diff --git a/README.md b/README.md
index 0b73eab..555c364 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,14 @@
 # Apache Access Log Detections Mod for Powerpipe
 
-View dashboards, run detections and scan for anomalies across your Apache access logs.
+[Tailpipe](https://tailpipe.io) is an open-source CLI tool that allows you to collect logs and query them with SQL.
 
-<!-- 
-TODO: Insert images
--->
+The [Apache Access Log Detections Mod](https://hub.powerpipe.io/mods/turbot/tailpipe-mod-apache-access-log-detections) contains pre-built dashboards and detections, which can be used to monitor and analyze activity across your Apache servers.
+
+Run detection benchmarks:
+![image](docs/images/apache_access_log_owasp_dashboard.png)
+
+View insights in dashboards:
+![image](docs/images/apache_access_log_activity_dashboard.png)
 
 ## Documentation
 
@@ -102,13 +106,12 @@ List available benchmarks:
 powerpipe benchmark list
 ```
 
-<!-- TODO: add a benchmark name and uncomment
 Run a benchmark:
 
 ```sh
-powerpipe benchmark run apache_access_log_detections.benchmark.
+powerpipe benchmark run apache_access_log_detections.benchmark.owasp_top_10
 ```
--->
+
 Different output formats are also available, for more information please see
 [Output Formats](https://powerpipe.io/docs/reference/cli/benchmark#output-formats).
 
@@ -126,4 +129,4 @@ Want to help but don't know where to start? Pick up one of the `help wanted` iss
 
 - [Powerpipe](https://github.com/turbot/powerpipe/labels/help%20wanted)
 - [Tailpipe](https://github.com/turbot/tailpipe/labels/help%20wanted)
-- [Apache Access Log Detections Mod](https://github.com/turbot/tailpipe-mod-apache-access-log-detections/labels/help%20wanted)
\ No newline at end of file
+- [Apache Access Log Detections Mod](https://github.com/turbot/tailpipe-mod-apache-access-log-detections/labels/help%20wanted)
diff --git a/dashboards/activity_dashboard.pp b/dashboards/activity_dashboard.pp
new file mode 100644
index 0000000..e6bf8c4
--- /dev/null
+++ b/dashboards/activity_dashboard.pp
@@ -0,0 +1,339 @@
+dashboard "activity_dashboard" {
+  title         = "Access Log Activity Dashboard"
+  documentation = file("./dashboards/docs/activity_dashboard.md")
+
+  tags = {
+    type    = "Dashboard"
+    service = "Apache/AccessLog"
+  }
+
+  container {
+    # Analysis
+    card {
+      query = query.activity_dashboard_total_logs
+      width = 2
+    }
+
+    card {
+      query = query.activity_dashboard_success_count
+      width = 2
+      type  = "ok"
+    }
+
+    card {
+      query = query.activity_dashboard_redirect_count
+      width = 2
+      type  = "info"
+    }
+
+    card {
+      query = query.activity_dashboard_bad_request_count
+      width = 2
+      type  = "alert"
+    }
+
+    card {
+      query = query.activity_dashboard_error_count
+      width = 2
+      type  = "alert"
+    }
+  }
+
+  container {
+
+    chart {
+      title = "Requests by Day"
+      query = query.activity_dashboard_requests_by_day
+      width = 6
+      type  = "line"
+    }
+
+    chart {
+      title = "Requests by HTTP Method"
+      query = query.activity_dashboard_requests_by_http_method
+      width = 6
+      type  = "bar"
+    }
+
+    chart {
+      title = "Requests by Status Code"
+      query = query.activity_dashboard_requests_by_status_code
+      width = 6
+      type  = "pie"
+    }
+
+    chart {
+      title = "Top 10 User Agents (Requests)"
+      query = query.activity_dashboard_requests_by_user_agent
+      width = 6
+      type  = "pie"
+    }
+
+    chart {
+      title = "Top 10 Clients (Requests)"
+      query = query.activity_dashboard_top_10_clients
+      width = 6
+      type  = "table"
+    }
+
+    chart {
+      title = "Top 10 URLs (Requests)"
+      query = query.activity_dashboard_top_10_urls
+      width = 6
+      type  = "table"
+    }
+
+    chart {
+      title = "Top 10 URLs (Successful Requests)"
+      query = query.activity_dashboard_requests_by_successful_requests
+      width = 6
+      type  = "table"
+    }
+
+    chart {
+      title = "Top 10 URLs (Errors)"
+      query = query.activity_dashboard_requests_by_errors
+      width = 6
+      type  = "table"
+    }
+  }
+
+}
+
+# Queries
+query "activity_dashboard_total_logs" {
+  title       = "Log Count"
+  description = "Count the total Apache log entries."
+
+  sql = <<-EOQ
+    select
+      count(*) as "Total Requests"
+    from
+      apache_access_log;
+  EOQ
+}
+
+query "activity_dashboard_success_count" {
+  title       = "Successful Request Count"
+  description = "Count of successful HTTP requests (status 2xx)."
+
+  sql = <<-EOQ
+    select
+      count(*) as "Successful (2xx)"
+    from
+      apache_access_log
+    where
+      status between 200 and 299;
+  EOQ
+}
+
+query "activity_dashboard_redirect_count" {
+  title       = "Redirect Request Count"
+  description = "Count of redirect HTTP requests (status 3xx)."
+
+  sql = <<-EOQ
+    select
+      count(*) as "Redirections (3xx)"
+    from
+      apache_access_log
+    where
+      status between 300 and 399;
+  EOQ
+}
+
+query "activity_dashboard_bad_request_count" {
+  title       = "Bad Request Count"
+  description = "Count of client error HTTP requests (status 4xx)."
+
+  sql = <<-EOQ
+    select
+      count(*) as "Bad Requests (4xx)"
+    from
+      apache_access_log
+    where
+      status between 400 and 499;
+  EOQ
+}
+
+query "activity_dashboard_error_count" {
+  title       = "Server Error Count"
+  description = "Count of server error HTTP requests (status 5xx)."
+
+  sql = <<-EOQ
+    select
+      count(*) as "Server Errors (5xx)"
+    from
+      apache_access_log
+    where
+      status between 500 and 599;
+  EOQ
+}
+
+query "activity_dashboard_top_10_clients" {
+  title       = "Top 10 Clients (Requests)"
+  description = "List the top 10 client IPs by request count."
+
+  sql = <<-EOQ
+    select
+      remote_addr as "Client IP",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    group by
+      remote_addr
+    order by
+      count(*) desc,
+      remote_addr
+    limit 10;
+  EOQ
+}
+
+query "activity_dashboard_top_10_urls" {
+  title       = "Top 10 URLs (Requests)"
+  description = "List the top 10 requested URLs by request count."
+
+  sql = <<-EOQ
+    select
+      request_uri as "URL",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    where
+      request_uri is not null
+    group by
+      request_uri
+    order by
+      count(*) desc,
+      request_uri
+    limit 10;
+  EOQ
+}
+
+query "activity_dashboard_requests_by_day" {
+  title       = "Requests by Day"
+  description = "Count of requests grouped by day."
+
+  sql = <<-EOQ
+    select
+      strftime(tp_timestamp, '%Y-%m-%d') as "Date",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    group by
+      strftime(tp_timestamp, '%Y-%m-%d')
+    order by
+      strftime(tp_timestamp, '%Y-%m-%d');
+  EOQ
+}
+
+query "activity_dashboard_requests_by_status_code" {
+  title       = "Requests by Status Code"
+  description = "Count of rqeuests grouped by status code."
+
+  sql = <<-EOQ
+    select
+      case
+        when status between 200 and 299 then '2xx Success'
+        when status between 300 and 399 then '3xx Redirect'
+        when status between 400 and 499 then '4xx Client Error'
+        when status between 500 and 599 then '5xx Server Error'
+        else 'Other'
+      end as "Status Category",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    where
+      status is not null
+    group by
+      "Status Category"
+    order by
+      "Status Category";
+  EOQ
+}
+
+query "activity_dashboard_requests_by_http_method" {
+  title       = "Requests by HTTP Method"
+  description = "Distribution of HTTP methods used in requests."
+
+  sql = <<-EOQ
+    select
+      request_method as "HTTP Method",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    where
+      request_method is not null
+    group by
+      request_method
+    order by
+      count(*) asc,
+      request_method;
+  EOQ
+}
+
+query "activity_dashboard_requests_by_successful_requests" {
+  title       = "Top 10 URLs (Successful Requests)"
+  description = "List the top 10 requested URLs by successful request count."
+
+  sql = <<-EOQ
+    select
+      request_uri as "Path",
+      count(*) as "Request Count",
+      string_agg(distinct status::text, ', ' order by status::text) as "Status Codes"
+    from
+      apache_access_log
+    where
+      status between 200 and 299
+      and request_uri is not null
+    group by
+      request_uri
+    order by
+      count(*) desc,
+      request_uri
+    limit 10;
+  EOQ
+}
+
+query "activity_dashboard_requests_by_errors" {
+  title       = "Top 10 URLs (Errors)"
+  description = "List the top 10 requested URLs by error count."
+
+  sql = <<-EOQ
+    select
+      request_uri as "Path",
+      count(*) as "Error Count",
+      string_agg(distinct status::text, ', ' order by status::text) as "Status Codes"
+    from
+      apache_access_log
+    where
+      status between 400 and 599
+      and request_uri is not null
+    group by
+      request_uri
+    order by
+      count(*) desc,
+      request_uri
+    limit 10;
+  EOQ
+}
+
+query "activity_dashboard_requests_by_user_agent" {
+  title       = "Top 10 User Agents (Requests)"
+  description = "Distribution of user agents in requests."
+
+  sql = <<-EOQ
+    select
+      http_user_agent as "User Agent",
+      count(*) as "Request Count"
+    from
+      apache_access_log
+    where
+      http_user_agent is not null
+    group by
+      http_user_agent
+    order by
+      count(*) desc,
+      http_user_agent
+    limit 10;
+  EOQ
+}
diff --git a/dashboards/docs/activity_dashboard.md b/dashboards/docs/activity_dashboard.md
new file mode 100644
index 0000000..14178bc
--- /dev/null
+++ b/dashboards/docs/activity_dashboard.md
@@ -0,0 +1,11 @@
+This dashboard answers the following questions:
+
+- How many HTTP requests has the Apache server handled?
+- What is the distribution of HTTP status codes (success, redirect, client errors, server errors)?
+- What HTTP methods are being used most frequently?
+- How has request volume changed over time?
+- Which browsers and tools are accessing the server?
+- Which client IPs are generating the most traffic?
+- Which URIs are most frequently requested?
+- Which paths have the most successful requests?
+- Which paths are generating the most errors?
diff --git a/detections/access_logs.pp b/detections/access_logs.pp
new file mode 100644
index 0000000..b5d267f
--- /dev/null
+++ b/detections/access_logs.pp
@@ -0,0 +1,15 @@
+benchmark "access_log_detections" {
+  title       = "Access Log Detections"
+  description = "This benchmark contains recommendations when scanning access logs."
+  type        = "detection"
+  children = [
+    benchmark.cross_site_scripting_detections,
+    benchmark.local_file_inclusion_detections,
+    benchmark.remote_command_execution_detections,
+    benchmark.sql_injection_detections,
+  ]
+
+  tags = merge(local.apache_access_log_detections_common_tags, {
+    type = "Benchmark"
+  })
+}
diff --git a/detections/cross_site_scripting.pp b/detections/cross_site_scripting.pp
new file mode 100644
index 0000000..20d8282
--- /dev/null
+++ b/detections/cross_site_scripting.pp
@@ -0,0 +1,577 @@
+locals {
+  cross_site_scripting_common_tags = merge(local.apache_access_log_detections_common_tags, {
+    category = "Cross-Site Scripting"
+  })
+}
+
+benchmark "cross_site_scripting_detections" {
+  title       = "Cross-Site Scripting (XSS) Detections"
+  description = "This benchmark contains cross-site scripting (XSS) focused detections when scanning access logs."
+  type        = "detection"
+  children = [
+    detection.cross_site_scripting_angular_template,
+    detection.cross_site_scripting_attribute_injection,
+    detection.cross_site_scripting_common_patterns,
+    detection.cross_site_scripting_dom_based,
+    detection.cross_site_scripting_encoding,
+    detection.cross_site_scripting_html_injection,
+    detection.cross_site_scripting_javascript_methods,
+    detection.cross_site_scripting_javascript_uri,
+    detection.cross_site_scripting_script_tag,
+  ]
+
+  tags = merge(local.cross_site_scripting_common_tags, {
+    type = "Benchmark"
+  })
+}
+
+detection "cross_site_scripting_common_patterns" {
+  title           = "Cross-Site Scripting Common Patterns"
+  description     = "Detect basic Cross-Site Scripting (XSS) attack patterns in HTTP requests and User-Agent headers."
+  documentation   = file("./detections/docs/cross_site_scripting_common_patterns.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.cross_site_scripting_common_patterns
+
+  tags = merge(local.cross_site_scripting_common_tags, {
+    mitre_attack_ids = "TA0002:T1059.007",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "cross_site_scripting_common_patterns" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      (
+        request_uri is not null
+        and (
+          -- Common XSS patterns
+          request_uri ilike '%alert(%'
+          or request_uri ilike '%prompt(%'
+          or request_uri ilike '%confirm(%'
+          or request_uri ilike '%eval(%'
+          or request_uri ilike '%document.cookie%'
+          or request_uri ilike '%document.domain%'
+          or request_uri ilike '%document.write%'
+          -- URL encoded variants
+          or request_uri ilike '%&#x3C;script%'
+          or request_uri ilike '%\\x3Cscript%'
+        )
+      )
+      OR
+      (
+        http_user_agent is not null
+        and (
+          -- Common XSS patterns
+          http_user_agent ilike '%alert(%'
+          or http_user_agent ilike '%prompt(%'
+          or http_user_agent ilike '%confirm(%'
+          or http_user_agent ilike '%eval(%'
+          or http_user_agent ilike '%document.cookie%'
+          or http_user_agent ilike '%document.domain%'
+          or http_user_agent ilike '%document.write%'
+          -- URL encoded variants
+          or http_user_agent ilike '%&#x3C;script%'
+          or http_user_agent ilike '%\\x3Cscript%'
+        )
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "cross_site_scripting_script_tag" {
+  title           = "Cross-Site Scripting Script Tag"
+  description     = "Detect Cross-Site Scripting attacks using script tags to execute arbitrary JavaScript code in requests and User-Agent headers."
+  documentation   = file("./detections/docs/cross_site_scripting_script_tag.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.cross_site_scripting_script_tag
+
+  tags = merge(local.cross_site_scripting_common_tags, {
+    mitre_attack_ids = "TA0002:T1059.007",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "cross_site_scripting_script_tag" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      (
+        request_uri is not null
+        and (
+          -- Standard script tags
+          request_uri ilike '%<script>%'
+          or request_uri ilike '%<script%src%'
+          or request_uri ilike '%<script/%'
+          -- Obfuscated script tags
+          or request_uri ilike '%<scr%ipt%'
+          or request_uri ilike '%<scr\\x00ipt%'
+          or request_uri ilike '%<s%00cript%'
+        )
+      )
+      OR
+      (
+        http_user_agent is not null
+        and (
+          -- Standard script tags
+          http_user_agent ilike '%<script>%'
+          or http_user_agent ilike '%<script%src%'
+          or http_user_agent ilike '%<script/%'
+          -- Obfuscated script tags
+          or http_user_agent ilike '%<scr%ipt%'
+          or http_user_agent ilike '%<scr\\x00ipt%'
+          or http_user_agent ilike '%<s%00cript%'
+        )
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "cross_site_scripting_attribute_injection" {
+  title           = "Cross-Site Scripting Attribute Injection"
+  description     = "Detect Cross-Site Scripting attacks using HTML attribute injection, such as event handlers or dangerous attributes in requests and User-Agent headers."
+  documentation   = file("./detections/docs/cross_site_scripting_attribute_injection.md")
+  severity        = "high"
+  display_columns = local.detection_display_columns
+
+  query = query.cross_site_scripting_attribute_injection
+
+  tags = merge(local.cross_site_scripting_common_tags, {
+    mitre_attack_ids = "TA0002:T1059.007",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "cross_site_scripting_attribute_injection" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      (
+        request_uri is not null
+        and (
+          -- Attribute injection patterns
+          request_uri ilike '%onerror=%'
+          or request_uri ilike '%onload=%'
+          or request_uri ilike '%onmouseover=%'
+          or request_uri ilike '%onmouseout=%'
+          or request_uri ilike '%onclick=%'
+          or request_uri ilike '%onfocus=%'
+          or request_uri ilike '%onblur=%'
+          or request_uri ilike '%onchange=%'
+          or request_uri ilike '%onsubmit=%'
+          or request_uri ilike '%onkeypress=%'
+          -- Less common event handlers
+          or request_uri ilike '%onreadystatechange=%'
+          or request_uri ilike '%onbeforeonload=%'
+          or request_uri ilike '%onanimationstart=%'
+          -- Dangerous attributes
+          or request_uri ilike '%formaction=%'
+          or request_uri ilike '%xlink:href=%'
+          or request_uri ilike '%data:text/html%'
+          or request_uri ilike '%pattern=%'
+        )
+      )
+      OR
+      (
+        http_user_agent is not null
+        and (
+          -- Attribute injection patterns
+          http_user_agent ilike '%onerror=%'
+          or http_user_agent ilike '%onload=%'
+          or http_user_agent ilike '%onmouseover=%'
+          or http_user_agent ilike '%onmouseout=%'
+          or http_user_agent ilike '%onclick=%'
+          or http_user_agent ilike '%onfocus=%'
+          or http_user_agent ilike '%onblur=%'
+          or http_user_agent ilike '%onchange=%'
+          or http_user_agent ilike '%onsubmit=%'
+          or http_user_agent ilike '%onkeypress=%'
+          -- Less common event handlers
+          or http_user_agent ilike '%onreadystatechange=%'
+          or http_user_agent ilike '%onbeforeonload=%'
+          or http_user_agent ilike '%onanimationstart=%'
+          -- Dangerous attributes
+          or http_user_agent ilike '%formaction=%'
+          or http_user_agent ilike '%xlink:href=%'
+          or http_user_agent ilike '%data:text/html%'
+          or http_user_agent ilike '%pattern=%'
+        )
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "cross_site_scripting_javascript_uri" {
+  title           = "Cross-Site Scripting JavaScript URI"
+  description     = "Detect Cross-Site Scripting attacks using javascript: URI schemes in attributes like href or src in requests and User-Agent headers."
+  documentation   = file("./detections/docs/cross_site_scripting_javascript_uri.md")
+  severity        = "high"
+  display_columns = local.detection_display_columns
+
+  query = query.cross_site_scripting_javascript_uri
+
+  tags = merge(local.cross_site_scripting_common_tags, {
+    mitre_attack_ids = "TA0002:T1059.007",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "cross_site_scripting_javascript_uri" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      (
+        request_uri is not null
+        and (
+          -- JavaScript URI schemes
+          request_uri ilike '%javascript:%'
+          or request_uri ilike '%vbscript:%'
+          -- Obfuscated javascript: URIs
+          or request_uri ilike '%jav&#x0A;ascript:%'
+          or request_uri ilike '%javascript:url(%'
+        )
+      )
+      or
+      (
+        http_user_agent is not null
+        and (
+          -- JavaScript URI schemes
+          http_user_agent ilike '%javascript:%'
+          or http_user_agent ilike '%vbscript:%'
+          -- Obfuscated javascript: URIs
+          or http_user_agent ilike '%jav&#x0A;ascript:%'
+          or http_user_agent ilike '%javascript:url(%'
+        )
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "cross_site_scripting_html_injection" {
+  title           = "Cross-Site Scripting HTML Injection"
+  description     = "Detect Cross-Site Scripting attacks using HTML tag injection that may execute JavaScript in requests and User-Agent headers."
+  documentation   = file("./detections/docs/cross_site_scripting_html_injection.md")
+  severity        = "high"
+  display_columns = local.detection_display_columns
+
+  query = query.cross_site_scripting_html_injection
+
+  tags = merge(local.cross_site_scripting_common_tags, {
+    mitre_attack_ids = "TA0002:T1059.007",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "cross_site_scripting_html_injection" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      (
+        request_uri is not null
+        and (
+          -- Common HTML tags that can be used for XSS
+          request_uri ilike '%<iframe%src=%'
+          or request_uri ilike '%<img%src=%' and (
+              request_uri ilike '%onerror=%' 
+              or request_uri ilike '%onload=%'
+          )
+          or request_uri ilike '%<svg%on%=' -- SVG with event handlers
+          or request_uri ilike '%<svg><script%' -- SVG containing script
+          or request_uri ilike '%<object%data=%' and request_uri not ilike '%application/pdf%'
+          or request_uri ilike '%<embed%src=%' and request_uri not ilike '%application/pdf%'
+          or request_uri ilike '%<video%src=%' and (
+              request_uri ilike '%onerror=%' 
+              or request_uri ilike '%onload=%'
+          )
+          or request_uri ilike '%<audio%src=%' and (
+              request_uri ilike '%onerror=%' 
+              or request_uri ilike '%onload=%'
+          )
+        )
+      )
+      or
+      (
+        http_user_agent is not null
+        and (
+          -- HTML tags with dangerous attributes (reduces false positives)
+          http_user_agent ilike '%<iframe%src=%' 
+          or http_user_agent ilike '%<iframe%srcdoc=%'
+          or http_user_agent ilike '%<img%src=%' and (
+              http_user_agent ilike '%onerror=%' 
+              or http_user_agent ilike '%onload=%'
+          )
+          or http_user_agent ilike '%<svg%on%=' -- SVG with event handlers
+          or http_user_agent ilike '%<svg><script%' -- SVG containing script
+          or http_user_agent ilike '%<object%data=%' and http_user_agent not ilike '%application/pdf%'
+          or http_user_agent ilike '%<embed%src=%' and http_user_agent not ilike '%application/pdf%'
+          or http_user_agent ilike '%<video%src=%' and (
+              http_user_agent ilike '%onerror=%' 
+              or http_user_agent ilike '%onload=%'
+          )
+          or http_user_agent ilike '%<audio%src=%' and (
+              http_user_agent ilike '%onerror=%' 
+              or http_user_agent ilike '%onload=%'
+          )
+        )
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "cross_site_scripting_javascript_methods" {
+  title           = "Cross-Site Scripting JavaScript Methods"
+  description     = "Detect Cross-Site Scripting attacks using dangerous JavaScript methods like eval(), setTimeout(), and Function() in requests and User-Agent headers."
+  documentation   = file("./detections/docs/cross_site_scripting_javascript_methods.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.cross_site_scripting_javascript_methods
+
+  tags = merge(local.cross_site_scripting_common_tags, {
+    mitre_attack_ids = "TA0002:T1059.007",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "cross_site_scripting_javascript_methods" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      (
+        request_uri is not null
+        and (
+          -- Dangerous JavaScript methods
+          request_uri ilike '%eval(%'
+          or request_uri ilike '%setTimeout(%'
+          or request_uri ilike '%setInterval(%'
+          or request_uri ilike '%Function(%'
+          or request_uri ilike '%fetch(%'
+          or request_uri ilike '%document.write(%'
+          or request_uri ilike '%document.cookie%'
+        )
+      )
+      or
+      (
+        http_user_agent is not null
+        and (
+          -- Dangerous JavaScript methods
+          http_user_agent ilike '%eval(%'
+          or http_user_agent ilike '%setTimeout(%'
+          or http_user_agent ilike '%setInterval(%'
+          or http_user_agent ilike '%Function(%'
+          or http_user_agent ilike '%fetch(%'
+          or http_user_agent ilike '%document.write(%'
+          or http_user_agent ilike '%document.cookie%'
+        )
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "cross_site_scripting_encoding" {
+  title           = "Cross-Site Scripting Encoding"
+  description     = "Detect Cross-Site Scripting attacks using various encoding techniques to bypass filters in requests and User-Agent headers."
+  documentation   = file("./detections/docs/cross_site_scripting_encoding.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.cross_site_scripting_encoding
+
+  tags = merge(local.cross_site_scripting_common_tags, {
+    mitre_attack_ids = "TA0002:T1059.007",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "cross_site_scripting_encoding" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      (
+        request_uri is not null
+        and (
+          -- HTML entity encoding
+          request_uri ilike '%&#x3C;script%' -- Hex entity encoded <script
+          or request_uri ilike '%&#60;script%' -- Decimal entity encoded <script
+          or request_uri ilike '%&#x3c;%&#x2f;script&#x3e;%' -- Hex encoded </script>
+          or request_uri ilike '%&#x3c;img%&#x6f;nerror%' -- Hex encoded <img and onerror
+          -- Base64 encoding
+          or request_uri ilike '%data:text/html;base64,%'
+          -- URL encoding
+          or request_uri ilike '%\\u00%'
+          or request_uri ilike '%\\x%'
+          -- UTF-7 encoding (IE specific)
+          or request_uri ilike '%+ADw-%'
+        )
+      )
+      or
+      (
+        http_user_agent is not null
+        and (
+          -- HTML entity encoding
+          http_user_agent ilike '%&#x3C;script%' -- Hex entity encoded <script
+          or http_user_agent ilike '%&#60;script%' -- Decimal entity encoded <script
+          or http_user_agent ilike '%&#x3c;%&#x2f;script&#x3e;%' -- Hex encoded </script>
+          or http_user_agent ilike '%&#x3c;img%&#x6f;nerror%' -- Hex encoded <img and onerror
+          -- Base64 encoding
+          or http_user_agent ilike '%data:text/html;base64,%'
+          -- URL encoding
+          or http_user_agent ilike '%\\u00%'
+          or http_user_agent ilike '%\\x%'
+          -- UTF-7 encoding (IE specific)
+          or http_user_agent ilike '%+ADw-%'
+        )
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "cross_site_scripting_dom_based" {
+  title           = "Cross-Site Scripting DOM Based"
+  description     = "Detect potential DOM-based Cross-Site Scripting attacks targeting JavaScript DOM manipulation in requests and User-Agent headers."
+  documentation   = file("./detections/docs/cross_site_scripting_dom_based.md")
+  severity        = "high"
+  display_columns = local.detection_display_columns
+
+  query = query.cross_site_scripting_dom_based
+
+  tags = merge(local.cross_site_scripting_common_tags, {
+    mitre_attack_ids = "TA0002:T1059.007",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "cross_site_scripting_dom_based" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      (
+        request_uri is not null
+        and (
+          -- DOM manipulation methods
+          request_uri ilike '%document.getElementById%'
+          or request_uri ilike '%document.querySelector%'
+          or request_uri ilike '%document.write%'
+          or request_uri ilike '%innerHTML%'
+          or request_uri ilike '%outerHTML%'
+          or request_uri ilike '%document.location%'
+          or request_uri ilike '%window.location%'
+          or request_uri ilike '%document.URL%'
+          or request_uri ilike '%document.documentURI%'
+          or request_uri ilike '%document.referrer%'
+          or request_uri ilike '%window.name%'
+          or request_uri ilike '%location.hash%'
+          or request_uri ilike '%location.search%'
+          or request_uri ilike '%location.href%'
+        )
+      )
+      or
+      (
+        http_user_agent is not null
+        and (
+          -- DOM manipulation methods
+          http_user_agent ilike '%document.getElementById%'
+          or http_user_agent ilike '%document.querySelector%'
+          or http_user_agent ilike '%document.write%'
+          or http_user_agent ilike '%innerHTML%'
+          or http_user_agent ilike '%outerHTML%'
+          or http_user_agent ilike '%document.location%'
+          or http_user_agent ilike '%window.location%'
+          or http_user_agent ilike '%document.URL%'
+          or http_user_agent ilike '%document.documentURI%'
+          or http_user_agent ilike '%document.referrer%'
+          or http_user_agent ilike '%window.name%'
+          or http_user_agent ilike '%location.hash%'
+          or http_user_agent ilike '%location.search%'
+          or http_user_agent ilike '%location.href%'
+        )
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "cross_site_scripting_angular_template" {
+  title           = "Cross-Site Scripting AngularJS Template"
+  description     = "Detect potential AngularJS template injection attacks that can lead to Cross-Site Scripting in requests and User-Agent headers."
+  documentation   = file("./detections/docs/cross_site_scripting_angular_template.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.cross_site_scripting_angular_template
+
+  tags = merge(local.cross_site_scripting_common_tags, {
+    mitre_attack_ids = "TA0002:T1059.007",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "cross_site_scripting_angular_template" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      (
+        request_uri is not null
+        and (
+          -- Common AngularJS injection patterns
+          request_uri ilike '%constructor.constructor%'
+          or request_uri ilike '%$eval%'
+          or request_uri ilike '%ng-init%'
+          or request_uri ilike '%ng-bind%'
+          or request_uri ilike '%ng-include%'
+        )
+      )
+      OR
+      (
+        http_user_agent is not null
+        and (
+          -- Common AngularJS injection patterns
+          http_user_agent ilike '%constructor.constructor%'
+          or http_user_agent ilike '%$eval%'
+          or http_user_agent ilike '%ng-init%'
+          or http_user_agent ilike '%ng-bind%'
+          or http_user_agent ilike '%ng-include%'
+        )
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
diff --git a/detections/docs/cross_site_scripting_angular_template.md b/detections/docs/cross_site_scripting_angular_template.md
new file mode 100644
index 0000000..c6db415
--- /dev/null
+++ b/detections/docs/cross_site_scripting_angular_template.md
@@ -0,0 +1,17 @@
+## Overview
+
+The AngularJS Template Injection detection identifies Cross-Site Scripting (XSS) attacks that specifically target AngularJS template expressions. This is a sophisticated attack vector where attackers inject malicious code using AngularJS's template syntax, such as double curly braces (`{{ }}`) and specialized directives.
+
+This detection examines both HTTP requests and User-Agent headers for patterns indicating AngularJS template injection attempts. It focuses on identifying AngularJS-specific syntax and common attack patterns like `{{ constructor.constructor() }}` that can be used to execute arbitrary JavaScript in applications using AngularJS.
+
+AngularJS template injection attacks are particularly dangerous because they can bypass traditional XSS filters that focus on HTML tags and JavaScript syntax. When AngularJS processes templates, it evaluates expressions within curly braces, potentially allowing attackers to execute arbitrary JavaScript if the application doesn't properly sanitize user inputs before incorporating them into templates.
+
+Advanced AngularJS injection techniques often use methods like `$eval` or directives like `ng-init` to execute code. Attackers may also leverage JavaScript's prototype chain to access constructor functions and execute arbitrary code, even in environments with Content Security Policy (CSP) protections.
+
+By examining both request URIs and User-Agent headers, this detection can identify attackers who attempt to evade security controls by hiding their template injection payloads in HTTP headers rather than request parameters. This comprehensive approach helps security teams identify sophisticated AngularJS template injection attempts targeting their web applications.
+
+**References**:
+- [OWASP Cross-Site Scripting Prevention](https://owasp.org/www-community/attacks/xss/)
+- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
+- [OWASP Top 10 2021: A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
+- [MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/)
diff --git a/detections/docs/cross_site_scripting_attribute_injection.md b/detections/docs/cross_site_scripting_attribute_injection.md
new file mode 100644
index 0000000..698f96d
--- /dev/null
+++ b/detections/docs/cross_site_scripting_attribute_injection.md
@@ -0,0 +1,15 @@
+## Overview
+
+The XSS Attribute Injection detection identifies Cross-Site Scripting (XSS) attacks that exploit HTML attributes to execute malicious JavaScript. This is a sophisticated attack vector where attackers inject event handlers or other dangerous attributes into HTML elements.
+
+This detection examines both HTTP requests and User-Agent headers for patterns indicating attribute-based XSS attempts. It focuses on identifying event handlers like `onload`, `onerror`, and `onclick`, as well as dangerous attributes such as `formaction` and custom attributes that could be used to trigger JavaScript execution.
+
+Attribute-based XSS attacks can be particularly dangerous as they often bypass basic XSS filters that only look for script tags. By injecting event handlers into seemingly innocuous HTML elements, attackers can execute JavaScript when certain browser events are triggered. For example, injecting `onerror=alert(1)` into an image tag will execute the JavaScript when the image fails to load.
+
+This detection looks for both common and less common event handlers, as well as attributes that can trigger script execution in modern browsers. By examining both request URIs and User-Agent headers, the detection can identify attackers who attempt to evade security controls by hiding malicious code in HTTP headers rather than request parameters. This comprehensive approach helps security teams identify potential vulnerabilities in their web applications and detect active exploitation attempts that target attribute-based XSS vectors.
+
+**References**:
+- [OWASP XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
+- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
+- [OWASP Top 10 2021: A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
+- [MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/)
\ No newline at end of file
diff --git a/detections/docs/cross_site_scripting_common_patterns.md b/detections/docs/cross_site_scripting_common_patterns.md
new file mode 100644
index 0000000..ee45a3f
--- /dev/null
+++ b/detections/docs/cross_site_scripting_common_patterns.md
@@ -0,0 +1,15 @@
+## Overview
+
+Cross-Site Scripting Common Patterns detection identifies fundamental Cross-Site Scripting (XSS) patterns in HTTP requests and User-Agent headers. Cross-Site Scripting is one of the most prevalent web application security flaws that allows attackers to inject client-side scripts into web pages viewed by other users.
+
+This detection focuses on identifying the most common and widespread XSS attack patterns, including script tags, JavaScript functions like `alert()`, `prompt()`, and `eval()`, as well as document object manipulation attempts. These attacks typically target vulnerable input fields in web applications that fail to properly sanitize or encode user input.
+
+When XSS attacks are successful, attackers can steal cookies, session tokens, or other sensitive information; redirect users to malicious websites; or perform actions on behalf of the victim. Common targets include search fields, comment sections, form inputs, and URL parameters that are reflected back to users without proper sanitization.
+
+The detection helps identify reconnaissance attempts and actual exploitation by monitoring for script tags and common JavaScript functions in both request URIs and User-Agent headers. This comprehensive approach catches attackers attempting to evade detection by placing malicious payloads in HTTP headers rather than request parameters. While many of these patterns may represent false positives in legitimate use cases, their presence in log records often indicates scanning or active exploitation attempts.
+
+**References**:
+- [OWASP: Cross Site Scripting Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
+- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
+- [OWASP Top 10 2021: A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
+- [MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/)
\ No newline at end of file
diff --git a/detections/docs/cross_site_scripting_dom_based.md b/detections/docs/cross_site_scripting_dom_based.md
new file mode 100644
index 0000000..f0c7070
--- /dev/null
+++ b/detections/docs/cross_site_scripting_dom_based.md
@@ -0,0 +1,17 @@
+## Overview
+
+The DOM-Based XSS Attack detection identifies potential Cross-Site Scripting (XSS) attacks that specifically target JavaScript Document Object Model (DOM) manipulation. Unlike traditional XSS attacks that focus on server-side vulnerabilities, DOM-based XSS exploits client-side JavaScript that dynamically modifies the page's DOM.
+
+This detection examines both HTTP requests and User-Agent headers for JavaScript DOM manipulation methods and properties commonly used in DOM-based XSS attacks. It looks for patterns like `document.getElementById`, `document.querySelector`, `innerHTML`, `outerHTML`, and various document location properties that can be used to introduce malicious code into the page.
+
+DOM-based XSS attacks are particularly dangerous because they often bypass traditional server-side XSS protections. The vulnerability occurs when client-side JavaScript code improperly handles data from untrusted sources (like URL parameters or form inputs) and uses it to modify the DOM without adequate sanitization. For example, an application might take a value from the URL and insert it into the page using `innerHTML`, allowing an attacker to inject malicious script.
+
+These attacks typically target single-page applications, complex web interfaces, and sites with significant client-side functionality. By examining both request URIs and User-Agent headers, this detection can identify attackers who attempt to evade security controls by hiding their payloads in HTTP headers rather than request parameters.
+
+This comprehensive approach helps security teams identify sophisticated DOM-based XSS attempts targeting their web applications, which might otherwise evade detection by traditional server-side security controls.
+
+**References**:
+- [OWASP DOM-Based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html)
+- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
+- [OWASP Top 10 2021: A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
+- [MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/)
\ No newline at end of file
diff --git a/detections/docs/cross_site_scripting_encoding.md b/detections/docs/cross_site_scripting_encoding.md
new file mode 100644
index 0000000..905cc96
--- /dev/null
+++ b/detections/docs/cross_site_scripting_encoding.md
@@ -0,0 +1,17 @@
+## Overview
+
+The XSS Encoded Attack detection identifies Cross-Site Scripting (XSS) attacks that use various encoding techniques to bypass security filters. This is a sophisticated attack vector where attackers encode malicious JavaScript using HTML entities, URL encoding, Unicode encoding, or other obfuscation methods to evade detection.
+
+This detection examines both HTTP requests and User-Agent headers for patterns indicating encoded XSS payloads. It focuses on identifying HTML entity encoding (e.g., `&#x3C;script>`), Base64 encoding, URL encoding, and other encoding schemas that might be used to disguise malicious JavaScript.
+
+Encoded XSS attacks are particularly dangerous because they can bypass many security filters and Web Application Firewalls (WAFs) that only check for literal script tags or JavaScript keywords. By encoding these elements, attackers can create payloads that will be decoded by the browser at runtime but may pass through server-side security controls undetected.
+
+For example, an attacker might encode a script tag as `&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;`, which appears harmless to basic security filters but will be interpreted as `<script>alert(1)</script>` when rendered by the browser. Similarly, Base64 encoding can be used to completely obscure the contents of a payload until it's decoded and executed.
+
+By examining both request URIs and User-Agent headers, this detection can identify attackers who attempt to evade security controls by hiding their encoded payloads in HTTP headers rather than request parameters. This comprehensive approach helps security teams identify sophisticated XSS attempts that specifically aim to bypass traditional security controls through encoding techniques.
+
+**References**:
+- [OWASP XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
+- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
+- [OWASP Top 10 2021: A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
+- [MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/)
\ No newline at end of file
diff --git a/detections/docs/cross_site_scripting_event_handlers.md b/detections/docs/cross_site_scripting_event_handlers.md
new file mode 100644
index 0000000..7608716
--- /dev/null
+++ b/detections/docs/cross_site_scripting_event_handlers.md
@@ -0,0 +1,17 @@
+## Overview
+
+The XSS Event Handler Attack detection identifies Cross-Site Scripting (XSS) attacks that specifically target HTML event handlers to execute malicious JavaScript. Event handlers like `onload`, `onerror`, and `onclick` can be injected into HTML elements to trigger JavaScript execution when certain browser events occur.
+
+This detection examines both HTTP requests and User-Agent headers for patterns indicating event handler-based XSS attempts. It focuses on identifying both common event handlers that are frequently targeted in XSS attacks and less common event handlers that may be used to evade basic security filters.
+
+Event handler XSS attacks are particularly dangerous because they can bypass traditional XSS filters that focus primarily on script tags. Attackers can inject these event handlers into various HTML elements, creating multiple attack vectors. For example, an attacker might inject `<img src="invalid" onerror="alert(document.cookie)">` into a comment field, causing the malicious JavaScript to execute when the image fails to load.
+
+Modern web applications have numerous event handlers available, and new ones are introduced with each HTML5 specification update. This detection looks for patterns indicating attempts to exploit these event handlers in both request URIs and User-Agent headers, allowing it to catch attackers who attempt to evade detection by hiding their payloads in HTTP headers rather than request parameters.
+
+By monitoring for these event handler patterns, security teams can identify both reconnaissance activities and active exploitation attempts targeting their web applications through this specific XSS vector.
+
+**References**:
+- [OWASP XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
+- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
+- [OWASP Top 10 2021: A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
+- [MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/)
\ No newline at end of file
diff --git a/detections/docs/cross_site_scripting_html_injection.md b/detections/docs/cross_site_scripting_html_injection.md
new file mode 100644
index 0000000..26520ea
--- /dev/null
+++ b/detections/docs/cross_site_scripting_html_injection.md
@@ -0,0 +1,17 @@
+## Overview
+
+The XSS HTML Injection detection identifies Cross-Site Scripting (XSS) attacks that use HTML tag injection to execute malicious JavaScript. Unlike direct script tag injection, this attack vector leverages various HTML elements with event handlers or specific attributes that can execute JavaScript code.
+
+This detection examines both HTTP requests and User-Agent headers for HTML elements commonly used in XSS attacks, including `<iframe>`, `<img>`, `<svg>`, `<object>`, `<embed>`, as well as HTML5 elements like `<video>` and `<audio>`. These elements can be manipulated to execute JavaScript through event handlers or specialized attributes without requiring explicit script tags.
+
+HTML injection XSS attacks are particularly dangerous because they can bypass many traditional XSS filters that focus primarily on script tags. For example, an attacker might inject an image tag with an onerror event handler: `<img src="invalid" onerror="alert(document.cookie)">`. When the image fails to load, the JavaScript in the event handler executes in the context of the web application.
+
+Modern HTML5 specifications have introduced numerous additional elements and attributes that can be used for XSS attacks, substantially expanding the attack surface. By examining both request URIs and User-Agent headers, this detection can identify attackers who attempt to evade security controls by hiding their payloads in HTTP headers rather than request parameters.
+
+This detection helps security teams identify both reconnaissance activities and active exploitation attempts targeting their web applications through HTML tag-based XSS vectors.
+
+**References**:
+- [OWASP XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
+- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
+- [OWASP Top 10 2021: A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
+- [MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/)
\ No newline at end of file
diff --git a/detections/docs/cross_site_scripting_javascript_methods.md b/detections/docs/cross_site_scripting_javascript_methods.md
new file mode 100644
index 0000000..7077427
--- /dev/null
+++ b/detections/docs/cross_site_scripting_javascript_methods.md
@@ -0,0 +1,17 @@
+## Overview
+
+The XSS JavaScript Methods detection identifies Cross-Site Scripting (XSS) attacks that specifically target dangerous JavaScript methods and functions. This type of attack focuses on injecting code that uses powerful JavaScript methods like `eval()`, `setTimeout()`, `setInterval()`, and `Function()` constructor calls to execute arbitrary code.
+
+This detection examines both HTTP requests and User-Agent headers for patterns indicating the use of these high-risk JavaScript methods. It focuses on identifying attempts to use methods that can execute strings as code, manipulate the DOM, access cookies, or perform other sensitive operations that could lead to security breaches.
+
+JavaScript method-based XSS attacks are particularly dangerous because they often involve direct code execution capabilities. The `eval()` function and similar methods can execute arbitrary JavaScript passed as strings, creating a powerful vector for attackers. Similarly, timing functions like `setTimeout()` and `setInterval()` can be abused to execute code with delayed timing or repeatedly.
+
+These attacks typically target web applications with insufficient input validation or output encoding. Attackers may attempt to inject these method calls into URL parameters, form fields, or other user-controllable inputs. By examining both request URIs and User-Agent headers, this detection can identify attackers who attempt to evade security controls by hiding their payloads in HTTP headers rather than request parameters.
+
+This comprehensive approach helps security teams identify both reconnaissance activities and actual exploitation attempts targeting their web applications through JavaScript method-based XSS vectors.
+
+**References**:
+- [OWASP XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
+- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
+- [OWASP Top 10 2021: A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
+- [MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/)
\ No newline at end of file
diff --git a/detections/docs/cross_site_scripting_javascript_uri.md b/detections/docs/cross_site_scripting_javascript_uri.md
new file mode 100644
index 0000000..24b0ac5
--- /dev/null
+++ b/detections/docs/cross_site_scripting_javascript_uri.md
@@ -0,0 +1,17 @@
+## Overview
+
+The XSS JavaScript URI Vector detection identifies Cross-Site Scripting (XSS) attacks that specifically leverage JavaScript URI schemes to execute malicious code. This attack vector is particularly dangerous as it can be used within various HTML attributes to trigger script execution.
+
+This detection analyzes both HTTP requests and User-Agent headers for the presence of JavaScript URI schemes (`javascript:`) and their obfuscated variants. Attackers often use these URI schemes in attributes like `href`, `src`, `action`, and others to execute arbitrary JavaScript code when a user interacts with the element containing the malicious attribute.
+
+JavaScript URI-based XSS attacks can be especially deceptive as they can be hidden in legitimate-looking links or redirects. When users click on links containing these URI schemes, the browser will execute the JavaScript code in the context of the current page, potentially leading to session hijacking, credential theft, or other malicious actions.
+
+Attackers frequently employ obfuscation techniques to bypass security filters, including character splitting (e.g., `j%0Aa%0Avascript`), URL encoding, and various combinations of characters to spell out "javascript" in ways that may bypass simple pattern matching but are still interpreted by browsers as the JavaScript protocol.
+
+By examining both request URIs and User-Agent headers, this detection can identify attackers who attempt to evade security controls by placing their payloads in HTTP headers rather than request parameters. This approach helps security teams identify potential vulnerability exploitation attempts targeting their web applications through this specific XSS vector.
+
+**References**:
+- [OWASP XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
+- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
+- [OWASP Top 10 2021: A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
+- [MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/)
\ No newline at end of file
diff --git a/detections/docs/cross_site_scripting_script_tag.md b/detections/docs/cross_site_scripting_script_tag.md
new file mode 100644
index 0000000..55344ba
--- /dev/null
+++ b/detections/docs/cross_site_scripting_script_tag.md
@@ -0,0 +1,15 @@
+## Overview
+
+The XSS Script Tag Vector detection identifies Cross-Site Scripting (XSS) attacks that specifically use script tags to inject and execute arbitrary JavaScript code in the context of a web application. This is one of the most direct and common methods attackers use to exploit XSS vulnerabilities.
+
+This detection examines both HTTP requests and User-Agent headers for standard and obfuscated script tag patterns. It identifies attempts to inject `<script>` tags directly, script tags with external sources, and various evasion techniques attackers use to bypass basic input filters and web application firewalls. These evasion techniques include character splitting, null byte injection, and various encoding methods.
+
+When successful, script tag XSS attacks allow attackers to execute arbitrary JavaScript in the victim's browser, which can lead to session hijacking, credential theft, malicious redirects, or complete account takeover. The injected scripts run with the privileges of the web application, giving attackers access to any information or functionality available to the legitimate application.
+
+The detection helps identify both scanning attempts and active exploitation by focusing on the script tag patterns found in request URIs and User-Agent headers. By examining both the request URI and User-Agent fields, this detection can catch attackers who attempt to evade security controls by placing their payloads in HTTP headers. This approach helps security teams identify potential XSS vulnerabilities in their web applications before they can be successfully exploited, or detect active exploitation attempts.
+
+**References**:
+- [OWASP XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html)
+- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
+- [PortSwigger: Cross-site scripting](https://portswigger.net/web-security/cross-site-scripting)
+- [MITRE ATT&CK: T1059.007 Command and Scripting Interpreter: JavaScript](https://attack.mitre.org/techniques/T1059/007/)
\ No newline at end of file
diff --git a/detections/docs/encoded_path_traversal.md b/detections/docs/encoded_path_traversal.md
new file mode 100644
index 0000000..cc34c2a
--- /dev/null
+++ b/detections/docs/encoded_path_traversal.md
@@ -0,0 +1,13 @@
+## Overview
+
+Detect when a web server received requests with URL-encoded or otherwise obfuscated path traversal patterns. This detection focuses on identifying path traversal attempts that use various encoding methods to evade basic security controls, making it effective at catching more sophisticated attacks.
+
+Attackers use encoding techniques to bypass simple pattern matching and security filters when attempting path traversal attacks. Common encoding methods include URL encoding (percent encoding) where characters are replaced with their hexadecimal ASCII values (e.g., `../` becomes `%2e%2e%2f`), double encoding where already encoded values are encoded again (e.g., `%2e` becomes `%252e`), Unicode/UTF-8 encoding using the `%u` notation (e.g., `../` becomes `%u002e%u002e%u002f`), and backslash variants particularly targeting Windows systems (e.g., `../` becomes `..%5c`). These encoding techniques are often combined with other evasion methods like path normalization tricks and null byte injection.
+
+When this detection triggers, security teams should verify if the access attempt was successful, analyze what files the attacker was attempting to access, implement a web application firewall with rules to block encoded path traversal, use proper input validation with allowlists rather than denylists, apply the principle of least privilege for web server file access, patch and update web applications and frameworks, and implement proper file access controls. False positives may occur with applications that use encoded characters in URLs for legitimate purposes, language or internationalization features that use Unicode characters, frameworks that use URL encoding for special characters, and content management systems with complex URL structures.
+
+**References**:
+- [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+- [CWE-22: Improper Limitation of a Pathname to a Restricted Directory](https://cwe.mitre.org/data/definitions/22.html)
+- [OWASP: Testing for Path Traversal](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include)
+- [MITRE ATT&CK: File and Directory Discovery (T1083)](https://attack.mitre.org/techniques/T1083/) 
\ No newline at end of file
diff --git a/detections/docs/header_based_local_file_inclusion.md b/detections/docs/header_based_local_file_inclusion.md
new file mode 100644
index 0000000..5a023b6
--- /dev/null
+++ b/detections/docs/header_based_local_file_inclusion.md
@@ -0,0 +1,13 @@
+## Overview
+
+Detect when a web server received requests with Local File Inclusion (LFI) attack patterns in the User-Agent or other headers. This specialized detection focuses on identifying path traversal and file inclusion attempts that specifically target HTTP headers rather than typical URL parameters or path components.
+
+Header-based LFI attacks represent an advanced evasion technique where attackers place path traversal sequences and OS file paths in HTTP headers to bypass Web Application Firewalls (WAFs) and other security controls that focus on examining request URLs. Standard security controls often focus on URL parameters and paths while neglecting HTTP headers - many WAF configurations may not thoroughly inspect HTTP headers for attack patterns, header-based attacks can bypass security monitoring focused on request URLs, and headers are sometimes logged separately and may receive less security scrutiny.
+
+This detection identifies multiple LFI techniques in HTTP headers, including basic path traversal with directory navigation sequences like `../` and `..\`, encoded path traversal with URL-encoded variants like `..%2f` and `%2e%2e%2f`, and OS file access attempts to access sensitive system files like `/etc/passwd`, `/etc/shadow`, and Windows configuration files. Web applications that process User-Agent headers without proper sanitization, logging infrastructure that stores header values in files whose paths are influenced by those values, and server-side includes or templates that might process and render header values are particularly at risk from these attack vectors.
+
+**References**:
+- [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+- [OWASP Testing Guide - Testing for Local File Inclusion](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion.html)
+- [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)
+- [MITRE ATT&CK: Exploit Public-Facing Application (T1190)](https://attack.mitre.org/techniques/T1190/) 
\ No newline at end of file
diff --git a/detections/docs/hidden_file_access.md b/detections/docs/hidden_file_access.md
new file mode 100644
index 0000000..a89044f
--- /dev/null
+++ b/detections/docs/hidden_file_access.md
@@ -0,0 +1,14 @@
+## Overview
+
+Detect attempts to access hidden files and directories, including version control repositories, configuration files, and other sensitive resources not intended for public access. These files often contain sensitive information that can be exploited for further attacks.
+
+Attackers target hidden files and directories that may contain sensitive information such as version control repositories (`.git`, `.svn`) which can expose source code and commit history, configuration files (`.env`, `.htaccess`, `.htpasswd`) which may contain credentials and security settings, hidden system files (`.DS_Store`, `.bash_history`) which can reveal system information, development environment files (`.vscode`, `.idea`) which may contain project secrets, and infrastructure configuration files (`docker-compose.yml`, `Dockerfile`, `kubeconfig`) which reveal architecture details. These files are often unintentionally exposed due to misconfiguration or oversight during deployment.
+
+When this detection triggers, security teams should verify whether the access attempt was successful, review which hidden files were targeted and what sensitive information they may contain, remove or properly secure access to hidden files and directories, configure web servers to block access to hidden files, implement proper `.gitignore` files and deployment processes to prevent exposure, check for credentials or secrets that may have been exposed and rotate them, and consider implementing Git hooks to prevent committing sensitive files. Some legitimate scenarios may trigger this detection, including version control integrations that legitimately access repository files, development tools that check for configuration files, content management systems with special handling for hidden files, and administrative tools that manage server configuration files.
+
+**References**:
+- [OWASP: Reviewing Code for Version Control Systems Leakage](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information)
+- [CWE-527: Exposure of Version-Control Repository to an Unauthorized Control Sphere](https://cwe.mitre.org/data/definitions/527.html)
+- [Git-Secrets: Preventing sensitive information from being committed](https://github.com/awslabs/git-secrets)
+- [OWASP File Upload Security Guide](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
+- [MITRE ATT&CK: File and Directory Discovery (T1083)](https://attack.mitre.org/techniques/T1083/) 
\ No newline at end of file
diff --git a/detections/docs/log4shell_vulnerability.md b/detections/docs/log4shell_vulnerability.md
new file mode 100644
index 0000000..38c9f6c
--- /dev/null
+++ b/detections/docs/log4shell_vulnerability.md
@@ -0,0 +1,16 @@
+## Overview
+
+Detect when a web server received requests containing Log4j/Log4Shell exploitation patterns (CVE-2021-44228, CVE-2021-45046). This detection focuses on identifying attempts to exploit a critical remote code execution vulnerability in the widely-used Log4j Java logging framework.
+
+The Log4Shell vulnerability exploits Log4j's JNDI (Java Naming and Directory Interface) lookup functionality, which allows for dynamic loading of Java classes. When Log4j logs a string containing a JNDI lookup expression (like `${jndi:ldap://malicious-server/payload}`), it attempts to resolve the reference, potentially executing arbitrary code from a remote source. Attackers typically inject these JNDI expressions into fields that are likely to be logged, such as HTTP headers, form fields, and URL parameters.
+
+Multiple variations of the attack exist, including obfuscation techniques to bypass detection, such as nested expressions, HTML entity encoding, and using string manipulation functions within the JNDI expression. This detection identifies both simple and sophisticated attack attempts by scanning for common JNDI injection patterns in HTTP request URIs and User-Agent headers, including standard patterns (`${jndi:...}`), nested expressions (`${${...}}`), encoded variants (`&dollar;{jndi:...}`), and obfuscated patterns using Log4j's lookup features (`${lower:${upper:j}ndi}`).
+
+When this detection triggers, security teams should immediately isolate affected systems if possible, check if the exploitation attempt was successful by looking for unusual outbound connections or newly created files, update all Log4j installations to patched versions (2.17.0 or newer), implement web application firewall rules to block JNDI lookup patterns, scan all applications and dependencies for Log4j vulnerabilities, and enhance logging to identify potential compromises. While this detection may occasionally trigger on security scanning or legitimate applications using ${} syntax in parameters, these cases are extremely rare in normal web traffic.
+
+**References**:
+- [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
+- [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046)
+- [OWASP: Log4j Security Vulnerabilities](https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities)
+- [CISA Alert: Log4j Vulnerabilities](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a)
+- [MITRE ATT&CK: Command and Scripting Interpreter (T1059)](https://attack.mitre.org/techniques/T1059/)
\ No newline at end of file
diff --git a/detections/docs/os_file_access.md b/detections/docs/os_file_access.md
new file mode 100644
index 0000000..4ee1976
--- /dev/null
+++ b/detections/docs/os_file_access.md
@@ -0,0 +1,13 @@
+## Overview
+
+Detect when a web server received requests attempting to access common operating system files. This detection focuses on identifying attempts to access sensitive system files that should never be accessible through a web application, which may indicate Local File Inclusion (LFI) vulnerabilities or other file disclosure attacks.
+
+Attackers target operating system files including Unix/Linux system files (such as `/etc/passwd`, `/etc/shadow`, `/etc/hosts`, `/etc/issue`, `/proc/self/`, `/proc/version`, `/var/log/`), Windows system files (such as `win.ini`, `system32`, `boot.ini`, `windows/system.ini`, `autoexec.bat`, `config.sys`), and common web server configuration files (such as `/usr/local/apache`, `/usr/local/etc/httpd`, `/var/www/`, `/var/apache`). 
+
+Successful exploitation can lead to disclosure of sensitive system information, including usernames, system configuration, and potentially even password hashes. Attackers use this information for reconnaissance and to plan further attacks. When this detection triggers, security teams should verify if the access attempt was successful (checking for 200 OK responses rather than 404 errors), analyze which system files were targeted, implement proper web server configuration to block access to system directories, configure web application firewalls to block common LFI patterns, validate and sanitize all file path inputs in the application, and review the application for file inclusion vulnerabilities. Some legitimate scenarios that may trigger this detection include system administration tools operating through web interfaces, monitoring and logging applications that need access to system files, and authorized system information display pages.
+
+**References**:
+- [OWASP Path Traversal Prevention](https://owasp.org/www-community/attacks/Path_Traversal) 
+- [CWE-22: Improper Limitation of a Pathname to a Restricted Directory](https://cwe.mitre.org/data/definitions/22.html)
+- [OWASP File Security Guide](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
+- [MITRE ATT&CK: File and Directory Discovery (T1083)](https://attack.mitre.org/techniques/T1083/)
diff --git a/detections/docs/path_traversal.md b/detections/docs/path_traversal.md
new file mode 100644
index 0000000..2accc95
--- /dev/null
+++ b/detections/docs/path_traversal.md
@@ -0,0 +1,13 @@
+## Overview
+
+Detect when a web server received requests with path traversal patterns like '../'. This detection focuses on identifying attempts to navigate outside the intended web directory structure using directory traversal sequences, which is a common technique used in Local File Inclusion (LFI) attacks.
+
+Path traversal (also known as directory traversal) attacks use patterns such as `../` (or variations like `./`, `..\\`, `\\.\\`) to navigate up the directory tree and access files outside the web root or application's intended directory structure. By manipulating variables that reference files with "dot-dot-slash" sequences, attackers can access arbitrary files and directories stored on the file system, including application source code, configuration files, and critical system files. The most basic form uses `../` sequences, while more sophisticated attacks may use encoded versions or additional techniques to bypass security controls.
+
+When this detection triggers, security teams should verify if the attack was successful by checking log entries for 200 OK responses versus 404/403 errors, review which files the attacker attempted to access, implement server-side input validation that rejects or sanitizes path traversal sequences, configure the web server to restrict access to only the required directories, use a Web Application Firewall (WAF) with rules to block path traversal attacks, patch and update web applications to address potential LFI vulnerabilities, and implement proper file access controls based on the principle of least privilege. Some legitimate scenarios may trigger this detection, including certain content management systems with specific URL structures, development frameworks that use path-like parameters, applications that implement file browsers or explorers with navigation capabilities, and applications that legitimately need to reference parent directories.
+
+**References**:
+- [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+- [CWE-22: Improper Limitation of a Pathname to a Restricted Directory](https://cwe.mitre.org/data/definitions/22.html)
+- [OWASP: Testing for Path Traversal](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include)
+- [MITRE ATT&CK: File and Directory Discovery (T1083)](https://attack.mitre.org/techniques/T1083/) 
\ No newline at end of file
diff --git a/detections/docs/restricted_file_access.md b/detections/docs/restricted_file_access.md
new file mode 100644
index 0000000..a207d42
--- /dev/null
+++ b/detections/docs/restricted_file_access.md
@@ -0,0 +1,14 @@
+## Overview
+
+Detect requests that attempt to access restricted application files such as configuration files, source code, database files, and temporary or backup files. Such access attempts may indicate attackers trying to extract sensitive application data or internal logic.
+
+Attackers target restricted files that may contain sensitive information such as configuration files (`.conf`, `.config`, `.ini`), backup or temporary files (`.bak`, `.old`, `.backup`, `~` files), source code files (especially those with extensions like `.inc`), database files (`.db`, `.sqlite`, `.mdb`), application metadata (`.php~`, `.php.swp`, etc.), and framework-specific directories (`/WEB-INF/`, `/META-INF/`). Accessing these files can reveal application credentials, database connection strings, API keys and secrets, business logic vulnerabilities, and internal application structure.
+
+When this detection triggers, security teams should verify if the access attempt was successful by checking for 200 OK responses, analyze which files were targeted and what sensitive information they may contain, remove or relocate sensitive files from the web root directory, implement proper web server configuration to block access to restricted file types, configure version control systems to exclude sensitive files from deployment, add proper file extension handling in web server configuration, and consider implementing a Web Application Firewall (WAF) with file restriction rules. Some legitimate scenarios may trigger this detection, including development environments where debugging information is accessible, administrative interfaces that legitimately access configuration files, content management systems that handle various file types, and applications that generate and serve configuration files.
+
+**References**:
+- [OWASP Sensitive Data Exposure](https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure)
+- [CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory](https://cwe.mitre.org/data/definitions/538.html)
+- [Securing Application Configuration Files](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#configuration-files)
+- [SANS: Securing Web Application Technologies [SWAT] Checklist](https://www.sans.org/cloud-security/securing-web-application-technologies/)
+- [MITRE ATT&CK: File and Directory Discovery (T1083)](https://attack.mitre.org/techniques/T1083/) 
\ No newline at end of file
diff --git a/detections/docs/spring4shell_vulnerability.md b/detections/docs/spring4shell_vulnerability.md
new file mode 100644
index 0000000..7391cdf
--- /dev/null
+++ b/detections/docs/spring4shell_vulnerability.md
@@ -0,0 +1,15 @@
+## Overview
+
+Detect when a web server received requests containing Spring4Shell exploitation patterns (CVE-2022-22965). This detection focuses on identifying attempts to exploit a critical remote code execution vulnerability in the Spring Framework, commonly known as Spring4Shell.
+
+The Spring4Shell vulnerability affects Spring Core and allows attackers to execute arbitrary code on vulnerable systems. The vulnerability exists in the way Spring Framework handles class loading and property binding. When an attacker creates a specially crafted request to a Spring application using specific class-loading expressions, they can bypass protections and execute arbitrary code on the server.
+
+This detection identifies multiple Spring4Shell attack patterns by scanning for malicious class-loading payloads in HTTP request URIs and User-Agent headers. These patterns include direct references to class loaders and application contexts that enable code execution, such as `class.module.classLoader.resources.context.parent.pipeline` and `springframework.context.support.FileSystemXmlApplicationContext`. The detection also accounts for URL-encoded variants of these payloads, which are common evasion techniques.
+
+When this detection triggers, security teams should immediately verify which systems were targeted and whether they are running vulnerable versions of Spring Framework, isolate affected systems if possible, apply available patches to update Spring Framework to secure versions (Spring Framework 5.3.18+ or 5.2.20+), implement web application firewall rules to block Spring4Shell exploitation patterns, and enhance logging to identify potential compromises. This detection may occasionally trigger false positives for systems using legitimate Spring Framework functionality, particularly in development environments where debugging information might contain similar patterns.
+
+**References**:
+- [CVE-2022-22965](https://nvd.nist.gov/vuln/detail/CVE-2022-22965)
+- [Spring Framework RCE - Spring4Shell Vulnerability Explained](https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/)
+- [OWASP: Class Loader Manipulation](https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection)
+- [MITRE ATT&CK: Command and Scripting Interpreter (T1059)](https://attack.mitre.org/techniques/T1059/)
\ No newline at end of file
diff --git a/detections/docs/sql_injection_blind_based.md b/detections/docs/sql_injection_blind_based.md
new file mode 100644
index 0000000..35c0d70
--- /dev/null
+++ b/detections/docs/sql_injection_blind_based.md
@@ -0,0 +1,17 @@
+## Overview
+
+Detect blind SQL injection attacks that attempt to extract information from the database using boolean conditions or time delays. Blind SQL injection occurs when an application is vulnerable to SQL injection but does not display database error messages or query results directly. Instead, attackers must infer information by observing differences in application behavior based on boolean conditions.
+
+This detection identifies patterns commonly used in blind SQL injection, including:
+- Conditional statements (AND 1=1, AND 1=2) that manipulate query logic
+- String manipulation functions like SUBSTR and ASCII used to extract data character by character
+- Comparison operations used to test data values
+- URL-encoded variants of these techniques designed to evade detection
+
+Blind SQL injection attacks are particularly stealthy as they don't rely on visible error messages or direct data retrieval, making them harder to detect through traditional means.
+
+**References**:
+- [OWASP SQL Injection Guide](https://owasp.org/www-community/attacks/SQL_Injection)
+- [Blind SQL Injection](https://owasp.org/www-community/attacks/Blind_SQL_Injection)
+- [CWE-89: Improper Neutralization of Special Elements used in an SQL Command](https://cwe.mitre.org/data/definitions/89.html)
+- [MITRE ATT&CK: Exploit Public-Facing Application (T1190)](https://attack.mitre.org/techniques/T1190/)
\ No newline at end of file
diff --git a/detections/docs/sql_injection_common_patterns.md b/detections/docs/sql_injection_common_patterns.md
new file mode 100644
index 0000000..6169b34
--- /dev/null
+++ b/detections/docs/sql_injection_common_patterns.md
@@ -0,0 +1,11 @@
+## Overview
+
+Detect common SQL injection patterns targeting typical SQL keywords and syntax patterns. This detection identifies frequently used SQL injection techniques that might indicate an attempt to manipulate database queries, focusing on the most widespread syntax elements attackers use to compromise database security.
+
+This detection identifies common SQL command patterns (SELECT, INSERT, DELETE, UPDATE), basic SQL injection techniques (OR 1=1), and SQL comment markers used to bypass security controls.
+
+**References**:
+- [OWASP SQL Injection Guide](https://owasp.org/www-community/attacks/SQL_Injection)
+- [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
+- [CWE-89: Improper Neutralization of Special Elements used in an SQL Command](https://cwe.mitre.org/data/definitions/89.html)
+- [MITRE ATT&CK: Exploit Public-Facing Application (T1190)](https://attack.mitre.org/techniques/T1190/)
\ No newline at end of file
diff --git a/detections/docs/sql_injection_error_based.md b/detections/docs/sql_injection_error_based.md
new file mode 100644
index 0000000..4fad38a
--- /dev/null
+++ b/detections/docs/sql_injection_error_based.md
@@ -0,0 +1,17 @@
+## Overview
+
+Detect error-based SQL injection attacks that attempt to extract information from database error messages. Error-based SQL injection is a technique where attackers deliberately cause database errors that contain sensitive information. By manipulating SQL queries to generate specific errors, attackers can extract data from the database through the error messages themselves when those messages are displayed to users.
+
+This detection identifies:
+- Database functions commonly used in error-based techniques (CONVERT, CAST, EXTRACTVALUE)
+- Database structure exposure functions (VERSION, @@version, DB_NAME)
+- SQL syntax that often triggers informative errors (HAVING, GROUP BY, ORDER BY)
+- Database system-specific functions used for error-based extraction
+
+Error-based SQL injection can be particularly effective against applications that display detailed database error messages to users, as it turns error handling into an attack vector.
+
+**References**:
+- [OWASP SQL Injection Guide](https://owasp.org/www-community/attacks/SQL_Injection)
+- [Error-Based SQL Injection Techniques](https://www.exploit-db.com/papers/17934)
+- [CWE-89: Improper Neutralization of Special Elements used in an SQL Command](https://cwe.mitre.org/data/definitions/89.html)
+- [MITRE ATT&CK: Exploit Public-Facing Application (T1190)](https://attack.mitre.org/techniques/T1190/)
\ No newline at end of file
diff --git a/detections/docs/sql_injection_time_based.md b/detections/docs/sql_injection_time_based.md
new file mode 100644
index 0000000..a574e09
--- /dev/null
+++ b/detections/docs/sql_injection_time_based.md
@@ -0,0 +1,18 @@
+## Overview
+
+Detect time-based SQL injection attacks that attempt to extract information by causing delays in database response times. Time-based SQL injection is a blind SQL injection technique where attackers infer information based on the time it takes for the database to respond. By injecting functions that cause the database to pause or delay execution, attackers can determine if conditions are true or false based on whether the response is delayed.
+
+This detection identifies:
+- Database-specific sleep/delay functions across multiple database platforms (SLEEP, BENCHMARK, PG_SLEEP, WAITFOR DELAY)
+- Conditional time-delay patterns used to extract data bit by bit
+- Various URL encoding techniques used to obfuscate time-based injection attempts
+- Heavy computational functions used to cause delays when direct sleep functions are blocked
+
+Time-based SQL injection is particularly effective against applications where other injection techniques fail, as it requires no error messages or direct output from the database query. It's a stealthy technique that can be used even when the application provides minimal feedback.
+
+**References**:
+- [OWASP SQL Injection Guide](https://owasp.org/www-community/attacks/SQL_Injection)
+- [Blind SQL Injection](https://owasp.org/www-community/attacks/Blind_SQL_Injection)
+- [Time-Based Blind SQL Injection Attacks](https://portswigger.net/web-security/sql-injection/blind)
+- [CWE-89: Improper Neutralization of Special Elements used in an SQL Command](https://cwe.mitre.org/data/definitions/89.html)
+- [MITRE ATT&CK: Exploit Public-Facing Application (T1190)](https://attack.mitre.org/techniques/T1190/)
\ No newline at end of file
diff --git a/detections/docs/sql_injection_union_based.md b/detections/docs/sql_injection_union_based.md
new file mode 100644
index 0000000..e5a9549
--- /dev/null
+++ b/detections/docs/sql_injection_union_based.md
@@ -0,0 +1,11 @@
+## Overview
+
+Detect UNION-based SQL injection attacks that attempt to join results from another query to the original query's results. UNION-based SQL injection is a technique where attackers append an additional SELECT statement to an existing query using the UNION operator. This technique allows attackers to combine results from the original query with results from an injected query, enabling them to extract data from different database tables.
+
+This detection identifies various patterns of UNION-based SQL injection, including regular syntax, URL-encoded variants, and obfuscation techniques designed to evade detection. Attackers often use these methods to bypass security controls while still executing malicious database queries.
+
+**References**:
+- [OWASP SQL Injection Guide](https://owasp.org/www-community/attacks/SQL_Injection)
+- [SQL Injection UNION Attacks](https://portswigger.net/web-security/sql-injection/union-attacks)
+- [CWE-89: Improper Neutralization of Special Elements used in an SQL Command](https://cwe.mitre.org/data/definitions/89.html)
+- [MITRE ATT&CK: Exploit Public-Facing Application (T1190)](https://attack.mitre.org/techniques/T1190/)
\ No newline at end of file
diff --git a/detections/docs/sql_injection_user_agent_based.md b/detections/docs/sql_injection_user_agent_based.md
new file mode 100644
index 0000000..a6e53c6
--- /dev/null
+++ b/detections/docs/sql_injection_user_agent_based.md
@@ -0,0 +1,14 @@
+## Overview
+
+Detect SQL injection attacks that use the User-Agent header rather than URL parameters to bypass WAF protections or input filtering. This is an advanced evasion technique where attackers inject SQL code into the HTTP User-Agent header instead of query parameters or form fields. This method often bypasses traditional web application firewalls (WAFs) and input validation controls that focus on standard request parameters.
+
+This detection identifies SQL injection patterns in the User-Agent header, including SQL commands (SELECT, UNION, INSERT), comment markers, logic-based patterns (OR 1=1), database-specific functions, and time-based techniques. Attackers increasingly target non-standard HTTP headers to evade security controls. Unlike parameter-based SQL injection, User-Agent-based attacks often bypass WAF rules focused on URL parameters and form fields, may not appear in web server logs that don't record full header information, and can exploit backend logging systems that directly store User-Agent values in databases.
+
+Web applications that store User-Agent strings directly in databases without proper sanitization, log management systems that process User-Agent data through SQL queries, and analytics platforms that consume User-Agent data for statistics are particularly at risk from this attack vector.
+
+**References**:
+- [OWASP SQL Injection Prevention](https://owasp.org/www-community/attacks/SQL_Injection)
+- [OWASP HTTP Security Headers Guide](https://owasp.org/www-community/Security_Headers)
+- [CWE-89: Improper Neutralization of Special Elements used in an SQL Command](https://cwe.mitre.org/data/definitions/89.html)
+- [MITRE ATT&CK: Exploit Public-Facing Application (T1190)](https://attack.mitre.org/techniques/T1190/)
+- [OWASP HTTP Security Testing Guide](https://owasp.org/www-community/attacks/HTTP_Response_Splitting) 
diff --git a/detections/local_file_inclusion.pp b/detections/local_file_inclusion.pp
new file mode 100644
index 0000000..5a2e81a
--- /dev/null
+++ b/detections/local_file_inclusion.pp
@@ -0,0 +1,343 @@
+locals {
+  local_file_inclusion_common_tags = merge(local.apache_access_log_detections_common_tags, {
+    category    = "Security"
+    attack_type = "Local File Inclusion"
+  })
+}
+
+benchmark "local_file_inclusion_detections" {
+  title       = "Local File Inclusion (LFI) Detections"
+  description = "This benchmark contains LFI focused detections when scanning access logs."
+  type        = "detection"
+  children = [
+    detection.encoded_path_traversal,
+    detection.header_based_local_file_inclusion,
+    detection.hidden_file_access,
+    detection.os_file_access,
+    detection.path_traversal,
+    detection.restricted_file_access,
+  ]
+
+  tags = merge(local.local_file_inclusion_common_tags, {
+    type = "Benchmark"
+  })
+}
+
+detection "path_traversal" {
+  title           = "Path Traversal"
+  description     = "Detect directory traversal attacks using path sequences like '../' that attempt to access files outside the intended directory."
+  documentation   = file("./detections/docs/path_traversal.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.path_traversal
+
+  tags = merge(local.local_file_inclusion_common_tags, {
+    mitre_attack_ids = "TA0007:T1083",
+    owasp_top_10     = "A01:2021-Broken Access Control"
+  })
+}
+
+query "path_traversal" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- Directory traversal sequences
+        request_uri ilike '%../%'
+        or request_uri ilike '%..\\%'
+        or request_uri ilike '%/./%'
+        or request_uri ilike '%\\.\\%'
+        or request_uri ilike '%/.%'
+        or request_uri ilike '%\\\\%'
+        -- Most common exploits
+        or request_uri ilike '%../..%'
+        or request_uri ilike '%../../../%'
+        or request_uri ilike '%../../../../%'
+        or request_uri ilike '%..//%'
+        or request_uri ilike '%../../../../../../../../%'
+        -- Bypass techniques
+        or request_uri ilike '%..;/%'
+        or request_uri ilike '%..///%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "encoded_path_traversal" {
+  title           = "Encoded Path Traversal"
+  description     = "Detect directory traversal attacks using URL encoded or otherwise obfuscated path sequences to bypass security filters."
+  documentation   = file("./detections/docs/encoded_path_traversal.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.encoded_path_traversal
+
+  tags = merge(local.local_file_inclusion_common_tags, {
+    mitre_attack_ids = "TA0007:T1083",
+    owasp_top_10     = "A01:2021-Broken Access Control"
+  })
+}
+
+query "encoded_path_traversal" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- URL encoded traversal sequences
+        request_uri ilike '%..%2f%'
+        or request_uri ilike '%..%2F%'
+        or request_uri ilike '%..%5c%'
+        or request_uri ilike '%..%5C%'
+        or request_uri ilike '%%2e%2e%2f%'
+        or request_uri ilike '%2e%2e/%'
+        or request_uri ilike '%2e%2e%2f%'
+        or request_uri ilike '%2e%2e%5c%'
+        -- Double URL encoding
+        or request_uri ilike '%%252e%252e%252f%'
+        or request_uri ilike '%%252e%252e%255c%'
+        -- Unicode/UTF-8 encoding
+        or request_uri ilike '%..%c0%af%'
+        or request_uri ilike '%..%e0%80%af%'
+        or request_uri ilike '%..%c1%1c%'
+        or request_uri ilike '%..%c1%9c%'
+        -- Overlong UTF-8 encoding
+        or request_uri ilike '%..%c0%2f%'
+        or request_uri ilike '%..%c0%5c%'
+        or request_uri ilike '%..%c0%80%af%'
+        -- Hex-encoded
+        or request_uri ilike '%2e2e2f%'
+        or request_uri ilike '%2e2e5c%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "os_file_access" {
+  title           = "OS File Access"
+  description     = "Detect attempts to access sensitive operating system files that might reveal confidential system information."
+  documentation   = file("./detections/docs/os_file_access.md")
+  severity        = "high"
+  display_columns = local.detection_display_columns
+
+  query = query.os_file_access
+
+  tags = merge(local.local_file_inclusion_common_tags, {
+    mitre_attack_ids = "TA0007:T1083",
+    owasp_top_10     = "A01:2021-Broken Access Control"
+  })
+}
+
+query "os_file_access" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- Unix/Linux sensitive files
+        request_uri ilike '%/etc/passwd%'
+        or request_uri ilike '%/etc/shadow%'
+        or request_uri ilike '%/etc/hosts%'
+        or request_uri ilike '%/etc/fstab%'
+        or request_uri ilike '%/etc/issue%'
+        or request_uri ilike '%/etc/profile%'
+        or request_uri ilike '%/etc/ssh%'
+        or request_uri ilike '%/proc/version%'
+        or request_uri ilike '%/proc/self%'
+        or request_uri ilike '%/proc/cpuinfo%'
+        or request_uri ilike '%/var/log/auth.log%'
+        or request_uri ilike '%/var/log/secure%'
+        -- Windows sensitive files
+        or request_uri ilike '%c:\\windows\\win.ini%'
+        or request_uri ilike '%c:\\boot.ini%'
+        or request_uri ilike '%c:\\windows\\system32\\config%'
+        or request_uri ilike '%c:\\windows\\repair%'
+        or request_uri ilike '%c:\\windows\\debug\\netsetup.log%'
+        or request_uri ilike '%c:\\windows\\iis%log%'
+        or request_uri ilike '%c:\\sysprep.inf%'
+        or request_uri ilike '%c:\\sysprep\\sysprep.xml%'
+        -- Web server files
+        or request_uri ilike '%/var/log/apache%'
+        or request_uri ilike '%/var/log/httpd%'
+        or request_uri ilike '%/usr/local/apache%'
+        or request_uri ilike '%/usr/local/nginx%'
+        or request_uri ilike '%/var/log/nginx%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "restricted_file_access" {
+  title           = "Restricted File Access"
+  description     = "Detect attempts to access restricted application files, such as configuration files, that might reveal sensitive application data."
+  documentation   = file("./detections/docs/restricted_file_access.md")
+  severity        = "high"
+  display_columns = local.detection_display_columns
+
+  query = query.restricted_file_access
+
+  tags = merge(local.local_file_inclusion_common_tags, {
+    mitre_attack_ids = "TA0007:T1083",
+    owasp_top_10     = "A01:2021-Broken Access Control"
+  })
+}
+
+query "restricted_file_access" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- Common application config files
+        request_uri ilike '%/config.php%'
+        or request_uri ilike '%/configuration.php%'
+        or request_uri ilike '%/db.php%'
+        or request_uri ilike '%/database.php%'
+        or request_uri ilike '%/settings.php%'
+        or request_uri ilike '%/conf.php%'
+        or request_uri ilike '%/wp-config.php%'
+        or request_uri ilike '%/config.xml%'
+        or request_uri ilike '%/app.config%'
+        or request_uri ilike '%/appsettings.json%'
+        or request_uri ilike '%/config.yml%'
+        or request_uri ilike '%/config.yaml%'
+        or request_uri ilike '%/.env%'
+        or request_uri ilike '%/.htaccess%'
+        or request_uri ilike '%/.svn/%'
+        or request_uri ilike '%/.git/%'
+        -- Popular application source files
+        or request_uri ilike '%/web.config%'
+        or request_uri ilike '%/php.ini%'
+        or request_uri ilike '%/.htpasswd%'
+        or request_uri ilike '%.inc%'
+        -- Temporary or backup files that may contain sensitive data
+        or request_uri ilike '%~%'
+        or request_uri ilike '%.bak%'
+        or request_uri ilike '%.backup%'
+        or request_uri ilike '%.old%'
+        or request_uri ilike '%.orig%'
+        or request_uri ilike '%.tmp%'
+        or request_uri ilike '%.temp%'
+        or request_uri ilike '%.swp%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "hidden_file_access" {
+  title           = "Hidden File Access"
+  description     = "Detect attempts to access hidden files and directories, which may contain sensitive configuration data or credentials."
+  documentation   = file("./detections/docs/hidden_file_access.md")
+  severity        = "medium"
+  display_columns = local.detection_display_columns
+
+  query = query.hidden_file_access
+
+  tags = merge(local.local_file_inclusion_common_tags, {
+    mitre_attack_ids = "TA0007:T1083",
+    owasp_top_10     = "A01:2021-Broken Access Control"
+  })
+}
+
+query "hidden_file_access" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- Common hidden files and directories
+        request_uri ilike '%/.git/%'
+        or request_uri ilike '%/.svn/%'
+        or request_uri ilike '%/.DS_Store%'
+        or request_uri ilike '%/.htpasswd%'
+        or request_uri ilike '%/.npmrc%'
+        or request_uri ilike '%/.env%'
+        or request_uri ilike '%/.aws/%'
+        or request_uri ilike '%/.ssh/%'
+        or request_uri ilike '%/.bash_history%'
+        or request_uri ilike '%/.htaccess%'
+        or request_uri ilike '%/.htpasswd%'
+        or request_uri ilike '%/.config/%'
+        or request_uri ilike '%/.vscode/%'
+        or request_uri ilike '%/.idea/%'
+        -- Docker/Kubernetes files
+        or request_uri ilike '%/docker-compose%'
+        or request_uri ilike '%/Dockerfile%'
+        or request_uri ilike '%/kubernetes/%'
+        or request_uri ilike '%/kubeconfig%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "header_based_local_file_inclusion" {
+  title           = "Header-Based Local File Inclusion"
+  description     = "Detect when a web server received requests with LFI attack patterns in the User-Agent or other headers, which may indicate attempts to bypass basic WAF protections."
+  documentation   = file("./detections/docs/header_based_local_file_inclusion.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.header_based_local_file_inclusion
+
+  tags = merge(local.local_file_inclusion_common_tags, {
+    mitre_attack_ids = "TA0001:T1190",
+    owasp_top_10     = "A01:2021-Broken Access Control"
+  })
+}
+
+query "header_based_local_file_inclusion" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      http_user_agent is not null
+      and (
+        -- Path traversal in User-Agent
+        http_user_agent ilike '%../%'
+        or http_user_agent ilike '%/../%'
+        or http_user_agent ilike '%\\..\\%'
+        or http_user_agent ilike '%\\.\\%'
+        -- Encoded path traversal in User-Agent
+        or http_user_agent ilike '%..%2f%'
+        or http_user_agent ilike '%..%2F%'
+        or http_user_agent ilike '%%2e%2e%2f%'
+        or http_user_agent ilike '%%2E%2E%2F%'
+        or http_user_agent ilike '%..%5c%'
+        or http_user_agent ilike '%..%5C%'
+        -- OS file access in User-Agent
+        or http_user_agent ilike '%/etc/passwd%'
+        or http_user_agent ilike '%/etc/shadow%'
+        or http_user_agent ilike '%/etc/hosts%'
+        or http_user_agent ilike '%/proc/self/%'
+        or http_user_agent ilike '%win.ini%'
+        or http_user_agent ilike '%system32%'
+        or http_user_agent ilike '%boot.ini%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
diff --git a/detections/remote_command_execution.pp b/detections/remote_command_execution.pp
new file mode 100644
index 0000000..eba2035
--- /dev/null
+++ b/detections/remote_command_execution.pp
@@ -0,0 +1,117 @@
+locals {
+  remote_command_execution_common_tags = merge(local.apache_access_log_detections_common_tags, {
+    category = "Remote Command Execution"
+  })
+}
+
+benchmark "remote_command_execution_detections" {
+  title       = "Remote Command Execution (RCE) Detections"
+  description = "This benchmark contains RCE focused detections when scanning access logs."
+  type        = "detection"
+  children = [
+    detection.log4shell_vulnerability,
+    detection.spring4shell_vulnerability,
+  ]
+
+  tags = merge(local.remote_command_execution_common_tags, {
+    type = "Benchmark"
+  })
+}
+
+detection "log4shell_vulnerability" {
+  title           = "Log4Shell Vulnerability"
+  description     = "Detect Log4Shell (CVE-2021-44228) exploitation attempts that target the Java Log4j library vulnerability, allowing attackers to execute arbitrary commands."
+  documentation   = file("./detections/docs/log4shell_vulnerability.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.log4shell_vulnerability
+
+  tags = merge(local.remote_command_execution_common_tags, {
+    mitre_attack_ids = "TA0002:T1059",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "log4shell_vulnerability" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- JNDI lookup patterns
+        request_uri ilike '%$${jndi:%'
+        or request_uri ilike '%$%7bjndi:%'
+        or request_uri ilike '%$${%7bjndi:%'
+        or request_uri ilike '%jndi://%'
+        
+        -- Common protocol exploits
+        or request_uri ilike '%jndi:ldap:%'
+        or request_uri ilike '%jndi:dns:%'
+        or request_uri ilike '%jndi:rmi:%'
+        or request_uri ilike '%jndi:http:%'
+        or request_uri ilike '%jndi:iiop:%'
+        or request_uri ilike '%jndi:corba:%'
+        
+        -- Base64 encoded variants
+        or request_uri ilike '%jTmRp%'
+        or request_uri ilike '%ak5kaQ%'
+        or request_uri ilike '%JE5ESQB%'
+        or request_uri ilike '%SnNkaQ%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "spring4shell_vulnerability" {
+  title           = "Spring4Shell Vulnerability"
+  description     = "Detect Spring4Shell (CVE-2022-22965) exploitation attempts that target Spring Framework's class injection vulnerability, allowing attackers to execute arbitrary commands."
+  documentation   = file("./detections/docs/spring4shell_vulnerability.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.spring4shell_vulnerability
+
+  tags = merge(local.remote_command_execution_common_tags, {
+    mitre_attack_ids = "TA0002:T1059",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "spring4shell_vulnerability" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- Class pattern indicators
+        request_uri ilike '%class.module.classLoader%'
+        or request_uri ilike '%class.classLoader%'
+        or request_uri ilike '%ClassLoader%'
+        
+        -- Property access patterns
+        or request_uri ilike '%?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%'
+        or request_uri ilike '%?class.module.classLoader.resources.context.parent.pipeline.first.suffix=%'
+        or request_uri ilike '%?class.module.classLoader.resources.context.parent.pipeline.first.directory=%'
+        or request_uri ilike '%?class.module.classLoader.resources.context.parent.pipeline.first.prefix=%'
+        or request_uri ilike '%?class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=%'
+        
+        -- URL encoded variants
+        or request_uri ilike '%class%2Emodule%2EclassLoader%'
+        or request_uri ilike '%tomcatwar.jsp%'
+        
+        -- Common payloads
+        or request_uri ilike '%Pattern=%25%7Bc2%7Di%'
+        or request_uri ilike '%class.module.classLoader.DefaultAssertionStatus%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
diff --git a/detections/sql_injection.pp b/detections/sql_injection.pp
new file mode 100644
index 0000000..f0ce387
--- /dev/null
+++ b/detections/sql_injection.pp
@@ -0,0 +1,301 @@
+locals {
+  sql_injection_common_tags = merge(local.apache_access_log_detections_common_tags, {
+    category = "SQL Injection"
+  })
+}
+
+benchmark "sql_injection_detections" {
+  title       = "SQL Injection (SQLi) Detections"
+  description = "This benchmark contains SQLi focused detections when scanning access logs."
+  type        = "detection"
+  children = [
+    detection.sql_injection_blind_based,
+    detection.sql_injection_common_patterns,
+    detection.sql_injection_error_based,
+    detection.sql_injection_time_based,
+    detection.sql_injection_union_based,
+    detection.sql_injection_user_agent_based,
+  ]
+
+  tags = merge(local.sql_injection_common_tags, {
+    type = "Benchmark"
+  })
+}
+
+detection "sql_injection_common_patterns" {
+  title           = "SQL Injection Common Patterns"
+  description     = "Detect basic SQL injection attempts targeting common SQL keywords and syntax patterns that might indicate an attempt to manipulate database queries."
+  documentation   = file("./detections/docs/sql_injection_common_patterns.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.sql_injection_common_patterns
+
+  tags = merge(local.sql_injection_common_tags, {
+    mitre_attack_ids = "TA0001:T1190",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "sql_injection_common_patterns" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- Basic SQL commands
+        request_uri ilike '%select%from%'
+        or request_uri ilike '%insert%into%'
+        or request_uri ilike '%delete%from%'
+        or request_uri ilike '%update%set%'
+        or request_uri ilike '%drop%table%'
+        or request_uri ilike '%truncate%table%'
+        or request_uri ilike '%create%table%'
+        or request_uri ilike '%alter%table%'
+        or request_uri ilike '%exec%xp_%'
+        or request_uri ilike '%information_schema%'
+        -- Common SQL injection patterns
+        or request_uri ilike '%or%1=1%'
+        or request_uri ilike '%or%true%'
+        or request_uri ilike '%/*_%*/%'
+        or request_uri ilike '%--+%'
+        or request_uri ilike '%-- %'
+        or request_uri ilike '%;--%'
+        -- URL encoded variants
+        or request_uri ilike '%\x27%'
+        or request_uri ilike '%\x22%'
+        or request_uri ilike '%\x3D\x3D%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "sql_injection_union_based" {
+  title           = "SQL Injection Union Based"
+  description     = "Detect UNION-based SQL injection attacks that attempt to join results from another query to the original query's results."
+  documentation   = file("./detections/docs/sql_injection_union_based.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.sql_injection_union_based
+
+  tags = merge(local.sql_injection_common_tags, {
+    mitre_attack_ids = "TA0001:T1190",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "sql_injection_union_based" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- UNION-based patterns
+        request_uri ilike '%union%select%'
+        -- Evasion techniques specific to UNION
+        or request_uri ilike '%uni%on%sel%ect%'
+        or request_uri ilike '%uni*/*/on/**/sel/**/ect%'
+        or request_uri ilike '%un?on+sel?ct%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "sql_injection_blind_based" {
+  title           = "SQL Injection Blind Based"
+  description     = "Detect blind SQL injection attacks that attempt to extract information from the database using boolean conditions or time delays."
+  documentation   = file("./detections/docs/sql_injection_blind_based.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.sql_injection_blind_based
+
+  tags = merge(local.sql_injection_common_tags, {
+    mitre_attack_ids = "TA0001:T1190",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "sql_injection_blind_based" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- Blind condition checks
+        request_uri ilike '%and%1=1%'
+        or request_uri ilike '%and%1=2%'
+        or request_uri ilike '%case%when%'
+        or request_uri ilike '%substr%(%'
+        or request_uri ilike '%substring%(%'
+        or request_uri ilike '%ascii%(%'
+        or request_uri ilike '%length%(%'
+        or request_uri ilike '%benchmark%(%'
+        -- Blind patterns with comparison operators
+        or request_uri ilike '%and+1>0%'
+        or request_uri ilike '%and+1<2%'
+        or request_uri ilike '%and+ascii(substring%'
+        or request_uri ilike '%and+length(%)%'
+        -- URL encoded variants common in blind injections
+        or request_uri ilike '%and%28select%'
+        or request_uri ilike '%and%28case%'
+      )
+      and request_uri not ilike '%rand%'
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "sql_injection_error_based" {
+  title           = "SQL Injection Error Based"
+  description     = "Detect error-based SQL injection attacks that attempt to extract information from database error messages."
+  documentation   = file("./detections/docs/sql_injection_error_based.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.sql_injection_error_based
+
+  tags = merge(local.sql_injection_common_tags, {
+    mitre_attack_ids = "TA0001:T1190",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "sql_injection_error_based" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- Error-based extraction patterns
+        request_uri ilike '%convert%(%'
+        or request_uri ilike '%cast%(%'
+        or request_uri ilike '%extractvalue%(%'
+        or request_uri ilike '%updatexml%(%'
+        or request_uri ilike '%floor%(%'
+        or request_uri ilike '%exp%(%'
+        or request_uri ilike '%concat%(%'
+        or request_uri ilike '%concat_ws%(%'
+        or request_uri ilike '%group_concat%(%'
+        -- Known error-based functions with database fingerprinting
+        or request_uri ilike '%db_name%(%'
+        or request_uri ilike '%@@version%'
+        or request_uri ilike '%version%(%'
+        or request_uri ilike '%pg_sleep%(%'
+        or request_uri ilike '%sys.%'
+        -- Common error triggers
+        or request_uri ilike '%having%1=1%'
+        or request_uri ilike '%order%by%'
+        or request_uri ilike '%group%by%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "sql_injection_time_based" {
+  title           = "SQL Injection Time Based"
+  description     = "Detect time-based SQL injection attacks that attempt to extract information by causing delays in database response times."
+  documentation   = file("./detections/docs/sql_injection_time_based.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.sql_injection_time_based
+
+  tags = merge(local.sql_injection_common_tags, {
+    mitre_attack_ids = "TA0001:T1190",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "sql_injection_time_based" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      request_uri is not null
+      and (
+        -- Time-based functions for various database types
+        request_uri ilike '%sleep%(%'
+        or request_uri ilike '%benchmark%(%'
+        or request_uri ilike '%pg_sleep%(%'
+        or request_uri ilike '%dbms_pipe.receive_message%(%'
+        or request_uri ilike '%waitfor%delay%'
+        or request_uri ilike '%GENERATE_SERIES%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
+
+detection "sql_injection_user_agent_based" {
+  title           = "SQL Injection User Agent Based"
+  description     = "Detect SQL injection attacks that use the User-Agent header rather than URL parameters to bypass WAF protections or input filtering."
+  documentation   = file("./detections/docs/sql_injection_user_agent_based.md")
+  severity        = "critical"
+  display_columns = local.detection_display_columns
+
+  query = query.sql_injection_user_agent_based
+
+  tags = merge(local.sql_injection_common_tags, {
+    mitre_attack_ids = "TA0001:T1190",
+    owasp_top_10     = "A03:2021-Injection"
+  })
+}
+
+query "sql_injection_user_agent_based" {
+  sql = <<-EOQ
+    select
+      ${local.detection_sql_columns}
+    from
+      apache_access_log
+    where
+      http_user_agent is not null
+      and (
+        -- Basic SQL injection patterns in User-Agent
+        http_user_agent ilike '%select%from%'
+        or http_user_agent ilike '%union%select%'
+        or http_user_agent ilike '%insert%into%'
+        or http_user_agent ilike '%update%set%'
+        or http_user_agent ilike '%delete%from%'
+        or http_user_agent ilike '%drop%table%'
+        -- Common SQL comment markers and logic patterns
+        or http_user_agent ilike '%/*_%*/%'
+        or http_user_agent ilike '%--+%'
+        or http_user_agent ilike '%-- %'
+        or http_user_agent ilike '%;--%'
+        or http_user_agent ilike '%or%1=1%'
+        or http_user_agent ilike '%or%true%'
+        -- Database-specific User-Agent attacks
+        or http_user_agent ilike '%@@version%'
+        or http_user_agent ilike '%information_schema%'
+        or http_user_agent ilike '%sql_injectionte_master%'
+        or http_user_agent ilike '%pg_tables%'
+        or http_user_agent ilike '%sys.%'
+        -- Time-based techniques
+        or http_user_agent ilike '%sleep(%'
+        or http_user_agent ilike '%benchmark(%'
+        or http_user_agent ilike '%pg_sleep(%'
+        or http_user_agent ilike '%waitfor%delay%'
+      )
+    order by
+      tp_timestamp desc;
+  EOQ
+}
diff --git a/docs/images/apache_access_log_activity_dashboard.png b/docs/images/apache_access_log_activity_dashboard.png
new file mode 100644
index 0000000..a8be923
Binary files /dev/null and b/docs/images/apache_access_log_activity_dashboard.png differ
diff --git a/docs/images/apache_access_log_mitre_dashboard.png b/docs/images/apache_access_log_mitre_dashboard.png
new file mode 100644
index 0000000..0689d24
Binary files /dev/null and b/docs/images/apache_access_log_mitre_dashboard.png differ
diff --git a/docs/images/apache_access_log_owasp_dashboard.png b/docs/images/apache_access_log_owasp_dashboard.png
new file mode 100644
index 0000000..0c1adb1
Binary files /dev/null and b/docs/images/apache_access_log_owasp_dashboard.png differ
diff --git a/docs/index.md b/docs/index.md
index 26f20af..626a397 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,6 +1,12 @@
 # Apache Access Log Detections Mod
 
-View dashboards, run reports, and scan for anomalies across your Apache Access logs.
+[Tailpipe](https://tailpipe.io) is an open-source CLI tool that allows you to collect logs and query them with SQL.
+
+The [Apache Access Log Detections Mod](https://hub.powerpipe.io/mods/turbot/tailpipe-mod-apache-access-log-detections) contains pre-built dashboards and detections, which can be used to monitor and analyze activity across your Apache servers.
+
+<img src="https://raw.githubusercontent.com/turbot/tailpipe-mod-apache-access-log-detections/main/docs/images/apache_access_log_owasp_dashboard.png" width="50%" type="thumbnail"/>
+<img src="https://raw.githubusercontent.com/turbot/tailpipe-mod-apache-access-log-detections/main/docs/images/apache_access_log_mitre_dashboard.png" width="50%" type="thumbnail"/>
+<img src="https://raw.githubusercontent.com/turbot/tailpipe-mod-apache-access-log-detections/main/docs/images/apache_access_log_activity_dashboard.png" width="50%" type="thumbnail"/>
 
 ## Documentation
 
@@ -9,74 +15,29 @@ View dashboards, run reports, and scan for anomalies across your Apache Access l
 
 ## Getting Started
 
-### Installation
-
-Install Powerpipe (https://powerpipe.io/downloads), or use Brew:
+Install Powerpipe from the [downloads](https://powerpipe.io/downloads) page:
 
 ```sh
+# MacOS
 brew install turbot/tap/powerpipe
 ```
 
-Install the mod:
-
-```sh
-mkdir dashboards
-cd dashboards
-powerpipe mod install github.com/turbot/tailpipe-mod-apache-access-log-detections
-```
-
-This mod also requires [Tailpipe](https://tailpipe.io) with the [Apache plugin](https://hub.tailpipe.io/plugins/turbot/apache).
-
-Install Tailpipe (https://tailpipe.io/downloads), or use Brew:
-
-```sh
-brew install turbot/tap/tailpipe
-tailpipe plugin install apache
-```
-
-### Configuration
-
-Configure your log source:
-
-```sh
-vi ~/.tailpipe/config/apache.tpc
-```
-
-```hcl
-partition "apache_access_log" "test" {
-  source "file"  {
-    paths = ["/Users/mscott/apache_access_log"]
-    file_layout = "%{DATA}.log"
-  }
-}
-```
-
-### Log Collection
-
-Collect logs:
-
 ```sh
-tailpipe collect apache_access_log
+# Linux or Windows (WSL)
+sudo /bin/sh -c "$(curl -fsSL https://powerpipe.io/install/powerpipe.sh)"
 ```
 
-When running `tailpipe collect` for the first time, logs from the last 7 days are collected. Subsequent `tailpipe collect` runs will collect logs from the last collection date.
-
-You can override the default behaviour by specifying `--from`:
+This mod also requires Apache access logs to be collected using [Tailpipe](https://tailpipe.io) with the [Apache plugin](https://hub.tailpipe.io/plugins/turbot/apache):
+- [Get started with the Apache plugin for Tailpipe →](https://hub.tailpipe.io/plugins/turbot/apache#getting-started)
 
-```sh
-tailpipe collect apache_access_log --from 2025-01-01
-```
-
-You can also use relative times. For instance, to collect logs from the last 60 days:
+Install the mod:
 
 ```sh
-tailpipe collect apache_access_log --from T-60d
+mkdir dashboards
+cd dashboards
+powerpipe mod install github.com/turbot/tailpipe-mod-apache-access-log-detections
 ```
 
-Please note that if you specify a date in `--from`, Tailpipe will delete any collected data for that partition starting from that date to help avoid gaps in the data.
-
-For additional examples on using `tailpipe collect`, please see [tailpipe collect](https://tailpipe.io/docs/reference/cli/collect) reference documentation.
-
 ### Browsing Dashboards
 
 Start the dashboard server:
@@ -98,28 +59,11 @@ List available benchmarks:
 powerpipe benchmark list
 ```
 
-<!-- TODO: add a benchmark name and uncomment
 Run a benchmark:
 
 ```sh
-powerpipe benchmark run apache_access_log_detections.benchmark.
+powerpipe benchmark run apache_access_log_detections.benchmark.owasp_top_10
 ```
--->
 
 Different output formats are also available, for more information please see
 [Output Formats](https://powerpipe.io/docs/reference/cli/benchmark#output-formats).
-
-## Open Source & Contributing
-
-This repository is published under the [Apache 2.0 license](https://www.apache.org/licenses/LICENSE-2.0). Please see our [code of conduct](https://github.com/turbot/.github/blob/main/CODE_OF_CONDUCT.md). We look forward to collaborating with you!
-
-[Steampipe](https://steampipe.io) and [Powerpipe](https://powerpipe.io) are products produced from this open source software, exclusively by [Turbot HQ, Inc](https://turbot.com). They are distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our [Open Source FAQ](https://turbot.com/open-source).
-
-## Get Involved
-
-**[Join #powerpipe on Slack →](https://turbot.com/community/join)**
-
-Want to help but don't know where to start? Pick up one of the `help wanted` issues:
-
-- [Powerpipe](https://github.com/turbot/powerpipe/labels/help%20wanted)
-- [Apache Access Log Detections Mod](https://github.com/turbot/tailpipe-mod-apache-access-log-detections/labels/help%20wanted)
\ No newline at end of file
diff --git a/locals.pp b/locals.pp
index c2daa3f..336b49f 100644
--- a/locals.pp
+++ b/locals.pp
@@ -6,3 +6,35 @@
   }
 }
 
+locals {
+  # Local internal variables to build the SQL select clause for common
+  # dimensions. Do not edit directly.
+  detection_sql_columns = <<-EOQ
+  tp_timestamp as timestamp,
+  request_method as operation,
+  request_uri as resource,
+  status,
+  http_user_agent as actor,
+  tp_source_ip as source_ip,
+  tp_id as source_id,
+  -- Create new aliases to preserve original row data
+  status as status_src,
+  timestamp as timestamp_src,
+  *
+  exclude (status, timestamp)
+  EOQ
+}
+
+locals {
+  # Local internal variables to build the SQL select clause for common
+  # dimensions. Do not edit directly.
+  detection_display_columns = [
+    "timestamp",
+    "operation",
+    "resource",
+    "status",
+    "actor",
+    "source_ip",
+    "source_id",
+  ]
+}
diff --git a/mitre_attack_v161/docs/mitre.md b/mitre_attack_v161/docs/mitre.md
new file mode 100644
index 0000000..694debd
--- /dev/null
+++ b/mitre_attack_v161/docs/mitre.md
@@ -0,0 +1,5 @@
+To obtain the latest version of this official guide, please visit https://attack.mitre.org/.
+
+## Overview
+
+MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
diff --git a/mitre_attack_v161/docs/ta0001.md b/mitre_attack_v161/docs/ta0001.md
new file mode 100644
index 0000000..6135b63
--- /dev/null
+++ b/mitre_attack_v161/docs/ta0001.md
@@ -0,0 +1,5 @@
+## Overview
+
+The adversary is trying to get into your network.
+
+Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.
diff --git a/mitre_attack_v161/docs/ta0001_t1190.md b/mitre_attack_v161/docs/ta0001_t1190.md
new file mode 100644
index 0000000..075e9c6
--- /dev/null
+++ b/mitre_attack_v161/docs/ta0001_t1190.md
@@ -0,0 +1,11 @@
+## Overview
+
+Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
+
+Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.
+
+If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.
+
+Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.
+
+For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.
diff --git a/mitre_attack_v161/docs/ta0002.md b/mitre_attack_v161/docs/ta0002.md
new file mode 100644
index 0000000..7156144
--- /dev/null
+++ b/mitre_attack_v161/docs/ta0002.md
@@ -0,0 +1,5 @@
+## Overview
+
+The adversary is trying to run malicious code.
+
+Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
\ No newline at end of file
diff --git a/mitre_attack_v161/docs/ta0002_t1059.md b/mitre_attack_v161/docs/ta0002_t1059.md
new file mode 100644
index 0000000..78a08cb
--- /dev/null
+++ b/mitre_attack_v161/docs/ta0002_t1059.md
@@ -0,0 +1,7 @@
+## Overview
+
+Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
+
+There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.
+
+Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.
\ No newline at end of file
diff --git a/mitre_attack_v161/docs/ta0002_t1059_007.md b/mitre_attack_v161/docs/ta0002_t1059_007.md
new file mode 100644
index 0000000..2cf0c83
--- /dev/null
+++ b/mitre_attack_v161/docs/ta0002_t1059_007.md
@@ -0,0 +1,9 @@
+## Overview
+
+Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.
+
+JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.
+
+JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.
+
+Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.
\ No newline at end of file
diff --git a/mitre_attack_v161/docs/ta0007.md b/mitre_attack_v161/docs/ta0007.md
new file mode 100644
index 0000000..765bb62
--- /dev/null
+++ b/mitre_attack_v161/docs/ta0007.md
@@ -0,0 +1,5 @@
+## Overview
+
+The adversary is trying to figure out your environment.
+
+Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
\ No newline at end of file
diff --git a/mitre_attack_v161/docs/ta0007_t1083.md b/mitre_attack_v161/docs/ta0007_t1083.md
new file mode 100644
index 0000000..ad01625
--- /dev/null
+++ b/mitre_attack_v161/docs/ta0007_t1083.md
@@ -0,0 +1,7 @@
+## Overview
+
+Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+
+Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).
+
+Some files and directories may require elevated or specific user permissions to access.
\ No newline at end of file
diff --git a/mitre_attack_v161/docs/ta0009_t1059_007.md b/mitre_attack_v161/docs/ta0009_t1059_007.md
new file mode 100644
index 0000000..d5d0cf2
--- /dev/null
+++ b/mitre_attack_v161/docs/ta0009_t1059_007.md
@@ -0,0 +1,11 @@
+## Overview
+
+Adversaries may abuse JavaScript for execution. JavaScript is a high-level, dynamic, and interpreted programming language that is widely used within web browsers and other applications to provide dynamic content. JavaScript can be leveraged by adversaries to perform a variety of malicious activities.
+
+JavaScript allows execution of arbitrary code within a web browser or other application that supports it, such as Node.js. It can be embedded in webpages, included from external files, or injected through cross-site scripting (XSS) vulnerabilities. 
+
+Attackers frequently use JavaScript for client-side attacks, including browser exploitation, fingerprinting, cookie theft, credential harvesting, keylogging, and various web-based attacks. JavaScript can also be used for server-side attacks when applications like Node.js are targeted.
+
+JavaScript-based attacks commonly target web applications and can execute in the context of the user's browser, potentially leading to session hijacking, DOM manipulation, or stealing of sensitive information. Many JavaScript-based attacks leverage obfuscation techniques to evade detection by security tools.
+
+Common JavaScript attack vectors include cross-site scripting (XSS), HTML injection, event handler abuse, and JavaScript URI schemes. These can be delivered through various means including compromised websites, phishing emails, or malicious advertisements.
diff --git a/mitre_attack_v161/docs/ta0009_t1190.md b/mitre_attack_v161/docs/ta0009_t1190.md
new file mode 100644
index 0000000..ca0541e
--- /dev/null
+++ b/mitre_attack_v161/docs/ta0009_t1190.md
@@ -0,0 +1,11 @@
+## Overview
+
+Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. In the context of the Collection tactic, this exploitation is focused on gathering information or data from the target system.
+
+Exploitation of public-facing applications can involve targeting websites, web-based databases, APIs, and other services that are accessible from the internet. Common targets include content management systems, customer portals, e-commerce platforms, web applications, and public APIs.
+
+For data collection purposes, adversaries often target databases through SQL injection attacks, allowing them to extract sensitive information directly from backend databases. They may also exploit vulnerabilities in web applications to access cached data, session information, or user credentials stored in memory or temporary files.
+
+Successful exploitation for collection purposes often goes beyond just gaining initial access - it focuses on accessing, querying, or exfiltrating specific data of interest to the attacker. This can include customer information, financial data, intellectual property, or authentication credentials that provide access to additional resources.
+
+Detection of exploitation for collection purposes can be challenging as the activities may blend in with normal application usage patterns. Monitoring for unusual data access patterns, suspicious queries, or unexpected data transfers can help identify such activities.
diff --git a/mitre_attack_v161/mitre.pp b/mitre_attack_v161/mitre.pp
new file mode 100644
index 0000000..b88763b
--- /dev/null
+++ b/mitre_attack_v161/mitre.pp
@@ -0,0 +1,21 @@
+locals {
+  mitre_attack_v161_common_tags = merge(local.apache_access_log_detections_common_tags, {
+    mitre_attack_version = "v16.1"
+  })
+}
+
+benchmark "mitre_attack_v161" {
+  title         = "MITRE ATT&CK v16.1"
+  description   = "MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations."
+  type          = "detection"
+  documentation = file("./mitre_attack_v161/docs/mitre.md")
+  children = [
+    benchmark.mitre_attack_v161_ta0001,
+    benchmark.mitre_attack_v161_ta0002,
+    benchmark.mitre_attack_v161_ta0007,
+  ]
+
+  tags = merge(local.mitre_attack_v161_common_tags, {
+    type = "Benchmark"
+  })
+}
diff --git a/mitre_attack_v161/ta0001.pp b/mitre_attack_v161/ta0001.pp
new file mode 100644
index 0000000..56f9a30
--- /dev/null
+++ b/mitre_attack_v161/ta0001.pp
@@ -0,0 +1,18 @@
+locals {
+  mitre_attack_v161_ta0001_common_tags = merge(local.mitre_attack_v161_common_tags, {
+    mitre_attack_tactic_id = "TA0001"
+  })
+}
+
+benchmark "mitre_attack_v161_ta0001" {
+  title         = "TA0001 Initial Access"
+  type          = "detection"
+  documentation = file("./mitre_attack_v161/docs/ta0001.md")
+  children = [
+    benchmark.mitre_attack_v161_ta0001_t1190,
+  ]
+
+  tags = merge(local.mitre_attack_v161_ta0001_common_tags, {
+    type = "Benchmark"
+  })
+}
diff --git a/mitre_attack_v161/ta0001_t1190.pp b/mitre_attack_v161/ta0001_t1190.pp
new file mode 100644
index 0000000..1417003
--- /dev/null
+++ b/mitre_attack_v161/ta0001_t1190.pp
@@ -0,0 +1,25 @@
+locals {
+  mitre_attack_v161_ta0001_t1190_common_tags = merge(local.mitre_attack_v161_ta0001_common_tags, {
+    mitre_attack_technique_id = "T1190"
+  })
+}
+
+benchmark "mitre_attack_v161_ta0001_t1190" {
+  title         = "T1190 Exploit Public-Facing Application"
+  type          = "detection"
+  documentation = file("./mitre_attack_v161/docs/ta0001_t1190.md")
+  children = [
+    # Local File Inclusion exploits
+    detection.header_based_local_file_inclusion,
+
+    # SQL Injection exploits
+    detection.sql_injection_blind_based,
+    detection.sql_injection_common_patterns,
+    detection.sql_injection_error_based,
+    detection.sql_injection_time_based,
+    detection.sql_injection_union_based,
+    detection.sql_injection_user_agent_based
+  ]
+
+  tags = local.mitre_attack_v161_ta0001_t1190_common_tags
+}
diff --git a/mitre_attack_v161/ta0002.pp b/mitre_attack_v161/ta0002.pp
new file mode 100644
index 0000000..696b6ad
--- /dev/null
+++ b/mitre_attack_v161/ta0002.pp
@@ -0,0 +1,18 @@
+locals {
+  mitre_attack_v161_ta0002_common_tags = merge(local.mitre_attack_v161_common_tags, {
+    mitre_attack_tactic_id = "TA0002"
+  })
+}
+
+benchmark "mitre_attack_v161_ta0002" {
+  title         = "TA0002 Execution"
+  type          = "detection"
+  documentation = file("./mitre_attack_v161/docs/ta0002.md")
+  children = [
+    benchmark.mitre_attack_v161_ta0002_t1059
+  ]
+
+  tags = merge(local.mitre_attack_v161_ta0002_common_tags, {
+    type = "Benchmark"
+  })
+}
diff --git a/mitre_attack_v161/ta0002_t1059.pp b/mitre_attack_v161/ta0002_t1059.pp
new file mode 100644
index 0000000..e4a650e
--- /dev/null
+++ b/mitre_attack_v161/ta0002_t1059.pp
@@ -0,0 +1,40 @@
+locals {
+  mitre_attack_v161_ta0002_t1059_common_tags = merge(local.mitre_attack_v161_ta0002_common_tags, {
+    mitre_attack_technique_id = "T1059"
+  })
+}
+
+benchmark "mitre_attack_v161_ta0002_t1059" {
+  title         = "T1059 Command and Scripting Interpreter"
+  type          = "detection"
+  documentation = file("./mitre_attack_v161/docs/ta0002_t1059.md")
+  children = [
+    benchmark.mitre_attack_v161_ta0002_t1059_007,
+    detection.log4shell_vulnerability,
+    detection.spring4shell_vulnerability
+  ]
+
+  tags = local.mitre_attack_v161_ta0002_t1059_common_tags
+}
+
+
+benchmark "mitre_attack_v161_ta0002_t1059_007" {
+  title         = "T1059.007 Command and Scripting Interpreter: JavaScript"
+  type          = "detection"
+  documentation = file("./mitre_attack_v161/docs/ta0002_t1059_007.md")
+  children = [
+    detection.cross_site_scripting_angular_template,
+    detection.cross_site_scripting_attribute_injection,
+    detection.cross_site_scripting_common_patterns,
+    detection.cross_site_scripting_dom_based,
+    detection.cross_site_scripting_encoding,
+    detection.cross_site_scripting_html_injection,
+    detection.cross_site_scripting_javascript_methods,
+    detection.cross_site_scripting_javascript_uri,
+    detection.cross_site_scripting_script_tag
+  ]
+
+  tags = merge(local.mitre_attack_v161_ta0002_t1059_common_tags, {
+    mitre_attack_technique_id = "T1059.007"
+  })
+} 
\ No newline at end of file
diff --git a/mitre_attack_v161/ta0007.pp b/mitre_attack_v161/ta0007.pp
new file mode 100644
index 0000000..b4f2fd6
--- /dev/null
+++ b/mitre_attack_v161/ta0007.pp
@@ -0,0 +1,18 @@
+locals {
+  mitre_attack_v161_ta0007_common_tags = merge(local.mitre_attack_v161_common_tags, {
+    mitre_attack_tactic_id = "TA0007"
+  })
+}
+
+benchmark "mitre_attack_v161_ta0007" {
+  title         = "TA0007 Discovery"
+  type          = "detection"
+  documentation = file("./mitre_attack_v161/docs/ta0007.md")
+  children = [
+    benchmark.mitre_attack_v161_ta0007_t1083
+  ]
+
+  tags = merge(local.mitre_attack_v161_ta0007_common_tags, {
+    type = "Benchmark"
+  })
+} 
\ No newline at end of file
diff --git a/mitre_attack_v161/ta0007_t1083.pp b/mitre_attack_v161/ta0007_t1083.pp
new file mode 100644
index 0000000..b50fec0
--- /dev/null
+++ b/mitre_attack_v161/ta0007_t1083.pp
@@ -0,0 +1,20 @@
+locals {
+  mitre_attack_v161_ta0007_t1083_common_tags = merge(local.mitre_attack_v161_ta0007_common_tags, {
+    mitre_attack_technique_id = "T1083"
+  })
+}
+
+benchmark "mitre_attack_v161_ta0007_t1083" {
+  title         = "T1083 File and Directory Discovery"
+  type          = "detection"
+  documentation = file("./mitre_attack_v161/docs/ta0007_t1083.md")
+  children = [
+    detection.encoded_path_traversal,
+    detection.hidden_file_access,
+    detection.os_file_access,
+    detection.path_traversal,
+    detection.restricted_file_access,
+  ]
+
+  tags = local.mitre_attack_v161_ta0007_t1083_common_tags
+} 
diff --git a/mod.pp b/mod.pp
index 740c328..9e7684a 100644
--- a/mod.pp
+++ b/mod.pp
@@ -11,6 +11,6 @@
   opengraph {
     title       = "Tailpipe Mod for Apache Access Log Detections"
     description = "Search your Apache access logs for high risk actions using Tailpipe."
-    #image       = "/images/mods/turbot/apache-social-graphic.png"
+    image       = "/images/mods/turbot/apache-access-log-detections-social-graphic.png"
   }
 }
diff --git a/owasp_top_10_2021/a01.pp b/owasp_top_10_2021/a01.pp
new file mode 100644
index 0000000..b3400fc
--- /dev/null
+++ b/owasp_top_10_2021/a01.pp
@@ -0,0 +1,23 @@
+locals {
+  owasp_top_10_2021_a01_common_tags = merge(local.owasp_top_10_2021_common_tags, {
+    owasp_top_10_version = "2021_a01"
+  })
+}
+
+benchmark "owasp_top_10_2021_a01" {
+  title         = "A01:2021 - Broken Access Control"
+  description   = "Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits."
+  type          = "detection"
+  documentation = file("./owasp_top_10_2021/docs/a01.md")
+  children = [
+    detection.encoded_path_traversal,
+    detection.hidden_file_access,
+    detection.os_file_access,
+    detection.path_traversal,
+    detection.restricted_file_access,
+  ]
+
+  tags = merge(local.owasp_top_10_2021_a01_common_tags, {
+    type = "Benchmark"
+  })
+}
diff --git a/owasp_top_10_2021/a03.pp b/owasp_top_10_2021/a03.pp
new file mode 100644
index 0000000..9c5f365
--- /dev/null
+++ b/owasp_top_10_2021/a03.pp
@@ -0,0 +1,35 @@
+locals {
+  owasp_top_10_2021_a03_common_tags = merge(local.owasp_top_10_2021_common_tags, {
+    owasp_top_10_version = "2021_a03"
+  })
+}
+
+benchmark "owasp_top_10_2021_a03" {
+  title         = "A03:2021 - Injection"
+  description   = "Injection slides down to the third position. 94% of the applications were tested for some form of injection with a max incidence rate of 19%, an average incidence rate of 3%, and 274k occurrences."
+  type          = "detection"
+  documentation = file("./owasp_top_10_2021/docs/a01.md")
+  children = [
+    detection.cross_site_scripting_angular_template,
+    detection.cross_site_scripting_attribute_injection,
+    detection.cross_site_scripting_common_patterns,
+    detection.cross_site_scripting_dom_based,
+    detection.cross_site_scripting_encoding,
+    detection.cross_site_scripting_html_injection,
+    detection.cross_site_scripting_javascript_methods,
+    detection.cross_site_scripting_javascript_uri,
+    detection.cross_site_scripting_script_tag,
+    detection.log4shell_vulnerability,
+    detection.spring4shell_vulnerability,
+    detection.sql_injection_blind_based,
+    detection.sql_injection_common_patterns,
+    detection.sql_injection_error_based,
+    detection.sql_injection_time_based,
+    detection.sql_injection_union_based,
+    detection.sql_injection_user_agent_based,
+  ]
+
+  tags = merge(local.owasp_top_10_2021_a03_common_tags, {
+    type = "Benchmark"
+  })
+}
diff --git a/owasp_top_10_2021/docs/a01.md b/owasp_top_10_2021/docs/a01.md
new file mode 100644
index 0000000..5108f14
--- /dev/null
+++ b/owasp_top_10_2021/docs/a01.md
@@ -0,0 +1,12 @@
+## Overview
+
+Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits. Common access control vulnerabilities include:
+
+- Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.
+- Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.
+- Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)
+- Accessing API with missing access controls for POST, PUT and DELETE.
+- Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.
+- Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation.
+- CORS misconfiguration allows API access from unauthorized/untrusted origins.
+- Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.
diff --git a/owasp_top_10_2021/docs/a03.md b/owasp_top_10_2021/docs/a03.md
new file mode 100644
index 0000000..176e1e8
--- /dev/null
+++ b/owasp_top_10_2021/docs/a03.md
@@ -0,0 +1,10 @@
+## Overview
+
+An application is vulnerable to attack when:
+
+- User-supplied data is not validated, filtered, or sanitized by the application.
+- Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
+- Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
+- Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.
+
+Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters. Source code review is the best method of detecting if applications are vulnerable to injections. Automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs is strongly encouraged. Organizations can include static (SAST), dynamic (DAST), and interactive (IAST) application security testing tools into the CI/CD pipeline to identify introduced injection flaws before production deployment.
diff --git a/owasp_top_10_2021/docs/owasp.md b/owasp_top_10_2021/docs/owasp.md
new file mode 100644
index 0000000..84ae4f4
--- /dev/null
+++ b/owasp_top_10_2021/docs/owasp.md
@@ -0,0 +1,16 @@
+To obtain the latest version of this official guide, please visit https://owasp.org/Top10/.
+
+## Overview
+
+The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
+
+- A01:2021-Broken Access Control - Vulnerabilities that allow unauthorized users to access restricted functionality or data.
+- A02:2021-Cryptographic Failures - Failures to properly implement encryption, resulting in sensitive data exposure.
+- A03:2021-Injection - When untrusted data is sent to an interpreter as part of a command or query, allowing attackers to execute unintended commands.
+- A04:2021-Insecure Design - Security flaws that exist due to poor design choices before any code is written.
+- A05:2021-Security Misconfiguration - Improperly configured applications, frameworks, servers, or platforms that leave security gaps.
+- A06:2021-Vulnerable and Outdated Components - Using components with known vulnerabilities or failing to keep software updated.
+- A07:2021-Identification and Authentication Failures - Weaknesses in authentication mechanisms that allow account compromise.
+- A08:2021-Software and Data Integrity Failures - Code and infrastructure that doesn't protect against integrity violations, such as using untrusted plugins or libraries.
+- A09:2021-Security Logging and Monitoring Failures - Insufficient logging, monitoring, and incident response capabilities that prevent timely detection of attacks.
+- A10:2021-Server-Side Request Forgery (SSRF) - Flaws that allow attackers to induce the server-side application to make requests to unintended locations.
diff --git a/owasp_top_10_2021/owasp.pp b/owasp_top_10_2021/owasp.pp
new file mode 100644
index 0000000..a025419
--- /dev/null
+++ b/owasp_top_10_2021/owasp.pp
@@ -0,0 +1,18 @@
+locals {
+  owasp_top_10_2021_common_tags = local.apache_access_log_detections_common_tags
+}
+
+benchmark "owasp_top_10_2021" {
+  title         = "OWASP Top 10 2021"
+  description   = "The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications."
+  type          = "detection"
+  documentation = file("./owasp_top_10_2021/docs/owasp.md")
+  children = [
+    benchmark.owasp_top_10_2021_a01,
+    benchmark.owasp_top_10_2021_a03,
+  ]
+
+  tags = merge(local.owasp_top_10_2021_common_tags, {
+    type = "Benchmark"
+  })
+}