diff --git a/splunk-magic-hound.md b/splunk-magic-hound.md
index 1e6899a..d871033 100644
--- a/splunk-magic-hound.md
+++ b/splunk-magic-hound.md
@@ -23,6 +23,8 @@ priority=""
 | collect `jarvis_index`
 ```
 
+
+```
 `indextime` (`sysmon` OR `windows`) AND ('powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true"' OR 'powershell.exe /c "Set-Service -Name windefend -StartupType Disabled"' OR 'powershell.exe /c "Stop-Service -Name windefend"')
 | eval hash_sha256= lower(hash_sha256),
 hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
@@ -43,7 +45,9 @@ priority=""
 | convert ctime(indextime) 
 | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
 | collect `jarvis_index`
+```
 
+```
 `indextime` (`sysmon` OR `windows`) AND ('powershell /c "Get-ADUser -Filter * -Properties EmailAddress | Select-Object Name, EmailAddress"' OR 'powershell /c "Get-ADUser')
 | eval hash_sha256= lower(hash_sha256),
 hunting_trigger="Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).",
@@ -64,7 +68,9 @@ priority=""
 | convert ctime(indextime) 
 | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
 | collect `jarvis_index`
+```
 
+```
 `indextime` (`sysmon` OR `windows`) AND *.docm
 | eval hash_sha256= lower(hash_sha256),
 hunting_trigger="Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. ",
@@ -85,7 +91,9 @@ priority=""
 | convert ctime(indextime) 
 | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
 | collect `jarvis_index`
+```
 
+```
 `indextime` (`sysmon` OR `windows`) AND 'powershell.exe /c "net user DefaultAccount /active:yes"'
 | eval hash_sha256= lower(hash_sha256),
 hunting_trigger="Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.",
@@ -106,7 +114,9 @@ priority=""
 | convert ctime(indextime) 
 | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
 | collect `jarvis_index`
+```
 
+```
 `indextime` (`sysmon` OR `windows`) AND (reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f)
 | eval hash_sha256= lower(hash_sha256),
 hunting_trigger="Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.",
@@ -127,7 +137,9 @@ priority=""
 | convert ctime(indextime) 
 | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
 | collect `jarvis_index`
+```
 
+```
 `indextime` (`sysmon` OR `windows`) AND "powershell.exe /c 'auditpol /clear /y'"
 | eval hash_sha256= lower(hash_sha256),
 hunting_trigger="Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits.",
@@ -148,7 +160,9 @@ priority=""
 | convert ctime(indextime) 
 | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
 | collect `jarvis_index`
+```
 
+```
 `indextime` ((`sysmon` EventCode="1") OR (`windows-security` EventCode="4688")) (Image="C:\Windows\System32\sc.exe" (CommandLine="sc config" OR CommandLine="sc stop" OR CommandLine="sc query" )) OR (ServiceName="Windows Defender" OR ServiceName="Windows Firewall" AND ServiceName="stopped*")
 | eval hash_sha256= lower(hash_sha256),
 hunting_trigger="Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.",
@@ -169,7 +183,9 @@ priority=""
 | convert ctime(indextime) 
 | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
 | collect `jarvis_index`
+```
 
+```
 `indextime` (`sysmon` OR `windows`) AND ("quser.exe" OR "netstat -ano")
 | eval hash_sha256= lower(hash_sha256),
 hunting_trigger="Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
@@ -190,7 +206,9 @@ priority=""
 | convert ctime(indextime) 
 | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
 | collect `jarvis_index`
+```
 
+```
 `indextime` (`sysmon` OR `windows`) AND ("powershell /c 'Compress-Archive" AND "zip")
 | eval hash_sha256= lower(hash_sha256),
 hunting_trigger="Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
@@ -211,7 +229,9 @@ priority=""
 | convert ctime(indextime) 
 | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
 | collect `jarvis_index`
+```
 
+```
 `indextime` (`sysmon` OR `windows`) AND ("schtasks /create /tn" OR "/ru SYSTEM")
 | eval hash_sha256= lower(hash_sha256),
 hunting_trigger="Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.",
@@ -232,9 +252,7 @@ priority=""
 | convert ctime(indextime) 
 | table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator upload_date last_modify_date mitre_version priority
 | collect `jarvis_index`
-
-
-
+```