```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
  <title>Windows Security Event Logs Reference</title>

  <style>
    /* Same vibe as your Tailwind UI: dark gradient background + glass panels */

    :root{
      --bg1:#0b1220;   /* slate-900 */
      --bg2:#0b2a6a;   /* blue-900 */
      --bg3:#0b1220;   /* slate-900 */
      --glass: rgba(255,255,255,0.10);
      --glassBorder: rgba(255,255,255,0.20);
      --glassBorderHover: rgba(96,165,250,0.50); /* blue-400/50 */
      --text: #ffffff;
      --muted: rgba(191,219,254,0.95); /* blue-200 */
      --blue300: rgba(147,197,253,0.95);
      --green300: rgba(134,239,172,0.95);
      --yellow300: rgba(253,224,71,0.95);
      --red300: rgba(252,165,165,0.95);
      --cyan300: rgba(103,232,249,0.95);
      --purple: rgba(168,85,247,0.80);
      --blueBadge: rgba(59,130,246,0.80);
      --btn: #16a34a;
      --btnHover: #15803d;
    }

    *{ box-sizing:border-box; }
    html, body{ height:100%; }
    body{
      margin:0;
      font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial, "Apple Color Emoji","Segoe UI Emoji";
      color: var(--text);
    }

    .page{
      min-height:100vh;
      padding:24px;
      background: radial-gradient(1200px 800px at 30% 10%, rgba(59,130,246,0.20), transparent 60%),
                  radial-gradient(1000px 700px at 80% 40%, rgba(168,85,247,0.18), transparent 60%),
                  linear-gradient(135deg, var(--bg1), var(--bg2), var(--bg3));
    }

    .container{
      max-width: 1120px;
      margin: 0 auto;
    }

    .panel{
      background: var(--glass);
      border: 1px solid var(--glassBorder);
      backdrop-filter: blur(14px);
      -webkit-backdrop-filter: blur(14px);
      border-radius: 18px;
      padding: 20px;
      margin-bottom: 18px;
    }

    .title{
      font-size: 30px;
      font-weight: 800;
      margin: 0 0 8px 0;
    }
    .subtitle{
      color: var(--blue300);
      font-size: 20px;
      font-weight: 700;
      margin: 0 0 4px 0;
    }
    .instructor{
      color: var(--green300);
      font-size: 18px;
      margin: 0 0 8px 0;
    }
    .desc{
      color: var(--muted);
      margin:0;
    }

    .controls{
      display:grid;
      grid-template-columns: 1fr 1fr 240px;
      gap: 14px;
    }

    @media (max-width: 900px){
      .controls{ grid-template-columns: 1fr; }
    }

    .inputWrap{
      position: relative;
    }

    .icon{
      position:absolute;
      left: 12px;
      top: 10px;
      width: 20px;
      height: 20px;
      color: var(--blue300);
      opacity: 0.9;
      display:flex;
      align-items:center;
      justify-content:center;
    }

    input, select{
      width:100%;
      padding: 10px 12px 10px 40px;
      background: rgba(255,255,255,0.20);
      border: 1px solid rgba(255,255,255,0.30);
      border-radius: 10px;
      color: var(--text);
      outline: none;
      transition: box-shadow 0.15s ease, border-color 0.15s ease;
    }

    select option{
      background: #0f172a; /* slate-900-ish */
    }

    input::placeholder{
      color: rgba(191,219,254,0.85);
    }

    input:focus, select:focus{
      box-shadow: 0 0 0 3px rgba(96,165,250,0.35);
      border-color: rgba(96,165,250,0.55);
    }

    .btn{
      display:flex;
      align-items:center;
      justify-content:center;
      gap: 10px;
      background: var(--btn);
      color: white;
      border: none;
      border-radius: 10px;
      cursor:pointer;
      padding: 10px 14px;
      font-weight: 700;
      transition: background 0.15s ease;
    }

    .btn:hover{ background: var(--btnHover); }

    .btn .icon{
      position: static;
      width: 20px;
      height: 20px;
      color: white;
    }

    .meta{
      margin-top: 12px;
      color: var(--muted);
      font-size: 13px;
    }

    .quickGrid{
      display:grid;
      grid-template-columns: repeat(4, 1fr);
      gap: 12px;
    }

    @media (max-width: 900px){
      .quickGrid{ grid-template-columns: 1fr; }
    }

    .miniCard{
      background: rgba(255,255,255,0.10);
      border: 1px solid var(--glassBorder);
      border-radius: 14px;
      padding: 14px;
    }

    .miniLabel{
      color: var(--muted);
      font-size: 13px;
    }

    .miniValue{
      font-size: 26px;
      font-weight: 800;
      margin-top: 4px;
    }

    .tip{
      margin-top: 14px;
      color: var(--muted);
      font-size: 13px;
    }

    .tipStrong{
      color: var(--green300);
      font-weight: 800;
    }

    .cards{
      display:grid;
      gap: 14px;
      margin-top: 6px;
    }

    .card{
      background: rgba(255,255,255,0.10);
      border: 1px solid var(--glassBorder);
      border-radius: 16px;
      padding: 18px;
      transition: border-color 0.15s ease;
    }

    .card:hover{
      border-color: var(--glassBorderHover);
    }

    .cardTop{
      display:flex;
      justify-content: space-between;
      align-items:flex-start;
      margin-bottom: 10px;
    }

    .badges{
      display:flex;
      gap: 10px;
      align-items:center;
      margin-bottom: 8px;
    }

    .badge{
      display:inline-flex;
      align-items:center;
      padding: 6px 12px;
      border-radius: 999px;
      color: white;
      font-weight: 800;
    }

    .badge.eventId{ background: var(--blueBadge); font-size: 16px; }
    .badge.category{ background: var(--purple); font-size: 12px; font-weight: 700; }

    .cardTitle{
      margin:0;
      font-size: 20px;
      font-weight: 800;
    }

    .rows{
      margin-top: 12px;
      display:flex;
      flex-direction: column;
      gap: 10px;
      font-size: 13px;
    }

    .rowLabel{
      font-weight: 800;
    }

    .labelImportance{ color: var(--yellow300); }
    .labelInvestigate{ color: var(--red300); }
    .labelMitre{ color: var(--green300); }
    .labelInfo{ color: var(--cyan300); }
    .labelSource{ color: var(--blue300); }

    .rowValue{
      color: rgba(219,234,254,0.95); /* blue-100-ish */
    }

    .empty{
      text-align:center;
      padding: 34px;
      color: var(--muted);
    }

    .hidden{ display:none; }
  </style>
</head>

<body>
  <div class="page">
    <div class="container">
      <!-- Header -->
      <div class="panel">
        <h1 class="title">Windows Security Event Logs Reference</h1>
        <p class="subtitle">Abadnet Blue Team Level 2 Bootcamp</p>
        <p class="instructor">Eng. Ahmed Fatouh</p>
        <p class="desc">Comprehensive guide to critical Windows security events for SOC analysts</p>
      </div>

      <!-- Controls -->
      <div class="panel">
        <div class="controls">
          <div class="inputWrap">
            <span class="icon" data-lucide="search"></span>
            <input id="searchInput" type="text" placeholder="Search events..." />
          </div>

          <div class="inputWrap">
            <span class="icon" data-lucide="filter"></span>
            <select id="categorySelect"></select>
          </div>

          <button id="exportBtn" class="btn">
            <span class="icon" data-lucide="download"></span>
            Export to Excel
          </button>
        </div>

        <div class="meta">
          <span id="showingText">Showing 0 of 0 events</span>
        </div>
      </div>

      <!-- Quick Info -->
      <div class="panel">
        <div class="quickGrid">
          <div class="miniCard">
            <div class="miniLabel">Total Events</div>
            <div id="statTotal" class="miniValue">0</div>
          </div>
          <div class="miniCard">
            <div class="miniLabel">Categories</div>
            <div id="statCategories" class="miniValue">0</div>
          </div>
          <div class="miniCard">
            <div class="miniLabel">Critical / High</div>
            <div id="statCriticalHigh" class="miniValue">0 / 0</div>
          </div>
          <div class="miniCard">
            <div class="miniLabel">Log Sources</div>
            <div id="statSources" class="miniValue">0</div>
          </div>
        </div>

        <div class="tip">
          Tip: For best detection, enable <span class="tipStrong">4688 command line</span>,
          PowerShell logging (4104), and targeted object auditing (4663) on sensitive paths.
        </div>
      </div>

      <!-- Cards -->
      <div id="cards" class="cards"></div>

      <!-- Empty state -->
      <div id="emptyState" class="panel empty hidden">
        <p>No events found matching your search criteria</p>
      </div>
    </div>
  </div>

  <!-- Lucide icons (UMD) -->
  <script src="https://unpkg.com/lucide@latest/dist/umd/lucide.min.js"></script>

  <!-- SheetJS (XLSX) -->
  <script src="https://cdn.jsdelivr.net/npm/xlsx@0.18.5/dist/xlsx.full.min.js"></script>

  <script>
    // =========================
    // Data (same content/features)
    // =========================
    const securityEvents = [
      // Authentication
      {
        eventId: '4624',
        category: 'Authentication',
        description: 'An account was successfully logged on',
        importance: 'Critical - Tracks all successful logons including interactive, network, service, and remote desktop',
        whenToInvestigate: 'Unusual logon times, logon from unexpected locations, service account interactive logons, logon type 3 from internet IPs',
        mitreTTP: 'T1078 (Valid Accounts), T1021 (Remote Services), T1133 (External Remote Services)',
        logonTypes: 'Type 2: Interactive, Type 3: Network, Type 10: Remote Desktop',
        logSource: 'Security'
      },
      {
        eventId: '4625',
        category: 'Authentication',
        description: 'An account failed to log on',
        importance: 'Critical - Indicates failed authentication attempts, possible brute force or credential stuffing attacks',
        whenToInvestigate: 'Multiple failures from same source, failures followed by success, account lockouts, failures on sensitive accounts',
        mitreTTP: 'T1110 (Brute Force), T1078 (Valid Accounts), T1589 (Gather Victim Identity Information)',
        logonTypes: 'Sub-status codes indicate failure reason',
        logSource: 'Security'
      },
      {
        eventId: '4634',
        category: 'Authentication',
        description: 'An account was logged off',
        importance: 'Medium - Correlate with 4624 to determine session duration and establish baselines',
        whenToInvestigate: 'Abnormally short sessions, missing logoff events, correlate with other suspicious activities',
        mitreTTP: 'T1078 (Valid Accounts) - Used for timeline analysis',
        logonTypes: 'Tracks session termination',
        logSource: 'Security'
      },
      {
        eventId: '4648',
        category: 'Authentication',
        description: 'A logon was attempted using explicit credentials',
        importance: 'Critical - Detects RunAs, PsExec, and lateral movement with alternate credentials',
        whenToInvestigate: 'Users authenticating with different credentials, lateral movement patterns, privilege escalation',
        mitreTTP: 'T1078 (Valid Accounts), T1021.002 (SMB/Windows Admin Shares), T1550 (Use Alternate Authentication Material)',
        logonTypes: 'Explicit credential usage (RunAs, net use)',
        logSource: 'Security'
      },
      {
        eventId: '4776',
        category: 'Authentication',
        description: 'The domain controller attempted to validate credentials for an account',
        importance: 'High - NTLM authentication attempts, detect pass-the-hash and relay attacks',
        whenToInvestigate: 'NTLM usage when Kerberos should be used, authentication from legacy systems, relay attack patterns',
        mitreTTP: 'T1550.002 (Pass the Hash), T1557.001 (LLMNR/NBT-NS Poisoning)',
        logonTypes: 'NTLM authentication validation',
        logSource: 'Security'
      },

      // Remote Access
      {
        eventId: '4778',
        category: 'Remote Access',
        description: 'A session was reconnected to a Window Station',
        importance: 'High - Useful for tracking RDP reconnections and potential hijacked sessions',
        whenToInvestigate: 'RDP reconnections from unusual IPs, reconnections outside business hours, repeated reconnect cycles',
        mitreTTP: 'T1021.001 (Remote Services: RDP), T1078 (Valid Accounts)',
        logonTypes: 'Often seen with Remote Desktop Services activity',
        logSource: 'Security'
      },
      {
        eventId: '4779',
        category: 'Remote Access',
        description: 'A session was disconnected from a Window Station',
        importance: 'Medium - Complements 4778 for RDP session lifecycle and timeline analysis',
        whenToInvestigate: 'Frequent disconnects, short-lived sessions, disconnect followed by suspicious activity',
        mitreTTP: 'T1021.001 (Remote Services: RDP)',
        logonTypes: 'RDP session disconnect tracking',
        logSource: 'Security'
      },

      // Privilege Use
      {
        eventId: '4672',
        category: 'Privilege Use',
        description: 'Special privileges assigned to new logon',
        importance: 'High - Indicates privileged account usage, often logged with 4624 for admin accounts',
        whenToInvestigate: 'Unexpected privileged access, service accounts with special privileges, privilege escalation patterns',
        mitreTTP: 'T1078.002 (Domain Accounts), T1134 (Access Token Manipulation)',
        logonTypes: 'Associated with administrative logons',
        logSource: 'Security'
      },
      {
        eventId: '4673',
        category: 'Privilege Use',
        description: 'A privileged service was called',
        importance: 'High - Helps detect abuse of privileged APIs and potential token/privilege manipulation',
        whenToInvestigate: 'Unexpected privileged operations, unusual processes calling privileged services',
        mitreTTP: 'T1134 (Access Token Manipulation), T1548 (Abuse Elevation Control Mechanism)',
        logonTypes: 'Privilege-related service call details',
        logSource: 'Security'
      },
      {
        eventId: '4674',
        category: 'Privilege Use',
        description: 'An operation was attempted on a privileged object',
        importance: 'High - Detects access attempts on sensitive objects requiring high privileges',
        whenToInvestigate: 'Access attempts to protected system objects, repeated failures, unusual user/process',
        mitreTTP: 'T1068 (Exploitation for Privilege Escalation), T1134 (Access Token Manipulation)',
        logonTypes: 'Privileged object access attempt',
        logSource: 'Security'
      },

      // Process Creation
      {
        eventId: '4688',
        category: 'Process Creation',
        description: 'A new process has been created',
        importance: 'Critical - Tracks all process creation, essential for detecting malware execution and lateral movement',
        whenToInvestigate: 'Suspicious processes, encoded commands, unusual parent-child relationships, processes from temp folders',
        mitreTTP: 'T1059 (Command and Scripting Interpreter), T1569 (System Services), T1204 (User Execution), T1047 (WMI)',
        logonTypes: 'Requires audit policy enabled with command line logging',
        logSource: 'Security'
      },
      {
        eventId: '4689',
        category: 'Process Creation',
        description: 'A process has exited',
        importance: 'Medium - Useful to correlate process start/stop and confirm execution duration',
        whenToInvestigate: 'Very short-lived suspicious processes, correlations with 4688 for malware timing',
        mitreTTP: 'T1059 (Command and Scripting Interpreter) - Timeline correlation',
        logonTypes: 'Process termination tracking',
        logSource: 'Security'
      },

      // Scheduled Tasks
      {
        eventId: '4698',
        category: 'Scheduled Task',
        description: 'A scheduled task was created',
        importance: 'Critical - Scheduled tasks are common persistence and lateral movement mechanisms',
        whenToInvestigate: 'Tasks created by non-admin users, tasks running scripts/executables from temp, tasks with suspicious names',
        mitreTTP: 'T1053.005 (Scheduled Task), T1021.006 (Windows Remote Management)',
        logonTypes: 'Task Scheduler creation event',
        logSource: 'Security'
      },
      {
        eventId: '4702',
        category: 'Scheduled Task',
        description: 'A scheduled task was updated',
        importance: 'High - Attackers often modify legitimate tasks for stealthy persistence',
        whenToInvestigate: 'Updates to existing tasks, task action changed to script/binary in temp/user profile paths',
        mitreTTP: 'T1053.005 (Scheduled Task)',
        logonTypes: 'Task Scheduler modification event',
        logSource: 'Security'
      },

      // Account Management
      {
        eventId: '4720',
        category: 'Account Management',
        description: 'A user account was created',
        importance: 'Critical - Unauthorized account creation is a strong indicator of compromise and persistence',
        whenToInvestigate: 'Accounts created outside change windows, accounts with naming anomalies, accounts created by non-admin users',
        mitreTTP: 'T1136.001 (Create Account: Local), T1136.002 (Create Account: Domain), T1098 (Account Manipulation)',
        logonTypes: 'Track who created account and when',
        logSource: 'Security'
      },
      {
        eventId: '4722',
        category: 'Account Management',
        description: 'A user account was enabled',
        importance: 'High - Re-enabling dormant/disabled accounts is common for persistence',
        whenToInvestigate: 'Enablement outside change window, sensitive accounts enabled unexpectedly, enablement by unusual admin',
        mitreTTP: 'T1098 (Account Manipulation), T1078 (Valid Accounts)',
        logonTypes: 'Account enablement event',
        logSource: 'Security'
      },
      {
        eventId: '4723',
        category: 'Account Management',
        description: 'An attempt was made to change an account’s password',
        importance: 'High - May indicate account takeover attempts or malicious password changes',
        whenToInvestigate: 'Password changes on privileged/service accounts, changes outside normal hours, repeated attempts',
        mitreTTP: 'T1098 (Account Manipulation)',
        logonTypes: 'Password change attempt',
        logSource: 'Security'
      },
      {
        eventId: '4724',
        category: 'Account Management',
        description: 'An attempt was made to reset an account’s password',
        importance: 'Critical - Password resets (especially by admins) are high-impact and often abused',
        whenToInvestigate: 'Resets for privileged accounts, unexpected admin activity, resets followed by new logons',
        mitreTTP: 'T1098 (Account Manipulation), T1078 (Valid Accounts)',
        logonTypes: 'Password reset attempt (admin action)',
        logSource: 'Security'
      },
      {
        eventId: '4725',
        category: 'Account Management',
        description: 'A user account was disabled',
        importance: 'Medium - Can be response activity or attacker disabling accounts to disrupt operations',
        whenToInvestigate: 'Unexpected disablement, disablement of admin/service accounts, disablement during incident',
        mitreTTP: 'T1489 (Service Stop) - sometimes associated with disruption patterns',
        logonTypes: 'Account disablement event',
        logSource: 'Security'
      },
      {
        eventId: '4726',
        category: 'Account Management',
        description: 'A user account was deleted',
        importance: 'Critical - Account deletion can be destructive, cover tracks, or disrupt recovery',
        whenToInvestigate: 'Deletion outside approved windows, deletion of admin accounts, deletion during active incident',
        mitreTTP: 'T1070 (Indicator Removal), T1485 (Data Destruction) - disruption/cleanup',
        logonTypes: 'Account deletion event',
        logSource: 'Security'
      },
      {
        eventId: '4738',
        category: 'Account Management',
        description: 'A user account was changed',
        importance: 'High - Tracks changes to key attributes (e.g., UAC flags, SPNs, group flags)',
        whenToInvestigate: 'SPN changes, UAC changes (e.g., password never expires), changes to privileged users',
        mitreTTP: 'T1098 (Account Manipulation), T1558.003 (Kerberoasting) - via SPN changes',
        logonTypes: 'Account attribute modifications',
        logSource: 'Security'
      },
      {
        eventId: '4740',
        category: 'Account Management',
        description: 'A user account was locked out',
        importance: 'High - Indicates possible brute force attack or user credential issues',
        whenToInvestigate: 'Multiple lockouts across domain, lockouts on service accounts, lockouts from external IPs',
        mitreTTP: 'T1110 (Brute Force), T1078 (Valid Accounts)',
        logonTypes: 'Account lockout event',
        logSource: 'Security'
      },

      // Group Management
      {
        eventId: '4728',
        category: 'Group Management',
        description: 'A member was added to a security-enabled global group',
        importance: 'Critical - Track additions to privileged groups like Domain Admins, Enterprise Admins',
        whenToInvestigate: 'Additions to admin groups, unauthorized group membership changes, additions during off-hours',
        mitreTTP: 'T1098 (Account Manipulation), T1136 (Create Account), T1078.002 (Domain Accounts)',
        logonTypes: 'Global group membership change',
        logSource: 'Security'
      },
      {
        eventId: '4729',
        category: 'Group Management',
        description: 'A member was removed from a security-enabled global group',
        importance: 'High - Removal can be legitimate or attacker cleanup to evade detection',
        whenToInvestigate: 'Removal from admin groups during compromise, removals after suspicious access',
        mitreTTP: 'T1070 (Indicator Removal), T1098 (Account Manipulation)',
        logonTypes: 'Global group membership removal',
        logSource: 'Security'
      },
      {
        eventId: '4732',
        category: 'Group Management',
        description: 'A member was added to a security-enabled local group',
        importance: 'Critical - Monitor additions to Administrators, Remote Desktop Users, Backup Operators',
        whenToInvestigate: 'Additions to local admin groups, privilege escalation patterns, lateral movement preparation',
        mitreTTP: 'T1078.003 (Local Accounts), T1098 (Account Manipulation)',
        logonTypes: 'Local group membership change',
        logSource: 'Security'
      },
      {
        eventId: '4733',
        category: 'Group Management',
        description: 'A member was removed from a security-enabled local group',
        importance: 'High - Local group cleanup is common after persistence setup',
        whenToInvestigate: 'Removal from Administrators/Remote Desktop Users after unusual activity',
        mitreTTP: 'T1070 (Indicator Removal), T1098 (Account Manipulation)',
        logonTypes: 'Local group membership removal',
        logSource: 'Security'
      },

      // Kerberos
      {
        eventId: '4768',
        category: 'Kerberos',
        description: 'A Kerberos authentication ticket (TGT) was requested',
        importance: 'High - Initial authentication in Kerberos, useful for detecting pass-the-ticket attacks',
        whenToInvestigate: 'Encryption downgrade (RC4 vs AES), requests from unusual IPs, excessive TGT requests',
        mitreTTP: 'T1558.003 (Kerberoasting), T1550.001 (Pass the Ticket), T1558.001 (Golden Ticket)',
        logonTypes: 'Kerberos TGT request',
        logSource: 'Security'
      },
      {
        eventId: '4769',
        category: 'Kerberos',
        description: 'A Kerberos service ticket was requested',
        importance: 'High - Service ticket requests, detect Kerberoasting and lateral movement',
        whenToInvestigate: 'RC4 encryption requests, service ticket requests for SPNs, unusual service access patterns',
        mitreTTP: 'T1558.003 (Kerberoasting), T1550.001 (Pass the Ticket), T1021 (Remote Services)',
        logonTypes: 'Kerberos service ticket request',
        logSource: 'Security'
      },
      {
        eventId: '4771',
        category: 'Kerberos',
        description: 'Kerberos pre-authentication failed',
        importance: 'Critical - Failed Kerberos authentication, potential password spray or AS-REP roasting',
        whenToInvestigate: 'Multiple pre-auth failures, failures from external IPs, AS-REP roasting indicators',
        mitreTTP: 'T1558.004 (AS-REP Roasting), T1110.003 (Password Spraying), T1110 (Brute Force)',
        logonTypes: 'Kerberos pre-authentication failure',
        logSource: 'Security'
      },
      {
        eventId: '4770',
        category: 'Kerberos',
        description: 'A Kerberos service ticket was renewed',
        importance: 'Medium - Useful for session continuity, and anomaly detection in long-lived sessions',
        whenToInvestigate: 'Unusual renew patterns, renewals from unexpected hosts, renewals during suspected compromise',
        mitreTTP: 'T1550.001 (Pass the Ticket) - Behavior correlation',
        logonTypes: 'Kerberos renewal activity',
        logSource: 'Security'
      },

      // File / Object Access
      {
        eventId: '5140',
        category: 'File Share',
        description: 'A network share object was accessed',
        importance: 'High - Track access to network shares, detect lateral movement and data exfiltration',
        whenToInvestigate: 'Access to ADMIN$, C$, IPC$ shares, unusual share access patterns, access from unexpected sources',
        mitreTTP: 'T1021.002 (SMB/Windows Admin Shares), T1039 (Data from Network Shared Drive)',
        logonTypes: 'SMB share access',
        logSource: 'Security'
      },
      {
        eventId: '4663',
        category: 'File Access',
        description: 'An attempt was made to access an object',
        importance: 'High - Detects file/folder access for sensitive paths when object auditing is enabled',
        whenToInvestigate: 'Access to confidential shares, LSASS dumps location, credential stores, unusual access frequency',
        mitreTTP: 'T1005 (Data from Local System), T1039 (Data from Network Shared Drive)',
        logonTypes: 'Requires object access auditing + SACLs on targets',
        logSource: 'Security'
      },
      {
        eventId: '4657',
        category: 'Registry',
        description: 'A registry value was modified',
        importance: 'High - Registry changes often indicate persistence or security weakening',
        whenToInvestigate: 'Run/RunOnce keys, service-related keys, security policy changes, tampering with defender settings',
        mitreTTP: 'T1112 (Modify Registry), T1547.001 (Registry Run Keys/Startup Folder)',
        logonTypes: 'Requires registry auditing and configured SACLs',
        logSource: 'Security'
      },
      {
        eventId: '4670',
        category: 'File Access',
        description: 'Permissions on an object were changed',
        importance: 'High - Detects ACL changes used to hide access or grant persistence',
        whenToInvestigate: 'ACL changes on sensitive files/shares, changes by non-admin accounts, changes during off-hours',
        mitreTTP: 'T1222.001 (File and Directory Permissions Modification), T1098 (Account Manipulation)',
        logonTypes: 'Tracks permission/ACL modifications',
        logSource: 'Security'
      },

      // Services / Persistence
      {
        eventId: '7045',
        category: 'Service',
        description: 'A service was installed in the system',
        importance: 'Critical - Service installation is common for persistence and lateral movement',
        whenToInvestigate: 'Services with suspicious names, services running from temp directories, services installed remotely',
        mitreTTP: 'T1543.003 (Windows Service), T1021.002 (SMB/Windows Admin Shares)',
        logonTypes: 'System Event Log',
        logSource: 'System'
      },
      {
        eventId: '4697',
        category: 'Service',
        description: 'A service was installed in the system (Security log)',
        importance: 'High - Similar to 7045 but appears in Security when service install auditing is enabled',
        whenToInvestigate: 'Services created by unusual accounts, suspicious binary paths, service creation near lateral movement events',
        mitreTTP: 'T1543.003 (Windows Service)',
        logonTypes: 'Service installation auditing event',
        logSource: 'Security'
      },
      {
        eventId: '7040',
        category: 'Service',
        description: 'The start type of a service was changed',
        importance: 'High - Attackers may enable/disable services for persistence or defense evasion',
        whenToInvestigate: 'Disabling security tools, enabling remote services, start type changes outside maintenance windows',
        mitreTTP: 'T1562.001 (Disable or Modify Tools), T1543.003 (Windows Service)',
        logonTypes: 'System Event Log',
        logSource: 'System'
      },

      // Audit / Defense Evasion
      {
        eventId: '4719',
        category: 'Audit Policy',
        description: 'System audit policy was changed',
        importance: 'Critical - Audit policy changes can indicate attempts to blind security monitoring',
        whenToInvestigate: 'Disabling of security logging, changes during suspected compromise',
        mitreTTP: 'T1562.002 (Disable Windows Event Logging), T1070 (Indicator Removal)',
        logonTypes: 'Audit policy modification',
        logSource: 'Security'
      },
      {
        eventId: '1102',
        category: 'Log Clearing',
        description: 'The audit log was cleared',
        importance: 'Critical - Log clearing is a strong indicator of anti-forensics',
        whenToInvestigate: 'Any occurrence outside scheduled maintenance should be investigated immediately',
        mitreTTP: 'T1070.001 (Clear Windows Event Logs), T1485 (Data Destruction)',
        logonTypes: 'Security log cleared',
        logSource: 'Security'
      },

      // PowerShell
      {
        eventId: '4104',
        category: 'PowerShell',
        description: 'PowerShell Script Block Logging',
        importance: 'Critical - Captures PowerShell script content, essential for detecting malicious PowerShell',
        whenToInvestigate: 'Encoded commands, obfuscated scripts, downloads from internet, credential dumping commands',
        mitreTTP: 'T1059.001 (PowerShell), T1027 (Obfuscated Files or Information)',
        logonTypes: 'PowerShell operational log',
        logSource: 'Microsoft-Windows-PowerShell/Operational'
      }
    ];

    // =========================
    // State
    // =========================
    let searchTerm = '';
    let filterCategory = 'All';

    // =========================
    // Elements
    // =========================
    const searchInput = document.getElementById('searchInput');
    const categorySelect = document.getElementById('categorySelect');
    const exportBtn = document.getElementById('exportBtn');
    const cardsEl = document.getElementById('cards');
    const emptyStateEl = document.getElementById('emptyState');
    const showingTextEl = document.getElementById('showingText');

    // Stats elements
    const statTotalEl = document.getElementById('statTotal');
    const statCategoriesEl = document.getElementById('statCategories');
    const statCriticalHighEl = document.getElementById('statCriticalHigh');
    const statSourcesEl = document.getElementById('statSources');

    // =========================
    // Helpers
    // =========================
    function unique(arr) {
      return Array.from(new Set(arr));
    }

    function computeCategories() {
      const cats = unique(securityEvents.map(e => e.category));
      return ['All', ...cats];
    }

    function computeStats() {
      const total = securityEvents.length;
      const totalCategories = unique(securityEvents.map(e => e.category)).length;
      const critical = securityEvents.filter(e => (e.importance || '').toLowerCase().includes('critical')).length;
      const high = securityEvents.filter(e => (e.importance || '').toLowerCase().includes('high')).length;
      const sources = unique(securityEvents.map(e => e.logSource).filter(Boolean)).length;
      return { total, totalCategories, critical, high, sources };
    }

    function filterEvents() {
      const q = (searchTerm || '').trim().toLowerCase();

      return securityEvents.filter(event => {
        const matchesSearch =
          event.eventId.includes(searchTerm) ||
          event.description.toLowerCase().includes(q) ||
          event.mitreTTP.toLowerCase().includes(q) ||
          (event.logSource || '').toLowerCase().includes(q) ||
          (event.whenToInvestigate || '').toLowerCase().includes(q);

        const matchesCategory = filterCategory === 'All' || event.category === filterCategory;
        return matchesSearch && matchesCategory;
      });
    }

    function escapeHtml(str) {
      return String(str)
        .replaceAll('&', '&amp;')
        .replaceAll('<', '&lt;')
        .replaceAll('>', '&gt;')
        .replaceAll('"', '&quot;')
        .replaceAll("'", '&#039;');
    }

    function renderCategories() {
      const cats = computeCategories();
      categorySelect.innerHTML = cats
        .map(c => `<option value="${escapeHtml(c)}">${escapeHtml(c)}</option>`)
        .join('');
      categorySelect.value = filterCategory;
    }

    function renderStats() {
      const s = computeStats();
      statTotalEl.textContent = s.total;
      statCategoriesEl.textContent = s.totalCategories;
      statCriticalHighEl.textContent = `${s.critical} / ${s.high}`;
      statSourcesEl.textContent = s.sources;
    }

    function renderCards() {
      const filtered = filterEvents();

      showingTextEl.textContent = `Showing ${filtered.length} of ${securityEvents.length} events`;

      if (filtered.length === 0) {
        cardsEl.innerHTML = '';
        emptyStateEl.classList.remove('hidden');
      } else {
        emptyStateEl.classList.add('hidden');
        cardsEl.innerHTML = filtered.map(event => `
          <div class="card">
            <div class="cardTop">
              <div>
                <div class="badges">
                  <span class="badge eventId">${escapeHtml(event.eventId)}</span>
                  <span class="badge category">${escapeHtml(event.category)}</span>
                </div>
                <h3 class="cardTitle">${escapeHtml(event.description)}</h3>
              </div>
            </div>

            <div class="rows">
              <div>
                <span class="rowLabel labelImportance">🎯 Importance: </span>
                <span class="rowValue">${escapeHtml(event.importance)}</span>
              </div>

              <div>
                <span class="rowLabel labelInvestigate">🔍 When to Investigate: </span>
                <span class="rowValue">${escapeHtml(event.whenToInvestigate)}</span>
              </div>

              <div>
                <span class="rowLabel labelMitre">⚔️ MITRE ATT&CK TTPs: </span>
                <span class="rowValue">${escapeHtml(event.mitreTTP)}</span>
              </div>

              <div>
                <span class="rowLabel labelInfo">ℹ️ Additional Info: </span>
                <span class="rowValue">${escapeHtml(event.logonTypes)}</span>
              </div>

              <div>
                <span class="rowLabel labelSource">📌 Log Source: </span>
                <span class="rowValue">${escapeHtml(event.logSource || '—')}</span>
              </div>
            </div>
          </div>
        `).join('');
      }

      // Re-render Lucide icons after DOM changes
      if (window.lucide && typeof window.lucide.createIcons === 'function') {
        window.lucide.createIcons();
      }
    }

    function exportToExcel() {
      const ws = XLSX.utils.json_to_sheet(securityEvents.map(event => ({
        'Event ID': event.eventId,
        'Category': event.category,
        'Description': event.description,
        'Importance': event.importance,
        'When to Investigate': event.whenToInvestigate,
        'MITRE ATT&CK TTPs': event.mitreTTP,
        'Additional Info': event.logonTypes,
        'Log Source': event.logSource || '—'
      })));

      ws['!cols'] = [
        { wch: 10 },
        { wch: 18 },
        { wch: 50 },
        { wch: 60 },
        { wch: 70 },
        { wch: 60 },
        { wch: 40 },
        { wch: 38 }
      ];

      const wb = XLSX.utils.book_new();
      XLSX.utils.book_append_sheet(wb, ws, 'Security Events');

      const stats = computeStats();
      const summary = [
        { Info: 'Bootcamp', Value: 'Abadnet Blue Team Level 2' },
        { Info: 'Instructor', Value: 'Eng. Ahmed Fatouh' },
        { Info: 'Total Events', Value: securityEvents.length },
        { Info: 'Categories', Value: stats.totalCategories },
        { Info: 'Critical Events', Value: stats.critical },
        { Info: 'High Events', Value: stats.high },
        { Info: 'Log Sources', Value: stats.sources },
        { Info: 'Created', Value: new Date().toLocaleDateString() }
      ];

      const infoWs = XLSX.utils.json_to_sheet(summary);
      infoWs['!cols'] = [{ wch: 22 }, { wch: 40 }];
      XLSX.utils.book_append_sheet(wb, infoWs, 'Info');

      XLSX.writeFile(wb, 'Windows_Security_Events_Abadnet.xlsx');
    }

    // =========================
    // Events
    // =========================
    searchInput.addEventListener('input', (e) => {
      searchTerm = e.target.value || '';
      renderCards();
    });

    categorySelect.addEventListener('change', (e) => {
      filterCategory = e.target.value || 'All';
      renderCards();
    });

    exportBtn.addEventListener('click', exportToExcel);

    // =========================
    // Init
    // =========================
    renderCategories();
    renderStats();
    renderCards();

    // First icon render
    if (window.lucide && typeof window.lucide.createIcons === 'function') {
      window.lucide.createIcons();
    }
  </script>
</body>
</html>
```