Update lowercase filenames

docs/definitions.rst

@@ -1,21 +1,21 @@
 Definitions
 ===========
 
-This page defines the key terms used throughout our research. 
+This page defines the key terms used throughout our research.
 
-MITRE ATT&CK 
+MITRE ATT&CK
 ------------
 MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK focuses on how external adversaries compromise and operate within computer information networks.
 
-Techniques 
+Techniques
 ~~~~~~~~~~
 Techniques represent "how" - the means by which adversaries achieve tactical objective.
 
 Sub-techniques
 ~~~~~~~~~~~~~~
 Sub-techniques break down behaviors described by techniques into more specific means by which adversaries achieve tactical objectives.
 
-Data Source 
+Data Source
 ~~~~~~~~~~~
 Data Sources represent information collected by a sensor or logging system that may identify properties or values relevant to identifying the adversarial action being performed, sequence of actions, or the results of those actions.
 
@@ -29,7 +29,7 @@ Data Elements
 -------------
 Data elements are names, definitions, and attributes that are being used or captured in an event
 
-.. image:: _static/MSDN_4688_Ex.png
+.. image:: _static/msdn_4688_ex.png
    :width: 500
 
 Sensors
@@ -40,5 +40,5 @@ Telemetry/Events
 ----------------
 Telemetry/events are generated by sensors in the form of log data, automatically generated and transmitted or streamed in near real-time, regardless of the format (e.g., json, csv, etc.).
 
-.. image:: _static/4688_Ex.png
+.. image:: _static/4688_ex.png
    :width: 500

docs/methodology/step2.rst

@@ -1,52 +1,52 @@
 Step 2: Definition Correlation
 ===============================
 
-What makes sensors useful to defenders is the meaning and context associated with the event. For each identified event ID, 
-consult the available documentation to understand its capabilities. Gather specific facts about the event ID that will 
-later help in mapping the event to the set of ATT&CK Data Sources it is able to detect. 
+What makes sensors useful to defenders is the meaning and context associated with the event. For each identified event ID,
+consult the available documentation to understand its capabilities. Gather specific facts about the event ID that will
+later help in mapping the event to the set of ATT&CK Data Sources it is able to detect.
 
-The most common way to bring context to the event is by applying the description and other types of metadata such as the 
-Data Elements and Fields. Documented description, elements, and fields can help provide understanding of what the sensor is 
+The most common way to bring context to the event is by applying the description and other types of metadata such as the
+Data Elements and Fields. Documented description, elements, and fields can help provide understanding of what the sensor is
 truly capturing, and make creating mappings more efficient.
 
-Identify the Source of Data 
+Identify the Source of Data
 ---------------------------
 
-Start with **identifying the source of data**. In a Windows environment, we can collect information pertaining to "Processes" 
-from built-in event providers such as Microsoft-Windows-Security-Auditing and open third-party tools, including Sysmon. 
+Start with **identifying the source of data**. In a Windows environment, we can collect information pertaining to "Processes"
+from built-in event providers such as Microsoft-Windows-Security-Auditing and open third-party tools, including Sysmon.
 
-Additional context on potential source of the data can be gained by considering: 
+Additional context on potential source of the data can be gained by considering:
 
 - *Why were these security events generated in my environment? (Activity)*
 - *What operating system supports its generation? (Platform)*
 
-For example, the documentation provided by Microsoft for Windows `Event ID 4688: A new process has been created <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688>`_ 
-provides context for this event. By the event description, 4688 is generated every time a new process starts. The information 
-provided by this event includes the user account that requested the creation of the process, and information of a process that 
-executed a new process. This event also provides metadata that can help us to describe the data elements needed later on in 
+For example, the documentation provided by Microsoft for Windows `Event ID 4688: A new process has been created <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688>`_
+provides context for this event. By the event description, 4688 is generated every time a new process starts. The information
+provided by this event includes the user account that requested the creation of the process, and information of a process that
+executed a new process. This event also provides metadata that can help us to describe the data elements needed later on in
 Step 3 of this methodology.
 
 .. image:: ../_static/msdn_4688_ex.png
    :width: 600
 
-- The action that triggered the generation of this event was the creation of a new process (Activity). 
-- This security event can be collected by using the built-in event logging application for devices that work with the Windows operating system (Platform). Within a Windows environment, it is typically known to have a "process" as a source of data. 
+- The action that triggered the generation of this event was the creation of a new process (Activity).
+- This security event can be collected by using the built-in event logging application for devices that work with the Windows operating system (Platform). Within a Windows environment, it is typically known to have a "process" as a source of data.
 
 Correlate to ATT&CK Data Component Definition
 ---------------------------------------------
 
-To correlate with ATT&CK, the `Data Source <https://attack.mitre.org/datasources/>`_ pages provide definitions for each 
-individual Data Source. 
+To correlate with ATT&CK, the `Data Source <https://attack.mitre.org/datasources/>`_ pages provide definitions for each
+individual Data Source.
 
 .. image:: ../_static/attack_ex_pc.png
    :width: 600
 
-For Process Creation, ATT&CK's definition is : **..the initial construction of an executable..**. Through key word review, it 
-can be determined that this is the same as **..a process is created..** Therefore, event ID 4688 can be linked with this 
-ATT&CK Data Component. 
+For Process Creation, ATT&CK's definition is : **..the initial construction of an executable..**. Through key word review, it
+can be determined that this is the same as **..a process is created..** Therefore, event ID 4688 can be linked with this
+ATT&CK Data Component.
 
-A similar process can be used to examine Sysmon EID 1, Sysmon EID 8, WinEvtx 4688, and WinEvtx 4696. The image below shows that 
-the definitions all have some correlation with either starting or executing a process. 
+A similar process can be used to examine Sysmon EID 1, Sysmon EID 8, WinEvtx 4688, and WinEvtx 4696. The image below shows that
+the definitions all have some correlation with either starting or executing a process.
 
-.. image:: ../_static/definitioncorrelation_Ex.png
-   :width: 700
+.. image:: ../_static/definitioncorrelation_ex.png
+   :width: 700