looking at enhancing security within open source projects, how does a collaborative project like GUAC contribute to this goal? -6. How do projects like GUAC integrate with existing security practices to comprehensively secure open source software, and what unique advantages does GUAC provide in the broader context of open source security management? - -7. In light of our ongoing discussion and the scenario we've navigated, how can the OSV database and scanner be strategically used to support the identification, tracking, and resolution of vulnerabilities such as the one we've encountered? -8. Could you share insights or experiences on how these tools have facilitated a more streamlined and effective response to vulnerabilities in past incidents? 
- -## Breakthrough 5: Postmortem / Open Discussion - -### Reflections on the Scenario - -### Questions - -1. What is CISA’s role in OSS security? -2. A number of sectors have an inherent distrust in open source due to a number of factors including time to remediation, SLAs, enterprise-level support, and its 'open' nature. How do you think this could be tackled, and are there any initiatives that could support this? - -### End User(s) Discussion - -#### Forum Discussion Style Topic: 10-15 Minutes - -"Leveraging Corporate Resources for Open Source Security" -- A conversation about how large organizations who have fully established policies, processes, and resources in place to respond to such incidents, invest and establish mutual beneficiary outcomes with open source maintainers and projects, potentially creating a framework for mutual support. - -"Collaborative Incident Response: Bridging the Gap between Large Organizations and Open Source Projects" -- This discussion topic aims to explore how large organizations could potentially extend their incident response capabilities to support open source projects during security incidents. -- It will focus on sharing actionable insights, resources, and best practices to enhance the resilience of open source software against emerging threats, emphasizing collaborative efforts, shared responsibility, and the alignment of incident response strategies for the collective benefit of the digital ecosystem. - -#### Forum Discussion Style Topic: 10-15 Minutes - -"Fostering Trust and Transparency: The Art of Communicating with Security Issue Reporters" -- Discuss the importance of open lines of communication between project maintainers and Security issue reporters for enhancing project security and community trust. 
- -### Lesson Learnt, Final Observations - -### Closing Remarks - -### Q&A - -# Acknowledgments - -We thank all the panelists, contributors, and attendees for their active participation and valuable contributions to the success of this event. Special thanks to the organizing team for their efforts in coordinating and facilitating the session. - -# About This Document - -This document was created to provide a structured overview of the tabletop exercise (TTX) and to serve as a reference for future similar events. - -# Contact Information - +# Panelists & Contributors + +## Panelists + +- **Panelist 1** + - Role: Maintainer + +- **Panelist 2** + - Role: Maintainer + +- **Panelist 3** + - Role: Maintainer + +- **Panelist 4** + - Role: Maintainer + +- **Panelist 5** + - Role: Maintainer + +- **Panelist 6** + - Role: Repo package registry + +- **Panelist 7** + - Role: SOC/IRT + +- **Panelist 8** + - Role: End user + +- **Panelist 9** + - Role: End user + +- **Panelist 10** + - Role: End user + +- **Panelist 11** + - Role: End user + +- **Panelist 12** + - Role: End user + +## Contributors + +- **Contributor 1** + - Role: Maintainer + +- **Contributor 2** + - Role: Maintainer + +- **Contributor 3** + - Role: End user + +- **Contributor 4** + - Role: End user + +- **Contributor 5** + - Role: Public sector + +- **Contributor 6** + - Role: Public sector + +# Desired Outcomes + +1. Provide a TTX template/formula for maintainers, contributors, and open source consumers to adopt and customize to start running their own TTX and improve their incident response and overall security posture. +2. Provide education for developers who are learning security. +3. Demonstrate how current OpenSSF technologies may be helpful during a security incident. 
+ +- **Welcome background description and desired outcomes for the TTX** + +## Breakthrough 1: Initial Incident + +A large mature organization has disclosed a cybersecurity incident as encouraged by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The details are initially sparse, but the known facts are: + +- A security analyst has identified anomalous egress connections from their Cloud estate. +- The connections originated from workloads running on their Kubernetes cluster. +- These workloads run a business application with access to confidential data. +- Cluster logs show workloads running some commands against the cluster API, harvesting runtime environmental information. +- The workloads have recently been updated as part of routine patching/updates, coinciding with the timing of some suspicious alerts generated. +- The Incident Response Team (IRT) is still investigating ongoing threads. + +### Questions + +1. What are the typical steps an organization may take on initial security alert disclosure when initiating a Cyber Incident Response process? +2. After initial cyber incident response processes have been carried out and the org has moved into in-depth investigation, what steps are typical at this stage of the IR process? + +## Breakthrough 2: Scenario Evolution + +As the investigation progresses, more details come to light: + +- From the CI/CD build account, the Incident Response Team (IRT) has traced the event back to a specific pipeline execution. +- The pipeline includes several steps where external images are pulled from a public repository. +- A specific container image pulled consists of a widely used open source application. +- IRT obtains a copy of the image for further investigation but finds no signs of image tampering. +- Enhanced monitoring was put in place on the suspicious workloads. 
+- Signs of a possible Remote Code Execution (RCE) are detected, but the Vulnerability Management team reports no known CVEs affecting the open source application. +- Everything points to a 0-day vulnerability affecting one or more applications components with an active exploitation campaign ongoing. + +### Questions + +1. In light of the latest investigation progress after inconclusive findings, the team have decided to focus some effort on the internal repository (e.g., GitLab self-hosted) and the CI/CD pipeline. What kind of actions should they be looking to carry out at this point and with what goals in mind? +2. With the ongoing security incident and deep investigation, could you give some insight into how keeping a detailed inventory of both software and hardware, including open source software and dependencies, can be influential to incident response? +3. Additionally, could you explain the concept and significance of a Software Bill of Materials (SBOM) in managing open source security and share how SBOMs can be instrumental in streamlining the investigation process particularly in identifying compromised components and mapping out dependencies for a more efficient incident response? + +## Breakthrough 3: Scenario Evolution + +The scenario further evolves: + +- Internal investigations have concluded and found that the exploit has spread across various resources, necessitating disclosure of the vulnerability. +- The 0-day vulnerability is confirmed with exploitation replicated. +- Open Source maintainers have been contacted through their vulnerability disclosure process to work on a fix. +- Considering the active malicious campaign, the degree of urgency is communicated. +- Threat intelligence organizations provide data on the active campaign: + - Malicious destination domains and IPs + - Malicious binary hashes + - Malicious process names + - Malicious exploitation strings + +### Questions + +1. 
With the recent information provided by the IRT (Incident Response Team), the scenario has grown to include open source maintainers at this stage; they're required to begin their vulnerability disclosure process. How does this typically work? +2. In today's world, maintaining reputation across platforms is paramount. How can organizations and maintainers alike manage social media scrutiny and pressure, especially in 'crisis' events such as highly visible exploits targeting specific projects? +3. How can you aim to protect the people working under pressure and stress throughout these events? + +## Breakthrough 4: Scenario Evolution + +The scenario evolves: + +- The maintainers have successfully produced and tested a fix. +- The fix was incorporated into a new release of the application and made available to the general public. +- Indicators of Compromise are available to aid detections. +- The CVE now has a remediation/fix with a 9.5 score made available to the general public. + +### Questions + +1. In light of the recent successful development and release of a patch for a high-severity vulnerability, could you elaborate on best practices for coordinating efforts of maintainers and open source project teams to ensure the fix's security and authenticity, preventing it from becoming a secondary attack vector? +2. Additionally, how can you collaborate with larger organizations or the initial disclosing entity to validate and publicize the remedy? + +3. Considering the recent CVE announcement, could you walk us through the process your organization employs to create a comprehensive and timely response to customers? +4. Specifically, how do you integrate communication, patch management, and incident response strategies to address vulnerabilities and maintain trust in a cloud-native platform? + +5. When looking at enhancing security within open source projects, how does a collaborative project like GUAC contribute to this goal? +6. 
How do projects like GUAC integrate with existing security practices to comprehensively secure open source software, and what unique advantages does GUAC provide in the broader context of open source security management? + +7. In light of our ongoing discussion and the scenario we've navigated, how can the OSV database and scanner be strategically used to support the identification, tracking, and resolution of vulnerabilities such as the one we've encountered? +8. Could you share insights or experiences on how these tools have facilitated a more streamlined and effective response to vulnerabilities in past incidents? + +## Breakthrough 5: Postmortem / Open Discussion + +### Reflections on the Scenario + +### Questions + +1. What is CISA’s role in OSS security? +2. A number of sectors have an inherent distrust in open source due to a number of factors including time to remediation, SLAs, enterprise-level support, and its 'open' nature. How do you think this could be tackled, and are there any initiatives that could support this? + +### End User(s) Discussion + +#### Forum Discussion Style Topic: 10-15 Minutes + +"Leveraging Corporate Resources for Open Source Security" +- A conversation about how large organizations who have fully established policies, processes, and resources in place to respond to such incidents, invest and establish mutual beneficiary outcomes with open source maintainers and projects, potentially creating a framework for mutual support. + +"Collaborative Incident Response: Bridging the Gap between Large Organizations and Open Source Projects" +- This discussion topic aims to explore how large organizations could potentially extend their incident response capabilities to support open source projects during security incidents. 
+- It will focus on sharing actionable insights, resources, and best practices to enhance the resilience of open source software against emerging threats, emphasizing collaborative efforts, shared responsibility, and the alignment of incident response strategies for the collective benefit of the digital ecosystem. + +#### Forum Discussion Style Topic: 10-15 Minutes + +"Fostering Trust and Transparency: The Art of Communicating with Security Issue Reporters" +- Discuss the importance of open lines of communication between project maintainers and Security issue reporters for enhancing project security and community trust. + +### Lesson Learnt, Final Observations + +### Closing Remarks + +### Q&A + +# Acknowledgments + +We thank all the panelists, contributors, and attendees for their active participation and valuable contributions to the success of this event. Special thanks to the organizing team for their efforts in coordinating and facilitating the session. + +# About This Document + +This document was created to provide a structured overview of the tabletop exercise (TTX) and to serve as a reference for future similar events. + +# Contact Information + For any inquiries related to this document or the discussions held during the TTX, please contact OpenSSF \ No newline at end of file diff --git a/docs/TTX/SOSS Community Day NA 2024/readme.md b/docs/TTX/SOSS Community Day NA 2024/readme.md new file mode 100644 index 0000000..0e0bdbd --- /dev/null +++ b/docs/TTX/SOSS Community Day NA 2024/readme.md @@ -0,0 +1 @@ +TTX materials for the SOSS_Community_Day_NA_2024 scenario diff --git a/docs/TTX/readme.md b/docs/TTX/readme.md index 854b421..12373bc 100644 --- a/docs/TTX/readme.md +++ b/docs/TTX/readme.md 
@@ -37,7 +37,7 @@ With this in mind we aim to produce two 'sides' to each TTX Exercise; ## Scenario The scenarios for the table top exercise typically occur after a cyber incident that has occurred. The scenarios are designed to be realistic and to test the organization's incident response plans and procedures. The scenario should includes a series of events that unfold over time, and the participants are required to respond to the events as they occur, and if technical members are in attendance you should be able to dive into attack flows, indicators and relevant data sources that correlate against the scenario. -Included with every scenario should be a template (e.g. Within Andromeda_Gales there is a scenario_template.md) which covers the scenario walkthrough / roleplay, required attendees, questions and format to the TTX. +Included with every scenario should be a template (e.g. Within SOSS_Community_Day_NA_2024 there is a SOSS_Community_Day_NA_2024_template.md) which covers the scenario walkthrough / roleplay, required attendees, questions and format to the TTX. ## Exercise Objectives The objectives of the table top exercise are to: From 2c0ef72e96f1105363f4af1808d46edb5b90e9b1 Mon Sep 17 00:00:00 2001 From: Ian-Barbour Date: Thu, 2 May 2024 15:53:15 +0100 Subject: [PATCH 4/4] resolve merge conflict in readme.md Signed-off-by: Ian-Barbour --- docs/TTX/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/TTX/readme.md b/docs/TTX/readme.md index 12373bc..061bfed 100644 --- a/docs/TTX/readme.md +++ b/docs/TTX/readme.md @@ -1,4 +1,4 @@ -This directory contains files for Cyber Incident Response (CIR) Table Top Exercises (TTX) that demonstrate how to prepare and "roleplay" a cyber security incident. +This directory contains files from the OpenSSF's Table Top Exercises (TTX) that demonstrate how to prepare and "roleplay" a cyber security incident. # Cyber Incident Response - Table Top Exercises ## Table of Contents
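Review bot: `timestamp:` is not a field of an `audit.k8s.io/v1` Event in the `7_Discovery_Check_Against_Security_Software_K8.yaml` hunk; the API server emits `requestReceivedTimestamp` and `stageTimestamp`, so any parser or SIEM ingest written against real audit output will silently drop the time from these synthetic events (the same applies to the 8_ and 9_ hunks). Since every line of the file is already being re-emitted, rename the key, e.g. `stageTimestamp: "2024-02-29T21:10:00Z"`, and add the trailing newline that `\ No newline at end of file` reports on both sides.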
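Review bot: the `auditID` in the `8_Env_Keying_K8.yaml` hunk (`b4c5d6e7-f8g9-h0i1-j2k3-l4m5n6o7p8q9`, and the same pattern in the 7_ and 9_ files) is not a valid UUID, since a real Kubernetes audit ID is hex only and these contain g through r; a correlation or detection rule that matches audit IDs against a UUID pattern will never fire on them, so they should be regenerated as proper UUIDs if participants are expected to run real tooling over the logs. The `kubernetes.io/environment-keying` annotation is scenario narration rather than something the API server or an admission controller writes on its own; the Event_Logs readme, renamed unchanged in this patch, should state that the files are synthetic and what each annotation key is meant to signal.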
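Review bot: in the `9_Persistence_Jobs_K8.yaml` hunk the `-` and `+` sides are character-for-character identical (as in the 7_, 8_ and Template hunks), yet git reports similarity 96% rather than 100%, which points to a line-ending change rather than a content edit. That churn hides the real rename from `git blame` and makes the event-log diffs unreviewable; normalize once with a `.gitattributes` entry such as `* text=auto` and re-commit so the renames show as pure renames. This event is also the one where an `objectRef:` block (`resource: jobs`, `namespace: default`, `name: persistence-job-andromeda`) would let a Kubernetes-aware detection rule key on the created Job without parsing `responseObject`; worth adding alongside the existing `responseObject`.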
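Review bot: the heading typo `# Scenario Descripton` in the `SOSS_Community_Day_NA_2024_Scenario.md` hunk is carried into the `+` side unchanged; since the whole file is re-emitted here, fix it to `# Scenario Description`. The closing paragraph still says the events are in `the /Event_Logs directory within this repository`, which after this patch is `docs/TTX/SOSS Community Day NA 2024/Event_Logs/`; a path relative to the scenario file (`./Event_Logs`) would stay correct through future renames.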
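Review bot: in the `SOSS_Community_Day_NA_2024_Template.md` hunk, `### Lesson Learnt, Final Observations` should read `### Lessons Learnt, Final Observations`, and the `# Contact Information` section ends at `please contact OpenSSF` with no address, channel or link; both survive unchanged into the `+` side of a hunk that otherwise rewrites every line of the file. Adding the contact route (or a placeholder marked as such) before this template is handed to other projects to customize would avoid every derived copy inheriting the gap.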
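Review bot: the new text in the `docs/TTX/readme.md` hunk points to `SOSS_Community_Day_NA_2024_template.md` inside `SOSS_Community_Day_NA_2024`, but the files this patch creates are `SOSS_Community_Day_NA_2024_Template.md` (capital T) inside `docs/TTX/SOSS Community Day NA 2024/` (spaces, not underscores); on a case-sensitive checkout neither name resolves. Pick one convention, and underscores throughout spare every later script and link from having to quote the path. The unchanged context line `The scenario should includes a series of events` also has a typo worth fixing while the file is open.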
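Review bot: the replacement line in the PATCH 4/4 hunk drops the `Cyber Incident Response (CIR)` expansion while the heading immediately below still reads `# Cyber Incident Response - Table Top Exercises`, and `the OpenSSF's` should be `OpenSSF's` (or `the OpenSSF`). Something like `This directory contains files from OpenSSF's Cyber Incident Response (CIR) Table Top Exercises (TTX) that demonstrate how to prepare and "roleplay" a cyber security incident.` keeps the acronym defined. The commit message says `resolve merge conflict` but the hunk is a wording change; a line stating which side was taken would tell reviewers it was intentional.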